
RSA Identity Management and Governance

Business Role Manager Guide V6.9

Notice

Contact Information

Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm. For sales information, contact RSA Aveksa, Inc. at [email protected]. For technical support, contact RSA Aveksa, Inc. at [email protected]. For more information about RSA Aveksa, Inc., visit http://www.aveksa.com.

Trademarks

RSA, the RSA Logo, Aveksa, and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed by launching the RSA Aveksa product and selecting the About menu.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2014 EMC Corporation. All Rights Reserved. Published in the USA.

July 2014

Contents

Preface . . . 5
  Audience . . . 5
  How This Guide Is Organized . . . 5
  Text Conventions . . . 6
  Related Documents . . . 6

Chapter 1: Introduction . . . 7
  The Impetus for Role Management . . . 8
  Business Role Manager Features . . . 8
    Support for Different Role Types . . . 8
    Decentralized Role Management . . . 8
    Role Engineering Options . . . 9
    Role Lifecycle Management . . . 9
  Guidelines for Engineering Roles . . . 10
    Considering Role Frameworks . . . 10
    Best Practices Principles . . . 11

Chapter 2: Configuring Role Management Settings . . . 13
  About Business Role Manager Configuration . . . 14
  Configuring Role Type Design Policies . . . 15
  Configuring Role Management Options . . . 15
  Modifying Role Export Fulfillment Handler Settings . . . 17

Chapter 3: Working with Roles . . . 19
  Creating Roles . . . 20
  Applying and Reverting Changes to Roles . . . 21
    Apply Changes to a Role . . . 21
    Revert Changes to a Role . . . 22
  Adding Members to Roles . . . 22
    Configure Membership Rules . . . 22
    Select Users to Add to a Role . . . 23
    Select Suggested Members to Add to a Role . . . 24
  Adding Entitlements to Roles . . . 25
    Select Entitlements to Add to a Role . . . 26
    Select Suggested Entitlements to Add to a Role . . . 26
  Discovering Roles . . . 27
    Discover Roles Based on User Attribute Values . . . 28
    Discover Roles Based on User-Entitlement Clusters . . . 29
    Discover Roles Based on Entitlement Attribute Values . . . 30
  Managing Roles . . . 30
    Edit a Role's Profile . . . 31
    Working with Role Actions . . . 31
    Working with Role Analysis . . . 36
    Managing Access Privileges to Roles . . . 39
  Viewing Roles . . . 40
    Viewing Role Details . . . 41
  Viewing Role Analytics . . . 42
  Exporting and Importing Roles . . . 44
    Export Roles . . . 44
    Import Roles . . . 45

Chapter 4: Role Engineering with Role Sets . . . 47
  About Role Sets . . . 48
    About Role Sets and Resource Profiles . . . 48
    About Automatic Fulfillment of Change Requests for Roles in a Role Set . . . 48
    About Access Control and Role Sets . . . 49
  Viewing Role Sets . . . 49
    Viewing Role Set Details . . . 50
  Creating Role Sets . . . 51
    Create a Single Role Set . . . 51
    Create Multiple Role Sets . . . 53
  Viewing Role Set Analytics . . . 54
  Customizing Request Workflows for a Role Set . . . 56
    Customize Submission Form Information for a Role Set . . . 56
    Associate an Approval or Fulfillment Workflow to a Role Set . . . 57
  Managing Role Sets . . . 58
    Modify a Role Set . . . 58
    Delete a Role Set . . . 58

Index . . . 59


Preface

Audience

This guide is intended for RSA Identity Management and Governance (RSA IMG) users authorized to view, develop, and manage roles in your organization. Users should have at least a basic understanding of access governance and role management concepts, and of how roles are or should be implemented in their organization to maintain compliance with regulatory and security policies.

Note: You require a license to access Business Role Manager. Contact an RSA sales representative for more information.

How This Guide Is Organized

This guide is organized as follows:

• Chapter 1, “Introduction,” on page 7 provides an overview of Business Role Manager features and role management concepts.

• Chapter 2, “Configuring Role Management Settings,” on page 13 explains how to configure Business Role Manager features.

• Chapter 3, “Working with Roles,” on page 19 explains how to create, manage, and view roles and export and import roles.

• Chapter 4, “Role Engineering with Role Sets,” on page 47 explains how to create, manage, and view role sets.


Text Conventions

This guide uses the following text conventions (element, convention used, example):

• Variables (the user supplies a value for the variable): Courier and Italic in angle brackets (<>). Example: Enter the following: DISPLAY=<workstation name>:0.0 export display

• On-screen text: Courier. Example: The following line displays: path="/audit"

• User-typed text: Courier. Example: Enter the following path name: /etc/init.d/

• Cross-references: Underlined and hypertext-blue. Example: See "Related Documents" on page 6.

• References to documents (title and number): Italic. Example: Installation Guide

Related Documents

• Installation and Upgrade Guide

• Database Setup and Management Guide

• Installation and Upgrade on WebSphere Guide

• Installation and Upgrade on WebLogic Guide

• Administrators Guide

• User Tasks Guide

• Collectors Guide

• Access Request Manager Guide

• Data Access Governance Guide

• Access Fulfillment Express Guide

• Access Fulfillment Express Connector Configuration Guide

• Public Database Schema Reference

• Novell Identity Manager Integration Guide

• Sun Identity Manager Integration Guide

• IBM Tivoli Identity Manager Integration Guide

• Onboarding Cloud Applications Guide


Chapter 1: Introduction

Content

• “The Impetus for Role Management” on page 8

• “Business Role Manager Features” on page 8

• “Guidelines for Engineering Roles” on page 10


The Impetus for Role Management

Enterprise role management allows organizations to verify and enforce regulatory mandates and to audit the effectiveness of user access policies. Role management facilitates business and IT policy alignment by helping you translate business policy into technical IT controls such as separation-of-duty rules. With reporting and identity analytics capabilities, you have easy access to a variety of audit data and compliance metrics.

Role management is a critical component in addressing governance and compliance requirements for user access to mission-critical applications and data. Roles support compliance by aligning access privileges to user job functions within the organization and by providing business context to lower-level entitlements and permissions, which need to be reviewed by business managers and compliance staff.

Business Role Manager’s role lifecycle management features let you create, enforce, and verify role-based access across enterprise applications. Aggregating user access privileges under roles lets you improve entitlement management and ensure that access rights adhere to business and regulatory policies. Ensuring adherence to these policies requires that business managers and auditors review and certify that user access privileges are appropriate within the organization. Business Role Manager enables you to identify policy violations and inappropriate access and to take corrective actions when necessary.

Business Role Manager Features

Business Role Manager provides a complete set of role management tools.

Important: The RSA IMG Rules module must be implemented on the system to provide decision support rules for role engineering. All content related to rules and violating access in this guide is applicable only if the module is implemented on the system. Consult your RSA IMG administrator for more information.

Support for Different Role Types

A role represents a group of users or entitlements or both. Business Role Manager enables you to create and manage the following role types:

• Business Roles — Includes users and typically includes technical roles as entitlements via a hierarchical parent role relationship with technical roles.

• Technical Roles — Includes entitlements and are typically child roles to business roles.

• Global Roles — Includes both users and entitlements.

Decentralized Role Management

Business Role Manager enables diverse line of business and IT personnel to participate in all aspects of the role development, management, and deployment process to whatever degree is required to maintain an effective role-based access management system for your organization. Decentralization of role management enables your organization to delegate role management responsibilities to the personnel in your organization who understand the business requirements of their direct reports and thus by extension their resource access requirements.


Any supervisor or line of business manager or any other user can be delegated the following role management responsibilities:

• Role Owner — The user responsible for defining, managing, and monitoring a role throughout a role’s lifecycle.

• Backup Owner — The user responsible for defining, managing, and monitoring a role throughout a role’s lifecycle in the event that the role owner cannot maintain oversight.

• Role Set Manager — The user responsible for defining, managing, and monitoring a role set. (A role set, as the term indicates, is simply a set of roles with features that enable roles to be efficiently managed as a group.)

Business Role Manager also provides role managers the ability to delegate varying levels of role monitoring and management privileges to other users on an as-required basis. This flexible access security model enables anyone in your organization to become stakeholders and participants in your organization’s role management system.

Role Engineering Options

Business Role Manager role engineering tools enable you to explicitly define roles or derive roles based on existing user attribute, entitlement attribute, or user-entitlement association criteria. Business Role Manager lets you engineer roles using the following approaches:

• Bottom-Up — Roles are derived from common user-entitlement associations for a particular group of users.

• Top-Down — Roles are derived from user-entitlement associations typically related to a business function or organization, or business managers can simply define by fiat the roles they want for the business functions or organization they control.

• Hybrid — Roles are derived using a combination of bottom-up and top-down approaches. Candidate roles mined by the bottom-up approach can be revised to meet top-down business objectives. Those defined by the top-down approach can be revised according to the roles discovered by the bottom-up approach.

Role Lifecycle Management

Business Role Manager role lifecycle management features enable you to adapt roles to the ever-changing access requirements in your organization. As business units are consolidated and expanded, as the employee base expands or contracts, and as applications are added and removed, your organization’s role management infrastructure must change as well to maintain compliance with regulatory and security policies. Business Role Manager role lifecycle management features include:

• Role quality statistics that indicate whether roles meet the standards — the minimum number of user members and entitlements in a role for example — you specify for your roles. When, for example, membership or entitlements falls below the thresholds, Business Role Manager generates a quality metric that indicates that the role does not meet standards and may require re-engineering.

• Role sets, which are essentially role mining and role customization workshops, enable you to engineer and deploy multiple roles derived on the basis of user attributes, entitlement attributes, and clusters of user-entitlement associations.


Business Role Manager lets role designers create single role sets and also multiple role sets in a single operation that can be delegated to line of business managers for their particular role management requirements. All roles, whether collected by role data collectors (which also must be associated with a role set) or created and managed in Business Role Manager must be contained in a role set.

• Role membership and entitlement rules specify what role designers can do with roles of each role type (business, technical, global). These globally applied rules, or policies, can be overridden in each role set.

• Role discovery features enable role designers to specify user attribute, entitlement attribute and user-entitlement cluster criteria that Business Role Manager uses to mine roles.

• Role action features enable role designers to combine and split roles, copy and delete roles, enable and disable roles, revert and commit changes to roles, and create a role hierarchy by designating a common parent role for one or more roles.

• Role analysis features suggest which users and entitlements to add to roles, which roles to combine and delete, and which users and entitlements to add to and remove from roles based on user-entitlement associations and similarities.

• Role export enables you to generate an XML file containing role definitions that you upload into your provisioning system. You can then collect the roles with an RSA IMG role collector on an ongoing basis to determine whether they meet role quality standards.

• The RSA IMG Rules module lets you configure rules that detect variances in role standards, role entitlements, and role memberships. User access and separation of duty rules provide proactive rule violation notification when these rules would be breached during role configuration operations.

• RSA IMG reviews enable role owners to review role data and certify that roles and their entitlements are granted to the appropriate individuals in your organization.

• RSA IMG reports provide visibility into various aspects of user entitlements, application-specific entitlements, and roles.

Guidelines for Engineering Roles

This section provides some guidelines for conceptualizing role frameworks and best-practices guidelines for engineering quality roles that meet your access governance and compliance objectives.

Considering Role Frameworks

Before you begin engineering roles, you should consider the framework for roles that will serve both as the basis for the definition of new roles (mined or explicitly created) and for the potential revision and reorganization of any existing roles that can be collected from your organization’s data sources by RSA IMG role collectors. A framework should be derived from your perception of how users and their entitlements are or should be categorized in the organization.

Potential organizational frameworks include:

• Affiliation (engineering, finance, accounts)

• Function (CFO, order processor, payroll assistant)


• Location (Boston, building 2, northeast region).

A framework based on a security model might include a set of roles that provide graduated levels of access to sensitive data:

• Client data – Read All

• Client data – Read Contact Info Only

Regardless of the framework’s type, it must at least support your primary access governance objectives, be perceived as meeting a commonsense standard by role stakeholders who will manage and certify the roles abstracted from it, and be flexible and scalable enough to adapt to changes in the organization.

Best Practices Principles

If roles are to support your access governance objectives, then they should be based on the following best-practices role management principles:

A role should include the maximum number of entitlements and users

Although there are no practical limitations on how few or how many entitlements and users you can aggregate in a role, each role should cover the maximum number of entitlements and users possible under the circumstances in which the role is used. For example, it would be a violation of the maximization principle to define two roles that each aggregate a set of entitlements and assign the two roles to all members of a particular user population when the entitlements could instead be safely aggregated under one role that could be assigned to all the members. Assuming that the other guiding principles of least privilege and separation of duty are observed, it is more efficient to define one role that provides only the entitlements an entire user population requires to do their jobs than it is to define two roles to meet the same requirement.

A role should provide the least amount of privileges necessary

The least privilege principle requires that a role should provide only those access privileges that enable users assigned the role to do their jobs. A role that enables users to perform a transaction on an organization resource they are not authorized to perform is a violation of the least privilege principle. Engineering roles that enforce the least privilege principle helps ensure data security in an organization. If users can access sensitive or mission-critical resources their jobs do not require them to access, security is undermined. For example, a user population is assigned a role with six entitlements that meet legitimate job requirements. The role also includes a seventh entitlement that not one user’s job responsibilities require them to have. In this case, the role violates the least privilege principle. That extraneous entitlement covered by the role in this example should be removed from the role and included in a more appropriate role that should be assigned only to users who must have the entitlement to do their jobs.

A role should adhere to segregation of duty requirements

The segregation of duty (SoD) principle requires that one or more roles not include a set of entitlements to a particular resource that would enable the users assigned the role(s) to perform all transactions with a resource. Segregation of duty requirements typically apply only to those resources that an organization deems vulnerable to fraudulent activities or resources that provide access to highly sensitive data.

An SoD requirement would probably not apply to a role or to two roles that provided users covered under it the ability to both view and edit their business unit wiki.


A typical SoD requirement might dictate that no single user should have the privileges of requesting and authorizing a cash disbursement. In other words, no role should accommodate both transaction privileges and no group of roles should be assigned to users that would enable them to perform both transactions. You must specify your SoD and compliance requirements before you begin engineering roles.
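The following Python script is an added example, not code from this guide or from RSA IMG. It checks a constructed set of roles (all names, users, entitlements and the request/authorize disbursement rule are made up for illustration) against the three principles above: roles with identical memberships that could be combined (maximization), entitlements no member's job requires (least privilege), and SoD conflicts both within a single role and across a user's combined role assignments.

```python
"""Checks for the three role-engineering principles in this section:
maximization (combinable roles), least privilege and segregation of duty.
Added example, not RSA IMG or Business Role Manager code; all role, user
and SoD data below is constructed for illustration."""
from itertools import combinations

# Constructed roles: name -> (member users, entitlements).
ROLES = {
    # carries hr:view_salary, which no member's job requires (least privilege)
    "AP Clerk": ({"alice", "bob"},
                 {"ap:view_invoice", "ap:enter_invoice",
                  "ap:request_disbursement", "hr:view_salary"}),
    # same members as AP Clerk, so a candidate for combining (maximization)
    "Invoice Viewer": ({"alice", "bob"}, {"ap:view_invoice"}),
    "Treasury Approver": ({"bob", "carol"},
                          {"ap:view_invoice", "ap:authorize_disbursement"}),
    # one role accommodating both halves of the SoD pair
    "AP Manager": ({"dave"},
                   {"ap:request_disbursement", "ap:authorize_disbursement"}),
    "Wiki Editor": ({"alice", "carol"}, {"wiki:view", "wiki:edit"}),
}

# Constructed job requirements: what each user's job actually needs.
REQUIRED = {
    "alice": {"ap:view_invoice", "ap:enter_invoice", "ap:request_disbursement",
              "wiki:view", "wiki:edit"},
    "bob": {"ap:view_invoice", "ap:enter_invoice", "ap:request_disbursement",
            "ap:authorize_disbursement"},
    "carol": {"ap:view_invoice", "ap:authorize_disbursement",
              "wiki:view", "wiki:edit"},
    "dave": {"ap:request_disbursement", "ap:authorize_disbursement"},
}

# SoD rule from the text: nobody may both request and authorize a disbursement.
SOD_RULES = [("ap:request_disbursement", "ap:authorize_disbursement")]


def combinable_roles(roles):
    """Maximization: pairs of roles assigned to exactly the same users could be
    one role (still subject to the least-privilege and SoD checks below)."""
    return sorted(
        (a, b) for a, b in combinations(sorted(roles), 2)
        if roles[a][0] == roles[b][0]
    )


def least_privilege_violations(roles, required):
    """Entitlements a role grants that no member's job requires.
    Returns {role: sorted extraneous entitlements} for offending roles only."""
    out = {}
    for name, (members, ents) in roles.items():
        needed = set().union(*(required.get(u, set()) for u in members))
        extra = sorted(ents - needed)
        if extra:
            out[name] = extra
    return out


def sod_violations_in_roles(roles, rules):
    """Single roles that include both halves of an SoD pair."""
    return sorted(
        (name, a, b) for name, (_, ents) in roles.items()
        for a, b in rules if a in ents and b in ents
    )


def sod_violations_across_roles(roles, rules):
    """Users whose combined role assignments grant both halves of an SoD pair,
    with the roles contributing each half, so the conflict can be resolved.
    Returns sorted (user, a, b, roles_granting_a, roles_granting_b) tuples."""
    grants = {}  # (user, entitlement) -> set of role names granting it
    for name, (members, ents) in roles.items():
        for user in members:
            for ent in ents:
                grants.setdefault((user, ent), set()).add(name)
    users = {u for members, _ in roles.values() for u in members}
    return [
        (u, a, b, sorted(grants[(u, a)]), sorted(grants[(u, b)]))
        for u in sorted(users) for a, b in rules
        if (u, a) in grants and (u, b) in grants
    ]


if __name__ == "__main__":
    print("combinable:", combinable_roles(ROLES))
    print("least privilege:", least_privilege_violations(ROLES, REQUIRED))
    print("SoD within a role:", sod_violations_in_roles(ROLES, SOD_RULES))
    for v in sod_violations_across_roles(ROLES, SOD_RULES):
        print("SoD across roles:", v)
```

Note that bob's conflict is invisible to a per-role check: neither AP Clerk nor Treasury Approver violates the rule on its own, which is why the across-roles check is the one that matters for the "no group of roles" requirement.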


Chapter 2: Configuring Role Management Settings

Content

• “About Business Role Manager Configuration” on page 14

• “Configuring Role Type Design Policies” on page 15

• “Configuring Role Management Options” on page 15

• “Modifying Role Export Fulfillment Handler Settings” on page 17


About Business Role Manager Configuration

Business Role Manager configuration lets you specify the following global settings:

• Role type configuration policies — Lets you specify the default allowances and restrictions on the type of actions you and other role designers can perform for each role type. You can override global policy settings in a role set. For example, if a default policy setting for business roles does not allow entitlements to be added to business roles, you can override this restriction to allow entitlements for any business role you are authorized to manage. See Chapter 4, “Role Engineering with Role Sets,” on page 47 for more information.

• Role options — Lets you specify management targets, the baseline standards for role quality statistics calculations: maximum users and entitlements per role and the time interval from which role change rate data is calculated. It also lets you deactivate the “Suggested” members or entitlements option available by default for “Add Members” and “Add Entitlements” operations during a role editing session. (See Chapter 3, “Working with Roles,” on page 19 for information on “Suggested Members/Entitlements” role engineering operations.)

Suppressing the option enables you to require role managers to explicitly select the members or entitlements they want included in their roles. Moreover, it allows you to free system processing resources that would otherwise be consumed by “Suggested” operations in scenarios where the system is performing other mission-critical operations (such as, but not limited to, data collection, review generation, and rule processing).

You can also specify the set of characters that are invalid in role names. This enables you to comply with role naming restrictions for third-party provisioning systems that integrate with RSA IMG and to which you might export roles.

• Fulfillment Handler Export — Lets you edit the configuration settings for the IBM Tivoli Identity Manager (ITIM) fulfillment handler that processes role exports in the IBM Tivoli Identity Manager provisioning system.

- See “Exporting and Importing Roles” on page 44 for information on how to export roles to the ITIM provisioning system.

- See the IBM Tivoli Identity Manager Integration Guide for more information on configuring ITIM integration settings.

- See the Administrator Guide for more information on managing fulfillment workflows.

Note: This configuration option pertains only to RSA IMG and ITIM integration scenarios.

• Custom setting for role analysis — The default upper limit on the number of roles that RSA IMG considers during role suggestion operations (suggest users and suggest entitlements for example) is 5000 roles. This limit restricts Business Role Manager from consuming an inordinate amount of system resources that can affect overall RSA IMG performance. Business Role Manager displays a warning message informing users when an executed operation exceeds the limit, and it truncates the number of roles involved in the analysis operation to the default limit.


In some scenarios, however, you may want to forgo system performance considerations and increase this limit to complete critical role management operations. You can increase the limit by setting the value you require for the custom.RoleAnalysisLimit parameter in Admin > System > Settings > Custom. For example, under Custom you would specify a limit of 10,000 roles as follows:

Parameter                 Value
custom.RoleAnalysisLimit  10000

See “Specifying System Settings” on page 36 in the Administrators Guide for more information on working with system settings.

Configuring Role Type Design Policies

You can specify which role types role designers can create, the role engineering permissions and constraints for each role type, and whether designers can create role hierarchies.

To configure role type design specifications:

1. Click the Roles menu and select Configuration.

The Role Type Configuration window opens. It shows current configuration settings for business, technical, and global role types.

2. Click Edit.

3. Configure the following settings:

• Enabled — Select to enable designers to create and modify business/technical/global roles.

Note: Enabling a role type does not preclude role collection. However, entitlements and members cannot be added to roles once this setting is disabled.

• Select the Allow, Allow with warning, or Deny option for each setting you want to revise for each role type as required.

4. Click OK to save your settings.

Configuring Role Management Options

You can configure role management targets (or standards) that Business Role Manager uses to calculate role quality statistics for roles and role sets. Role management targets specify what you consider as an optimally designed role type in your system (for example, a role should have at least or no more than 50 members and 20 entitlements). Role quality statistics reveal whether roles fail to meet or exceed these standards.

You can also suppress the availability of the “Suggested Members/Entitlements” option for “Add Members/Entitlements” operations. Suppressing the option means that role managers must explicitly choose the members or entitlements they know they want to include in their roles (they do not require a suggestion option) and that system resources are freed up for other system operations that might otherwise be consumed by “Suggested” operations.

Parameter Value

custom.RoleAnalysisLimit 10000


See “Viewing Role Analytics” on page 42 for information on the role quality statistics referenced in this section.

To configure role management options:

1. Click the Roles menu and select Configuration.

The Role Configuration window opens. It shows current configuration settings for business, technical, and global role types.

2. Click Role Options.

3. Click Edit.

4. Configure the following role management target settings:

• Users Per Role — Enter the optimal number of users for a role. Business Role Manager uses this value to calculate the “Number of Users” statistic and the role quality value. If this value is met, 100% role quality is attained.

• Entitlements Per Role — Enter the optimal number of entitlements for a role. Business Role Manager uses this value to calculate the “Number of Entitlements” statistic and the role quality value. If this value is met, 100% role quality is attained.

• Frequency Window — Enter the number of days, weeks, months, or years of data used for calculating the “Membership Growth Rate” and “Membership Change Rate” statistics for the time period specified. Business Role Manager updates the rate statistics when roles are collected.

• Rate of Change Unit — Enter the time period for which a rate of change statistic is derived for the “Membership Growth Rate” and “Membership Change Rate” statistics.

5. Configure additional settings as required:

• Suppress suggestions during role editing — Lets you suppress the availability of the “Suggested Members/Entitlements” option for role engineering operations. You would suppress suggestions when you know exactly which members or entitlements to add to a role and do not require suggestions.

• Invalid Role Name Character Rules — Lets you specify the set of characters that are invalid in role names. This enables you to maintain compliance with role naming restrictions for roles that could possibly be exported to a third-party provisioning system. Third-party provisioning systems that integrate with RSA IMG have different restrictions on characters allowed in role names.

The two invalid character set options are:

- (Default) Novell character set: (< > , ; \ " + # = / | & *)

- Minimal character set: (< > ")

Business Role Manager does not allow you to create roles with names that include characters from the set you specify.
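The following is an added example, not RSA IMG code, showing the same check as a pre-export validation you could run over a batch of proposed role names. The two character sets are copied from the options above; the function names and the sample names are this example's own.

```python
# Added example, not RSA IMG code: a pre-export check for the two invalid
# character rules described in the guide. The sets below copy the guide's
# Novell and Minimal lists; the function names are this example's own.
NOVELL_INVALID = set('<>,;\\"+#=/|&*')   # (Default) Novell character set
MINIMAL_INVALID = set('<>"')             # Minimal character set

RULES = {"novell": NOVELL_INVALID, "minimal": MINIMAL_INVALID}


def invalid_characters(role_name: str, rule: str = "novell") -> list:
    """Return the distinct forbidden characters in role_name, in order of first appearance."""
    forbidden = RULES[rule]
    found = []
    for ch in role_name:
        if ch in forbidden and ch not in found:
            found.append(ch)
    return found


def is_valid_role_name(role_name: str, rule: str = "novell") -> bool:
    """True when the name contains none of the characters the selected rule forbids."""
    return not invalid_characters(role_name, rule)


def check_export_batch(role_names, rule: str = "novell") -> dict:
    """Map each rejected name to its offending characters, so a batch can be
    corrected before it is exported to a provisioning system."""
    return {name: invalid_characters(name, rule)
            for name in role_names if not is_valid_role_name(name, rule)}


# Constructed sample names (not from the guide)
SAMPLE_NAMES = ["Finance-AP-Clerk", "Sales/EMEA", 'HR "Managers"', "IT&Ops<Admin>"]

if __name__ == "__main__":
    for rule in RULES:
        print(rule, check_export_batch(SAMPLE_NAMES, rule))
```

Running the batch under both rules shows why the default matters: "Sales/EMEA" passes the Minimal set but is rejected by the Novell set, so a name accepted under the weaker rule can still be refused by the provisioning system it is exported to.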

6. Click OK.


Modifying Role Export Fulfillment Handler Settings

The fulfillment handler effects the role export to the IBM Tivoli (ITIM) provisioning system when ITIM is integrated with RSA IMG. You can modify all fulfillment handler settings as required to ensure that roles are successfully exported to ITIM. For example, if the platform URL changed for the provisioning system, you would be required to update the URL setting for the fulfillment handler.

To modify export role settings:

1. Click the Roles menu and select Configuration.

The Role Configuration window opens.

2. Click Fulfillment Handler Export.

3. Click Edit.

4. Modify settings as required, and then click OK.


Chapter 3: Working with Roles

Content

• “Creating Roles” on page 20

• “Applying and Reverting Changes to Roles” on page 21

• “Adding Members to Roles” on page 22

• “Adding Entitlements to Roles” on page 25

• “Discovering Roles” on page 27

• “Managing Roles” on page 30

• “Viewing Roles” on page 40

• “Viewing Role Analytics” on page 42

• “Exporting and Importing Roles” on page 44


Creating Roles

When you create a role, you can associate it with a role collector so that collected data provides the role entitlements, members, and other collected attribute values, or you can specify that a role is managed entirely within Business Role Manager.

Note: You can also create roles from the context of a role set as described in “Creating Role Sets” on page 51 and by various role engineering methods described in “Discovering Roles” on page 27 and “Managing Roles” on page 30.

To create a role:

1. Click the Roles menu and select Roles.

The Roles window appears. It lists all roles in the system.

2. Click Create/Discover and select Create.

The Create New Role window appears.

3. Configure the following settings under the General tab:

• Role Name — Enter a unique name.

• Role Type — Select the type of role: Business, Global, or Technical.

• Owner — Select the user who will be responsible for the maintenance of the role (the default is AveksaAdmin).

• Backup Owner (optional) — Select a user who will share responsibility for the maintenance of the role with owner.

• Role Collector (optional) — Select a role collector from the listbox if this role is going to be exported to an external system and subsequently collected from the system. You can create a role with or without a collector. Associating a role with a role collector restricts users and entitlements to those that the specified role collector has collected.

• Disabled — Accept the default No option if you do not want this role to be disabled throughout the system; otherwise, select Yes to disable the role. You can enable or disable a role at any time after it has been created.

• Role Set — Select a role set for the role from the Existing role set option, or create a role set for the role by entering a role set name in the New role set named box.

• Hierarchy — (This is an optional feature and an optional configuration setting that may not be available for the role type you are creating. Consult your Business Role Manager administrator for more information.) Click the Parent link to open a role selection box where you can choose one or more roles in which you want to subsume this role.

4. (Optional) Click the Description tab if you want to provide an alternate name for the role, tooltip text, a long description, or a help link. See “Creating Applications” on page 172 in the Administrators Guide for detailed instructions on creating descriptions.

5. Click the Members tab to add users to the role. See “Adding Members to Roles” on page 22 for more information.


6. Click the Entitlements tab to add granular entitlements, application roles, technical roles, groups, or any combination of the aforementioned to the role. See “Adding Entitlements to Roles” on page 25 for more information.

7. Apply configuration settings as required. See “Applying and Reverting Changes to Roles” on page 21 for more information.

8. Click OK.

Applying and Reverting Changes to Roles

All changes you make to a role when you create or modify a role and add or remove members and entitlements from it are pending until you explicitly apply the changes. This applies to role sets as well. When you apply the changes, RSA IMG generates the change requests to complete the changes (approvals and activities). This enables you to work on your roles for a protracted period of time as necessary until you have determined the roles meet your requirements and you are ready to deploy them.

All changes to roles and who made the changes are cited under the History section in the role’s details view. If multiple users introduced simultaneous changes to a role prior to commitment of the role (a user applies changes), then History indicates that “Multiple Users” have made changes to the role, and the user who applies changes is warned that he or she is committing other users’ changes as well.

Note: See “Apply Changes to One or More Roles” on page 35 or “Revert Changes to One or More Roles” on page 35 for information on how to apply or revert changes to multiple roles in a single operation.

Apply Changes to a Role

Before you apply changes to a role, make sure that other users who have also changed the role are aware that you intend to commit the changes and that they endorse your action.

To apply all pending changes to a role:

1. Click Apply Changes.

The Change Request window appears. It lets you review the changes and enter notes to include in the change request that change request approvers and fulfillers can view in their approvals and activities, respectively.

2. Click OK to generate the change request.

Note that the Action label for the pending changes indicates that the change (addition or removal) has been processed.

You can also dismiss all changes you have made to a role prior to applying changes and revert back to a previous version. This removes all membership and entitlement addition and removal items from the pending state.


Revert Changes to a Role

Note: Use with caution; you may not be the only person working on the role. If you want to dismiss only the pending changes you yourself have specified, you can do so on a per-item basis by simply toggling the Added or Removed button to Cancelled.

To revert all pending changes to a role:

1. Click Revert Changes.

The Revert Changes window appears.

2. Select a version, and then click OK.

Adding Members to Roles

You can add members to a role if the configuration settings for role memberships are enabled for the type of role to which you want to add members. Business roles and global roles typically include members; technical roles typically do not. Consult your Business Role Manager administrator for more information.

You can add members to a role while you are creating a role or after it has been created using either or both of the following methods:

• Select members directly.

• Allow Business Role Manager to suggest users based on a specific percentage of entitlements they have that match those aggregated in a role or those that meet membership rule criteria or both. You can then select the users from the suggested users derived from the operation.

Note: See “Perform a Role Definition Review” on page 116 in the User Tasks Guide for information on how to add members to roles from a role review.

Configure Membership Rules

A membership rule defines the set of users who should have the role. Business Role Manager compares this set of users to the set of users who actually have the role. The results of the comparison enables you to bring users into compliance with your organization’s role-based access governance policies.

Consider the following when configuring a membership rule for a role:

• When you create a membership rule for a role, RSA IMG automatically creates an equivalent rule if you have specified one or more of the available actions in a membership rule configuration that you want RSA IMG to perform if it detects a membership rule violation (someone is a member of the role who should not be a member, or someone is not a member who should be member). See Chapter 4, “Rules,” on page 129 in the User Tasks Guide for information on creating and managing rules.

• If you commit a role that previously had a membership rule (you nullified the membership rule by deselecting all actions RSA IMG generates when it detects the role has members who do not meet the membership rule or there are non-members who do meet the membership rule), the corresponding rule is put into the inactive state.


• If you then later commit the role again with membership rule actions selected, the corresponding rule is updated to include those actions and set back to the active state.

To configure membership rules:

1. Do one of the following:

• If you are in the process of creating a role, go to step 2.

• If you want to configure membership rules for an existing role:

a. Click the Roles menu and select Roles.

b. Click the role you want to edit.

2. Click Membership Rules under the Members tab.

The Membership Rules window appears.

3. Click the Membership Rule hyperlink.

The User Selection window appears. It lets you specify membership criteria based on any combination of user attribute values, affiliation with objects in the system such as groups and roles, or entitlements users have. For example, you may want to restrict membership to the role to only those users who belong to a particular department, are members of a particular role, and have a particular application role.

See “Selecting Objects” on page 30 in the Administrators Guide for details on selecting users.

See “Using Advanced Oracle SQL Queries to Filter Object Selections” on page 32 in the Administrators Guide for information on using the Advanced user selection feature.

4. Specify user membership criteria and, optionally, a display name for the criteria filter, and then click OK.

5. (Optional) Select one or more actions RSA IMG initiates when Business Role Manager determines that there are users who should but do not belong to the role (because they match membership rules) or there are users who belong but should not belong to the role (because they do not match membership rules) or both.

Options:

• Create change requests — A change request is generated to add a user to or remove a user from the role.

• Send email — Email notification is sent to the users you select.

• Generate reviews — A user or role review or both are generated based on the review definitions you select.

6. Click OK.
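The comparison a membership rule drives, as an added example that is not RSA IMG code: the rule, the role name, and the sample users are constructed for this example, in the shape of the department/role/application-role criteria mentioned in step 3. The functions compute the set of users who should have the role, compare it with the set who actually have it, and derive the add and remove items that the “Create change requests” action in step 5 would generate.

```python
# Added example, not RSA IMG code: evaluate a membership rule the way the
# guide describes, comparing the users who should have a role with the users
# who actually have it, and derive the remediation change requests.
# The rule, the role name and the sample users are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    attributes: dict                       # collected user attribute values
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)   # includes application roles


def finance_invoicing_rule(user: User) -> bool:
    """Constructed rule in the shape of the guide's example: a department,
    membership in a particular role, and a particular application role."""
    return (user.attributes.get("department") == "Finance"
            and "AP-Clerk" in user.roles
            and "SAP:AP_Clerk" in user.entitlements)


def evaluate_membership(users, role_name, rule):
    """Return the two violation kinds the guide names: users who match the
    rule but lack the role, and role holders who do not match the rule."""
    should_have = {u.user_id for u in users if rule(u)}
    actually_have = {u.user_id for u in users if role_name in u.roles}
    return {
        "missing_members": sorted(should_have - actually_have),
        "unexpected_members": sorted(actually_have - should_have),
        "compliant_members": sorted(should_have & actually_have),
    }


def change_requests(violations, role_name):
    """The 'Create change requests' action: one add or remove item per violation."""
    adds = [("add", role_name, uid) for uid in violations["missing_members"]]
    removes = [("remove", role_name, uid) for uid in violations["unexpected_members"]]
    return adds + removes


# Constructed sample population (not from the guide)
SAMPLE_USERS = [
    User("alice", {"department": "Finance"}, roles={"AP-Clerk", "Finance-Invoicing"},
         entitlements={"SAP:AP_Clerk"}),                                  # compliant
    User("bob", {"department": "Finance"}, roles={"AP-Clerk"},
         entitlements={"SAP:AP_Clerk"}),                                  # matches rule, lacks role
    User("carol", {"department": "Sales"}, roles={"Finance-Invoicing"}),  # has role, wrong department
    User("dave", {"department": "Finance"}, roles={"AP-Clerk", "Finance-Invoicing"}),  # lacks app role
]

if __name__ == "__main__":
    result = evaluate_membership(SAMPLE_USERS, "Finance-Invoicing", finance_invoicing_rule)
    print(result)
    print(change_requests(result, "Finance-Invoicing"))
```

Both directions matter for governance: a missing member is a productivity gap, but an unexpected member such as carol or dave is an access-control gap, and the removal items are the ones a reviewer should look at first.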

Select Users to Add to a Role

Use this method when you know which users should be added to a role. For example, if a role is designed for a particular department in your organization, you can invoke a selection table that lists all members of the department and add them to the role. In a simple case like this, you would not need to use the role engineering capabilities provided by the Suggest Users option.


To select users to add to a role:

1. Do one of the following:

• If you are in the process of creating a role, go to step 2.

• If you want to add users to an existing role:

a. Click the Roles menu and select Roles.

b. Click the Role to which you want to add members.

2. Click Add Members under the Members tab.

The Add Members window appears.

3. Select All Members from the Select the members to add selection box.

A list of all users in the system appears.

4. Select the users you want to add to the role.

5. Click OK.

The members list displays the members you selected. The Added button under the Action field for each member you selected to add to the role is active, and it indicates that changes are pending. At any point before you apply changes to the role (and thus generate a change request to add the members), you can cancel the pending member additions by toggling the button to Canceled.

Select Suggested Members to Add to a Role

The Suggest Members feature determines which users you should consider for membership in a role based on membership rule criteria (suggest users who meet the criteria) or on the percentage of the entitlements users have in common with the current members of the role. It generates a list of suggested users that you can choose to add to the role. The feature excludes users who already have a role’s entitlements as a result of belonging to a containing (parent) role. The feature enables you to increase a role’s user count without having to determine yourself which users should be considered for the role. You must configure membership rules prior to using the Suggest Users feature. See “Configure Membership Rules” on page 22 for more information.

To select suggested members to add to a role:

1. Do one of the following:

• If you are in the process of creating a role, go to step 2.

• If you want to add users to an existing role:

a. Click the Roles menu and select Roles.

b. Click the Role to which you want to add members.

2. Click Add Members under the Members tab.

The Add Members window appears.

3. Select one of the following options from the Select the members to add selection box:


• Suggested Members if you want to choose users from a list of users who meet the membership rule for the role and you also want to specify a percentage of entitlements potential members must have in common with current members to be suggested for the role.

Select users as follows:

a. Use the slider to set a percentage, or click Show More to reduce the percentage and therefore display more users.

b. Click Refresh to update the users list.

c. Select the users to add.

d. Click OK.

• Matching Members if you want to choose users from a list of users who meet the membership rule for the role.

Select users as follows:

a. Select the users you want to add as members to the role.

b. Click OK.

The members list displays the members you selected. The Added button under the Action field for each member you selected to add to the role is active, and it indicates that changes are pending. At any point before you apply changes to the role (and thus generate a change request to add the members), you can cancel the pending member additions by toggling the button to Canceled.

Adding Entitlements to Roles

You can add entitlements to a role if the configuration settings for role entitlements are enabled for the type of role to which you want to add entitlements. Technical roles and global roles typically include entitlements; business roles typically do not. Consult your Business Role Manager administrator for more information.

You can add entitlements to a role while you are creating a role or after it has been created using either or both of the following methods:

• Select entitlements directly.

• Allow Business Role Manager to suggest entitlements that a specific percentage of users in the role have. You can then select the entitlements from the suggested entitlements derived from the operation.

Note: See “Perform a Role Definition Review” on page 116 in the User Tasks Guide for information on how to add entitlements to roles from a role review. See “Add Entitlements” on page 33 for information on how to add entitlements to multiple roles in a single operation.


Select Entitlements to Add to a Role

Use this method when you know which entitlements should be added to a role. For example, if a role is designed for a particular department in your organization only, and users in that department all require a particular application role, you can simply add the application role to the role. In a simple case like this, you would not need to use the role engineering capabilities provided by the Suggest Entitlements option.

To select entitlements to add to a role:

1. Do one of the following:

• If you are in the process of creating a role, go to step 2.

• If you want to add entitlements to an existing role:

a. Click the Roles menu and select Roles.

b. Click the Role to which you want to add entitlements.

2. Click Add Entitlements under the Entitlements tab.

The Add Entitlements window appears.

3. Select All Entitlements from the Select the entitlements to add selection box.

A list of all entitlements in the system appears. By default, entitlements are grouped by the application or directory to which they belong.

4. Select the entitlements you want to add to the role.

5. Click OK.

The entitlements list displays the entitlements you selected. The Added button under the Action field for each entitlement you selected to add to the role is active, and it indicates that changes are pending. At any point before you apply changes to the role (and thus generate a change request to add the entitlement), you can cancel the pending entitlement additions by toggling the button to Canceled.

Select Suggested Entitlements to Add to a Role

The Suggest Entitlements feature determines which entitlements should be considered for a role based on the percentage of users in the role and roles that contain the role who share those entitlements. It then generates a list of the suggested entitlements that you can select to add to the role. The feature excludes entitlements that already belong to roles contained by a role. The feature enables you to increase a role’s entitlement count without having to determine yourself which ones should be considered for the role. You must add users to a role prior to using the Suggest Entitlements feature.

To select suggested entitlements to add to a role:

1. Do one of the following:

• If you are in the process of creating a role, go to step 2.

• If you want to add entitlements to an existing role:

a. Click the Roles menu and select Roles.

b. Click the Role to which you want to add entitlements.

2. Click Add Entitlements under the Entitlements tab.

The Add Entitlements window appears.

3. Select Suggested Entitlements from the Select the entitlements to add selection box.

4. Select entitlements as follows:

a. Use the slider to set a percentage, or click Show More to reduce the percentage and therefore display more entitlements.

b. Select one or both filtering options as required:

- Hide Entitlements That Are Already Used In Committed Roles

- Hide Entitlements That Are Already Used In New Uncommitted Roles

c. Click Refresh to update the entitlements list.

d. Select the entitlements to add.

5. Click OK.

The entitlements list displays the entitlements you selected. The Added button under the Action field for each entitlement you selected to add to the role is active, and it indicates that changes are pending. At any point before you apply changes to the role (and thus generate a change request to add the entitlement), you can cancel the pending entitlement additions by toggling the button to Canceled.
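The two “Suggested” operations described in “Select Suggested Members to Add to a Role” and in “Select Suggested Entitlements to Add to a Role”, as one added example that is not RSA IMG code. The percentage semantics are this example's assumptions, since the guide does not define them: a user is suggested when he or she holds at least pct percent of the role's entitlements, and an entitlement is suggested when at least pct percent of the role's current members hold it. The role model, the hierarchy, and the user entitlements are constructed; the hide_from_roles argument stands in for the “Hide Entitlements That Are Already Used In ...” filters.

```python
# Added example, not RSA IMG code: the Suggest Members and Suggest Entitlements
# operations over a constructed in-memory model. The percentage semantics are
# this example's assumptions: a user is suggested when he or she holds at least
# `pct` percent of the role's entitlements, and an entitlement is suggested
# when at least `pct` percent of the role's current members hold it.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    name: str
    members: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    parent: Optional[str] = None                 # containing role (single parent assumed)
    children: set = field(default_factory=set)   # contained roles


def ancestor_members(role, roles):
    """Users who already hold this role's entitlements through a containing role."""
    found, parent = set(), role.parent
    while parent is not None:
        found |= roles[parent].members
        parent = roles[parent].parent
    return found


def suggest_members(role, roles, user_entitlements, pct):
    """Non-members ranked by the share of the role's entitlements they hold;
    members of containing roles are excluded, as the guide states."""
    if not role.entitlements:
        return []
    excluded = role.members | ancestor_members(role, roles)
    suggestions = []
    for user, ents in user_entitlements.items():
        if user in excluded:
            continue
        share = 100 * len(ents & role.entitlements) / len(role.entitlements)
        if share >= pct:
            suggestions.append((user, round(share)))
    return sorted(suggestions, key=lambda s: (-s[1], s[0]))


def suggest_entitlements(role, roles, user_entitlements, pct, hide_from_roles=()):
    """Entitlements held by at least pct percent of the role's members, excluding
    those the role already has, those of contained (child) roles, and optionally
    those already used in the named roles (the 'Hide Entitlements ...' filters)."""
    if not role.members:
        return []
    excluded = set(role.entitlements)
    for name in list(role.children) + list(hide_from_roles):
        excluded |= roles[name].entitlements
    counts = {}
    for member in role.members:
        for ent in user_entitlements.get(member, set()):
            counts[ent] = counts.get(ent, 0) + 1
    suggestions = []
    for ent, n in counts.items():
        share = 100 * n / len(role.members)
        if ent not in excluded and share >= pct:
            suggestions.append((ent, round(share)))
    return sorted(suggestions, key=lambda s: (-s[1], s[0]))


# Constructed sample (not from the guide): AP-Team is contained by Finance
ROLES = {
    "Finance": Role("Finance", members={"fay"}, entitlements={"ERP:Login"}, children={"AP-Team"}),
    "AP-Team": Role("AP-Team", members={"alice", "bob", "carol"},
                    entitlements={"ERP:AP_Post", "ERP:AP_View"}, parent="Finance"),
}
USER_ENTITLEMENTS = {
    "alice": {"ERP:Login", "ERP:AP_Post", "ERP:AP_View", "ERP:Reports"},
    "bob":   {"ERP:AP_Post", "ERP:AP_View", "ERP:Reports"},
    "carol": {"ERP:AP_Post", "ERP:Reports", "HR:Read"},
    "dave":  {"ERP:AP_Post", "ERP:AP_View"},              # non-member holding all the role grants
    "erin":  {"ERP:AP_View", "HR:Read"},                  # holds half of the role's entitlements
    "fay":   {"ERP:Login", "ERP:AP_Post", "ERP:AP_View"}, # member of the containing role
    "gus":   {"HR:Read"},
}

if __name__ == "__main__":
    print(suggest_members(ROLES["AP-Team"], ROLES, USER_ENTITLEMENTS, pct=50))
    print(suggest_entitlements(ROLES["AP-Team"], ROLES, USER_ENTITLEMENTS, pct=60))
```

Lowering pct (the “Show More” action) widens both lists, which is exactly why the guide lets an administrator suppress suggestions: every extra suggested entitlement is an access grant a role manager must still justify, and an entitlement held by a third of the members is usually an individual need, not a role attribute.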

Discovering Roles

The discover roles feature provides automated, bottom-up role mining techniques for creating new roles. You can mine candidate roles from data stored in the RSA IMG database using the following techniques:

• Specify unique combinations of user attributes as the basis for role creation. For example, you could specify that Business Role Manager creates a role for each set of users who share location, supervisor, and business unit attribute values.

• Specify a percentage of entitlements that users have in common as the basis for role creation. For example, you could specify that Business Role Manager creates a role for each set of users who have 50% of their entitlements in common with other users.

• Specify unique combinations of entitlement attributes as the basis for role creation. For example, you could specify that Business Role Manager creates a role for each set of entitlements that share application technical owner and business unit attribute values.

To discover roles:

1. Click the Roles menu and select Roles.

The Roles window appears. It lists all roles in the system.

2. Click Create/Discover and select Discover Roles.

The Discover Roles window appears.


3. Choose a discovery option:

• From users — Discover roles based on shared user attribute values. See “Discover Roles Based on User Attribute Values” on page 28 for more information.

• From user-entitlement clusters — Discover roles based on the percentage of entitlements users have in common with each other. See “Discover Roles Based on User-Entitlement Clusters” on page 29 for more information.

• From entitlements — Discover roles based on shared entitlement attribute values. See “Discover Roles Based on Entitlement Attribute Values” on page 30 for more information.

4. Specify the destination role set for the discovered roles. If you elect instead to create a new role set, specify the role set type (business, technical, or global).

5. Click Next.

6. Complete the discovery specification you selected.

A window appears that lists the discovered candidate roles and lets you refine the roles using the following options:

• Remove lets you delete selected candidate roles.

• Combine lets you consolidate selected candidate roles.

• Remove Users lets you delete all users from selected candidate roles.

• Remove Entitlements lets you delete all entitlements from selected candidate roles.

7. Click Finish.

Business Role Manager creates the roles.

Discover Roles Based on User Attribute Values

You can specify multiple shared user attribute values as the basis for discovering candidate roles.

To specify user attributes for role discovery:

1. Specify a set of users from which you want to create roles using the Users Matching filter. You can specify multiple user attribute values. For example, if you want to restrict the pool of users to those who belong to a particular business unit from a particular location, specify those values. Business Role Manager indicates the number of users that meet your specification.

2. Specify the user attribute values that you want to use as the basis for discovering roles using the Create Roles Split on these Attributes option. For example, if you want to discover roles based on unique business unit and location attribute values, specify those values. Business Role Manager indicates the number of roles it would create based on the specification.

3. (Optional) Generate a list of suggested entitlements for the discovered roles by selecting the Suggest Entitlements option. Then use the Suggest Entitlements Matching option to specify entitlement attributes. See “Select Suggested Entitlements to Add to a Role” on page 26 for more information.

4. Click Next.

The Role Information Expressions window appears.


5. Specify role information expressions. The expressions specify how the discovered roles are named. For example, if you are basing discovery on unique attribute value pairs, Business Role Manager uses the values for those attributes to assign names to the roles. You can change the role names later after you have discovered the roles. See “Combine Roles” on page 31 for more information.

6. Click Next.

A window appears that lists the discovered candidate roles.

Discover Roles Based on User-Entitlement Clusters

You can specify that users with a particular percentage of entitlements in common are the basis for discovering candidate roles.

To specify user-entitlement clusters for role discovery:

1. Specify user-entitlement cluster matching criteria:

• Use the Users Matching filter to specify a pool of users based on one or more user attribute values as candidates for the discovered roles. For example, if you want to restrict the pool of users to those who belong to a particular business unit from a particular location, specify those values. Business Role Manager indicates the number of users that meet your specification.

• Use the Entitlements Matching filter to specify a pool of entitlements based on one or more entitlement attribute values that candidate users must have as the basis for the cluster. Business Role Manager indicates the number of entitlements that meet your specification.

2. Specify the clustering method:

• Select Allow Duplicate Entitlements if you want to allow the same entitlements to be included in multiple candidate roles.

• Select Allow duplicate users if you want to allow the same users to be included in multiple candidate roles.

3. Specify the minimum number of users and entitlements for candidate roles:

• Use the Only create roles with at least this many users slider to specify a minimum number of users for candidate roles.

• Use the Only create roles with at least this many entitlements slider to specify a minimum number of entitlements for candidate roles.

4. Click Next.

The Role Information Expressions window appears.

5. Accept the default variable for the expression, and then click Next.

A window appears that lists the discovered candidate roles.


Discover Roles Based on Entitlement Attribute Values

You can specify multiple shared entitlement attribute values as the basis for discovering candidate roles.

To specify entitlement attributes for role discovery:

1. Specify a set of entitlements from which you want to create roles using the Entitlements Matching filter. You can specify multiple entitlement attribute values. For example, if you want to restrict the pool of entitlements to those that belong to a particular application or directory and have a particular administrator, specify those values. Business Role Manager indicates the number of entitlements that meet your specification.

2. Specify the entitlement attribute values that you want to use as the basis for discovering roles using the Create Roles Split on these Attributes option. For example, if you want to discover roles based on unique technical owner and business unit attribute values, specify those values. Business Role Manager indicates the number of roles it would create based on the specification.

3. Click Next.

The Role Information Expressions window appears.

4. Specify role information expressions. The expressions specify how the discovered roles are named. For example, if you are basing discovery on unique attribute value pairs, Business Role Manager uses the values for those attributes to assign names to the roles. You can change the role names later after you have saved the roles. See “Combine Roles” on page 31 for more information.

5. Click Next.

A window appears that lists the discovered candidate roles.
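The mining techniques behind the three discovery options, as an added example that is not RSA IMG code. discover_by_attributes() is the general “Create Roles Split on these Attributes” algorithm and works for users and for entitlements alike, with the name expression supplying the role name from the attribute values; discover_by_clusters() is a simple greedy version of user-entitlement clustering. Its overlap rule (two users cluster when they share at least pct percent of the larger of their two entitlement sets) is this example's assumption, and the attribute and entitlement data are constructed.

```python
# Added example, not RSA IMG code: the bottom-up mining techniques the guide
# describes, over constructed data. discover_by_attributes() is the general
# "split on these attributes" algorithm (users or entitlements);
# discover_by_clusters() is a greedy user-entitlement clustering whose overlap
# rule (share >= pct percent of the larger of two entitlement sets) is an assumption.
from collections import defaultdict


def discover_by_attributes(objects, matching, split_on, name_expression=None):
    """objects: id -> attribute dict. matching: the Users/Entitlements Matching
    filter (attribute -> required value). split_on: attributes whose unique value
    combinations each become a candidate role. name_expression: the role information
    expression turning the value tuple into a role name (default joins with '-')."""
    name_expression = name_expression or (lambda values: "-".join(values))
    pool = {oid: attrs for oid, attrs in objects.items()
            if all(attrs.get(k) == v for k, v in matching.items())}
    groups = defaultdict(set)
    for oid, attrs in pool.items():
        values = tuple(attrs.get(a) for a in split_on)
        if None in values:          # objects lacking a split attribute form no role (assumption)
            continue
        groups[values].add(oid)
    return {name_expression(values): members for values, members in sorted(groups.items())}


def discover_by_clusters(user_entitlements, pct, min_users=2, min_entitlements=1,
                         allow_duplicate_users=False):
    """Greedy clustering: each unclustered user seeds a candidate role made of the
    users whose entitlement overlap with the seed is at least pct percent of the
    larger set; the role's entitlements are those common to every member. The
    guide's two sliders are the min_users and min_entitlements thresholds."""
    remaining = dict(user_entitlements)
    candidates = []
    for seed in sorted(user_entitlements):
        if seed not in remaining or not user_entitlements[seed]:
            continue
        seed_ents = user_entitlements[seed]
        cluster = {u for u, ents in remaining.items()
                   if ents and 100 * len(ents & seed_ents) >= pct * max(len(ents), len(seed_ents))}
        shared = set.intersection(*(user_entitlements[u] for u in cluster))
        if len(cluster) >= min_users and len(shared) >= min_entitlements:
            candidates.append({"members": cluster, "entitlements": shared})
            if not allow_duplicate_users:      # the 'Allow duplicate users' option
                for u in cluster:
                    remaining.pop(u, None)
    return candidates


# Constructed sample data (not from the guide)
SAMPLE_USER_ATTRIBUTES = {
    "u1": {"location": "Boston", "supervisor": "sam", "business_unit": "Finance"},
    "u2": {"location": "Boston", "supervisor": "sam", "business_unit": "Finance"},
    "u3": {"location": "Boston", "supervisor": "pat", "business_unit": "Finance"},
    "u4": {"location": "London", "supervisor": "sam", "business_unit": "Finance"},
    "u5": {"location": "Boston", "supervisor": "sam", "business_unit": "Sales"},
}
SAMPLE_USER_ENTITLEMENTS = {
    "u1": {"ERP:A", "ERP:B", "ERP:C"},
    "u2": {"ERP:A", "ERP:B", "ERP:D"},
    "u3": {"ERP:A", "ERP:B", "ERP:C", "ERP:E"},
    "u4": {"CRM:X", "CRM:Y"},
    "u5": {"CRM:X", "CRM:Y", "CRM:Z"},
    "u6": {"HR:Q"},
}

if __name__ == "__main__":
    print(discover_by_attributes(SAMPLE_USER_ATTRIBUTES, {"business_unit": "Finance"},
                                 ("location", "supervisor")))
    print(discover_by_clusters(SAMPLE_USER_ENTITLEMENTS, pct=50))
```

The thresholds are the safety valve of bottom-up mining: with min_users at its minimum the clustering happily produces one candidate role per person, which is just the existing entitlement sprawl restated as roles, so raise the user and entitlement minimums until the candidate list is small enough to review by hand before clicking Finish.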

Managing Roles

You can manage roles in the following ways:

• Edit a role’s profile to change the role’s owner or backup owner or role type, to enable or disable a role, or to designate a parent role for the role. See “Edit a Role’s Profile” on page 31.

• Use the Actions feature to explicitly combine and split roles, enable and disable roles, apply and revert changes to roles, create a common parent role for a group of roles, remove all members from roles, delete roles, import and export roles, add entitlements to and remove entitlements from multiple roles, and edit attributes for multiple roles. See “Working with Role Actions” on page 31.

• Use the Analysis feature to have Business Role Manager suggest which roles should be combined, which entitlements and members should be added to or removed from a role, and which roles should be deleted based on role aspect criteria you specify. See “Working with Role Analysis” on page 36.

• Specify who can access and work with roles for which you are the role owner. See “Managing Access Privileges to Roles” on page 39.


Edit a Role’s Profile

You can edit a role’s profile, the settings specified under the General tab, anytime after you have created it if the role does not have any changes pending. For example, if members or entitlements have been added to the role and the change request for the adds has not been completed, you cannot edit the role’s profile. See “Edit Attributes” on page 33 for information on editing attribute values for multiple roles in a single operation.

To edit a role’s profile:

1. Click the Roles menu and select Roles.

2. Click the name of the role you want to edit.

3. Click Edit.

4. Change settings as required, and then click OK.

5. Click Apply Changes to commit your pending changes. See “Applying and Reverting Changes to Roles” on page 21 for more information.

Note: See “Perform a Role Definition Review” on page 116 in the User Tasks Guide for information on how to update a role profile from a role review.

Working with Role Actions

Role actions enable you to explicitly reconfigure roles in a variety of ways. If, instead, you would prefer to allow Business Role Manager to suggest which reconfiguration actions you should consider, see “Working with Role Analysis” on page 36 for information on how to submit roles for analysis.

For actions that change roles, you must commit those changes before the changes take effect. See “Apply Changes to One or More Roles” on page 35 for more information.

Combine Roles

You can combine two or more roles into a new role that consolidates the member and entitlement sets from the roles. A combined role falls into the global role category when you combine different types of roles. A combined role for roles of the same type adopts that type. Business Role Manager designates the user who combined the roles as the new role’s owner.

To combine roles:

1. Click the Roles menu and select Roles.

2. Click Actions and select Combine Roles.

A role selection window appears.

3. Select two or more roles, and then click Next.

4. Enter a new role name. The default is a concatenation of the names of the roles you are combining.

5. Click Finish.


Copy Roles

You can create roles by copying and saving new versions of the roles that have most of the configuration settings, members, entitlements, or any combination of the aforementioned you want in the new roles. Then you can revise the new, copied roles to meet your particular requirements.

To copy roles:

1. Click the Roles menu and select Roles.

2. Click Actions and select Copy Roles.

A role selection window appears.

3. Select one or more roles, and then click Next.

4. Enter new role names for the copied roles. The default is the name of the copied role with “Copy” appended to it.

5. Click Finish.

Delete Roles

You can delete committed roles that you no longer require.

To delete roles:

1. Click the Roles menu and select Roles.

2. Click Actions and select Delete Roles.

A role selection window appears.

3. Select one or more roles, and then click Next.

4. Click Finish.

Disable Roles

You can disable one or more roles in the system.

To disable roles:

1. Click the Roles menu and select Roles.

2. Click Actions and select Disable Roles.

A role selection window appears.

3. Select one or more roles, and then click Next.

4. Click Finish.

Enable Roles

You can enable one or more roles in the system.

To enable roles:

1. Click the Roles menu and select Roles.


2. Click Actions and select Enable Roles.

A role selection window appears.

3. Select one or more roles, and then click Next.

4. Click Finish.

Edit Attributes

You can modify attributes for one or more roles. This enables you to change an attribute value shared by multiple roles in a single operation (for example, to designate a single person as the owner of multiple roles).

1. Click the Roles menu and select Roles.

2. Click Actions and select Edit Attributes.

A role selection window appears.

3. Select one or more roles, and then click Next.

The Edit Attributes window appears.

4. Select the attributes you want to modify, change the attribute values, and then click Finish.

Add Entitlements

You can add entitlements to one or more roles. This enables you to add one or more entitlements to multiple roles in a single operation.

1. Click the Roles menu and select Roles.

2. Click Actions and select Add Entitlements.

A role selection window appears.

3. Select one or more roles, and then click Next.

The Add Entitlements window appears.

4. Select the entitlements you want to add to the roles, and then click Next.

5. Click Finish.

Remove Entitlements

You can remove entitlements from one or more roles. This enables you to remove one or more entitlements from multiple roles in a single operation.

1. Click the Roles menu and select Roles.

2. Click Actions and select Remove Entitlements.

A role selection window appears.

3. Select one or more roles, and then click Next.

The Remove Entitlements window appears.


4. Select the entitlements you want to remove from the roles. The In Roles column indicates the number of roles that include the entitlements specified. The Not In Roles column indicates the number of roles that do not include the entitlements specified.

5. Click Next.

6. Click Finish.

Remove All Members

You can remove all members from one or more roles in the system.

To remove all members from roles:

1. Click the Roles menu and select Roles.

2. Click Actions and select Remove All Members.

A role selection window appears.

3. Select one or more roles, and then click Next.

4. Click Finish.

Create a New Parent Role for One or More Roles

You can select one or more roles from which to derive a parent role that inherits the entitlements from the selected roles.

To create a parent role for one or more roles:

1. Click the Roles menu and select Roles.

2. Click Actions and select Create Common Parent.

A role selection window appears.

3. Select one or more roles, and then click Next.

4. Provide a name for the parent role.

5. Click Finish.

Split Roles by User Attribute Criteria

You can split roles based on specific user attribute criteria. When you split a role using these criteria, the split role’s members are removed and distributed to the generated roles. You can choose to retain the original role. In this case, the original role becomes the parent role of the generated roles, and the original role’s entitlements are retained.

To split a role based on user attribute criteria:

1. Click the Roles menu and select Roles.

2. Click Actions and select Split Roles by User Attribute.

A role selection window appears.

3. Select one or more roles, and then click Next.

4. Choose a user attribute and, if you want to retain the roles you are splitting, select the Keep original role option.


5. Click Next.

6. Select one or more expressions to generate the role information.

7. Click Finish.
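The Combine Roles and Split Roles by User Attribute actions above both rearrange member and entitlement sets. As an added example, not code from this guide or from RSA IMG, the following Python models the two actions over a constructed role catalogue: a combined role takes the union of members and entitlements, keeps the common type or falls into the global category, and is owned by the user who combined the roles; a split distributes members by attribute value and, when the original is kept, leaves it as the parent that retains the entitlements. The Role class, the user table, the "(none)" bucket for members lacking the attribute, the naming expression, and the handling of entitlements when the original is not kept are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    """Minimal model of a Business Role Manager role (constructed for this example)."""
    name: str
    role_type: str                     # "business", "technical" or "global"
    owner: str
    members: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    parent: Optional[str] = None       # name of the parent role, if any


def combine_roles(roles, actor, new_name=None):
    """Combine two or more roles the way the guide describes.

    The new role takes the union of the member and entitlement sets, adopts the
    common type when all inputs share one and falls into the global category
    otherwise, and is owned by the user who performed the action. The default
    name is the concatenation of the input names.
    """
    if len(roles) < 2:
        raise ValueError("select two or more roles to combine")
    types = {r.role_type for r in roles}
    return Role(
        name=new_name or "".join(r.name for r in roles),
        role_type=types.pop() if len(types) == 1 else "global",
        owner=actor,
        members=set().union(*(r.members for r in roles)),
        entitlements=set().union(*(r.entitlements for r in roles)),
    )


def split_role_by_attribute(role, users, attribute, keep_original=True):
    """Split a role on a user attribute: one generated role per distinct value.

    The original role's direct members are removed and distributed to the
    generated roles. With keep_original the source role stays as their parent
    and keeps its entitlements, which the children inherit (so they carry no
    direct entitlements). Without it, each generated role receives a copy of
    the entitlements; the guide does not spell that case out, so it is an
    assumption here. `users` maps user id -> attribute dict (constructed).
    """
    buckets = {}
    for member in role.members:
        # Assumption: members missing the attribute are grouped under "(none)".
        value = users.get(member, {}).get(attribute, "(none)")
        buckets.setdefault(value, set()).add(member)

    generated = []
    for value in sorted(buckets):
        generated.append(Role(
            # Role information expression assumed here: "<original> - <attribute>=<value>"
            name=f"{role.name} - {attribute}={value}",
            role_type=role.role_type,
            owner=role.owner,
            members=buckets[value],
            entitlements=set() if keep_original else set(role.entitlements),
            parent=role.name if keep_original else None,
        ))
    role.members = set()           # members now live in the generated roles
    return generated


def demo():
    """Constructed roles; returns the combined role, the split parent and its children."""
    clerk = Role("Payroll Clerk", "business", "alice", {"u1", "u2"}, {"sap:PY01"})
    admin = Role("Payroll Admin", "technical", "bob", {"u2", "u3"}, {"sap:PY01", "sap:PY99"})
    combined = combine_roles([clerk, admin], actor="carol")

    helpdesk = Role("Helpdesk", "business", "dave",
                    {"u1", "u2", "u3", "u4"}, {"ad:HELPDESK_TOOLS"})
    users = {"u1": {"region": "EMEA"}, "u2": {"region": "APAC"},
             "u3": {"region": "EMEA"}, "u4": {"region": "EMEA"}}
    children = split_role_by_attribute(helpdesk, users, "region")
    return combined, helpdesk, children


if __name__ == "__main__":
    combined, parent, children = demo()
    print(combined)
    print(parent)
    for child in children:
        print(child)
```

Running the block shows the combined role typed global (its inputs differ in type) and the Helpdesk role emptied of direct members but still holding its entitlement, with two generated child roles pointing back to it.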

Revert Changes to One or More Roles

In a scenario where you and other role designers have made changes to multiple roles and you do not want to apply those changes, you can revert the changes to the roles in a single operation.

To revert changes to one or more roles:

1. Click the Roles menu and select Roles.

2. Click Actions and select Revert Changes to Roles.

A role selection window appears.

3. Select one or more roles, and then click Next.

4. Select one of the following options:

• Version Before <particular date> or Committed Version/Delete New Role

Use this option when you want to revert to the versions of roles that were committed before a particular date, when you are reverting changes to new roles (that have not had changes applied), which deletes the new roles, or when you want to revert to the most recent committed version of an existing role.

• Committed Version/Delete New Role

Use this option when you are reverting changes to new roles (that have not had changes applied), which deletes the new roles, or when you want to revert to the most recent committed versions of existing roles (that have had changes applied previously).

5. Click Finish.

Apply Changes to One or More Roles

In a scenario where you and other role designers have made changes to multiple roles and you want to apply those changes, you can apply the changes to the roles in a single operation.

To apply changes to one or more roles:

1. Click the Roles menu and select Roles.

2. Click Actions and select Commit Changes to Roles.

A role selection window appears.

3. Select one or more roles, and then click Next.

A change request preview window appears.

4. Click Finish to initiate a change request.


Export Roles and Import Roles

You can export roles engineered on one system to a role export file and then import the file into another system. This enables you to develop and refine your roles on a staging system before you deploy them into your production environment. If your RSA IMG installation is integrated with the IBM Tivoli Identity Manager (ITIM) provisioning system, you can also export roles directly to ITIM. See “Exporting and Importing Roles” on page 44 for more information.

Working with Role Analysis

The Role Analysis feature uses the role standards you specify, together with user, group, entitlement, and role data, to suggest actions you can perform on roles: adding or removing users and entitlements, and deleting or combining roles. If, instead, you are certain that you want to, for example, delete a role or remove members or entitlements from it and you do not require suggestions about whether you should, see “Working with Role Actions” on page 31 for information on how to perform the action.

Suggest Users for Roles

Business Role Manager generates a list of suggested users you can choose to add to one or more roles based on your suggestion criteria. You can specify that users who do not belong to the role but should belong to the role as stipulated by the membership rules for the role are suggested, or you can specify that users who have entitlements that role members have are suggested.

To suggest users for roles:

1. Click the Roles menu and select Roles.

2. Click Analysis and select Suggest Users for Roles.

A role selection window appears.

3. Select one or more roles, and then click Next.

A suggestion options window appears.

4. Select one of the following options:

• Add users matching role constraints — This option suggests users who match the membership rule.

• Add users that have the role(s) entitlements — This option suggests users who have role entitlements.

A window listing suggested users appears.

5. Select the users you want to add to the roles, and then click Finish.

Suggest Entitlements for Roles

Business Role Manager generates a list of suggested entitlements you can choose to add to one or more roles based on your suggestion criteria. You can specify that the entitlements a particular percentage of role members have are suggested.

To suggest entitlements for roles:

1. Click the Roles menu and select Roles.


2. Click Analysis and select Suggest Entitlements for Roles.

A role selection window appears. It lets you specify the pool of potential suggested entitlements and the roles for which the entitlements will be suggested.

3. Do the following:

a. Specify the set of entitlements that serves as the suggestion pool using the Entitlements Matching filter. You can specify multiple entitlement attribute values. For example, if you want to restrict the pool of entitlements to those that belong to a particular application or directory and have a particular administrator, specify those values. Business Role Manager indicates the number of entitlements that meet your specification.

b. Select one or more roles for which you want Business Role Manager to suggest entitlements.

A suggestion options window appears.

4. Do the following:

a. Use the slider to set a percentage, or click Show More to reduce the percentage and therefore display more entitlements.

b. Click Refresh to update the entitlements list.

c. Select the entitlements to add to the role.

d. Click Finish.

Suggest Roles to Combine

Business Role Manager generates a list of suggested roles you can choose to combine based on your suggestion criteria. You can specify a user or entitlement similarity standard or a combination of both that Business Role Manager uses to generate a list of suggested roles. Combining roles that are essentially identical reduces the number of roles you have to manage.

To suggest roles to combine:

1. Click the Roles menu and select Roles.

2. Click Analysis and select Suggest Roles to Combine.

A role selection window appears.

3. Select at least two roles, and then click Next.

A suggestion options window appears.

4. Select one of the following options:

• Combine roles with similar sets of users — This option suggests combining roles that have at least a particular percentage of identical users. Use the slider to specify a percentage.

• Combine roles with similar sets of entitlements — This option suggests combining roles that have at least a particular percentage of identical entitlements. Use the slider to specify a percentage.

• Combine roles with similar sets of users and entitlements — This option suggests combining roles that have at least a particular percentage of identical users and entitlements. Use the slider to specify a percentage.


5. Click Next.

A window listing suggested role pairs appears.

6. Select the role pairs you want to combine. This combines all the role pairs selected, not the paired roles.

7. Revise the suggested combined role name, and then click Finish.

Suggest Roles to Delete

Business Role Manager generates a list of suggested roles you can choose to delete based on your suggestion criteria. You can specify a user or entitlement threshold count or a combination of both that Business Role Manager uses to generate a list of suggested roles. Deleting roles that do not meet role standards (roles with low user or entitlement counts) reduces the number of roles you have to manage.

To suggest roles to delete:

1. Click the Roles menu and select Roles.

2. Click Analysis and select Suggest Roles to Delete.

A role selection window appears.

3. Select one or more roles, and then click Next.

A suggestion options window appears.

4. Select one of the following options:

• Remove roles by user count — This option suggests deleting roles that do not have at least a particular number of users. Use the slider to specify a user count threshold.

• Remove roles by entitlement count — This option suggests deleting roles that do not have at least a particular number of entitlements. Use the slider to specify an entitlement count threshold.

• Remove roles by user and entitlement count — This option suggests deleting roles that do not have at least a particular number of users and entitlements. Use the sliders to specify user and entitlement count thresholds.

5. Click Next.

A list of suggested roles to delete appears.

6. Select the roles to delete, and then click Finish.

Suggest Members to Remove

Business Role Manager generates a list of suggested members you can choose to remove from roles based on your criteria. You can specify a user or entitlement threshold count or a combination of both that Business Role Manager uses to generate a list of suggested roles. You can also specify that Business Role Manager suggest role members who should be removed from one or more roles because they do not meet the membership rule criteria for the roles.

To suggest members to remove:

1. Click the Roles menu and select Roles.


2. Click Analysis and select Suggest Members to Remove.

A role selection window appears.

3. Select one or more roles, and then click Next.

A suggestion options window appears.

4. Select one of the following options:

• Choose redundant members to remove from selected roles — This option enables you to remove members who belong to a role directly and also indirectly resulting from member inheritance from child roles.

• Remove users not matching role constraints — This option enables you to remove users who do not match the membership rule.

5. Click Finish.

Suggest Entitlements to Remove

Business Role Manager generates a list of suggested entitlements you can choose to remove from roles based on your criteria. You can specify a user or entitlement threshold count or a combination of both that Business Role Manager uses to generate a list of suggested roles. Deleting roles that do not meet role standards (roles with low user or entitlement counts) reduces the number of roles you have to manage.

To suggest entitlements to remove:

1. Click the Roles menu and select Roles.

2. Click Analysis and select Suggest Entitlements to Remove.

A role selection window appears.

3. Select one or more roles, and then click Next.

A suggestion options window appears.

4. Select one of the following options:

• Remove all entitlements from previously selected roles

• Remove redundant entitlements selected below

Redundant entitlements are those belonging to a role directly and also indirectly resulting from entitlement inheritance from a parent role.

5. Click Finish.
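The Suggest Roles to Combine, Suggest Roles to Delete, Suggest Members to Remove and Suggest Entitlements to Remove analyses above all reduce to set comparisons over role data. As an added example, not part of this guide or of the product, the following Python works those comparisons over a constructed catalogue: pairwise similarity against a slider threshold, user and entitlement count thresholds, and redundant members and entitlements derived from the role hierarchy (members are inherited from child roles, entitlements from parent roles, as the Members and Entitlements tabs describe). The catalogue is constructed, and the choice of the union of the two sets as the denominator of the similarity percentage is this example's assumption; the guide does not define how its percentage is computed.

```python
from itertools import combinations

# Constructed role catalogue (not from the guide): name -> members, entitlements, parent role.
ROLES = {
    "Finance Analyst": {
        "members": {"u1", "u2", "u3", "u4"},
        "entitlements": {"erp:GL_READ", "erp:AP_READ", "bi:FIN_DASH"},
        "parent": None,
    },
    "Finance Analyst (EMEA)": {
        "members": {"u1", "u2", "u3", "u5"},
        "entitlements": {"erp:GL_READ", "erp:AP_READ", "bi:FIN_DASH", "erp:AP_READ_EMEA"},
        "parent": None,
    },
    "Finance Analyst (EMEA) Juniors": {
        "members": {"u1", "u6"},
        "entitlements": {"erp:GL_READ"},
        "parent": "Finance Analyst (EMEA)",
    },
    "Legacy Reporting": {
        "members": {"u9"},
        "entitlements": {"bi:OLD_REPORT"},
        "parent": None,
    },
}


def similarity_percent(a, b):
    """Share of identical items between two sets, as a percentage of their union.
    The guide speaks of 'a particular percentage of identical users'; using the
    union as denominator is this example's choice."""
    union = a | b
    return 100.0 * len(a & b) / len(union) if union else 0.0


def suggest_roles_to_combine(roles, basis, threshold):
    """Role pairs whose similarity meets the threshold. basis is 'users',
    'entitlements' or 'both' (both sets must meet it), mirroring the three
    Suggest Roles to Combine options."""
    keys = {"users": ("members",), "entitlements": ("entitlements",),
            "both": ("members", "entitlements")}[basis]
    suggested = []
    for r1, r2 in combinations(sorted(roles), 2):
        if all(similarity_percent(roles[r1][k], roles[r2][k]) >= threshold for k in keys):
            suggested.append((r1, r2))
    return suggested


def suggest_roles_to_delete(roles, min_users=None, min_entitlements=None):
    """Roles that fall short of any threshold that is given (the sliders)."""
    out = []
    for name, role in sorted(roles.items()):
        too_few_users = min_users is not None and len(role["members"]) < min_users
        too_few_ents = min_entitlements is not None and len(role["entitlements"]) < min_entitlements
        if too_few_users or too_few_ents:
            out.append(name)
    return out


def children_of(roles, name):
    return [n for n, r in roles.items() if r["parent"] == name]


def inherited_members(roles, name):
    """Members a role inherits from its child roles (recursively)."""
    acc = set()
    for child in children_of(roles, name):
        acc |= roles[child]["members"] | inherited_members(roles, child)
    return acc


def inherited_entitlements(roles, name):
    """Entitlements a role inherits from its parent chain."""
    acc = set()
    parent = roles[name]["parent"]
    while parent is not None:
        acc |= roles[parent]["entitlements"]
        parent = roles[parent]["parent"]
    return acc


def redundant_members(roles, name):
    """Direct members who are also inherited from a child role."""
    return roles[name]["members"] & inherited_members(roles, name)


def redundant_entitlements(roles, name):
    """Direct entitlements that a parent role already grants."""
    return roles[name]["entitlements"] & inherited_entitlements(roles, name)


if __name__ == "__main__":
    print("combine (users >= 50%):", suggest_roles_to_combine(ROLES, "users", 50))
    print("delete (< 2 users or < 2 entitlements):", suggest_roles_to_delete(ROLES, 2, 2))
    print("redundant members of Finance Analyst (EMEA):",
          redundant_members(ROLES, "Finance Analyst (EMEA)"))
    print("redundant entitlements of Finance Analyst (EMEA) Juniors:",
          redundant_entitlements(ROLES, "Finance Analyst (EMEA) Juniors"))
```

In the constructed data the two Finance Analyst roles share three of five users (60%) and three of four entitlements (75%), so they surface as a combine candidate under a 50% user or 70% entitlement slider but not when both sets must reach 70%; the one-user Legacy Reporting role and the one-entitlement Juniors role surface as delete candidates, and the hierarchy check flags u1 as redundant in the parent and erp:GL_READ as redundant in the child.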

Managing Access Privileges to Roles

You can specify which users can access and work with the role sets for which you are the role owner.

To manage access privileges to roles:

1. Click the Roles menu and select Roles.

2. Click Involve Others and select Manage Access to My Roles.


A window appears listing users and the ACM entitlements they have to the role sets for which you are the manager.

3. Configure settings as follows:

• To specify access privileges for users, click Add More to open a user selection window, select one or more users, and configure privileges using the Role Set and Action options.

• To remove access privileges from users, select the users, and then click Remove.

• To edit access privileges for users, simply change the Role Set or Action options or both.

Role set access privileges are listed and described in the following table:

Role Set Access Privileges

Privilege: Manage
Description: Can do everything with a role set and all roles in the role set.
Actions Allowed on Role Set: Edit
Actions Allowed on Roles in Role Set: Manage

Privilege: Edit
Description: Cannot change the “sandbox” aspects of the role set, but can change everything else and everything on all roles in the role set.
Actions Allowed on Role Set: Edit Roles
Actions Allowed on Roles in Role Set: Manage

Privilege: Edit Roles
Description: Cannot change anything on the role set. Can edit but not create or delete roles.
Actions Allowed on Role Set: Edit Members/Entitlements
Actions Allowed on Roles in Role Set: Edit

Privilege: Edit Members
Description: Can edit members of roles in the role set.
Actions Allowed on Role Set: View
Actions Allowed on Roles in Role Set: Edit Members

Privilege: Edit Entitlements
Description: Can edit entitlements of roles in the role set.
Actions Allowed on Role Set: View
Actions Allowed on Roles in Role Set: Edit Entitlements

Privilege: View
Description: Can view the roles in the role set, but cannot view the role set itself.
Actions Allowed on Role Set: Nothing
Actions Allowed on Roles in Role Set: View

4. Click Finish.

Viewing Roles

You can view summary and detailed information about all committed roles in the system, roles that are in a state of development, and roles that have changes pending.

To view roles:

Click the Roles menu.

A list of all roles defined in the system appears.

The following table describes the default role attributes that appear in the role table.

Note: You can add additional attribute columns and remove columns using the Table Column option.

Roles Summary Information

Attribute Description

Role Name Name of the role.

Users Number of users in the role.

Entitlements Number of entitlements in the role.

Role Quality The role quality value calculated for the role. A higher value indicates a better-quality role; a lower value indicates a poorer-quality role.

State State of the role:

• Applied: A role version that has been edited since the prior committed version; a change request has been submitted to commit it to the system, but the change request has not been completed.

• Applied Delete: A role version that has been deleted since the prior committed version; a change request has been submitted to delete the role, but the change request has not been completed.

• Applied New: A new role version has been created; a change request has been submitted to commit it to the system, but the change request has not been completed.

• Changed: A role that has been edited since the prior committed version.

• Changed Delete: A changed role version that has been deleted since the prior committed version; a change request has been submitted to delete the role, but the change request has not been completed.

• Committed: A role version that has been submitted, and the change request has been completed.

• New: A role version has been created, but it has not been committed to the system.

Note: If a role was modified in a role review, an information icon appears next to the role state. It provides information about the review where the changes were made.

Disabled Indicates whether the role is enabled or disabled in the system.

Role Type The role type: business, global, or technical.

Role Set The name of the role set that contains the role.

Viewing Role Details

A details view of a role provides comprehensive information about the role and lets you perform role management tasks. See “Managing Roles” on page 30 for more information.

To view role details:

1. Click the Roles menu.

A list of roles appears.

2. Click the name of the role you want to view.

Role details are organized under the following tabs:

• The General tab displays role profile information, including any business description content (alternative role display name, a long description, tooltip text, and a help URL) provided for the role, a history of changes to the role, information about the role’s position in a role hierarchy, information about the role’s relationships in an entitlement request hierarchy, and information about any rule violations related to the role. It also lets you edit the profile if there are no change requests pertaining to the role that have yet to be completed. The tab displays information about pending change requests and does not allow you to edit the profile until the change request has been completed (fulfilled, rejected, or canceled).

See Chapter 15, “Creating and Managing Business Descriptions,” on page 205 in the Administrators Guide for more information about creating and managing business descriptions for roles.

See Chapter 14, “Managing Application Entitlements,” on page 197 in the Administrators Guide for information on managing the entitlement request hierarchy relationships required for custom access request form implementation and on how to edit entitlements selectively or in a batch operation.

• The Members tab displays all users in the role. The Directly Entitled view displays those members that have been directly granted the role. The All view displays directly entitled members and those members inherited from child roles.

• The Entitlements tab displays all entitlements in the role. The Directly Entitled view displays those entitlements that have been directly aggregated in the role. The All view displays directly aggregated entitlements and those entitlements inherited from parent roles.

• The Analytics tab provides information about the quality of the role, identifies members who should not be in the role as stipulated by the membership rules for the role, and identifies entitlements role members should have but do not have. See “Viewing Role Analytics” on page 42 for more information.

Viewing Role Analytics

Analytics provide detailed statistics on role-based compliance processes and performance. The statistics provide a variety of details about roles, including the role quality value. They help you understand the quality of your roles, what roles are effective in your system, and what roles are not being used.

To view role analytics:

1. Click the Roles menu.

A list of roles appears.

2. Click the name of the role for which you want to view analytics, and then click the Analytics tab.

A list of statistics and the following information appears:

• Out of Constraint Users lists users in roles who do not match the membership rules for the roles.

• Missing Required Entitlements lists entitlements users do not have but should have as members of the roles.
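As an added example, not code from this guide or from the product, the following Python computes over constructed sample data the Out of Constraint Users and Missing Required Entitlements lists described above, together with three of the statistics defined in the table that follows: Number of Unique Entitlements, Membership Growth Rate and Membership Change Rate, using the table's own formulas (additions less, or plus, removals, divided by the number of days in the window). The user table, the attribute-equality form of the membership rule, the other-roles table, the event list and the window length are all constructed for the example.

```python
# Constructed sample data (not from the guide).
USERS = {
    "u1": {"department": "Finance", "entitlements": {"erp:GL_READ", "erp:AP_READ"}},
    "u2": {"department": "Finance", "entitlements": {"erp:GL_READ"}},
    "u3": {"department": "Sales",   "entitlements": {"erp:GL_READ", "erp:AP_READ"}},
}

ROLE = {
    "name": "Finance Analyst",
    "members": {"u1", "u2", "u3"},
    "entitlements": {"erp:GL_READ", "erp:AP_READ"},
    # Membership rule (user constraint), assumed here as attribute values a member must have.
    "constraint": {"department": "Finance"},
}

# Other roles in the system, used to find entitlements that only ROLE covers.
OTHER_ROLES = {"AP Clerk": {"erp:AP_READ"}}

# Membership events in the analysed window: (day offset, "add" | "remove"). Constructed.
WINDOW_DAYS = 14
EVENTS = [(1, "add"), (2, "add"), (3, "remove"), (6, "add"),
          (9, "add"), (11, "remove"), (13, "add")]


def out_of_constraint_users(role, users):
    """Direct members whose attributes do not match the membership rule."""
    return {
        uid for uid in role["members"]
        if any(users[uid].get(attr) != value for attr, value in role["constraint"].items())
    }


def missing_required_entitlements(role, users):
    """Per member, the role entitlements the member does not actually hold."""
    gaps = {}
    for uid in role["members"]:
        missing = role["entitlements"] - users[uid]["entitlements"]
        if missing:
            gaps[uid] = missing
    return gaps


def unique_entitlements(role, other_roles):
    """Entitlements no other role covers; they become out-of-role if this role is deleted."""
    covered = set().union(*other_roles.values()) if other_roles else set()
    return role["entitlements"] - covered


def membership_rates(events, window_days):
    """(growth, change) as the table defines them: additions less removals, and
    additions plus removals, each divided by the number of days in the window."""
    adds = sum(1 for _, kind in events if kind == "add")
    removes = sum(1 for _, kind in events if kind == "remove")
    return (adds - removes) / window_days, (adds + removes) / window_days


def interpret_growth(rate):
    """Gaining use (> 0), steady (0) or declining (< 0), as the table explains."""
    if rate > 0:
        return "gaining"
    if rate == 0:
        return "steady"
    return "declining"


if __name__ == "__main__":
    print("out of constraint users:", out_of_constraint_users(ROLE, USERS))
    print("missing required entitlements:", missing_required_entitlements(ROLE, USERS))
    print("unique entitlements:", unique_entitlements(ROLE, OTHER_ROLES))
    growth, change = membership_rates(EVENTS, WINDOW_DAYS)
    print(f"growth {growth:.3f}/day ({interpret_growth(growth)}), change {change:.3f}/day")
```

On the constructed data u3 is out of constraint (Sales, not Finance), u2 lacks erp:AP_READ, erp:GL_READ is unique to the role because no other role grants it, and five additions against two removals over 14 days give a positive growth rate, so the role reads as gaining use.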


The following table lists and defines role statistics.

Roles - Statistics

Attribute Description

Role Quality A value representing the quality of the role relative to Role Management Target thresholds set for roles. A value of 100% to 200% indicates that the role meets or exceeds the user and entitlement targets. Values below that range indicate that the role does not meet targets. See “Select Suggested Members to Add to a Role” on page 24 or “Select Suggested Entitlements to Add to a Role” on page 26, and “Combine Roles” on page 31 to increase the user and entitlement numbers.

Number of Users The number of users that are members of this role. This number should meet or exceed the user count target. Role quality can be improved by using the Suggest Users feature for roles.

Number of Groups The number of groups that are entitlements of this role.

Number of Entitlements The number of entitlements that are directly or indirectly members of this role. Each user in the role must have these entitlements.

Number of Unique Entitlements

The number of entitlements that belong only to this role and no others. These entitlements become out-of-role entitlements if this role is deleted. When other roles cover the entitlements, this count decreases.

Number of Sub-Roles The number of child roles that belong to this parent role.

Number of Out of Constraint Users

The number of users (direct members of the role) who do not match the user constraint configured for the role. This number should equal 0. You should review the role if this number is greater than 0. View the list of out of constraint users and decide whether the constraint needs to be changed or the user should be removed from the role.

Number of Missing Required Entitlements

The number of entitlements that role members should have but do not have. This number should equal 0.

Separation of Duties The number of users who have entitlements they should not have as stipulated by a separation of duties rule. See Chapter 4, “Rules,” on page 129 in the User Tasks Guide for more information.

Member Users Having Violations

The number of users who have entitlements they should not have as stipulated by a user access rule. See Chapter 4, “Rules,” on page 129 in the User Tasks Guide for more information.

Membership Growth Rate (Members/week)

This is the number of membership additions less the membership removals divided by the number of days. This number is calculated at unification time and does not change until the next unification. If this number is positive, the role is gaining use. If this number is 0, the role use is steady (typical for mature roles). If this number is below 0, the role use is declining. This indicates that a role might need to be changed or retired. If membership is declining, determine if the role should be modified or if it has been made obsolete by other roles and should be retired.

Membership Change Rate (Changes/week)

This is the number of membership additions plus the membership removals divided by the number of days. This number is calculated at unification time and does not change until the next unification. If this number is high, the role is unstable. If this number is low, the role membership is stable. An unstable status is expected when the role is new.

Role Change Rate (Changes/week)

The number of activated role versions divided by the number of days in the Frequency window. If this number is 0, it means that the role requires minimal maintenance.

Exporting and Importing Roles

You would typically export and import roles in the following scenarios:

• You want to develop roles on an RSA IMG staging system, export the roles to an XML file, and then import the roles into a production system.

• You want to define roles with Role Manager, export the definitions to an external role authority, and then collect the roles on an ongoing basis to determine whether they meet quality and security standards.

Export Roles

The Export Role feature supports the following export options:

• If RSA IMG is integrated with IBM Tivoli Identity Manager (ITIM), you can export one or more roles to the ITIM provisioning system. The IBM Tivoli Identity Manager fulfillment handler effects the export to the provisioning system. See Chapter 2, “Configuring Role Management Settings,” on page 13 for more information.

• Whether or not RSA IMG is integrated with IBM Tivoli Identity Manager (ITIM), you can generate an XML file containing role definitions in standard XML format.

To export roles:

1. Click the Roles menu.

A list of roles appears.

2. Specify the roles you want to export.

• To specify particular roles, select the roles from the list, and then select Export Roles from the Actions tab.

• To specify all roles, select Export Roles from the Actions tab.

The Export Roles dialog box appears.

3. Select the destination. If RSA IMG is integrated with ITIM, you can choose File (for export to an XML file) or IBM Tivoli Identity Manager (for export by the ITIM fulfillment handler).

4. Accept the Selected roles option if you previously selected roles in the Roles view, or choose All roles if you want to generate an export file containing role definitions for all roles.

5. Specify the type of role data to export.

• If you selected the “File” destination:

- Choose the Unique User Identifier attribute that identifies role members.

- Select the Include dependent roles option to export parent and contained roles.

- Select the Customize exported attributes option to choose the user, group, application role, or application entitlement attributes to export, and then select the attributes to export for each entity.

• If you selected the “IBM Tivoli Identity Manager” destination:

- Select sub-roles, entitlements, and members to export these entities.

- If you choose to export role members, specify the member attributes to export.

6. Click Export.

If the ITIM fulfillment handler is in effect, it processes the export to the integrated ITIM provisioning system.

If you exported the roles to a file, the Opening ExportedRoles.xml dialog box appears. Choose whether to open or save the file (AveksaRoleData), and then click OK. If you opened the file, you can save it to a location of your choice after you have viewed the file. If you saved the file, the file is saved to the default download location on your computer.

Import Roles

You can import roles you have engineered on one system, typically your staging system, to another system, typically your production system.

To import roles:

1. Click the Roles menu.

A list of roles appears.

2. Select Import Roles from the Action tab.

3. Select the XML file that contains the roles you want to import, and then click Next.

4. Select the roles to import. The Import Reason column lists the dependencies for each role — a role’s role set and any parent roles. For the latter dependency, you must import the parent role along with any role contained by that parent role.

5. Select role import options:

• Overwrite information for existing roles — Select this option if you want the metadata, entitlements, or members in the imported roles to supplant those in their counterpart roles on the target system.

• Create new role when imported role does not exist — Select this option if you want roles in the import file that do not have counterparts on the target system to be created on the target system. You can specify that only role metadata is imported for the new roles or that entitlements or members or both are included in the role.

6. Click Import.
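The dependency rule in step 4 (a role brings its role set and its parent roles with it) and the two options in step 5 can be worked out before the import is run. The following added example is not RSA IMG code and does not read the AveksaRoleData XML; it models an export as a small constructed role hierarchy and computes the full import set, an order that creates parents before the roles they contain, and the create/overwrite/skip action each role would get under the selected options. All role names, role set names and the ExportedRole data model are assumptions made for the example.

```python
"""Resolve what an Import Roles operation must bring along: a role depends on
its role set and on any parent role that contains it.  Role names, role sets
and the minimal data model are constructed for illustration; this is an added
example, not RSA IMG code or its export format."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ExportedRole:
    name: str
    role_set: str
    parents: list = field(default_factory=list)  # roles that contain this role


# Constructed sample export: a three-level hierarchy plus an unrelated role,
# spread over three role sets.
SAMPLE_EXPORT = {
    "Finance-Analyst": ExportedRole("Finance-Analyst", "Finance", ["Finance-Staff"]),
    "Finance-Staff": ExportedRole("Finance-Staff", "Finance", ["All-Employees"]),
    "All-Employees": ExportedRole("All-Employees", "Global"),
    "HR-Recruiter": ExportedRole("HR-Recruiter", "HR"),
}


def import_plan(export, selected):
    """Return (roles, role_sets, reasons) for a selection of roles.

    Selected roles pull in their whole parent chain, because a contained role
    cannot be imported without the parent that contains it.  `reasons` plays
    the part of the Import Reason column."""
    reasons = {name: "selected" for name in selected}
    roles, queue = [], deque(selected)
    while queue:
        name = queue.popleft()
        if name in roles:
            continue
        if name not in export:
            raise KeyError(f"role {name!r} is not in the export file")
        roles.append(name)
        for parent in export[name].parents:
            reasons.setdefault(parent, f"parent of {name}")
            queue.append(parent)
    role_sets = sorted({export[n].role_set for n in roles})
    return roles, role_sets, reasons


def import_order(export, roles):
    """Topological order, parents first, so every contained role can be
    attached to an already-existing parent when it is created on the target."""
    order, done = [], set()

    def visit(name):
        if name in done:
            return
        done.add(name)
        for parent in export[name].parents:
            visit(parent)
        order.append(name)

    for name in roles:
        visit(name)
    return order


def plan_actions(roles, target_roles, overwrite_existing, create_missing):
    """Map each role to create / overwrite / skip according to the two import
    options (Overwrite information for existing roles, Create new role when
    imported role does not exist).  `target_roles` is the set of role names
    that already exist on the target system."""
    actions = {}
    for name in roles:
        if name in target_roles:
            actions[name] = "overwrite" if overwrite_existing else "skip"
        else:
            actions[name] = "create" if create_missing else "skip"
    return actions


if __name__ == "__main__":
    roles, sets, reasons = import_plan(SAMPLE_EXPORT, ["Finance-Analyst"])
    for name in import_order(SAMPLE_EXPORT, roles):
        print(f"{name:16} role set={SAMPLE_EXPORT[name].role_set:8} reason: {reasons[name]}")
    print("role sets required on target:", sets)
    print(plan_actions(roles, {"All-Employees"}, overwrite_existing=False, create_missing=True))
```

Selecting only Finance-Analyst yields a three-role plan: the two parents are listed with the reason "parent of ..." and are ordered ahead of the role that needs them, and with overwriting disabled the parent that already exists on the target is skipped rather than replaced.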


Chapter 4: Role Engineering with Role Sets

Content

• “About Role Sets” on page 48

• “Viewing Role Sets” on page 49

• “Creating Role Sets” on page 51

• “Viewing Role Set Analytics” on page 54

• “Customizing Request Workflows for a Role Set” on page 56

• “Managing Role Sets” on page 58


About Role Sets

A role set is a container for roles. All roles, whether collected or created with Business Role Manager (local roles), must belong to a role set. A role set is also a laboratory, or a workshop, in which you can create multiple roles in a single procedure based on user and entitlement data criteria and manage and deploy roles as a group.

Business Role Manager provides two ways to create role sets:

• Create single role sets, one at a time. You can do this with the Create Role Set wizard, or you can create a role set when you create a role by simply providing a role set name in the Create Role configuration form. See “Creating Roles” on page 20 for more information.

• Create multiple role sets in one operation. This enables you to deploy role sets and grant role set ownership to multiple business owners and technical owners in your organization. The owners can then develop roles in their role sets and use the roles to manage and track access to their assets in a way that meets their business needs and maintains compliance with access management policies in your organization.

A role set is governed by a policy that stipulates what you can do with roles in the role set. For example, you may or may not want to allow roles to be organized in a hierarchy or allow business roles to include entitlements. You can specify, on a per-role-set basis, policy settings that override global policies to meet your requirements and those of the people who manage the role sets you create.

See “Configuring Role Type Design Policies” on page 15 for information on global policies for role sets.

About Role Sets and Resource Profiles

A resource profile consists of a set of roles that you do not want users to be able to request or to have included in “suggested entitlements” lists and “suggested roles” lists in role mining operations. By restricting the roles users can request access to, for themselves or for other users, you not only place some roles off limits but also control how the roles can be requested, via their association with groups and other roles rather than on a per-role basis.

See “Viewing Role Sets” on page 49 for information on how to determine whether all or a subset of a role set’s roles are available or unavailable for requests and suggested entitlements lists.

See Chapter 11, “Managing How Entitlements Are Requested Using Resource Profiles,” on page 95 in the Access Request Manager Guide for information on how to define a resource profile for a role set.

About Automatic Fulfillment of Change Requests for Roles in a Role Set

If the Access Fulfillment Express module is enabled for your installation, you can bind a role set to a fulfillment “connector” that automatically completes fulfillment activities in the source endpoint for the collected roles in the role set. A connector can have different capabilities. Consult the administrator of the Access Fulfillment Express module to determine the appropriate connector capabilities you require. See Chapter 5, “Managing Automatic Request Fulfillment for Business Source Endpoints,” on page 45 in the Access Fulfillment Express Guide for more information on managing connector bindings.


If you bind a connector to a role set, you must also associate the Default AFX Fulfillment workflow with the role set. See “Associate an Approval or Fulfillment Workflow to a Role Set” on page 57 for more information. The fulfillment handler for the workflow detects the fulfillment connector that is mapped to the role set and calls the connector to fulfill the change request in the data source the connector is designed to manipulate.

About Access Control and Role Sets

Role set owners, technical owners, and violation managers have view and edit privileges to their role sets. You can grant these privileges to other users, groups, and roles on a per-role-set basis. These privileges are granted as entitlements, and they take effect immediately when granted to recipients. See “Configuring Access Control for RSA IMG Objects” on page 116 in the Administrators Guide for more information.

Viewing Role Sets

You can view summary and detailed information about all role sets in the system and the roles they contain.

To view role sets:

Click the Roles menu and select Role Sets.

A list of role sets appears.

The following table lists and describes the summary view properties for role sets.

To determine whether a role set’s roles are available for requests, display the Exclude from Add Access table column. The Y indicator confirms that roles in the set are available for requests, although some roles may be unavailable; the N indicator confirms that all are unavailable for requests.

Role Set - Summary

Role Set Name: Name of the role set.

Description: Any description that has been composed for the role set.

Category: The category for the role set. A category is simply a way to organize role sets.

Role Type: The type of roles that can be contained in the role set. A role set can contain a single type of role only.

Average Role Quality: Average role quality for all roles in the role set.

Modified Roles: The number of roles that are undergoing modification and not in the committed state.

Last Modified: Date and time the role set was last modified.


Viewing Role Set Details

You can view detailed information about role sets.

1. Click the Roles menu and select Role Sets.

2. Click the name of the role set you want to view.

Information about the role set is organized under the following tabs:

• General — Provides summary information, modification history, policy specifications, the number of missing entitlements, the user and membership rules, and lets you edit and delete the role set. See “Managing Role Sets” on page 58 for information on editing and deleting role sets.

• Policy — The policies in effect for roles in this role set. See “Creating Role Sets” on page 51 for information on overriding global policy settings for a role set. See “Configuring Role Type Design Policies” on page 15 for information on configuring global policy settings.

• Roles — Lists the roles in the role set, lets you access role details, and lets you create, mine, and refine roles in the role set. See Chapter 3, “Working with Roles,” on page 19 for more information.

Display the Available for Request table column to determine which roles are available for request and provisioning operations and those that are not available per their inclusion in a resource profile for the role set.

• Resource Profile — Displays the roles included in the resource profile for the role set and lets you create and manage a resource profile. See Chapter 11, “Managing How Entitlements Are Requested Using Resource Profiles,” on page 95 in the Access Request Manager Guide for more information.

• AFX Connector Binding — Lists the change request fulfillment connector mapped to this role set. See “About Automatic Fulfillment of Change Requests for Roles in a Role Set” on page 48 for more information.

• Collectors — Lists role data collectors associated with the role set and lets you create role data collectors. See Chapter 2, “Working with Data Collectors,” on page 27 in the Collectors Guide for information on how to create and manage role data collectors.

• Requests — Displays the workflows used to process submissions, approvals, and fulfillments for requests generated for this role set. It also lets you customize the request submission form for the role set, change the workflows associated with approvals and fulfillments for the role set, and create new approval and fulfillment workflows that you can associate with the role set. See “Customizing Request Workflows for a Role Set” on page 56 for more information.

Note: The Requests tab appears only when Access Request Manager is enabled.

• Analytics — Lists role set quality statistics. See “Viewing Role Set Analytics” on page 54 for information.


Creating Role Sets

A role set is a collection of roles in the system. All roles must belong to a role set. Role sets allow you to review, configure, and deploy roles as a group. The roles remain part of a set throughout their lifecycles, letting you see how the roles adapt to change in the enterprise. Role sets can help you maximize user count per role and unique entitlements per role. You can create a single role set at a time or multiple role sets in one operation.

Create a Single Role Set

You can create a single role set for any type of role, business, technical, or global, on an as-required basis. If, instead, you want to create multiple role sets for a particular role type in a single operation, see “Create Multiple Role Sets” on page 53 for more information.

To create a single role set:

1. Click the Roles menu and select Role Sets.

2. Click Create Role Set.

3. Specify the following role set settings:

• Role Set Raw Name — Enter a unique system internal name for the role set.

• Role Set Name — Enter a display name for the role set.

• Description (optional) — Enter a description that informs other role designers and managers about, for example, the business rationale for the role set.

Note: See Chapter 15, “Creating and Managing Business Descriptions,” on page 205 in the Administrators Guide for information on configuring Long Description, Tooltip Text, Help Link fields.

• Role Type — Specify whether this role set includes global roles, technical roles, or business roles. A role set cannot contain different role types.

4. All settings in the Role Set Attributes group are optional. Configure settings significant to you and your organization:

• Business Use — How the role set is used in your organization.

• Category (optional) — Enter a category definition. A category is simply a way to help you organize your role sets.

• Classification — The classification or categorization of the role set.

• Functional Ownership — The person who manages the role set.

• Locality — The role set’s geographical or physical location.

• Sensitivity — Business value or “criticality” from a business risk perspective (High, Medium, or Low for example).

Enter values for any attributes in the role set that. See “Viewing Role Set Analytics” on page 54 for more information.


5. Configure settings in the Owners/Escalation group by clicking the default name (the current user) and selecting the designee for each setting:

• Business Owner — The user designated as the owner of the role set. The business owner is typically responsible for participating in reviews that include role set entitlements.

• Technical Owner — The user designated as the manager of technical issues related to the role set.

• Violation Manager — The user designated as the manager of rule violations related to the role set.

Note: See “About Access Control and Role Sets” on page 49 for information on the following settings.

• Other Business Owners — Click Edit, and then select no more than the indicated maximum allowed recipients to receive business owner entitlements to the role set.

• Other Technical Owners — Click Edit, and then select no more than the indicated maximum allowed recipients to receive technical owner entitlements to the role set.

• Other Violation Managers — Click Edit, and then select no more than the indicated maximum allowed recipients to receive violation manager entitlements to the role set.

6. Click Next.

7. Specify role set policy settings as necessary to meet your particular requirements. These settings override the global configuration settings specified under the Configuration option, as described in “Configuring Role Type Design Policies” on page 15. They specify what types of members and entitlements can be aggregated in roles in this role set and whether you can create role hierarchies within the role set.

Policy setting options include:

• Allow — The specific action is allowed.

• Allow with warning — The specific action is allowed, but Business Role Manager warns you that the action may not be recommended.

• Deny — The action is not allowed.

8. Specify a membership rule for the roles in the role set if you plan on including members in the roles in the role set. It lets you specify membership criteria based on any combination of user attribute values, affiliation with objects in the system such as groups and roles, or entitlements users have.

For example, you may want to restrict membership in roles in the role set to only those users who belong to a particular department, are members of another particular role, and have a particular application role. See “Configure Membership Rules” on page 22 for more information.

9. Specify an entitlement rule for the roles in the role set if you plan on aggregating entitlements in the roles in the role set. It lets you specify the criteria for which entitlements can be included in roles in the role set. For example, you may want to restrict entitlements to only those that belong to a particular application or directory.

Do the following:

a. Click the Entitlement Rule link.


b. Configure criteria for the rule, enter an optional display name, and click OK.

10. Click Finish to save the role set.

You can now explicitly create or discover roles for the role set and then perform other role management actions with the roles. See Chapter 3, “Working with Roles,” on page 19 for more information on creating, discovering, and managing roles.

Create Multiple Role Sets

You would typically create multiple role sets when you want to deploy a group of role sets for different business users or technical owners in your organization who require the role sets to effectively manage access to their resources. For example, you could create a business role type role set for each department or business unit head in your organization. They would then be able to create roles for their subordinates and add entitlements to the roles that those users need to do their jobs. You could also create multiple technical role type role sets, one for each application or directory in your organization. Technical owners could then add entitlements to the roles, which would then be available as entitlements for business or global roles.

To create multiple role sets:

1. Click the Roles menu and select Role Sets.

2. Click Create Role Sets.

3. Specify the following role set settings:

• Category — Provide a category name for the role sets you plan to create. A category name simply allows you to organize the role sets you create.

• Role Type — Select the type of role the role sets are designed for. A role set cannot contain different role types.

• Choose attribute type — Select the attribute type, user or entitlement, to serve as the basis for creating the role sets. For example, role sets for global roles can be based on user or entitlement attributes, role sets for business roles on user attributes, and role sets for technical roles on entitlement attributes.

4. Click Next.

An attribute specification criteria window appears.

5. Do the following:

a. Set a constraint as required using the Matching link for the type of attribute that is related to the role type for which you are creating role sets.

b. Configure criteria for role set creation, enter an optional display name, and click OK.

6. Click Next.

7. Configure the role set expression information:

a. Use the variables available for the Name field. You can also enter text.

b. (Optional) Enter information in the Description field. The description is included with all the role sets you create.


c. Select None, Current User, or Specific User for the Manager setting. You can change the names later after you create the role sets so that the different personnel for whom the role sets are intended will have the necessary access privileges to the role sets.

d. Click Next.

A window providing a preview of the role set candidates appears. You can choose to remove role sets and combine role sets or you can accept the candidates.

8. Remove or combine selected role sets as required, and then click Finish to create the role sets.

The role sets appear in the role sets list. You can now specify the policy for each role set and create or mine roles for each role set in accordance with the role set’s policy. See “Create a Single Role Set” on page 51 for information on specifying a role set manager and other role set configuration settings.

Viewing Role Set Analytics

Analytics provide detailed statistics on role-based compliance processes and performance.

To view role set analytics:

1. Click the Roles menu and select Role Sets.

2. Click the name of the role set you want to view, and then click the Analytics tab.

A list of statistics and the following information appears:

• Out of Constraint Users lists users in roles who do not match the membership rules for the roles.

• Missing Required Entitlements lists entitlements users do not have but should have as members of the roles.

The following table lists and describes role set statistics.

Role Set - Statistics

Total Number of Roles: Number of roles in the role set. This number should typically be greater than 1.

Average Role Quality: The average quality of the roles in the role set. A number of 100% to 200% indicates that roles on average meet or exceed user and entitlement targets. See “Select Suggested Members to Add to a Role” on page 24 or “Select Suggested Entitlements to Add to a Role” on page 26, and “Combine Roles” on page 31 to increase the user and entitlement numbers.

Average Number of Users Per Role: The average number of users for all roles in the role set.

Average Number of Entitlements Per Role: The average number of entitlements for all roles in the role set.

Total Number of Users: Number of users in roles in the role set. This number should be greater than 1.

Total Number of Groups: Number of user groups in roles in the role set. This number should be greater than 1.

Total Number of Entitlements: Total number of entitlements that are directly or indirectly included in roles in the role set. Each entitlement and each application role is considered an entitlement in this count. See “Select Suggested Members to Add to a Role” on page 24 and “Combine Roles” on page 31 to increase the number of entitlements.

Total Unique Entitlements: Total number of entitlements that are not included in any other role. This number should be 0 if you delete the roles in the role set. If you delete a role, create new roles focused on these entitlements that group the users in a different way. When other roles cover the entitlements, this count decreases.

Number of Unique Entitlements: The entitlements that are not included in any other role. This is the number of entitlements that become out-of-role entitlements if this role is deleted, so it should be near 0 before you delete a role. If you delete a role, create new roles focused on these entitlements that group the users in a different way. When other roles cover the entitlements, this count decreases.

Total Number of Out of Constraint Users: Number of users that are direct members of the role but do not match the user constraint configured for the role. This number should be 0. View the list of out of constraint users and decide whether the constraint needs to be changed or the user should be removed from the role.

Total Number of Missing Required Entitlements: Total number of entitlements missing from all users. This is a count of user-entitlement pairs. This number should be 0. View the list of users and their missing entitlements and then decide if there is a problem with a user having the entitlement. The entitlement should be made optional or the user should not have the role.

Membership Growth Rate (members/week): The number of membership additions less membership removals, divided by the number of days. This number is calculated at unification time and does not change until the next unification. If this number is positive, the role is gaining use. If this number is 0, the role use is stable (typical for mature roles). If this number is below 0, the role use is declining, which indicates that the role is not meeting the needs of your organization and should be changed or retired. If membership is declining, determine whether the role should be modified or whether it has been made obsolete by other roles and should be retired. No action is needed if membership is increasing or stable.

Membership Change Rate (changes/week): The number of membership additions plus membership removals, divided by the number of days. This number is calculated at unification time and does not change until the next unification. If this number is high, the role is unstable. If this number is low, the role membership is stable. An unstable status is expected for a new role.

Role Change Rate (changes/week): The number of activated role versions divided by the number of days in the frequency window (role management targets). This number should be 0, which means that the role requires minimal maintenance. If the role structure changes frequently, it should be reviewed for usefulness.
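To make the counts in the table concrete, the following added example (not RSA IMG code) computes the out of constraint users, the missing required entitlements as user-entitlement pairs, the unique entitlements and the membership growth, membership change and role change rates for a constructed role set of two roles and five users. The membership rule is modelled as a predicate over user attributes, the per-week figures are derived from the table's per-day formulas by a 7-day conversion, and every role, user, entitlement name, change event and the 14-day window are constructed assumptions. Reviewing these figures is how a role owner spots drift, such as members who no longer meet the rule or who lack an entitlement the role is supposed to grant, before it turns into an access violation.

```python
"""Compute role set statistics over a small constructed data set: out of
constraint users, missing required entitlements (user-entitlement pairs),
unique entitlements and the membership / role change rates.  Added example,
not RSA IMG code; all roles, users, entitlements and events are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Role:
    name: str
    members: Set[str]                        # direct member user ids
    entitlements: Set[str]                   # entitlements the role grants (treated as required)
    membership_rule: Callable[[dict], bool]  # the role's user constraint
    changes: List[Tuple[str, str]] = field(default_factory=list)  # ("add"|"remove", user) since last unification
    versions_activated: int = 0              # role versions activated in the window


# Constructed users: attributes plus the entitlements they actually hold.
USERS = {
    "u1": {"department": "AP", "grade": 2, "entitlements": {"erp:ap.invoice.enter", "erp:ap.view"}},
    "u2": {"department": "AP", "grade": 3, "entitlements": {"erp:ap.invoice.enter"}},
    "u3": {"department": "Sales", "grade": 2, "entitlements": {"erp:ap.invoice.enter", "erp:ap.view"}},
    "u4": {"department": "AP", "grade": 6, "entitlements": {"erp:ap.invoice.approve", "erp:ap.view"}},
    "u5": {"department": "AP", "grade": 4, "entitlements": {"erp:ap.invoice.approve"}},
}

# Constructed role set: two business roles that share one entitlement.
ROLE_SET = [
    Role("AP-Clerk", {"u1", "u2", "u3"}, {"erp:ap.invoice.enter", "erp:ap.view"},
         lambda u: u["department"] == "AP",
         changes=[("add", "u1"), ("add", "u2"), ("add", "u3"), ("remove", "u9")]),
    Role("AP-Supervisor", {"u4", "u5"}, {"erp:ap.invoice.approve", "erp:ap.view"},
         lambda u: u["department"] == "AP" and u["grade"] >= 5,
         changes=[("add", "u4"), ("add", "u5")], versions_activated=2),
]
WINDOW_DAYS = 14  # constructed frequency window between two unifications


def out_of_constraint_users(role: Role, users: Dict[str, dict]) -> Set[str]:
    """Direct members who do not satisfy the role's membership rule."""
    return {uid for uid in role.members if not role.membership_rule(users[uid])}


def missing_required_entitlements(role: Role, users: Dict[str, dict]) -> Set[Tuple[str, str]]:
    """User/entitlement pairs where a member lacks an entitlement the role grants."""
    return {(uid, ent) for uid in role.members for ent in role.entitlements
            if ent not in users[uid]["entitlements"]}


def unique_entitlements(role: Role, role_set: List[Role]) -> Set[str]:
    """Entitlements held by no other role in the set; they become out-of-role
    entitlements if this role is deleted."""
    others = set().union(*(r.entitlements for r in role_set if r is not role))
    return role.entitlements - others


def weekly_rates(role: Role, window_days: int) -> Dict[str, float]:
    """Growth = additions - removals, change = additions + removals, role change =
    activated versions, each divided by the days in the window as in the table;
    the /week figures assume a 7-day conversion of the per-day rate."""
    adds = sum(1 for action, _ in role.changes if action == "add")
    removes = sum(1 for action, _ in role.changes if action == "remove")
    return {
        "membership_growth": 7 * (adds - removes) / window_days,
        "membership_change": 7 * (adds + removes) / window_days,
        "role_change": 7 * role.versions_activated / window_days,
    }


def role_set_statistics(role_set: List[Role], users: Dict[str, dict], window_days: int) -> dict:
    """Roll the per-role figures up into the role set view."""
    per_role = {}
    for r in role_set:
        per_role[r.name] = {
            "out_of_constraint": out_of_constraint_users(r, users),
            "missing": missing_required_entitlements(r, users),
            "unique": unique_entitlements(r, role_set),
            **weekly_rates(r, window_days),
        }
    return {
        "total_roles": len(role_set),
        "total_users": len(set().union(*(r.members for r in role_set))),
        "total_entitlements": len(set().union(*(r.entitlements for r in role_set))),  # distinct, counted once
        "total_unique_entitlements": sum(len(v["unique"]) for v in per_role.values()),
        "total_out_of_constraint": sum(len(v["out_of_constraint"]) for v in per_role.values()),
        "total_missing": sum(len(v["missing"]) for v in per_role.values()),
        "avg_users_per_role": sum(len(r.members) for r in role_set) / len(role_set),
        "avg_entitlements_per_role": sum(len(r.entitlements) for r in role_set) / len(role_set),
        "per_role": per_role,
    }


if __name__ == "__main__":
    stats = role_set_statistics(ROLE_SET, USERS, WINDOW_DAYS)
    for key, value in stats.items():
        if key != "per_role":
            print(f"{key:28} {value}")
    for name, v in stats["per_role"].items():
        print(name, "out-of-constraint:", sorted(v["out_of_constraint"]),
              "missing:", sorted(v["missing"]), "unique:", sorted(v["unique"]))
```

On this data both roles flag exactly one out of constraint user (u3 is in Sales, u5 is below the supervisor grade) and one missing user-entitlement pair (u2 and u5 both lack erp:ap.view), so the role set shows 2 and 2 for those totals; the shared erp:ap.view is excluded from each role's unique entitlements, so deleting either role would orphan only one entitlement.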


Customizing Request Workflows for a Role Set

Note: You must have the correct ACM privileges to create custom submission, approval, and fulfillment workflows for your role set. Contact your RSA IMG administrator for assistance with acquiring those privileges as required.

You can manage the request workflows associated with a role set, which define how requests for access to roles in the role set and requests to remove that access are processed, to meet your particular requirements. If the Access Request Manager module is enabled, you can do the following:

• Customize the request submission form a requestor interacts with when requesting or changing access to the role set by configuring additional information prompts that requestors are asked or required to respond to before they submit the request.

• Associate an existing approval workflow with a role set, or create a custom approval workflow for a role set.

• Associate an existing fulfillment workflow with a role set, or create a custom fulfillment workflow for a role set.

Customize Submission Form Information for a Role Set

The access request administrator in your organization may have customized the contents of all access request submission forms to meet most, but not all, of your organization’s request information requirements. A standard set of information prompts that requestors respond to in a request submission form, however, may not meet your requirements.

As a role set owner or administrator you may want to include other types of fields and controls in a request submission form that prompt requestors for information required by request approvers and fulfillers to make informed decisions before they complete their tasks. For example, you may want a requestor to assign a priority level to the request or provide a justification for the request, and you may also want to specify that these prompts apply to all request forms for the role set or conditionally to only a sub-set of requestors.

To customize submission form information:

1. Click the Roles menu and select Role Sets.

2. Click the name of the role set for which you want to customize the request submission form.

3. Click the Requests tab.

The Submission section lists fields specific to the role set (Show: Specific Fields) and global submission form fields (Show: Common Fields).

4. Configure submission form fields as follows:

Note: See Chapter 7, “Customizing Request Submission Forms,” on page 55 in the Access Request Manager Guide for details as required.

• Add a new field to a request submission form for the role set.

a. Click New.


b. In the New Question window, configure a question. As necessary, click the Conditions tab to specify the criteria that must be met for this question to appear on a submission form.

c. Click OK.

• Remove a specific field for the role set.

a. Select the question you want to remove for the role set.

b. Click Delete to remove the specific field from request submission forms for the role set.

The Submission section lists the questions that appear on request submission forms for the role set.

5. Use the arrows for question entries to arrange the questions in the order you want them to appear on a request submission form.

Associate an Approval or Fulfillment Workflow to a Role Set

You can override the default approval and fulfillment workflow for the role set or any other custom workflow that has been previously associated with the role set.

To associate an approval or a fulfillment workflow to the role set:

1. Click the Roles menu and select Role Sets.

2. Click the name of the role set to which you want to associate an approval or fulfillment workflow.

3. Click the Requests tab.

The Approval and Fulfillment sections list any workflows explicitly associated with the role set, or none are listed if the default workflows are in effect.

4. Perform the workflow assignment task you want to complete:

• To assign an approval or fulfillment workflow for change requests associated with the role set:

a. Click Change.

b. In the Edit Approval Workflow window, select a workflow and then click OK.

The approval or fulfillment workflow you selected specifies the approval or fulfillment process for the role set.

• To remove an approval or fulfillment workflow for change requests associated with the role set:

a. Click Change.

b. In the Edit Approval Workflow window, deselect the workflow and then click OK.

The default workflow for approvals or fulfillments is now in effect.


• To create an approval or fulfillment workflow to associate with the role set:

a. Click New.

b. Complete the workflow creation procedure as described in “Creating and Managing Workflows” on page 253 in the Administrators Guide.

RSA IMG assigns the new workflow to the role set.

Managing Role Sets

You can modify the profiles of role sets to meet your particular requirements and delete empty role sets you no longer require. See Chapter 3, “Working with Roles,” on page 19 for information on modifying a role set by adding roles to or removing roles from it.

Modify a Role Set

You can modify a role set after you have created it in the following ways:

• Update the role set name, category, manager, and description.

• Update the role set policy.

• Update the role set member and entitlement rules.

To modify a role set:

1. Click the Roles menu and then select Role Sets.

2. Click the name of the role set you want to modify.

3. Click Edit.

See “Create a Single Role Set” on page 51 for information on role set configuration settings.

4. Modify settings as required, and then click Finish.

5. Click Apply Changes to save the changes to the role set.

Delete a Role Set

You can delete an empty role set that you no longer require. If you want to delete a role set with roles, you must first remove the roles from the role set.

To delete an empty role set:

1. Click the Roles menu and then select Role Sets.

2. Click the name of the empty role set you want to delete.

3. Click Delete.

4. Click OK in the deletion confirmation window.

The role set is removed from the system.


Index

Aaccess control

role sets 49access privileges to roles 39add entitlements to roles 33AFX connector binding, for automatic access

request fulfillment 48analytics

role set 54roles 42

applicationsbusiness owner 52manage AFX connector binding 48technical owner 52violations manager 52

apply changes to a role 21apply changes to multiple roles 35

Bbackup role owner 20business description for a role 42business roles

create role set for 51creating 20

Cchange requests

customizing submission form for role set 56generated for membership rule violations 23

combine roles 31configuration options 14copy roles 32creating

business role 20global role 20parent role for multiple roles 34role set 51technical role 20

Ddeleting

role set 58roles 32

description for roles 20disable roles 32

Eedit role attributes 33email notification for membership rule

violation 23enable roles 32endpoint binding, for access request

fulfillment 50entitlements

basis for role set 30in roles 21, 42suggested for role 26

export role 17export roles 44

Ffulfillment handler modification 17

59

Page 60: RSA Identity Management and Governance

Index

G
global roles
    create role set for 51
    creating 20

I
invalid character rule for role names 15

L
lifecycle management 9

M
members in roles 20, 42
membership rules
    actions in response to violations 23
membership rules for role members 22
mining roles 47
missing required entitlements 42, 54
modifying
    role profile 31
    role set 58

O
out of constraint users 42, 54

P
policies, global settings for role sets 15
profiles for roles 42
provisioning system, role export 44

R
remove all members from roles 34
remove entitlements from roles 33
request workflows 50
    managing for a role set 57
resource profiles, role sets 48, 50
revert changes to a role 21
revert changes to multiple roles 35
reviews generated for membership rule violations 23
role analysis, custom role limit configuration 14
role details, viewing 41
role engineering 47
    best practices principles 11
    hybrid approach 9
    least privileges 11
    maximum users 11
    role frameworks 10
    segregation of duties 11
    top-down approach 9
role management overview 8
role management targets 15
role mining 47
role names, specify invalid characters for 15
role quality standards, specifying 15
role set 50
role sets
    access control 49
    analytics 54
    creating 51
    customizing request submission forms for 56
    deleting 58
    details 50
    global design policies 15
    manage endpoint binding 50
    modifying 58
    other business owners 52
    other technical owners 52
    other violation managers 52
    request workflows 57
    resource profiles for 48, 50
    viewing 49
roles
    access privileges 39
    adding entitlements to 21
    adding groups to 20
    adding members to 20
    analytics 42
    associating role collector with 20
    backup owner, specifying 20
    business description for 42
    business descriptions for 42
    configuration options 14
    description 20
    entitlements 42
    import from file 44
    lifecycle management 9
    members 42
    membership rules 22
    modifying profile 31
    owner, specifying 20
    profiles for 42
    reports 10
    reviews 10
    role backup owner, role set manager 8
    role export file 44
    role owner 8
    rules 10
    state 41
    types 8
    viewing 40
roles, actions
    add entitlements to roles 33
    apply changes to roles 35
    combine roles 31
    copy roles 32
    create parent roles 34
    deleting 32
    disable roles 32
    edit role attributes 33
    enable roles 32
    remove all members 34
    remove entitlements from roles 33
    revert changes to roles 35
    split roles by user attribute 34
roles, analysis 36
    suggest entitlements 36
    suggest entitlements to remove 39
    suggest members to remove 38
    suggest roles to combine 37
    suggest roles to delete 38
    suggest users 36
roles, design policies for 15
roles, management targets
    optimal entitlements 16
    optimal users 16
    rate change data 16
    rate of change 16

S
segregation of duty requirements 11
split roles 34
state of role 41
suggest entitlements
    percentage of role members having entitlement 26
    suppressing the option 15
suggest members
    having role entitlements 24
    matching role constraints 24
    suppressing the option 15
suggestions
    entitlements for role 36
    role entitlements to remove 39
    role members to remove 38
    roles to combine 37
    roles to delete 38
    users for role 36
suppressing suggested members/entitlements option 15

T
technical roles
    create role set for 51
    creating 20

U
user-entitlement clusters, basis for role set 29
users, basis for role set 28

V
viewing
    role details 41
    role set details 50
    role sets 49
    roles 40
