Top-Down Role Mining in EmpowerID allows organizations to optimize group memberships by leveraging existing role and group data from authoritative systems, such as HR systems. This article provides step-by-step instructions on how to run the process and analyze the resulting data effectively.
Prerequisites
Before running Top-Down Role Mining, ensure the following:
Establish the Role Structure: EmpowerID establishes the role structure using data from your authoritative systems, such as HR systems. This foundational setup is crucial for ensuring that user roles and access are accurately defined.
Create Set Groups of Groups: It is recommended that users create set groups of groups to streamline the role mining process. This allows for more targeted analysis and improves the efficiency of the role assignment process. For detailed instructions on creating sets and set groups, please refer to Query Based Collections.
Procedure
Step 1 – Accessing the Top-Down Role Mining Feature
On the navbar, navigate to Role Management > Role Mining.
Select the Top Down Mining tab.
Key UI Elements
Before proceeding, familiarize yourself with the following UI Elements:
Element | Description | Usage |
---|---|---|
Restrict Analysis to SetGroup of Groups | Used to filter the role mining analysis to the specified SetGroup of groups. If left empty, the system analyzes all inventoried groups for possible matches. | Select the relevant SetGroup. If empty, analyze all groups. |
Exclude RBAC Assigned | Select this option (recommended) to exclude analysis of groups with existing policies that grant users membership based on RBAC settings. | Check this box to exclude existing RBAC-assigned roles. |
Exclude Dynamic Groups | Excludes EmpowerID dynamic groups from the role mining analysis. Enabling this option does not exclude dynamic groups from systems like Azure. It is recommended that you check this box to enable this option. | Check this box to exclude EmpowerID dynamic groups. |
Search Field | Filters compilation results to the specified group. | Enter the name of the desired group. |
Compile Button | Compiles the selected SetGroup of Groups as specified. If a SetGroup of Groups is not specified, the engine compiles all groups. After the initial compilation of data, subsequent compilations show appended results if changes have occurred. | Click to initiate the compilation. |
Approve Button | Used to approve selected matches returned by the system. | Click to approve selected matches. |
Publish Button | Used to publish selected and approved matches as role mining rules. | Click to publish selected role mining rules that have been approved. |
Step 2 – Running the Compilation Process
Restrict Analysis to SetGroup of Groups: Select the SetGroup containing the groups you want to analyze. If left empty, EmpowerID analyzes all groups in the system.
If the data is recompiled, the results will be appended to existing results.
Exclude RBAC Assigned: Select this option (recommended) to exclude analysis of groups with existing policies that grant users membership based on RBAC settings.
Exclude Dynamic Groups: Select this option (recommended) to exclude EmpowerID dynamic groups from the role mining analysis.
Click Compile.
Once the system completes the compilation, you should see a “Finished Compiling” message.
Click the dropdown on the Search field to open the advanced search options.
You should see the following advanced search parameters:
Parameter | Description | Usage | Default Value |
---|---|---|---|
Min % Role Match | Minimum percentage of users in the role that must match group criteria. | Enter a percentage between 0 and 100. | 40 |
Minimum # People | Minimum number of users required in a group for consideration. | Enter an integer value. | 2 |
Min % of People in Group | Minimum percentage match required between users and associated role. | Enter a percentage between 0 and 100. | 60 |
Ignore Parent if Drops More Than % | Excludes parent roles from the analysis based on a percentage drop. | Enter a percentage threshold. | 30 |
Business Role and Location | Filters results to the specified role and location. | Optionally, enter a Business Role and Location. | Blank |
Group | Filters results to the specified group. If a value is entered in this field, the group specified in the main search field is ignored. | Optionally, enter a group name. | Blank |
Adjust the search parameters to meet your requirements, such as:
MIN % Role Match: 70%
Minimum # People: 2
MIN % of People in Group: 60%
Ignore Parent if Drops More Than %: 30%
Group: Limit the search results to the specified group
Click the Advanced Search button to view the results.
If the results show a good match:
Check the box to select the record.
Click Approve.
A “Finished Approving!” message will appear.
Click Publish.
You should see a “Finished Publishing!” message.
Tip |
---|
For this article, the analysis was conducted using the EmpowerID UI for simplicity. In real-world scenarios involving larger data sets, it is recommended to analyze the compiled results in Excel. You can download the data by clicking the Download Report button. |
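
The advanced search thresholds above decide which Business Role and Location/group pairs are offered for approval, and publishing a match adds every person in the role to the group. The following Python sketch is an added example, not EmpowerID code: it applies an assumed reading of three of the thresholds to constructed membership data and lists who would gain membership on publish. The function name, field names and sample data are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data (not EmpowerID output): members of each
# Business Role and Location, and members of each inventoried group.
ROLES = {
    "Sales Rep in Boston": {"ann", "bob", "cid", "dee", "eve"},
    "Engineer in Boston": {"fay", "gus", "hal", "ivy"},
    "CFO in Boston": {"zed"},
}
GROUPS = {
    "CRM-Users": {"ann", "bob", "cid", "dee", "zed"},
    "Build-Admins": {"fay", "gus", "hal", "ann"},
    "VPN-Boston": {"ann", "bob", "cid", "fay", "gus", "hal", "ivy"},
    "Treasury-Approvers": {"zed"},
}

@dataclass(frozen=True)
class Candidate:
    role: str
    group: str
    pct_role_match: float       # % of role members already in the group
    pct_people_in_group: float  # % of group members who hold the role
    would_gain: frozenset       # role members added to the group on publish

def candidates(roles, groups, min_role_match=40, min_people=2,
               min_people_in_group=60):
    """Assumed reading of the thresholds; defaults copied from the table."""
    found = []
    for role, r in roles.items():
        for group, g in groups.items():
            if not r or not g or len(g) < min_people:
                continue  # too few people in the group to be meaningful
            both = r & g
            role_pct = 100 * len(both) / len(r)
            group_pct = 100 * len(both) / len(g)
            if role_pct >= min_role_match and group_pct >= min_people_in_group:
                found.append(Candidate(role, group, round(role_pct, 1),
                                       round(group_pct, 1), frozenset(r - g)))
    return sorted(found, key=lambda c: (c.role, c.group))

if __name__ == "__main__":
    for c in candidates(ROLES, GROUPS):
        print(f"{c.role} -> {c.group}: role {c.pct_role_match}%, "
              f"group {c.pct_people_in_group}%, gains {sorted(c.would_gain)}")
```

Lowering `min_people_in_group` lets broad groups such as the constructed VPN-Boston into the candidate list, and the `would_gain` set is the membership change to review before approving a match.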
Expected Results
EmpowerID creates a new RBAC Group Membership policy that places all people in the Business Role and Location into the group as members. Each time a new person is added to the Business Role and Location, they will automatically be added to the group.
You can verify the rule by:
Viewing Access to Groups on the View One page for the Business Role and Location.
Viewing RBAC Access to This Resource on the View One page for the group.
Viewing the Access to Groups for the Business Role and Location
Right-click the Business Role and Location link for the rule you published and select Open link in new tab to open the View One page for the Business Role and Location in a new tab.
On the View One page for the Business Role and Location, click the Advanced tab and then select the Access sub-tab.
Expand the Access to Groups accordion and select the Mandatory tab.
Use the right search field to search for the group. You should see it in the grid.
Viewing the RBAC Access to the Group
Right-click the Group link for the rule you published and select Open link in new tab to open the View One page for the group in a new tab.
On the View One page for the group, click the Advanced tab and then select the RBAC sub-tab.
Expand the RBAC Access to This Resource accordion.
Select the Resource Delegations tab and then select Business Role and Location from the To Which Type of Actor Do You Wish to Assign Access? dropdown.
Search for the Business Role and Location targeted by the role mining rule. You should see the role and location has the Member access level.
Testing the Role Mining Rule
To test the new rule:
Navigate to the View One page for the Business Role and Location as before.
Select the Advanced tab and then select the Members sub-tab.
Expand the All People in Business Role and Location accordion.
Enter the name of a person in the left search field and then click the tile for that person.
Click Submit.
After EmpowerID processes the operation, navigate to the View One page for the group targeted by the role mining rule.
On the group’s View One page, click the Advanced tab and then select the RBAC sub-tab as before.
Expand the RBAC Access to This Resource accordion and select the Resultant Access to Resource tab.
Select Member from the Select Access Level to check field.
In the Person field, enter the name of the person you added to the Business Role and Location and click the tile for that person.
Click Search. You should see the person has the Member access level granted.
To verify the assignment is based on the person belonging to the Business Role and Location targeted by the role mining rule, click the View Assignment link.
You will be directed to the View One Actor Security page for the assignment. From there you should see that the person gained the assignment by belonging to the target Business Role and Location.
In addition, you will see the numbers increment accordingly on the record for the Top-Down Role Mining rule.