Roles Mining

Role mining is a systematic and analytical process designed to identify and extract existing access assignment patterns within an organization's current infrastructure. This involves comprehensively examining "who has access to what" to discern recurring groupings of permissions and entitlements. The overarching objective of this discovery phase is to define meaningful business roles, which represent logical job functions or responsibilities, rather than mere technical access groupings.

Cymmetri's methodology centers on the comparative analysis of these existing access assignments, leveraging specific, predefined attribute fields. These fields serve as critical dimensions for grouping users and identifying logical access patterns. Key examples include:

  • Department: Categorizes users by their organizational unit.

  • Designation: Groups users based on their job title or professional level.

  • User Type: Differentiates users by their employment status or category.

  • Other Contextual Fields: Additional relevant organizational or user attributes that facilitate the delineation of distinct access requirements.

Once these analytical fields are selected, Cymmetri generates "candidate roles." Each candidate role represents a potential business role derived from a specific, observed combination of the chosen attribute fields.

Configuration and Execution of Role Mining in Cymmetri

The role mining process in Cymmetri is structured into clear, sequential steps within the Identity Governance module.

To initiate a new role mining project: Navigate to the Identity Governance section and click on "+ Add New".

Step 1: Define Role Mining Details

Provide essential identifying information for the role mining initiative:

  • Role Mining Name: A unique and concise title that identifies the specific role mining project.

  • Role Mining Description: Comprehensive descriptive information outlining the scope, objectives, and any relevant context for the role mining effort.

Step 2: Select Role Mining Criteria

Determine the basis for the role mining analysis by selecting the relevant user attributes:

  • Options Provided:

    • Department

    • Designation

    • User Type

  • Administrator Control: The administrator can flexibly select all available options for a more granular analysis or choose only the required ones to focus on specific dimensions.

  • Proceed: After selecting the desired attributes, click "Next" to advance.

Step 3: Generate Candidate Roles

Based on the attributes selected in Step 2, the system will process the access data to "Generate Candidate Roles." This action initiates the analytical engine to identify and propose potential business roles.

Refining Candidate Roles: The Minimum Support Parameter Score

The "Filter Options" feature provides administrators with a crucial mechanism to refine and control the granularity of the presented role mining results. This functionality is driven by the minimum support parameter score.

The support parameter score, expressed as a percentage, is a key metric calculated during the role mining process. It quantifies the statistical significance and consistency of a discovered access pattern, indicating the proportion of users within a particular grouping who consistently possess a specific set of application roles or permissions.

Functionality of the Minimum Support Parameter Score:

  • Setting the Threshold: The administrator sets a minimum threshold for this support parameter. Only candidate roles and their associated application access patterns that meet or exceed this defined minimum score will be displayed as valid suggestions.

  • Higher Percentage for Accuracy and Precision:

    • Setting a higher minimum percentage (e.g., 90% or 95%) ensures the system presents only highly consistent and prevalent access patterns. This yields more accurate and precise role suggestions, ideal for defining clear, widely applicable business roles with minimal exceptions.

  • Lower Percentage for Broader Discovery and Granularity:

    • Conversely, a lower minimum support score (e.g., 60% or 70%) results in a broader display of candidate roles, including less universally consistent but still significant groupings. This offers wider discovery and allows for the identification of more granular or niche roles, presenting more potential fields and combinations for administrative review.
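The following sketch illustrates how a minimum support threshold changes which access patterns surface. It is an added example, not Cymmetri's code or algorithm: the function name, the sample users and entitlement names are constructed, and support is assumed to be computed per entitlement within each attribute grouping.

```python
from collections import Counter, defaultdict

FIELDS = ("department", "designation", "user_type")

# Constructed sample users: (department, designation, user_type, entitlements)
USERS = [
    ("Finance", "Analyst", "Employee", {"erp:viewer", "bi:reader"}),
    ("Finance", "Analyst", "Employee", {"erp:viewer", "bi:reader"}),
    ("Finance", "Analyst", "Employee", {"erp:viewer", "bi:reader"}),
    ("Finance", "Analyst", "Employee", {"erp:viewer", "bi:reader", "erp:admin"}),
    ("Finance", "Analyst", "Contractor", {"erp:viewer"}),
    ("IT", "Engineer", "Employee", {"vpn:user", "git:write"}),
    ("IT", "Engineer", "Employee", {"vpn:user"}),
]


def mine_candidate_roles(users, criteria, min_support):
    """Return {attribute combination: {entitlement: support %}} for entitlements
    held by at least min_support percent of the users sharing that combination.
    Hypothetical helper; per-entitlement support is an assumption of this example."""
    idx = [FIELDS.index(f) for f in criteria]
    groups = defaultdict(list)
    for user in users:
        # Group key is the user's values for the selected criteria only.
        groups[tuple(user[i] for i in idx)].append(user[3])

    candidates = {}
    for combo, entitlement_sets in groups.items():
        counts = Counter(e for ents in entitlement_sets for e in ents)
        size = len(entitlement_sets)
        kept = {e: 100.0 * n / size for e, n in counts.items()
                if 100.0 * n / size >= min_support}
        if kept:
            candidates[combo] = kept
    return candidates


if __name__ == "__main__":
    for threshold in (90, 70):
        print(threshold, mine_candidate_roles(
            USERS, ("department", "designation"), threshold))
```

In this sample the single erp:admin grant (20% support among Finance analysts) stays out of the candidate role at both thresholds, so a one-off privileged assignment is not carried into a proposed role.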

Step 4: Review and Formalize Candidate Roles

Upon completion of the role mining analysis and the application of any filters, the system presents the administrator with the generated candidate roles for review. The administrator can:

  • Systematically Review: Examine each proposed rule.

  • Inspect Attributes: Verify the underlying attributes that defined the rule.

  • Verify Conditions: Review the specific logical conditions associated with the rule.

  • Assess Support Score: Evaluate the calculated support score for each candidate.

  • Review Rule Name: Observe the initial system-generated rule name.

For future access management and automation, a generated and validated candidate rule can be formalized into an active provisioning rule. This is achieved by:

  • "Generate Rule" Action: Clicking this button transforms the candidate rule into an active provisioning rule within the system.

Verification Path: The newly created provisioning rule can be verified under: Lifecycle Management -> Rules -> Provision

After a rule has been established as a provisioning rule, the system provides an interface for further refinement and detailed verification. The administrator retains the ability to edit key aspects of the provisioning rule, ensuring its ongoing accuracy and relevance:

  • Edit Rule Name: Modify the formal name of the provisioning rule.

  • Edit Description: Update the descriptive information for comprehensive context.

  • Verify Conditions: Confirm the logical conditions that trigger the rule.

  • Verify Assigned Applications: Review the specific application roles or permissions automatically assigned upon condition satisfaction.

  • Save: All modifications must be explicitly saved to apply changes.
