17.2 Understanding Business Roles

The following workflow shows the business role process in Identity Governance.

Figure 17-2 Business Role Workflow

The primary purpose of business roles is to specify a set of applications, roles, and permissions that each member of a business role is authorized to access. The set of authorized resources is defined by each business role’s authorization policy. A business role authorizes resources and generates requests, but does not assign resources.

17.2.1 Understanding Business Role Access Authorizations

The Customer, Global, or Business Roles Administrator creates, modifies, and defines business roles and manages business role policies. They can delegate administrative actions by specifying a Role Owner or a Role Manager for each business role. Role Owners can view and approve business roles but cannot edit business roles. Role Managers can edit business role membership and resource authorizations, submit business roles for approval, promote role candidates, publish roles, and deactivate roles. If the administrator did not specify Role Owners in the business role definition, Identity Governance automatically assigns the administrator who created the role as the Role Owner. For more information about access authorizations, see Section 2.1, Understanding Authorizations in Identity Governance.

17.2.2 Understanding Business Role Mining

Identity Governance uses advanced analytics to mine business data and identify role candidates. This process of discovering and analyzing business data in order to group multiple users and access rights under one business role candidate is called business role mining. Customer, Global, or Business Roles administrators can use role mining to reduce complexity in defining roles, and easily select role candidates with authorized users, permissions, technical roles, and applications to create business roles as well as technical roles with common permissions. Identity Governance uses three approaches to business role mining to identify business role candidates.

  • Directed Role Mining enables administrators to direct the mining based on user attributes they specify when they select this approach. If administrators are not sure which attribute to select, they can search for recommended attributes and select an attribute from the recommended bar graph, which displays the strength of the attributes that have data. Additionally, directed role mining enables them to specify a minimum membership and a coverage percentage to identify role candidates. For example, when an administrator selects “Department” as the attribute to group candidates by, the mining results display one item per department name, with the associated users, permissions, roles, and applications, as role candidates.

  • Automated Role Mining enables administrators to enhance business role mining in larger environments by specifying a minimum number of attributes, a minimum number of occurrences, and the maximum number of results. In addition, administrators can specify a coverage percentage to identify role candidates. In this approach, Identity Governance uses the attributes specified in the role mining settings in Configuration > Analytics and Role Mining Settings to calculate role candidates.

    NOTE: We recommend that you use this option if you have a large and complex catalog, such as a catalog with a greater number of variations in extended attributes, with multiple values of attributes, and a catalog size that slows role mining performance.

  • Visual Role Mining enables administrators to select role candidates from a visual representation of the user attributes. The attribute circle’s width displays the strength of the recommendation, and the width and darkness of the lines indicate the affinity of the attribute to other user attributes. Administrators can customize the mining results by modifying the default maximum number of results, the minimum number of potential members, and the number of automatic recommendations. In this approach, Identity Governance uses the attributes specified in the role mining settings in Configuration > Analytics and Role Mining Settings to calculate role candidates.

    NOTE: Variations in the number of extended attributes, attributes with multiple values, or overall catalog size may affect the performance of visual role mining. You might see invalid results when mining larger or more complex data. You can disable this option by setting the com.netiq.iac.analytics.role.mining.visual.hide global configuration property to true. To optimize performance and to avoid invalid results, use the automated role mining option to mine for roles.

NOTE: Role recommendations depend on your data and role mining settings. To optimize search results, administrators can modify the default role mining settings in Configuration > Analytics and Role Mining Settings. For more information, see Configuring Analytics and Role Mining Settings.

After previewing users and their associated permissions, technical roles, and applications, administrators can select one or more items from the list and create either a role candidate for each selected item or a single candidate for all of them. Additionally, Identity Governance can group common permissions under a technical role and generate a technical role candidate for each application.

NOTE: Identity Governance creates the mined business or technical roles in a candidate state. Administrators can edit and save role candidates, but they must promote candidates before they can approve or publish them as roles. Administrators can also select multiple role candidates and submit them for approval, publish them, or delete them using the Actions options.

17.2.3 Understanding Role Hierarchy with Role Mining

Business role mining in Identity Governance creates a business role for each selected candidate, but cannot group the created roles. Role hierarchy allows you to create a hierarchy of roles, based on the mining attributes, that lets you assign resources either at the candidate level or by grouping the candidates at a higher level.

NOTE: Role hierarchy is not available for Visual Role Mining.

When you select Create business role hierarchy, you can select the attributes used in the role mining as grouping attributes for the role hierarchy. For example, Figure 17-3 illustrates a company organization chart in which each department includes job codes that represent positions. The company wants to create departmental Business Roles for Engineering, Tours, Transportation and Finance, as well as roles for each job code. Furthermore, they want an “All Department” role that includes the Engineering Department and all the other top-level departments. Selecting the department attribute as the role hierarchy grouping attribute would create business roles that mirror the organizational chart.

Figure 17-3 Company Organization with Department and Job Codes
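The directed role mining in Section 17.2.2 and the role hierarchy in Section 17.2.3 both come down to the same operation: bucket users by an attribute value, then treat the permissions that enough members of the bucket share as the candidate's authorized set. The following added example, written for this page and not code from Identity Governance, models both steps on a constructed six-user population. Names such as directed_role_mining, role_hierarchy, the attribute keys, the permission strings and the threshold defaults (two members, 60% coverage) are assumptions chosen for the illustration; the product's own settings are the ones in Configuration > Analytics and Role Mining Settings. Beyond what the text describes, the example also lists the permissions that fall below the coverage threshold together with the users who hold them, which is the list a reviewer wants when deciding whether that access is an exception to keep or to remove.

```python
from collections import Counter, defaultdict

# Constructed sample identities (not records from any Identity Governance catalog):
# each user carries two grouping attributes and the set of permissions held today.
USERS = [
    {"id": "u1", "department": "Engineering", "jobcode": "ENG-DEV", "perms": {"git:read", "git:write", "vpn"}},
    {"id": "u2", "department": "Engineering", "jobcode": "ENG-DEV", "perms": {"git:read", "git:write", "vpn", "prod:admin"}},
    {"id": "u3", "department": "Engineering", "jobcode": "ENG-QA", "perms": {"git:read", "vpn"}},
    {"id": "u4", "department": "Finance", "jobcode": "FIN-AP", "perms": {"erp:read", "erp:post", "vpn"}},
    {"id": "u5", "department": "Finance", "jobcode": "FIN-AP", "perms": {"erp:read", "vpn"}},
    {"id": "u6", "department": "Tours", "jobcode": "TOUR-GUIDE", "perms": {"booking:read"}},
]


def group_by(users, attribute):
    """Bucket users by the value of one attribute (the 'direct the mining' step)."""
    groups = defaultdict(list)
    for user in users:
        groups[user[attribute]].append(user)
    return groups


def mine_candidate(members, coverage_pct):
    """Build one role candidate from a group of users.

    A permission joins the candidate's authorized set when at least coverage_pct
    of the members hold it.  Everything below the threshold is reported as an
    outlier together with the users who hold it, for the reviewer to judge.
    """
    counts = Counter(perm for member in members for perm in member["perms"])
    authorized = {perm for perm, n in counts.items() if 100.0 * n / len(members) >= coverage_pct}
    outliers = {
        perm: sorted(m["id"] for m in members if perm in m["perms"])
        for perm in sorted(counts) if perm not in authorized
    }
    return {
        "members": sorted(m["id"] for m in members),
        "permissions": authorized,
        "outliers": outliers,
    }


def directed_role_mining(users, attribute, min_members=2, coverage_pct=60.0):
    """Directed mining: one candidate per attribute value, keeping only groups
    that reach the minimum membership.  The threshold defaults are illustrative."""
    return {
        value: mine_candidate(members, coverage_pct)
        for value, members in group_by(users, attribute).items()
        if len(members) >= min_members
    }


def role_hierarchy(users, attributes, min_members=1, coverage_pct=60.0):
    """Nest candidates by successive grouping attributes (e.g. department, then
    job code) under a root that plays the 'All Department' role.  Each node is
    mined from every user beneath it, so the root keeps only access that is
    common across the whole population."""
    def build(members, remaining):
        node = mine_candidate(members, coverage_pct)
        if remaining:
            node["children"] = {
                value: build(subgroup, remaining[1:])
                for value, subgroup in group_by(members, remaining[0]).items()
                if len(subgroup) >= min_members
            }
        return node
    return build(list(users), list(attributes))


def print_tree(node, name="All Departments", depth=0):
    """Render the hierarchy with each node's authorized set and its outliers."""
    pad = "  " * depth
    print(f"{pad}{name}: {sorted(node['permissions'])} members={node['members']}")
    for perm, holders in node["outliers"].items():
        print(f"{pad}  outlier {perm} held by {holders}")
    for child, sub in node.get("children", {}).items():
        print_tree(sub, child, depth + 1)


if __name__ == "__main__":
    print("Directed mining by department:")
    for value, cand in directed_role_mining(USERS, "department").items():
        print(f"  {value}: {sorted(cand['permissions'])} outliers={cand['outliers']}")
    print("Role hierarchy (department > jobcode):")
    print_tree(role_hierarchy(USERS, ["department", "jobcode"]))
```

With these inputs, directed mining by department drops Tours (one member, below the minimum membership), authorizes git and VPN access for Engineering while flagging prod:admin as held only by u2, and flags erp:post in Finance as held only by u4. In the hierarchy the root role authorizes only vpn, the permission common to most of the population, while the department and job code nodes carry the more specific access, which is the layered assignment Section 17.2.3 describes.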

17.2.4 Understanding Business Role States

After you create a business role, or after Identity Governance mines one, the role passes through several states during its life cycle. From beginning to end, the business role goes through the states in Figure 17-4. For a detailed description of the states, see the following table.

Figure 17-4 Business Role States

Business Role State: Description

CANDIDATES
    The mining process created the business role and the administrators must promote it before they or others can approve (depending on the approval policy) and publish it. This state corresponds to the internal state called MINED.

DRAFT
    The assigned approval policy requires approval and the administrator has not submitted the changes for approval.

CHANGES REQUESTED
    The approver denies approval of a business role. This state corresponds to the internal state called REJECTED.

APPROVAL PENDING
    Pending changes are ready for approval by the approver specified in the approval policy. This state corresponds to the internal state called PENDING_APPROVAL.

APPROVED
    The approver approved the business role, but the business role has not yet been published.

PUBLISHED
    The business role is approved and the administrator has published the role.

ARCHIVED
    An administrator deletes the policy or creates a new version. Identity Governance archives the policy for history and reporting purposes. Identity Governance never displays archived business roles in the application.
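The states above and the division of duties in Section 17.2.1 (Role Owners approve but never edit; Role Managers edit, submit, promote and publish) together form a small access-controlled state machine. The following added example, written for this page and not Identity Governance code, encodes that machine so that an action is refused both when the actor is not allowed it and when the role is not in a state where it applies. It assumes an approval policy that requires approval, and where the documentation does not spell a transition out it assumes one: a promoted candidate lands in DRAFT, editing a role in CHANGES REQUESTED returns it to DRAFT, and only the administrator deletes. The actor names and the BusinessRole class are invented for the illustration.

```python
from enum import Enum


class State(Enum):
    """Business role states as displayed; comments give the internal names the
    documentation lists for three of them."""
    CANDIDATES = "CANDIDATES"                # internal: MINED
    DRAFT = "DRAFT"
    CHANGES_REQUESTED = "CHANGES REQUESTED"  # internal: REJECTED
    APPROVAL_PENDING = "APPROVAL PENDING"    # internal: PENDING_APPROVAL
    APPROVED = "APPROVED"
    PUBLISHED = "PUBLISHED"
    ARCHIVED = "ARCHIVED"


# Who may do what: owners view and approve but never edit; managers edit, submit,
# promote and publish; the administrator can do everything (delete is assumed
# to be administrator-only for this example).
ACTIONS_BY_ACTOR = {
    "owner": {"view", "approve", "reject"},
    "manager": {"view", "edit", "submit", "promote", "publish"},
    "admin": {"view", "edit", "submit", "promote", "publish", "approve", "reject", "delete"},
}

# Where each action leads from each state.  Assumed for this example where the
# documentation is silent: promotion lands in DRAFT, and editing a rejected role
# takes it back to DRAFT.  Anything not listed is refused.
TRANSITIONS = {
    ("edit", State.CANDIDATES): State.CANDIDATES,   # candidates can be edited and saved
    ("promote", State.CANDIDATES): State.DRAFT,
    ("edit", State.DRAFT): State.DRAFT,
    ("edit", State.CHANGES_REQUESTED): State.DRAFT,
    ("submit", State.DRAFT): State.APPROVAL_PENDING,
    ("approve", State.APPROVAL_PENDING): State.APPROVED,
    ("reject", State.APPROVAL_PENDING): State.CHANGES_REQUESTED,
    ("publish", State.APPROVED): State.PUBLISHED,
}


class BusinessRole:
    def __init__(self, name, state=State.CANDIDATES):
        self.name = name
        self.state = state
        self.history = []  # (actor, action, from_state, to_state): the audit trail

    def next_state(self, actor, action):
        """Return the resulting state, or None when the actor lacks the action
        or the action does not apply in the current state."""
        if action not in ACTIONS_BY_ACTOR.get(actor, set()):
            return None
        if action == "view":
            # Archived roles are never displayed in the application.
            return None if self.state is State.ARCHIVED else self.state
        if action == "delete":
            # Deleting archives the role for history and reporting; it cannot be re-archived.
            return None if self.state is State.ARCHIVED else State.ARCHIVED
        return TRANSITIONS.get((action, self.state))

    def apply(self, actor, action):
        """Perform the action, recording it, or raise if it is not permitted."""
        target = self.next_state(actor, action)
        if target is None:
            raise PermissionError(f"{actor} may not '{action}' {self.name} while {self.state.value}")
        self.history.append((actor, action, self.state, target))
        self.state = target
        return target


if __name__ == "__main__":
    role = BusinessRole("Engineering")
    steps = [("manager", "promote"), ("manager", "submit"), ("owner", "reject"),
             ("manager", "edit"), ("manager", "submit"), ("owner", "approve"),
             ("manager", "publish")]
    for actor, action in steps:
        print(f"{actor:8} {action:8} -> {role.apply(actor, action).value}")
    try:
        role.apply("owner", "edit")
    except PermissionError as err:
        print("refused:", err)
```

Keeping the actor check and the state check in one place means a manager cannot publish a role that was never approved and an owner cannot alter what they are approving, and the history list gives the record an access review would expect to see for each published role.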