Building Roles
- Updated on 30 Oct 2024
The first step in building a robust Lifecycle Management process in Clarity is configuring and verifying your roles in the platform.
Before you begin
Before getting your Roles in order, first let's take a look at the Identity Attributes and Organizational Units configurations in Clarity, as these form the framework on which your Role Based Access Control is built.
Identity Attributes
Specifically, for Identity Attributes, we want to ensure that your custom attributes are available for use and properly configured. In the article linked below, the Identity Attributes are explained in detail to help with configuration.
Changes made to your Identity Attribute Precedence will not be reflected in an Identity until you select the Refresh Identity Attributes button at the top of the page.
Organizational Units
Next up, we will want to configure or verify the Organizational Units for your desired role structure. By default, Clarity is configured with the most common scenario (Department > Job Title). Check out the article below for details on how to configure that.
Rebuild your Role Structure
If and when you make changes to your Identity Attributes precedence or your Organizational Units, you will want to purge and rebuild your roles.
Purge and Rebuild Roles
If you would like to start over from scratch, you will want to follow these steps in the Settings pages:
See Organizational Units to learn more detail on the steps below.
- On the Settings > Identity Attributes page, make any changes to Identity Attribute Precedence (especially for attributes that will be used as Org Units).
- Again on Settings > Identity Attributes, click the Refresh Identity Attributes button. This applies the attribute changes to your existing Identities. Note: If a user's org units change at this time, the change will trigger the Identity Modified Workflow.
- Wait at least 5 min for the Identity Attribute changes to propagate.
- On Settings > Organizational Units and Provisioning adjust the Organizational Units to match your desired structure. Don't forget to click Save after making the changes.
- Now you can click the Purge button on Settings > Organizational Units and Provisioning. This will delete your entire role structure (Roles and the associated Entitlements).
- Wait about 1 min, then click Soft Refresh to rebuild your roles.
After your role structure is reset and rebuilt, Clarity will also add the Entitlements that make up the Role's birthright access (Role Mining, detailed below).
The Purge action will delete all of your roles and the entitlements already associated with them. If you have already spent time adjusting your roles and customizing the associated Entitlements after Role Mining was completed, that work will be deleted during the Purge and Rebuild process. Only Role-Entitlement relationships created during the subsequent Role Mining process will be added back. See the section below for more details about Role Mining.
Role Mining
In addition to resetting your role structure, Clarity also performs another automated task called Role Mining. This automatic process occurs during the Hard Refresh step above.
When your new Roles are created, Clarity will automatically add entitlements to your roles when certain conditions are met. For Clarity to add these baseline entitlements to your Roles, the entitlement must be shared by 100% of the role members.
For example, if you have 20 employees in the Information Technology Department and each of them has an Entitlement called IT Department, then Clarity would add this entitlement to the Information Technology role at the department level.
Another example would be the job title IT Manager (in the same Information Technology Department as above). Your 3 IT Managers have the following entitlements: IT Management and All Managers. Clarity would detect that all members of the Information Technology/IT Manager role have those entitlements in common, and automatically add them to the role.
Automatic Role-Entitlement Addition
The Automatic Role-Entitlement Addition toggle will allow Clarity to add new entitlements to your roles automatically, if it finds a 100% match across all Identities in a given Role. This means that if Clarity finds that all Identities within the role have the entitlement, then the entitlement will be added to the role with a Grant Type of Role.
It is recommended to leave the Automatic Role-Entitlement Addition toggle disabled if you are using Clarity for automatic provisioning and Life Cycle Management, so that you have complete control over which entitlements are part of your Roles.
Defining your Roles
Now that Clarity's Role Mining has taken place, and given you a strong baseline for your roles, you just need to review your roles and identify any entitlements that might still be missing. Clarity provides several tools and ways for you to investigate likely additions for your roles, or scenarios where combining roles might make sense.
Entitlement Suggestions
When clicking the Manage button when viewing a role within Clarity, you will be taken to the Manage Role page, which lets you review Entitlement suggestions Clarity has found for the role. The entitlements listed are suggested based on the overlap of Identities within the Role that have an entitlement not already included in the role. Below we show an example of this from the Entitlement Suggestions tab on the Manage Role page.
In the image below, you see the CS/Implementation Specialist role, and some Entitlements Clarity has suggested be a part of the role based on the overlap of members in the role who have the entitlement as an Exception. In the example, both members of the role have the 5 entitlements listed. The Count column indicates that this role has 2 Identities, and both of them already have this entitlement. Clicking the Add button would make the entitlement part of the Role, and any new employees hired would receive that access as part of their birthright access.
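The 100% rule from the Role Mining section and the overlap count from Entitlement Suggestions, as an added Python sketch (this is not Clarity's code). The sample identities are constructed, and the parent/child subtraction and the `min_members` guard are assumptions made for illustration, not Clarity settings.

```python
from collections import Counter, defaultdict

# Constructed sample identities (not real data): (name, department, job title, entitlements).
IDENTITIES = [
    ("ana", "Information Technology", "IT Manager",
     {"IT Department", "IT Management", "All Managers", "VPN Admin"}),
    ("ben", "Information Technology", "IT Manager",
     {"IT Department", "IT Management", "All Managers"}),
    ("cy", "Information Technology", "IT Manager",
     {"IT Department", "IT Management", "All Managers", "VPN Admin"}),
    ("dee", "Information Technology", "Help Desk Analyst",
     {"IT Department", "Ticketing Agent", "Domain Admin"}),
]

def build_roles(identities):
    """Group entitlement sets by the default Org Unit structure: Department > Job Title."""
    roles = defaultdict(list)
    for _name, dept, title, ents in identities:
        roles[dept].append(ents)
        roles[f"{dept}/{title}"].append(ents)
    return dict(roles)

def mine_roles(roles, min_members=1):
    """Return {role: entitlements held by 100% of its members}.

    Assumption: a Department/Job Title role omits what its Department role
    already grants. min_members is a hypothetical review guard, not a Clarity setting.
    """
    mined = {}
    for role in sorted(roles):  # "Dept" sorts before "Dept/Title", so parents come first
        members = roles[role]
        shared = set.intersection(*members) if len(members) >= min_members else set()
        parent = role.rpartition("/")[0]
        mined[role] = shared - mined.get(parent, set())
    return mined

def suggest(members, granted):
    """Rank entitlements not yet in the role by how many members hold them."""
    counts = Counter(e for ents in members for e in ents - granted)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    roles = build_roles(IDENTITIES)
    mined = mine_roles(roles)
    for role, ents in mined.items():
        print(f"{role} ({len(roles[role])} members): {sorted(ents)}")
    mgr = "Information Technology/IT Manager"
    print(suggest(roles[mgr], mined["Information Technology"] | mined[mgr]))
```

A single-member role passes the 100% test trivially, so everything that one identity holds (here a constructed `Domain Admin` entitlement) would become birthright access for the role. Review small roles before relying on mined entitlements for provisioning.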
Custom Roles
You may want to create some custom roles for special account types. A common scenario for this would be service accounts, admin accounts, etc. Often, accounts of these types do not have attributes that would include them in a role, so they are assigned to the Default role within Clarity.
Check out the Special Roles section of the What is a Role? article for more details.
It is typically recommended that you populate these fields in the Downstream Application (or source) for any Identities that appear in the Default roles, so an appropriate role will be assigned after the next sync.
Need Help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.