Role Mining Overview

This is an older version (Version 2) of this page.

Role mining is the process of analyzing an organization’s existing access assignments to discover and define security roles. These roles help streamline access management by grouping users with similar access needs based on their job functions, locations, or responsibilities. Properly defined roles ensure that users are granted the least privilege necessary to perform their tasks, reducing the risk of over-provisioning and security vulnerabilities.

For large organizations, manually managing user access individually can be costly, inefficient, and prone to errors. Role mining automates this process by identifying patterns in user access and creating roles that align with organizational needs. This helps organizations maintain compliance, optimize access control, and reduce administrative workloads.

Role Mining and Optimization

EmpowerID's approach to role mining is rooted in Compliant Access by Design, a strategy that ensures organizations can map out appropriate access for employees, partners, and customers in advance. This proactive approach reduces the need for costly and inefficient manual processes, which can lead to security vulnerabilities and project delays.

The EmpowerID Role Mining engine solves this challenge by recommending an optimal set of roles based on a combination of HR job position data and existing access assignments. These initial roles are dynamic and evolve in response to changes in the business environment, such as reorganizations or mergers. EmpowerID’s role optimization further ensures that roles are aligned with the least privilege principle, maintaining compliance and minimizing security risks.

To implement Compliant Access effectively, EmpowerID relies on external sources of business role data, which serve as the foundation for role mining.

Leverage Existing Sources of Business Role Information

Establishing business roles and organizational locations is essential in implementing Compliant Access. EmpowerID simplifies this process by leveraging data from HR or Human Capital Management (HCM) systems and Active Directory. Systems like Workday, SuccessFactors, or SAP HCM store valuable organizational structures and employee position data, which EmpowerID uses to perform its analysis.

EmpowerID inventories external roles and user assignments through out-of-the-box connectors, generating an initial Business Role and organizational location tree. This automated data-driven approach ensures continuous compliant access delivery. Any changes made in the authoritative HR system, such as role changes or promotions, automatically trigger a reevaluation of user access to ensure compliance without manual intervention.

During role design, EmpowerID also performs Separation of Duties (SoD) simulations to ensure that proposed roles do not create conflicts, further enhancing compliance and security.

With business role data in place, EmpowerID applies its sophisticated top-down role mining techniques to optimize access management.

Top-Down Analytical Role Mining

EmpowerID's Top-Down Analytical Role Mining technique analyzes organizational security models and ensures access entitlements align with business roles. This method ensures that each user’s access is appropriate for their position and that roles reflect the organization’s structure.

Top-down role mining uses data from HR systems, which are typically the primary maintained source of employee position information. Since job assignments, promotions, and organizational locations are constantly updated in these systems, EmpowerID relies on this up-to-date data to determine and maintain appropriate roles.

Top-Down Analytical Role Mining Process

EmpowerID inventories all user entitlements and access assignments across systems, not just HR, and optimally aligns them with the business role and location structure. This process involves analyzing how users' existing access fits within predefined business roles. Once EmpowerID identifies the optimal matches, these role-based assignments are published, ensuring they can be managed and updated through automation based on HR data.
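The fit step described above, together with the Separation of Duties simulation mentioned under role design, can be sketched in a few dozen lines. The following Python is an added illustration and not EmpowerID's engine or any of its APIs: the HR position data, the entitlement names, the 75% membership threshold, the two-level role/location tree and the SoD rule pairs are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from any real system).
# HR position data: user -> (business role, organizational location)
HR_POSITIONS = {
    "alice": ("Accountant", "Berlin"),
    "bob":   ("Accountant", "Berlin"),
    "carol": ("Accountant", "Berlin"),
    "dave":  ("Accountant", "Munich"),
    "erin":  ("Treasury Analyst", "Berlin"),
    "frank": ("Treasury Analyst", "Berlin"),
    "gina":  ("AP Clerk", "Berlin"),
    "hank":  ("AP Clerk", "Berlin"),
}

# Inventoried entitlements across all systems: user -> set of entitlements
ENTITLEMENTS = {
    "alice": {"SAP:FI_POST", "SAP:FI_VIEW", "AD:Berlin-Share"},
    "bob":   {"SAP:FI_POST", "SAP:FI_VIEW", "AD:Berlin-Share"},
    "carol": {"SAP:FI_POST", "SAP:FI_VIEW", "AD:Berlin-Share", "SAP:FI_APPROVE"},
    "dave":  {"SAP:FI_POST", "SAP:FI_VIEW", "AD:Munich-Share"},
    "erin":  {"SAP:TR_PAY", "SAP:FI_VIEW"},
    "frank": {"SAP:TR_PAY", "SAP:FI_VIEW", "SAP:FI_APPROVE"},
    "gina":  {"SAP:FI_POST", "SAP:FI_APPROVE"},
    "hank":  {"SAP:FI_POST", "SAP:FI_APPROVE"},
}

# Assumed SoD rule set: entitlement pairs that one role must never combine
SOD_RULES = [
    frozenset({"SAP:FI_POST", "SAP:FI_APPROVE"}),   # post and approve the same journal
    frozenset({"SAP:TR_PAY", "SAP:FI_APPROVE"}),    # pay and approve
]


def fit_to_tree(positions, entitlements, threshold=0.75):
    """Fit inventoried entitlements onto the Business Role / Location tree.

    An entitlement is proposed for a (role, location) node when at least
    `threshold` of that node's members hold it.  Entitlements proposed at
    every location of a role are lifted to the role node; the rest stay
    location-specific.  Returns (role_level, location_level) dicts.
    """
    members = defaultdict(list)
    for user, node in positions.items():
        members[node].append(user)

    node_sets = {}
    for node, users in members.items():
        counts = defaultdict(int)
        for u in users:
            for e in entitlements.get(u, ()):
                counts[e] += 1
        node_sets[node] = {e for e, c in counts.items() if c / len(users) >= threshold}

    by_role = defaultdict(list)
    for (role, _loc), ents in node_sets.items():
        by_role[role].append(ents)
    role_level = {role: frozenset(set.intersection(*sets)) for role, sets in by_role.items()}
    location_level = {node: frozenset(ents - role_level[node[0]])
                      for node, ents in node_sets.items()}
    return role_level, location_level


def effective_role_access(node, role_level, location_level):
    """Entitlements a member of this (role, location) node receives from the tree."""
    return role_level[node[0]] | location_level[node]


def simulate_sod(role_level, location_level, rules):
    """Report every tree node whose effective entitlements violate an SoD rule."""
    violations = []
    for node in location_level:
        ents = effective_role_access(node, role_level, location_level)
        for rule in rules:
            if rule <= ents:
                violations.append((node, tuple(sorted(rule))))
    return violations


def residual_direct_assignments(positions, entitlements, role_level, location_level):
    """Entitlements the tree does not explain; these would remain direct assignments."""
    residual = {}
    for user, node in positions.items():
        extra = entitlements[user] - effective_role_access(node, role_level, location_level)
        if extra:
            residual[user] = frozenset(extra)
    return residual


if __name__ == "__main__":
    roles, locs = fit_to_tree(HR_POSITIONS, ENTITLEMENTS)
    for r, e in roles.items():
        print(f"role {r}: {sorted(e)}")
    for n, e in locs.items():
        if e:
            print(f"location node {n}: {sorted(e)}")
    print("SoD violations:", simulate_sod(roles, locs, SOD_RULES))
    print("residual direct assignments:",
          residual_direct_assignments(HR_POSITIONS, ENTITLEMENTS, roles, locs))
```

With this input the shared SAP entitlements land on the Accountant role node while the file shares stay location-specific, the AP Clerk node is flagged as an SoD conflict before anything is published, and carol's and frank's `SAP:FI_APPROVE` remain as residual exceptions that a top-down pass cannot explain. A real engine tunes the threshold per node and scores several candidate fits; the point here is that fit, simulation and residual reporting are separate checks that all run before publication.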

Top-down role mining covers a large portion of access assignments; bottom-up role mining addresses the remaining, less structured access patterns that change more dynamically.

Bottom-Up Role Mining

While top-down role mining focuses on defining structured roles based on business functions, Bottom-Up Role Mining complements this by optimizing more fluid, unstructured access that isn’t easily categorized by traditional role definitions. This includes access related to team-based or matrix-based structures and exceptions.

EmpowerID’s machine learning algorithms drive Role Mining Campaigns, analyzing user and entitlement data to identify candidate roles. These candidate roles are reviewed, fine-tuned, and either published as Management Roles or mapped to existing business roles and locations. This step ensures that even less formalized access is controlled and optimized alongside structured business roles.
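As an added illustration, not EmpowerID's machine-learning implementation (whose algorithms this page does not describe), the following Python runs a simple greedy campaign over a constructed user-to-entitlement matrix: candidate roles are the entitlement combinations shared by at least two users, and the campaign repeatedly accepts the candidate that explains the most still-direct assignments. It also reports how many direct assignments remain, which is the figure the recertification discussion depends on. The user and entitlement names, the minimum-member and minimum-entitlement thresholds, and the greedy selection are all assumptions.

```python
from itertools import combinations

# Constructed campaign input (not real data): user -> inventoried entitlements
# for team- and project-based access that HR position data does not explain.
CAMPAIGN_USERS = {
    "ivan":  {"Jira:ProjX", "Git:repoX", "Slack:teamX"},
    "judy":  {"Jira:ProjX", "Git:repoX", "Slack:teamX"},
    "ken":   {"Jira:ProjX", "Git:repoX", "Slack:teamX", "VPN:lab"},
    "leo":   {"Jira:ProjY", "Git:repoY"},
    "mia":   {"Jira:ProjY", "Git:repoY"},
    "nina":  {"Jira:ProjY", "Git:repoY", "VPN:lab"},
    "oscar": {"VPN:lab", "Admin:prod"},          # one-off exception
}


def candidate_roles(users, min_users=2, min_entitlements=2):
    """Generate candidate roles from the matrix alone (no HR data).

    Seeds are each user's full entitlement set plus every pairwise
    intersection; a seed survives when enough users hold all of it and it
    carries enough entitlements to be worth publishing as a role.
    Returns {entitlement_set: member_set}.
    """
    seeds = {frozenset(e) for e in users.values()}
    for a, b in combinations(users.values(), 2):
        seeds.add(frozenset(a & b))
    candidates = {}
    for seed in seeds:
        if len(seed) < min_entitlements:
            continue
        members = frozenset(u for u, ents in users.items() if seed <= ents)
        if len(members) >= min_users:
            candidates[seed] = members
    return candidates


def run_campaign(users, min_users=2, min_entitlements=2):
    """Greedy campaign: accept the candidate covering the most uncovered
    (user, entitlement) pairs, repeat until no candidate adds coverage.
    Returns (accepted, uncovered) where accepted is a list of
    (entitlement_set, member_set) and uncovered the pairs left direct."""
    candidates = candidate_roles(users, min_users, min_entitlements)
    uncovered = {(u, e) for u, ents in users.items() for e in ents}
    accepted = []
    while candidates:
        best, best_gain = None, 0
        for ents, members in candidates.items():
            gain = sum(1 for u in members for e in ents if (u, e) in uncovered)
            if gain > best_gain:
                best, best_gain = ents, gain
        if best is None:          # remaining candidates explain nothing new
            break
        members = candidates.pop(best)
        accepted.append((best, members))
        uncovered -= {(u, e) for u in members for e in best}
    return accepted, uncovered


def recertification_summary(users, accepted, uncovered):
    """How much less a manager would have to certify after the campaign."""
    total = sum(len(ents) for ents in users.values())
    return {
        "direct_before": total,
        "direct_after": len(uncovered),
        "roles": len(accepted),
        "reduction_pct": round(100 * (total - len(uncovered)) / total, 1),
    }


if __name__ == "__main__":
    accepted, uncovered = run_campaign(CAMPAIGN_USERS)
    for ents, members in accepted:
        print("candidate role", sorted(ents), "members", sorted(members))
    print("left as direct assignments:", sorted(uncovered))
    print(recertification_summary(CAMPAIGN_USERS, accepted, uncovered))
```

The two project teams come out as candidate roles, while the scattered `VPN:lab` grants and oscar's production admin access stay direct; that residue is exactly what an analyst reviews and either maps to an existing Business Role or accepts as an exception. The greedy choice is deterministic here because no two candidates tie on coverage; a production campaign needs explicit tie-breaking and an analyst-facing view of every candidate before acceptance.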

By combining top-down and bottom-up techniques, EmpowerID provides a comprehensive solution to role mining that covers all areas of user access.

Streamlining Recertification

One key advantage of EmpowerID’s role mining and optimization is its impact on the recertification process. After defining roles through top-down and bottom-up mining, organizations can significantly reduce the number of direct access assignments that managers need to certify. This shift minimizes the administrative burden while improving overall security.

EmpowerID’s approach can reduce the number of direct assignments by up to 80%, presenting managers with a compact list of business-friendly roles to certify. This streamlines the recertification process and ensures managers review roles rather than individual entitlements, making compliance much easier to maintain.

Recertification isn’t the only area where EmpowerID integrates with external systems to simplify role management. EmpowerID also supports organizations working with external role management tools, allowing for even more flexibility in managing access.

Role Modeling Inbox

For organizations that work with external role management tools or consultants, EmpowerID provides the Role Modeling Inbox. This feature integrates external role designs and access changes into EmpowerID, where they are processed using configurable rules. Depending on your organization's governance needs, these changes can be automatically applied or routed through workflow approval processes.
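The configurable rules that decide between automatic application and workflow approval can be pictured as a small decision function over each inbox item. The Python below is an added example and not the product's rule engine or inbox format: the item shape, the trusted-source list, the high-risk entitlement list, the SoD rule and the current role definitions are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InboxItem:
    """One change published into the inbox by an external role-modeling tool (assumed shape)."""
    source: str        # publishing tool or consultant workspace
    role: str          # target role
    action: str        # "add" or "remove"
    entitlement: str


# Constructed current state and governance settings (not real data)
CURRENT_ROLES = {
    "Accountant": {"SAP:FI_POST", "SAP:FI_VIEW"},
    "Treasury Analyst": {"SAP:TR_PAY", "SAP:FI_VIEW"},
}
TRUSTED_SOURCES = {"RoleDesigner"}
HIGH_RISK = {"SAP:FI_APPROVE", "AD:Domain Admins"}
SOD_RULES = [frozenset({"SAP:FI_POST", "SAP:FI_APPROVE"})]


def route(item, roles):
    """Decide how an inbox item is handled: ('auto' | 'approval' | 'reject', reason).

    Order matters: provenance first, then structural checks, then risk.
    Removals only reduce access and are applied automatically.
    """
    if item.source not in TRUSTED_SOURCES:
        return "reject", "unknown publishing source"
    if item.action not in ("add", "remove"):
        return "reject", "unsupported action"
    if item.role not in roles:
        return "approval", "creates a new role"
    if item.action == "remove":
        return "auto", "removal only reduces access"
    proposed = roles[item.role] | {item.entitlement}
    for rule in SOD_RULES:
        if rule <= proposed:
            return "reject", "would create SoD conflict " + "/".join(sorted(rule))
    if item.entitlement in HIGH_RISK:
        return "approval", "high-risk entitlement"
    return "auto", "low-risk addition"


def process_inbox(items, roles):
    """Apply auto-approved items to a copy of `roles` in inbox order.

    Returns (decisions, new_roles); decisions is a list of (item, decision, reason)
    so that approval-routed and rejected items can be surfaced to a workflow.
    """
    roles = {r: set(e) for r, e in roles.items()}
    decisions = []
    for item in items:
        decision, reason = route(item, roles)
        if decision == "auto":
            if item.action == "add":
                roles[item.role].add(item.entitlement)
            else:
                roles[item.role].discard(item.entitlement)
        decisions.append((item, decision, reason))
    return decisions, roles


# Constructed inbox contents
INBOX = [
    InboxItem("RoleDesigner", "Accountant", "add", "AD:Finance-Share"),
    InboxItem("RoleDesigner", "Accountant", "add", "SAP:FI_APPROVE"),
    InboxItem("RoleDesigner", "Treasury Analyst", "add", "SAP:FI_APPROVE"),
    InboxItem("RoleDesigner", "Treasury Analyst", "remove", "SAP:FI_VIEW"),
    InboxItem("RoleDesigner", "Auditor", "add", "SAP:FI_VIEW"),
    InboxItem("Spreadsheet", "Accountant", "add", "SAP:FI_VIEW"),
]


if __name__ == "__main__":
    decisions, new_roles = process_inbox(INBOX, CURRENT_ROLES)
    for item, decision, reason in decisions:
        print(f"{decision:8} {item.action} {item.entitlement} -> {item.role}: {reason}")
    print(new_roles)
```

Because the SoD check runs against the role as it would look after the change, an upstream design that quietly combines posting and approval is rejected rather than queued, while a high-risk addition that breaks no rule still waits for a human approver. Changes are applied to a copy, so the current role definitions are untouched until the decision is made.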

Leverage Existing Sources of Business Role Information

Establishing business roles and organizational locations is typically the initial step in many EmpowerID implementations. The primary sources for this data include an organization’s HR or Human Capital Management (HCM) system and Active Directory. Systems such as Workday, SuccessFactors, and SAP HCM provide a structured overview of the organization and the positions occupied by employees, facilitating the analysis process.

EmpowerID inventories these external roles and user assignments using its connector capabilities. Once this data is imported into the EmpowerID system, it is used to create an initial Business Role and organizational location tree for top-down analytical role mining.

This foundational information is crucial once roles are defined and access policies are assigned. Changes in the authoritative systems will automatically trigger a reevaluation and adjustment of access for each user, minimizing the need for manual administration. Additionally, EmpowerID conducts Separation of Duties (SoD) simulations during role design to ensure that proposed roles do not have inherent SoD conflicts.

Top Down Analytical Role Mining

Top Down Analytical Role Mining is a technique invented by the EmpowerID team after many years of experience with analyzing many organizations’ security models and sources of data. Compliant Access requires that the entitlements granted are appropriate for the position. For organizations with HR systems, the only maintained source for employee position information is the HR system itself. The assignment of users to positions and organizational locations will be maintained and will continue to change regardless of how well role assignments are maintained in IGA. Therefore, this source of up-to-date data is valuable and should be used to drive the initial determination of roles and role-based access policies and to maintain changes in users' assignments to roles in whatever manner possible.

Top Down Analytical Role Mining leverages the rough skeleton of the Business Roles within the organization and the knowledge concerning which users occupy those positions within different portions of the company. In addition to this HR-related information, EmpowerID inventories all the entitlements and access assignments for each user in every system. EmpowerID then uses a sophisticated analytical technique to optimally fit existing user access assignments on the Business Role and Location tree. Once the optimal matches are identified, they can be published as role-based assignments automated by HR data.

Bottom Up Role Mining

After completing top down role mining, much of each user’s access will be delivered and controlled via Business Roles. The top down model is effective for optimizing access based on what a person does within an organization. The remaining unoptimized access assigned to users consists of less structured team or matrix-based access and exceptions. This access can also be optimized using a technique known as bottom up analytical role mining. Bottom up role mining is a multi-step process that involves creating, running and analyzing "Role Mining Campaigns." Role Mining Campaigns analyze entitlement and user data using powerful machine learning algorithms to produce optimal "candidate roles" containing combinations of people and entitlements. These are then analyzed and accepted or manipulated to create subsets of combinations. Once candidate roles are accepted, they can be published as standalone Management Roles, mapped to Business Roles and Locations, or used to create new Business Roles and Locations.

Streamline Recertification

Role Mining and Optimization assists organizations by minimizing the number of security roles, reducing administrative workloads, and streamlining audit recertification campaigns. Without role optimization, managers are faced with the daunting task of certifying hundreds of individual technical entitlements per direct report. A role optimization program can reduce the number of direct assignments by 80% and present managers with a compact list of business-friendly roles to certify. Security becomes more manageable, and the organization’s risk profile is minimized.

Role Modeling Inbox

For organizations working with consultants or other role-modeling tools, EmpowerID supports leveraging the roles and locations designed in those tools. The Role Modeling Inbox integrates external role and access management with EmpowerID by providing a set of inboxes for publishing roles and access changes. Configurable rules within EmpowerID determine whether these upstream decisions are implemented automatically or go through workflow approval processes before becoming active.

See Also

Bottom Up Role Mining
