...
For organizations that work with external role management tools or consultants, EmpowerID provides the Role Modeling Inbox. This feature integrates external role designs and access changes into EmpowerID, where they are processed using configurable rules. Depending on your organization's governance needs, these changes can be automatically applied or routed through workflow approval processes.
Leverage Existing Sources of Business Role Information
Establishing business roles and organizational locations is typically the initial step in many EmpowerID implementations. The primary sources for this data include an organization’s HR or Human Capital Management (HCM) system and Active Directory. Systems such as Workday, SuccessFactors, and SAP HCM provide a structured overview of the organization and the positions occupied by employees, facilitating the analysis process.
EmpowerID inventories these external roles and user assignments using its connector capabilities. Once this data is imported into the EmpowerID system, it is used to create an initial Business Role and organizational location tree for top-down analytical role mining.
This foundational information is crucial once roles are defined and access policies are assigned. Changes in the authoritative systems will automatically trigger a reevaluation and adjustment of access for each user, minimizing the need for manual administration. Additionally, EmpowerID conducts Separation of Duties (SoD) simulations during role design to ensure that proposed roles do not have inherent SoD conflicts.
Top Down Analytical Role Mining
Top Down Analytical Role Mining is a technique invented by the EmpowerID team after many years of analyzing many organizations’ security models and sources of data. Compliant Access requires that the entitlements granted are appropriate for the position. For organizations with HR systems, the only maintained source for employee position information is the HR system itself. The assignment of users to positions and organizational locations will be maintained there and will continue to change regardless of how well role assignments are maintained in IGA. This up-to-date data is therefore valuable: it should drive the initial determination of roles and role-based access policies, and it should keep users' role assignments current wherever possible.
Top Down Analytical Role Mining leverages the rough skeleton of the Business Roles within the organization and the knowledge concerning which users occupy those positions within different portions of the company. In addition to this HR-related information, EmpowerID inventories all the entitlements and access assignments for each user in every system. EmpowerID then uses a sophisticated analytical technique to optimally fit existing user access assignments on the Business Role and Location tree. Once the optimal matches are identified, they can be published as role-based assignments automated by HR data.
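The top-down fit and the SoD simulation described above can be illustrated with a simplified sketch. This is an added example, not EmpowerID's algorithm or code: the HR tree, users, entitlements, SoD pair and the coverage-threshold rule are all constructed assumptions. Each entitlement is placed on the highest Business Role and Location node whose occupants hold it at or above the threshold, and the proposed roles are then checked for inherent SoD conflicts.

```python
from collections import defaultdict

# Constructed sample data (assumption, not EmpowerID output).
PARENT = {"Corp": None, "Finance": "Corp", "IT": "Corp",
          "AP Clerk": "Finance", "AR Clerk": "Finance"}  # HR tree: child -> parent
USER_NODE = {"ann": "AP Clerk", "bob": "AP Clerk", "cy": "AR Clerk",
             "dee": "AR Clerk", "eli": "IT"}
USER_ENTS = {"ann": {"email", "erp_login", "create_vendor"},
             "bob": {"email", "erp_login", "create_vendor", "approve_payment"},
             "cy": {"email", "erp_login", "post_receipt"},
             "dee": {"email", "erp_login", "post_receipt"},
             "eli": {"email", "admin_console"}}
SOD_PAIRS = [("create_vendor", "approve_payment")]

def ancestors(node):
    """Return [node, parent, ..., root]."""
    path = []
    while node is not None:
        path.append(node)
        node = PARENT[node]
    return path

def effective(roles, node):
    """Entitlements a node grants, including those inherited from ancestors."""
    return set().union(*(roles.get(a, set()) for a in ancestors(node)))

def mine_top_down(threshold=1.0):
    """Place each entitlement on the highest node where coverage >= threshold."""
    members = defaultdict(set)
    for user, node in USER_NODE.items():
        for a in ancestors(node):
            members[a].add(user)
    roles = {}
    for node in sorted(members, key=lambda n: len(ancestors(n))):  # root first
        held = [USER_ENTS[u] for u in members[node]]
        for ent in set().union(*held) - effective(roles, node):
            if sum(ent in h for h in held) / len(held) >= threshold:
                roles.setdefault(node, set()).add(ent)
    return roles

def residual(roles):
    """Direct assignments left over once role-based access is applied."""
    left = {u: USER_ENTS[u] - effective(roles, n) for u, n in USER_NODE.items()}
    return {u: e for u, e in left.items() if e}

def sod_conflicts(roles):
    """Nodes whose effective role access contains both sides of an SoD pair."""
    hits = {n: [p for p in SOD_PAIRS if set(p) <= effective(roles, n)]
            for n in PARENT}
    return {n: p for n, p in hits.items() if p}
```

With a threshold of 1.0 the only leftover direct assignment is bob's `approve_payment`, and no proposed role carries the conflict. Lowering the threshold to 0.5 folds that exception into the AP Clerk role and the simulation flags it.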
Bottom Up Role Mining
After completing top down role mining, much of each user’s access will be delivered and controlled via Business Roles. The top down model is effective for optimizing access based on what a person does within an organization. The remaining unoptimized access assigned to users consists of less structured team or matrix-based access and exceptions. This access can also be optimized using a technique known as bottom up analytical role mining. Bottom up role mining is a multi-step process that involves creating, running and analyzing "Role Mining Campaigns." Role Mining Campaigns analyze entitlement and user data using powerful machine learning algorithms to produce optimal "candidate roles" containing combinations of people and entitlements. These are then analyzed and accepted or manipulated to create subsets of combinations. Once candidate roles are accepted, they can be published as standalone Management Roles, mapped to Business Roles and Locations, or used to create new Business Roles and Locations.
Streamline Recertification
Role Mining and Optimization assists organizations by minimizing the number of security roles, reducing administrative workloads, and streamlining audit recertification campaigns. Without role optimization, managers are faced with the daunting task of certifying hundreds of individual technical entitlements per direct report. A role optimization program can reduce the number of direct assignments by 80% and present managers with a compact list of business-friendly roles to certify. Security becomes more manageable, and the organization’s risk profile is minimized.
Role Modeling Inbox
For organizations working with consultants and other role-modeling tools, EmpowerID supports leveraging the roles and locations designed in those systems. The Role Modeling Inbox integrates external role and access management with EmpowerID by providing a set of inboxes for publishing roles and access changes. Configurable rules within EmpowerID determine whether these upstream decisions are implemented automatically or go through workflow approval processes before becoming active.
...
...