Configure Top-Down Role Mining

Top-Down Role Mining in EmpowerID allows organizations to optimize group memberships by leveraging existing role and group data from authoritative systems, such as HR systems. This article provides step-by-step instructions on how to run the process and analyze the resulting data effectively.

Prerequisites

Before running Top-Down Role Mining, ensure the following:

  1. Establish the Role Structure: EmpowerID establishes the role structure using data from your authoritative systems, such as HR systems. This foundational setup is crucial for ensuring that user roles and access are accurately defined.

  2. Create Set Groups of Groups: It is recommended that users create set groups of groups to streamline the role mining process. This allows for more targeted analysis and improves the efficiency of the role assignment process. For detailed instructions on creating sets and set groups, please refer to Query Based Collections.

Procedure

Step 1 – Accessing the Top-Down Role Mining Feature

  1. On the navbar, navigate to Role Management > Role Mining.

  2. Select the Top Down Mining tab.

Key UI Elements

Before proceeding, familiarize yourself with the following UI Elements:

Restrict Analysis to SetGroup of Groups
  Description: Used to filter the role mining analysis to the specified SetGroup of groups. If left empty, the system analyzes all inventoried groups for possible matches.
  Usage: Select the relevant SetGroup. If empty, all groups are analyzed.

Exclude RBAC Assigned
  Description: Select this option (recommended) to exclude analysis of groups with existing policies that grant users membership based on RBAC settings.
  Usage: Check this box to exclude existing RBAC-assigned roles.

Exclude Dynamic Groups
  Description: Excludes EmpowerID dynamic groups from the role mining analysis. Enabling this option does not exclude dynamic groups from systems like Azure. It is recommended that you check this box to enable this option.
  Usage: Check this box to exclude EmpowerID dynamic groups.

Search Field
  Description: Filters compilation results to the specified group.
  Usage: Enter the name of the desired group.

Compile Button
  Description: Compiles the selected SetGroup of Groups as specified. If a SetGroup of Groups is not specified, the engine compiles all groups. After the initial compilation of data, subsequent compilations show appended results if changes have occurred.
  Usage: Click to initiate the compilation.

Approve Button
  Description: Used to approve selected matches returned by the system.
  Usage: Click to approve selected matches.

Publish Button
  Description: Used to publish selected and approved matches as role mining rules.
  Usage: Click to publish selected role mining rules that have been approved.

Step 2 – Running the Compilation Process

  1. Restrict Analysis to SetGroup of Groups: Select the SetGroup containing the groups you want to analyze. If left empty, EmpowerID analyzes all groups in the system.
    If the data is recompiled, the results will be appended to existing results.

  2. Exclude RBAC Assigned: Select this option (recommended) to exclude analysis of groups with existing policies that grant users membership based on RBAC settings.

  3. Exclude Dynamic Groups: Select this option (recommended) to exclude EmpowerID dynamic groups from the role mining analysis.

  4. Click Compile.

    Once the system completes the compilation, you should see a “Finished Compiling” message.

  5. Click the dropdown on the Search field to open the advanced search options.

    You should see the following advanced search parameters:

Min % Role Match
  Description: Minimum percentage of users in the role that must match group criteria.
  Usage: Enter a percentage between 0 and 100.
  Default Value: 40

Minimum # People
  Description: Minimum number of users required in a group for consideration.
  Usage: Enter an integer value.
  Default Value: 2

Min % of People in Group
  Description: Minimum percentage match required between users and associated role.
  Usage: Enter a percentage between 0 and 100.
  Default Value: 60

Ignore Parent if Drops More Than %
  Description: Excludes parent roles from the analysis based on a percentage drop.
  Usage: Enter a percentage threshold.
  Default Value: 30

Business Role and Location
  Description: Filters results to the specified role and location.
  Usage: Optionally, enter a Business Role and Location.
  Default Value: Blank

Group
  Description: Filters results to the specified group. If a value is entered in this field, the group specified in the main search field is ignored.
  Usage: Optionally, enter a group name.
  Default Value: Blank

  6. Adjust the search parameters to meet your requirements, such as:

    • MIN % Role Match: 70%

    • Minimum # People: 2

    • MIN % of People in Group: 60%

    • Ignore Parent if Drops More Than %: 30%

    • Group: Limit the search results to the specified group

  7. Click the Advanced Search button to view the results.
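
To make the effect of the four numeric thresholds concrete, here is an added example in Python. It is not EmpowerID code and does not reproduce the engine's real scoring; the parameter semantics are assumptions read from the descriptions above (Min % Role Match as the share of a role's people who are in the group, Min % of People in Group as the share of the group's members who are in the role, Minimum # People as the size of the overlap, and Ignore Parent if Drops More Than % as dropping a parent role whose match percentage falls more than the threshold below its child's). The role names, group names, person ids, and the parent/child hierarchy are all constructed, and the `exclude_groups` set stands in for the Exclude RBAC Assigned and Exclude Dynamic Groups checkboxes.

```python
# Added example, not EmpowerID's own code: a toy top-down role mining pass
# showing how the advanced search thresholds decide which (role, group)
# pairs surface as candidates. All data below is constructed. Parameter
# semantics are assumptions taken from the parameter descriptions:
#   Min % Role Match                   = % of the role's people in the group
#   Minimum # People                   = people in both the role and the group
#   Min % of People in Group           = % of the group's members in the role
#   Ignore Parent if Drops More Than % = drop a parent role's candidate when
#       its role-match % is lower than its child's by more than the threshold
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    role: str             # Business Role and Location
    group: str
    role_match_pct: float
    group_pct: float
    people: int           # people in both the role and the group


def mine(roles, groups, parents=None, *, min_role_match=40.0, min_people=2,
         min_group_pct=60.0, parent_drop=30.0, exclude_groups=()):
    """Return candidate (role, group) matches that pass every threshold.

    roles:          {role name: set of person ids}
    groups:         {group name: set of person ids}
    parents:        {child role: parent role}  (assumed hierarchy, for pruning)
    exclude_groups: groups left out, e.g. already RBAC-assigned or dynamic ones
    """
    parents = parents or {}
    excluded = set(exclude_groups)
    found = {}
    for group, members in groups.items():
        if group in excluded or not members:
            continue
        for role, people in roles.items():
            if not people:
                continue
            both = people & members
            if len(both) < min_people:
                continue
            role_match = 100.0 * len(both) / len(people)
            group_pct = 100.0 * len(both) / len(members)
            if role_match < min_role_match or group_pct < min_group_pct:
                continue
            found[(role, group)] = Candidate(role, group, round(role_match, 2),
                                             round(group_pct, 2), len(both))
    # Parent pruning (assumed reading): when a child role explains the group
    # much better than its parent, the broader parent candidate is ignored.
    for (role, group), cand in list(found.items()):
        parent = parents.get(role)
        parent_cand = found.get((parent, group)) if parent else None
        if parent_cand and cand.role_match_pct - parent_cand.role_match_pct > parent_drop:
            found.pop((parent, group), None)
    return sorted(found.values(), key=lambda c: (c.group, c.role))


def search(candidates, role=None, group=None):
    """Mirror the Business Role and Location / Group filters of the search."""
    return [c for c in candidates
            if (role is None or c.role == role) and (group is None or c.group == group)]


# Constructed sample data (not real tenant data).
ROLES = {
    "Engineering":         {"alice", "bob", "carol", "dave", "erin", "frank"},
    "Engineering\\Berlin": {"alice", "bob", "carol"},
    "Engineering\\Austin": {"dave", "erin", "frank"},
    "Finance\\Austin":     {"grace", "heidi"},
}
PARENTS = {"Engineering\\Berlin": "Engineering", "Engineering\\Austin": "Engineering"}
GROUPS = {
    "Berlin-VPN":      {"alice", "bob", "carol", "grace"},
    "All-Engineers":   {"alice", "bob", "carol", "dave", "erin", "frank"},
    "Ops-Oncall":      {"alice", "dave"},
    "Finance-Share":   {"grace", "heidi", "ivan"},
    "Dyn-Contractors": {"grace", "heidi", "judy"},   # stands in for a dynamic group
}
EXCLUDED = {"Dyn-Contractors"}

if __name__ == "__main__":
    for c in mine(ROLES, GROUPS, PARENTS, exclude_groups=EXCLUDED):
        print(f"{c.role:22} -> {c.group:15} role match {c.role_match_pct:6.2f}% "
              f"group {c.group_pct:6.2f}% people {c.people}")
```

With the page's defaults (40 / 2 / 60 / 30) the sample yields three candidates: the Berlin sub-role for Berlin-VPN (its parent Engineering also matches at 50%, but is pruned because the child is 50 points better), Engineering for All-Engineers (the sub-roles are dropped because they cover only half the group), and Finance\Austin for Finance-Share. Ops-Oncall never qualifies because no role reaches 40% membership in it, and the dynamic stand-in group only appears when the exclusion is switched off.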

If the results show a good match:

  1. Check the box to select the record.

  2. Click Approve.

    A “Finished Approving!” message will appear.

  3. Click Publish.

    You should see a “Finished Publishing!” message.

For this article, the analysis was conducted using the EmpowerID UI for simplicity. In real-world scenarios involving larger data sets, it is recommended to analyze the compiled results in Excel. You can download the data by clicking the Download Report button.

Expected Results

EmpowerID creates a new RBAC Group Membership policy that places all people in the Business Role and Location into the group as members. Each time a new person is added to the Business Role and Location, they will automatically be added to the group.

You can verify the rule by:

  • Viewing Access to Groups on the View One page for the Business Role and Location.

  • Viewing RBAC Access to This Resource on the View One page for the group.

Viewing the Access to Groups for the Business Role and Location

  1. Right-click the Business Role and Location link for the rule you published and select Open link in new tab to open the View One page for the Business Role and Location in a new tab.

  2. On the View One page for the Business Role and Location, click the Advanced tab and then select the Access sub-tab.

  3. Expand the Access to Groups accordion and select the Mandatory tab.

  4. Use the right search field to search for the group. You should see it in the grid.

Viewing the RBAC Access to the Group

  1. Right-click the Group link for the rule you published and select Open link in new tab to open the View One page for the group in a new tab.

  2. On the View One page for the group, click the Advanced tab and then select the RBAC sub-tab.

  3. Expand the RBAC Access to This Resource accordion.

  4. Select the Resource Delegations tab and then select Business Role and Location from the To Which Type of Actor Do You Wish to Assign Access? dropdown.

  5. Search for the Business Role and Location targeted by the role mining rule. You should see that the Business Role and Location has the Member access level.

Testing the Role Mining Rule

To test the new rule:

  1. Navigate to the View One page for the Business Role and Location as before.

  2. Select the Advanced tab and then select the Members sub-tab.

  3. Expand the All People in Business Role and Location accordion.

  4. Enter the name of a person in the left search field and then click the tile for that person.

  5. Click Submit.

  6. After EmpowerID processes the operation, navigate to the View One page for the group targeted by the role mining rule.

  7. On the group’s View One page, click the Advanced tab and then select the RBAC sub-tab as before.

  8. Expand the RBAC Access to This Resource accordion and select the Resultant Access to Resource tab.

  9. Select Member from the Select Access Level to check field.

  10. In the Person field, enter the name of the person you added to the Business Role and Location and click the tile for that person.

  11. Click Search. You should see the person has the Member access level granted.

  12. To verify that the assignment is based on the person belonging to the Business Role and Location targeted by the role mining rule, click the View Assignment link.

  13. You will be directed to the View One Actor Security page for the assignment. From there you should see that the person gained the assignment by belonging to the target Business Role and Location.

In addition, you will see the numbers increment accordingly on the record for the Top-Down Role Mining rule.
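
The following added example (not EmpowerID code) models what the Expected Results section and the test above verify through the UI: a published rule acts as a group membership policy, every person in the Business Role and Location resolves to Member of the group, the assignment carries the role it came from (what the View Assignment link shows), and the rule's count grows when a person is added to the role. The rule, role and person names are constructed, and the functions `resultant_access`, `member_access`, `rule_hits` and `add_to_role` are this example's own.

```python
# Added example, not EmpowerID's own code: a small evaluator for the kind of
# RBAC Group Membership policy a published role mining rule creates. It
# models the verification steps above: who is a Member of a group, via which
# Business Role and Location, and how the rule's count grows when a person
# is added to the role. All names and data are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MembershipRule:
    role: str    # Business Role and Location granting the access
    group: str   # group whose Member access the role's people receive


@dataclass(frozen=True)
class Assignment:
    person: str
    group: str
    access_level: str   # always "Member" for these rules
    via_role: str       # the actor that carries the assignment


def resultant_access(rules, role_members):
    """Return every (person, group) Member assignment the rules produce.

    role_members: {role name: set of person ids}
    """
    out = []
    for rule in rules:
        for person in sorted(role_members.get(rule.role, ())):
            out.append(Assignment(person, rule.group, "Member", rule.role))
    return out


def member_access(rules, role_members, person, group):
    """The 'Resultant Access to Resource' check for one person and group:
    the roles through which the person holds Member, empty if none."""
    return [a.via_role for a in resultant_access(rules, role_members)
            if a.person == person and a.group == group]


def rule_hits(rules, role_members):
    """Number of people each rule currently places in its group."""
    counts = defaultdict(int)
    for a in resultant_access(rules, role_members):
        counts[(a.via_role, a.group)] += 1
    return dict(counts)


def add_to_role(role_members, person, role):
    """Add a person to a Business Role and Location (the Members sub-tab step)."""
    role_members.setdefault(role, set()).add(person)
    return role_members


# Constructed sample rules and role memberships.
RULES = [MembershipRule("Engineering\\Berlin", "Berlin-VPN"),
         MembershipRule("Finance\\Austin", "Finance-Share")]
ROLE_MEMBERS = {"Engineering\\Berlin": {"alice", "bob", "carol"},
                "Finance\\Austin": {"grace", "heidi"}}

if __name__ == "__main__":
    members = {r: set(p) for r, p in ROLE_MEMBERS.items()}
    print(member_access(RULES, members, "zoe", "Berlin-VPN"))   # []
    add_to_role(members, "zoe", "Engineering\\Berlin")
    print(member_access(RULES, members, "zoe", "Berlin-VPN"))   # ['Engineering\\Berlin']
    print(rule_hits(RULES, members))
```

Before the person is added to the role the resultant check returns nothing; afterwards it returns the role that carries the assignment and the rule's count goes from 3 to 4, which is the increment the article says to look for on the rule's record.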