Role Mining Overview

EmpowerID’s Role Mining engine solves the challenge of determining an optimal initial set of roles, based on the organization’s existing access assignments. Sophisticated machine learning algorithms uncover the existing “implicit” roles already in use within an organization by analyzing the current access assignments of its users. These existing roles become the starting point for defining standardized access roles and adopting role-based access control (RBAC).

EmpowerID supports both the more common "bottom-up analytical" approach, in which machine learning is applied to existing entitlements to uncover and visualize clusters of access, and a newer approach we are dubbing "top-down analytical role mining." In the top-down analytical model, an organization's existing role and location hierarchy from an external system such as Workday or SAP HCM is used as the basis of the analysis. The idea is that this structure already exists and is maintained independently of the IAM system, following its own course. EmpowerID uses analytical techniques to take the bottom-up entitlement data (who has access to what) and fit these assignments as optimally as possible onto the Role and Location tree from SAP or another system.

The algorithm starts with each entitlement at the bottom of the two trees (the most specific roles and locations) and crawls up each tree until it finds the highest point at which the entitlement could be assigned such that all the people in that role and location, and in their children, would have it. Assigning the entitlement by that Role and Location at this level produces no net change in access but makes the entitlement role-managed. Customers can add tolerances and optimize placement by not requiring a 100% match but accepting something less, such as a 90% match. Once the desired match is found, the customer can choose to publish it as an RBAC-managed assignment.
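The upward crawl described above, as an added example in Python (not EmpowerID's own code). It assumes a single combined hierarchy in place of the separate Role and Location trees, and uses constructed sample people and entitlements; it also reports who would newly gain access when a tolerance below 100% is accepted, which is the access-review cost of that tolerance.

```python
from collections import defaultdict

# Constructed sample hierarchy (child -> parent, root maps to None). The product
# climbs separate Role and Location trees; this example collapses them into one.
PARENT = {"Company": None, "Finance": "Company", "Engineering": "Company",
          "Accounting": "Finance", "Treasury": "Finance",
          "Backend": "Engineering", "Frontend": "Engineering"}
# Constructed sample assignments: each person's node and their entitlements.
PERSON_NODE = {"ann": "Accounting", "bob": "Accounting", "cat": "Treasury",
               "dan": "Backend", "eve": "Backend", "fay": "Frontend"}
HAS = {"ann": {"erp_read", "erp_post"}, "bob": {"erp_read"}, "cat": {"erp_read"},
       "dan": {"git", "erp_read"}, "eve": {"git"}, "fay": {"git", "jira"}}

def ancestors(node, parent=PARENT):
    """Path from node up to the root, inclusive (most specific first)."""
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return path

def subtree_members(person_node=PERSON_NODE, parent=PARENT):
    """node -> set of people in that node or any of its descendants."""
    members = defaultdict(set)
    for person, node in person_node.items():
        for n in ancestors(node, parent):
            members[n].add(person)
    return members

def place_entitlement(ent, threshold=1.0, person_node=PERSON_NODE, has=HAS, parent=PARENT):
    """Return (placements, new_grants, unplaced) for one entitlement.
    placements: highest nodes whose subtree coverage >= threshold (dropping any
    node that already has a chosen ancestor); new_grants: people who would newly
    receive `ent` if those placements were published (the cost of a tolerance
    below 100%); unplaced: holders whose own node fails the threshold, so their
    assignment stays a direct one."""
    members = subtree_members(person_node, parent)
    holders = {p for p, ents in has.items() if ent in ents}
    chosen, unplaced = set(), set()
    for person in holders:
        best = None
        for node in ancestors(person_node[person], parent):   # crawl upward
            covered = len(members[node] & holders) / len(members[node])
            if covered < threshold:
                break                                          # highest point passed
            best = node
        if best is None:
            unplaced.add(person)
        else:
            chosen.add(best)
    placements = {n for n in chosen if not (set(ancestors(n, parent)[1:]) & chosen)}
    new_grants = set().union(*(members[n] for n in placements)) - holders
    return placements, new_grants, unplaced
```

With a 100% match, erp_read lands on Finance and dan's direct grant stays unplaced; relaxing the tolerance to 50% pushes it to Company, at the price of granting erp_read to eve and fay.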

Role Mining allows enterprises to analyze the access to resources that users within their organization have and, based on that analysis, create Management Roles that reflect common access level assignments for specific groups of users. There are two approaches to role mining, top-down and bottom-up. The top-down approach involves analyzing current business processes to determine what Management Roles users need to perform their tasks, and is often linked to user attributes. For example, this approach could begin with the question, "What do managers in location X require?" Once the answer is derived, a role with the needed entitlements can be created for every person with those attributes. The bottom-up approach, on the other hand, looks at the common access level assignments that already exist within the organization and, based on that analysis, creates Management Roles.

In EmpowerID, role mining is a multi-step process that involves creating, running and analyzing "Role Mining Campaigns." Role Mining Campaigns produce "candidate roles" containing combinations of people and entitlements, which can then be analyzed and accepted, or manipulated to create subsets of those combinations. Once candidate roles are accepted, they can be published as standalone Management Roles, mapped to Business Roles and Locations, or used to create new Business Roles and Locations. From a high level, the process you need to follow to mine roles is represented by the image below.

The above image depicts two Role Mining campaigns. In the first campaign, candidate roles are analyzed and used to create a standalone Management Role as well as a Management Role that is mapped to an existing Business Role and Location. In the second campaign, candidate roles are analyzed and used to create a standalone Management Role and a new Business Role and Location. The specific steps involved are as follows:

  1. Step 1 — You create, configure and compile Role Mining Campaigns with selections of people, attributes and entitlements based on RBAC groupings, such as all people in specific Business Roles and Locations, Query-Based Collections and Group memberships. Compiling the campaigns captures the entitlements and selected attributes of each person in the specified RBAC grouping and saves that data to the EmpowerID Identity Warehouse.
  2. Step 2 — You review the compiled campaign data, optionally slicing that data into subsets, and when ready create "runs." Runs, in turn, create candidate roles that contain the users and entitlements you specified in the campaign.
  3. Step 3 — You analyze the run results and either discard or publish the candidate roles created by those runs.

The topics in this section take you through each of these steps, showing you how to get started with Role Mining in your environment.