Role Mining & Optimization
Role Mining for Enterprise IAM
Refine enterprise identity and access management roles with data-driven mining—fewer toxic combinations, clearer RBAC, and recertification campaigns that teams can actually finish.
The EmpowerID Difference
Why Organizations Choose EmpowerID
What's different vs. the usual IGA vendors.
Top-Down Analytical
Unique to EmpowerID—optimizes access based on business function, not just entitlements.
HR-Driven
Leverage existing HR, HCM, and Active Directory data for business role information.
80% Reduction
Minimize security roles significantly—reduces direct assignments by 80%.
Streamline Recertification
Managers certify compact lists of business-friendly roles, not hundreds of technical entitlements.
Role Mining and Optimization
Compliant Access by design is the capability to map out the following in advance: position-appropriate access for employees, partners, and customers, and the risk policies that will measure and ensure continued compliance.
Unfortunately, defining position-appropriate access for a large organization can be a huge and daunting task. It can also lead to unavoidable project delays. However, not having such guidelines forces IT organizations to resort to costly and inefficient manual processes which often create security vulnerabilities.
EmpowerID's Role Mining engine solves this challenge by intelligently scanning your organization and then recommending an optimal initial set of roles. This initial set is based on a combination of your organization's existing HR job position data and existing access assignments. These initial roles then evolve as your business environment changes, e.g. with reorganizations, mergers and acquisitions, or role changes.
Zero Trust & Least Privilege
All the while, EmpowerID's role optimization functionality manages all aspects of role management, ensuring that roles always adhere to Zero Trust and only ever grant optimal least privilege access.
- Optimal initial role set
- Evolves with business changes
- Zero Trust adherence
- Least privilege access
HR System Integration
To get an initial analysis rolling, EmpowerID connects with your HR system, such as Workday, SuccessFactors, or SAP HCM. Each of these systems maintains a rough organization structure and details of employee positions.
EmpowerID then inventories these "external roles" and locations, and obtains information about user assignments.
- Workday, SuccessFactors, SAP HCM
- Active Directory integration
- Organization structure mapping
- Employee position data
Leverage Existing Sources of Business Role Information
The starting point for many EmpowerID projects is to establish business roles and organizational locations. The best sources for this data are usually your HR or Human Capital Management system (HCM), and Active Directory.
One major advantage of EmpowerID is that it comes with a wide range of out-of-the-box connectors for such systems.
Once this data resides within the EmpowerID system, it generates an initial business role and organization location tree for "top down analytical" role mining analysis.
To ensure continuous Compliant Access delivery, this information becomes a key driver once roles are defined and access policies are assigned. Subsequent changes in the authoritative system will trigger reevaluation and adjustment of Compliant Access for each user, without any laborious or expensive manual administration.
How It Works
"Top Down Analytical" Role Mining
Unique to EmpowerID—optimizes access based on what users do within your organization
After years of analyzing organizations' security models and sources of data, EmpowerID invented the "Top Down Analytical" Role Mining technique.
Compliant Access requires that user entitlements are appropriate for their position. Top Down Analytical Role Mining facilitates this by leveraging 3 areas:
- The rough outline of an organization's existing business roles.
- The knowledge about which users occupy those positions.
- Their whereabouts in the company, i.e. their department, location, etc.
Primarily, "Top Down Analytics" optimizes access based on what a user does within the organization.
The Top Down Analytical Process
1. Snapshot: EmpowerID takes a snapshot of HR data to determine roles and role-based access policies.
2. Inventory: EmpowerID inventories all entitlements and access assignments for each user in every system.
3. Analysis: EmpowerID uses a sophisticated analytical technique to optimally fit existing user access assignments on the business role and location tree.
4. Publish: Once optimal matches are identified, they can be published as role-based assignments automated by your HR data.
5. Maintain: EmpowerID then maintains changes on an ongoing basis.
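To make the snapshot, inventory, analysis, and publish steps concrete, here is an added example that is not EmpowerID code and not the product's algorithm, which this page does not disclose. It assumes a simple coverage-threshold fit onto a two-level tree (business role, then role at a location); all names and data are constructed.

```python
from collections import defaultdict

# Constructed sample data (not from EmpowerID): HR snapshot and access inventory.
HR = {  # user -> (business role, location)
    "ana": ("Accountant", "Berlin"), "bo": ("Accountant", "Berlin"),
    "cy": ("Accountant", "Austin"), "di": ("Accountant", "Austin"),
    "ed": ("Recruiter", "Austin"),
}
ACCESS = {  # user -> entitlements held directly today
    "ana": {"erp:ledger-read", "share:fin-berlin", "vpn"},
    "bo": {"erp:ledger-read", "share:fin-berlin", "vpn"},
    "cy": {"erp:ledger-read", "share:fin-austin", "vpn", "erp:payroll-admin"},
    "di": {"erp:ledger-read", "share:fin-austin"},
    "ed": {"ats:candidates", "vpn"},
}

def mine_top_down(hr, access, threshold=1.0):
    """Fit entitlements onto role, then role+location nodes; return (policies, residual)."""
    members = defaultdict(set)
    for user, (role, loc) in hr.items():
        members[(role,)].add(user)        # parent node: business role
        members[(role, loc)].add(user)    # child node: role at a location
    policies, covered = {}, defaultdict(set)
    # Parents first (shorter tuple), so shared access lands as high in the tree as possible.
    for node in sorted(members, key=lambda n: (len(n), n)):
        users = members[node]
        counts = defaultdict(int)
        for u in users:
            for e in access[u] - covered[u]:
                counts[e] += 1
        granted = {e for e, c in counts.items() if c / len(users) >= threshold}
        if granted:
            policies[node] = granted
            for u in users:
                covered[u] |= granted
    # Whatever no node explains stays a direct assignment (input to bottom-up mining).
    residual = {u: access[u] - covered[u] for u in hr if access[u] - covered[u]}
    return policies, residual

def over_grants(hr, access, policies):
    """Entitlements a published policy would newly give a user (least-privilege check)."""
    out = {}
    for user, (role, loc) in hr.items():
        new = (policies.get((role,), set()) | policies.get((role, loc), set())) - access[user]
        if new:
            out[user] = new
    return out
```

With `threshold=1.0` the 14 direct assignments in the sample collapse to role policies plus two residual exceptions for `cy`, and `over_grants` is empty. Lowering the threshold to 0.75 moves `vpn` onto the Accountant role but would newly grant it to `di`, which is the least-privilege trade-off to review before publishing.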
Bottom Up Role Mining
After completing Top Down role mining, much of each user's access will be optimized, delivered, and then controlled via your business roles.
The remaining unoptimized access will consist of less structured team or matrix-based access and exceptions.
This access can then be optimized using "Bottom up" analytical role mining. Bottom up role mining is a multi-step process that involves creating, running, and analyzing "Role Mining Campaigns".
Role Mining Campaigns analyze entitlements and user data using powerful machine learning algorithms to produce optimal "candidate roles". Candidate roles are combinations of people and entitlements. These combinations are then further analyzed and are either accepted by the organization as being accurate, or they are further manipulated to create subsets of those combinations.
Publishing Candidate Roles
Once candidate roles are accepted, they can be published as standalone management roles, mapped to business roles and locations, or they can be used to create new business roles and locations.
- Machine learning algorithms
- Candidate role generation
- Organization acceptance workflow
- Flexible publishing options
80% Reduction in Direct Assignments
A role optimization program can reduce the number of direct assignments by 80% and present managers with a compact list of business-friendly roles to certify.
More importantly, your organization's security becomes more manageable and your risk profile is minimized.
Streamline Recertification
Role Mining and Optimization assists organizations by minimizing the number of security roles, reducing administrative workloads, and streamlining audit recertification campaigns.
Without role optimization, your managers are faced with the daunting task of certifying hundreds of individual technical entitlements per direct report.
With role optimization, managers certify compact lists of business-friendly roles instead of hundreds of technical entitlements. This makes recertification efficient, accurate, and manageable.
Proven at Enterprise Scale
Customer success metrics from Fortune 500 role mining deployments
Analyst Recognition
Industry recognition for role mining excellence
KuppingerCole Leadership
Identity & Access Intelligence
Strong role mining and optimization capabilities
Strategic Endorsement
Executive View Report
Top-down analytical approach recognized