000039223 - How user-entitlement clusters works when Role Mining in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Aug 13, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039223
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
 
IssueThe Discover Roles feature (Roles > Roles > Create/Discover > Discover Roles) provides automated, bottom-up role mining techniques for creating new roles. When choosing the Discover Roles option, on the Role Creation page under How do you want to create the roles, one of the options, from user-entitlement clusters, discovers roles based on shared user attribute values. The purpose of this RSA Knowledge Base Article is to explain how roles are created and members and entitlements added when using the from user-entitlement clusters option. An example of the option is shown in the screenshot below.
 
User-added image


 
ResolutionThe from user-entitlement clusters option works as follows:

For a given set of users and entitlements find a specific percentage of those entitlements that those users have in common and create a Role with those users as members. Once users are added to a new Role through Role Discovery, all their entitlements become part of the new Role (not just the entitlements that they have in common).. This is best illustrated with an example. 

EXAMPLE

Consider the following example where Discover Roles is defined as:
 
Users matching: Iris, Rose, Cherry, Sun, Moon, Tree
Entitlements matching: dog, cat, horse, cow, pig
Clustering Method: allow duplicate entitlements, allow duplicate users
Users with: 50 % entitlements in common
Create with a minimum of 2 users
Create with a minimum of 1 entitlements


NOTE: This example is intentionally simplistic in order to illustrate a complex concept.
 
UserEnt1Ent2Ent3Ent4Ent5Ent6Ent7
Irisdogcatgoat    
Rosedogcatpigcow   
Cherryhorsecowsheepdonkey   
Suncathamster     
Moondog cowpigtigerzebra  
Treedogcowpigpanthersheepcougarbear


Two Roles will be defined as follows:
 
Role001


Members: Iris, Rose
Entitlements: dog, cat, goat, cow, pig
 


Role002


Members: Rose, Moon
Entitlements: dog, cow, pig, cat, tiger, zebra


Break Down:
  • Roles created:
    • Iris and Rose have entitlements dog and cat and these entitlements are 50% or greater of their total entitlements which means they have at least 50% of the specified entitlements in common. Goat, pig and cow are added as entitlements to Role001 because either Rose or Iris have them.
    • Rose and Moon have dog, cow, and pig as 50% or greater of their total entitlements so all three add up to 50% or more of the specified entitlements in common. Cat, tiger, and zebra are added as entitlements to Role002 because either Rose or Moon have them.
  • No Roles created:
    • Tree also has entitlements dog, cow, and pig but these are not 50% of Tree's total entitlements. Therefore Tree does not become a member of Role002 because Tree does not have 50% of his entitlements in common with the other users specified in Role002.
    • Sun has cat which is 50% of Sun's total entitlements but not 50% of anyone else's entitlements so Sun does not become a member of a new Role.
    • Cherry has cow which is only 25% of her total entitlements so this is not enough to become a Role member.
  A key point to note here is that the Roles are created with all the entitlements that users who meet the criteria have, not just the entitlements that they have in common.

 

Attachments

    Outcomes