Final solution for Keycloak push notifications
Keycloak is a key component of our Inalogy IAM solution. We are continuously reducing the…
3 good reasons to implement role mining
3 mins read
09 jan 25
Has your company reached a point where you manage more roles than users in your Identity Management system? Does this situation feel unsustainable? Many established organizations find themselves in this position. As employees come and go, each requiring unique access combinations to perform their jobs, access rights accumulate, and eventually, this type of access management becomes overwhelming.
MidPoint IDM version 4.8 introduced a new feature – Role Mining – designed to address these challenges. And it is significantly improved in version 4.9!
What is Role Mining? According to Evolveum’s wiki, role mining is a tool that uncovers relationships between users and roles, producing a list of suggested business roles. These suggestions help reduce the number of direct access right assignments and optimize the organization’s RBAC model. MidPoint employs AI elements like pattern recognition and data clustering to perform this analysis.
01
Business roles recommendation
The primary output of role mining is a set of proposed business roles designed to reduce direct role assignments to users. These recommendations need careful analysis to determine whether they can be practically implemented or if there are business processes and rules not implemented in MidPoint that might prevent their application.
During role mining, MidPoint groups users based on similar access patterns and attributes such as organizational placement, profession, or other characteristics. Within each group, it evaluates which access rights users have in common and suggests combining these into a single business role.
Alternatively, roles can be grouped based on shared user assignments. Again, this leads to evaluating whether such role groups could form effective business roles that would help streamline access management and improve the role model.
Both approaches require an experienced administrator or role engineer familiar with their company’s data to process the output. Successful role mining evaluation demands an understanding of the overall role model and the types of users assigned access. Without this knowledge, making qualified decisions about which proposed business roles are practical becomes extremely challenging.
02
Detection of outliers
Another mode of role mining is outlier detection, where MidPoint identifies users whose access patterns differ from those of their colleagues.
Similar to role mining, users are grouped based on access similarities and other attributes. MidPoint then compares whether any users have additional access rights compared to others in their group. If such access is found, it’s flagged as suspicious.
Again, this requires involvement from an administrator or someone familiar with the company environment to determine whether flagged access is legitimate or needs removal. These identified accesses can also be sent through access certification, delegating the legitimacy decision to the affected user’s manager or the owner of the flagged access role or right.
03
Enhanced security, streamlined operation
Beyond reducing role assignments and improving RBAC model efficiency, role mining significantly enhances information security. Through role mining and RBAC model refinement, the system becomes more transparent and easier to manage, helping reveal role configuration issues that could potentially lead to security incidents.
Outlier detection directly impacts information security by helping identify users with potentially inappropriate access roles. MidPoint administrators can prevent security incidents that occur either through intentional misuse or inadvertently after a successful phishing attack.
These capabilities transform what was once a daunting management task into a streamlined, secure process that supports both operational efficiency and robust security measures.
Want to read more ?
Adaptive midPoint SSH connector – final solution for all SSH based systems (example)
Large organizations hugely rely on systems managed via SSH interface. MidPoint only provides a lightweight…
Inalogy becomes Silverfort partner
Inalogy has established a partnership with Silverfort to address specific technical challenges in identity and…