Large environments (tested with 80.000 users and > 200.000 permissions) require that mining can be started for smaller portions of data. Tech Role Mining already provides some of the mechanism mentioned:

1. Attributes can be configured in IG to be used for candidate proposal. It is essential that values can be
selected for those attributes. The usual mechanisms for filters in IG can
be applied (like e.g. in the Business Role members rule), also an explicit list of chosen permissions.
Sample: mining for department "IT" only

2. It should also be possible to limit the set of permissions used for mining. The usual mechanisms for
filters in IG can be applied, also an explicit list of chosen permissions.
Sample: mining for permissions of category "SAP" only
Sample: mining for business roles of a certain level. This would mean that business roles of a lower
level are handled like permissions when mining higher business role levels

3. The filters as described for 1. and 2. must be usable in combination.

4. It should be possible to merge and separate candidates. This function simply copies the membership
rule/ configuration and also the administration configuration but allows to split and merge the list
of permissions.

5. An indicator for role system quality should exist, e.g. based on a combination of
- number of business roles
- number of users
- number of permissions
- number of hierarchy levels (business roles, permissions)
- business role coverage
The indicator should show historic values for these numbers (trending).

6. Role Mining should also support business role hierarchy (refer to 2.). Business role candidate proposal
should take existing business roles into account. This is a very special case that applies if a more
specific business role exists (membership and permission subset of the mined role).
This process should be controlled by an option (e.g. option "include appropriate business roles")

by: Klaus S. | over a year ago | Configuration