Identity Manager 8.1.5 - Business Roles Administration Guide

Role mining in One Identity Manager

Analysis evaluation

When role mining, always compare the proposed business roles with your custom structures, because the mathematical methods of cluster analysis only forecast a trend. Apart from renaming nodes, you can also edit employee assignments and business role permissions directly. You can create new business roles with the Analyzer and assign them directly to employees. This makes adding employees to a business role, or moving them into one, very simple.

View the results of the analysis in a window with various panes in the Analyzer.

Figure 15: Presentation of analysis results

On the left, the clusters found by the analysis are displayed hierarchically on a tab. When analysis data is selected with wizards, the nodes shown here are named after the first employee found. The naming for predefined analysis methods follows the rules specified in the program settings. You can change names using F2 or Rename in the context menu.

The number of occurrences is displayed graphically in the <Employees> and <Permissions> columns. The display is normalized in both columns: the group with the highest number of employees or permissions assigned to it corresponds to 100 percent and is shown with a full-length bar.

Table 24: Meaning of items in the context menu in view 1

| Context Menu Item | Meaning |
|---|---|
| | Marks the business role for transfer into the database. |
| Add recursively | Marks the business role and its child roles for transfer into the database. |
| | Removes the business role from the data transfer set. |
| | Defines a new business role. |
| | Deletes the business role. |
| | Renames the business role. |
| Generate business roles names | Generates business role names according to the rules specified (menu <Database>\<Settings...>). |
| Optimize business roles | Optimizes the business roles. Empty business roles are deleted. |
| | Displays other properties of the business role such as user accounts and permissions. |

When a structure node is selected, the employees (above) and permissions (below) contained in it are listed in view (2). You can use the colored similarity bar to identify where permissions overlap and how closely the user’s actual permissions match the permissions assignment of the selected role. Matching group memberships are green; non-matching, additional group memberships are red. Directly below this, each of the employee’s permissions is shown separately for the analyzed target systems. A permissions weighting is displayed depending on the program settings.

Table 25: Meaning of items in the context menu in view 2

| Context Menu Item | Meaning |
|---|---|
| Add to business role | Adds employee/permissions to the hierarchy of the selected business role. |
| Remove from business role | Removes employee/permissions from the hierarchy of the selected business role. |
| | Compares employees with each other. The result is displayed in view 3. |
| Mark assignments | Marks employee/permissions assignments in the hierarchy. |
| | Shows other properties of active objects. |

You can analyze permissions memberships of individual employees by multi-selecting in the list of employees and running a direct comparison.

To compare employee memberships

  • Select employees in view (2) using Ctrl + select or Shift + select.
  • Click Compare in the context menu to start comparing.
TIP: When you click on an employee in this list, they become the reference employee. The colored similarity bars are aligned to this employee.

Transferring changes

You can use the Analyzer to create new business roles and assign employees directly to them or move employees and permissions into specific business roles.

To transfer changes to the One Identity Manager database

  1. In the hierarchy, mark the business roles you want to transfer.

    Use the Insert and Recursive context menu items to do this. You can delete individual business roles from the data transfer using the Remove context menu item.

  2. Select Database | Save to database... from the menu to start the data transfer wizard and click Next to continue.
  3. In the wizard, select the role class under which the business roles will be created in the One Identity Manager database.

    Click the button next to the menu to create a new role class.

  4. Select the save options.
    Table 26: Save options for data transfer

    | Save option | Meaning |
    |---|---|
    | Delete existing objects in role class | This option deletes existing objects in the selected role class from the One Identity Manager database. |
    | Business roles do not inherit | This option disables inheritance of assignments by business roles. NOTE: Once you have checked the assignments, remove the Employees do not inherit option from the business roles. Use the Manager program to do this. |
    | Delete direct assignments | This option removes direct permissions assignments to the employees’ user accounts. CAUTION: Only set this option if you have ensured that the permissions are inherited by the employees through business roles. Otherwise this option results in a loss of permissions. |
    | Attest new roles | New business roles must go through an attestation case. NOTE: This function is only available if the Attestation Module is installed. |

  5. Click Finished to save the data.
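
The check that the CAUTION for Delete direct assignments calls for, together with the green/red comparison from view (2), can be reproduced outside the Analyzer on exported assignment data. The following Python is an added example, not One Identity Manager code; the data layout, the role, employee and permission names, and the function names are assumptions constructed for illustration.

```python
# Added example: constructed data and hypothetical names, not One Identity Manager schema.

def inherited_permissions(employee, members, role_perms, roles_inherit=True):
    """Permissions an employee receives through business role membership."""
    if not roles_inherit:  # models the "Business roles do not inherit" save option
        return set()
    perms = set()
    for role, people in members.items():
        if employee in people:
            perms |= role_perms.get(role, set())
    return perms

def compare(employee, direct, members, role_perms, roles_inherit=True):
    """Split direct permissions into matching (green) and additional (red)."""
    inherited = inherited_permissions(employee, members, role_perms, roles_inherit)
    own = direct.get(employee, set())
    return {"matching": own & inherited, "additional": own - inherited}

def loss_report(direct, members, role_perms, roles_inherit=True):
    """Permissions each employee would lose if direct assignments were deleted."""
    report = {}
    for emp in sorted(direct):
        lost = compare(emp, direct, members, role_perms, roles_inherit)["additional"]
        if lost:
            report[emp] = sorted(lost)
    return report

# Constructed sample: two mined roles and three employees.
ROLE_PERMS = {
    "Sales": {"AD:Sales-Share", "AD:CRM-Users"},
    "Sales-Managers": {"AD:Sales-Share", "AD:CRM-Users", "AD:CRM-Reports"},
}
MEMBERS = {"Sales": {"alice", "bob"}, "Sales-Managers": {"carol"}}
DIRECT = {
    "alice": {"AD:Sales-Share", "AD:CRM-Users"},
    "bob": {"AD:Sales-Share", "AD:VPN-Users"},
    "carol": {"AD:CRM-Reports", "AD:Finance-Read"},
}

if __name__ == "__main__":
    # With inheritance active, only the "red" permissions are at risk.
    print(loss_report(DIRECT, MEMBERS, ROLE_PERMS))
    # With inheritance disabled, every direct permission would be lost.
    print(loss_report(DIRECT, MEMBERS, ROLE_PERMS, roles_inherit=False))
```

An empty report means every direct permission is also granted through a business role. Any entry listed is a permission that exists only as a direct assignment and would disappear.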