1 Overview of Oracle Identity Role Intelligence

Oracle Identity Role Intelligence is an intelligent, automated, and flexible way to optimize role-based access control (RBAC).

This chapter describes the capabilities of Oracle Identity Role Intelligence (OIRI) in the following sections.

1.1 About Oracle Identity Role Intelligence

Role-Based Access Control (RBAC) faces the following challenges:

  • Building roles manually is time-consuming, and entitlement data is complex and difficult for humans to analyze and interpret.

  • Entitlements accumulate over time, and user and application data change constantly.

  • Roles are difficult to maintain and to realign with business changes such as reorganizations, mergers, and acquisitions.

  • There is no tooling for what-if analysis before an organization adopts roles for its business units.

These challenges are addressed by the Oracle Identity Role Intelligence (OIRI) microservice, a containerized extension to Oracle Identity Governance (OIG). You can deploy the microservice on-premises or in the cloud; on-premises, it runs as containers on Kubernetes.

Note:

This document refers to Oracle Identity Role Intelligence as OIRI and Oracle Identity Governance as OIG.

The solution components of OIRI are:

  • Data ingress: Imports data into OIRI from the OIG database or from flat files, in full and incremental modes.

  • Data modelling: The data model lets you define role mining tasks based on a combination of user, application, and entitlement attributes.

  • Predictive analytics: OIRI uses the k-Means clustering algorithm of Oracle Database, an unsupervised Machine Learning (ML) method. The clustering model groups users by the entitlements they have in common and proposes the matching candidate roles.

  • Assistant: Compares candidate roles with the roles that already exist in the system, so that you publish only the candidate roles that are genuinely new and avoid duplicate roles and role explosion.

  • Data egress: Automates publishing of the candidate roles to Oracle Identity Governance and triggers the approval workflow.

OIRI Capabilities

The key capabilities of OIRI include:

  • Discovery of entitlement patterns across peer groups

  • Support for a top-down approach to role mining based on user attributes, a bottom-up approach that filters data by applications and entitlements, or a hybrid of the two

  • Comparison of candidate roles with existing roles to avoid role explosion

  • Ability to fine-tune candidate roles by adjusting user-role affinity and role-entitlement affinity

  • Automated publishing of roles to OIG, which triggers the workflow for role adoption

  • Ability to merge data from different sources, such as the OIG database and flat files, and to perform what-if analysis before moving candidate roles to production

Business Benefits

The business benefits of using OIRI are:

  • OIRI automates role discovery and provisioning, eliminating the error-prone manual process of creating roles.

  • It optimizes an existing RBAC model.

  • It provides what-if analysis, which is useful for mergers, acquisitions, and new application onboarding.

1.2 About Role Mining

The role mining process discovers relationships between users based on similar access permissions that can logically be grouped to form a role. Role engineers can specify the applications and attributes that will return the best mining results. Role mining is also called role discovery.

Role mining with OIG creates role mining tasks from data that the OIRI data import (data ingestion) service extracts from OIG. OIG data contains user, role, application, and entitlement information. A role mining task discovers the relationships between users and entitlements in the OIG data, filtered by user and application attribute values. These entitlements are then clustered into candidate roles. The role engineer can refine candidate roles by adjusting user-role affinity and role-entitlement affinity, and can perform in-depth analysis with OIRI role mining analytics. When satisfied, the role engineer publishes the candidate roles to OIG, where they are approved and adopted into the RBAC model.

Role mining with flat files creates a role mining task from flat files as the data source. This enables offline role mining and lets users discover roles outside of OIG without connecting to a live system. The task discovers roles based on the users, applications, and entitlements loaded from the flat files. Candidate roles can then be refined and published to OIG.

1.3 Optimizing RBAC Using Role Mining

Figure 1-1 depicts a scenario for optimizing RBAC from multiple systems by using the role mining capability of OIRI.

Figure 1-1 RBAC Optimization from Multiple Systems


Here, the steps in the role mining process are:

  1. Entity data is imported into the OIRI database from the OIG database or from flat files. Importing data into OIRI is referred to as data import or data ingestion.

  2. The role mining system filters the data by user, application, and entitlement attributes and runs the role mining task to discover candidate roles.

  3. OIRI provides analytics for the candidate roles and lets you review and adjust them, using role similarity data and comparison with existing roles.

  4. The candidate roles and their role memberships are published to OIG, which triggers the approval workflow.
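The following is an added, self-contained illustration of the role mining pass described in sections 1.2 and 1.3; it is example code written for this page, not OIRI's own implementation. OIRI clusters users with Oracle Database's k-Means algorithm; this example substitutes a deterministic greedy grouping on Jaccard similarity so that it runs offline with repeatable results. The sample users, their entitlements, the existing OIG roles, the thresholds, and all function names are constructed assumptions. The block shows the filters that implement the top-down (user attribute) and bottom-up (application) approaches, how role-entitlement affinity decides which entitlements enter a candidate role and user-role affinity measures how well each member fits it, and the comparison against existing roles that flags a candidate as a duplicate before it is published.

```python
"""Illustrative role-mining pass over constructed data (not OIRI's own code).

OIRI uses Oracle Database's k-Means clustering; a deterministic Jaccard-threshold
grouping stands in for it here so the example runs offline with stable results.
All users, entitlements, and existing roles below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample data: user attributes plus "application:entitlement" grants.
USERS = {
    "alice": {"dept": "Finance",     "ents": {"GL:view", "GL:post", "ERP:login"}},
    "bob":   {"dept": "Finance",     "ents": {"GL:view", "GL:post", "ERP:login"}},
    "carol": {"dept": "Finance",     "ents": {"GL:view", "GL:post", "ERP:login", "ERP:admin"}},
    "dave":  {"dept": "Engineering", "ents": {"Git:read", "Git:write", "CI:run"}},
    "erin":  {"dept": "Engineering", "ents": {"Git:read", "Git:write", "CI:run"}},
    "frank": {"dept": "Engineering", "ents": {"Git:read", "CI:run"}},
}

# Constructed stand-in for roles that already exist in OIG.
EXISTING_ROLES = {
    "Finance Analyst": {"GL:view", "ERP:login"},
    "Build Engineer":  {"Git:read", "Git:write", "CI:run"},
}


def jaccard(a, b):
    """Similarity of two entitlement sets: |a & b| / |a | b| (0.0 when both empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def filter_users(users, dept=None, application=None):
    """Top-down filter on a user attribute and/or bottom-up filter on an application.

    The application filter keeps only that application's entitlements, so the mining
    task looks at one system's access at a time. Users left with no entitlements drop out.
    """
    out = {}
    for name, rec in users.items():
        if dept is not None and rec["dept"] != dept:
            continue
        ents = rec["ents"]
        if application is not None:
            ents = {e for e in ents if e.split(":", 1)[0] == application}
        if ents:
            out[name] = ents
    return out


def cluster_users(ents_by_user, similarity=0.5):
    """Greedy single-pass grouping (stand-in for k-Means): a user joins the first
    cluster whose seed entitlement set is at least `similarity` Jaccard-similar,
    otherwise starts a new cluster. Users are visited in sorted order for determinism."""
    clusters = []  # list of (seed_entitlements, [member names])
    for name in sorted(ents_by_user):
        ents = ents_by_user[name]
        for seed, members in clusters:
            if jaccard(seed, ents) >= similarity:
                members.append(name)
                break
        else:
            clusters.append((ents, [name]))
    return [members for _, members in clusters]


def candidate_role(ents_by_user, members, role_ent_affinity=0.6):
    """Build a candidate role from one cluster.

    role-entitlement affinity: fraction of members holding an entitlement; only
    entitlements at or above `role_ent_affinity` become part of the role.
    user-role affinity: fraction of the role's entitlements a member already holds.
    """
    counts = defaultdict(int)
    for m in members:
        for e in ents_by_user[m]:
            counts[e] += 1
    ent_affinity = {e: n / len(members) for e, n in counts.items()}
    role_ents = {e for e, a in ent_affinity.items() if a >= role_ent_affinity}
    user_affinity = {
        m: (len(ents_by_user[m] & role_ents) / len(role_ents)) if role_ents else 0.0
        for m in members
    }
    return {"entitlements": role_ents, "ent_affinity": ent_affinity,
            "user_affinity": user_affinity, "members": list(members)}


def compare_with_existing(role_ents, existing=EXISTING_ROLES, duplicate_at=0.8):
    """Closest existing role by Jaccard similarity; flagged as a duplicate (do not
    publish) when the similarity reaches `duplicate_at`."""
    best_name, best_score = None, 0.0
    for name, ents in existing.items():
        score = jaccard(role_ents, ents)
        if score > best_score:
            best_name, best_score = name, score
    return {"closest": best_name, "similarity": round(best_score, 3),
            "duplicate": best_score >= duplicate_at}


def mine_roles(users=USERS, dept=None, application=None,
               similarity=0.5, role_ent_affinity=0.6):
    """Whole pass: filter -> cluster -> candidate roles -> compare with existing roles."""
    ents_by_user = filter_users(users, dept, application)
    results = []
    for members in cluster_users(ents_by_user, similarity):
        role = candidate_role(ents_by_user, members, role_ent_affinity)
        role["comparison"] = compare_with_existing(role["entitlements"])
        results.append(role)
    return results


if __name__ == "__main__":
    for r in mine_roles():
        print(sorted(r["members"]), sorted(r["entitlements"]), r["comparison"])
```

With the sample data, the Finance cluster yields a candidate {GL:view, GL:post, ERP:login} that only partly overlaps the existing "Finance Analyst" role, while the Engineering cluster reproduces "Build Engineer" exactly and is flagged as a duplicate. Raising `role_ent_affinity` to 0.7 drops Git:write (held by two of three members) from that candidate, which is the kind of affinity tuning the text refers to; the duplicate flag then clears and the candidate would go to OIG for approval as a distinct role.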