Skip to main content

NIM

Role mining

Use a role miner to find the initial best fit of existing groups in target systems to roles in the development role model, based on common user accounts. Role mining can be a helpful first step in building your role model. It may be especially useful in large environments (~5-100k accounts, ~20-30k groups).

To get started, follow the example in the App tutorial.

Every role in NIM contains 1) members and 2) groups in which the members will be granted membership. The members come from a parameterized filter. The groups, however, can come from any of the following:

  1. Select them manually on the Groups pane when you Edit a role

  2. Select them programmatically with the Role groups pane of a role generator

  3. Calculate the best fit based on the current target system configuration, using role mining (the topic of this article)

The best-fit calculation in role mining is based on common user accounts. That is, role mining compares the members assigned to your NIM roles against the current members of groups in the target system itself, to find the best fit of those groups to your existing roles. A single group may be placed in multiple roles.

To say it again, to mine means to find the best NIM roles for each target system group, based on the current role memberships vs. the target system's current group memberships. If your target system doesn't have any members in its groups, you cannot do role mining.

The best fit is determined by the smallest distance, i.e., the minimum number of job items (write operations) that NIM has to perform. The distance is the total number of changes in group membership (members added + members removed) if the provisionally calculated fit is applied to the development role model and executed. The ideal distance is always 0. A distance of 0 means that the fit is perfect and NIM does not have to make any changes to bring the actual target system situation in line with the role model.

Role mining is only a first step in building your role model, unless the fit is perfect (i.e., the distance is 0). Typically, the second step after applying a role miner is to manually review all role - group assignments. You'll need to ensure that each role has all the groups it should have, and doesn't have groups it shouldn't.

Configuration tab
Scope pane
2022-02-09_13-11-33.png
Scope

The target system and its user - group table pair to be mined.

Group Selection Filter

A filter with a column that contains the groups from the target system which should be mined. Not necessary if all groups should be mined. Affects the contents of the Included Groups pane and the Excluded Groups pane. The role miner automatically detects the relevant column.

Roles pane
2022-02-09_13-13-56.png

All Roles in the current Development role model. These are the roles for which groups will be mined.

Included Groups pane
2022-02-09_13-14-46.png

The groups to be mined, in the Scope target system.

Excluded Groups pane
2022-02-09_13-15-14.png

Groups in the Scope target system which have been excluded from mining by the Group Selection Filter.

Groups tab
Controls pane
2022-02-09_15-06-49.png
Select All

Select all rows in the Groups pane. Selected rows will be included in mining when you click Mine.

Mine

Mine the selected groups.

Apply

Write the pending mining results of the selected groups to the Development role model. (You must click Save after you click Apply, to complete the apply operation.)

Clear

Remove the selected groups from all roles.

Restore

For the selected groups, reload their current role associations from the Development role model.

Distance

The best fit is determined by the smallest distance, i.e., the minimum number of job items (write operations) that NIM has to perform. The distance is the total number of changes in group membership (members added + members removed) if the provisionally calculated fit is applied to the development role model and executed. The ideal distance is always 0. A distance of 0 means that the fit is perfect and NIM does not have to make any changes to bring the actual target system situation in line with the role model.

This distance value is equal to the sum of all rows in the Distance column of the Groups pane.

Target

The currently selected groups, which will be mined when you click Mine.

Groups pane
2022-02-09_15-07-10.png

The numbers in this pane change based on actions you perform in the Controls pane, as well as roles that you include or exclude in the Roles pane.

Group Name

The groups in the target system available to be mined. When a single row is selected, that group's currently associated roles are displayed in the Roles pane.

# Members

The number of users who are currently members of this group in the target system.

Distance

The number of job items (write operations) that NIM would have to make to the target system, if the current role miner configuration is applied and the role model is executed. Equal to the # Add column plus the # Remove column. Ideally, it is 0, which indicates a perfect fit.

# Matches

The number of members who are currently in the target system group and will remain there, if the current role miner configuration is applied and the role model is executed. Ideally, this number is the same as # Members (in which case the Distance for the group is 0).

# Add

The number of new members who will be added to the target system group, if the current role miner configuration is applied and the role model is executed. Ideally, this number is 0.

# Remove

The number of current members who will be removed from the target system group, if the current role miner configuration is applied and the role model is executed. Ideally, this number is 0.

# Roles

The number of roles in the Development role model that this group is currently in.

Delta Roles

The difference between # Roles, and the number of roles the group will be in, if the role miner configuration is applied and the role model is executed.

Roles pane
2022-02-09_15-07-30.png
Included

Select or clear this checkbox to add or remove the selected group from roles in the Development role model.

Role Name

The roles currently in the Development role model.

# Members

The number of members currently in this role, in the Development role model.

# Matches

The number of members who are currently in this role and will remain there, if the current role miner configuration is applied and the role model is executed . Ideally, this number is the same as # Members.

# Add

The number of members who are not currently in this role, but will be added if the current role miner configuration is applied and the role model is executed. Equal to the # Members column minus the # Matches column. Ideally, this number is 0.

In this section: