How user-entitlement clusters works when Role Mining in RSA Identity Governance & Lifecycle

3 years ago

Originally Published: 2020-08-12

Article Number

000059362

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All

Issue

The Discover Roles feature (Roles > Roles > Create/Discover > Discover Roles) provides automated, bottom-up role mining techniques for creating new roles. When choosing the Discover Roles option, on the Role Creation page under How do you want to create the roles, one of the options, from user-entitlement clusters, discovers roles based on shared user attribute values. The purpose of this RSA Knowledge Base Article is to explain how roles are created and members and entitlements added when using the from user-entitlement clusters option. An example of the option is shown in the screenshot below.

Resolution

The from user-entitlement clusters option works as follows:

For a given set of users and entitlements find a specific percentage of those entitlements that those users have in common and create a Role with those users as members. Once users are added to a new Role through Role Discovery, all their entitlements become part of the new Role (not just the entitlements that they have in common).. This is best illustrated with an example.

EXAMPLE

Consider the following example where Discover Roles is defined as:

Users matching: Iris, Rose, Cherry, Sun, Moon, Tree
Entitlements matching: dog, cat, horse, cow, pig
Clustering Method: allow duplicate entitlements, allow duplicate users
Users with: 50 % entitlements in common
Create with a minimum of 2 users
Create with a minimum of 1 entitlements

NOTE: This example is intentionally simplistic in order to illustrate a complex concept.

User	Ent1	Ent2	Ent3	Ent4	Ent5	Ent6	Ent7
Iris	dog	cat	goat
Rose	dog	cat	pig	cow
Cherry	horse	cow	sheep	donkey
Sun	cat	hamster
Moon	dog	cow	pig	tiger	zebra
Tree	dog	cow	pig	panther	sheep	cougar	bear

Two Roles will be defined as follows:

Role001

Members: Iris, Rose
Entitlements: dog, cat, goat, cow, pig

Role002

Members: Rose, Moon
Entitlements: dog, cow, pig, cat, tiger, zebra

Break Down:

Roles created:
- Iris and Rose have entitlements dog and cat and these entitlements are 50% or greater of their total entitlements which means they have at least 50% of the specified entitlements in common. Goat, pig and cow are added as entitlements to Role001 because either Rose or Iris have them.
- Rose and Moon have dog, cow, and pig as 50% or greater of their total entitlements so all three add up to 50% or more of the specified entitlements in common. Cat, tiger, and zebra are added as entitlements to Role002 because either Rose or Moon have them.
No Roles created:
- Tree also has entitlements dog, cow, and pig but these are not 50% of Tree's total entitlements. Therefore Tree does not become a member of Role002 because Tree does not have 50% of his entitlements in common with the other users specified in Role002.
- Sun has cat which is 50% of Sun's total entitlements but not 50% of anyone else's entitlements so Sun does not become a member of a new Role.
- Cherry has cow which is only 25% of her total entitlements so this is not enough to become a Role member.

A key point to note here is that the Roles are created with all the entitlements that users who meet the criteria have, not just the entitlements that they have in common.

Don't see what you're looking for?

Related Articles

Trending Articles