Article Content
Article Number | 000039223
Applies To | RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
Issue | The Discover Roles feature (Roles > Roles > Create/Discover > Discover Roles) provides automated, bottom-up role mining techniques for creating new roles. When you choose the Discover Roles option, the Role Creation page offers several options under "How do you want to create the roles". One of them, "from user-entitlement clusters", discovers roles based on shared user attribute values. The purpose of this RSA Knowledge Base Article is to explain how roles are created, and how members and entitlements are added, when using the "from user-entitlement clusters" option. An example of the option is shown in the screenshot below.
Resolution | The "from user-entitlement clusters" option works as follows: for a given set of users and entitlements, find the users that have a specific percentage of those entitlements in common and create a Role with those users as members. Once users are added to a new Role through Role Discovery, all their entitlements become part of the new Role (not just the entitlements that they have in common). This is best illustrated with an example.

EXAMPLE

Consider the following example where Discover Roles is defined as:

Users matching: Iris, Rose, Cherry, Sun, Moon, Tree
Entitlements matching: dog, cat, horse, cow, pig
Clustering Method: allow duplicate entitlements, allow duplicate users
Users with: 50% entitlements in common
Create with a minimum of 2 users
Create with a minimum of 1 entitlements

NOTE: This example is intentionally simplistic in order to illustrate a complex concept.

Two Roles will be defined as follows:

Role001
Members: Iris, Rose
Entitlements: dog, cat, goat, cow, pig

Role002
Members: Rose, Moon
Entitlements: dog, cow, pig, cat, tiger, zebra

Break Down:
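The clustering rule described above, modelled as an added Python example (not RSA's code and not the article's own breakdown). The per-user holdings are constructed, since the article does not list them, and reading the 50% threshold as a share of the matched entitlement set is an assumption. The `not_shared` and `out_of_scope` fields list what a discovered role grants beyond what its members have in common, which is what a reviewer would check before approving the role.

```python
from itertools import combinations

# Scope taken from the article's example.
SCOPE = {"dog", "cat", "horse", "cow", "pig"}

# Constructed holdings: the article does not say what each user holds.
HOLDINGS = {
    "Iris": {"dog", "cat", "goat", "cow"},
    "Rose": {"dog", "cat", "cow", "pig"},
    "Moon": {"dog", "cow", "pig", "tiger", "zebra"},
    "Cherry": {"horse"},
    "Sun": {"pig"},
    "Tree": set(),
}


def discover_roles(holdings, scope, pct=50, min_users=2, min_ents=1):
    """Assumed model of the clustering rule, not the product's algorithm.

    A cluster is a maximal group of users whose shared in-scope
    entitlements cover at least pct% of the scope. The role then receives
    every entitlement its members hold, shared or not.
    """
    roles = []
    users = sorted(holdings)
    for size in range(len(users), min_users - 1, -1):
        for group in combinations(users, size):
            if any(set(group) <= r["members"] for r in roles):
                continue  # already contained in a larger cluster
            common = set.intersection(*(holdings[u] & scope for u in group))
            if len(common) < min_ents or len(common) * 100 < pct * len(scope):
                continue
            granted = set.union(*(holdings[u] for u in group))
            roles.append({
                "members": set(group),
                "common": common,
                "entitlements": granted,
                "not_shared": granted - common,   # held by only some members
                "out_of_scope": granted - scope,  # never in the mining scope
            })
    return roles


if __name__ == "__main__":
    for n, role in enumerate(discover_roles(HOLDINGS, SCOPE), start=1):
        print(f"Role{n:03d}", {k: sorted(v) for k, v in role.items()})
```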