Identity Manager 9.2 - Business Roles Administration Guide

Role mining in One Identity Manager

Cluster analysis as a basis for role mining

Role mining is always based on a cluster analysis, in which the Analyzer uses mathematical algorithms to find individual clusters, that is, identities with similar permissions. In the process, either hierarchical structures are built or predefined structures are applied that can be used for constructing your own role model.

In role mining, you not only try to find single clusters and assign these to business roles, but you also try to develop direct hierarchical role structures that can then be effectively used through standard inheritance mechanisms.

One Identity Manager supports automatic role mining through two different cluster analysis methods that differ in the way they calculate the distances between individual clusters. Existing role structures, for example, an organizational structure from an ERP system, can also be used. Permissions analysis can then be used to assign permissions to these role structures. Lastly, role structures can be freely defined, and the assignment of permissions and identities can be manually evaluated based on existing permissions.

Figure 14: Cluster analysis methods in the Analyzer

In clustering methods, the Analyzer calculates a frequency distribution from user permissions in the different application systems, like Active Directory, HCL Domino, or SAP R/3. Certain permissions may have a higher weighting in comparison to others. The number of members a permission has can, for example, serve as such a criterion. The Analyzer takes this into account during calculation by weighting the distance between clusters. This allows the hierarchical structures arising from the analysis to be optimized in advance and the smallest possible number of roles to be attained.
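The following sketch illustrates the idea of weighted hierarchical clustering over identity permissions. It is an added example, not One Identity code and not the Analyzer's algorithm. The weighted Jaccard distance, the 1/member-count weighting, the single and complete linkage rules, and all sample identities and permission names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample data: identity -> directly assigned permissions.
ASSIGNMENTS = {
    "alice": {"AD:Sales", "SAP:VA01", "AD:VPN"},
    "bob": {"AD:Sales", "SAP:VA01", "AD:VPN"},
    "carol": {"AD:Sales", "SAP:VA01"},
    "dave": {"AD:Finance", "SAP:FB01", "AD:VPN"},
    "erin": {"AD:Finance", "SAP:FB01"},
}

def weights(assignments):
    """Assumed weighting: 1 / number of members, so rarer permissions count more."""
    perms = set().union(*assignments.values())
    return {p: 1.0 / sum(p in s for s in assignments.values()) for p in perms}

def distance(a, b, w):
    """Weighted Jaccard distance between two permission sets (0 = identical)."""
    union = sum(w[p] for p in a | b)
    return 1.0 - sum(w[p] for p in a & b) / union if union else 0.0

def cluster(assignments, linkage=min, threshold=0.5):
    """Agglomerative clustering; linkage=min is single, linkage=max is complete."""
    w = weights(assignments)
    clusters = [frozenset([i]) for i in sorted(assignments)]

    def gap(c1, c2):
        return linkage(distance(assignments[x], assignments[y], w)
                       for x in c1 for y in c2)

    while len(clusters) > 1:
        d, c1, c2 = min(((gap(x, y), x, y) for x, y in combinations(clusters, 2)),
                        key=lambda t: t[0])
        if d > threshold:  # remaining clusters are too dissimilar to merge
            break
        clusters = [c for c in clusters if c not in (c1, c2)] + [c1 | c2]
    return clusters

def candidate_roles(assignments, clusters):
    """Permissions shared by every member of a cluster form its candidate role."""
    return sorted((sorted(c), sorted(set.intersection(*(assignments[i] for i in c))))
                  for c in clusters)

if __name__ == "__main__":
    for link, name in ((min, "single"), (max, "complete")):
        found = cluster(ASSIGNMENTS, linkage=link, threshold=0.9)
        print(name, candidate_roles(ASSIGNMENTS, found))
```

With the same threshold, the looser linkage rule merges everyone into one cluster whose shared permission set is empty, while the stricter rule keeps two clusters that each map to a usable least-privilege role. The shared VPN permission stays outside both roles and is a candidate for a parent role.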

Working with the Analyzer program

Use the Analyzer to automatically detect and analyze data correlations in the database. For example, this information can be used to replace direct permissions assignments with indirect assignments, thereby reducing the administration effort.

Analyzer menu items

Table 18: Meaning of items in the menu bar

| Menu | Menu item | Meaning | Shortcut |
|---|---|---|---|
| Database | New connection | Establishes a database connection. | Ctrl + Shift + N |
| Database | Save to database | Changes to the data are saved to the connected One Identity Manager database. | Ctrl + Shift + S |
| Database | Settings | For configuring general program settings. | |
| Database | Exit | Exits the program. | Alt + F4 |
| Analysis | Previous assignment | Jumps to the previous identity/permissions assignment. | Ctrl + U |
| Analysis | Next assignment | Jumps to the next identity/permissions assignment. | Ctrl + D |
| Analysis | Parent cluster | Swaps to the parent cluster in the hierarchy. | Ctrl + P |
| Analysis | Reanalyze | Reruns the analysis. | F9 |
| Help | Analyzer help | Opens the help program. | F1 |
| Help | Info | Shows the version information for the program. | |

Analyzer program settings

To change the program settings in the Analyzer

  1. In the Analyzer, select the Database > Settings menu item.

  2. Customize the following settings.

    • Common language: Language for formatting data, such as date formats, time formats or number formats.

    • Other user interface language: Language for the user interface. The initial program login uses the system language for the user interface. Changes to the language settings take effect after the program has been restarted. The language is set globally for all One Identity Manager programs, which means the language setting does not have to be configured for each program individually.

    • Automatically close analysis information window on completion: If this option is set and analyses are predefined, the information window is closed at the end of the analysis. If the option is not set, the information window is shown. Click the Finished button to close the window.

    • Show permissions weighting: Set this option to additionally display a weighting for the permissions.

    • Role naming template: Define a template for role names. This is used to format new role names in predefined analysis methods.

      The template supports the following variables:

      %sequence%: Sequential number

      %object%: Name of the first object in the cluster

      %property%: Name of the first property in the cluster

  3. Save the settings with OK.
