Role definitions must be entered into a user provisioning system.
Since there may be many Roles representing many
groups of users, it makes sense to analyze existing data about
user-to-resource assignment, drawn from target systems,
to streamline this process.
The process of mining actual user-to-resource mapping data to
extract role definitions is called Role Mining.
There are three approaches to Role Mining:
- Top-down Role Mining: identify sets of identifying attributes that
should group together users with identical Resource requirements.
Define a Role based on the common rights that matching
- Bottom-up Role Mining: identify sets of Resources that should
appear together, define them as Roles, and search for users
who have these Resources, and consequently should be assigned
- By Example Role Mining: ask managers to identify which of their
subordinates do the same job. Check to see if those users
have the same Privileges. If they do, define a Role to
represent that group of users and attach the users to the Role.
Optionally, seek out users with the same Privileges who report to
other managers, and attach them as well.
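
The bottom-up approach described above can be sketched in a few lines. This is an added example, not code from the original page or from any provisioning product. The sample assignments are constructed, and the names `mine_roles` and `residual_rights` and the thresholds `min_users` and `min_resources` are assumptions made for illustration. It also reports rights that no mined role explains, which goes one step beyond the text.

```python
from itertools import combinations

# Constructed sample data: user -> resources, as if exported from target systems.
ASSIGNMENTS = {
    "alice": {"crm:read", "crm:write", "mail"},
    "bob":   {"crm:read", "crm:write", "mail"},
    "carol": {"crm:read", "crm:write", "mail", "payroll:read"},
    "dave":  {"git:push", "ci:deploy", "mail"},
    "erin":  {"git:push", "ci:deploy", "mail", "prod:ssh"},
    "frank": {"mail"},
}

def mine_roles(assignments, min_users=2, min_resources=2):
    """Return {frozenset(resources): sorted member list} for candidate roles."""
    # Candidate resource sets: every user's full set plus every pairwise
    # intersection, i.e. sets of Resources that actually appear together.
    candidates = {frozenset(r) for r in assignments.values()}
    candidates |= {frozenset(a & b)
                   for a, b in combinations(assignments.values(), 2)}
    roles = {}
    for cand in candidates:
        if len(cand) < min_resources:
            continue  # too small to be worth managing as a Role
        # Search for users who hold all of these Resources.
        members = sorted(u for u, r in assignments.items() if cand <= r)
        if len(members) >= min_users:
            roles[cand] = members
    return roles

def residual_rights(assignments, roles):
    """Resources each user holds that none of their mined roles accounts for."""
    leftover = {}
    for user, held in assignments.items():
        covered = set()
        for resources, members in roles.items():
            if user in members:
                covered |= resources
        if held - covered:
            leftover[user] = held - covered
    return leftover

if __name__ == "__main__":
    mined = mine_roles(ASSIGNMENTS)
    for resources, members in mined.items():
        print(sorted(resources), "->", members)
    print("unexplained:", residual_rights(ASSIGNMENTS, mined))
```

Rights left in the residual set are the ones to review by hand before the mined roles are entered into the provisioning system.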