Building Roles
- Updated on 08 Jan 2025
The first step in building a robust Lifecycle Management process in Clarity is configuring and verifying your roles in the platform.
Before you begin
Before getting your Roles in order, first let's take a look at the Identity Attributes and Organizational Units configurations in Clarity, as these form the framework on which your Role-Based Access Control is built.
Identity Attributes
Specifically, for Identity Attributes, we want to ensure that your custom attributes are available for use and properly configured. In the article linked below, the Identity Attributes are explained in detail to help with configuration.
Note
Changes made to your Identity Attribute Precedence will not be reflected in an Identity until you select the Refresh Identity Attributes button at the top of the page.
Organizational Units
Next up, we will want to configure or verify the Organizational Units for your desired role structure. By default, Clarity is configured with the most common scenario (Department > Job Title). Check out the article below for details on how to configure that.
Rebuild your Role Structure
If and when you make changes to your Identity Attributes precedence or your Organizational Units, you will want to purge and rebuild your roles.
Purge and Rebuild Roles
If you would like to start over from scratch, you will want to follow these steps in the Settings pages:
See Organizational Units to learn more detail on the steps below.
1. On the Settings > Identity Attributes page, make any changes to Identity Attribute Precedence (especially for attributes that will be used as Org Units).
2. Again on Settings > Identity Attributes, click the Refresh Identity Attributes button. This applies the attribute changes to your existing Identities. Note: If org units change for a user at this time, the change will trigger the Identity Modified Workflow.
3. Wait at least 5 min for the Identity Attribute changes to propagate.
4. On Settings > Organizational Units and Provisioning, adjust the Organizational Units to match your desired structure. Don't forget to click Save after making the changes.
5. Now you can click the Purge Roles & Role-Entitlements button on Settings > Organizational Units and Provisioning. This will delete your entire role structure (Roles and the Entitlements associated with those roles).
6. Wait about 1 min, then click Build Roles & Role-Entitlements to rebuild your roles.
After your role structure is reset and rebuilt, Clarity will also add the Entitlements that make up each Role's birthright access (Role Mining, detailed below).
Purge Roles & Role-Entitlements Action
The Purge Roles & Role-Entitlements action will delete all of your roles and the entitlements already associated with them. If you have already spent time adjusting your roles and customizing the associated Entitlements after Role Mining was completed, this effort will be deleted during this process. Only Role-Entitlement relationships created during the subsequent Role Mining process will be added back. See the section below for more details about Role Mining.
Role Mining
In addition to resetting your role structure, Clarity also performs another automated task called Role Mining. This automatic process occurs during the Build Roles & Role-Entitlements step above.
When your new Roles are created, Clarity will automatically add entitlements to your roles when certain conditions are met. For Clarity to add these baseline entitlements to your Roles, the entitlement must be shared by 100% of the role members.
For example, if you have 20 employees in the Information Technology Department and each of them has an Entitlement called IT Department, then Clarity would add this entitlement to the Information Technology role at the department level.
Another example would be if you had the job title IT Manager (same Information Technology Department from above). Your 3 IT Managers have the following entitlements: IT Management and All Managers. Clarity would detect that all members of the Information Technology/IT Manager role have those entitlements in common, and automatically add them to the role.
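The 100% rule above, and what a purge does to hand-tuned roles, shown as an added example (not Clarity's code or API): a simplified Python model run over constructed identities. The function names, the sample data, and the choice to list an entitlement only at the department level when the whole department shares it are assumptions.

```python
from collections import defaultdict

# Constructed sample identities: (name, department, job title, entitlements).
IDENTITIES = [
    ("ana", "Information Technology", "IT Manager",
     {"IT Department", "IT Management", "All Managers"}),
    ("ben", "Information Technology", "IT Manager",
     {"IT Department", "IT Management", "All Managers", "VPN Admin"}),
    ("cara", "Information Technology", "Systems Engineer",
     {"IT Department", "Server Admin"}),
    ("dev", "Information Technology", "Systems Engineer", {"IT Department"}),
]

# Constructed current state: "Server Admin" was added to the role by hand.
CURRENT_ROLES = {
    "Information Technology": {"IT Department"},
    "Information Technology/IT Manager": {"IT Management", "All Managers"},
    "Information Technology/Systems Engineer": {"Server Admin"},
}

def mine_roles(identities):
    """Return {role: entitlements held by 100% of that role's members}."""
    members = defaultdict(list)
    for _name, dept, title, ents in identities:
        members[dept].append(ents)               # department-level role
        members[f"{dept}/{title}"].append(ents)  # Department > Job Title role
    mined = {role: set.intersection(*sets) for role, sets in members.items()}
    # Assumption: a job-title role lists only what its department role lacks.
    # (Model limitation: department names must not contain "/".)
    for role in mined:
        if "/" in role:
            mined[role] = mined[role] - mined[role.split("/", 1)[0]]
    return mined

def lost_on_purge(current_roles, identities):
    """Role-entitlements present today that a purge + rebuild would not restore."""
    mined = mine_roles(identities)
    return {role: sorted(ents - mined.get(role, set()))
            for role, ents in current_roles.items()
            if ents - mined.get(role, set())}

if __name__ == "__main__":
    for role, ents in sorted(mine_roles(IDENTITIES).items()):
        print(f"mined  {role}: {sorted(ents)}")
    for role, ents in lost_on_purge(CURRENT_ROLES, IDENTITIES).items():
        print(f"LOST   {role}: {ents}")
```

"VPN Admin" is held by only one of the two IT Managers, so it is never mined. "Server Admin" is held by one of two Systems Engineers, so the hand-made assignment would not come back after a purge.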
Defining your Roles
Now that Clarity's Role Mining has taken place, and given you a strong baseline for your roles, you just need to review your roles and identify any entitlements that might still be missing. Clarity provides several tools and ways for you to investigate likely additions for your roles, or scenarios where combining roles might make sense.
Entitlement Suggestions
When clicking on an individual Role within Clarity, you will be taken to the Roles page, which lets you review Entitlements Clarity has added to the role, the various applications the associated Entitlements are from, and many other items. If you navigate to the Suggestions tab, Clarity will show you Entitlements that are not already present in the role, but are already held by a significant percentage of the Role members.
In the image below, you see the Information Technology/Systems Engineer role, and all of its members (in this case it's just 1 user named Sam McClarity). If Sam had entitlements that were not part of the role, you would see those listed in the Suggestions tab and could add them to the role.
Custom Roles
You may want to create some custom roles for special account types. A common scenario for this would be service accounts, admin accounts, etc. Often, accounts of these types do not have attributes that would include them in a role, so they are assigned to the Default role within Clarity.
Check out the Special Roles section of the What is a Role? article for more details.
Recommendation
It is typically recommended that you populate these fields in the Downstream Application (or source) for any Identities that appear in the Default roles, so an appropriate role will be assigned after the next sync.
Need Help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.