
Roles in IdentityIQ

Role: A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization.

Need for Roles in IdentityIQ: 

  • IdentityIQ roles are designed to be highly flexible and customizable.
  • This flexibility allows them to model a wide array of business structures and IT functions without custom coding.
  • They help enterprises line up low-level IT privileges with the corporate structure and business operations by grouping individual entitlements into higher-level business functions.
  • They translate entitlement data into terms that business managers and other employees can readily understand when they certify and examine that data.

Types of Roles in IdentityIQ: 

By default, four types of roles are configured in IdentityIQ:

  1. Organizational Role.
  2. Business Role.
  3. IT Role.
  4. Entitlement Role.

We will discuss the possible uses of each role type in its default configuration, as shown below.

  1. Organizational Role: Designed for organizing the role hierarchy in the IdentityIQ UI. Organizational roles perform no function other than creating a nesting structure in the Role Modeler.

Possible Organizational structures could include:

  • A hierarchy matching the corporate org structure, for organizing business roles into easily managed groupings.
  • A set of container roles holding collections of IT roles grouped by commonalities.
  • A set of container roles grouping other roles by application.
  • A set of container roles grouping other roles alphabetically.

Organizational roles create a familiar and easily navigable framework for managing the business role model. This makes it easier to identify and create the component business roles, and it simplifies finding and managing roles as changes occur in the future.

Example Model:

[Screenshot: Screen Shot 2021-01-04 at 9.09.31 AM.png]

Creating an Organizational Role:

STEP-1: Go to Define Roles -> New Role -> Role, as shown below.

STEP-2: Click on New Role and select Role; the following screen is displayed. Enter the required fields and click on Submit.

Required Fields on Role Editor Page:

  1. Name: Name of the Organizational Role.
  2. Display Name: Display name for the Organizational Role.
  3. Type: Select Organizational from the drop-down menu.
  4. Owner: Select the owner of the Organizational Role.
  5. Description: Description of the Organizational Role.
  6. Enable Activity Monitoring: Enable or disable activity monitoring.
  7. Disabled: Enable or disable the role.
  8. Modify Inheritance: To inherit any other roles, click on Modify Inheritance.

STEP-3: Select Organizational as the Type, as shown below.

STEP-4: The following page is displayed when you select Modify Inheritance, as shown below.

STEP-5: Add the roles you want this Organizational Role to inherit and save. The created roles can then be viewed under the View Roles tab.

  2. Business Role: A business role groups users by job function, title, or other attributes they share.

For example, within the Financing Organization there might be an Accountant, 3 Cashiers, and some people under Treasury. This would require the creation of the following business roles:

  • Accounting
  • Treasury

Example:

[Screenshot: Screen Shot 2021-01-04 at 9.27.09 AM.png]

Creation of a Business Role:

STEP-1: Go to Define Roles, click on New Role and select Role; the following screen is displayed, as shown.

STEP-2: Select Business as the Type; the following screen is displayed. Enter the required fields and click on Submit.

Required Fields on Role Editor Page:

  1. Name: Name of the Business Role.
  2. Display Name: Display name for the Business Role.
  3. Type: Select Business from the drop-down menu.
  4. Owner: Select the owner of the Business Role.
  5. Description: Description of the Business Role.
  6. Enable Activity Monitoring: Enable or disable activity monitoring.
  7. Disabled: Enable or disable the role.
  8. Inherited Roles: To inherit any other roles, click on Modify Inheritance.
  9. Entitlements: Select the entitlements you want to group into this role.
  10. Required Roles: To add required roles, click on Modify Required Roles.
  11. Permitted Roles: To add permitted roles, click on Modify Permitted Roles.

Required Roles: Required Roles are the IT roles that an identity must hold when it is assigned that business role.

Add the appropriate IT Roles as Required Roles and click on Save.

Permitted Roles: Permitted Roles are IT roles that an identity may hold, but is not required to hold, when assigned that business role.

Add the appropriate IT Roles as Permitted Roles and click on Save.

STEP-3: The created Business Roles are listed under the Role Viewer tab, as shown below.

NOTE-1: When a Business Role defined with Required Roles is requested for an identity whose entitlements do not satisfy those Required Roles, the role is marked in red in the identity cube, as shown below.

NOTE-2: When a Business Role is requested for identities in Active Directory, IdentityIQ automatically provisions the entitlements of the Required Roles that the identity is missing.

 

Role Membership Certifications: The Role Membership Certification is another useful tool in role lifecycle management. This certification focuses on the set of identities to which one or more selected roles is assigned. Certification responsibility can be assigned to each identity's manager, to the role owner, or to a specifically selected certifier, whoever is best equipped to determine whether the roles' members should hold them.

Scheduling a Role Membership Certification:

Often, this certification type is used during the role creation process to validate the sets of identities grouped together under a mined or manually created business role even before that role is connected to any required or permitted IT roles. This helps validate the role structure and any automatic assignment rules created for the roles before it has any impact on application entitlement provisioning.

STEP-1: Go to Monitor Certifications -> New Certification -> Role Membership.

STEP-2: Select the owner and the roles to be certified and check Run Now on the Basic page; in this case the role is STRATEGY.

STEP-3: Go to the Behavior page and check Enable Provisioning of Missing Role Requirements under the Decision tab. This notifies the certifier if any provisioning is required during the approval process.

STEP-4: Go to the Advanced page, select the certifier and click on Schedule Certification.

STEP-5: A Work Item is created for the certification; the certifier defined in the certification can then certify the Work Item, as shown below.

STEP-6: Any identity whose roles do not match the Required Roles of the business role is identified here, as shown below.

STEP-7: When the certifier approves the certification, a window pops up offering "Provision the Required Roles" or "Approve without provisioning", as shown below.

NOTE-1: Business Roles can be assigned to identities automatically by writing an Assignment Rule, or on request through the Access Request option in the IdentityIQ Dashboard.
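The required/permitted distinction, attribute-based assignment and the red-marked missing requirements described above can be expressed as a small model. The following Python is an added example, not part of the original article and not IdentityIQ's own API; the "application:attribute:value" entitlement format, the assignment rule's callable shape and all sample identities are assumptions, with c3/c4 borrowed from the BUSINESS ANALYST IT role example given later on this page.

```python
from dataclasses import dataclass, field

# Added model of this page's role concepts (not IdentityIQ's own API). Entitlements are
# "application:attribute:value" strings; sample roles and identities are constructed.
@dataclass
class ITRole:
    name: str
    entitlements: frozenset

@dataclass
class BusinessRole:
    name: str
    required: list                                  # IT roles a member must hold
    permitted: list = field(default_factory=list)   # allowed but not required
    assignment_rule: object = None                  # attrs dict -> bool (assumed shape)

@dataclass
class Identity:
    name: str
    attributes: dict
    entitlements: set

def detect_it_roles(identity, it_roles):
    # An IT role is detected when the identity holds every entitlement in it, which is
    # what the "detected roles" option computes on an identity cube refresh.
    return [r.name for r in it_roles if r.entitlements <= identity.entitlements]

def assign_business_roles(identity, business_roles):
    # Business roles whose assignment rule matches the identity's attributes.
    return [b.name for b in business_roles
            if b.assignment_rule and b.assignment_rule(identity.attributes)]

def missing_requirements(identity, role):
    # Entitlements the identity lacks for the role's required IT roles: non-empty means
    # the red state in the identity cube, and it is what "Provision the Required Roles"
    # would provision. Permitted roles never contribute; holding them is optional.
    missing = set()
    for it_role in role.required:
        missing |= it_role.entitlements - identity.entitlements
    return missing

# Constructed sample data; c3/c4 mirror the BUSINESS ANALYST IT role example on this page.
C3, C4, C7 = ("Active Directory:memberOf:" + g for g in ("c3", "c4", "c7"))
BUSINESS_ANALYST = ITRole("BUSINESS ANALYST", frozenset({C3, C4}))
REPORT_VIEWER = ITRole("REPORT VIEWER", frozenset({C7}))
IT_ROLES = [BUSINESS_ANALYST, REPORT_VIEWER]
ACCOUNTING = BusinessRole("Accounting", required=[BUSINESS_ANALYST], permitted=[REPORT_VIEWER],
                          assignment_rule=lambda a: a.get("department") == "Finance")
IDENTITIES = [
    Identity("alice", {"department": "Finance"}, {C3, C4, C7}),
    Identity("bob", {"department": "Finance"}, {C3}),      # lacks c4
    Identity("carol", {"department": "Sales"}, {C3, C4}),  # assignment rule does not match
]

def review(identity, business_roles=(ACCOUNTING,), it_roles=IT_ROLES):
    # One row of what a role membership certification shows for the identity.
    assigned = assign_business_roles(identity, business_roles)
    missing = set()
    for role in business_roles:
        if role.name in assigned:
            missing |= missing_requirements(identity, role)
    return {"assigned": assigned, "detected": detect_it_roles(identity, it_roles),
            "missing": sorted(missing), "needs_provisioning": bool(missing)}
```

Running `review` over the three sample identities shows bob as the only member who would be flagged: assigned Accounting by department, but missing c4 for the required BUSINESS ANALYST role.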

 

Business Role Mining: Though business roles can be created manually through the IdentityIQ user interface, role mining can also generate business roles, often far more efficiently than a manual process. In business role mining, roles are identified based on one or more identity attributes in IdentityIQ. For example, if Department is one of the identity attributes, a business role can be created for each unique Department value.

NOTE: Mined business roles are created in a disabled state and must be activated before they can be assigned to any identity, either automatically or through an access request. Mined business roles also contain assignment logic that automatically assigns them to identities whose attributes match the criteria used to identify the role, once the role is activated.

 

Creating a Business Role using Mining:

STEP-1: Go to Define Role -> New Role -> Business Role Mining; the following page is displayed. Enter the required information and click on Save and Execute.

Required fields on Role Mining Page:

  1. Name: Name of the Role Mining.
  2. Compute Population Statistics: Enable/Disable Population Computing Statistics.
  3. Perform Analysis Only: Enable/Disable Perform Analysis.
  4. Type of Root Container Role to Generate: Select the type of Role.
  5. Ordered Identity Mining Attributes: Select the attributes from the drop down menu.
  6. Type of Business Roles to Generate: Select the type of the Role.
  7. Owner: Select the Owner.
  8. Minimum no of users per Role: Specify the minimum number of users per Role.

STEP-2: After the role mining executes, the following page is displayed with the list of role mining runs created, as shown below.

The Business Role hierarchy can be viewed under the Role Viewer tab, as shown below.

Role Impact Analysis: Role uniqueness, as well as the role membership impact of a role creation or change, can be measured through a role impact analysis. An impact analysis can be run from the IdentityIQ user interface.

 

Impact Analysis on a Role (Business or IT Role): 

The impact of any changes to the Role memberships can be analyzed by submitting the role with impact analysis.

Example: Submitting a Business Role with Impact Analysis.

STEP-1: Go to Define Role, select a role and click on Edit Role, as shown below.

STEP-2: Make any changes to the selected role in this editor, such as adding or removing roles, changing the description or inheriting roles, and click on Submit with Impact Analysis. A Work Item is created for approval, as shown below.

STEP-3: The Work Item for approval goes to the owner of the role, in this case Administrator. The owner can view the changes made and their impact on the organization, and can approve, reject, or forward the item to the appropriate authority or identity.


Policy Validation: The Impact Analysis section of the analysis results also includes a statistic on policy violations detected for the selected role. This statistic is calculated by evaluating the role against the defined Policies in the system and determining if it will cause violations of any of those Policies.

 

Checking Policy Conflicts in a Role (Business or IT Role):

STEP-1: Go to Define Role, select a role and click on Edit Role, as shown below.

STEP-2: Click on Check Policy Conflicts to find out whether this role conflicts with any of the policies defined in IdentityIQ.

  3. IT Role: IT Roles allow multiple entitlements from one or more applications to be grouped together into a single role. IT roles should encapsulate groups of related entitlements that are shared by one or more business roles.

Example:

[Screenshot: Screen Shot 2021-01-04 at 9.51.50 AM.png]

In the above figure, BUSINESS ANALYST is an IT Role created for the identities that hold the entitlements c3 and c4.

 

Creation of an IT Role:

STEP-1: Go to Define Roles; the following screen is displayed, as shown.

STEP-2: Click on New Role and select Role; the following screen is displayed. Enter the required fields and click on Submit.

Required fields on Role Editor Page:

  1. Name: Name of the IT Role.
  2. Display Name: Display Name for the IT Role.
  3. Type: Select type as IT from the drop down menu.
  4. Owner: select the Owner for the IT Role.
  5. Description: Description for the IT Role.
  6. Enable Activity Monitoring: To enable/disable the Activity Monitoring.
  7. Disabled: Enable/Disable the Role.
  8. Inherited Roles: To inherit any other roles, click on Modify Inheritance.
  9. Entitlements: Select the entitlements you want to group into this role.

STEP-3: To add entitlements, click on the Add option under Entitlements; a new window pops up, as shown below.

STEP-4: Select the application from the drop-down menu and the entitlements you want to group as a role, click on Save and then on Submit.

The roles you have created are listed under the Role Viewer menu, as shown in the picture below.

NOTE: IT Roles are detected automatically for matching identities when the identity cube is refreshed with the option Refresh assigned, detected roles and promote additional entitlements checked.

 

Creation of an IT Role using Profiles in the Advanced View option:

Here we will walk through creating an IT Role using Profiles in the Advanced View option.

STEP-1: Go to Define Roles -> New Role -> Role.

STEP-2: Select Advanced View in the Entitlements window; the following screen is displayed. Select Create New Profile, as shown below.

STEP-3: The Edit Entitlement page is displayed; select the application, add the filters and save.

STEP-4: You are redirected back to the Role Editor page; submit the role. All created roles can be viewed under the Role Viewer tab.

 

Creating IT Roles using Profiles created from Entitlement Analysis in the Advanced View option:

Profiles can also be created from Entitlement Analysis in the Advanced View tab of the Role Editor page.

STEP-1: Go to Define -> Roles -> New Role -> Role.

STEP-2: Select Advanced View in the Entitlements window; the following screen is displayed. Select Create New Profile from Entitlement Analysis, as shown below.

STEP-3: Enter the name, description and type, select the application and its attributes, and click on Search, as shown below.

STEP-4: The search results are displayed as shown below; select the required entitlements, click on Create Profile and then on Save.

STEP-5: You are redirected to the Role Editor page; click on Submit. The IT Role is created using the profile built from Entitlement Analysis, as shown below.

 

IT Roles can be created automatically by setting up the filters in IT Role Mining.

IT Role Mining:  In general, the most efficient way to get started creating IT roles in the IdentityIQ Role Modeler is to generate them through role mining. In role mining, IT roles are generated based on system access current employees already have.

Types of IT Role Mining Activities: Roles can be mined either by performing an IT Role Mining or by running an Entitlement Analysis.

IT Role Mining: IT Role Mining is designed to highlight identities' entitlement commonalities. It returns every set of entitlements on the selected applications that is held in full by one or more identities.

  • The administrator selects one or more applications whose entitlements will be evaluated, as well as a set of identity attributes that filters the identities to be examined.
  • Every set of entitlements on the selected applications that is held in full by one or more identities is returned; subsets that no identity holds are not returned.
  • IT role mining definitions and results can be saved to be re-run or examined later.
  • Roles created from IT role mining are created in a disabled state and must be enabled before they will be detected for a user.

 

An Example for IT Role Mining:

We will create an IT role using IT Role Mining as shown in the below steps.

STEP-1: Go to Define Role -> New Role -> IT Role Mining; the following page is displayed. Enter the required information and click on Save and Execute.

Required fields on Role Mining Page:

  1. Name: Name of the role mining run.
  2. Owner: Select the owner for the mining.
  3. Identities to Mine: Filter the identities for mining; this can be done in two ways:
     • Search by Attributes
     • Search by Population
  4. Applications to Mine: Select the applications for mining.
  5. Entitlements to Exclude: Select the entitlements of the selected applications to be excluded from mining.
  6. Minimum Identities per Role: Specify the minimum number of identities per role.
  7. Minimum Entitlements per Role: Specify the minimum number of entitlements per role.
  8. Maximum Groups to Mine: Specify the maximum number of groups to be mined.

STEP-2: After the role mining executes, the following page is displayed with the list of role mining runs created, as shown below.

STEP-3: The results of the role mining can be viewed in the Role Mining Results tab, as shown below.

STEP-4: The results are displayed in groups; each group in the results represents a set of access held by at least one identity. Right-click on the required group and select Create Role, as shown below.

STEP-5: The following window pops up; enter the required fields and click on Save, as shown below.

Required fields for the Create Role window:

  1. Name: Name of the IT role.
  2. Owner: Select the Owner for the IT Role.
  3. Scope: Select the Scope from the drop down menu.
  4. Container Role: Select the Container Role.
  5. Description: Description for the IT Role.
  6. Entitlements to Include: Entitlements Included will be displayed here.
  7. Inherited Roles: Select the Roles to be inherited.
  8. Entitlements from Inherited Roles: Entitlements for the Inherited Roles will be displayed here.

STEP-6: The IT Role generated by role mining is listed under the Role Viewer tab, as shown.
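To make the mining description and its parameters (applications to mine, entitlements to exclude, identity filter, minimum identities and entitlements per role, maximum groups) concrete, here is an added Python model of IT role mining; it is not IdentityIQ's own implementation. It treats every combination of entitlements that some identity holds in full as a candidate group, which is one reading of the description above; the "application:value" entitlement format, the identity filter as a predicate on the identity name, and the sample identities are assumptions.

```python
from itertools import combinations

# Constructed sample data: each identity's entitlements, written "application:value"
# so that entitlements from different applications never collide.
IDENTITIES = {
    "alice": {"AD:c3", "AD:c4", "SAP:FI_VIEW"},
    "bob":   {"AD:c3", "AD:c4", "SAP:FI_VIEW", "SAP:FI_POST"},
    "carol": {"AD:c3", "SAP:FI_VIEW"},
    "dave":  {"AD:c3", "AD:c4", "AD:c9"},
    "erin":  {"AD:c9", "SAP:HR_VIEW"},
}

def mine_it_roles(identities, applications, excluded=(), identity_filter=None,
                  min_identities=2, min_entitlements=2, max_groups=10):
    """Mirror the mining inputs on the page: applications to mine, entitlements to
    exclude, an identity filter (the attribute/population search, modelled here as a
    predicate on the identity name), minimum identities and entitlements per role,
    and maximum groups. Returns (entitlement_set, holders) pairs, largest group first."""
    apps, excluded = set(applications), set(excluded)
    # 1. Restrict each identity to the mined applications, minus excluded entitlements.
    scoped = {}
    for name, ents in identities.items():
        if identity_filter is None or identity_filter(name):
            scoped[name] = {e for e in ents if e.split(":", 1)[0] in apps} - excluded
    # 2. Candidate groups are combinations of entitlements that some identity holds in
    #    full, so no group can describe access that nobody actually has.
    candidates = set()
    for ents in scoped.values():
        for size in range(min_entitlements, len(ents) + 1):
            candidates.update(frozenset(c) for c in combinations(sorted(ents), size))
    # 3. Count the identities holding every entitlement of a group; keep groups that
    #    reach the minimum population.
    results = []
    for group in candidates:
        holders = sorted(n for n, ents in scoped.items() if group <= ents)
        if len(holders) >= min_identities:
            results.append((group, holders))
    # 4. Largest population first, then larger groups, then a stable name order; cap.
    results.sort(key=lambda r: (-len(r[1]), -len(r[0]), sorted(r[0])))
    return results[:max_groups]

def create_role(name, group, owner, container=None):
    """Roles created from mining start disabled, as the page notes, and must be enabled
    before an identity refresh can detect them for anyone."""
    return {"name": name, "type": "it", "owner": owner, "container": container,
            "entitlements": sorted(group), "disabled": True}
```

With the sample data, mining AD and SAP yields four groups; the group {AD:c3, AD:c4} held by alice, bob and dave comes first, and combinations only bob holds (anything with SAP:FI_POST) are dropped by the minimum-identities threshold.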

 

Entitlement Analysis: Entitlement Analysis is designed to allow maximum flexibility in grouping entitlements into roles by returning each entitlement separately and allowing the administrator to group them in as many combinations as desired. Entitlement Analysis even allows the creation of roles that represent sets of entitlements no user currently holds, while IT Role Mining does not. However, Entitlement Analysis does not show the existing connections between entitlements as well as IT Role Mining does.

 

An Example for Entitlement Analysis:

STEP-1: Go to Define Role -> New Role -> Entitlement Analysis; the following page is displayed. Enter the required information and click on Search.

Required fields on the Entitlement Analysis page:

  1. Application: Select the Application for analysis.
  2. Filter Operation: Select the Owner for the mining.
  3. Identities to Mine: Determines whether the identities returned will be based on if they have accounts on all applications selected ("AND") or any of the applications selected ("OR").

STEP-2: The search results are displayed, as shown below.

STEP-3: Select the entitlements you want to group together and click on Create Role, as shown below.

STEP-4: The following screen is displayed; enter the name of the role, select the type of the role, add a description and save it.

STEP-5: The created role is listed under the Role Viewer tab, as shown below.

Comments:

Good Read. Absolutely perfect for starters!

Information is straight and lucid

Very new to roles in IIQ. Can you help me with one thing?

I have started by importing all Business and IT roles in IIQ. Now I have set up Role SOD policies. Now I want to add roles to the Identities and check active policies. Is there a way from UI that it can be done?

Go to Manage Access Quicklink --> Manage User Access --> select identity --> select the role you want to add to the identity --> Submit.

Once the role is added to the user, run Refresh Identity Cube with the "check Active Policies" option enabled. This helps raise any violations.

Can I assign an IT role (these are independent and not part of any business role) to an identity? I see options for only Business Role and Entitlements. Please guide.

sen_rohit90

Please post questions like this to the Forums. People will have a much easier time finding the answer when they have the same question later if you put this there. Feel free to use the "Share" button there and I will happily provide more information. Also, you can find some info about how IdentityIQ's default role models work in the Role Management in IdentityIQ white paper.

Noted Jennifer. I will be careful going forward.

go to role configurations, select IT  role and uncheck "No manual assignment" option.

I have created an IT Role and when I tried to assign an identity the given IT Role via My Dashboards -> Manage User Access, I don't find the created IT Role to assign for that particular user. Could you please help on this?

Hello @aparna123 , IT roles are non-requestable by default. If you want to "assign" IT roles to an Identity, you can try one of these ways:

  • Create a business role that has this IT role as required role, then assign this business role via Manage User Access
  • Allow IT role to be requestable, go to Global Settings > Role Configuration > IT > uncheck 'No manual assignment' and save
Last update: Jan 20, 2021 07:37 PM (revision 9 of 9)