Role definitions must be entered into a user provisioning system. Since there may be many Roles representing many groups of users, it makes sense to analyze the existing user-to-resource assignment data already held in target systems, rather than defining every Role by hand, to streamline this process.

The process of mining actual user-to-resource mapping data to extract role definitions is called Role Mining.

There are three approaches to Role Mining:

  1. Top-down Role Mining: identify identity attributes (for example department, job title or location) whose values group users who should have identical Resource requirements. Define a Role from the rights that all matching users have in common; rights held by only some members of the group are exceptions to be reviewed, not part of the Role.
  2. Bottom-up Role Mining: identify sets of Resources that consistently appear together across many users, define each such set as a Role, and search for users who hold all of these Resources and consequently should be assigned the Role.
  3. By Example Role Mining: ask managers to identify which of their subordinates do the same job. Check whether those users have the same Privileges. If they do, define a Role to represent that group of users and attach the users to the Role. Optionally, seek out users with the same Privileges who report to other managers, and attach them as well.
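The three approaches differ mainly in where the candidate grouping comes from: identity attributes, co-occurring entitlements, or a manager's nomination. The following added example (not code from the original page, and not any product's implementation) runs all three over a small, constructed set of users whose HR attributes and target-system entitlements are made up for illustration, and then measures how much of the actual assignment data the mined Roles explain.

```python
"""Role mining over a constructed user-to-entitlement matrix.

Added example, not code from the original page.  All users, attributes and
entitlement names below are made up; "ent" is the set of entitlements a user
actually holds, as pulled from target systems."""
from collections import defaultdict
from itertools import combinations

# Constructed sample input: HR attributes plus entitlements from an ERP, a
# file server, a VPN and a code-hosting service.
USERS = {
    "alice": {"dept": "finance", "title": "analyst",
              "ent": {"sap:fi_read", "sap:fi_post", "fileshare:finance"}},
    "bob":   {"dept": "finance", "title": "analyst",
              "ent": {"sap:fi_read", "sap:fi_post", "fileshare:finance", "vpn:admin"}},
    "carol": {"dept": "finance", "title": "manager",
              "ent": {"sap:fi_read", "sap:fi_approve", "fileshare:finance"}},
    "dave":  {"dept": "eng", "title": "developer",
              "ent": {"git:push", "ci:run", "fileshare:eng"}},
    "erin":  {"dept": "eng", "title": "developer",
              "ent": {"git:push", "ci:run", "fileshare:eng"}},
    "frank": {"dept": "eng", "title": "manager",
              "ent": {"git:push", "fileshare:eng", "sap:fi_read"}},
}


def top_down(users, attrs, min_members=2):
    """Group users by identity attributes; each group becomes a candidate Role
    holding the entitlements *every* member has (set intersection).  Whatever a
    member holds beyond that is reported as an exception for review."""
    groups = defaultdict(list)
    for name, u in users.items():
        groups[tuple(u[a] for a in attrs)].append(name)
    roles = {}
    for key, members in groups.items():
        if len(members) < min_members:
            continue  # a one-person "role" is just a direct assignment
        common = set.intersection(*(users[m]["ent"] for m in members))
        roles["+".join(key)] = {
            "ent": common,
            "members": sorted(members),
            "exceptions": {m: users[m]["ent"] - common
                           for m in members if users[m]["ent"] - common},
        }
    return roles


def bottom_up(users, min_size=2, min_users=2):
    """Find entitlement sets that recur together, ignoring identity attributes.
    Candidates are each user's full set and every pairwise intersection; one is
    kept when it is large enough and held in full by enough users."""
    sets = [frozenset(u["ent"]) for u in users.values()]
    candidates = set(sets) | {a & b for a, b in combinations(sets, 2)}
    roles = []
    for cand in candidates:
        holders = sorted(n for n, u in users.items() if cand <= u["ent"])
        if len(cand) >= min_size and len(holders) >= min_users:
            roles.append({"ent": set(cand), "members": holders})
    # Most widely held, then largest, Roles first.
    return sorted(roles, key=lambda r: (-len(r["members"]), -len(r["ent"]), sorted(r["ent"])))


def by_example(users, nominated, extend=True):
    """A manager names subordinates who do the same job.  Create a Role only if
    they really hold identical entitlements; optionally attach any other user
    with exactly that entitlement set, whoever they report to."""
    ents = [users[u]["ent"] for u in nominated]
    if any(e != ents[0] for e in ents[1:]):
        return None  # privileges differ: no Role, send back for review
    members = set(nominated)
    if extend:
        members |= {n for n, u in users.items() if u["ent"] == ents[0]}
    return {"ent": set(ents[0]), "members": sorted(members)}


def coverage(users, roles):
    """Share of actual user-to-entitlement assignments explained by the Roles.
    What is left over is direct assignment or entitlement creep to review."""
    total = sum(len(u["ent"]) for u in users.values())
    explained = 0
    for name, u in users.items():
        via_roles = set().union(*(r["ent"] for r in roles if name in r["members"]))
        explained += len(u["ent"] & via_roles)
    return explained / total


if __name__ == "__main__":
    for key, role in top_down(USERS, ("dept", "title")).items():
        print("top-down", key, sorted(role["ent"]), role["members"], role["exceptions"])
    mined = bottom_up(USERS)
    for role in mined:
        print("bottom-up", sorted(role["ent"]), role["members"])
    print("by-example alice+bob:", by_example(USERS, ["alice", "bob"]))
    print("by-example dave+erin:", by_example(USERS, ["dave", "erin"]))
    print("coverage of bottom-up roles: %.2f" % coverage(USERS, mined))
```

Two points worth noticing in the output. Top-down mining flags bob's `vpn:admin` as an exception rather than folding it into the finance analyst Role, whereas bottom-up mining simply never sees it because it is held by one user; either way, mining from actual assignments will reproduce whatever over-provisioning already exists unless candidate Roles are reviewed before they are loaded into the provisioning system. And the by-example check refuses to create a Role for alice and bob for the same reason: the manager believes they do the same job, but the target systems say otherwise.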
