Role Mining Overview

Role Mining and Optimization

Compliant Access by design is the capability to map out in advance the position-appropriate access for employees, partners, and customers, together with the risk policies that will measure and ensure continued compliance. Defining position-appropriate access for a large organization can be a daunting task and can lead to project delays. However, without this guideline IT organizations are forced to resort to costly and inefficient manual processes that create security vulnerabilities. EmpowerID’s Role Mining engine solves this challenge by recommending an optimal initial set of roles, based on a combination of an organization’s existing HR job position data and its existing access assignments. Once initial roles are established, they immediately begin to evolve due to changes in the business environment such as re-organizations, mergers and acquisitions. EmpowerID’s role optimization functionality assists with maintaining roles and ensuring that they grant the optimal least privilege access.

Leverage Existing Sources of Business Role Information

Establishing Business Roles and organizational locations is usually the starting point for many EmpowerID projects. The best sources for this data are usually an organization’s HR or Human Capital Management (HCM) system and Active Directory. HR systems such as Workday, SuccessFactors, or SAP HCM maintain a rough organization structure and the positions occupied by all employees, which is enough to get the analysis started. EmpowerID’s out-of-the-box connector model inventories these “external roles” and locations and which users are assigned to each. Once this data resides within the EmpowerID system, it can be used to generate an initial Business Role and organization location tree for “top down analytical” role mining analysis. This information also becomes a key driver later, once roles are defined and access policies are assigned, to ensure continuous Compliant Access Delivery: changes in the authoritative system trigger reevaluation and adjustment of Compliant Access for each user without laborious and expensive manual administration. In addition, EmpowerID performs SOD simulation during role design to ensure proposed roles have no inherent SOD conflicts.

“Top Down Analytical” Role Mining

“Top Down Analytical” Role Mining is a technique invented by the EmpowerID team after many years of experience with analyzing many organizations’ security models and sources of data. Compliant Access requires that the entitlements granted are appropriate for the position. For organizations with HR systems the only maintained source for employee position information is the HR system itself. Assignment of users to positions and organizational locations will be maintained and continue to change regardless of how well role assignments are maintained in IGA. Therefore, this source of up to date data is valuable and should be used to both drive the initial determination of roles and role-based access policies as well as to maintain changes in the assignments of users to roles in whatever manner possible.

Top Down Analytical Role Mining leverages the rough skeleton of the Business Roles within the organization and the knowledge of which users occupy those positions within different portions of the company. In addition to this HR-related information, EmpowerID inventories all the entitlements and access assignments for each user in every system. EmpowerID then uses a sophisticated analytical technique to optimally fit existing user access assignments onto the Business Role and Location tree. Once the optimal matches are identified, they can be published as role-based assignments automated by HR data.

Bottom Up Role Mining

After completing top down role mining, much of each user’s access will be delivered and controlled via Business Roles. The top down model is effective for optimizing access based on what a person does within an organization. The remaining unoptimized access assigned to users consists of less structured team or matrix-based access and exceptions. This access can also be optimized using a technique known as bottom up analytical role mining. Bottom up role mining is a multi-step process that involves creating, running and analyzing "Role Mining Campaigns." Role Mining Campaigns analyze entitlement and user data using machine learning algorithms to produce optimal "candidate roles" containing combinations of people and entitlements. These are then analyzed and accepted, or manipulated to create subsets of combinations. Once candidate roles are accepted, they can be published as standalone Management Roles, mapped to Business Roles and Locations, or used to create new Business Roles and Locations.
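The three stages described above (top down fit onto the HR role and location tree, bottom up mining of the residual access, and design-time SOD simulation) as one added, self-contained example; this is illustrative code written for this page, not EmpowerID's engine, and the fit heuristic (a per-node coverage threshold), the candidate-role grouping, the user, entitlement and SOD data are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from EmpowerID): user -> (Business Role, Location)
HR_POSITIONS = {
    "alice": ("Accountant", "NYC"), "bob": ("Accountant", "NYC"),
    "carol": ("Accountant", "NYC"), "dave": ("Engineer", "NYC"),
    "erin": ("Engineer", "NYC"), "frank": ("Controller", "NYC"),
    "grace": ("Controller", "NYC"),
}
# user -> entitlements inventoried across all connected systems (constructed)
ACCESS = {
    "alice": {"GL_READ", "GL_POST", "VPN", "PROJ_X"},
    "bob": {"GL_READ", "GL_POST", "VPN", "PROJ_X"},
    "carol": {"GL_READ", "GL_POST", "VPN"},
    "dave": {"GIT", "VPN", "PROJ_X"},
    "erin": {"GIT", "VPN", "GL_APPROVE"},
    "frank": {"GL_POST", "GL_APPROVE", "VPN"},
    "grace": {"GL_POST", "GL_APPROVE", "VPN"},
}
# Constructed SOD rule: posting and approving journals must not share a role
SOD_RULES = [("GL_POST", "GL_APPROVE")]

def top_down(hr, access, threshold=0.8):
    """Assumed fit heuristic (not EmpowerID's engine): promote an entitlement to a
    role-based policy on a (role, location) node when >= threshold of occupants hold it."""
    occupants = defaultdict(list)
    for user, node in hr.items():
        occupants[node].append(user)
    policies = {}
    for node, users in occupants.items():
        counts = Counter(e for u in users for e in access.get(u, ()))
        policies[node] = {e for e, n in counts.items() if n / len(users) >= threshold}
    return policies

def residual(hr, access, policies):
    """Access the Business Role policies do not explain: team access and exceptions."""
    return {u: access[u] - policies[hr[u]] for u in access}

def bottom_up(resid, min_users=2):
    """Candidate roles: identical residual sets shared by >= min_users (simple stand-in for clustering)."""
    groups = defaultdict(set)
    for user, ents in resid.items():
        if ents:
            groups[frozenset(ents)].add(user)
    return {ents: users for ents, users in groups.items() if len(users) >= min_users}

def sod_conflicts(entitlements, rules=SOD_RULES):
    """Design-time SOD simulation: toxic pairs bundled inside one proposed role."""
    return [pair for pair in rules if set(pair) <= set(entitlements)]
```

Running `top_down` then `bottom_up` on the residual leaves only erin's lone GL_APPROVE as a direct exception, while the Controller node's proposed role is flagged by `sod_conflicts` before it is published.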

Streamline Recertification

Role Mining and Optimization assists organizations by minimizing the number of security roles, reducing administrative workloads, and streamlining audit recertification campaigns. Without role optimization, managers are faced with the daunting task of certifying hundreds of individual technical entitlements per direct report. A role optimization program can reduce the number of direct assignments by 80% and present managers with a compact list of business-friendly roles to certify. Security becomes more manageable and the organization’s risk profile is minimized.

Role Modeling Inbox

For organizations working with consultants and other role modeling tools, EmpowerID supports leveraging the roles and locations designed in these systems. The Role Modeling Inbox integrates external role and access management with EmpowerID by providing a set of inboxes into which roles and access changes can be published. Configurable rules within EmpowerID determine if these upstream decisions are automatically put into effect or go through workflow approval processes before becoming active.