Role Engineering or Role Mining



Every organization uses some model to manage access to its resources and assets, and RBAC is the best-known and most widely adopted model for this purpose. RBAC, i.e. Role Based Access Control, simplifies the management of access to resources and assets. In the RBAC model, all permissions/access are tied to roles rather than to individual users. Controlling access through roles reduces the administrative burden on security practitioners. Here are a few key benefits of the RBAC model:

Key Benefits:

  • Reduces the number of access requests and approvals
  • Improves the end-user experience
  • Enhances security
  • Very helpful in implementing birthright access
  • Improves productivity
  • Simplifies user access re-validation (certification)
  • Builds the foundation for implementing separation of duties


Sometimes it becomes difficult to implement RBAC in large organizations, as every organization has its own set of resources, permissions, job functions, policies and controls. Identifying the right roles for an organization is a large and important task, and this task of identifying roles is known as Role Engineering. Role Engineering is also known as Role Mining or Role Discovery. Role Engineering is the process of discovering relationships between access permissions and users or job functions which can be grouped together to form a role.

There are three approaches to Role Engineering:

  • Top-Down Approach: Roles are defined starting from the organization's business structure (job functions, departments and similar attributes)
  • Bottom-Up Approach: Roles are defined starting from the existing access assignments of a specific application or system
  • Hybrid Approach: Roles are defined using a combination of the two approaches above

Earlier, Role Engineering was a manual process: data owners exported the access data into an Excel sheet to analyze it and define the roles. Nowadays most organizations have implemented IDM products like Oracle Identity Analytics, SailPoint IdentityIQ, CA IDM etc. Because these IDM products are in use, they hold up-to-date access data, which is a prerequisite for performing the Role Mining process. These IDM products come with OOTB Role Mining capabilities, but custom algorithms can be implemented based on organizational needs. Here is the process these products use for defining the roles in an organization:

  • Setting the Role Engineering attributes
  • Creating and running the Role Engineering process
  • Analyzing the Role Engineering results
  • Configuring and saving the role definitions
  • Setting the metadata for the roles

In the above steps, setting the Role Engineering attributes is the key step, because it sets the base and builds the logic for the entire Role Mining process. If we want to perform Role Mining for an application, first we need the access data for that application. Second, we need to define some parameters, such as Job Title, Job Function, Department, User Type, Manager, Job Level etc., that the process uses to find/discover the relationships. Once steps 1 and 2 are complete, the IDM product executes the Role Mining task and shares the results.
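To make the two discovery directions and the "attributes first, then mine" workflow concrete, here is a small worked example. It is added for illustration and is not the algorithm of any of the IDM products named above; the user records, HR attributes and entitlement names (PayrollApp-style strings such as payroll_view) are constructed. The top-down function groups users by the chosen attributes (here Department and Job Title) and keeps the entitlements most of the group holds; the bottom-up function ignores attributes and looks only at which entitlement sets are shared by several users. A third helper lists the access a member holds beyond the proposed role, which is exactly what a re-validation (certification) campaign would put in front of the data owner.

```python
"""Toy role-mining example (added illustration, not a vendor product's algorithm).

Constructed input: a small user/entitlement table plus HR attributes.
Demonstrates:
  * top-down mining: group users by HR attributes and keep the entitlements
    that at least `min_support` of the group members hold;
  * bottom-up mining: derive candidate roles purely from shared entitlement sets;
  * exception reporting: entitlements a member holds beyond the mined role.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample data: HR attributes and application entitlements per user.
USERS = {
    "u1": {"dept": "Finance", "title": "Analyst"},
    "u2": {"dept": "Finance", "title": "Analyst"},
    "u3": {"dept": "Finance", "title": "Analyst"},
    "u4": {"dept": "Finance", "title": "Manager"},
    "u5": {"dept": "HR", "title": "Analyst"},
    "u6": {"dept": "HR", "title": "Analyst"},
}
ENTITLEMENTS = {
    "u1": {"payroll_view", "report_run"},
    "u2": {"payroll_view", "report_run"},
    "u3": {"payroll_view", "report_run", "payroll_approve"},  # extra access outside the peer group
    "u4": {"payroll_view", "report_run", "payroll_approve", "payroll_edit"},
    "u5": {"hr_view", "report_run"},
    "u6": {"hr_view", "report_run"},
}


def mine_top_down(users, entitlements, keys, min_support=0.8):
    """Group users by the attribute keys (the 'Role Engineering attributes');
    propose one role per group containing every entitlement held by at least
    min_support of that group's members."""
    groups = defaultdict(list)
    for uid, attrs in users.items():
        groups[tuple(attrs[k] for k in keys)].append(uid)
    roles = {}
    for group_key, members in groups.items():
        counts = defaultdict(int)
        for uid in members:
            for ent in entitlements.get(uid, ()):
                counts[ent] += 1
        perms = {e for e, c in counts.items() if c / len(members) >= min_support}
        if perms:
            roles["_".join(group_key)] = {"members": sorted(members), "permissions": perms}
    return roles


def mine_bottom_up(entitlements, min_users=2, min_size=2):
    """Find entitlement sets shared by at least min_users users without using any
    HR attributes. Candidates are pairwise intersections of user entitlement sets;
    a candidate is dropped if a strict superset of it has exactly the same holders."""
    candidates = set()
    for a, b in combinations(entitlements.values(), 2):
        inter = frozenset(a & b)
        if len(inter) >= min_size:
            candidates.add(inter)
    found = []
    for cand in candidates:
        holders = sorted(u for u, ents in entitlements.items() if cand <= ents)
        if len(holders) >= min_users:
            found.append((cand, holders))
    maximal = [(c, h) for c, h in found
               if not any(c < c2 and h == h2 for c2, h2 in found)]
    # most widely held candidate first; deterministic tie-break on entitlement names
    return sorted(maximal, key=lambda r: (-len(r[1]), sorted(r[0])))


def role_exceptions(role, entitlements):
    """Per member, the entitlements held beyond the role: the items a
    re-validation (certification) campaign would ask the data owner to confirm."""
    extras = {}
    for uid in role["members"]:
        diff = entitlements.get(uid, set()) - role["permissions"]
        if diff:
            extras[uid] = diff
    return extras


if __name__ == "__main__":
    for name, role in mine_top_down(USERS, ENTITLEMENTS, ("dept", "title")).items():
        print(name, sorted(role["permissions"]), "exceptions:", role_exceptions(role, ENTITLEMENTS))
    for perms, holders in mine_bottom_up(ENTITLEMENTS):
        print("bottom-up candidate", sorted(perms), "held by", holders)
```

With these inputs the top-down pass proposes Finance_Analyst = {payroll_view, report_run} and flags u3's payroll_approve as an exception, while the bottom-up pass surfaces the same Finance set plus {hr_view, report_run} and a smaller {payroll_approve, payroll_view, report_run} group; comparing the two views is what the hybrid approach amounts to in practice. The min_support threshold is the kind of tunable parameter the text calls a Role Engineering attribute: set it too low and outliers' extra access is baked into the role, too high and small, legitimate variations fragment into many roles.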

Role Engineering is not a one-time task; rather, it is an ongoing activity which helps organizations gain better control over their resources and assets. It was also proven that defining only high-level roles with basic access/permissions does not deliver the expected business benefits. Role Engineering, with any of the approaches (Top-Down, Bottom-Up or Hybrid), is a key cornerstone of RBAC.