Role Mining and Optimization
Role-based security management provides increased efficiency and other benefits, but implementation projects can become delayed as organizations work to define their initial set of roles. EmpowerID’s Role Mining engine solves this challenge by recommending an optimal initial set of roles, based on the organization’s existing access assignments. Our sophisticated machine learning algorithms uncover the existing “implicit” roles already in use within an organization by analyzing current access assignments for users. These existing roles become the starting point for defining standardized access roles and adopting role-based access control (RBAC).
Minimizing the number of security roles reduces administrative workloads and can streamline audit recertification campaigns. RBAC also helps eliminate access assignments that have been directly assigned to users rather than assigned through their role. EmpowerID’s Role Mining engine identifies these opportunities for optimization and can eliminate redundant direct assignments. Security becomes more manageable and the organization’s risk profile is minimized.
Role Administration
EmpowerID includes a powerful, 3-tiered role model that combines the structured approach of traditional RBAC with the dynamic flexibility of attribute-based access control (ABAC). These policies extend to control access to all of your systems, so you don’t have to grant native permissions. EmpowerID uses this same authorization model to control management of its own roles and policies. Designated security architects can design enterprise-wide role-management policies while role owners are able to manage membership of their roles. All activities are audited, logged and tracked and can be subject to workflow approval rules.
Dynamic Role Automation
Each internal and external user identity has a lifecycle, and their roles and responsibilities change often. Some experts estimate internal turnover as high as 20+% per year, creating high volumes of role churn. EmpowerID monitors your authoritative HR systems to detect these changes in a person’s job title and location. These changes can be set up to trigger query-driven and mapping-driven policies that adjust the user’s role assignments in EmpowerID to control their access across all managed systems.
Role Self-Service Shopping
EmpowerID brings a shopping cart experience to the role access request process. Users simply search for the roles or access they need and add them to their cart. Managers may shop for multiple direct reports at the same time and submit a bulk request to save time. Requests even include the ability to request temporary access, with specified start and end times for the role. When a user is done shopping, they submit their request and the EmpowerID workflow engine manages the approval process. The EmpowerID workflow engine determines from your organizational hierarchy and rules which items need approval, how many approvals are needed, and who must approve each. Requests are automatically routed for approval, and their status is tracked in a business-user friendly interface. All participants are kept informed by email notifications, and all requests, decisions and associated fulfillment actions are recorded and integrated into the access recertification process.
Role Recertification and Risk Management
EmpowerID manages the entire role lifecycle including periodic recertification and risk management. Built-in recertification policies snapshot the members for each role and the access roles grant, so role audits are quick and easy. This also generates an audit trail that covers all role management activities from self-service access requests to delegated role administration. Risk-based separation of duties policies allow administrators to define, detect, and remedy toxic combinations of roles if discovered.
Real-Time Authorization
The EmpowerID authorization engine leverages Big Data technology to recalculate the total access for each person continuously. EmpowerID uses the net result of a person’s direct and inherited access to control their group membership in on-premise and Cloud systems. This compiled access information, when combined with flexible, attribute-based policies, forms the core of EmpowerID’s external authorization engine for application developers.
Analytics and Alerting
EmpowerID brings intelligence and in-depth visibility to an organization’s role management efforts. The Identity Warehouse becomes the hub for all role management activities as it provides valuable insights. The Identity Warehouse can quickly tell administrators who is a member of which roles, which access each role grants, when (and by whom) access was granted, whether access was sent for approval, who manages each role, and when the access was last certified. EmpowerID displays hundreds of built-in statistics, metrics, and risk scores in user-friendly dashboards. Administrators get visibility into how your roles are changing, and where the greatest risk lies. A large library of out-of-the-box reports keeps everyone up to date.