29.1 Understanding Analytics and Role Mining Settings

Roles in governance systems enable administrators to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users. Identity Governance uses attributes specified in Configuration > Analytics and Role Mining Settings to provide recommendations for creating business roles. If the specifications do not meet certain conditions administrators may not see any recommendations when mining for roles. Only a Global, Data, or Business Roles Administrator can configure the role mining settings.

When specifying attributes make sure that:

In addition, in order for visual role mining to render recommendations make sure that:

Identity Governance tracks key risk indicators so that administrators can monitor these risk factors in your governance system and make improvements based on the collected metrics. The key risk factors or facts extracted and collected from various data sources are stored in fact tables that are then used to calculate metrics and the results (metric tables) are published to the default or administrator-specified database. Administrators can also download all metric results in CSV format.

Identity Governance default metrics analyze common risk factors and enable you to find answers for questions like how many average number of users are in an account, how many accounts are unmapped, and what proportion of your entitlements are assigned by policies versus assigned directly. In addition, authorized administrators can create custom metrics, using SQL statements and insight queries, to adjust metric calculations based on your business needs. For example, you can create a custom metric for calculating how many role policies are active.

Administrators cannot edit the default metrics but can view associated description and metric columns by selecting the metric name. The default schedule for all metric calculations is 24 hrs. Administrators can change the metric calculation schedule and set a start date for metric calculations by selecting Actions > Set collection schedule. Though Identity Governance allows administrators to schedule the collection of metrics, collections might be delayed because Identity Governance manages the number collections running concurrently to optimize performance. Some collections scheduled to run might be delayed until other collections have completed. Identity Governance also delays scheduled calculations after initial startup of the Identity Governance server.

Administrators can control how many metric collection can be collected simultaneously by using the Identity Governance Configuration Utility to configure com.netiq.iac.fact.collection.thread.pool.size. Currently, if an administrator chooses to run more than five metric collection then the first five collections will run simultaneously and the other collections will be queued and will run after the previous one finishes calculations. We recommend that administrators override the default 5 setting to a lower number if they observe metric collections impacting the system adversely. For more information about the Configuration Utility, see Using the Identity Governance Configuration Utility in the Identity Governance 3.7 Installation and Configuration Guide.

You can store metrics data in Identity Governance databases, Vertica, Oracle, PostgreSQL, Microsoft SQL Server (MS SQL), or Kafka. Identity Governance enables you to select generic data types and translates them to a specific data type based on the type of storage as shown in the table below.