Bottom Up Role Mining Overview

Bottom Up Role Mining

After completing top down role mining, much of each user’s access will be delivered and controlled via Business Roles. The top down model is effective for optimizing access based on what a person does within an organization. The remaining unoptimized access assigned to users consists of less structured team or matrix-based access and exceptions. This access can also be optimized using a technique known as bottom up analytical role mining. Bottom up role mining is a multi-step process that involves creating, running and analyzing "Role Mining Campaigns." Role Mining Campaigns analyze entitlement and user data using powerful machine learning algorithms to produce optimal "candidate roles" containing combinations of people and entitlements. These are then analyzed and accepted or manipulated to create subsets of combinations. Once candidate roles are accepted, they can be published as standalone Management Roles, mapped to Business Roles and Locations or used to create new Business Roles and Locations.

In EmpowerID, bottom up role mining is a multi-step process that involves creating, running and analyzing "Role Mining Campaigns." Role Mining Campaigns produce "candidate roles" containing combinations of people and entitlements, which can then be analyzed and accepted or manipulated to create subsets of combinations. Once candidate roles are accepted, they can be published as standalone Management Roles, mapped to Business Roles and Locations or used to create new Business Roles and Locations. At a high level, the process you need to follow to mine roles is represented by the image below.



The above image depicts two Role Mining campaigns. In the first campaign, candidate roles are analyzed and used to create a standalone Management Role as well as a Management Role that is mapped to an existing Business Role and Location. In the second campaign, candidate roles are analyzed and used to create a standalone Management Role and a new Business Role and Location. The specific steps involved are as follows:

  1. Step 1 — You create, configure and compile Role Mining Campaigns with selections of people, attributes and entitlements based on RBAC groupings, such as all people in specific Business Roles and Locations, Query-Based Collections and Group memberships. Compiling the campaigns captures the entitlements and selected attributes of each person in the specified RBAC grouping and saves that data to the EmpowerID Identity Warehouse.

  2. Step 2 — You review the compiled campaign data, optionally slicing that data into subsets, and, when ready, create "runs." Runs, in turn, create candidate roles which contain the users and entitlements you specified in the campaign.

  3. Step 3 — You analyze the run results and either discard or publish the candidate roles created by those runs.
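To make the idea of a candidate role concrete, the following added example (not EmpowerID code and not the algorithm EmpowerID uses) mines candidate roles from a small person-to-entitlement snapshot by intersecting entitlement sets, then shows what direct access is left over once some candidates are accepted. The names, entitlements, thresholds and function names are all constructed for illustration.

```python
# Constructed sample: person -> entitlements not already delivered by Business Roles.
ASSIGNMENTS = {
    "alice": {"git-write", "jira-admin", "vpn"},
    "bob": {"git-write", "jira-admin", "vpn", "prod-db-read"},
    "carol": {"git-write", "jira-admin"},
    "dave": {"sap-fi", "vpn"},
    "erin": {"sap-fi", "vpn", "prod-db-read"},
}


def mine_candidate_roles(assignments, min_users=2, min_entitlements=2):
    """Return [(entitlements, members)] for every shared entitlement bundle."""
    # Start from each person's full set and intersect until no new bundle appears.
    candidates = {frozenset(e) for e in assignments.values()}
    frontier = set(candidates)
    while frontier:
        new = {a & b for a in frontier for b in candidates} - candidates - {frozenset()}
        candidates |= new
        frontier = new
    roles = []
    for ents in candidates:
        members = frozenset(u for u, e in assignments.items() if ents <= e)
        if len(ents) >= min_entitlements and len(members) >= min_users:
            roles.append((ents, members))
    # Rank by the number of direct assignments the role would replace;
    # tie-break on entitlement names so the output order is stable.
    roles.sort(key=lambda r: (-len(r[0]) * len(r[1]), sorted(r[0])))
    return roles


def residual_access(assignments, accepted_roles):
    """Entitlements each person still holds directly once accepted roles apply."""
    left = {}
    for user, ents in assignments.items():
        granted = set()
        for role_ents, members in accepted_roles:
            if user in members:
                granted |= role_ents
        if ents - granted:
            left[user] = ents - granted
    return left


if __name__ == "__main__":
    roles = mine_candidate_roles(ASSIGNMENTS)
    for ents, members in roles:
        print(sorted(ents), "->", sorted(members))
    print("still direct:", residual_access(ASSIGNMENTS, roles[:2]))
```

Anything `residual_access` returns is access that no accepted role explains, which is the list a reviewer should treat as exceptions to justify or remove rather than fold into a role.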


Next Steps

Configure Role Mining

Create Campaigns

Configure Campaigns

Create Campaign Runs

Analyze Run Results

Publish Candidate Roles