14.3 Defining Business Roles

In order to use business roles, you must create a business role and define a membership policy and an authorization policy for the business role based on your business needs. You can create a business role manually, or you can use role mining analytics to generate role candidates from your collected data.

To define a business role:

  1. Log in to Identity Governance as a Business Role or Global Administrator.

  2. Under Policy, select Business Roles.

  3. Select the Mining tab if you want the system to recommend role candidates. Based on the candidate you select, Identity Governance auto-creates the membership expression and authorizes the associated permissions, technical roles, and applications.

    NOTE: If you are confident about your data and want to define the membership expression manually, select + on the Business Roles page to create a new business role, then proceed to Step 12.

    If you are not sure where to start:

    • Select Visual Role Mining.

    • (Optional) Click the gear icon to modify the maximum number of results to display for recommended attributes, and the minimum number of members required for each role candidate.

    • Click an attribute node (circle) to select a role candidate.

      WARNING: You might not see any recommendations if Settings > Minimum potential members is set too high, or if the role mining settings under Configuration > Analytics and Role Mining Settings do not meet the required conditions. For more information, see Configuring Analytics and Role Mining Settings.

    If you want to direct the mining by specifying user attributes:

    • Select Directed Role Mining.

    • Specify the user attributes by entering the attribute names, or by searching for attributes and selecting them based on the strength of the recommendation.

    • Specify the minimum number of times the attribute value must occur across users, or the percentage of all users who must have the attribute value.

    • Specify additional coverage criteria.

      NOTE: Identity Governance uses the permission, technical role, and application coverage fields to determine which authorizations are auto-populated in the business role candidate. For example, if permission coverage is 50%, then at least 50% of the candidate's members must hold a permission for Identity Governance to add it as an authorization in the candidate. If it is 100%, then every member must hold the permission for Identity Governance to add it as an authorization.

    • Save the specified values to trigger the user catalog analysis.

    • (Optional) Click the gear icon to adjust the settings, and save the settings to refresh the candidate suggestions.

  4. Select one or more items from the Directed Role Mining > Mining Results list or Visual Role Mining > Role Candidates list.

  5. Click Create Candidates.

  6. Select Create separate candidates for each criterion or Create a single business role candidate. If you choose the latter, specify a name for the business role.

  7. (Optional) Select Create associated technical roles for common permissions to generate technical roles that group the permissions the candidate's members hold in common.

  8. (Optional) Select Group permissions added to technical roles by application to create application-specific technical roles.

  9. On the Role tab, click the newly generated inactive role to view the role description.

  10. Click Edit.

    NOTE: Identity Governance creates the role candidate in a pending state, and an administrator must promote it before anyone can approve the role candidate or publish it as a role. Ensure that the membership criteria and authorizations are what you intend before publishing.

  11. Select Yes to promote the role candidate.

  12. Specify the following information to create the business role:

    Name and Description

    Modify the auto-generated name to a unique name and edit the description for the business role.

    Grace period

    Specify a grace period. The grace period is the number of days that Identity Governance continues to treat a user as a member of the role after it detects that the user no longer meets the membership policy requirements.

    Risk

    Specify the risk level of the business role, reflecting how sensitive the access it authorizes is.

    For example, you might want to review access to high-risk business roles more often than low-risk business roles.

    Included Membership

    Optionally, specify roles whose membership criteria, users, and groups you want to include in the new business role. When combining included roles, Identity Governance uses only the membership of published roles and eliminates duplicates. For example, you can include role A and role B in the membership of role C. Role C then becomes the union of role A and role B, along with any membership criteria specified for role C itself.

    NOTE: Exclusions defined on the including role take precedence over members inherited from an included business role. For example, when role C includes role A, role A has a member User1, and role C excludes User1, Identity Governance excludes User1 from role C.

    Membership expressions

    Membership expressions are criteria that specify the set of users that are considered members of the business role. Identity Governance converts your specified criteria into SQL SELECT statements to find the users that match the criteria. When you use the role mining feature, Identity Governance recommends role candidates based on your data and auto-generates the membership expressions when you create a role candidate. Because these are ordinary SQL queries, standard query optimization principles apply, such as creating indexes on the attributes you query. If a specific SELECT statement does not perform as expected, contact your database administrator.

    Include and Exclude Users and Groups

    Optionally, define specific users and groups that you want to include in the business role even though they might not match any membership expression. You can also specify users and groups to exclude from the business role who would otherwise match a membership expression. For example, you can have a membership expression that matches all managers in engineering, but you do not want John Smith or the managers in the CTO group to be members even if they match those criteria. You can also define a time period during which these inclusions or exclusions are valid.

    NOTE: Excluding a user or group takes precedence over including them. For example, suppose you include the Sales group and exclude the Contractors group. Identity Governance then excludes a user who belongs to both groups, because exclusion takes precedence over inclusion.

  13. Select the Authorizations tab, then define the following:

    Permissions

    Identity Governance might preauthorize permissions when you mine for roles, or you might need to define them yourself. Select permissions from the entire catalog or from the list of permissions held by the business role members. Specify whether each permission is mandatory, and whether Identity Governance should automatically grant or revoke it. If needed, select the calendar control to set an authorization period during which Identity Governance authorizes these permissions for users in the business role.

    If an authorized permission comes from an Identity Manager application and is an Identity Manager role (a parent) that contains other Identity Manager roles and Identity Manager resources (children), you can also authorize the contained permissions (by default, contained permissions are not authorized). You can view the hierarchy of contained permissions by clicking Show.

    NOTE: If you specify auto-grant or auto-revoke on this kind of permission, the selected option does not apply to any of the contained permissions. This is because when a permission that is an Identity Manager role containing other Identity Manager roles and resources is granted or revoked, the Identity Manager system itself automatically grants or revokes the contained roles and resources.

    Technical Role

    Identity Governance might preauthorize technical roles when you mine for roles, or you might need to define them yourself. A technical role acts as a grouping for permissions. If all of the appropriate permissions are included in a technical role, you can add the technical role instead of the individual permissions. If needed, select technical roles from the entire catalog or from the list of technical roles held by the business role members. Specify whether the technical role is mandatory, and whether Identity Governance should automatically grant or revoke the technical role authorization. If needed, select the calendar control to set an authorization period during which the permissions in the technical role are valid for the business role.

    Permissions contained in a technical role might come from an Identity Manager application and might be Identity Manager roles that contain other Identity Manager roles and Identity Manager resources. For this reason, technical roles have two options for authorizing contained permissions. You can authorize only the permissions that are explicitly specified in the technical role, or you can authorize those permissions and any permissions that they in turn contain. The second option applies only to permissions that are Identity Manager roles containing other Identity Manager roles or resources. You can view the hierarchy of all contained permissions that Identity Governance authorizes by clicking Show.

    NOTE: If you specify auto-grant or auto-revoke on a technical role, the selected option applies only to the permissions explicitly specified in the technical role. It does not apply to any permissions that those permissions contain.

    Applications

    Identity Governance might preauthorize applications when you mine for roles, or you might need to define them yourself. If needed, define which applications the members of the business role are authorized to hold. This means Identity Governance can create accounts for the members of the business role in the listed applications. Select applications from the entire catalog or from the list of applications held by the business role members. Specify whether Identity Governance should automatically grant or revoke the application authorization. If needed, select the calendar control to set an authorization period during which the members of the business role have access to the application.

    NOTE: An application must have an account collector before you can specify automatic grant or revoke for it.

    For more information about authorizing permissions, technical roles, and applications, see Section 14.5, Adding Authorizations to a Business Role.

  14. Select the Owners and Administration tab to assign the following:

    • Role owner

    • Role manager

    • Fulfiller

    • Categories

    • Approval Policy

    If you do not make selections on this tab, Identity Governance assigns a default owner and fulfiller, and assigns a default approval policy to the business role.

  15. (Optional) On the Membership tab, select View Membership to view the list of business role members.

    NOTE: During migration or upgrades, you must always run publication to refresh the list of business role members. For more information about publishing data sources, see Section 6.0, Publishing the Collected Data.

  16. Under What-if Scenarios, select Estimate Publish Impact to view the types of changes that publishing the role would make, and select Analyze SoD Violations to view the SoD violations the role would introduce.

  17. (Conditional) Resolve any SoD violations, or edit the business role definition to resolve the reported issues. For more information about SoD violations, see Approving and Resolving an SoD Violation.

  18. Select Save to save your modifications to the business role definition.

    NOTE: When editing an existing business role, the Owners and Administration tab has a separate Save button, which lets you change those items independently of the other items in the business role definition.
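The following Python model is an added illustration and is not code from Identity Governance or from this documentation. It reproduces two rules stated in the procedure above: the permission coverage threshold that directed role mining applies when auto-populating a candidate's authorizations (Step 3), and the membership precedence rules from Step 12 (only published included roles contribute members; explicit excludes override every form of inclusion; includes and excludes can be time-bound; a lapsed member survives for the grace period). The user catalog, role names, permission ids and dates are constructed sample data, a Python predicate stands in for the SQL SELECT statement the product generates, and the choice to apply exclusion after the grace window is an assumption of this model, not a documented product behavior.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample user catalog (not from the product or the page).
USERS = {
    "alice": {"dept": "engineering", "title": "manager", "groups": {"Sales"},
              "perms": {"git:write", "vpn"}},
    "bob":   {"dept": "engineering", "title": "manager", "groups": {"Sales", "Contractors"},
              "perms": {"git:write", "vpn", "prod:ssh"}},
    "carol": {"dept": "engineering", "title": "engineer", "groups": set(),
              "perms": {"git:write"}},
    "dave":  {"dept": "finance", "title": "analyst", "groups": {"Sales"},
              "perms": {"erp:read"}},
}
TODAY = date(2024, 6, 1)  # fixed "today" so the example is deterministic

def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)

# An include/exclude entry is either always valid (None) or valid in [start, end].
Window = Optional[Tuple[Optional[date], Optional[date]]]

def _active(window: Window, today: date) -> bool:
    """True if the include/exclude entry applies on `today` (None = open end)."""
    if window is None:
        return True
    start, end = window
    return (start is None or start <= today) and (end is None or today <= end)

def mine_authorizations(members: Set[str], coverage: float) -> List[str]:
    """Permission coverage rule from directed role mining: a permission is
    auto-authorized in the candidate only when at least `coverage` (0.0-1.0)
    of the candidate's members hold it. 1.0 means every member must hold it."""
    if not members:
        return []
    counts: Dict[str, int] = {}
    for uid in members:
        for perm in USERS[uid]["perms"]:
            counts[perm] = counts.get(perm, 0) + 1
    return sorted(p for p, n in counts.items() if n / len(members) >= coverage)

@dataclass
class BusinessRole:
    name: str
    # Python predicate standing in for the SQL SELECT the product generates (assumption).
    expression: Callable[[dict], bool] = lambda user: False
    published: bool = False
    grace_days: int = 0
    included_roles: List["BusinessRole"] = field(default_factory=list)
    include_users: Dict[str, Window] = field(default_factory=dict)
    exclude_users: Dict[str, Window] = field(default_factory=dict)
    include_groups: Dict[str, Window] = field(default_factory=dict)
    exclude_groups: Dict[str, Window] = field(default_factory=dict)

    def _in_groups(self, uid: str, groups: Dict[str, Window], today: date) -> bool:
        return any(g in USERS[uid]["groups"] and _active(w, today) for g, w in groups.items())

    def meets_policy(self, uid: str, today: date) -> bool:
        """Inclusion side only: expression match, membership of an included
        *published* role, or an explicit user/group include that is valid today."""
        if self.expression(USERS[uid]):
            return True
        if any(r.published and uid in r.members(today) for r in self.included_roles):
            return True
        if uid in self.include_users and _active(self.include_users[uid], today):
            return True
        return self._in_groups(uid, self.include_groups, today)

    def is_excluded(self, uid: str, today: date) -> bool:
        if uid in self.exclude_users and _active(self.exclude_users[uid], today):
            return True
        return self._in_groups(uid, self.exclude_groups, today)

    def members(self, today: date, last_met: Optional[Dict[str, date]] = None) -> Set[str]:
        """Resolve the member set. `last_met` maps a user to the date the user
        last met the policy; a lapsed user stays a member for `grace_days`."""
        result = set()
        for uid in USERS:
            met = self.meets_policy(uid, today)
            if not met and last_met and uid in last_met:
                met = (today - last_met[uid]).days <= self.grace_days
            # Exclusion is applied last so it wins over every kind of inclusion,
            # including members inherited from included roles and (an assumption
            # of this model) users who are only still present because of grace.
            if met and not self.is_excluded(uid, today):
                result.add(uid)
        return result

# Role A is published; role B is not, so role C must ignore B's members.
ROLE_A = BusinessRole("Engineering Managers", published=True,
                      expression=lambda u: u["dept"] == "engineering" and u["title"] == "manager")
ROLE_B = BusinessRole("Finance", expression=lambda u: u["dept"] == "finance")
# Role C: union of A (and B, once published) plus carol, minus the Contractors group.
ROLE_C = BusinessRole("Sales Tools", grace_days=7, included_roles=[ROLE_A, ROLE_B],
                      include_users={"carol": None}, exclude_groups={"Contractors": None})

if __name__ == "__main__":
    print("A:", sorted(ROLE_A.members(TODAY)))             # alice, bob
    print("C:", sorted(ROLE_C.members(TODAY)))             # alice, carol: bob excluded, dave only via unpublished B
    print("C + grace:", sorted(ROLE_C.members(TODAY, {"dave": days_ago(3)})))
    print("authz @100%:", mine_authorizations(ROLE_A.members(TODAY), 1.0))
    print("authz @50%:", mine_authorizations(ROLE_A.members(TODAY), 0.5))
```

Two behaviors are worth checking against your own role definitions before publishing: bob is dropped from role C even though he is a legitimate member of included role A, because role C's group exclusion wins; and lowering the permission coverage threshold from 100% to 50% pulls `prod:ssh` into the candidate's authorizations although only one of the two members holds it, which is exactly the kind of over-broad authorization a review of the candidate should catch.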

After you have created the business role and assigned owners and administrators, the business role is ready for approval or it is ready to be published depending on your approval policy. The approval policy allows you to have people review the business role and approve or request changes to the business role. For more information, see Section 14.6, Adding a Business Role Approval Policy.

To detect users that meet the business role criteria in reviews or in the catalog, you must publish the business role. For more information, see Section 14.7, Publishing or Deactivating Business Roles.