In this section, we look at the following:
- Role Mining and Optimization: delivering position appropriate access in accordance with your organization’s risk policies is critical for compliant access.
- Leverage Existing Sources of Business Role Information: this is the starting point and will involve your HR, HCM, Active Directory or other authoritative system.
- “Top Down Analytical” Role Mining: this technique is unique to EmpowerID and is used to optimize access based on what a user does (their business function) within your organization.
- Bottom Up Role Mining: EmpowerID uses this and Role Mining Campaigns to create and optimize combinations of people and entitlements (or candidate roles).
- Streamline Recertification: manual recertification is not only time-consuming, but error-prone. Automating this with EmpowerID can reduce the number of direct assignments by approximately 80%.
- Role Modeling Inbox: one of the many advantages of EmpowerID is the capability to connect to, and work with, a multitude of systems. The Role Modeling Inbox allows anyone or anything to integrate their external roles and access management.
Role Mining and Optimization
Compliant Access by design is the capability to map out the following in advance:
- Position appropriate access for employees, partners, and customers.
- The risk policies that will measure and ensure continued compliance.
Unfortunately, defining position appropriate access for a large organization can be a huge and daunting task.
It can also lead to unavoidable project delays. However, not having such guidelines forces IT organizations to resort to costly and inefficient manual processes which often create security vulnerabilities.
EmpowerID’s Role Mining engine solves this challenge by intelligently scanning your organization and then recommending an optimal initial set of roles.
This initial set is based on the combination of your organization’s existing HR job position data as well as existing access assignments.
These initial roles then evolve as your business environment changes, e.g. with reorganizations, mergers and acquisitions, role changes, etc.
All the while, EmpowerID’s role optimization functionality manages all aspects of role management, ensuring that roles always adhere to Zero Trust and only ever grant optimal least privilege access.
Leverage Existing Sources of Business Role Information
The starting point for many EmpowerID projects is to establish business roles and organizational locations.
The best sources for this data are usually your HR or Human Capital Management system (HCM), and Active Directory.
One major advantage of EmpowerID is that it comes with a wide range of out-of-the-box connectors for such systems.
To get an initial analysis rolling, EmpowerID connects with your HR system, such as Workday, SuccessFactors, or SAP HCM. (Each of these systems maintains a rough organization structure and details of employee positions.)
EmpowerID then inventories these “external roles” and locations, and obtains information about user assignments.
Once this data resides within the EmpowerID system, it generates an initial business role and organization location tree for “top down analytical” role mining analysis.
To ensure continuous Compliant Access delivery, this information becomes a key driver once roles are defined and access policies are assigned.
Subsequent changes in the authoritative system will trigger reevaluation and adjustment of Compliant Access for each user, without any laborious or expensive manual administration.
In addition, during role design, EmpowerID performs Separation of Duties (SoD) simulations to ensure any proposed roles have no inherent SoD conflicts.
“Top Down Analytical” Role Mining
After years of analyzing organizations’ security models and sources of data, EmpowerID invented the “Top Down Analytical” Role Mining technique.
Compliant Access requires that user entitlements are appropriate for their position.
Top Down Analytical Role Mining facilitates this by leveraging 3 areas:
- The rough outline of an organization’s existing business roles.
- The knowledge about which users occupy those positions.
- Their whereabouts in the company, i.e. their department, location, etc.
Primarily, “Top Down Analytics” optimizes access based on what a user does within the organization.
For organizations with HR systems, the only maintained source for employee position information is that HR system itself.
Like any invaluable data source, it needs updating as users change jobs, locations, and roles.
The Top Down Analytical Process
First, EmpowerID takes a snapshot of this data to determine roles and role-based access policies.
Next, EmpowerID inventories all the entitlements and access assignments for each user in every system (not just in your HR system).
Following this, EmpowerID uses a sophisticated analytical technique to optimally fit existing user access assignments onto the business role and location tree.
Fourth, once the optimal matches are identified, they can be published as role-based assignments automated by your HR data.
Finally, EmpowerID then maintains changes on an ongoing basis.
Bottom Up Role Mining
After completing Top Down role mining, much of each user’s access will be optimized, delivered, and then controlled via your business roles.
The remaining unoptimized access will consist of less structured team or matrix-based access and exceptions.
This access can then be optimized using “Bottom up” analytical role mining.
Bottom up role mining is a multi-step process that involves creating, running, and analyzing “Role Mining Campaigns”.
Role Mining Campaigns analyze entitlements and user data using powerful machine learning algorithms to produce optimal "candidate roles". Candidate roles are combinations of people and entitlements.
These combinations are then further analyzed and are either accepted by the organization as being accurate, or they are further manipulated to create subsets of those combinations.
Once candidate roles are accepted, they can be published as standalone management roles, mapped to business roles and locations, or they can be used to create new business roles and locations.
Streamline Recertification
Role Mining and Optimization assists organizations by minimizing the number of security roles, reducing administrative workloads, and streamlining audit recertification campaigns.
Without role optimization, your managers are faced with the daunting task of certifying hundreds of individual technical entitlements per direct report.
A role optimization program can reduce the number of direct assignments by 80% and present managers with a compact list of business-friendly roles to certify.
More importantly, your organization’s security becomes more manageable and your risk profile is minimized.
Role Modeling Inbox
For organizations working with consultants and role modeling tools, EmpowerID’s Role Modeling Inbox allows anyone to integrate their external roles and access management.
It does this by providing a set of inboxes into which roles and access changes can be published.
EmpowerID then uses configurable rules to determine if these upstream decisions are automatically actioned or need to go through workflow approval processes first.