Role Mining Overview

Role Mining allows enterprises to analyze the access to resources that users within their organization have and, based on that analysis, create Management Roles that reflect common access level assignments for specific groups of users. There are two approaches to role mining: top-down and bottom-up. The top-down approach involves analyzing current business processes to determine what Management Roles users need to perform tasks and is often linked to user attributes. For example, this approach could begin with the question, "What do managers in location X require?" Once the answer is derived, a role with the needed entitlements can be created for every person with those attributes. The bottom-up approach, on the other hand, looks at the common access level assignments that already exist within the organization and, based on that analysis, creates Management Roles.
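The bottom-up approach described above, sketched as an added example (this is not EmpowerID's algorithm or code): it proposes candidate roles from entitlement sets that several people already hold in common, and lists the access those roles leave unexplained, which is what a reviewer checks for excess privilege. The people, entitlement names and thresholds are constructed assumptions.

```python
from itertools import combinations

# Constructed sample data: person -> entitlements currently assigned.
ASSIGNMENTS = {
    "alice": {"crm:read", "crm:write", "share:sales"},
    "bob":   {"crm:read", "crm:write", "share:sales"},
    "carol": {"crm:read", "crm:write", "share:sales", "erp:approve"},
    "dave":  {"erp:read", "erp:post", "share:finance"},
    "erin":  {"erp:read", "erp:post", "share:finance", "crm:read"},
    "frank": {"vpn:admin"},
}

def mine_candidate_roles(assignments, min_people=2, min_entitlements=2):
    """Return candidate roles as (entitlements, people), largest coverage first."""
    sets = [frozenset(e) for e in assignments.values()]
    # Candidate entitlement sets: each person's full set plus every pairwise overlap.
    candidates = set(sets)
    candidates.update(a & b for a, b in combinations(sets, 2))
    roles = []
    for ents in candidates:
        if len(ents) < min_entitlements:
            continue
        people = frozenset(p for p, held in assignments.items() if ents <= held)
        if len(people) >= min_people:
            roles.append((ents, people))
    # Drop a candidate when a larger one covers exactly the same people.
    roles = [r for r in roles
             if not any(o[1] == r[1] and r[0] < o[0] for o in roles)]
    roles.sort(key=lambda r: (-len(r[0]) * len(r[1]), sorted(r[0])))
    return roles

def uncovered_access(assignments, roles):
    """Entitlements a person holds that none of their candidate roles explains."""
    leftover = {}
    for person, held in assignments.items():
        explained = set()
        for ents, people in roles:
            if person in people:
                explained |= ents
        if held - explained:
            leftover[person] = held - explained
    return leftover

if __name__ == "__main__":
    found = mine_candidate_roles(ASSIGNMENTS)
    for ents, people in found:
        print(sorted(people), "->", sorted(ents))
    print("review individually:", uncovered_access(ASSIGNMENTS, found))
```

Access that falls outside every candidate role (here a single approval right, a cross-department read and a lone admin entitlement) should be reviewed individually instead of being folded into a role.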

In EmpowerID, role mining is a multi-step process that involves creating, running and analyzing "Role Mining Campaigns." Role Mining Campaigns produce "candidate roles" containing combinations of people and entitlements, which can then be analyzed and accepted or manipulated to create subsets of combinations. Once candidate roles are accepted, they can be published as standalone Management Roles, mapped to Business Roles and Locations or used to create new Business Roles and Locations. From a high level, the process you need to follow to mine roles is represented by the image below.

The above image depicts two Role Mining campaigns. In the first campaign, candidate roles are analyzed and used to create a standalone Management Role as well as a Management Role that is mapped to an existing Business Role and Location. In the second campaign, candidate roles are analyzed and used to create a standalone Management Role and a new Business Role and Location. The specific steps involved are as follows:

  1. Step 1 - You create, configure and compile Role Mining Campaigns with selections of people, attributes and entitlements based on RBAC groupings, such as all people in specific Business Roles and Locations, Query-Based Collections and Group memberships. Compiling the campaigns captures the entitlements and selected attributes of each person in the specified RBAC grouping and saves that data to the EmpowerID Identity Warehouse.
  2. Step 2 - You review the compiled campaign data, optionally slicing that data into subsets, and, when ready, create "runs." Runs, in turn, create candidate roles, which contain the users and entitlements you specified in the campaign.
  3. Step 3 - You analyze the run results and either discard or publish the candidate roles created by those runs.

The topics in this section take you through each of these steps, showing you how to get started with Role Mining in your environment.