Identity Governance tracks key risk indicators so that you can monitor these risk factors in your environment and make improvements based on the collected metrics. In addition to the preset metrics, you can also create custom metrics based on your business needs. Additionally, you can also choose to include or exclude specific decision support information, and configure role mining settings.
To configure analytics and role mining settings:
Log in as a Global, Data, or Business Administrator.
NOTE:Business Administrator does not have the same access permissions as a Global or Data Administrator and can only configure Role Mining settings and collect Business Role Mining metrics.
Select Administration > Analytics and Role Mining Settings.
(Optional) Under Decision Support, specify if business role authorization status, similarity statistics in reviews and access requests, and login statistics for review item users and accounts are included in the guidance provided to reviewers, review owners, review administrators, and access approvers.
Deselect option Show business role authorization status either if business roles are not used or if the reviewer of user reviews or access request approver does not need guidance about whether the review or request item was authorized by business role.
Deselect option Show similarity statistics in reviews and access requests if the reviewer of user reviews or access request approver does not need guidance about how many users have similar permissions.
Deselect option Show login statistics for review item users and accounts if Last Login and Number of Logins attributes are not configured/collected/logged for the users and accounts.
(Optional) Under Similarity Profile, select additional attributes to use in the similarity profile so that Identity Governance can provide decision support.
HINT:Use wildcard * to search for attributes.
Under Role Mining:
Enter the Maximum number of results that should be returned when mining business roles using the directed role mining approach.
Specify which additional user Attributes should be used for both directed and visual business role mining. For more information about which attributes to select, see Understanding Role Mining Settings.
Select Save to save all the settings.
Under Metric Collection, select one or more items, and then specify Actions > Set collection interval to change the default setting of 24 hours between metrics collections or disable collection.
HINT:Click on an item name to view detailed information about the metric, including list of metric columns’ aliases and corresponding data types.
NOTE:In addition to the default metrics, you can create custom metric. For more information, see Creating Custom Metrics.
Enter Hours or Disable collection.
Click Save to set the new interval.
(Optional) Select one or more times and then select Actions > Collect metrics to initiate a metrics collection on demand.
HINT:Always collect metrics after a collection and publication to refresh charts on the Overview page.
(Optional) Select one or more items and then select Actions > Download to download metrics in CSV format.
(Optional) When a collection is running and you want to cancel it, select the item or items, and then select Cancel Collection.
Click Cancel Collection to confirm the cancellation.
Identity Governance uses attributes specified in Administration > Analytics and Role Mining Settings to provide business role recommendations. If the specifications do not meet certain conditions you may not see any recommendations.
When specifying attributes make sure that:
Specified attributes have values. User attributes with zero strength will not be displayed in the directed mining recommended attribute bar graph or visual attribute map.
In addition, in order for visual role mining to render recommendations make sure that:
At least two attributes are selected. For example, “Title” and “Department”.
Selected attributes share commonality. For example, Department A, B, and C have users with same titles like Administrative Assistant and Department Lead.
NOTE:After customizing attributes select Collect Metrics > Business Role Mining metrics to refresh data. For more information about role mining, see Understanding Business Role Mining.
In addition to default metrics, Identity Governance provides the ability to create SQL statement to query your operations database for additional statistics. The product also displays an * in front of the names of the custom metrics to distinguish them from other metrics. You can click the metric name to view the details of the metric.
After creating custom metrics, you can Collect Metrics, and Download metrics using the same procedures as for default metrics. In addition, you can also select Actions > Delete Custom to delete custom metrics.
To create a custom metric:
Log in as a Global, or Data Administrator.
Select Administration > Analytics and Role Mining Settings.
Next to Metrics Collection, select +.
Enter Name for the new metric.
Optionally, select an existing category or Add Custom category; and enter Description.
Select SQL Statement and enter a SQL select statement.
NOTE:Identity Governance automatically checks for statement errors and potential SQL injections to prevent invalid or malicious code. However, ensure that you have defined your query correctly, as once created and saved you cannot edit the custom metric. If needed, you will have to delete the custom metric, and then create a new one to change your definition.
Select Metrics Columns and then Add Column to specify an alias and type for each column selected in the SQL statement. For example, given the SQL statement: select count(id) as active from role_policy where state = 'ACTIVE', add a metric column active with a type of Long.
Select Save.
To understand how your entitlement assignments conform to your business polices, you can view the Role Leverage widget on the Overview page. It includes a graphical overview of effectiveness of your roles over a period of time, entitlements assignments using roles versus entitlements assigned directly, and ratio of indirect role-based entitlements versus total entitlement assignments in percentage. To change the default time range, select the calendar icon and select dates. To refresh the graphs, collect metrics for business role mining after publishing new business roles. Based on these metrics, you can then lower risk by using role mining to create more roles. For more information, see Defining Business Roles.
On the Overview page, you can see an account statistics summary for your environment. To see data, you must collect and publish data sources and then collect metrics on demand or wait the default metrics collection interval of 24 hours.
NOTE:To keep statistics up to date, collect metrics on demand after every publication.
Identity Governance displays available metrics on the summary panel followed by a chart for each metric per risk levels. To change the default settings:
Select the calendar icon to change the time range for account statistics.
Select the change option icon to show or hide risk level series.
To drill down to see many more specific charts relating to your accounts:
On Overview under Account Statistics, select View statistics details.
or
Select a data point on any chart to drill down to statistics details for that chart.
Select the calendar icon to change the date for the statistics.
Select a chart or table from the drop down menu to change to a different set of statistics. You can modify or delete these.
Drag and drop available metrics from header to columns or rows.
(Optional) To create a customized chart or table:
Start with a chart or table that contains the basic elements you want.
Select the type of table, such as heatmap or line chart.
Select the type of statistics, such as count or average.
(Optional) Select additional options, if needed. Some selections add more options to customize.
Customize the row and column headings.
Type a name for the customized view and select Save.