5 Reviewing and Publishing Candidate Roles

Review and modify candidate roles, export the roles to files, publish the roles to Oracle Identity Governance, and view the details of published and imported roles.

5.1 Viewing Candidate Roles for Role Mining

To view candidate roles for role mining:
  1. In the Manage Tasks page, search for the role mining task that you submitted for running.
  2. If the task status shows that it has been completed, then click View Candidate Roles.

    The Results for role mining task page appears. In this page, the line at the top provides a summary of the role mining task run. It indicates the number of users and entitlements for which the task has been run, and how many candidate roles have been identified. For example:

    <TASK_NAME> executed and found 10 Candidate Roles covering for 105 Users and 57 Entitlements

    This page also shows information about the candidate roles in the following sections:

    • Candidate Roles Distribution Chart: Provides a distribution chart of the candidate roles, weighted by the number of entitlements and users picked up by each candidate role. A role that picks up a higher number of entitlements and users is represented by a larger box in the distribution chart.
    • Candidate Roles: Provides a list of the candidate roles with options to review, export, or discard the roles. The list of candidate roles is grouped by status. The options displayed for each row are based on the status of the candidate role. The options are Rule, Review Role, Export, Discard, Modify and Publish, and Undo Discard.
  3. Click the number of users in the results summary line. The Users tab of the Review Users and Entitlements for <TASK_NAME> page opens with a list of users for which the task has run.

    If you want to verify whether a particular user has been included in the task, then filter the user names to find the user. To do so:

    1. Enter the complete or partial user login name or user display name in the Search field, and press Enter.
    2. Optionally, click the Entitlements tab to review the entitlements included in the task. Otherwise, click the Go back icon at the top of the page to navigate back to the Results for role mining task page.
  4. Click the number of entitlements in the results summary line. The Entitlements tab of the Review Users and Entitlements for <TASK_NAME> page opens with a list of entitlements for which the task has run. The applications to which the entitlements are associated are listed on the right side of the list.

    If you want to verify whether a particular entitlement has been included in the task, then filter the entitlements to find the entitlement. To do so:

    1. With Entitlements selected by default, enter the complete or partial entitlement name in the search field, and press Enter.
    2. Alternatively, to filter by the applications, select Applications.
    3. Enter the complete or partial application name in the search field, and press Enter.
    4. Optionally, click the Users tab to review the users included in the task. Otherwise, click the Go back icon at the top of the page to navigate back to the Results for role mining task page.
  5. In the Candidate Roles Distribution Chart section, place your mouse pointer on the roles in the distribution chart. Details of the roles, with the number of users and entitlements, are displayed, for example, Entitlements 5, Users 11.
  6. In the Candidate Roles Distribution Chart, click a role. The candidate roles are listed in the Candidate Roles section, classified as follows:
    • Review started: The candidate roles that have been modified while reviewing. Modification can include setting names for the candidate roles, or configuring the attributes for role analytics. See Reviewing and Adjusting Candidate Roles for information about reviewing and adjusting candidate roles.
    • Review not started: The candidate roles that have not been modified as part of the review.
    • Published roles: The candidate roles that have been published to Oracle Identity Governance.
    • Discarded roles: The candidate roles that have been removed from the distribution chart and the list of candidate roles.
  7. In the Candidate Roles section, expand Review started if it is not already expanded.
  8. For each candidate role, you can click any one of the following:
    • Rule: Click to view the User Assignment Rule associated with the selected candidate role.
    • Continue Reviewing: Click to open the role analytics page and continue the review or modification of the candidate role. See Reviewing and Adjusting Candidate Roles for information about reviewing and adjusting candidate roles.
    • The Export icon: Click to export the role data in a CSV file, which you can open or save for future use. The file is named role.csv by default. You can change the file name and download the file.
    • Discard Role: Click to remove the candidate role. The role is displayed in the Discarded roles section, where you can export the role or bring it back to the candidate roles list by clicking Undo Discard.
  9. In the Candidate Roles section, expand Review not started if it is not already expanded.
  10. For each candidate role, the options to export the role to a CSV file and discard the role are the same as described in step 8. Click Review Role to open the Review and Adjust a Candidate Role page that lets you review and modify the candidate role before exporting and publishing. See Reviewing and Adjusting Candidate Roles for information about reviewing and adjusting candidate roles.
  11. In the Candidate Roles section, expand Published roles if it is not already expanded.
  12. For each candidate role, you can click any one of the following:
    • Modify and Publish: Click to open the Review and Adjust a Candidate Role page that lets you modify the candidate role and publish it again to Oracle Identity Governance.
    • The Export icon: Click to export the role data in a CSV file, which you can open or save for future use. The file is named role.csv by default. You can change the file name and download the file.
  13. In the Candidate Roles section, expand Discarded roles if it is not already expanded.
  14. For each candidate role, you can click any one of the following options:
    • The Export icon: Click to export the role data in a CSV file, which you can open or save for future use. The file is named role.csv by default. You can change the file name and download the file.
    • Undo Discard: Click to bring the candidate role back to the distribution chart and the list of candidate roles.

5.2 Reviewing and Adjusting Candidate Roles

To review and adjust candidate roles:
  1. In the Candidate Roles section of the Results for role mining task page, click Review Role or Continue Reviewing.
    The Review and adjust a Candidate Role page appears.
  2. To specify a name for the candidate role:
    1. Click Set Name adjacent to the Review and Adjust Candidate Role label.
    2. In the Candidate Role Name field, enter a name for the candidate role.
    3. Click Save.

    When you set the name of the candidate role or make any other modification, the candidate role moves to the Review started category, and the candidate role name is displayed in the Review started section of the Results for role mining task page.

    In addition, when you set the name of the candidate role, the title of the Review and adjust a Candidate Role page changes to the candidate role name you specified. If you want to change the candidate role name, then click Change Name, specify a new name, and click Save.

  3. The Entitlements horizontal bar shows the number of entitlements that are part of the candidate role out of the total number of entitlements included in the role mining task. To view the entitlements, click Show. The Entitlements tab of the Review Users and Entitlements for CANDIDATE_ROLE_NAME page appears with a list of the entitlements that are part of the candidate role. You can filter and review the entitlements. When finished, click the Go Back icon to navigate back to the Review and Adjust Candidate Role page.
  4. The Users horizontal bar shows the number of users that are part of the candidate role out of the total number of users included in the role mining task. To view the users, click Show. The Users tab of the Review Users and Entitlements for CANDIDATE_ROLE_NAME page appears with a list of the users that are part of the candidate role. You can filter and review the users. When finished, click the Go Back icon to navigate back to the Review and Adjust Candidate Role page.
  5. The Role Analytics section displays the percentage of the top three attributes in the candidate role based on the configuration. For example, Top Managers represents the top managers among the users that are part of the candidate role. If all users belong to one organization, then 100 percent is shown in the Top Organization. To configure the attributes for role analytics:
    1. Click the Configure Attributes for Analytics icon to the right in the Role Analytics section. The Configure Role Analytics Graph dialog box appears.
    2. Select one of the 3, 5, or 10 options to display the analytics for the Top values of the attributes you specify.
    3. Under Select user attributes to view analytics (Maximum 3 supported), select any three attributes for which you want to display the analytics.

      The analytics can be shown for a maximum of three attributes, and Oracle Identity Role Intelligence does not allow you to select more than three attributes.

    4. Click Apply. The role analytics is displayed for the attributes you selected.
  6. In the User Assignment Rule section, you can view the assignment rule associated with the candidate role. The criteria forming the rule are displayed. User attributes participating in the User Assignment Rule are sourced from the role mining job filter and from user attributes for which the userMembershipRule flag is enabled. Where enabled, user custom attributes are included as well. The number of users matching the rule in the candidate role, and the number matching the rule in the system, are displayed.

    In this section, you can select and deselect the attribute conditions that make up the rule and see the corresponding effect on the number of users in the target system. If enabled, this includes custom attributes. By default, the checkbox is deselected for attributes that have null values within the data. If you want to save the changes to the rule, click Apply and then Save. When you save your changes, all unselected user attributes are removed and the User Assignment Rule is updated with only the selected user attributes.

  7. In the Similar roles section, review the top three similar roles existing in the system. The similarity is determined by a minimum of 50 percent entitlement and user similarity. For example, if the entitlements and users that are part of a candidate role are 27 and 13 respectively, then roles with 14 entitlements and 7 users are considered similar.

    In OIRI, the data import job imports only those roles from OIG that are associated with an access policy in OIG. These imported roles in OIRI are only used to calculate the role similarity.

  8. Click the similar role name. The Role Similarity page appears with details of the similar role.
    Alternatively, you can click the See all similar roles that could be leveraged for this purpose link to open the Role Similarity page with the details of all the similar roles.
  9. In the Role Similarity page, expand the similar role name to display its details.
    The Entitlements horizontal bar shows the percentage of entitlements in the candidate role that are similar to the entitlements in the similar role. Similarly, the Users horizontal bar shows the percentage of users in the candidate role that are similar to the users in the similar role.
  10. Click the Entitlements tab, and then view the following types of entitlements:
    • Common Entitlements: Click to display the entitlements that are common to the candidate role and the similar role.
    • Entitlements in Candidate Role only: Click to display the entitlements that belong only to the candidate role.
    • Entitlements in SIMILAR_ROLE only: Click to display the entitlements that belong only to the similar role. Here, SIMILAR_ROLE is the placeholder for the name of the similar role.
  11. Click the Users tab, and then view the following types of users:
    • Common Users: Click to display the users that are common to the candidate role and the similar role.
    • Users in Candidate Role only: Click to display the users that belong only to the candidate role.
    • Users in SIMILAR_ROLE only: Click to display the users that belong only to the similar role. Here, SIMILAR_ROLE is the placeholder for the name of the similar role.
  12. Click the Go back icon to navigate back to the Review and Adjust Candidate Role page.
  13. In the Entitlement gaining users section, review the number of entitlements that are gaining users. For example, if this section shows 9 of 27 Entitlements are gaining users, then it means that 9 entitlements will be assigned to users who currently do not have these entitlements when the candidate role is published. In other words, if you publish this candidate role, then these 9 entitlements will be granted to users.

    Below this line, the Entitlement gaining users section also lists the entitlements gaining users, the application to which each one is associated, and the number of users that are gaining access to the entitlements.

  14. To view the users that are gaining access to an entitlement, click the number of new users in the Summary column. The Entitlement gaining users dialog box is displayed with a list of the users who will gain access to the entitlement. Click Close.
  15. Optionally, to remove entitlements from the candidate role:
    1. Select one or more entitlements, and click Exclude Selected Entitlements. The Selected Entitlements dialog box appears.
    2. Click Confirm Remove and Save. The selected entitlements are removed from the candidate role, and the Review Excluded Entitlements link is displayed in the Entitlement gaining users section.

      Alternatively, click Do not remove to retain the selected entitlements in the candidate role.

    3. If you want to bring the discarded entitlements back to the candidate role, then click Review Excluded Entitlements. In the Excluded Entitlements dialog box, click Recover for each entitlement you want to include in the candidate role, and then click Close.
  16. In the User gaining entitlements section, review the number of users that are gaining entitlements. For example, if this section shows 7 of 14 users are gaining entitlements, then it means that 7 users will get access to new entitlements when the candidate role is published.
    While reviewing the users, you can exclude and recover the users in a similar way as described in step 10.
  17. After completing the review and modification of the candidate role, click Looks Good! Publish the role at the top of the page. See Publishing Candidate Roles for information about publishing candidate roles to Oracle Identity Governance or offline publishing to a CSV file.
  18. Optionally, click Export at the top of the page to export the role data in a CSV file, which you can open or save for future use. The file is named role.csv by default. You can change the file name and download the file.
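
The gain counts reviewed in steps 13 and 16 and the 50 percent similarity rule in step 7 can be reproduced offline as a pre-publication check on what access a role would newly grant. The following is an added example, not Oracle code: the data is constructed, all function and role names are hypothetical, and treating similarity as overlap divided by the candidate role's own count is an assumption based on the example in step 7.

```python
# Added example (not Oracle code): pre-publication check for a mined role.
# All users, entitlements and role names below are constructed sample data.
from collections import defaultdict

SIMILARITY_THRESHOLD = 0.5  # the "minimum of 50 percent" from step 7


def gain_report(role_users, role_entitlements, current):
    """Map each entitlement to the role users who do not hold it today.

    current: user -> set of entitlements the user already has.
    """
    gaining = defaultdict(list)
    for user in sorted(role_users):
        for ent in sorted(role_entitlements - current.get(user, set())):
            gaining[ent].append(user)
    return dict(gaining)


def users_gaining(gaining):
    """Invert gain_report: user -> sorted entitlements newly granted."""
    per_user = defaultdict(list)
    for ent, users in gaining.items():
        for user in users:
            per_user[user].append(ent)
    return {user: sorted(ents) for user, ents in per_user.items()}


def overlap(candidate, existing):
    """Share of the candidate role's members also found in the existing role
    (assumed reading of 'similarity', not a documented OIRI formula)."""
    return len(candidate & existing) / len(candidate) if candidate else 0.0


def similar_roles(role_users, role_entitlements, existing_roles, top=3):
    """Existing roles meeting the threshold on BOTH entitlements and users."""
    hits = []
    for name, role in existing_roles.items():
        ent_sim = overlap(role_entitlements, role["entitlements"])
        user_sim = overlap(role_users, role["users"])
        if min(ent_sim, user_sim) >= SIMILARITY_THRESHOLD:
            hits.append((name, round(ent_sim, 2), round(user_sim, 2)))
    return sorted(hits, key=lambda h: (-(h[1] + h[2]), h[0]))[:top]


ROLE_USERS = {"alice", "bob", "carol", "dave"}
ROLE_ENTS = {"ERP:AP_Clerk", "ERP:GL_Read", "CRM:Viewer"}
CURRENT = {
    "alice": {"ERP:AP_Clerk", "ERP:GL_Read", "CRM:Viewer"},
    "bob": {"ERP:AP_Clerk", "ERP:GL_Read"},
    "carol": {"ERP:AP_Clerk", "CRM:Viewer"},
    "dave": {"ERP:AP_Clerk", "ERP:GL_Read", "CRM:Viewer", "HR:Admin"},
}
EXISTING_ROLES = {
    "Finance Clerk": {"users": {"alice", "bob", "erin"},
                      "entitlements": {"ERP:AP_Clerk", "ERP:GL_Read"}},
    "CRM Users": {"users": {"alice"}, "entitlements": {"CRM:Viewer"}},
}

if __name__ == "__main__":
    gains = gain_report(ROLE_USERS, ROLE_ENTS, CURRENT)
    print(f"{len(gains)} of {len(ROLE_ENTS)} entitlements are gaining users")
    for ent, users in sorted(gains.items()):
        print(f"  {ent}: {', '.join(users)}")
    per_user = users_gaining(gains)
    print(f"{len(per_user)} of {len(ROLE_USERS)} users are gaining entitlements")
    print("similar roles:", similar_roles(ROLE_USERS, ROLE_ENTS, EXISTING_ROLES))
```

Every entitlement that appears in the report is access that publishing would newly grant, so each one is a candidate for exclusion in step 15 if the grant is not intended.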

5.3 Publishing Candidate Roles

To publish a candidate role:
  1. In the Review and Adjust Candidate Role page, click Looks Good! Publish the role. The Publish Role dialog box appears.
  2. In the Candidate Role Name field, enter a name for the candidate role. This is a required field.

    If you have already set the name for the candidate role, then this section is not visible.

  3. Select the Publish Role without User assignment option to publish the candidate role only with entitlement assignment and exclude user assignment.

    If you do not select this option, then the candidate role will be published by default with user and entitlement assignment as defined in the candidate role.

  4. Select the Publish Role with User Assignment Rule option to publish the candidate role together with the user assignment rule. This publishes the rule as well as the role, meaning that users satisfying the criteria of the rule are assigned the role automatically. Where enabled, the rule contains custom attributes. By default, the rule is not published, so you must select this option if you want to publish the User Assignment Rule with the candidate role.
  5. Select the Offline to file option to publish the candidate role to a file.

    If you do not select this option, then the candidate role is published to Oracle Identity Governance by default.

  6. Click Confirm Publish. Depending on your selection to publish the role online or offline, the candidate role is published to Oracle Identity Governance or to a CSV file respectively.
  7. Click the Go Back icon to navigate to the Results for role mining task page, and scroll down to the Candidate Roles section. Verify that the newly published role is displayed under Published Roles.

5.4 Viewing Role Details

You can view the role details of the published roles and imported roles.

5.4.1 Viewing the Details of Published Roles

To view the details of the roles published to Oracle Identity Governance:
  1. On the Identity Role Intelligence home page, click the Application Navigation menu icon, and then click Published Roles. Alternatively, on the Explore all tasks and roles tile on the home page, click Published Roles.
    The Published Roles page is displayed with a cumulative list of roles that have been published offline and to Oracle Identity Governance.
  2. Search for the published role you want to review. To do so, enter the complete or partial role name in the Search field, and press Enter.
  3. Click the role you want to review. Alternatively, you can click the view role icon on the right.
    The Role Details page is displayed.
  4. Click the Rule icon if it is not already active.
    This section displays the details of the user assignment rule of the published role.
  5. Click the Info tab if it is not already active.
    This tab displays the role information, such as role name, description, and the number of users, applications, and entitlements in the role.
  6. Click the Users tab.
    The list of users in the role is displayed. You can search for particular users by using the Search field.
  7. Click the Applications tab.
    The list of applications in the role is displayed.
  8. Click the Entitlements tab.
    The list of entitlements in the role along with the associated applications is displayed. You can filter the entitlements by entitlement name or application name, and search for particular entitlements by using the Search field.

5.4.2 Viewing the Details of Imported Roles

To view the details of the roles imported from flat files:
  1. On the Identity Role Intelligence home page, click the Application Navigation menu icon, and then click Imported Roles. Alternatively, on the Explore all tasks and roles tile on the home page, click Imported Roles.
    The Imported Roles page is displayed with a list of roles that have been imported from OIG and flat files. The data import job imports only those roles from OIG that are associated with an access policy in OIG. The risk level associated with each role, such as low, medium, or high, is displayed on the right of the page.
  2. Search for the imported role you want to review. To do so, enter the complete or partial role name in the Search field, and press Enter.
  3. Click the role you want to review. Alternatively, you can click the View Role icon on the right.
    The Role Details page is displayed.
  4. Click the Info tab if it is not already active.

    This tab displays the role information, such as role name, display name, risk score, inherited from, and inherited to.

    The User Assignment Rule section provides information about the user assignment rule of that imported role.

  5. Click the Users tab.
    The list of users in the role is displayed. You can search for particular users by using the Search field.
  6. Click the Applications tab.
    The list of applications in the role is displayed.
  7. Click the Entitlements tab.
    The list of entitlements in the role along with the associated applications is displayed. You can filter the entitlements by entitlement name or application name, and search for particular entitlements by using the Search field.