Oracle Identity Analytics Business Administrator's Guide 11g Release 1 |
5. Oracle Identity Analytics Role Engineering and Management
Understanding Role Mining, Role Consolidation, and Entitlements Discovery
Setting Role Mining Attributes
Using the Role Mining Wizard Display Controls
Using the Mining Criteria Page
Using the Role Engineering Data Preview Page
Running or Scheduling a Role Mining Task
To Run or Schedule a Saved Role Mining Task
Validating and Saving Role Mining Results
To Validate and Adjust Role Discovery Results
Using the Role Mining Results Page
Using the Mining Statistics Tab
Performing Entitlements Discovery
To Perform Entitlements Discovery
Creating and Using Role Provisioning Rules
To Approve/Reject Role Provisioning Rules
To Deactivate or Decommission Rules
To Preview Role Provisioning Rules Job
To Run Role Provisioning Rules Job
Role mining (role discovery) uses expectation maximization and cobweb clustering algorithms to discover relationships between users based on similar access permissions that can logically be grouped to form a role.
The role mining process consists of three steps:
1. Setting role mining attributes
2. Creating and running a role mining task
3. Analyzing role mining results and configuring and saving roles
Before starting a role mining job, specify the applications and attributes that will return the best data mining results. To do this, set minable attribute settings. It is important to identify attributes that define access to a particular application/target system and set them as minable. Ensure that the appropriate applications and input data are accounted for. Do not add unimportant attributes because they will affect the accuracy of the role mining effort. Running role mining without any attributes set as minable will result in an error.
Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click Resource Types.
The Resource Types configuration screen opens.
Select the resource type whose attributes are to be selected for role mining by clicking on the resource type in the Resource Types panel on the left.
Select attributes for mining by selecting the check box in the Minable column and clear attributes that are not useful.
The key to a good role engineering effort is to select the best set of representative users for a given role. For best results, select a group of users whose job responsibilities are the most similar. Oracle Identity Analytics then suggests roles based on the users' collective entitlements.
A good practice before running a role mining task is to preview the input data selected for the role mining exercise. Do this to ensure that all attributes are accounted for, and also that all attributes are correct. Check for any visible inconsistencies in the data.
Follow these steps to create and run a role mining task. You can also schedule the task to run at a later time, or simply save the task without running or scheduling it.
Log in to Oracle Identity Analytics.
Choose Role Management > Role Mining.
Click New Role Mining Task.
In the New Role Mining Task window, complete the Name and Description fields, then select a Selection Strategy for role mining:
By Business Structures - Choose this option to perform role discovery on one or more users that you select by business unit.
By Resource - Choose this option to perform role discovery on one or more resources.
By Existing Role - Choose this option to perform role discovery using existing roles.
All Users - Choose this option to base role mining on one or more users that you select from a list of all users.
Click Next.
Proceed as follows.
For help using the user interface controls during this step, see To Create a Role Mining Task later in this chapter.
If your selection strategy is By Business Structures, select the business unit from the Business Structures panel on the left, then select users assigned to the business unit in the Available Users panel on the right. Selected users will display in the panel at the bottom of the screen.
If your selection strategy is By Resource, select the resource from the Available Resource Types panel on the left, then select individual resources in the Available Resources panel on the right. Selected resources will display in the Number of Selected Resources panel at the bottom of the screen.
If your selection strategy is By Existing Role, select the role from the available roles panel on the left, then select users assigned to the role in the available Users panel on the right. Selected users will display in the panel at the bottom of the screen.
If your selection strategy is All Users, search for the users using the specific criterion. Selected users will display in the panel at the bottom of the screen.
Click Next.
Complete the Mining Criteria form by selecting parameters to refine the role mining task.
See Using the Role Mining Wizard Display Controls later in this chapter for help configuring the parameters on this page.
Click Preview to preview and analyze role mining input data.
The Role Engineering Data Preview window opens. See Using the Mining Criteria Page later in this chapter for help using this page.
Use the Role Engineering Data Preview window to review the columns on the Role Engineering Data Preview page.
Check the minable attributes that are accounted for in this run.
Verify that minable attributes are correct with respect to your set of representative users.
Verify that multi-valued attributes display correctly in separate columns.
If not, specify that the attribute is multi-valued on the attributes configuration screen.
Click Close to return to the Mining Criteria page.
Do one of the following:
Click Run Now to start the role mining task.
See Using the Role Engineering Data Preview Page later in this chapter for more information.
Click Run Later to schedule the task.
See Using the Role Engineering Data Preview Page later in this chapter for help using the scheduler.
Click Save & Exit to save the task without scheduling it.
This section describes how to use the display controls that are part of the role mining task creation wizard. See Creating a Role Mining Task for more information.
Select Page at the top of the panel to select all the users on the page, or select clear Page to deselect all the users on the page.
Select All to select all users across all pages, or select clear All to deselect all users.
Use the Display drop-down menu at the bottom of the panel to change the number of records that are displayed at once. You can choose to view 10, 20, 50, or 100 records at a time.
Click the filter icon at the bottom of the page to filter large record sets. Type a few characters in the filter boxes, and Oracle Identity Analytics will display the matching records.
This section describes the Mining Criteria page, which is part of the role mining task creation wizard. Role mining parameters give you more control over the role mining process. The following table describes parameters that you can set to tune the role mining process.
This section describes how to use the Role Engineering Data Preview page, which is part of the Role Mining task creation wizard. To open this page, follow the steps in Creating a Role Mining Task.
To view the data associated with individual resources or resource types, make a selection in the Resource Types panel.
To select the data associated with the entire user set, select Resource Types.
To filter users by GlobalUserId, use the Filter feature, or click Clear to cancel the filtering.
To save the role mining input data as a CSV file, click Export to CSV.
Role mining tasks can run on demand, or you can schedule them to run at a later time. Oracle Identity Analytics provides a sophisticated scheduling mechanism that is easy to use. Tasks can be run multiple times and can be executed on demand or scheduled for a future time. Task results are timestamped and stored. This enables you to run a task and then review results later in order to configure and save roles. Unless they are explicitly deleted, all role mining tasks are permanently stored by Oracle Identity Analytics.
To run or schedule a saved task, follow these steps:
Log in to Oracle Identity Analytics.
Choose Role Management > Role Mining.
A table of Role Mining Tasks is displayed.
Do one of the following tasks:
In the Action column, click Run to run a given task now.
Click Schedule to open the schedule for a task.
Select a Daily, Monthly, or One Time Only recurrence schedule.
For Perform This Task, specify the Start Time, whether the task should run Every Day or only on Weekdays, and a Start Date.
Click Schedule to schedule the task.
The role mining task is scheduled to run at the intervals you selected.
Role mining identifies users with nearly identical access entitlements and displays the entitlements and the resources associated with the entitlements on the role configuration screen. You can assign to the role all of the entitlements or a partial list based on a level of accepted risk.
If the need is to match users with exact entitlements only, then set a cutoff percentage of 100 percent. This value will only save entitlements where 100 percent of the users in that role have the same access entitlement. Selecting a percentage below 100 percent allows Oracle Identity Analytics to save entitlements above the set cutoff as a primary policy (or parent role), and those entitlements below the set cutoff as a secondary policy (or child role). You can decide later if you want to maintain the child role policy for a transitional period of time, or remove access altogether.
Log in to Oracle Identity Analytics.
Choose Role Management > Role Mining.
A table of Role Mining Tasks is displayed.
Find the role mining task that you want to validate.
To find a specific role mining task, do the following:
Click the Display drop-down menu at the bottom of the panel to change the number of records that are displayed at once.
You can choose to view 10, 20, 50, or 100 records at a time.
Click the filter icon at the bottom of the page to filter large record sets.
Type a few characters in the filter boxes, and Oracle Identity Analytics will display the matching records.
Click View Results in the Action column.
The results display in a panel at the bottom of the page.
In the View Reports column, click View Reports for the task instance that you are validating.
The Role Mining Report page opens. This page displays membership and attribute details across all resources and resource types for all the roles created in the role mining effort.
Note - To export the report to another format, click the Actions button.
Click the Back button.
In the panel at the bottom of the page, click View in the View Results column.
The Role Mining Results page opens. See Using the Role Mining Results Page for information about this page.
This section describes the Role Mining Results page. To open this page, see To Validate and Adjust Role Mining Results for instructions.
The Role Mining Results page has four tabs:
Roles tab - Click to view a role mining report for one or more roles, and to save roles from the mining effort.
Mining Statistics tab - Click to view the statistics used to validate the result of the role mining effort.
Classification Rules tab - Click to view the classification rules that were used to create the roles during the role mining process.
Users In Roles tab - Click to view a pie chart that shows the percentage of users assigned to each role type as part of the role mining process.
At the bottom of the page, click Discard to go back to the Role Mining Option Details page.
Use this page to save roles created by the mining effort.
The Roles tab contains a Roles Found left panel that lists created roles, and a main panel that contains two tabs: Role Details and Membership.
Role Details Window
The following explains how you can use the Role Details Window:
Click a resource type, resource, attribute, or attribute value for more detail. A new window opens and shows users with and without entitlements.
To export the report as a PDF or CSV file, click the Actions button. Select a role from this list to view role details. Each role in the Roles Found panel can be expanded to view resource types, resources, and attributes associated with the role. Click on a resource type, resource, or attribute within a role to view role membership details.
The No. of Users column lists the number of role users that correlate to the attribute listed in the role.
The % of Users column indicates the percentage of users that have access to the selected attribute.
Slide the cutoff ruler to the desired accepted risk percentage. All attributes above the cutoff percentage will be set to a primary or parent role policy, and all those below the cutoff percentage will be set to a secondary policy for child roles.
Select Create Role to save the role in the Oracle Identity Analytics Identity Warehouse.
The role is displayed in the Identity Warehouse with the appropriate timestamp. Click Identity Warehouse > Roles to view the saved role.
The role can be renamed and its corresponding policy viewed and modified as required.
Note - Before changing policies (or the associated access attributes), consult with the business owner or role owner.
Select the role and click View Reports to view a role mining report for one or more roles. The role mining report details the attributes and values associated with the role across all resources and resource types.
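The cutoff percentage described under validating results, and the cutoff ruler in the Role Details Window, both come down to the share of role members that hold each entitlement. The following Python sketch is an added example, not Oracle Identity Analytics code; the user IDs, the entitlement strings, the inclusive comparison at the cutoff and the `gains` review list are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: entitlements held by each user in one mined role.
# User IDs and "resource:attribute=value" strings are hypothetical.
ROLE_MEMBERS = {
    "u1001": {"ERP:profile=AP_CLERK", "LDAP:group=finance", "ERP:profile=GL_POST"},
    "u1002": {"ERP:profile=AP_CLERK", "LDAP:group=finance"},
    "u1003": {"ERP:profile=AP_CLERK", "LDAP:group=finance", "DB:role=REPORT_RO"},
    "u1004": {"ERP:profile=AP_CLERK", "LDAP:group=finance", "DB:role=REPORT_RO"},
}


def split_by_cutoff(members, cutoff_pct):
    """Return (parent, child, gains) for a mined role.

    parent/child map entitlement -> (no. of users, % of users).
    gains maps each parent entitlement to the members who do not hold it today
    and would receive it if the parent role were assigned to every member.
    """
    if not members:
        raise ValueError("role has no members")
    if not 0 <= cutoff_pct <= 100:
        raise ValueError("cutoff must be between 0 and 100")
    counts = Counter(e for ents in members.values() for e in ents)
    total = len(members)
    parent, child, gains = {}, {}, {}
    for ent, n in sorted(counts.items()):
        pct = 100.0 * n / total
        # Assumption: an entitlement exactly at the cutoff goes to the parent,
        # so that a 100 percent cutoff keeps only entitlements held by everyone.
        if pct >= cutoff_pct:
            parent[ent] = (n, pct)
            missing = sorted(u for u, ents in members.items() if ent not in ents)
            if missing:
                gains[ent] = missing
        else:
            child[ent] = (n, pct)
    return parent, child, gains


if __name__ == "__main__":
    for cutoff in (100, 50):
        parent, child, gains = split_by_cutoff(ROLE_MEMBERS, cutoff)
        print(f"cutoff {cutoff}%: parent={sorted(parent)} child={sorted(child)}")
        for ent, users in gains.items():
            print(f"  review: {ent} would be new for {users}")
```

At a cutoff of 50, the constructed data places DB:role=REPORT_RO in the parent policy even though two of the four members do not hold it today; those are the assignments to confirm with the business owner or role owner before saving the role.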
Membership Window
The Membership Window displays the members of the selected roles.
Use this page to determine how well the Role Mining algorithm performed.
The Mining Statistics tab reports the following statistics that you can use to interpret role mining results:
Use this page to view the classification rules that were used to create the roles during the role mining process.
This page displays a pie chart that shows the percentage of users assigned to each role type as part of the role mining process. Use this page to enhance your understanding of the role mining effort.