Tools

• Clear redundant roles
• Disable inactive users
• Disable inactive accounts
• Role mining

Clear redundant roles

Description

A high level profile can contain or grant application permissions. On the other side, application permissions can contain or grant low level permissions. All of them are referred to generally as roles.

Some users could have been granted both high level profiles and application permissions or low level permissions.

In that case, low level roles can be removed from the Soffid database, as they are inherited through role inheritance rules.

This tool identifies any low level roles granted to users at the same time that its owner high level role, and removes them.

Screen overview

Related objects

1. Roles
2. User

Actions

Introduction

A brief description of this process.

Next	Allows you to browse to the Filter roles step.

Filter roles

Allows you to filter a subset of roles to apply the process.

Undo	Allows you to return to the previous step without applying any changes.
Next	Once you search for the proper Roles, you can click the Next button to browse to the Preview result step.

Preview result

Displays a list with the subset filtered of roles.

Undo	Allows you to return to the previous step without applying any changes.
Next	Allows you to run the Clear redundant roles process to the subset of roles & accounts there are in the list.

Disable inactive users

Description

Probably there are some users that do not need access to any information system. Using this tool you will be able to identify them and act upon them.

The process is a two step process:

1. Filter out the universe of users to analyze.
2. Select the actions to perform on these users.

The available actions are the following:

• Send an email.
• Disable the user.
• Remove accounts from the target system.

It's usual to initially use this tool for only a subset of your users.
For instance, you can send a message when the password is reaching the expiration date, disable the user when no login has been made in the last 90 days or completely remove its accounts when the identity has been disabled for 30 days.

Screen overview

* Send an email message: Send To: #{userName} #{attributes.manager} issuers@soffid.com

Related objects

1. User

Actions

Introduction

A brief description of this process.

Next	Allows you to browse to the Filter roles step.

Filter users

Allows you to filter a subset of users to apply the process

Undo	Allows you to return to the previous step without applying any changes.
Next	Once you search for the proper Users, you can click the Next button to browse to the Criteria result step.

Criteria

Allows you to establish the action to perform on these users.

Undo	Allows you to return to the previous step without applying any changes.
Next	Once you search for the proper Users, you can click the Next button to browse to the Criteria result step.

Preview result

Displays a list with the subset filtered of users.

Undo	Allows you to return to the previous step without applying any changes.
Next	Allows you to run the process to the subset of users there are in the list.

Disable inactive accounts

Description

Probably there are some accounts that are no longer used. Using this tool you will be able to identify them and act upon them.

The process is a two step process:

1. Filter out the universe of accounts to analyze.
2. Select the actions to perform on that accounts.

The available actions are the following:

• Send an email.
• Disable the user.
• Remove accounts from the target system.

It's usual to initially use this tool for only a subset of your accounts.
For instance, you can send a message when the password is reaching the expiration date, disable the account when no login has been made in the last 90 days or completely remove it when the account has been disabled for 30 days

Screen overview

* Send an email message: Send To: #{userName} #{attributes.manager} issuers@soffid.com

Related objects

1. Account

Actions

Introduction

A brief description of this process.

Next	Allows you to browse to the Filter roles step.

Filter accounts

Allows you to filter a subset of accounts to apply the process

Undo	Allows you to return to the previous step without applying any changes.
Next	Once you search for the proper Accounts, you can click the Next button to browse to the Criteria result step.

Criteria

Allows you to establish the action to perform on these accounts.

Undo	Allows you to return to the previous step without applying any changes.
Next	Once you search for the proper Accounts, you can click the Next button to browse to the Criteria result step.

Preview result

Displays a list with the subset filtered of accounts.

Undo	Allows you to return to the previous step without applying any changes.
Next	Allows you to run the process to the subset of accounts there are in the list.

Role mining

Description

Soffid’s role mining feature applies data mining technology to create business profiles based upon current application permissions in order to minimize the number of roles to be managed and maintained with the relevant cost saving.

In this context, Soffid allows the administrator to select different role management strategies:

• More roles with fewer permissions.
• Fewer roles with more permissions.
• Balanced approach.

Once you configure the role mining strategy, you will run the Role mining process (Scheduled task)

Screen overview

Custom attributes

Scope

• Description: a brief description to identify the operation.
• Groups: This component allows you to add groups to the list. Those groups will be evaluated with the role mining process.
• Applications: This component allows you to add applications to the list. Those applications will be evaluated with the role mining process.

Parameters

• User entitlement management cost How much does it cost to assign a role to a user?
• Role entitlement management cost: How much does it cost to assign a role to a profile?
  
• Role management cost: How much does it cost to create a role? 
• Status:
  • Preparation
  • Scheduled
  • Review
  • Finished

Results

• Name: name for the new role.
• Description: a brief description.
• Actual Users: actual users number.
• Permission: roles number.
• Benefit: benefit to be obtained.
• Cost: current cost.
• Status:
  • Proposed.
  • Accepted.
  • Rejected.

Reports

• Permissions per role
• Users per role
• Entitlement changes

Actions

Role mining query actions

Query	Allows you to query the role mining process through different search systems, Basic and Advanced.
Add or remove columns	Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved the next time Soffid displays the page.
Add new	Allows you to add a new role mining process in the system. You can choose that option on the hamburger menu or by clicking the add button (+).
Delete	Allows you to remove one or more role mining processes by selecting one or more records and next clicking the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.
Download CSV file	Allows you to download a CSV file with the basic information of all role mining processes.
Merge	Allows you to merge two identities when you identify that is necessary. First of all, you need select two identities. Second, you need to click the hamburger icon and select the merge action. Then Soffid will display a window where you need to select the correct value for each standard and custom parameter. Finally, you need to apply changes to save the updates, or back to cancel that action.

Role mining scope

Save	Allows you to save the scope defined. It will be mandatory to select some groups and information systems before continuing. When the role mining process is created, the default status will be Preparation.
Add Groups	Allows you to add new groups to be evaluated. You need to click the add groups button (+) and search the proper groups, then click the Add group button.
Add Applications	Allows you to add new applications to be evaluated. You need to click the add application button (+) and search the proper groups, then click the Add application button.
Undo	Allows you to quit without applying any changes.
Next	Allows you to browse to the Parameter step. It will be mandatory to select some groups and information systems before continuing.

Parameters

Start	If you click the start button, Soffid will change the process status to Scheduled.
Undo	Allows you to quit without applying any changes.

Result

Next	If you click the Next button, Soffid will browse to the Reports tab.
Undo	Allows you to quit without applying any changes.

Reports

Download	Allows you to download a report with the permissions matrix.
Apply changes	If you click the Apply changes button, Soffid will make the changes in the roles of users and entitlements.
Undo	Allows you to quit without applying any changes.