- Candidates for new role definitions, which appear as sets of users with common identity attributes and entitlements.
- Users who may violate segregation of duties policy.
- Users who may represent especially high business risk, for example, because of the many security entitlements attached to their identity.
- Accounts that have inconsistent identity attributes -- for example, one phone number on one system, but a different phone number on another system.
- Accounts that have empty or invalid identity attributes.

Hitachi ID Identity Manager includes entitlement analytics that can be used to aid in the development of a role model. For example, a built-in report allows an authorized user to find all users with a given set of attributes (e.g., manager=X, location=Y, jobcode=Z) and to compare their login IDs and group memberships on every integrated system. If the entitlements are consistent, then the set of entitlements shared by these users is a good candidate for a role, to be assigned to these users.
This type of entitlements comparison is illustrated in Figure [link].
Screen shot: Comparing Entitlements for Existing Users (1)
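
The cohort comparison described above, sketched as an added example (this is not Hitachi ID Identity Manager code or its report logic). The user names, systems, entitlement names and the `threshold` parameter are constructed assumptions; `threshold` below 1.0 generalizes "consistent" to "held by most of the cohort".

```python
from collections import defaultdict

# Constructed sample data: (user, identity attributes, {(system, entitlement)}).
FIN = {"manager": "X", "location": "Y", "jobcode": "Z"}
USERS = [
    ("alice", FIN, {("AD", "grp-finance"), ("AD", "grp-vpn"), ("SAP", "AP_CLERK")}),
    ("bob",   FIN, {("AD", "grp-finance"), ("SAP", "AP_CLERK")}),
    ("carol", FIN, {("AD", "grp-finance"), ("AD", "grp-vpn"),
                    ("SAP", "AP_CLERK"), ("SAP", "AP_APPROVER")}),
    ("dave", {"manager": "Q", "location": "Y", "jobcode": "Z"}, {("AD", "grp-hr")}),
]

def role_candidates(users, keys, min_users=2, threshold=1.0):
    """Group users by the chosen attributes and derive a candidate role per cohort.

    An entitlement joins the candidate role when at least `threshold` of the
    cohort holds it (1.0 = strict intersection). Everything else is reported
    per user so a reviewer can decide whether it is a legitimate exception.
    """
    cohorts = defaultdict(list)
    for name, attrs, ents in users:
        cohorts[tuple(attrs[k] for k in keys)].append((name, ents))

    results = []
    for key, members in cohorts.items():
        if len(members) < min_users:      # a single user is not a pattern
            continue
        counts = defaultdict(int)
        for _, ents in members:
            for ent in ents:
                counts[ent] += 1
        core = {e for e, c in counts.items() if c / len(members) >= threshold}
        results.append({
            "attributes": dict(zip(keys, key)),
            "users": [name for name, _ in members],
            "role": sorted(core),
            # Held by the user but outside the role: review before granting.
            "extra": {n: sorted(e - core) for n, e in members if e - core},
            # In the role but not held: assigning the role would add access.
            "missing": {n: sorted(core - e) for n, e in members if core - e},
        })
    return results

if __name__ == "__main__":
    for cand in role_candidates(USERS, ("manager", "location", "jobcode"), threshold=0.6):
        print(cand)
```

The `missing` list matters as much as `extra`: assigning a majority-derived role to the whole cohort grants those entitlements to users who never had them.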