Symantec IGA

We want to implement RBAC / ABAC using CA Identity Governance tools - Client tools.

Is there a guide to implement the top-down and bottom-up methods in addition to a procedure guide to perform proper Role and / or Attribute mining with Client tool?

We await your answers and thank you in advance.

Best regards.

@caIdentityManager
@caIdententyGovernance
​​

------------------------------
Ricardo Fernández
------------------------------

Original Message------

We want to implement RBAC / ABAC using CA Identity Governance tools - Client tools.

Is there a guide to implement the top-down and bottom-up methods in addition to a procedure guide to perform proper Role and / or Attribute mining with Client tool?

We await your answers and thank you in advance.

Best regards.

@caIdentityManager
@caIdententyGovernance
​​

------------------------------
Ricardo Fernández
------------------------------

Original Message------

Hi Ricardo,

Have you seen this guide?  It goes into detail about each role discovery method and how to set the parameters to refine your searches.  

https://docops.ca.com/ca-identity-governance/14-3/EN/client-tools/role-discovery/common-role-discovery-operations#CommonRoleDiscoveryOperations-BasicRoles  

Hope this gets you started!

Lynn McMorrow

Hi Ricardo,

It's more of an art than a detailed step-by-step procedure. 

I can give you some guidelines of how:

Get your data ready:

1) First of all, you need to enrich your users' records with HR information. The more the merrier, since this is what top-down role mining and especially auditing relies on.

2) Import entitlements from every possible endpoint where users have access

3) Consolidate the entitlement data into a single configuration file.

4) Adjust the Evaluation Weight of each attribute. Different weight value can and will lead to different outcome. You can do this by going to Audit --> Audit Parameters --> Evaluation Weigh (Click update by CFG and adjust those that you think need to be adjusted - but usually Update by CFG should give you a good weight distribution)

a) Attributes that are unique to users such as Numeric Employee ID, Person ID (global user ID), email, etc. have zero impact on role modeling and their weight should be set to zero
b) Attributes that are common to most users should have a value close to zero (say 1 or 2) - things like  company name, or attributes that hardly have any values for most users
c) Attribute values that are shared by fewer users should have higher values 7, 8, 9, or 10 depending on how much or less they are shared


Role Discovery:

1) Examine how many direct links you have between users and resources. This should be your guiding principle (to achieve 70 or 80% coverage of these links with roles) - you can find the number of links under View --> Configuration Properties:



2) Use any of the discovery techniques to discover roles (adjust your percentage of user's and resources coverage with each group - typically you want a minimum of 2 resources and 80% users coverage as a starting point - increase or decrease your percentage of users coverage depending on how many or few roles you discover) - but I personally always set my Preferred Search Mode to 'Prefer Many User-Resource Connections) - remember that the goal is to reduce the the number of direct links between users and resources:
Also, depending on how large your users population is, you may need to set a high number for the Maximum number of Roles to find:



3) Merge the roles that you find into the original configuration file you started with - just drag and drop
(make sure you always have a copy of the original saved on disk) 

4) Run an audit on the merged configuration and find all the outliers - those who should be connected by HR values but are not. This step will produce an audit card. Click control A to select everyone in the audit card and right-click --> Auto-fix model

5) Select all users, right-click and choose 'Remove Redundant Links' (this will remove the direct user-resource links that are covered by roles, and therefore will reduce your overall direct links in the configuration

6) Repeat from step 2 until step 5, the same role discovery technique until no more roles are found for this technique

7) Move to the next role discovery technique and perform steps 2 through 6

8) Repeat step 7 for all available role discovery techniques

Role Engineering:

CA Identity Governance, allows you to audit the roles that you discovered for overlap, common percentage coverage or users, and resources, and nesting relationship between roles. It's all in the Audit menu. They are all here under Audit --> Pattern-based Audit:



Additional tools and techniques are also available by right clicking on a single, 2, or more roles. 
You can choose to merge roles, or make a role a parent of child roles. 
Examine your direct link and see how much you manged to reduce them percentage-wise

Finally, remember this is not exact science. It is only meant to give you an understanding oh how entitlements are allocated so you can have a more intelligent discussion with the application and business owners. You can take your findings to LOB owners and ask if you are on track. Usually you are close but not 100% spot on. 

Hope this helps!
Original Message:
Sent: 09-11-2019 11:02 AM
From: Ricardo Fernandez
Subject: RBAC/ABAC with CA Identity Governance - Client tools

Thank you very much Lynn for your response.

Yes, we are seeing that part of docops.

We are working with those concepts.

What I am looking for is an explanation of "the best way to perform Roles and Attributes mining" using the Clien tool as RBAC dictates.

Original Message------

Hi Ricardo,

Have you seen this guide?  It goes into detail about each role discovery method and how to set the parameters to refine your searches.  

https://docops.ca.com/ca-identity-governance/14-3/EN/client-tools/role-discovery/common-role-discovery-operations#CommonRoleDiscoveryOperations-BasicRoles  

Hope this gets you started!

 

 

Lynn McMorrow

Original Message------

Hi Ricardo,

It's more of an art than a detailed step-by-step procedure. 

I can give you some guidelines of how:

Get your data ready:

1) First of all, you need to enrich your users' records with HR information. The more the merrier, since this is what top-down role mining and especially auditing relies on.

2) Import entitlements from every possible endpoint where users have access

3) Consolidate the entitlement data into a single configuration file.

4) Adjust the Evaluation Weight of each attribute. Different weight value can and will lead to different outcome. You can do this by going to Audit --> Audit Parameters --> Evaluation Weigh (Click update by CFG and adjust those that you think need to be adjusted - but usually Update by CFG should give you a good weight distribution)

a) Attributes that are unique to users such as Numeric Employee ID, Person ID (global user ID), email, etc. have zero impact on role modeling and their weight should be set to zero
b) Attributes that are common to most users should have a value close to zero (say 1 or 2) - things like  company name, or attributes that hardly have any values for most users
c) Attribute values that are shared by fewer users should have higher values 7, 8, 9, or 10 depending on how much or less they are shared

Role Discovery:

1) Examine how many direct links you have between users and resources. This should be your guiding principle (to achieve 70 or 80% coverage of these links with roles) - you can find the number of links under View --> Configuration Properties:

2) Use any of the discovery techniques to discover roles (adjust your percentage of user's and resources coverage with each group - typically you want a minimum of 2 resources and 80% users coverage as a starting point - increase or decrease your percentage of users coverage depending on how many or few roles you discover) - but I personally always set my Preferred Search Mode to 'Prefer Many User-Resource Connections) - remember that the goal is to reduce the the number of direct links between users and resources:
Also, depending on how large your users population is, you may need to set a high number for the Maximum number of Roles to find:

3) Merge the roles that you find into the original configuration file you started with - just drag and drop
(make sure you always have a copy of the original saved on disk) 

4) Run an audit on the merged configuration and find all the outliers - those who should be connected by HR values but are not. This step will produce an audit card. Click control A to select everyone in the audit card and right-click --> Auto-fix model

5) Select all users, right-click and choose 'Remove Redundant Links' (this will remove the direct user-resource links that are covered by roles, and therefore will reduce your overall direct links in the configuration

6) Repeat from step 2 until step 5, the same role discovery technique until no more roles are found for this technique

7) Move to the next role discovery technique and perform steps 2 through 6

8) Repeat step 7 for all available role discovery techniques

Role Engineering:

CA Identity Governance, allows you to audit the roles that you discovered for overlap, common percentage coverage or users, and resources, and nesting relationship between roles. It's all in the Audit menu. They are all here under Audit --> Pattern-based Audit:

Additional tools and techniques are also available by right clicking on a single, 2, or more roles. 
You can choose to merge roles, or make a role a parent of child roles. 
Examine your direct link and see how much you manged to reduce them percentage-wise

Finally, remember this is not exact science. It is only meant to give you an understanding oh how entitlements are allocated so you can have a more intelligent discussion with the application and business owners. You can take your findings to LOB owners and ask if you are on track. Usually you are close but not 100% spot on. 

Hope this helps!