サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.0 LTS - Business Roles Administration Guide

Managing business roles
One Identity Manager users for business roles Hierarchical role structure basic principles Basic principles for assigning company resources Basics of calculating inheritance Preparing business roles for company resource assignments Base data for business roles Creating and editing business roles Assigning employees, devices, and workdesks to business roles Assigning business roles to company resources Analyzing role memberships and employee assignments Setting up IT operational data for business roles Creating dynamic roles for business roles Assign organizations Defining inheritance exclusion for business roles Assigning extended properties to business roles Creating assignment resources for application roles Dynamic roles for business roles with incorrectly excluded employees Reports about business roles
Role mining in One Identity Manager

Dynamic roles for business roles with incorrectly excluded employees

In the Manager, you can obtain an overview of all the dynamic roles with conflicting entries in the exclude list. This means that for at least one item in the list the following applies:

  • The dynamic role condition does not apply.

    For example, this might occur if the dynamic role condition was changed after a person was entered in the exclude list.

    - OR -

  • The excluded person is also assigned to the role in another way

    such as through inheritance or direct assignment.

Check these entries and correct the assignments.

To check conflicting entries of business roles in the exclusion list

  1. In the Manager, select the Business Roles > Troubleshooting > Dynamic roles with potentially incorrect excluded employees category.

  2. Select the dynamic role in the result list.

  3. Select the Exclude employees task.

    In the exclusion list you can see which employees are affected by the given conditions.

For more information about editing the dynamic roles' exclusion list, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

Reports about business roles

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for business roles.

NOTE: Other sections may be available depending on the which modules are installed.

Table 16: Reports about business roles
Report Description

Overview of all assignments

This report finds all the roles in which employees from the selected business roles are also members.

Show historical memberships

This report lists all members of the selected business role and the length of their membership.

Show products still to be approved

The report shows all products for a business role whose requests can be approved by the business role's members.

Business roles with high risk level

The report lists all business roles with a risk index equal or higher that the configurable risk index. The result can be limited to a specified role class. You can find this report in the My One Identity Manager category.

Related topics

Role mining in One Identity Manager

Business roles can be formed in two ways:

Analyzer uses the One Identity Manager program to make its own tools available for analyzing user accounts and permissions. The Analyzer supports analysis of business roles as well as the analysis of data quality with respect to the question: how well suited is the permissions data to partially automated role mining?

The Analyzer offers:

  • Automatic analysis of permissions assignments base on cluster analysis algorithms with different weighting.

  • Automatic analysis of existing structures and permissions of employees assigned in them

  • Manual analysis of certain staff groups for role mining

The aim of role mining is to replace direct permissions, which previously were only granted to users in individual application systems, with indirect ones. This allows permissions, which users obtain through role association to be defined across the application system. Analyzer’s aim is not only pure role mining but also classification of roles in a simple to administer hierarchical system. This can reduce the administration workload further and increase security for granting permissions.

To use role mining in One Identity Manager

  • In the Designer, set the QER | Org | RoleMining configuration parameter.

NOTE: To use Analyzer for analyzing permissions, at least the Target System Base Module must be installed.

Cluster analysis as a basis for role mining

The basis for role mining is always a cluster analysis when the Analyzer with help of mathematical algorithm tries to find single clusters, meaning employees with similar permissions. In the process, either hierarchical structures are built or predefined structures are applied that can be used for constructing your own role model.

In role mining, you not only try to find single clusters and assign these to business roles, but you also try to develop direct hierarchical role structures that can then be effectively used through standard inheritance mechanisms.

Automatic role mining supports One Identity Manager through two different cluster analysis methods that differ in the way they calculate the distances between individual clusters. The use of existing role structures, for example, organizational structure from ERP systems, is possible. Permissions analysis can then be used to assign permissions to these role structures. Lastly, role structures can be freely defined and assignment of permissions and employees can be manually evaluated based on existing permissions.

Figure 14: Cluster analysis methods in the Analyzer

In clustering methods, Analyzer calculates a frequency distribution from user permissions in the different application systems, like Active Directory, HCL Domino, or SAP R/3. Certain permissions may have a higher weighting in comparison to others. The number of a permissions' members can, for example, represent this sort of criteria. This is acknowledged through the Analyzer during calculation and taken into account by weighting the distance between clusters. This allows the hierarchical structures arising from the analysis to be optimized in advance and the smallest possible number of roles to be attained.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択