Identity Manager 9.0 LTS - Business Roles Administration Guide

Role mining in One Identity Manager

Selecting analysis data using the wizard

Before you start the analysis, you collect your initial data. The Analyzer accesses all permissions information in its own database and creates a mapping table with employees and their permissions. The result can be suggestions for single roles from analyzing a single application but also cross-system roles from analyzing permissions in several systems.

To select initial data with the wizard

  1. Start the Launchpad and log in to the One Identity Manager database.

  2. Open the Launchpad and select Analyze business roles in the Manage section. This starts the Analyzer program.

  3. On the Analyzer’s start page, select the Select data with wizard analysis method and click Start.

    This starts the wizard.

  4. On the start page, you specify the group of employees for analysis. Select one of the following selection categories and click Next.

    • Structures: Employees can be selected through organizations and business roles contained in One Identity Manager.

      1. In the Structures list, select the organization or business role for analysis.

      2. The employees assigned to this structure are displayed in the Employees list. Use the Show directly/indirectly assigned employees buttons in the title bar to filter the employees.

        Table 18: Icons for filtering the employee list (the icon column did not survive extraction; the three filter buttons are listed below)

        • Show indirectly assigned employees.

        • Show directly assigned employees.

        • Show employees from child nodes.

    • Query wizard: Define the condition used to find the employees in the database. The wizard helps you to formulate a condition (where clause) for database queries. The complete database query is composed internally. The database query references the Person table.

      For more information about using the wizard, see One Identity Manager User Guide for One Identity Manager Tools User Interface.

    • Menu: The list displays all the employees in the One Identity Manager database. Use Shift + select or Ctrl + select to select several employees for analysis.

    • Load wizard template: Load an existing configuration. Select the template file and click Open.

  5. On the Select user accounts page, select the target system whose user accounts and permissions will be included in the analysis. Use Ctrl + select to multi-select target systems.

  6. On the Select analysis method page, you specify the analysis method. The following methods are available.

    Table 19: Analysis methods

    Simple cluster analysis / Complex cluster analysis: Permissions are grouped into new business roles using cluster analysis methods and employees are assigned. The Analyzer supports automatic role mining by two different cluster analysis methods, which differ in how they calculate the distance between two clusters (the linkage criterion) and therefore in which clusters are merged.

    Decision hierarchy: Permissions are grouped into new business roles in a decision hierarchy and the employees are assigned. The number of group members is taken as the decision criterion.

    Structure assignment: The permissions are assigned to an existing structure hierarchy. Existing structures, for example, the organizational structure from ERP systems, can be used.

    Permissions analysis: Employee permissions are analyzed with the help of permissions analysis. Business roles are defined freely, and assignments of permissions and employees are evaluated manually based on the existing permissions.

  7. On the last page you start the analysis.

    1. (Optional) To reuse the configuration at a later time, set the Save configuration as template option. Select the directory path for saving the file using the file browser and click Save.

    2. On the last page, click Finish to start the analysis.

      This loads the analysis data and starts the analysis. The results of the analysis are then displayed in the Analyzer.

  8. Verify the analysis results.

  9. Create a new business role if required and assign the employees. Add the suggested changes to the One Identity Manager database.

Run predefined analysis

The following predefined analyses are provided:

  • Active Directory Employee Permissions: The permissions of all employees with Active Directory group memberships are analyzed.

    NOTE: This analysis is only available if the Active Directory Module is installed.

  • Active Directory Employee Permissions and Departments: The permissions of all employees with Active Directory group memberships are analyzed. Departments with Active Directory groups are also included in the analysis.

    NOTE: This analysis is only available if the Active Directory Module is installed.

  • LDAP Employee Permissions: The permissions of all employees with LDAP group memberships are analyzed.

    NOTE: This analysis is only available if the LDAP Module is installed.

To start a predefined analysis

  1. Start the Launchpad and log in to the One Identity Manager database.

  2. Open the Launchpad and select Analyze business roles in the Manage section. This starts the Analyzer program.

  3. On the Analyzer's start page, select the predefined analysis procedure and click Start.

    This loads the analysis data and starts analysis immediately. This may take some time, depending on the amount of data. The results of the analysis are then displayed in the Analyzer.

    NOTE: If you have disabled the Automatically close analysis information window on completion program setting, information about the analysis is displayed in the Cluster analysis window. Click Expand to see detailed information. Click Finish to close the dialog.

  4. Verify the analysis results.

  5. Create a new business role if required and assign the employees. Add the suggested changes to the One Identity Manager database.

Analysis evaluation

In role mining, you should always compare the suggested business roles with your own organizational structures, because the mathematical methods of cluster analysis only forecast a trend. Apart from renaming nodes, you can also edit employee assignments and business role permissions directly. You can create new business roles with the Analyzer and assign them directly to employees. This makes adding and moving employees into a certain business role very simple.

View the results of the analysis in a window with various panes in the Analyzer.

Figure 15: Presentation of analysis results

On the left, the clusters found by the analysis are displayed hierarchically on a tab. When the analysis data was selected with the wizard, each node is named after the first employee found in it. For the predefined analysis methods, naming follows the rules specified in the program settings. You can change names using F2 or Rename in the context menu.

The number of occurrences is displayed graphically in the <Employees> and <Permissions> columns. Both columns are normalized: the group with the highest number of employees or permissions assigned to it corresponds to 100 percent and is shown with a full-length bar.

Table 20: Meaning of items in the context menu in view 1

Paste: Marks the business role for transfer into the database.

Add recursively: Marks the business role and its child roles for transfer into the database.

Delete: Removes the business role from the data transfer set.

Create: Defines a new business role.

Delete: Deletes the business role.

Rename: Renames the business role.

Generate business roles names: Generates business role names according to the rules specified (Database > Settings menu).

Optimize business roles: Optimizes the business roles. Empty business roles are deleted.

Properties: Displays other properties of the business role, such as user accounts and permissions.

When a structure node is selected, the employees (above) and the permissions (below) it contains are listed in view (2). The colored similarity bar helps you see where permissions overlap and how closely an employee's actual permissions match the permission assignments of the selected role: matching group memberships are shown in green, additional, non-matching group memberships in red. Directly below this, each employee's permissions are listed separately for each analyzed target system. Depending on the program settings, a permissions weighting is also displayed.

Table 21: Meaning of items in the context menu in view 2

Add to business role: Adds the employee/permissions to the hierarchy of the selected business role.

Remove from business role: Removes the employee/permissions from the hierarchy of the selected business role.

Compare: Compares employees with each other. The result is displayed in view 3.

Mark assignments: Marks employee/permissions assignments in the hierarchy.

Properties: Shows other properties of the active objects.

You can analyze permissions memberships of individual employees by multi-selecting in the list of employees and running a direct comparison.

To compare employee memberships

  • Select employees in the right pane (2) using Ctrl + select or Shift + select.

  • Click Compare in the context menu to start comparing.

TIP: When you click on an employee in this list, they become the reference employee. The colored similarity bars are aligned to this employee.

Applying changes from the analysis

You can use the Analyzer to create new business roles and assign employees directly to them or move employees and permissions into specific business roles.

To transfer changes to the One Identity Manager database

  1. In the Analyzer, in the hierarchy mark the business roles you want to transfer.

    To do this, use the Paste (Insert) and Add recursively (Recursive) context menu items. You can remove individual business roles from the data transfer set with the Delete (Remove) context menu item.

  2. Select Database > Commit to database from menu to start the data transfer wizard and click Next to continue.

  3. On the Save options page, you specify the following settings:

    1. Role class: Select the role class under which the business roles will be created in the One Identity Manager database.

      Click the button next to the menu to create a new role class.

    2. Select the save options.

      • Delete existing objects in role class: This option deletes existing objects in the selected role class from the One Identity Manager database.

      • Business roles do not inherit: This option disables inheritance of assignments through the new business roles, so that the assigned employees do not receive the roles' permissions until you have checked them.

        NOTE: Once you have checked the assignments, clear the Employees do not inherit property on the business roles. Use the Manager program to do this.

      • Delete direct assignments: This option removes the direct permission assignments from the employees' user accounts.

        CAUTION: Only set this option if you have ensured that the employees inherit the same permissions through business roles. Otherwise, this option results in a loss of permissions. Note that if Business roles do not inherit is also set, nothing is inherited until you clear that property, so the employees have no effective permissions in the meantime.

      • Attest new roles: New business roles must go through an attestation case.

        NOTE: This function is only available if the Attestation Module is installed.

  4. Click Finish to save the data.
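The caution on Delete direct assignments is the step where role mining can silently take permissions away (or, less visibly, hand out permissions a role grants that an employee never had). The following added example, not One Identity Manager code, shows the check a practitioner would run before committing: given the current direct assignments and the business roles about to be transferred (all data constructed and invented), it reports which permissions each employee would lose if direct assignments were deleted, which extra permissions the roles would grant, and what happens while Business roles do not inherit is still set. The option names are taken from the procedure above; the data model is a simplification.

```python
"""Added example: pre-commit safety check for 'Delete direct assignments'.
Not One Identity Manager code; the data below is constructed."""
from collections import defaultdict

# Constructed sample: permissions currently assigned directly to each
# employee's user accounts (invented AD group names).
DIRECT = {
    "alice": {"AD\\Sales", "AD\\CRM_Users", "AD\\VPN"},
    "bob":   {"AD\\Sales", "AD\\CRM_Users"},
    "carol": {"AD\\Sales", "AD\\CRM_Users", "AD\\Domain Admins"},
    "dave":  {"AD\\Sales"},
}

# Constructed sample: business roles marked for transfer,
# role name -> (members, permissions assigned to the role).
ROLES = {
    "Sales":  ({"alice", "bob", "carol", "dave"}, {"AD\\Sales", "AD\\CRM_Users"}),
    "Remote": ({"alice"}, {"AD\\VPN"}),
}


def inherited(roles, business_roles_do_not_inherit=False):
    """Permissions each employee would receive through the roles.
    With 'Business roles do not inherit' set, nothing flows yet."""
    effective = defaultdict(set)
    if business_roles_do_not_inherit:
        return effective
    for members, perms in roles.values():
        for member in members:
            effective[member] |= perms
    return effective


def check_delete_direct(direct, roles, business_roles_do_not_inherit=False):
    """Permissions that would be LOST per employee if direct assignments were
    deleted now: held directly but not covered by any inherited role."""
    effective = inherited(roles, business_roles_do_not_inherit)
    lost = {}
    for employee, perms in direct.items():
        missing = perms - effective.get(employee, set())
        if missing:
            lost[employee] = missing
    return lost


def check_over_grant(direct, roles):
    """Permissions the roles would GRANT that the employee does not hold
    today: the roles over-provision here and need manual review."""
    effective = inherited(roles)
    gained = {}
    for employee, perms in effective.items():
        extra = perms - direct.get(employee, set())
        if extra:
            gained[employee] = extra
    return gained


def safe_to_delete_direct(direct, roles):
    """True only if no employee would lose any permission."""
    return not check_delete_direct(direct, roles)


if __name__ == "__main__":
    print("would lose:", check_delete_direct(DIRECT, ROLES))
    print("would gain:", check_over_grant(DIRECT, ROLES))
    print("with 'Business roles do not inherit' set, would lose:",
          check_delete_direct(DIRECT, ROLES, business_roles_do_not_inherit=True))
    print("safe to delete direct assignments:", safe_to_delete_direct(DIRECT, ROLES))
```

On the sample data, carol's AD\Domain Admins membership is not covered by any role and would be lost, dave would gain AD\CRM_Users he never had, and with Business roles do not inherit still set every employee would lose everything, which is exactly the combination the caution warns about. Only when the first result is empty, and the over-grants have been reviewed, is Delete direct assignments safe to set.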
