Business roles can be formed in two ways:
One Identity Manager provides the Analyzer program as its own tool for analyzing user accounts and permissions. The Analyzer supports the analysis of business roles as well as the analysis of data quality with respect to one question: how well suited is the permissions data to partially automated role mining?
The Analyzer offers:
- Automatic analysis of permission assignments based on cluster analysis algorithms with different weightings
- Automatic analysis of existing structures and of the permissions of the employees assigned to them
- Manual analysis of selected groups of employees for role mining
The aim of role mining is to replace direct permissions, which previously were granted to users individually in each application system, with indirect ones. Permissions that users obtain through role membership can then be defined across application systems. The Analyzer's aim is not only role mining as such but also the arrangement of the roles into a hierarchy that is simple to administer. This further reduces the administration workload and improves the security of permission granting.
To use role mining in One Identity Manager
- In the Designer, set the "QER | Org | RoleMining" configuration parameter.
NOTE: To use Analyzer for analyzing permissions, at least the Target System Base Module must be installed.
The basis for role mining is always a cluster analysis, in which the Analyzer uses mathematical algorithms to find individual clusters, meaning groups of employees with similar permissions. In the process, either hierarchical structures are built or predefined structures are applied, which can then be used for constructing your own role model.
In role mining, the aim is not only to find individual clusters and assign them to business roles but also to build hierarchical role structures that can then be used effectively through the standard inheritance mechanisms.
One Identity Manager supports automatic role mining through two different cluster analysis methods that differ in the way they calculate the distances between individual clusters. Existing role structures, for example the organizational structure from an ERP system, can also be used; with the help of permissions analysis, access rights can be assigned to them. Lastly, role structures can be freely defined, and the assignment of permissions and employees can be evaluated manually on the basis of the existing permissions.
Figure 14: Cluster analysis methods in the Analyzer
In the clustering methods, the Analyzer calculates a frequency distribution from the user permissions in the different application systems, such as Active Directory, IBM Notes, or SAP R/3. Certain permissions may carry a higher weighting than others; the number of members a permission has can, for example, serve as such a criterion. The Analyzer takes this into account during the calculation by weighting the distance between clusters. This allows the hierarchical structures produced by the analysis to be optimized in advance and the number of roles to be kept as small as possible.
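The following is an added illustration of the mechanics described above (weighted permission distances, agglomerative clustering into a hierarchy, and turning the hierarchy into roles that replace direct assignments). It is not the Analyzer's own algorithm and not code from One Identity. Everything in it is an assumption made for the example: the user and permission data are constructed, the weighting rule (inverse of a permission's member count, so rare permissions dominate the distance) is one concrete reading of the "number of members" criterion, and average and complete linkage stand in for the two unnamed distance methods the page mentions.

```python
"""Toy role mining by agglomerative clustering of user permissions.

Added example, not the One Identity Manager Analyzer's algorithm.
"""
from itertools import combinations

# Constructed sample data: user -> set of directly assigned permissions.
USERS = {
    "alice": {"AD:Domain Users", "AD:Finance", "SAP:FI_Display", "SAP:FI_Post"},
    "bob":   {"AD:Domain Users", "AD:Finance", "SAP:FI_Display", "SAP:FI_Post"},
    "carol": {"AD:Domain Users", "AD:Finance", "SAP:FI_Display"},
    "dave":  {"AD:Domain Users", "AD:IT", "AD:Server Admins"},
    "erin":  {"AD:Domain Users", "AD:IT", "AD:Server Admins", "AD:Domain Admins"},
}


def permission_weights(users):
    """Weight each permission by the inverse of its member count.

    Assumption: the page only says a permission's member count can drive the
    weighting; inverse count is this example's choice, so that rare (more
    specific) permissions count more than broad ones like "Domain Users".
    """
    counts = {}
    for perms in users.values():
        for perm in perms:
            counts[perm] = counts.get(perm, 0) + 1
    return {perm: 1.0 / n for perm, n in counts.items()}


def weighted_jaccard_distance(a, b, weights):
    """1 - weighted|a & b| / weighted|a | b|; 0.0 for identical sets."""
    union = a | b
    if not union:
        return 0.0
    shared = sum(weights[p] for p in a & b)
    return 1.0 - shared / sum(weights[p] for p in union)


def cluster_distance(members_a, members_b, users, weights, linkage):
    """Average or complete linkage over all cross-cluster user pairs."""
    dists = [weighted_jaccard_distance(users[x], users[y], weights)
             for x in members_a for y in members_b]
    return sum(dists) / len(dists) if linkage == "average" else max(dists)


def agglomerate(users, linkage="average"):
    """Repeatedly merge the two closest clusters; return the root of the tree."""
    weights = permission_weights(users)
    active = [{"members": (u,), "children": []} for u in sorted(users)]
    while len(active) > 1:
        best = None
        for i, j in combinations(range(len(active)), 2):
            d = cluster_distance(active[i]["members"], active[j]["members"],
                                 users, weights, linkage)
            if best is None or d < best[0]:
                best = (d, i, j)
        _, i, j = best
        merged = {"members": active[i]["members"] + active[j]["members"],
                  "children": [active[i], active[j]]}
        active = [n for k, n in enumerate(active) if k not in (i, j)] + [merged]
    return active[0]


def mine_roles(users, linkage="average"):
    """Turn the cluster tree into a role hierarchy.

    A cluster of at least two users becomes a role holding the permissions all
    its members share and no ancestor role already grants; child roles inherit
    from their parent, so each permission appears once in the hierarchy.
    """
    roles = []

    def walk(node, parent, inherited):
        members = node["members"]
        parent_for_children = parent
        if len(members) >= 2:
            common = set.intersection(*(set(users[m]) for m in members))
            new = common - inherited
            if new:
                role = {"name": f"Role {len(roles) + 1}", "permissions": new,
                        "parent": parent, "members": set(members)}
                roles.append(role)
                parent_for_children = role["name"]
                inherited = inherited | new
        for child in node["children"]:
            walk(child, parent_for_children, inherited)

    walk(agglomerate(users, linkage), None, set())
    return roles


def remaining_direct_assignments(users, roles):
    """Permissions no mined role covers: these must stay direct assignments."""
    covered = {u: set() for u in users}
    for role in roles:
        for member in role["members"]:
            covered[member] |= role["permissions"]
    return {u: perms - covered[u] for u, perms in users.items()
            if perms - covered[u]}


if __name__ == "__main__":
    mined = mine_roles(USERS)
    for role in mined:
        print(role["name"], "<-", role["parent"], sorted(role["permissions"]),
              sorted(role["members"]))
    print("still direct:", remaining_direct_assignments(USERS, mined))
```

On the sample data the tree yields a root role with the permission every user holds, a finance child role with its own child for the two users who can also post, and a separate IT role; erin's lone "AD:Domain Admins" is not shared with anyone and therefore remains a direct assignment, which is the kind of leftover a practitioner reviews by hand after mining.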
Use the Analyzer to automatically detect and analyze data correlations in the database. This information can be used, for example, to replace direct permission assignments with indirect assignments, thereby reducing the administration effort.