4 Managing Role Mining Tasks

Use the Identity Role Intelligence user interface to create, modify, search, copy, and run role mining tasks.

4.1 Signing In to Identity Role Intelligence

To sign in to the Identity Role Intelligence user interface:
  1. Navigate to the following URL:

    http://HOST_NAME:PORT/oiri/ui/v1/console

    The OIRI account sign-in page appears.
  2. Enter the user name and password.
  3. Click Sign In.
    The Identity Role Intelligence home page appears.
You have successfully authenticated to the Identity Role Intelligence user interface.

4.2 Creating Role Mining Tasks

As the role engineer, you use role mining to discover relationships between users based on similar entitlements across various data sources. These relationships can be logically grouped to form candidate roles, which you can then publish to Oracle Identity Governance.

To create a role mining task:

  1. On the Identity Role Intelligence home page, in the Start something new tile, click Create a new Task.

    Alternatively, you can click the Application Navigation menu icon, click All Tasks, and then click New Task at the top right of the page.

    The New Task page appears, where you select the data for creating a new role mining task.
  2. In the Users tab, filter and select a group of users that you want to include in the role mining task. To do so:

    Note:

    The Users tab lists the users that have entitlements assigned to them. This tab does not list all the users in the OIRI database.

    1. Click a filter criterion in the left column, such as Organization. The organizations are shown hierarchically in the right column.

      The left column lists the filter criteria based on which you can select the users. For example, you can select the users based on organizations, managers, roles, job code, or country.

    2. Select one or more organizations or suborganizations that are listed on the right column. Alternatively, you can enter the organization name in the search field and press Enter, and then select the organization.

      Organization search is supported only for organizations that contain users with at least one entitlement membership. However, the organization hierarchy might contain parent organizations in which no users have an entitlement membership. Such parent organizations are not searchable.

      Note:

      If you select multiple rows and then click any other row, the earlier selection is deselected. You can press the Ctrl key and then select multiple organizations. This is also applicable to user and entitlement selections.

      The organizations are included in the Selected Criteria tile on the right side of the page. In other words, users belonging to the selected organizations have been included in the role mining task.

    3. Expand Search for Users from the selected data. All the users that belong to the selected organizations are listed. You can enter a user name or a search criterion, such as the first letter of the user name, in the search field and press Enter to verify whether the users you wanted to include in the task have been selected.
    4. Click the next filter criterion in the left column, and select the users based on that criterion. For example, select all users reporting to managers Gloria Osborne and Russell Peterson.

      The managers you selected have been included in the Selected criteria tile.

    5. If you want to specify advanced filter criteria for selecting the users, click Advanced on the left column. Then, expand one or more user attributes, and specify the criteria for selecting the users.

      The Advanced section shows Department Number, Employee Number, Employee Type, Territory, Email, and State default user attributes. In addition, if custom user attributes have been imported to OIRI database, then the custom user attributes are also displayed under the Advanced section. You can search the values of the custom attributes and include them in the selected criteria for the role mining task. See Importing Custom Attributes to OIRI Database for information about importing custom attributes to OIRI.

    6. Similarly, select all the users you want based on the filter criteria.
    7. In the Selected Criteria tile, verify that the correct filters and subfilters have been selected. Alternatively, if you want to exclude any criteria from selection, then click the cross icon to remove it.
  3. Click the Applications tab. The applications are listed in this tab based on the user selection on the Users tab.

    Note:

    The Applications tab lists the applications with associated entitlements assigned to users. It does not list applications in which users have accounts but no corresponding entitlements.

  4. Select one or more applications in the left column to include in the role mining task. The selected applications are included in the Selected Criteria tile.
  5. Click the Entitlements tab. The entitlements are listed in this tab based on the user and application selection on the Users and Applications tabs.

    Note:

    The Entitlements tab lists the entitlements that have been assigned to users. This tab does not list all the entitlements in the OIRI database.

  6. Select one or more entitlements in the left column to include in the role mining task. The selected entitlements are included in the Selected Criteria tile.
  7. After completing all selections, click any one of the following:
    • Save for later: Click to save the role mining task for later use. The Save Task dialog box appears. In the Name field, enter a name for the role mining task. This is a required field. In the Description field, enter a description for the role mining task. Then, click Save. A message is displayed stating that the role mining task has been saved successfully.
    • Mine Roles: Click to mine the roles based on the user, application, and entitlement selection in the role mining task. The Save Task and Mine Roles dialog box appears with the following options:

      Name: Enter a name for the role mining task. This is a required field.

      Description: Enter a description for the role mining task.

      Fine-tuning slider: Drag to minimize or maximize the number of candidate roles. Dragging the slider to the left minimizes the number of candidate roles; in other words, more users will get the permissions provided by the roles. Dragging the slider to the right maximizes the number of candidate roles; in other words, fewer misaligned entitlements and users are provided by the roles.

      Mine Roles: Click to run the role mining task and discover candidate roles. A message appears stating that a request for running the task has been submitted. Alternatively, click Cancel to close the Save Task and Mine Roles dialog box without mining roles.

4.3 Searching Role Mining Tasks

To search for role mining tasks:
  1. Navigate to the Manage Tasks page by performing any one of the following steps:
    • On the Identity Role Intelligence home page, click the Application Navigation menu icon on the top left of the page, and then click All Tasks.
    • On the Identity Role Intelligence home page, click any one of the following:
      • In-progress Tasks: Click to open the Manage Tasks page with a list of tasks that have been saved for later use.
      • Executed Tasks: Click to open the Manage Tasks page with a list of tasks that are in successful, failed, ready to run, or running states.
      • All Tasks: Click to open the Manage Tasks page with a list of all role mining tasks, both in-progress and executed.
  2. In the Name field, enter the complete or partial name of the role mining task that you want to search for. The tasks beginning with the string you entered are listed.
  3. From the Last updated list, select any one of the All, 1 Day, 7 Days, 1 Month, 6 Months options to specify the duration within which the task you want to search was created.
  4. Click the Status field, and then select or enter any one of the following status options:
    • Saved: Filters the role mining tasks that have been saved for later use.
    • Ready To Run: Filters the role mining tasks for which role mining jobs have not started. This is an intermediate status between Saved and Running.
    • Running: Filters the role mining tasks that are currently running.
    • Successful: Filters the role mining tasks that have run successfully to mine roles.
    • Failed: Filters the role mining tasks that have failed while running.
  5. From the filtered list of tasks, locate the task that you are looking for.

4.4 Modifying Role Mining Tasks

To modify a role mining task that you saved for later use:
  1. On the Identity Role Intelligence home page, in the Continue, something is in progress tile, click In-progress Tasks. The Manage Tasks page appears with a list of all the role mining tasks that have been saved for later use.

    Alternatively, you can click the Application Navigation menu icon, and then click All Tasks. The Manage Tasks page appears with a list of all role mining tasks, both in-progress and completed.

  2. Filter the saved tasks, and search for the saved task that you want to modify.
  3. Click the Edit icon on the right side of the saved task.
  4. In the Users, Applications, and Entitlements tabs, add or remove the selection criteria for users, applications, and entitlements respectively. See steps 2 through 6 in Creating Role Mining Tasks for information about specifying the selection criteria for users, applications, and entitlements.
  5. Click any one of the following:
    • Save for later: Click to save the role mining task for later use. Clicking this option displays a message that the task has been saved successfully, and the Manage Tasks page appears.
    • Mine roles: Click to mine the roles based on the user, application, and entitlement selection in the role mining task. The Save Task and Mine Roles dialog box appears with the following options:

      Name: Enter a name for the role mining task. This is a required field.

      Description: Enter a description for the role mining task.

      Fine-tuning slider: Drag to minimize or maximize the number of candidate roles. Dragging the slider to the left minimizes the number of candidate roles; in other words, more users will get the permissions provided by the roles. Dragging the slider to the right maximizes the number of candidate roles; in other words, more users will get new entitlements provided by the roles.

      Mine Roles: Click to run the role mining task and discover candidate roles. A message appears stating that a request for running the task has been submitted. Alternatively, click Cancel to close the Save Task and Mine Roles dialog box without mining roles.

4.5 Copying Role Mining Tasks

To copy a role mining task:
  1. On the Manage Tasks page, search for the task that you want to copy.
  2. Click the Copy icon to the right of the task row. The task is copied, and the data selection page for users, applications, and entitlements appears.
  3. In the Users, Applications, and Entitlements tabs, add or remove the selection criteria for users, applications, and entitlements respectively. See steps 2 through 6 in Creating Role Mining Tasks for information about specifying the selection criteria for users, applications, and entitlements.
  4. Click any one of the following:
    • Save for later: Click to save the role mining task for later use. When you click this option, the Save Task dialog box appears. In the Name field, enter a name for the role mining task. This is a required field. In the Description field, enter a description for the role mining task. Then, click OK. A message is displayed stating that the role mining task has been saved successfully.
    • Mine roles: Click to mine the roles based on the user, application, and entitlement selection in the role mining task. The Save Task and Mine Roles dialog box appears with the following options:

      Name: Enter a name for the role mining task. This is a required field.

      Description: Enter a description for the role mining task.

      Fine-tuning slider: Drag to minimize or maximize the number of candidate roles. Dragging the slider to the left minimizes the number of candidate roles; in other words, more users will get the permissions provided by the roles. Dragging the slider to the right maximizes the number of candidate roles; in other words, more users will get new entitlements provided by the roles.

      Mine Roles: Click to run the role mining task and discover candidate roles. A message appears stating that a request for running the task has been submitted. Alternatively, click Cancel to close the Save Task and Mine Roles dialog box without mining roles.

4.6 Mining Roles

To mine roles for candidate role discovery:
  1. Run the role mining task in any one of the following ways:
    • On the page for creating a role mining task, after selecting user, application, and entitlement criteria, click Mine Roles.
    • On the Manage Tasks page, search for the in-progress or executed task that you want to run, and then click Mine Roles.
    The Mine Role dialog box appears.
  2. Drag the Fine-tuning slider to minimize or maximize the number of candidate roles.
    Dragging the slider to the left minimizes the number of candidate roles; in other words, more users will get the permissions provided by the roles. Dragging the slider to the right maximizes the number of candidate roles; in other words, fewer users will get the permissions provided by the roles.
  3. Click Mine Roles. A message appears stating that a request for running the task has been submitted.
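
The trade-off behind the Fine-tuning slider can be seen on a small data set. The following is an added illustration, not Oracle's code and not the algorithm OIRI uses: it assumes a simple greedy grouping by Jaccard similarity, with a hypothetical `threshold` parameter standing in for the slider (a low value plays the part of dragging left, a high value of dragging right), and reports how many entitlements the candidate roles would grant beyond what users hold today.

```python
"""Toy role mining: greedy grouping of users by entitlement similarity.
Not OIRI's algorithm; `threshold` is a hypothetical stand-in for the slider."""

# Constructed sample data: user -> entitlements currently assigned.
ASSIGNMENTS = {
    "alice": {"erp.read", "erp.post", "crm.read"},
    "bob":   {"erp.read", "erp.post"},
    "carol": {"erp.read", "crm.read", "crm.edit"},
    "dave":  {"crm.read", "crm.edit"},
    "erin":  {"hr.read"},
}

def jaccard(a, b):
    """Similarity of two entitlement sets: shared items over all items."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def mine_roles(assignments, threshold):
    """A user joins the first candidate role whose entitlements are at least
    `threshold` similar to theirs; otherwise the user seeds a new role."""
    roles = []
    for user in sorted(assignments):
        ents = assignments[user]
        for role in roles:
            if jaccard(ents, role["entitlements"]) >= threshold:
                role["users"].append(user)
                role["entitlements"] |= ents  # the role grants the union
                break
        else:
            roles.append({"users": [user], "entitlements": set(ents)})
    return roles

def excess_grants(assignments, roles):
    """Count (user, entitlement) pairs a role grants that the user lacks today."""
    return sum(len(r["entitlements"] - assignments[u])
               for r in roles for u in r["users"])

def sweep(assignments, thresholds):
    """(threshold, candidate role count, excess grants) for each setting."""
    rows = []
    for t in thresholds:
        roles = mine_roles(assignments, t)
        rows.append((t, len(roles), excess_grants(assignments, roles)))
    return rows

if __name__ == "__main__":
    for t, n, extra in sweep(ASSIGNMENTS, [0.3, 0.6, 1.0]):
        print(f"threshold={t}: {n} candidate roles, {extra} new grants")
```

Fewer, broader candidate roles are easier to administer but hand users entitlements they did not previously hold, which is the number to review against least privilege before publishing a role.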

4.7 Managing Outdated Data

Data import into Oracle Identity Role Intelligence (OIRI) is an ongoing process in which entities stored in the OIRI schema may be added, modified, or removed over time. Custom attributes may also be added, modified, or removed at different stages in the process. Changes to entities or custom attributes may affect existing role mining tasks that were based on the data that has since changed. Management of outdated data allows the role mining administrator to determine whether a particular role mining outcome (task or candidate role) is based on outdated data by flagging this in the OIRI application.

Table 4-1 shows the use cases that can be associated with outdated data and how such situations are flagged in tasks and candidate roles.

Table 4-1 Managing Outdated Data Use Cases

Use case: Delete custom attribute

  Summary:
    1. Role administrator defines a custom attribute, 'Company Code'.
    2. Role administrator creates and runs a task which utilizes the 'Company Code' custom attribute.
    3. Role administrator deletes the 'Company Code' custom attribute.

  Outcome:
    • The task that uses the custom attribute will be marked as outdated.
    • A warning flag and message will be displayed with the affected task.
    • The attribute will be removed from:
      • View Task
      • Copy Task
      • Edit Task
    • If the outdated task is run, the role administrator will see an error message associated with the missing data.

    Note:

    The outdated data feature flags issues with the underlying data; it will not 'fix' the problem in the backend. Role administrators should take relevant action, such as running a new task, if outdated data is flagged.

Use case: Delete entity data
  • User
  • Entitlement
  • Assignment
  • Role
  • Role User Membership
  • Role Entitlement

  Summary:
    1. Role administrator creates a role mining task 'MyTask'.
    2. 'MyTask' is run multiple times and outputs candidate roles 'CR1', 'CR2'…'CR5'.
    3. A data load is run where entities that make up part of the criteria for 'MyTask' have been deleted from the source.

  Outcome:
    • All candidate roles 'CR1', 'CR2'…'CR5' will be marked as outdated.
    • A warning flag and message will be displayed with the affected candidate roles.
    • Deleted entities will not be displayed in the Candidate Roles detail screen.

    Note:

    User and Entitlement counts in Task, Candidate Roles, and Published Roles will remain the same, as analytics for the missing entities will not be regenerated.

Use case: Accept outdated task

  Summary:
    1. Task and its candidate roles have been marked as outdated.

  Outcome:
    • Role administrator can accept the change by clicking the Accept Outdated Data option and then selecting Accept in the dialog box. When confirmed, this will remove the outdated data flag from the task and its candidate roles.

Use case: Accept outdated candidate role

  Summary:
    1. Task and its candidate roles have been marked as outdated.

  Outcome:
    • Role administrator can accept the change by clicking the Accept Outdated Data option and then selecting Accept in the dialog box. When confirmed, this will remove the outdated data flag from the candidate role.