5 Role Engineering and Management

This chapter describes how role mining works in Oracle Identity Analytics. It contains the following sections:

  • Section 5.1, "Understanding Role Mining, Role Consolidation, and Entitlements Discovery"

  • Section 5.2, "Performing Role Mining"

  • Section 5.3, "Performing Role Consolidation"

  • Section 5.4, "Performing Entitlements Discovery"

  • Section 5.5, "Creating and Using Role Provisioning Rules"

5.1 Understanding Role Mining, Role Consolidation, and Entitlements Discovery

Role Mining, Entitlements Discovery, and Role Consolidation are modules that can be used to populate the Identity Warehouse with the right combination of users and roles. The process of populating the Identity Warehouse with roles has roughly three phases: role definition, role refinement, and role verification.

During the role definition phase you should use the role mining module to populate the Identity Warehouse with roles. To refine your roles, use the Entitlements Discovery and Role Consolidation modules. Also use the Role Consolidation module to verify that your roles are clean and complete.

5.1.1 Role Mining

The role mining process discovers relationships between users based on similar access permissions that can logically be grouped to form a role. Role engineers can specify the applications and attributes that will return the best mining results. Role mining is also called role discovery.

Oracle Identity Analytics supports three approaches to role mining: a top-down approach, a bottom-up approach, and a hybrid approach.

In the top-down approach, Oracle Identity Analytics creates roles by analyzing users' job functions and HR attributes. (For example, geographical location and manager are typical HR attributes.) In the bottom-up approach, Oracle Identity Analytics creates roles by analyzing users' account permissions. In the hybrid approach, the top-down approach and the bottom-up approach are combined. The hybrid approach is recommended.

5.1.2 Role Consolidation

Role Consolidation is a feature that prevents the creation of new roles with almost the same membership and entitlements of existing roles, a syndrome known as role explosion.

Role Consolidation tells you how similar two roles are based on the following two criteria:

  • Role membership

  • Entitlements

5.1.3 Entitlements Discovery

Entitlements Discovery analyzes legacy roles in order to define, re-evaluate, and refine the content of these roles. Role Entitlements Discovery can also be used for role consolidation if you need to include more applications in the role entitlement mix.

Once roles have been defined for critical applications, you might not want to add new roles or change the makeup of a role, but instead introduce a larger domain of application entitlements in those roles. In this case, select the relevant attributes of the new application as minable only and run Role Entitlements Discovery on the existing roles.

The Role Entitlements Discovery process can also be applied to top-down roles that are already defined in the organization in order to expedite the hybrid, best-practice role definition process.

5.2 Performing Role Mining

Role mining (role discovery) uses expectation maximization and cobweb clustering algorithms to discover relationships between users based on similar access permissions that can logically be grouped to form a role.

The role mining process consists of three steps:

1. Setting role mining attributes
2. Creating and running a role mining task
3. Analyzing role mining results and configuring and saving roles

5.2.1 Setting Role Mining Attributes

Before starting a role mining job, specify the applications and attributes that will return the best data mining results. To do this, set minable attribute settings. It is important to identify attributes that define access to a particular application/target system and set them as minable. Ensure that the appropriate applications and input data are accounted for. Do not add unimportant attributes because they will affect the accuracy of the role mining effort. Running role mining without any attributes set as minable will result in an error.

Note:

Role mining should be performed with a small number of users who best represent the data trend. Role mining too many users can lead to out-of-memory errors.

5.2.1.1 To Set Role Mining Attributes

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Resource Types.

    The Resource Types configuration screen opens.

  4. Select the resource type whose attributes are to be selected for role mining by clicking on the resource type in the Resource Types panel on the left.

  5. Select attributes for mining by selecting the check box in the Minable column and clear attributes that are not useful.

5.2.2 Creating a Role Mining Task

The key to a good role engineering effort is to select the best set of representative users for a given role. For best results, select a group of users whose job responsibilities are the most similar. Oracle Identity Analytics then suggests roles based on the users' collective entitlements.

A good practice before running a role mining task is to preview the input data selected for the role mining exercise. Do this to ensure that all attributes are accounted for, and also that all attributes are correct. Check for any visible inconsistencies in the data.

5.2.2.1 To Create a Role Mining Task

Follow these steps to create and run a role mining task. You can also schedule the task to run at a later time, or simply save the task without running or scheduling it.

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Role Mining.

  3. Click New Role Mining Task.

  4. In the New Role Mining Task window, complete the Name and Description fields, then select a Selection Strategy for role mining:

    • By Business Structures - Choose this option to perform role discovery on one or more users that you select by business unit.

    • By Resource - Choose this option to perform role discovery on one or more resources.

    • By Existing Role - Choose this option to perform role discovery using existing roles.

    • All Users - Choose this option to base role mining on one or more users that you select from a list of all users.

  5. Click Next.

  6. Proceed as follows.

    For help using the user interface controls during this step, see Section 5.2.2.2, "Using the Role Mining Wizard Display Controls."

    • If your selection strategy is By Business Structures, select the business unit from the Business Structures panel on the left, then select users assigned to the business unit in the Available Users panel on the right. Selected users will display in the panel at the bottom of the screen.

    • If your selection strategy is By Resource, select the resource from the Available Resource Types panel on the left, then select individual resources in the Available Resources panel on the right. Selected resources will display in the Number of Selected Resources panel at the bottom of the screen.

    • If your selection strategy is By Existing Role, select the role from the Available Roles panel on the left, then select users assigned to the role in the available Users panel on the right. Selected users will display in the panel at the bottom of the screen.

    • If your selection strategy is All Users, search for users using specific criteria. Selected users will display in the panel at the bottom of the screen.

  7. Click Next.

  8. Complete the Mining Criteria form by selecting parameters to refine the role mining task.

    See Section 5.2.2.3, "Using the Mining Criteria Page" for help configuring the parameters on this page.

  9. Click Preview to preview and analyze role mining input data.

    The Role Engineering Data Preview window opens.

    See Section 5.2.2.4, "Using the Role Engineering Data Preview Page" later in this chapter for help using this page.

  10. Review the columns on the Role Engineering Data Preview page:

    1. Check the minable attributes that are accounted for in this run.

    2. Verify that minable attributes are correct with respect to your set of representative users.

    3. Verify that multi-valued attributes display correctly in separate columns. If not, specify that the attribute is multi-valued on the attributes configuration screen.

  11. Click Close to return to the Mining Criteria page.

  12. Do one of the following: run the task now, schedule it to run at a later time, or save the task without running or scheduling it. A saved task can be run or scheduled later as described in Section 5.2.3, "Running or Scheduling a Role Mining Task."

5.2.2.2 Using the Role Mining Wizard Display Controls

This section describes how to use the display controls that are part of the role mining task creation wizard. See Section 5.2.2.1, "To Create a Role Mining Task" for more information.

  • Select Page at the top of the panel to select all the users on the page, or select Clear Page to deselect all the users on the page.

  • Select All to select all users across all pages, or select Clear All to deselect all users.

  • Use the Display drop-down menu at the bottom of the panel to change the number of records that are displayed at once. You can choose to view 10, 20, 50, or 100 records at a time.

  • Click the filter icon at the bottom of the page to filter large record sets. Type a few characters in the filter boxes, and Oracle Identity Analytics will display the matching records.

5.2.2.3 Using the Mining Criteria Page

This section describes the Mining Criteria page, which is part of the role mining task creation wizard. Role mining parameters give you more control over the role mining process. The following tables describe parameters that you can set to tune the role mining process.

Table 5-1 Mining Criteria Page—Role Mining Parameters

  • Find Number of Roles - The number of roles that the algorithm should find.

  • Let the system find the best number of roles - The maximum number of clusterer iterations.

Table 5-2 Mining Criteria Page—HR Attributes

  • Selected HR Attributes - A list of user attributes that can be incorporated into the search algorithm. Using these parameters, along with the logical grouping of users by job responsibility, gives the best results for a hybrid role mining effort.

Table 5-3 Mining Criteria Page—Advanced Parameters

  • Attribute Frequency - Instructs the role mining engine to ignore attributes that have a frequency lower than the value entered. Attributes may not be relevant if they have low frequency and they may introduce "noise." Furthermore, processing them is costly and adds processing time.

  • Data Resampling Percentage - The best threshold value is 300%.

  • Min. standard deviation - Used by the role mining algorithm to size the amount of user detail to capture. Use one of the values -2, -1, 0, 1, or 2. Values further from zero (positive or negative) return more outliers.

  • Single instance per user - Keep this selected to choose a single instance per user.

  • Use Binary splits - The goal of splitting is to get more roles with greater differences. When role mining, the ideal subset is a group of users who do not share any attributes with users in any other group or role. Enabling Binary splits forces Oracle Identity Analytics to attempt to build a role classification model with greater differences.

  • Confidence factor - A method to statistically analyze the users-to-role assignment data and estimate the amount of error inherent in it.

  • Minimum users per role - Minimum number of users per role when building the classification rules. If the clusterer step has found a role with fewer users, the classification test can show incorrect results.

  • Number of folds - Reduce error pruning is another mechanism to prune the tree (the classification model).

  • Randomize start - Randomize the seed number used to initialize the random number generator. Role mining may return slightly different roles if you select this option.

  • Consider subtree raising - Another mechanism to simplify the classification model (smaller number of final roles).

  • Unpruned - Generates a more complex decision tree (later decomposed into more rules).

5.2.2.4 Using the Role Engineering Data Preview Page

This section describes how to use the Role Engineering Data Preview page, which is part of the Role Mining task creation wizard. To open this page, follow the steps in Section 5.2.2.1, "To Create a Role Mining Task."

  • To view the data associated with individual resources or resource types, make a selection in the Resource Types panel.

  • To select the data associated with the entire user set, select Resource Types.

  • To filter users by GlobalUserId, use the Filter feature, or click Clear to cancel the filtering.

  • To save the role mining input data as a CSV file, click Export to CSV.

5.2.3 Running or Scheduling a Role Mining Task

Role mining tasks can run on demand, or you can schedule them to run at a later time. Oracle Identity Analytics provides a sophisticated scheduling mechanism that is easy to use. Tasks can be run multiple times and can be executed on demand or scheduled for a future time. Task results are timestamped and stored. This enables you to run a task and then review results later in order to configure and save roles. Unless they are explicitly deleted, all role mining tasks are permanently stored by Oracle Identity Analytics.

5.2.3.1 To Run or Schedule a Saved Role Mining Task

To run or schedule a saved task, follow these steps:

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Role Mining.

    A table of Role Mining Tasks is displayed.

  3. In the Action column, click Run to run a given task now, or click Schedule to open the schedule for a task.

    To schedule the task, do the following:

    1. Select a Daily, Monthly, or One Time Only recurrence schedule.

    2. For Perform This Task, specify the Start Time, whether the task should run Every Day or only on Weekdays, and a Start Date.

    3. Click Schedule to schedule the task. The role mining task is scheduled to run at the intervals you selected.

5.2.4 Validating and Saving Role Mining Results

Role mining identifies users with nearly identical access entitlements and displays the entitlements and the resources associated with the entitlements on the role configuration screen. You can assign to the role all of the entitlements or a partial list based on a level of accepted risk.

If the need is to match users with exact entitlements only, then set a cutoff percentage of 100 percent. This value will only save entitlements where 100 percent of the users in that role have the same access entitlement. Selecting a percentage below 100 percent allows Oracle Identity Analytics to save entitlements above the set cutoff as a primary policy (or parent role), and those entitlements below the set cutoff as a secondary policy (or child role). You can decide later if you want to maintain the child role policy for a transitional period of time, or remove access altogether.
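
The cutoff split described above, as an added example that is not Oracle Identity Analytics code: it computes the "No. of Users" and "% of Users" figures for each entitlement held by the members of one mined role, then divides the entitlements into a primary (parent) policy and a secondary (child) policy at a chosen cutoff. The users, entitlements, and the (resource, attribute, value) tuple layout are constructed for illustration; the same cutoff logic applies to the policies saved by Entitlements Discovery in Section 5.4.

```python
"""Splitting mined entitlements into a primary (parent) policy and a
secondary (child) policy at a cutoff percentage.

Added example, not Oracle Identity Analytics code. The users and
entitlements below are constructed; the (resource, attribute, value)
tuple layout is an assumption made for illustration.
"""
from collections import Counter

# Constructed sample entitlements held by members of one mined role.
AD_RO = ("Active Directory", "memberOf", "CN=Finance-RO")
AD_RW = ("Active Directory", "memberOf", "CN=Finance-RW")
SAP_VIEW = ("SAP", "profile", "FI_VIEW")
SAP_POST = ("SAP", "profile", "FI_POST")
ORA_DBA = ("Oracle DB", "role", "DBA")

# Constructed sample: user id -> set of entitlements that user holds.
MINED_ROLE_USERS = {
    "u1001": {AD_RO, SAP_VIEW, AD_RW},
    "u1002": {AD_RO, SAP_VIEW, AD_RW, SAP_POST},
    "u1003": {AD_RO, SAP_VIEW, SAP_POST},
    "u1004": {AD_RO, SAP_VIEW, AD_RW},
    "u1005": {AD_RO, SAP_VIEW, AD_RW, ORA_DBA},
}


def entitlement_coverage(users):
    """Per entitlement, return (number of users, percentage of users): the
    'No. of Users' and '% of Users' columns on the Role Details window."""
    if not users:
        return {}
    counts = Counter(ent for ents in users.values() for ent in ents)
    total = len(users)
    return {ent: (n, 100.0 * n / total) for ent, n in counts.items()}


def split_by_cutoff(users, cutoff_pct):
    """Entitlements held by at least cutoff_pct of the members go into the
    primary (parent) policy; the rest go into the secondary (child) policy.
    A cutoff of 100 keeps only entitlements that every member has."""
    if not 0 < cutoff_pct <= 100:
        raise ValueError("cutoff must be in (0, 100]")
    primary, secondary = set(), set()
    for ent, (_, pct) in entitlement_coverage(users).items():
        (primary if pct >= cutoff_pct else secondary).add(ent)
    return primary, secondary


def users_without(users, entitlement):
    """Members of the role who lack the given entitlement: the 'users
    without entitlements' view that opens when an attribute is clicked."""
    return {uid for uid, ents in users.items() if entitlement not in ents}


if __name__ == "__main__":
    for cutoff in (100, 80, 50):
        parent, child = split_by_cutoff(MINED_ROLE_USERS, cutoff)
        print(f"cutoff {cutoff}%: parent={len(parent)} child={len(child)}")
```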

5.2.4.1 To Validate and Adjust Role Discovery Results

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Role Mining.

    A table of Role Mining Tasks is displayed.

  3. Find the role mining task that you want to validate.

    To find a specific role mining task, do the following:

    • Click the Display drop-down menu at the bottom of the panel to change the number of records that are displayed at once. You can choose to view 10, 20, 50, or 100 records at a time.

    • Click the "filter icon" at the bottom of the page to filter large record sets.

    • Type a few characters in the filter boxes and Oracle Identity Analytics will display the matching records.

  4. Click View Results in the Action column.

    The results display in a panel at the bottom of the page.

  5. In the View Reports column, click View Reports for the task instance that you are validating.

    The Role Mining Report page opens. This page displays membership and attribute details across all resources and resource types for all the roles created in the role mining effort.

    Note - To export the report to another format, click the Actions button.

  6. Click the Back button.

  7. In the panel at the bottom of the page, click View in the View Results column.

    The Role Mining Results page opens.

    See Section 5.2.4.2, "Using the Role Mining Results Page," for information about this page.

5.2.4.2 Using the Role Mining Results Page

This section describes the Role Mining Results page. To open this page, see Section 5.2.4.1, "To Validate and Adjust Role Discovery Results" for instructions.

The Role Mining Results page has four tabs:

  • Roles tab - Click to view a role mining report for one or more roles, and to save roles from the mining effort.

  • Mining Statistics tab - Click to view the statistics used to validate the result of the role mining effort.

  • Classification Rules tab - Click to view the classification rules that were used to create the roles during the role mining process.

  • Users In Roles tab - Click to view a pie chart that shows the percentage of users assigned to each role type as part of the role mining process.

At the bottom of the page, click Discard to go back to the Role Mining Option Details page.

5.2.4.3 Using the Roles Tab

Use this page to save roles created by the mining effort.

The Roles tab contains a Roles Found left panel that lists created roles, and a main panel that contains two tabs: Role Details and Membership.

Role Details Window

The following explains how you can use the Role Details Window:

  • Select a role in the Roles Found panel to view its details. Each role in the Roles Found panel can be expanded to view the resource types, resources, and attributes associated with the role. Click a resource type, resource, or attribute within a role to view role membership details.

  • Click a resource type, resource, attribute, or attribute value for more detail.

    A new window opens and shows users with and without entitlements. To export the report as a PDF or CSV file, click the Actions button.

  • The No. of Users column lists the number of role users that correlate to the attribute listed in the role.

  • The % of Users column indicates the percentage of users that have access to the selected attribute.

  • Slide the cutoff ruler to the desired accepted risk percentage. All attributes above the cutoff percentage will be set to a primary or parent role policy, and all those below the cutoff percentage will be set to a secondary policy for child roles.

  • Select Create Role to save the role in the Oracle Identity Analytics Identity Warehouse.

    The role is displayed in the Identity Warehouse with the appropriate timestamp.

    Click Identity Warehouse > Roles to view the saved role. The role can be renamed and its corresponding policy viewed and modified as required.

    Note - Before changing policies (or the associated access attributes), consult with the business owner or role owner.

  • Select the role and click View Reports to view a role mining report for one or more roles. The role mining report details the attributes and values associated with the role across all resources and resource types.

Membership Window

The Membership Window displays the members of the selected roles.

5.2.4.4 Using the Mining Statistics Tab

Use this page to determine how well the Role Mining algorithm performed.

The Mining Statistics tab reports the following statistics that you can use to interpret role mining results:

  • % of users correctly / incorrectly assigned - This mining statistic tells what percentage of users has been assigned correctly and what percentage has not.

  • Kappa value - A statistical measure of the degree of agreement for a particular physical finding. In the case of Oracle Identity Analytics, the physical finding is the roles discovered through the role mining process.

    Kappa is always less than or equal to 1. A value of 1 represents perfect agreement, so the higher the Kappa value, the stronger the agreement. Depending on the application, a Kappa value of less than 0.7 indicates that your system needs improvement. Kappa values greater than 0.9 are considered excellent.

  • Kononenko & Bratko score and relative score - A score of the data mining algorithm. This value can be disregarded.
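
The two statistics worth reading from this tab, worked through as an added example that is not Oracle Identity Analytics code: the percentage of correctly assigned users and the Kappa value, with the 0.7 and 0.9 thresholds quoted above. The page does not state which kappa formula the product uses, so standard Cohen's kappa is assumed; the (expected role, assigned role) pairs are constructed.

```python
"""Cohen's kappa and percentage of correctly assigned users for a role
mining run, with the interpretation thresholds from the table above.

Added example, not Oracle Identity Analytics code: the (expected role,
assigned role) pairs are constructed, and the kappa formula used by the
product is not stated on this page, so standard Cohen's kappa is assumed.
"""
from collections import Counter

# Constructed sample: for ten users, the role they should belong to
# (expected) and the role the classification model assigned.
ASSIGNMENTS = [
    ("Finance Analyst", "Finance Analyst"),
    ("Finance Analyst", "Finance Analyst"),
    ("Finance Analyst", "Finance Analyst"),
    ("Finance Analyst", "Finance Analyst"),
    ("Payroll Clerk", "Payroll Clerk"),
    ("Payroll Clerk", "Payroll Clerk"),
    ("Payroll Clerk", "Payroll Clerk"),
    ("Payroll Clerk", "Finance Analyst"),  # the one misassigned user
    ("DB Admin", "DB Admin"),
    ("DB Admin", "DB Admin"),
]


def pct_correct(pairs):
    """'% of users correctly assigned': expected role equals assigned role."""
    if not pairs:
        raise ValueError("no assignments")
    correct = sum(1 for expected, assigned in pairs if expected == assigned)
    return 100.0 * correct / len(pairs)


def cohen_kappa(pairs):
    """kappa = (p_o - p_e) / (1 - p_e), where p_o is the observed agreement
    and p_e the agreement expected by chance from the role frequencies."""
    n = len(pairs)
    if n == 0:
        raise ValueError("no assignments")
    p_o = pct_correct(pairs) / 100.0
    expected_counts = Counter(expected for expected, _ in pairs)
    assigned_counts = Counter(assigned for _, assigned in pairs)
    p_e = sum(expected_counts[r] * assigned_counts[r]
              for r in expected_counts) / (n * n)
    if p_e == 1.0:
        # Degenerate case: a single role on both sides, so chance agreement
        # is total and kappa is undefined; report no agreement beyond chance.
        return 0.0
    return (p_o - p_e) / (1.0 - p_e)


def interpret_kappa(kappa):
    """Thresholds quoted in the table above. The band between them is
    labelled 'acceptable' here; that label is this example's own wording."""
    if kappa > 0.9:
        return "excellent"
    if kappa < 0.7:
        return "needs improvement"
    return "acceptable"


if __name__ == "__main__":
    k = cohen_kappa(ASSIGNMENTS)
    print(f"correct: {pct_correct(ASSIGNMENTS):.1f}%  kappa: {k:.3f}  "
          f"({interpret_kappa(k)})")
```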


5.2.4.5 Using the Classification Rules Tab

Use this page to view the classification rules that were used to create the roles during the role mining process.

  • Rule # - This column lists the rules in ascending order.

  • Description - This column contains descriptions of the corresponding rules.

  • Confidence (%) - This column lists confidence scores as a percentage.

  • Role - This column lists the role associated with each rule.

  • Record Count - This column lists the record count for each rule.

5.2.4.6 Using the Users in Roles Tab

This page displays a pie chart that shows the percentage of users assigned to each role type as part of the role mining process. Use this page to enhance your understanding of the role mining effort.

5.3 Performing Role Consolidation

Role Consolidation is a feature that prevents the creation of new roles with almost the same membership and entitlements of existing roles, a syndrome known as role explosion.

Role Consolidation tells you how similar two roles are based on the following two criteria:

  • Role membership

  • Entitlements

5.3.1 To Consolidate Roles

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Role Consolidation.

    The Role Consolidation page opens.

  3. Choose one of the following:

    • Choose consolidation based on Role Membership - Checks for similarity of two roles based on users.

    • Choose consolidation based on Entitlements - Checks for similarity of two roles based on entitlements.

  4. Select the two roles that you want to compare.

  5. Use the "cut-off" slider at the bottom of the page to set a similarity percentage. Roles whose similarity score falls below this percentage do not appear in the results.

  6. Click Submit.

The Role Consolidation Results Table appears.
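
The comparison above, as an added example that is not Oracle Identity Analytics code: it scores role pairs by membership or by entitlements and drops pairs below the cut-off. The page does not state the similarity measure the product uses, so Jaccard similarity (shared items divided by all items of the two roles) is assumed; the roles are constructed, and the example goes beyond the procedure by scoring every pair of roles rather than the two you select.

```python
"""Role consolidation: scoring how similar two roles are by membership or by
entitlements, then hiding pairs below the cut-off percentage.

Added example, not Oracle Identity Analytics code. Jaccard similarity is an
assumption (the page does not name the product's measure), and the roles
below are constructed.
"""
from itertools import combinations

# Constructed sample: role name -> (members, entitlements).
ROLES = {
    "Finance Analyst": (
        {"u1001", "u1002", "u1003", "u1004"},
        {"AD:Finance-RO", "SAP:FI_VIEW", "SAP:FI_POST"},
    ),
    "Finance Analyst EMEA": (
        {"u1001", "u1002", "u1003", "u1005"},
        {"AD:Finance-RO", "SAP:FI_VIEW", "SAP:FI_POST", "AD:Finance-EMEA"},
    ),
    "HR Generalist": (
        {"u2001", "u2002"},
        {"HRIS:EMPLOYEE_VIEW", "HRIS:EMPLOYEE_EDIT"},
    ),
}


def jaccard_pct(a, b):
    """Similarity as a percentage. Two empty sets score 0 rather than 100 so
    that roles with no members (or no entitlements) are not reported as
    near-duplicates of each other."""
    union = a | b
    if not union:
        return 0.0
    return 100.0 * len(a & b) / len(union)


def consolidation_candidates(roles, criterion, cutoff_pct):
    """Compare every pair of roles on 'membership' or 'entitlements' and keep
    the pairs whose similarity is at or above cutoff_pct, most similar first."""
    index = {"membership": 0, "entitlements": 1}[criterion]
    results = []
    for (name_a, data_a), (name_b, data_b) in combinations(roles.items(), 2):
        score = jaccard_pct(data_a[index], data_b[index])
        if score >= cutoff_pct:
            results.append((name_a, name_b, score))
    return sorted(results, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for criterion in ("membership", "entitlements"):
        for a, b, score in consolidation_candidates(ROLES, criterion, 50):
            print(f"{criterion}: {a} ~ {b}: {score:.0f}%")
```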

5.4 Performing Entitlements Discovery

This module analyzes legacy roles in order to define, re-evaluate, and refine the content of these roles. Entitlements Discovery can also be used for role consolidation if you need to include more applications in the role entitlement mix.

Once roles have been defined for critical applications, you might not want to add new roles or change the makeup of a role, but instead introduce a larger domain of application entitlements in those roles. In this case, select the relevant attributes of the new application as minable only and run Entitlements Discovery on the existing roles.

The Role Entitlements Discovery process can also be applied to top-down roles that are already defined in the organization in order to expedite the hybrid, best-practice role definition process.

5.4.1 To Perform Entitlements Discovery

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Entitlements Discovery.

    The Choose Attribute Type Strategy page opens.

  3. Select Evaluate Minable attributes and click Next.

  4. Select the desired role from the Available Roles panel on the left.

    The Available Users panel on the right displays the users that belong to that role.

  5. Select one or more users.

  6. Do one of the following:

    • Click the Display drop-down menu at the bottom of the panel to view more users on the page.

    • Select Page at the top of the panel to select all the users on the current page, or select Clear Page to deselect the users on the current page.

    • Select All to select all users across all pages, or Clear All to deselect all users.

  7. Click Next.

  8. On the left side of the screen, select a Role and click View Details.

  9. Select a cut-off percentage for each policy and click Save Policies. Set the cut-off slider at the bottom of the page to a percentage so that only users with an equal or higher similarity percentage appear in the result.

  10. Choose Identity Warehouse > Policies to view the time-stamped policies.

    The access (attributes) related to these policies can be evaluated and added or removed as required. Policies, once renamed and finalized, can be re-associated to the original role.

Note - Before changing policies (or the associated access attributes), consult with the business owner or role owner.

5.5 Creating and Using Role Provisioning Rules

Organizations are in a constant state of flux. Any change in an employee's responsibility also means assigning or revoking user access. To meet this challenge, Oracle Identity Analytics enables you to create role provisioning rules.

Role provisioning rules automatically assign roles to a user, if the user meets the rule condition. The condition can include HR attributes or entitlement-related information.

5.5.1 To Create New Rules

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Rules.

  3. Click New Rule, complete the form, and click Next.

  4. Create the condition for the rule and click Next.

    1. Select the Object (four options are provided: User, Role, Business Unit, and Resource Types), an attribute, a condition, and a value.

    2. Select AND or OR from the menu in the Operation column to add additional conditions.

    3. Select two or more rules and use the Group and Ungroup buttons to create complex conditions.

  5. Click Select Role, choose a role from the roles listed, and click Next.

    If the user meets the condition, the user is assigned the chosen role.

  6. Click Add Owners, select the user who should own this role, and click Next.

    Use the quick or advanced search options, as needed.

  7. Select from the following options:

    • No Changes - If any change occurs to the attributes or their values, this option makes no change.

    • Remove Role Immediately - If any change occurs to the attributes or their values, this option removes the role immediately.

    • Remove Role after n days - If any change occurs to the attributes or their values, this option removes the role after the selected number of days.

    • Notify Administrator - If any change occurs to the attributes or their values, this option sends an e-mail based on the e-mail template to the concerned actor.

  8. Click Finish.

    The role provisioning rule is created and the rule state is marked as composing.

  9. To send the rule for approval, select the rule and click Send for Approval.

    The status of the rule is changed to Pending Approval.

Note - The current status of a newly created role provisioning rule is composing or pending approval until the rule is approved by the rule owner or the administrator. Thereafter, the rule becomes active. Action can only be taken on active rules.
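
How a rule condition built in step 4 is evaluated, and what the step 7 options mean once a user's attributes change, as an added example that is not Oracle Identity Analytics code: the condition-tree classes, operator names, and user records are constructed for illustration; only the object names, the AND/OR grouping, and the four change-handling options come from the procedure above.

```python
"""Evaluating a role provisioning rule: a grouped AND/OR condition over
User and Business Unit attributes, and the change-handling option chosen
in step 7 once the user's attributes no longer satisfy the condition.

Added example, not Oracle Identity Analytics code. The Condition/Group
classes, the operator names and the user records are constructed; only the
object names, AND/OR grouping and the four options come from the procedure.
"""
from dataclasses import dataclass

# Constructed operator set; the product's own condition operators are not listed here.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: actual is not None and expected in actual,
}


@dataclass(frozen=True)
class Condition:
    obj: str          # "User", "Role", "Business Unit" or "Resource Types"
    attribute: str
    operator: str
    value: object


@dataclass(frozen=True)
class Group:
    op: str           # "AND" or "OR", as chosen in the Operation column
    items: tuple      # nested Condition or Group objects (Group/Ungroup buttons)


def evaluate(node, record):
    """record maps an object name to its attributes, e.g.
    {"User": {"department": "Finance"}, "Business Unit": {"region": "EMEA"}}."""
    if isinstance(node, Condition):
        actual = record.get(node.obj, {}).get(node.attribute)
        return OPERATORS[node.operator](actual, node.value)
    results = [evaluate(child, record) for child in node.items]
    return all(results) if node.op == "AND" else any(results)


# Constructed rule: (User.department = Finance AND Business Unit.region = EMEA)
#                   OR User.title contains "Controller"  -> assigns RULE_ROLE
RULE_CONDITION = Group("OR", (
    Group("AND", (
        Condition("User", "department", "equals", "Finance"),
        Condition("Business Unit", "region", "equals", "EMEA"),
    )),
    Condition("User", "title", "contains", "Controller"),
))
RULE_ROLE = "Finance Analyst"


def role_for(record):
    """Role the rule assigns to this user record, or None if the condition fails."""
    return RULE_ROLE if evaluate(RULE_CONDITION, record) else None


def on_attribute_change(record, option, days=0):
    """Outcome for a user who already holds the role after their attributes
    changed, according to the option chosen in step 7 of the procedure."""
    if evaluate(RULE_CONDITION, record):
        return {"action": "keep", "reason": "condition still satisfied"}
    if option == "No Changes":
        return {"action": "keep", "reason": "option leaves the role in place"}
    if option == "Remove Role Immediately":
        return {"action": "remove", "after_days": 0}
    if option == "Remove Role after n days":
        return {"action": "remove", "after_days": days}
    if option == "Notify Administrator":
        return {"action": "notify"}
    raise ValueError(f"unknown option: {option}")


# Constructed user records.
ALICE = {"User": {"department": "Finance", "title": "Analyst"},
         "Business Unit": {"region": "EMEA"}}
BOB = {"User": {"department": "Marketing", "title": "Assistant Controller"},
       "Business Unit": {"region": "EMEA"}}
CAROL = {"User": {"department": "Finance", "title": "Analyst"},
         "Business Unit": {"region": "APAC"}}

if __name__ == "__main__":
    for name, rec in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name, "->", role_for(rec))
```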

5.5.2 To Approve/Reject Role Provisioning Rules

  1. Log in to Oracle Identity Analytics.

  2. Choose My Requests > Pending Requests.

    This page displays the pending role provisioning rule request.

  3. Do one of the following:

    • To approve the rule, select the rule and click the Approve button.

    • To reject the rule, select the rule and click the Reject button.

    The rule is displayed in the Completed Requests page. If approved, the rule's status (under the Role Management tab) is changed to active.

Note - Only approved roles become active.

5.5.3 To Deactivate or Decommission Rules

Before You Begin - Note the following:

  • Decommissioning a rule makes the rule invalid permanently. It cannot be made active again, but it remains in the software to enable better rule lifecycle management.

  • De-activating a rule makes the rule invalid temporarily. It can be made active again by changing the state of the rule.

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Rules.

  3. Click a rule to edit it.

    The Edit Rule page opens.

  4. Select a new status from the New Status drop-down menu.

  5. Click Save.

After you save your changes, a new version of the rule is created. To make the changes effective, the new version needs to be approved. See Section 5.5.2, "To Approve/Reject Role Provisioning Rules" for information.

5.5.4 To Preview Role Provisioning Rules Job

You can preview the results of a role-provisioning rules job. You can also preview the results of rules in the composing state; however, the results cannot be saved until the rule is active.

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Rules.

  3. Click Preview in the Actions column.

  4. Click the Selection Strategy drop-down menu and choose from the following:

    • All Business Structures - Selects users from all business structures.

    • Selected Business Structures - Selects the users from the selected business structures.

    • All Users - Selects all users in Oracle Identity Analytics.

    • Users criteria - Selects users based on the condition you create. Click Preview to get an idea of the users selected.

    • Selected Users - Selects users which you choose individually.

  5. Click Next. Based on the user selection strategy in Step 4, select the desired business structures or users and click Next.

    A summary page opens.

  6. Click Preview.

    A Role Provisioning Jobs page opens and displays the status of the preview action.

  7. Select the rule after the status is 100 percent complete. The preview results appear.

  8. Select one of the following:

    • Apply - Saves the results of the action.

    • Don't Apply - Does not save the results of the action.

5.5.5 To Run Role Provisioning Rules Job

Role provisioning rules can be run only if the rule is in the active state. See Section 5.5.2, "To Approve/Reject Role Provisioning Rules" to change the rule state to active.

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Rules.

  3. Select Run next to the rule that you want to run.

  4. Click the Selection Strategy drop-down menu and choose from the following:

    • All Business Structures - Selects users from all business structures.

    • Selected Business Structures - Selects the users from the selected business structures.

    • All Users - Selects all users in Oracle Identity Analytics.

    • Users criteria - Selects users based on the condition you create.

      Click Preview to get an idea of the users selected.

    • Selected Users - Selects users which you choose individually.

  5. Click Next.

    Based on the user selection strategy in Step 4, select the desired business structures or users and click Next.

    A summary page opens.

  6. To run now, click Run Now and click View Results.

    To run the job later, click Run Later and do the following:

    1. Complete the form, including name, description, and time and day for the task to start.

      A summary page opens.

    2. Click Schedule.

Note - To run multiple rules simultaneously, select the desired rule and click Run.

5.5.6 To Manage Lifecycle of Rules

In Oracle Identity Analytics, rules play a pivotal part in role management. Therefore, every action taken on any role provisioning rule is saved in the software and can be referred to at any given point.

  1. Log in to Oracle Identity Analytics.

  2. Choose Role Management > Rules.

    All the rules and their states are displayed.

  3. Select the desired rule.

    The Edit Role Provisioning Rule page appears.

    • General tab - Displays information such as Rule Name, Description, Role (assigned to the rule), Current Status, New Status, Creation, and Update dates.

    • Conditions tab - Displays the condition associated with the rule.

    • Ownership tab - Displays the rule owner.

    • Versions tab - Displays all the previous versions of the rule. Any change to the rule condition, rule owner, or status is recorded in Rule Versions.

    • History tab - Displays the history of various changes made to the rule. All changes are recorded except rule condition, rule owner, or status changes.

    • Action tab - Displays the Unassign Rule Option.

  4. Select the desired tab to make the required change in the rule.

  5. Click Save.