Autonomous Identity 2021.8.2

Roles Management Tasks

Autonomous Identity supports a powerful role analysis and management system that examines all roles and their assigned entitlements within your access landscape. The system uses machine learning rules and analytics thresholds to determine the confidence scores and driving factors for each role.

The central hub of the roles management system is the Roles Workshop. The Roles Workshop lets authorized users review, ediit, and test new or existing roles before publishing them to production.

In a typical scenario, an administrator runs a role mining job as part of the analytics pipeline. During a role mining analytics run, Autonomous Identity discovers candidates for any new roles and displays them in the Roles Workshop with confidence scores and driving factors. Authorized users can review these roles, make edits to entitlements, and re-run the role mining analytics until the correct mix of entitlements meets your threshold objectives for given rules.

A month or two later, the administrator can re-run the role mining job to pick up changes in the entitlements landscape. Autonomous Identity re-analyzes each role and recommends updates to existing roles, such as the indication of stale data, or changes in the confidence scores. Based on these recommendations, the authorized user can revoke any active roles, make new configuration changes to a draft, and publish these draft roles to production.

roles workshop
Figure 1. Roles Workshop

Roles User Types

Autonomous Identity supports two types of user role types to manage roles with the system. You can assign these roles using the Manage Identities [TBD: Add link] function.

User Type Description

Role Engineer

A user who has the ability to view, edit, delete, and export all roles. Role engineers can create drafts from mined candidates and assign role owners to the draft. They can also create custom roles for further evaluation and testing. Autonomous Identity administrators automatically are assigned this role.

Role Owner

A user who has the ability to view, edit, delete, and export active and draft roles assigned to them.

Roles Workflow

The Roles Workshop displays roles in three different states: candidate, draft, and active.

  • Candidate. A candidate is a template role that is discovered through the latest role mining analytics job. After each role mining job, all newly mined roles are marked as new and as a candidate. Role engineers can review a candidate, assign a role owner to it, and approve the role as a draft. You cannot edit or remove a candidate role as is, but must create a draft from a candidate to change its details. Candidate roles are retained in the system for later adjustments and for the creation of additional new roles until the next role mining job, where all candidates are deleted and a new candidate pool is rebuilt.

    See an image.
    roles workshop candidate
  • Draft. A draft is a role that requires review and approval by an authorized approver to become active. Role engineers can re-run a role mining job to pick up the latest changes in the access landscape. The Roles Workshop displays the latest confidence scores, driving factors, and a Recommended section that shows a suggested course of action for the role. Also, when you create a custom role, Autonomous Identity saves the role in draft status. You can edit the draft, make another custom role from it, publish the role for production, or delete the draft.

    See an image.
    roles workshop draft
  • Active. Once a draft has been approved, the role is active for production use. The role appears with an Active status and also appears on the Roles Catalog page. The Recommended section presents suggested updates for each role analyzed in the latest mining job. You can create a draft from this active role or unpublish it back to draft status.

    See an image.
    roles workshop active

Role-Mined vs Custom Roles

You can originate roles in two different ways: role-mined and custom.

Role-mined roles are discovered through Autonomous Identity’s machine learning process. The result of the role mining run is a generated list of candidates that a role engineer can edit and review on the Roles Workshop page.

Custom roles are created through different workflows:

  • From Scratch. You can create a totally new role on the Roles Workshop using the Create Role function.

  • From Existing. You can create a custom role from an existing draft or active role, which can occur in the following scenarios:

    • When you run a new role-mining job and an existing candidate role is deleted.

    • When you have a draft or an active role that is associated with a deleted candidate, and the recommendation is to delete the draft/active role as role mining determines that it is stale or no longer relevant.

Custom roles do not have recommendations. Recommendations are based on the difference between a mined role and its candidate.

Roles Workshop Tasks

The following procedures presents the typical Roles Workshop tasks:

Create a Custom Role

Autonomous Identity lets authorized users create new custom role drafts on the Roles Workshop.

Create a Custom Role:

  1. On the Roles Workshop, click Create Role. Autonomous Identity creates a random label for the role at the top of the page.

  2. Click Details. Enter a name, description, and select the Role Owner from the list of authorized users on the drop-down menu.

  3. Click Entitlements. On the page, click Add Entitlements. You can search by entitlement name or application.

  4. Click Access Patterns. On the page, click Add Access Pattern. Select a User Attribute, and enter an associated value.

  5. Review your entries. When ready, click Save Draft.

    The role will be saved in the Roles Workshop as a draft. An authorized user must review and approve the role to activate it in production.

See it in action
roles workshop create custom role
Do not create a custom role before running an initial analytics pipeline job. Doing so can result in the role mining job failing.

Search Roles Using the Filter

Many companies have a large number of roles within their system. The Roles Workshop provides a useful filter to locate specific roles.

Search Roles using the filter:

  1. On the Roles Workshop, click Filters.

  2. Enter any of the following data:

    1. Name. Enter a role name.

    2. Status. Select Active, Draft, or Candidate.

    3. Application. Enter an application with which the role is associated.

    4. Role Owner. Enter a role owner.

    5. Origin. Select Custom or Role Mining.

  3. Click Done.

    See it in action
    roles workshop search

Create a New Draft

Autonomous Identity lets authorized users review role-mined candidates on the Roles Workshop. If the role engineer and role owner approves the candidate, the role goes to draft state.

Create a New Draft:

  1. On the Roles Workshop, review the list of candidates. Click a candidate role.

  2. Change the role name, and then add a description.

  3. Add an authorized user as a role owner. All drafts or active roles must have a role owner assigned to it.

    Note: The role owner must have the Role Owner role assigned to them. Administrators can add them on the Manage Identities page, or make a request to your adminstrator.

  4. Click Entitlements to review the entitlement name, application if assigned, and the average confidence score.

  5. Click Members to review the members or users associated with this role.

  6. Click Access Patterns to review the access pattern for this role.

  7. Click Driving Factors to review the list of attributes, driving factors, frequency, and percentage of members with the role.

  8. Click Recommended to review any suggested action on the role. You must run the role mining job several times to pick up new changes in your access landscape. Initial role mining jobs will not have recommendations other than Create Draft.

  9. Click Create Draft when all entries are accepted.

    See it in action
    roles create draft

Publish a Role

Autonomous Identity lets role engineers and role owners approves a draft and push it into production. The Roles Workshop displays the role in an active state.

Publish a Draft:

  1. On the Roles Workshop, review the list of candidates. Click a draft role.

  2. Review the role details.

  3. Click Publish.

    See it in action
    roles workshop publish

Delete a Role

Autonomous Identity lets role engineers and role owners delete a draft or an active role.

Delete a Role:

  1. On the Roles Workshop, review the list of candidates. Click a draft or active role.

  2. Review the role details.

  3. Click Delete Draft.

    See it in action
    roles workshop delete

Roles Catalog Tasks

The Roles Catalog lists all active roles within your system. Role engineers can export any role as a json file, edit, unpublish, and delete the roles if necessary. Role owners can carry out the same tasks on only roles assigned to them.

Export a Role

Export a Role to JSON:

  1. On the UI Dashboard, click Roles, and then click Roles Catalog.

  2. Click the role(s) to export.

  3. Click Export Selected. Autonomous Identity sends a JSON file to your local drive.

Filter Roles in the Catalog

Search the Catalog using the filter:

  1. On the UI Dashboard, click Roles, and then click Roles Catalog.

  2. Click Filters to view specific roles in your catalog.

  3. On the Filters menu, enter and select from the following drop-down lists:

    1. Name. Enter a role name.

    2. Status. Select Active, Draft, or Candidate.

    3. Application. Enter an application with which the role is associated.

    4. Role Owner. Enter a role owner.

    5. Origin. Select Custom or Role Mining.

  4. Click Done.

Copyright © 2010-2022 ForgeRock, all rights reserved.