Role Mining Notes

3.2.5.5 Top-Down Role Mining

Once an organization has established its initial Business Role and Organizational Location tree, Top-Down “Analytical” Role Mining can optimize the existing entitlement landscape by converting direct user-assigned entitlements to “role-automated” access. Compliant access requires that the entitlements granted are appropriate for the position. At this point in our process, we have our initial Business Role and Location tree, with people assigned one or more of these roles based on attribute policies and RBAC mapping to position information in authoritative external sources. What is missing is for these new roles to grant and control their members' access. The users in these roles already hold access, but it is directly assigned: each assignment is an exception that will not be adjusted automatically when the user changes position. The users are assigned to Business Roles and Locations, and the system has an inventory of the entitlements they hold across all inventoried systems. To optimize and move forward with Compliant Access Delivery, these direct user-assigned entitlements must be reassigned to the appropriate Business Roles and Organizational Locations. This transforms static assignments that lack business context or justification into compliant, role-managed access.

Analyzing the Business Role and Location hierarchies to optimize and reassign direct user access to the optimal Business Roles and Locations within the two trees would be an impossible task for a human being. It is not, however, an impossible task for a computer leveraging complex algorithms.

In the top-down analytical role mining process, an organization’s existing Business Role and Organizational Location hierarchy and the inventoried access assignments of their members are used as the basis of the analysis. EmpowerID takes the inventoried direct access assignment data (who can access what) and tries to fit these assignments optimally onto the Business Role and Location trees. The algorithm starts with each entitlement at the bottom of the two trees (the most specific roles and locations). It then crawls up each tree until it finds the highest point at which the entitlement could be assigned such that all the people in that role and location, and in their children, would hold it. Granting the entitlement at that level through the Role and Location produces no net change in access but makes the entitlement role-managed. Fuzzy logic matching can also be employed to relax the tolerance: instead of requiring a 100% match, the engine can accept, say, a 90% match. Once the desired match is found, the customer can choose to publish it as a managed assignment, which is then controlled and automated by the RBAC system.

In the example below, the top-down engine has uncovered that every person in the “Sales in Munich” Business Role is a member of the “DE Sales” group in Active Directory. Accepting its suggestion publishes this group membership to the role and converts 180 exceptions (direct assignments) into one role-managed assignment.

Figure: Top-Down Analytical Role Mining Example – suggested match to convert the DE Sales group to a role-based assignment for the Sales in Munich Business Role and Location
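The tree crawl described above, as an added example that is not EmpowerID's code: a small Python model with constructed Business Role and Location trees, ten sample users and three inventoried entitlements. `place_entitlement` starts at each holder's own role/location leaf, climbs a tree only while the share of that placement's members who already hold the entitlement stays at or above the chosen tolerance (100% for an exact match, 90% for the relaxed match the text mentions), and `mine` reports what publishing each suggestion would convert. The tree shapes, names and the ratio-based matching rule are assumptions made for illustration.

```python
"""Top-down analytical role mining, illustrated: greedy placement of each
directly assigned entitlement on a Business Role tree and an Organizational
Location tree.  Added example, not EmpowerID code; the trees, the user
assignments and the entitlement inventory are constructed sample data."""

# Constructed sample trees, child -> parent (None marks the root).
ROLE_TREE = {"All Staff": None, "Sales": "All Staff", "Sales Rep": "Sales",
             "Sales Manager": "Sales", "Engineering": "All Staff"}
LOCATION_TREE = {"Global": None, "DE": "Global", "Munich": "DE",
                 "Berlin": "DE", "US": "Global"}

# Constructed sample: user -> (most specific Business Role, most specific Location).
ASSIGNMENTS = {
    "u1": ("Sales Rep", "Munich"), "u2": ("Sales Rep", "Munich"),
    "u3": ("Sales Manager", "Munich"), "u4": ("Sales Rep", "Berlin"),
    "u5": ("Sales Manager", "Berlin"), "u6": ("Engineering", "Munich"),
    "u7": ("Sales Rep", "US"), "u8": ("Engineering", "US"),
    "u9": ("Engineering", "US"), "u10": ("Sales Manager", "US"),
}

# Constructed sample inventory: entitlement -> users holding it as a direct assignment.
INVENTORY = {
    "AD:Munich Sales": {"u1", "u2", "u3"},
    "AD:DE Sales": {"u1", "u2", "u3", "u4", "u5"},
    "AD:VPN": {"u1", "u2", "u3", "u4", "u5", "u6", "u7", "u8", "u9"},
}


def ancestors(tree, node):
    """The node itself, then its parent, grandparent, ... up to the root."""
    chain = []
    while node is not None:
        chain.append(node)
        node = tree[node]
    return chain


def members(role_node, loc_node):
    """Users whose role is at/below role_node AND whose location is at/below loc_node."""
    return {user for user, (role, loc) in ASSIGNMENTS.items()
            if role_node in ancestors(ROLE_TREE, role)
            and loc_node in ancestors(LOCATION_TREE, loc)}


def match_ratio(role_node, loc_node, holders):
    """Share of the placement's members who already hold the entitlement (1.0 = exact fit)."""
    population = members(role_node, loc_node)
    return len(population & holders) / len(population) if population else 0.0


def place_entitlement(holders, threshold=1.0):
    """Start at each holder's own (role, location) leaf, climb one tree at a time
    while the match stays at or above the threshold, and keep the placement that
    covers the most people.  Returns (role, location) or None."""
    best, best_size = None, 0
    for user in sorted(holders):
        role, loc = ASSIGNMENTS[user]
        if match_ratio(role, loc, holders) < threshold:
            continue  # this holder's own position is not a clean fit; it stays an exception
        moved = True
        while moved:
            moved = False
            up_role = ROLE_TREE[role]
            if up_role is not None and match_ratio(up_role, loc, holders) >= threshold:
                role, moved = up_role, True
            up_loc = LOCATION_TREE[loc]
            if up_loc is not None and match_ratio(role, up_loc, holders) >= threshold:
                loc, moved = up_loc, True
        size = len(members(role, loc))
        if size > best_size:
            best, best_size = (role, loc), size
    return best


def mine(threshold=1.0):
    """Suggest a placement for every inventoried entitlement and count what
    publishing it would do: direct assignments converted, holders outside the
    placement that stay exceptions, and (with a relaxed threshold) members who
    do not hold the entitlement today but would be granted it."""
    suggestions = {}
    for entitlement, holders in INVENTORY.items():
        placement = place_entitlement(holders, threshold)
        if placement is None:
            continue
        covered = members(*placement)
        suggestions[entitlement] = {
            "role": placement[0], "location": placement[1],
            "converted": len(covered & holders),
            "remaining_exceptions": len(holders - covered),
            "new_grants": sorted(covered - holders),
        }
    return suggestions


if __name__ == "__main__":
    for thr in (1.0, 0.9):
        print(f"threshold {thr:.0%}")
        for ent, s in mine(thr).items():
            print(f"  {ent}: {s}")
```

Run with both thresholds to see the effect of relaxing the tolerance. At 100% the VPN group stops at All Staff/DE and the three US holders remain exceptions; at 90% it climbs to All Staff/Global. That second result also shows the caveat of fuzzy matching: the one member who does not hold the entitlement today (listed under new_grants) would receive it when the assignment is published, so that list is what an analyst should review before accepting the suggestion.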

3.2.5.6 Bottom-Up Role Mining

After top-down role mining is complete, much of each user’s access is delivered and controlled via Business Roles. The top-down model is effective for optimizing access based on what a person does within the organization. The access that remains unoptimized consists of the less structured team- or matrix-based access and exceptions. This access can also be optimized using a technique known as bottom-up analytical role mining. Bottom-up role mining is a multi-step process that involves creating, running, and analyzing “Role Mining Campaigns.” A Role Mining Campaign analyzes entitlement and user data using powerful machine learning algorithms to produce optimal “candidate roles,” each a combination of people and entitlements. These candidates are then analyzed and either accepted as-is or manipulated to create subsets of the combinations. Once candidate roles are accepted, they can be published as standalone Management Roles, mapped to Business Roles and Locations, or used to create new Business Roles and Locations.

Figure: Role Visualizer showing examples of candidate functional and global roles
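One simple way to derive candidate roles from the residual user-by-entitlement data, as an added example that is not EmpowerID's campaign engine (the page does not describe the algorithms EmpowerID uses): every distinct intersection of users' entitlement sets is a closed set, a group of entitlements that a group of people all hold, and the closed sets are ranked by how many direct assignments a role built from them would replace. The residual inventory, the entitlement names, the minimum-size filters and the ranking rule are constructed assumptions.

```python
"""Bottom-up analytical role mining, illustrated: candidate roles derived from
the user x entitlement matrix that top-down mining left behind.  Added example,
not EmpowerID code; the residual inventory is constructed sample data and the
closed-set intersection approach is one simple candidate-finding technique."""
from itertools import combinations

# Constructed residual inventory: user -> entitlements still directly assigned.
RESIDUAL = {
    "u1": {"Jira:ProjectX", "Git:ProjectX", "Wiki:ProjectX"},
    "u2": {"Jira:ProjectX", "Git:ProjectX", "Wiki:ProjectX", "AWS:Sandbox"},
    "u3": {"Jira:ProjectX", "Git:ProjectX", "Wiki:ProjectX"},
    "u4": {"Jira:ProjectX", "Git:ProjectX"},
    "u5": {"AWS:Sandbox", "AWS:ReadOnly"},
    "u6": {"AWS:Sandbox", "AWS:ReadOnly"},
    "u7": {"AWS:ReadOnly", "Jira:ProjectX"},
    "u8": {"SAP:FI_Display"},
}


def closed_entitlement_sets(inventory):
    """Every distinct intersection of users' entitlement sets.  Each such set is
    'closed': adding any further entitlement would lose at least one of the
    users who share it, so these are the natural candidate roles."""
    closed = {frozenset(held) for held in inventory.values() if held}
    changed = True
    while changed:  # keep intersecting until no new set appears
        changed = False
        for a, b in list(combinations(closed, 2)):
            common = a & b
            if common and common not in closed:
                closed.add(common)
                changed = True
    return closed


def support(inventory, entitlements):
    """Users who hold every entitlement in the candidate."""
    return {user for user, held in inventory.items() if entitlements <= held}


def mine_candidate_roles(inventory, min_users=2, min_entitlements=2):
    """Rank closed sets by the number of direct assignments a role built from
    them would replace (members x entitlements); tiny sets are filtered out."""
    candidates = []
    for entitlements in closed_entitlement_sets(inventory):
        users = support(inventory, entitlements)
        if len(users) >= min_users and len(entitlements) >= min_entitlements:
            candidates.append({
                "entitlements": sorted(entitlements),
                "members": sorted(users),
                "assignments_replaced": len(users) * len(entitlements),
            })
    candidates.sort(key=lambda c: (-c["assignments_replaced"], c["entitlements"]))
    return candidates


def accept_candidate(inventory, candidate):
    """Publish a candidate: its members no longer need those direct assignments,
    so the residual shrinks to what is still unexplained."""
    entitlements = set(candidate["entitlements"])
    return {user: (held - entitlements if user in candidate["members"] else set(held))
            for user, held in inventory.items()}


if __name__ == "__main__":
    residual = RESIDUAL
    for campaign in (1, 2):
        ranked = mine_candidate_roles(residual)
        print(f"campaign {campaign}: {ranked}")
        if ranked:
            residual = accept_candidate(residual, ranked[0])
    print("still direct:", {u: sorted(h) for u, h in residual.items() if h})
```

The ranking surfaces both the three-entitlement Project X candidate and its two-entitlement subset, which is exactly the point at which an analyst decides whether to publish the subset as the broader role with the extra entitlement as a child. `accept_candidate` removes a published candidate's assignments from the residual so the next campaign run works only on what is still directly assigned; in the sample, the second run's top candidate is the AWS pair, and u4's partial Project X access remains an exception for manual review.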

Benefits of Analytical Role Mining:

  • Reuses Existing Roles and HR Position Information
  • Supports Role Optimization and Clean-up Efforts to Remove Unneeded Access
  • Makes Roles More Intelligible as Business Roles Match the HR Structure More Closely
  • Dramatically Reduces the Effort Required for Manager Access Recertification
  • Role Mining Can Convert 80% of Exceptions to Automated Access