28.1 Configuring Analytics and Role Mining Settings

Based on their business needs, authorized administrators can configure analytics, customize decision support visibility and role mining detection, create custom metrics, run metric calculations on demand, and download and import custom metrics in order to optimize your governance system.

To configure analytics and role mining settings:

  1. Log in as a Customer, Global, Data, or Business Roles Administrator.

    NOTE: A Business Roles Administrator does not have the same access permissions as a Customer, Global, or Data Administrator, and can only configure role mining settings and collect business role mining metrics.

  2. Select Configuration > Analytics and Role Mining Settings.

  3. (Optional) Under Decision Support, specify if the following information is excluded or included in the guidance provided to reviewers, review owners, review administrators, and access approvers.

    1. Deselect Show business role authorization status if business roles are not used or if the reviewer or access request approver does not need guidance about whether the review or request item was authorized by a business role.

    2. Deselect Show similarity statistics in reviews and access requests if the reviewer of user reviews or access request approver does not need guidance about how many users have similar permissions.

    3. Deselect Show login statistics for review item users and accounts if Last Login and Number of Logins attributes are not configured/collected/logged for the users and accounts.

    4. Deselect Show review list statistics if the review-related authorized user wants to hide the review item’s prior completion details, such as the date of completion, the name of the review run that included the review item, and the decision made about the review item.

  4. (Optional) Under Similarity Profile, select additional attributes to use in the similarity profile so that Identity Governance can provide decision support.

    HINT: Use the wildcard * to search for attributes.

  5. Under Role Mining:

    1. Specify the maximum number of results that should be returned when mining business roles using the directed role mining approach.

    2. Specify which additional user attributes should be used for both directed and visual business role mining. For more information about which attributes to select, see Understanding Role Mining Settings.

  6. Select Save to save all the settings.

  7. (Optional) Next to Metrics Collection, click the + icon to create custom metrics. For more information, see Section 28.1.2, Understanding Metrics and Creating Custom Metrics.

  8. Under Metrics Collection, select one or more items, and then specify Actions > Set collection interval to change the default setting of 24 hours between metrics collections or disable collection.

    HINT: Click an item name to view detailed information about the metric, including the list of metric column aliases and their corresponding data types.

  9. Specify start date, time, and hours or deselect the Active check box to disable collection.

  10. Click Save.

  11. (Optional) Select one or more items and then select Actions > Collect metrics to initiate a metrics collection on demand.

    HINT: Always collect metrics after a collection and publication to refresh charts on the Overview page.

  12. (Optional) When a custom metric collection is running and you want to cancel it:

    1. Select the item or items with an asterisk (*), and then select Cancel Collection.

    2. Click Cancel Collection to confirm the cancellation.

  13. (Optional) Select one or more default and custom metric items and then select Actions > Download Metrics to download the metric results in CSV format.

    NOTE: In addition to downloading the results, you can also download custom metric definitions and import them. For more information, see Downloading and Importing Custom Metrics Definitions.

28.1.1 Understanding Role Mining Settings

Roles in governance systems enable administrators to simplify security administration on systems and applications by encapsulating popular sets of entitlements and assigning them to users as packages rather than individually. Identity Governance uses attributes specified in Configuration > Analytics and Role Mining Settings to provide recommendations for creating business roles. If the specifications do not meet certain conditions, administrators may not see any recommendations when mining for roles. For more information about role mining, see Section 17.2.2, Understanding Business Role Mining.

Log in as a Customer, Global, Data, or Business Roles Administrator. When specifying attributes, make sure that:

  • Specified attributes have values. User attributes with zero strength will not be displayed in the directed mining recommended attribute bar graph or visual attribute map.

In addition, for visual role mining to render recommendations, make sure that:

  • At least two attributes are selected. For example, “Title” and “Department”.

  • Selected attributes share commonality. For example, departments A, B, and C have users with the same titles, such as Administrative Assistant and Department Lead.

NOTE: After customizing attributes, select Collect Metrics > Business Role Mining metrics to refresh data.
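The following pre-check is an added example, not part of Identity Governance. It approximates the conditions above on an exported user list: it does not reproduce the product's attribute strength calculation, and the record layout, the costCenter attribute, and all function names are assumptions.

```python
from collections import defaultdict

# Constructed sample users, modelled on the Title/Department example above.
USERS = [
    {"title": "Administrative Assistant", "department": "A", "costCenter": ""},
    {"title": "Department Lead", "department": "A", "costCenter": ""},
    {"title": "Administrative Assistant", "department": "B", "costCenter": ""},
    {"title": "Department Lead", "department": "C", "costCenter": ""},
]

def coverage(users, attr):
    """Fraction of users that have a non-empty value for attr."""
    return sum(1 for u in users if u.get(attr)) / max(len(users), 1)

def shared_values(users, attr, across):
    """Values of attr that occur under more than one value of across."""
    seen = defaultdict(set)
    for u in users:
        if u.get(attr) and u.get(across):
            seen[u[attr]].add(u[across])
    return sorted(v for v, groups in seen.items() if len(groups) > 1)

def premine_check(users, attrs):
    """Return reasons why mining on attrs is likely to show nothing."""
    # Attributes with no values at all cannot contribute to recommendations.
    problems = [f"'{a}' has no values" for a in attrs if coverage(users, a) == 0]
    populated = [a for a in attrs if coverage(users, a) > 0]
    if len(populated) < 2:
        problems.append("fewer than two populated attributes")
    elif not any(shared_values(users, a, b)
                 for a in populated for b in populated if a != b):
        # No value of one attribute spans several values of another.
        problems.append("selected attributes share no common values")
    return problems
```

An empty list from premine_check(USERS, ["title", "department"]) means the selection satisfies all three conditions; swapping in costCenter reports the empty attribute before you spend a metrics collection on it.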

28.1.2 Understanding Metrics

Identity Governance tracks key risk indicators so that administrators can monitor these risk factors in your governance system and make improvements based on the collected metrics. The key risk factors or facts extracted and collected from various data sources are stored in fact tables that are then used to calculate metrics and the results (metric tables) are published to the default or administrator-specified database. Administrators can also download all metric results in CSV format.

Identity Governance default metrics analyze common risk factors and enable you to answer questions such as what the average number of users in an account is, how many accounts are unmapped, and what proportion of your entitlements are assigned by policies versus assigned directly. In addition, authorized administrators can create custom metrics, using SQL statements and insight queries, to adjust metric calculations based on your business needs. For example, you can create a custom metric for calculating how many role policies are active.

Administrators cannot edit the default metrics but can view the associated description and metric columns by selecting the metric name. The default schedule for all metric calculations is 24 hrs. Administrators can change the metric calculation schedule and set a start date for metric calculations by selecting Actions > Set collection schedule. Though Identity Governance allows administrators to schedule the collection of metrics, collections might be delayed because Identity Governance manages the number of collections running concurrently to optimize performance. Some collections scheduled to run might be delayed until other collections have completed. Identity Governance also delays scheduled calculations after initial startup of the Identity Governance server.

Administrators can control how many metric collections run simultaneously by using the Identity Governance Configuration Utility to configure com.netiq.iac.fact.collection.thread.pool.size. Currently, if an administrator chooses to run more than five metric collections, the first five collections run simultaneously and the other collections are queued and run after the previous ones finish their calculations. We recommend that administrators override the default setting of 5 with a lower number if they observe metric collections impacting the system adversely. For more information about the Configuration Utility, see Using the Identity Governance Configuration Utility in the Identity Governance 3.6 Installation and Configuration Guide.

28.1.3 Understanding Supported Storages and Data Types

You can store metrics data in Identity Governance databases, Vertica, Oracle, PostgreSQL, Microsoft SQL Server (MS SQL), or Kafka. Identity Governance enables you to select generic data types and translates them to a specific data type based on the type of storage as shown in the table below.

NOTE: Identity Governance publishes facts to Kafka as JSON strings.

Data Type | Read from igops as | Published to Vertica as  | Published to IG PostgreSQL as | Published to IG Oracle as | Published to IG MS SQL as
----------|--------------------|--------------------------|-------------------------------|---------------------------|--------------------------
Boolean   | BOOLEAN            | BOOLEAN                  | boolean                       | number                    | bit
Long      | INTEGER            | INTEGER                  | integer                       | number                    | integer
Float     | FLOAT              | FLOAT                    | float                         | float                     | float
String    | STRING             | LONG VARCHAR             | text                          | nclob                     | nvarchar(max)
Date      | TIMESTAMP          | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE      | TIMESTAMP WITH TIME ZONE  | TIMESTAMP WITH TIME ZONE

28.1.4 Configuring Metrics Data Stores for Custom Metrics

Identity Governance allows a Global, Data, or Customer Administrator to define data storage locations to reference when creating custom metrics collections. In addition, metrics data stores allow you to easily create multiple metrics collections that use the same metrics data store.

NOTE: Metrics collections can use the same metrics data store, but if the data store is a database, each metrics collection using that data store must specify a different database table.

Identity Governance allows you to configure the following data store types:

  • Local Database (Identity Governance databases)

  • Vertica

  • Kafka

  • Oracle

  • Postgres

  • MS SQL

Before you create a custom data store type, create a database schema that includes a new database and table for the data store you want to create.

To create a metrics data store:

  1. Log in as a Global, Data, or Customer Administrator.

  2. Select Configuration > Analytics and Role Mining Settings.

  3. Next to Metrics Data Stores, click +.

  4. Provide the requested Metrics Data Store Details.

  5. Provide the configuration information for the selected store type.

    NOTE: If you select Kafka as the data store type, you must click Import Kafka Configuration, and then browse to select a JSON file that contains configuration information. You can click the “?” icon to view sample code you can copy and paste into a text editor to modify and create a JSON properties file.

  6. Click Save.

28.1.5 Creating Custom Metrics

In addition to default metrics, Identity Governance provides the ability to query your operations database for additional statistics that could help you to better monitor the health of your governance system. The product also displays an asterisk (*) in front of the names of the custom metrics to distinguish them from default metrics. You can click the metric name to view the details of the metric.

To create a custom metric:

  1. Log in as a Global, Data, or Customer Administrator.

  2. Select Configuration > Analytics and Role Mining Settings.

  3. Next to Metrics Collection, select the + icon and select New.

  4. Specify a name for the new metric.

  5. Optionally, select an existing category or create a custom category by selecting Add Custom.

  6. Type a short description for the metric.

  7. Click Storage, select a data store to publish the custom metric results, and then provide additional location information as required. For a Kafka data store, you must specify a topic. All other data store types are databases, which require a table name. Metrics are collected into the table you specify. For example, for large volume analytics you could define a metrics data store for your Vertica or Kafka database, select that data store for your metric, and then specify a table name or a topic name to store the metrics.

    NOTE: If you select a metrics data store that is a Local Database type, Identity Governance collects your metric to a table in the Identity Governance ARA database. In this case you do not have to specify a table name.

    If you do not specify a table name, Identity Governance creates a table using the ex_randomGUID naming convention. However, it is recommended that you provide a meaningful table name.

  8. (Conditional) If you choose to store the metric in Vertica, specify the schema name in Table before the table name and separate these with a comma.

  9. Click SQL Statement and enter a SQL select statement. For example, to calculate how many role policies are active enter select count(id) as active from role_policy where state = 'ACTIVE'.

    NOTE: Identity Governance automatically checks for statement errors and potential SQL injections to prevent invalid or malicious code. However, ensure that you have defined your query correctly, since you cannot edit saved custom metrics. If needed, you will have to delete the custom metric, and then create a new one to change your definition.

  10. Click Metric Columns.

  11. Click Add Column and specify an alias and type for each column selected in the SQL statement. When specifying an alias:

    • Do not use SQL reserved keywords as an alias for a custom metric column. Using a reserved keyword as a column name will cause an error. If, for example, you use "end" as an alias name in your custom metric definition when Identity Governance is connected to a PostgreSQL database, the PostgreSQL client will display the following error message:

      Fact validation failed: Unable to create table. Verify there are no reserved SQL keywords used as column aliases. ERROR: syntax error at or near "end" Position: 150.

      SQL reserved keywords vary based on the database. Refer to your database documentation for a list of database-specific reserved SQL keywords.

    • Ensure that the alias in Metric Columns and the SQL query match. For example, add metric column active with a type of Long for the SQL statement example in Step 9.

  12. Repeat the above step to add more columns.

  13. Address any metric column section warnings that appear.

    NOTE: Creating a metric with a warning might not work correctly.

  14. Select Save.
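Because a saved custom metric cannot be edited, it helps to check the definition before Step 14. The following pre-save check is an added example, not part of Identity Governance or its own validation. The function names are assumptions, the reserved-keyword set is a constructed subset of PostgreSQL's list, and the alias parser handles only simple select lists with explicit AS aliases.

```python
import re

# Generic metric column types listed in Section 28.1.3.
GENERIC_TYPES = {"Boolean", "Long", "Float", "String", "Date"}

# Constructed subset of PostgreSQL reserved keywords; use the full list
# from your database documentation in practice.
RESERVED = {"all", "and", "as", "case", "check", "column", "default", "desc",
            "end", "from", "group", "in", "limit", "not", "null", "order",
            "select", "table", "then", "user", "when", "where"}

def select_aliases(sql):
    """Return the explicit 'AS alias' names in a simple select list."""
    m = re.match(r"\s*select\s+(.*?)\s+from\s", sql, re.I | re.S)
    if not m:
        return None
    return [a.lower() for a in re.findall(r'\bas\s+"?(\w+)"?', m.group(1), re.I)]

def check_metric(sql, columns):
    """columns: list of (alias, generic_type). Returns a list of problems."""
    problems = []
    # A custom metric takes one select statement; flag stacked statements.
    if ";" in sql.strip().rstrip(";"):
        problems.append("more than one statement")
    aliases = select_aliases(sql)
    if aliases is None:
        return problems + ["not a SELECT ... FROM statement"]
    declared = [a.lower() for a, _ in columns]
    for alias, gtype in columns:
        if alias.lower() in RESERVED:
            problems.append(f"alias '{alias}' is a reserved keyword")
        if gtype not in GENERIC_TYPES:
            problems.append(f"alias '{alias}' has unknown type '{gtype}'")
    # Aliases in Metric Columns and in the SQL query must match (Step 11).
    for a in sorted(set(aliases) - set(declared)):
        problems.append(f"SQL alias '{a}' has no metric column")
    for a in sorted(set(declared) - set(aliases)):
        problems.append(f"metric column '{a}' is not an alias in the SQL")
    return problems
```

For the statement in Step 9 with a metric column active of type Long, check_metric returns an empty list; using "end" as the alias reports the reserved keyword before the database does.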

To create a custom metric from an Insight Query:

  1. Log in as a Global, Data, or Customer Administrator.

  2. Select Configuration > Analytics and Role Mining Settings.

  3. Next to Metrics Collection, select the + icon and select New from Insight Query. For information about creating insight queries, see Section 11.5, Analyzing Data with Insight Queries.

  4. Select the Insight Query to use, and then select Add.

  5. Specify a name for the custom metric and adjust any other settings, including those populated based on the Insight Query and storage settings for metrics.

  6. Select Save.

After creating custom metrics, you can collect them on demand by selecting one or more custom metrics and then selecting Actions > Collect metrics. In addition, you can also select Actions > Delete Custom to delete custom metrics.

28.1.6 Downloading and Importing Custom Metrics Definitions

In addition to creating a new custom metric using SQL statements or by using an Insight query, Identity Governance provides you the ability to download custom metric definitions so that you can edit and import them.

To download and import custom metric definitions:

  1. Log in as a Customer, Global or Data Administrator.

  2. Select Configuration > Analytics and Role Mining Settings.

  3. Select names starting with an asterisk (*).

  4. Select Actions > Download Definitions to download custom metric definitions.

  5. To import custom facts, select Import Custom Metrics, browse for custom metric JSON files containing exported custom metrics, select entities to import, and then click Import.

  6. (Conditional) If there is a conflict with an existing metric, resolve the conflict by selecting Import new to create a new custom metric or select Replace Existing to replace the existing metric.