Managing user access to various resources and applications in an organization comes with a significant administrative and technological cost. If user permissions are under-provisioned, productivity may suffer. On the other hand, overly provisioned user permissions can pose potential security risks.
To balance productivity against security, most organizations use a Role-Based Access Control (RBAC) system to manage user permissions to resources.
An RBAC system grants users access to resources by grouping permissions into roles; roles, rather than individual permissions, are assigned to users. Deciding which roles to create so that permissions are assigned optimally across resources and applications takes considerable time and effort from RBAC and system experts.
Whether a role should be created in an RBAC system, and which permissions it should include, is decided from the answers to two questions:
1. What are the commonly grouped permissions and entitlements in the current system?
2. Which user attributes drive the permissions currently assigned to them?
Role mining is the process of identifying the roles to introduce into an RBAC system by analysing the existing user-permission assignments across the organization's resources, clustering users' existing entitlements into candidate business roles, and correlating those clusters with user attributes.
Data Collection
The first step in role mining is to capture the existing users and their entitlements, together with the user attributes that may explain those entitlements, such as department, designation and location.
Identifying potential business roles
Cluster users by their attributes and current permission assignments, using techniques such as clustering or association rule mining. The objective is to find groups of permissions that recur across users and present them as candidate roles to which permissions are mapped in the RBAC system; users are then assigned these roles instead of individual permissions.
Post processing and Optimization
Reviewing the candidate roles extracted from the data lets the RBAC and system administrators judge their "correctness". Additional heuristics can be applied to raise or lower the number of roles generated, which in turn changes how many user-role mappings and residual user-permission mappings have to be made when the RBAC system is implemented.
Increased Efficiency
By identifying the most common roles and responsibilities in an organization, role mining streamlines the provisioning and deprovisioning of user access and makes access control easier to manage.
Principle of Least Privilege
Role mining identifies common business roles from the existing permissions and maps them to users' positions in the organization. Application and RBAC administrators can then compare the permissions a user currently holds with the discovered roles and identify over-provisioned access.
Peer Review and Compliance
Role mining exposes differences between the permissions assigned to peers in an organization. It also helps organizations demonstrate compliance with industry and regulatory standards by showing that users have access only to the data they need to perform their job functions.
Segregation of Duties and Identifying toxic access
Role mining allows rules to be defined on user attributes and on COSO-style control types for permissions, so that the roles defined avoid toxic combinations of access (for example, a role that includes both maker and checker permissions). Checking the mined roles against these rules also identifies users who already hold toxic combinations.
Role Mining is implemented in Cymmetri as explained below:
Cymmetri expects the following set of inputs for data collection:
User details (UserId, Department, Location, Designation etc.)
Permission details (ApplicationId, Permission/Entitlement in the application, PermissionId)
User-Permission Mapping (UserId, PermissionId)
Cymmetri iterates over the user-permission mappings and applies heuristics to derive a list of business roles, where each role is a group of one or more permissions held by multiple users.
Cymmetri then optimizes the resulting business roles, removing roles whose permissions are held by very few users, and further refines them by identifying the correlation between user attributes and each generated role.
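The following is an added, self-contained illustration of the mining, pruning, attribute-correlation and segregation-of-duties steps described above (the three-step process and the Cymmetri inputs). It is not Cymmetri's code: the sample users, permissions and assignments are constructed, the candidate-role heuristic (each user's full permission set plus pairwise intersections) and the coverage/precision scoring are assumptions chosen for illustration, and the maker/checker classes on permissions stand in for whatever control taxonomy an organization uses.

```python
"""Added role-mining example; illustrative, not Cymmetri's implementation."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample inputs in the shape the page lists. All identifiers are made up.
USERS = {  # UserId -> attributes
    "u1": {"dept": "Finance", "loc": "NYC", "title": "Analyst"},
    "u2": {"dept": "Finance", "loc": "NYC", "title": "Analyst"},
    "u3": {"dept": "Finance", "loc": "LON", "title": "Analyst"},
    "u4": {"dept": "Finance", "loc": "NYC", "title": "Manager"},
    "u5": {"dept": "Eng", "loc": "NYC", "title": "Engineer"},
    "u6": {"dept": "Eng", "loc": "NYC", "title": "Engineer"},
    "u7": {"dept": "Eng", "loc": "LON", "title": "Engineer"},
    "u8": {"dept": "HR", "loc": "NYC", "title": "Recruiter"},
}
PERMISSIONS = {  # PermissionId -> (ApplicationId, entitlement, SoD class or None)
    "p1": ("ERP", "invoice.create", "maker"),
    "p2": ("ERP", "invoice.approve", "checker"),
    "p3": ("ERP", "report.read", None),
    "p4": ("Git", "repo.push", None),
    "p5": ("Git", "ci.deploy", None),
    "p6": ("HRIS", "employee.read", None),
}
ASSIGNMENTS = [  # (UserId, PermissionId)
    ("u1", "p1"), ("u1", "p3"), ("u2", "p1"), ("u2", "p3"), ("u3", "p1"), ("u3", "p3"),
    ("u4", "p1"), ("u4", "p2"), ("u4", "p3"),  # u4 can both create and approve invoices
    ("u5", "p4"), ("u5", "p5"), ("u6", "p4"), ("u6", "p5"),
    ("u7", "p4"), ("u7", "p5"), ("u7", "p6"), ("u8", "p6"),
]


def user_permissions(assignments):
    """Collapse the mapping table into UserId -> set of PermissionIds."""
    perms = defaultdict(set)
    for uid, pid in assignments:
        perms[uid].add(pid)
    return dict(perms)


def candidate_roles(perms):
    """Candidate roles: every user's full permission set plus every non-empty
    pairwise intersection of two users' sets (a simple intersection heuristic)."""
    cands = {frozenset(s) for s in perms.values()}
    for a, b in combinations(perms.values(), 2):
        if a & b:
            cands.add(frozenset(a & b))
    return cands


def members(role, perms):
    """Users whose current entitlements cover every permission in the role."""
    return {u for u, s in perms.items() if role <= s}


def attribute_drivers(role_members, users):
    """Per attribute: its most common value among role members, the share of
    members holding it (coverage) and the share of all users with that value
    who are members (precision). Both near 1.0 suggests the attribute drives the role."""
    out = {}
    for attr in next(iter(users.values())):
        value, n = Counter(users[u][attr] for u in role_members).most_common(1)[0]
        holders = {u for u, a in users.items() if a[attr] == value}
        out[attr] = (value, n / len(role_members), len(role_members & holders) / len(holders))
    return out


def mine_roles(users, permissions, assignments, min_users=2):
    """Mine candidates, prune roles held by fewer than min_users, annotate the rest."""
    perms = user_permissions(assignments)
    roles = {}
    for role in candidate_roles(perms):
        who = members(role, perms)
        if len(who) >= min_users:
            roles[role] = {"members": who, "drivers": attribute_drivers(who, users)}
    return roles


def uncovered(assignments, roles):
    """Permissions no mined role explains: these remain direct assignments in the
    RBAC implementation, or are over-provisioning for an administrator to review."""
    out = {}
    for u, s in user_permissions(assignments).items():
        covered = set().union(*(r for r in roles if u in roles[r]["members"]))
        out[u] = s - covered
    return out


def sod_violations(perm_sets, permissions, conflicts=(("maker", "checker"),)):
    """Flag any holder (a user or a mined role) whose permissions span both halves
    of a conflicting pair, e.g. maker and checker."""
    flagged = {}
    for holder, s in perm_sets.items():
        classes = {permissions[p][2] for p in s}
        for a, b in conflicts:
            if a in classes and b in classes:
                flagged[holder] = (a, b)
    return flagged


if __name__ == "__main__":
    mined = mine_roles(USERS, PERMISSIONS, ASSIGNMENTS, min_users=2)
    for role, info in mined.items():
        print(sorted(role), sorted(info["members"]), info["drivers"])
    print("left as direct assignments:", {u: s for u, s in uncovered(ASSIGNMENTS, mined).items() if s})
    print("toxic users:", sod_violations(user_permissions(ASSIGNMENTS), PERMISSIONS))
    print("toxic roles:", sod_violations({r: r for r in mined}, PERMISSIONS))
```

On the sample data this yields three roles: {invoice.create, report.read} held by the four Finance users (dept=Finance has coverage and precision 1.0, so department explains the role better than location does), {repo.push, ci.deploy} held by the three Eng users, and {employee.read} shared by u7 and u8. Raising `min_users` to 3 drops the last one, which is the kind of knob the optimization step turns. The manager u4's approve permission is left as a direct assignment, and the segregation-of-duties check flags u4 as holding both maker and checker access while confirming that none of the mined roles would bundle that combination.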