25.3 Understanding Business Role Mining

Identity Governance uses advanced analytics to mine business data and identify role candidates. This process of discovering and analyzing business data in order to group multiple users and access rights under one business or technical role candidate is called Role Mining or Role Discovery. Global or Business Role administrators can use role mining to reduce complexity in defining roles, and easily select role candidates with authorized users, permissions, technical roles, and applications to create business roles as well as technical roles with common permissions. Identity Governance uses two approaches to business role mining to identify business role candidates.

  • Directed Role Mining enables administrators to direct the mining based on user attributes they specify. If administrators are not sure which attribute to select, they can search for recommended attributes and select an attribute from the recommended bar graph, which displays the strength of attributes that have data. Directed role mining also enables them to specify minimum membership and coverage percentage to identify role candidates. For example, when an administrator selects “Department” as the attribute to group candidates by, the mining results display a list of items, each consisting of a department name with its associated users, permissions, roles, and applications as role candidates.

  • Visual Role Mining enables administrators to select role candidates from a visual representation of the user attributes. The attribute circle’s width displays the recommendation strength, and the width and darkness of the lines indicate the affinity of the attribute to other user attributes. Administrators can customize the mining results by modifying the default maximum number of results, minimum potential members, and number of automatic recommendations.

NOTE: Role recommendations are dependent on your data and role mining settings. To optimize search results, administrators can modify default role mining settings in Administration > Analytics and Role Mining Settings. For more information, see Configuring Analytics and Role Mining Settings.
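The sketch below illustrates the idea behind directed role mining by "Department" with a minimum membership and a coverage percentage. It is an added example, not Identity Governance code or its actual algorithm. The function name, the sample users and permissions, and the definition of coverage as the percentage of a group's members holding a permission are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: (user, Department attribute value, permissions held).
USERS = [
    ("alice", "Finance", {"erp:read", "erp:post-journal", "vpn"}),
    ("bob",   "Finance", {"erp:read", "erp:post-journal", "vpn"}),
    ("carol", "Finance", {"erp:read", "vpn", "erp:admin"}),
    ("dave",  "Finance", {"erp:read", "erp:post-journal"}),
    ("erin",  "IT",      {"vpn", "ad:reset-password"}),
    ("frank", "IT",      {"vpn", "ad:reset-password", "erp:admin"}),
    ("grace", "Legal",   {"dms:read"}),
]

def mine_directed(users, min_members=2, min_coverage=75.0):
    """Propose one role candidate per attribute value (hypothetical helper).

    Assumption: a permission's coverage is the percentage of the group's
    members that hold it. Permissions below the threshold are reported as
    outliers so a reviewer can see what was left out of the candidate.
    """
    groups = defaultdict(list)
    for name, attr_value, perms in users:
        groups[attr_value].append((name, perms))

    candidates = {}
    for attr_value, members in sorted(groups.items()):
        if len(members) < min_members:
            continue  # group too small to justify a role candidate
        counts = Counter(p for _, perms in members for p in perms)
        coverage = {p: 100.0 * n / len(members) for p, n in counts.items()}
        candidates[attr_value] = {
            "members": sorted(name for name, _ in members),
            "permissions": sorted(p for p, c in coverage.items() if c >= min_coverage),
            "outliers": sorted(p for p, c in coverage.items() if c < min_coverage),
        }
    return candidates

if __name__ == "__main__":
    for dept, cand in mine_directed(USERS).items():
        print(dept, cand)
```

Lowering the coverage threshold pulls rarely held permissions such as the constructed `erp:admin` into the candidate, which is why the outlier list is worth reviewing before a candidate is promoted.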

After previewing users and their associated permissions, technical roles, and applications, administrators can select one or more items from the list to either create role candidates for each selected item in the list or a single candidate for all of them. Additionally, common permissions can be grouped under a technical role, and a technical role candidate can be generated for each application.

NOTE: Mined business or technical roles are created in a candidate state. Administrators can edit and save role candidates, but candidates must be promoted before they can be approved or published as a role. Administrators can also select multiple role candidates and submit them for approval, publish them, or delete them using the Actions options.