- 09 Dec 2024
- 6 Minutes to read
- Print
- DarkLight
- PDF
Building Roles
- Updated on 09 Dec 2024
- 6 Minutes to read
- Print
- DarkLight
- PDF
The first step in building a robust Lifecycle Management process in Clarity is configuring and verifying your roles in the platform.
Before you begin
Before getting your Roles in order, first let's take a look at the Identity Attributes and Organizational Units configurations in Clarity, as these form the framework on which your Role Based Access Control is built.
Identity Attributes
Specifically, for Identity Attributes, we want to ensure that your custom attributes are available for use and properly configured. In the article linked below, the Identity Attributes are explained in detail to help with configuration.
Changes made to your Identity Attribute Precedence will not be reflected in an Identity until you select the Refresh Identity Attributes button at the top of the page.
Organizational Units
Next up, we will want to configure or verify the Organizational Units for your desired role structure. By default, Clarity is configured with the most common scenario (Department > Job Title). Check out the article below for details on how to configure that.
Rebuild your Role Structure
If and when you make changes to your Identity Attributes precedence or your Organizational Units, you will want to purge and rebuild your roles.
Purge and Rebuild Roles
If you would like to start over from scratch, you will want to follow these steps in the Settings pages:
See Organizational Units to learn more detail on the steps below.
- On Settings > Identity Attributes page, make any changes to Identity Attribute Precedence (especially for attributes that will be used as Org Units
- Again on Settings > Identity Attributes click the Refresh Identity Attributes this will actualize the attribute changes for your existing Identities. Note: If org units change for a user change at this time, they will trigger the Identity Modified Workflow.
- Wait at least 5 min for the Identity Attribute changes to propagate.
- On Settings > Organizational Units and Provisioning adjust the Organizational Units to match your desired structure. Don't forget to click Save after making the changes.
- Now you can click the Purge button on Settings > Organizational Units and Provisioning, this will delete your entire role structure (Roles and the Entitlements associated).
- Wait about 1 min, then click Soft Refresh to rebuild your roles.
After your role structure is reset and rebuilt Clarity will also add the Entitlements that make up the Roles birthright access (Role Mining, detailed below).
The Purge action will delete all of your roles and the entitlements already associated with them. If you have already spent time adjusting your roles, customizing the associated Entitlements after Role Mining was completed, this effort will be deleted during the Purge and Rebuild process, only Role-Entitlement relationships created during the subsequent Role Mining process will be added back, see the section below for more details about Role Mining.
Role Mining
In addition to resetting your role structure, Clarity also performs another automated task called Role Mining. This automatic process occurs when during the Hard Refresh step above.
When your new Roles are created, Clarity will automatically add entitlements to your roles when certain conditions are met. For Clarity to add these baseline entitlements to your Roles, the entitlement must be shared by 100% of the role members.
For example, if you have 20 employees in the Information Technology Department and each of them have an Entitlement called IT Department, then Clarity would add this entitlement to the Information Technology role at the department level.
Another example would be if you had the job title IT Manager (same Information Technology Department from above). For your 3 IT Managers, they have have the following entitlements IT Management and All Managers. Clarity would detect that all members of the Information Technology/IT Manager role have those entitlements in common, and automatically add this to the role.
Defining your Roles
Now that Clarity's Role Mining has taken place, and given you a strong baseline for your roles, you just need to review your roles and identify any entitlements that might still be missing. Clarity provides several tools and ways for you to investigate likely additions for your roles, or scenarios where combining roles might make sense.
Entitlement Suggestions
When clicking the Manage button when viewing a role within Clarity, you will be taken to the Manage Role page, which lets you review Entitlement suggestions Clarity has found for the role. The entitlements listed are suggested based on the overlap of Identities within the Role that have an entitlement not already included in the role. Below we show an example of this from the Entitlement Suggestions tab on the Manage Role page.
In the image below, you see the CS/Implementation Specialist role, and some Entitlements Clarity has suggested be a part of the role based on the overlap of members in the role with the entitlement as an Exception. In the example, all 2 members of the role have the 5 entitlements listed. In the image, the Count column is indicating that this role has 2 Identities, and both of them already have this entitlement. Clicking the Add button would mean the entitlement becomes part of the Role, and any new employees hired would receive that access as part of their birthright access.
Custom Roles
You may want to create some custom roles for special account types. A common scenario for this would be service accounts, admin accounts, etc. Often, accounts of these types do not have attributes that would include them in a role, so they are assigned to the Default role within Clarity.
Check out the Special Roles section of the What is a Role? article for more details.
It is typically recommended that you populate these fields in the Downstream Application (or source) for any Identities that appear in the Default roles, so an appropriate role will be assigned after the next sync.
Need Help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.