25.5 Defining Business Roles

To use business roles, you must create a business role and define a membership policy and an authorization policy for it based on your business needs. You can create a business role either manually or by using role mining analytics.

To define a business role:

  1. Log in to Identity Governance as a Business Role or Global Administrator.

  2. Under Policy, select Business Roles.

  3. Select the Mining tab if you want the system to recommend role candidates and, based on your selection, auto-create the membership expression and authorize the associated permissions, technical roles, and applications.

    NOTE: If you are confident about your data and want to define the membership expression manually, select + on the Business Roles page to create a new business role and then proceed to Step 12.

    If you are not sure where to start:

    • Select Visual Role Mining.

    • (Optional) Click the Settings gear icon to modify the maximum number of results to display for each recommended attribute, and the minimum number of members required for each role candidate.

    • Click an attribute node (circle) to select a role candidate.

      WARNING: You might not see any recommendations if Settings > Minimum potential members is set too high, or when the role mining settings under Administration > Analytics and Role Mining Settings do not meet the required conditions. For more information, see Configuring Analytics and Role Mining Settings.

    If you want to direct the mining by specifying user attributes:

    • Select Directed Role Mining.

    • Specify user attributes by entering user attribute names, or by clicking search and selecting attributes based on the strength of the recommendation.

    • Specify the minimum number of times the attribute value must occur across users, or the percentage of all users who must have the attribute value.

    • Specify additional coverage criteria.

      NOTE: The permission, technical role, and application coverage fields determine which authorizations are auto-populated in the business role candidate. For example, if permission coverage is 50%, then 50% of the members must hold a permission for it to be added as an authorization in the candidate. If it is 100%, then all members must hold the permission for it to be added.

    • Save the specified values to trigger the user catalog analysis.

    • (Optional) Click the Settings gear icon to adjust the settings, and save to refresh the candidate suggestions.

  4. Select one or more items from the Directed Role Mining > Mining Results list or Visual Role Mining > Role Candidates list.

  5. Click Create Candidates.

  6. Select either Create separate candidates for each criteria or Create a single business role candidate. If you choose the latter, enter a Name.

  7. (Optional) Select Create associated technical roles for common permissions to generate technical roles for users who hold the same permissions.

  8. (Optional) Select Group permissions added to technical roles by application to create application-specific technical roles.

  9. Click the Role tab and click the newly generated inactive role to view the role description.

  10. Click Edit.

    NOTE: Role candidates are created in the pending state and must be promoted before they can be approved or published.

  11. Select Yes to promote the role candidate.

  12. Specify the following information to create the business role:

    Name and Description

    Modify the auto-generated name to a unique name and edit the description for the business role.

    Grace period

    Specify a grace period. A grace period specifies the number of days a user is still considered to be a member of the role when it is detected that they no longer meet the membership policy requirements.

    Risk

    Specify the importance of the business role in terms of limited access and security.

    For example, you might want to review access to business roles with a high risk more often than business roles with a mild risk.

    Included Membership

    Optionally, specify roles whose membership criteria, users, and groups you want to include in the new business role. When combining the included roles, only the membership of published roles is included, and duplicates are eliminated. For example, you can include role A and role B in the membership of role C. Role C is then the union of role A and role B, along with any membership criteria specified for role C.

    NOTE: Exclusions defined on the including role take precedence over the inclusion of included business role members. For example, when role C includes A, and A has a member User1, but User1 is excluded by role C, the user is excluded.

    Membership expressions

    Membership expressions are criteria which specify a set of users that are considered members of the business role and are auto-generated when you mine for roles. Each expression can have an authorization period for when it is valid. Optionally, add one or more expressions to search for users.

    Include and Exclude Users and Groups

    Optionally, define specific users and groups that you want to include in the business role that might not match any membership expression. You can also specify users and groups to exclude from the business role who would otherwise match membership expressions. For example, you can have a membership expression that matches all managers in engineering, but you do not want John Smith or managers in the CTO group even if they match that criteria. You can also define a time period for when these inclusions or exclusions are valid.

    NOTE: Excluding a user or group takes precedence over including them. For example, suppose the Sales group is included and the Contractors group is excluded. A user who belongs to both of those groups would be excluded from the business role, because exclusion takes precedence over inclusion.

  13. Select the Authorizations tab, then define the following:

    Permissions

    Permissions may be preauthorized when you mine for roles or you may need to define them. Select permissions from the entire catalog or from a list of permissions held by the business role members. Specify whether the permission is mandatory or not. Specify whether the permission should be automatically granted and/or revoked, or manually fulfilled. If needed, click on the calendar control to set an authorization period for when these permissions are authorized for users in the business role.

    Technical Role

    Technical roles may be preauthorized when you mine for roles or you may need to define them. The technical role acts as a grouping for the permissions. If all of the appropriate permissions are included in a technical role, you can add the technical role instead of the individual permissions. If needed, select technical roles from the entire catalog or from a list of technical roles held by the business role members. Determine whether the technical role is mandatory or not. Specify whether the technical role authorization should be automatically granted and/or revoked, or manually fulfilled. If needed, click on the calendar control to set an authorization period for when the permissions in the technical role are valid for the business role.

    Applications

    Applications may be preauthorized when you mine for roles, or you may need to define them. If needed, define which applications the members of the business role are authorized to hold. This means accounts can be created for the members of the business role in the listed applications. Select applications from the entire catalog or from a list of applications held by the business role members. Specify whether the application authorization should be automatically granted and/or revoked, or manually fulfilled. If needed, click the calendar control to set an authorization period for when the members of the business role have access to the application.

    NOTE: Auto-grant and auto-revoke requests are fulfilled automatically only if automatic fulfillment has been enabled on the Owners and Administration tab and fulfillment targets have been configured. For information about automatic fulfillment, see Automatically Fulfilling the Changeset.

    For more information about authorizing permissions, technical roles, and applications, see Adding Authorizations to a Business Role.

  14. Select the Owners and Administration tab to assign the following:

    • Role owner

    • Role manager

    • Fulfiller

    • Categories

    • Approval Policy

    • Automatic Fulfillment

    • Auto revoke period

    Identity Governance makes default assignments for the owner, fulfiller, and assigns a default approval policy to the business role if you do not make selections on this tab.

    Select whether you want this role to be automatically fulfilled. When selected, Identity Governance automatically sends fulfillment requests to provision and revoke mandatory resources for users.

    Set the number of days to wait after a user loses authorization for a resource before revoking the access.

  15. (Optional) On the Membership tab, select View Membership to view the list of business role members.

    NOTE: During migration or upgrades, you must always run publication to refresh the list of business role members. For more information about publishing data sources, see Section 18.0, Publishing the Collected Data.

  16. Under What-if Scenarios, select Estimate Publish Impact to view the types of changes that publishing would make, and Analyze SoD Violations to view SoD violation information.

  17. (Conditional) If there are any issues, resolve the SoD violations or edit the business role definition. For more information about SoD violations, see Approving and Resolving an SoD Violation.

  18. Select Save to save your modifications to the mined business role definition.

    NOTE: When editing an existing business role, the Owners and Administration tab has a separate Save button, which allows you to change these items independently of the other items pertaining to the business role.
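The membership rules in Step 12 (union of published included roles, explicit user and group inclusions, and exclusions taking precedence over every inclusion) and the permission coverage rule from Step 3 are easy to misjudge when reviewing a role definition. The following model, added here as an illustration and not code from Identity Governance itself, resolves a constructed role C that includes roles A and B and then applies a 50% and a 100% permission coverage threshold; all user, group, role and permission names are made up.

```python
from dataclasses import dataclass, field

@dataclass
class BusinessRole:
    """Constructed model of the fields on the business role definition page."""
    name: str
    published: bool = True
    expressions: list = field(default_factory=list)     # membership expressions (predicates)
    included_roles: list = field(default_factory=list)  # Included Membership
    include_users: set = field(default_factory=set)
    include_groups: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)

def members(role, users):
    """Effective membership: expression matches, included users/groups and the union
    of *published* included roles; an exclusion on this role wins over every
    inclusion, including members inherited from included roles."""
    result = set(role.include_users)
    for uid, attrs in users.items():
        if any(expr(attrs) for expr in role.expressions) or attrs["groups"] & role.include_groups:
            result.add(uid)
    for inc in role.included_roles:
        if inc.published:            # unpublished included roles contribute nothing
            result |= members(inc, users)
    excluded = {uid for uid in result if uid in role.exclude_users
                or users.get(uid, {}).get("groups", set()) & role.exclude_groups}
    return result - excluded

def mined_authorizations(member_ids, held, coverage_pct):
    """Permission coverage rule: auto-populate a permission as an authorization
    only if at least coverage_pct percent of the members hold it."""
    counts = {}
    for uid in member_ids:
        for perm in held.get(uid, set()):
            counts[perm] = counts.get(perm, 0) + 1
    return {p for p, n in counts.items() if 100 * n / len(member_ids) >= coverage_pct}

# Constructed sample identities, group memberships and held permissions.
USERS = {
    "alice": {"dept": "engineering", "title": "manager", "groups": {"sales"}},
    "bob":   {"dept": "engineering", "title": "manager", "groups": {"cto"}},
    "carol": {"dept": "finance", "title": "analyst", "groups": {"sales", "contractors"}},
    "dave":  {"dept": "finance", "title": "analyst", "groups": set()},
    "erin":  {"dept": "hr", "title": "specialist", "groups": set()},
}
HELD = {"alice": {"git", "vpn"}, "dave": {"vpn", "erp"}}
ROLE_A = BusinessRole("A", expressions=[lambda u: u["dept"] == "finance"])
ROLE_B = BusinessRole("B", published=False, include_users={"erin"})   # not published
ROLE_C = BusinessRole("C", expressions=[lambda u: u["dept"] == "engineering" and u["title"] == "manager"],
                      included_roles=[ROLE_A, ROLE_B], include_groups={"sales"},
                      exclude_users={"bob"}, exclude_groups={"contractors"})
```

Role C resolves to alice and dave: bob is excluded by name, carol is dropped despite matching the included Sales group and role A because Contractors is excluded, and erin never enters because role B is unpublished.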

After you have created the business role and assigned owners and administrators, the business role is ready for approval or it is ready to be published depending on your approval policy. The approval policy allows you to have people review the business role and approve or request changes to the business role. For more information, see Adding a Business Role Approval Policy.

To have the business role used in reviews or used in the catalog to detect users that meet the business role criteria, you must publish the business role. For more information, see Publishing or Deactivating Business Roles.