Role Mining- how can it help us and what are the downsides 

Published by IDVKM on

Motivation

We can all agree that the current state-of-the-art access control mechanism is the role-based one, especially when it comes to access rights in an enterprise. As the name suggests, access rights (also called entitlements) are bundled into roles, which can then be assigned to human or non-human identities inside the enterprise. While this is the best way to manage access governance in an enterprise, it has one significant drawback: the role must be defined first, keeping in mind at least three aspects:

1. Which identities would possibly get the role assigned?

2. Which entitlements would be bundled into this role?

3. Which other roles are incompatible with this one (Segregation of Duties)?

Now the first two aspects can make the job a bit tricky for one very simple reason.

Unless the company started today, which is unlikely, there are already some (or most probably a lot of) entitlements that are assigned directly to someone. So, if you have already mapped identities or users directly to entitlements (an extremely bad practice), how do you put the roles in between them? Is there any (semi-)automatic way?

Actually, there is, and it is called Role Mining.

How does it work?

Modern IGA solutions use Artificial Intelligence to extract the current mappings of users and entitlements. There are a few steps to be followed:

1. Identify the applications from which the entitlements should be mined.

2. The IGA tool examines the entitlements and the users mapped to them.

3. The algorithm finds similarities between those users and suggests bundling their shared entitlements into a role.

4. The algorithm offers some fine-tuning of attributes.
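As an added illustration (not code from the original post or from any IGA product), here is a minimal version of steps 2 and 3 in Python over a constructed export of direct assignments, with the Segregation-of-Duties check from the third aspect above applied to each suggested role. The user names, entitlement names and the conflict rule are all made up.

```python
# Constructed sample export: direct user -> entitlement mappings, as an IGA
# tool would pull them from the applications chosen for mining (steps 1-2).
DIRECT_ASSIGNMENTS = {
    "alice": {"erp:ap_invoice_entry", "erp:ap_view", "crm:read"},
    "bob":   {"erp:ap_invoice_entry", "erp:ap_view", "crm:read"},
    "carol": {"erp:ap_invoice_entry", "erp:ap_view", "erp:ap_payment_release"},
    "dave":  {"erp:ap_invoice_entry", "erp:ap_view", "erp:ap_payment_release"},
    "erin":  {"crm:read", "crm:write"},
    "frank": {"crm:read", "crm:write"},
}

# Constructed Segregation-of-Duties rule: entering an invoice and releasing
# its payment must not sit with the same identity (aspect 3 in the text).
SOD_CONFLICTS = [("erp:ap_invoice_entry", "erp:ap_payment_release")]


def mine_roles(assignments, min_users=2, min_entitlements=2):
    """Step 3: suggest a role for each entitlement set shared by several users.

    Candidates are the intersection closure of the users' entitlement sets
    (each user's set plus every pairwise intersection, repeated to a fixpoint),
    so each candidate is exactly what some group of users has in common.
    Returns {frozenset(entitlements): sorted holder names}.
    """
    candidates = {frozenset(ents) for ents in assignments.values()}
    while True:
        new = {a & b for a in candidates for b in candidates} - candidates
        if not new:
            break
        candidates |= new
    roles = {}
    for role in candidates:
        holders = sorted(u for u, ents in assignments.items() if role <= ents)
        if len(role) >= min_entitlements and len(holders) >= min_users:
            roles[role] = holders
    return roles


def sod_violations(role, conflicts=SOD_CONFLICTS):
    """Conflicting pairs a candidate role would bundle together: mining alone
    would turn an existing toxic combination into an approved role."""
    return [(a, b) for a, b in conflicts if a in role and b in role]


if __name__ == "__main__":
    for role, holders in mine_roles(DIRECT_ASSIGNMENTS).items():
        flag = " <- SoD conflict" if sod_violations(role) else ""
        print(sorted(role), "->", holders, flag)
```

With this input the miner suggests four roles, and the accounts-payable bundle held by carol and dave is flagged because it would codify the invoice-entry/payment-release conflict rather than remove it.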

When can that be useful?

When you have a legacy access management setup with a lot of directly assigned permissions, it can be a good starting point and a reference.

What to keep in mind?

Simply using role mining would automate the current status quo, cementing the existing bad practices.

Far better is to have a role concept that analyses the current organization and current assets and can determine job and IT roles. This concept can then be implemented with modern IGA solutions and state-of-the-art tools.
