Performing Role Mining

Role mining (role discovery) uses expectation maximization and cobweb clustering algorithms to discover relationships between users based on similar access permissions that can logically be grouped to form a role.

The role mining process consists of three steps:

1. Setting role mining attributes

2. Creating and running a role mining task

3. Analyzing role mining results and configuring and saving roles

Setting Role Mining Attributes

Before starting a role mining job, specify the applications and attributes that will return the best data mining results. To do this, set minable attribute settings. It is important to identify attributes that define access to a particular application/target system and set them as minable. Ensure that the appropriate applications and input data are accounted for. Do not add unimportant attributes because they will affect the accuracy of the role mining effort. Running role mining without any attributes set as minable will result in an error.

To Set Role Mining Attributes

Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click Resource Types.

The Resource Types configuration screen opens.
Select the resource type whose attributes are to be selected for role mining by clicking on the resource type in the Resource Types panel on the left.
Select attributes for mining by selecting the check box in the Minable column and clear attributes that are not useful.

Creating a Role Mining Task

The key to a good role engineering effort is to select the best set of representative users for a given role. For best results, select a group of users whose job responsibilities are the most similar. Oracle Identity Analytics then suggests roles based on the users' collective entitlements.

A good practice before running a role mining task is to preview the input data selected for the role mining exercise. Do this to ensure that all attributes are accounted for, and also that all attributes are correct. Check for any visible inconsistencies in the data.

To Create a Role Mining Task

Follow these steps to create and run a role mining task. You can also schedule the task to run at a later time, or simply save the task without running or scheduling it.

Log in to Oracle Identity Analytics.
Choose Role Management > Role Mining.
Click New Role Mining Task.
In the New Role Mining Task window, complete the Name and Description fields, then select a Selection Strategy for role mining:
- By Business Structures - Choose this option to perform role discovery on one or more users that you select by business unit.
- By Resource - Choose this option to perform role discovery on one or more resources.
- By Existing Role - Choose this option to perform role discovery using existing roles.
- All Users - Choose this option to base role mining on one or more users that you select from a list of all users.
Click Next.
Proceed as follows.

For help using the user interface controls during this step, see To Create a Role Mining Task later in this chapter.
- If your selection strategy is By Business Structures, select the business unit from the Business Structures panel on the left, then select users assigned to the business unit in the Available Users panel on the right. Selected users will display in the panel at the bottom of the screen.
- If your selection strategy is By Resource, select the resource from the Available Resource Types panel on the left, then select individual resources in the Available Resources panel on the right. Selected resources will display in the Number of Selected Resources panel at the bottom of the screen.
- If your selection strategy is By Existing Role, select the role from the available roles panel on the left, then select users assigned to the role in the available Users panel on the right. Selected users will display in the panel at the bottom of the screen.
- If your selection strategy is All Users, search for the users using the specific criterion. Selected users will display in the panel at the bottom of the screen.
Click Next.
Complete the Mining Criteria form by selecting parameters to refine the role mining task.

See Using the Role Mining Wizard Display Controls later in this chapter for help configuring the parameters on this page.
Click Preview to preview and analyze role mining input data.

The Role Engineering Data Preview window opens. See Using the Mining Criteria Page later in this chapter for help using this page.
Use the Role Engineering Data Preview window to review the columns on the Role Engineering Data Preview page.
1. Check the minable attributes that are accounted for in this run.
2. Verify that minable attributes are correct with respect to your set of representative users.
3. Verify that multi-valued attributes display correctly in separate columns.
  
  If not, specify that the attribute is multi-valued on the attributes configuration screen.
Click Close to return to the Mining Criteria page.
Do one of the following:
- Click Run Now to start the role mining task.
  
  See Using the Role Engineering Data Preview Page later in this chapter for more information.
- Click Run Later to schedule the task.
  
  See Using the Role Engineering Data Preview Page later in this chapter for help using the scheduler.
- Click Save & Exit to save the task without scheduling it.

Using the Role Mining Wizard Display Controls

This section describes how to use the display controls that are part of the role mining task creation wizard. See Creating a Role Mining Task for more information.

Select Page at the top of the panel to select all the users on the page, or select clear Page to deselect all the users on the page.
Select All to select all users across all pages, or select clear All to deselect all users.
Use the Display drop-down menu at the bottom of the panel to change the number of records that are displayed at once. You can choose to view 10, 20, 50, or 100 records at a time.
Click at the bottom of the page to filter large record sets. Type a few characters in the filter boxes, and Oracle Identity Analytics will display the matching records.

Using the Mining Criteria Page

This section describes the Mining Criteria page, which is part of the role mining task creation wizard. Role mining parameters give you more control over the role mining process. The following table describes parameters that you can set to tune the role mining process.

Role Mining Parameters	Find Number of Roles	The number of roles that the algorithm should find.
	Let the system find the best number of roles	The maximum number of clusterer iterations.


HR Attributes	Selected HR Attributes	A list of user attributes that can be incorporated into the search algorithm. Using these parameters, along with the logical grouping of users by job responsibility, gives the best results for a hybrid role mining effort.


Advanced Parameters	Ignore attributes with a frequency lower than - .	Attributes might not be relevant if the frequency they show is low and they might introduce noise. Processing them is costly and adds processing time.
	Data Resampling Percentage	The best threshold value is `300%`.
	Min. standard deviation	Used by the role mining algorithm to size the amount of user detail to capture. Use values between `-2`, `-1`, `0`, `1`, and `2`. Larger numbers (positive or negative) return more outliers.
	Single instance per user	Keep this selected to choose a single instance per user.
	Use Binary splits	The goal of splitting is to get more roles with greater differences. When role mining, the ideal subset is a group of users who do not share any attributes with users in any other group or role. Enabling Binary splits forces Oracle Identity Analytics to attempt to build a role classification model with greater differences.
	Confidence factor	A method to statistically analyze the users-to-role assignment data and estimate the amount of error inherent in it.
	Minimum users per role	Minimum number of users per role when building the classification rules. If the clusterer step has found a role with fewer users, the classification test can show incorrect results.
	Number of folds	Reduce error pruning is another mechanism to prune the tree (the classification model).
	Consider subtree raising	Another mechanism to simplify the classification model (smaller number of final roles).
	Unpruned	Generates a more complex decision tree (later decomposed into more rules)

Using the Role Engineering Data Preview Page

This section describes how to use the Role Engineering Data Preview page, which is part of the Role Mining task creation wizard. To open this page, follow the steps in Creating a Role Mining Task.

To view the data associated with individual resources or resource types, make a selection in the Resource Types panel.
To select the data associated with the entire user set, select Resource Types.
To filter users by GlobalUserId, use the Filter feature, or click Clear to cancel the filtering.
To save the role mining input data as a CSV file, click Export to CSV.

Running or Scheduling a Role Mining Task

Role mining tasks can run on demand, or you can schedule them to run at a later time. Oracle Identity Analytics provides a sophisticated scheduling mechanism that is easy to use. Tasks can be run multiple times and can be executed on demand or scheduled for a future time. Task results are timestamped and stored. This enables you to run a task and then review results later in order to configure and save roles. Unless they are explicitly deleted, all role mining tasks are permanently stored by Oracle Identity Analytics.

To Run or Schedule a Saved Role Mining Task

To run or schedule a saved task, follow these steps:

Log in to Oracle Identity Analytics.
Choose Role Management > Role Mining.

A table of Role Mining Tasks is displayed.
Do one of the following tasks:
- In the Action column, click Run to run a given task now.
- Click Schedule to open the schedule for a task.
  1. Select a Daily, Monthly, or One Time Only recurrence schedule.
  2. For Perform This Task, specify the Start Time, whether the task should run Every Day or only on Weekdays, and a Start Date.
  3. Click Schedule to schedule the task.
    
    The role mining task is scheduled to run at the intervals you selected.

Validating and Saving Role Mining Results

Role mining identifies users with nearly identical access entitlements and displays the entitlements and the resources associated with the entitlements on the role configuration screen. You can assign to the role all of the entitlements or a partial list based on a level of accepted risk.

If the need is to match users with exact entitlements only, then set a cutoff percentage of 100 percent. This value will only save entitlements where 100 percent of the users in that role have the same access entitlement. Selecting a percentage below 100 percent allows Oracle Identity Analytics to save entitlements above the set cutoff as a primary policy (or parent role), and those entitlements below the set cutoff as a secondary policy (or child role). You can decide later if you want to maintain the child role policy for a transitional period of time, or remove access altogether.

To Validate and Adjust Role Discovery Results

Log in to Oracle Identity Analytics.
Choose Role Management > Role Mining.

A table of Role Mining Tasks is displayed.
Find the role mining task that you want to validate.

To find a specific role mining task, do the following:
- Click the Display drop-down menu at the bottom of the panel to change the number of records that are displayed at once.
  
  You can choose to view 10, 20, 50, or 100 records at a time.
- Click "filter icon" at the bottom of the page to filter large record sets.
- Type a few characters in the filter boxes, and Oracle Identity Analytics will display the matching records.
Click View Results in the Action column.

The results display in a panel at the bottom of the page.
In the View Reports column, click View Reports for the task instance that you are validating.

The Role Mining Report page opens. This page displays membership and attribute details across all resources and resource types for all the roles created in the role mining effort.
- Note - To export the report to another format, click the Actions button.
Click the Back button.
In the panel at the bottom of the page, click View in the View Results column.

The Role Mining Results page opens. See the Using the Role Mining Results Page for information about this page.

Using the Role Mining Results Page

This section describes the Role Mining Results page. To open this page, see To Validate and Adjust Role Mining Results for instructions.

The Role Mining Results page has four tabs:

Roles tab - Click to view a role mining report for one or more roles, and to save roles from the mining effort.
Mining Statistics tab - Click to view the statistics used to validate the result of the role mining effort.
Classification Rules tab - Click to view the classification rules that were used to create the roles during the role mining process.
Users In Roles tab - Click to view a pie chart that shows the percentage of users assigned to each role type as part of the role mining process.

At the bottom of the page, click Discard to go back to Role Mining Option Details page.

Using the Roles Tab

Use this page to save roles created by the mining effort.

The Roles tab contains a Roles Found left panel that lists created roles, and a main panel that contains two tabs: Role Details and Membership.

Role Details Window

The following explains how you can use the Role Details Window:

Click a resource type, resource, attribute, or attribute value for more detail. A new window opens and shows users with and without entitlements.

To export the report as a PDF or CSV file, click the Actions button. Select a role from this list to view role details. Each role in the Roles Found panel can be expanded to view resource types, resources, and attributes associated with the role. Click on a resource type, resource, or attribute within a role to view role membership details.
The No. of Users column lists the number of role users that correlate to the attribute listed in the role.
The % of Users column indicates the percentage of users that have access to the selected attribute.
Slide the cutoff ruler to the desired accepted risk percentage. All attributes above the cutoff percentage will be set to a primary or parent role policy, and all those below the cutoff percentage will be set to a secondary policy for child roles.
Select Create Role to save the role in the Oracle Identity Analytics Identity Warehouse.

The role is displayed in the Identity Warehouse with the appropriate timestamp. Click Identity Warehouse > Roles to view the saved role.

The role can be renamed and its corresponding policy viewed and modified as required.

Note - Before changing policies (or the associated access attributes), consult with the business owner or role owner.
Select the role and click View Reports to view a role mining report for one or more roles. The role mining report details the attributes and values associated with the role across all resources and resource types.

Membership Window

The Membership Window displays the members of the selected roles.

Using the Mining Statistics Tab

Use this page to determine how well the Role Mining algorithm performed.

The Mining Statistics tab reports the following statistics that you can use to interpret role mining results:

% of users correctly / incorrectly assigned	This mining statistic tells what percentage of users has been assigned correctly and what percentage has not.
Kappa value	The higher the Kappa value, the stronger the agreement. Depending on the application, a Kappa value of less than 0.7 indicates that your measurement system needs improvement. Kappa values greater than 0.9 are considered excellent.
Kononenko & Bratko score and relative score	A score of the data mining algorithm. This value can be disregarded.

Using the Classification Rules Tab

Use this page to view the classification rules that were used to create the roles during the role mining process.

Rule #	This column lists the rules in ascending order.
Description	This column contains descriptions of the corresponding rules.
Confidence (%)	This column lists confidence scores as a percentage.
Role	This column lists roles.
Record Count	This column lists record count.

Using the Users in Roles Tab

This page displays a pie chart that shows the percentage of users assigned to each role type as part of the role mining process. Use this page to enhance your understanding of the role mining effort.

Skip Navigation Links
Exit Print View
	Oracle Identity Analytics Business Administrator's Guide 11g Release 1