What is a Role?

Roles in Clarity are based on the concept of Role Based Access Control (RBAC). Roles can be either automatically generated based on chose attributes (default) or customized by hand.

An example of a standard Role Based Access Control setup would be utilizing Department and Job Title Attributes from a Source of Truth application. This configuration would allow you to assign permissions to users at the Department level and Job Title level, resulting in user access comprising a set of permissions from the Department role and a set of permissions from the Department\Job Title role.

Topics we will cover:

• What generates roles
• Access from a Role
• Creating, modifying, and deleting roles
• Role purge and rebuild
• Special Roles
• Where the data comes from
• How is the data stored

What generates roles

By default, Clarity will generate roles based on attributes that you define in the Organizational Units section of the settings page. The attributes you select should be from a Source of Truth Downstream Application which can organize the users in your organization in a helpful and logical way.

A typical method is to use a "Department > Job Title" structure since users in the same department often have similar access requirements to organizational tools and users with the same Job Title typically have a very high degree of access overlap.

Access from a Role

Entitlements outlined in a role define the expected entitlements for a member of your organization; in addition, if you use Clarity for Lifecycle Management then a role also defines the base level of access an Identity would receive if someone is hired or moves to the role. Each Entitlement an Identity has will either be role or exception for its Grant Type (depicted below).

Grant Type: Role

If you are viewing an Identity's Entitlements (depicted above), and you see Grant Type role, this would indicate that the Entitlement is part of the the Identity's roles (an Identity typically has at least 2 roles, Department and Department/Job Title).

Grant Type: Exception

If an Identity has any Entitlements that are not associated with their role, then Clarity will mark these with the Grant Type exception. This is to indicate that the Identity has the Entitlement, but it is an exception to the entitlements outlined in their roles.

Creating, modifying, and deleting roles

Clarity allows for the creation and modification of existing roles in Clarity.

Creating

While typically Roles are generated from the attributes you select, you can create custom roles in the UI if it is necessary for your environment or you plan to combine (alias) other roles under another.
Roles can also be created by using the Clone feature, this lets you clone an existing role to create a new role with the same entitlements.

Modifying

Roles can be modified in several ways including: combining, renaming, tagging.
Combining a role into another role create an alias relationship in the database, which tells any member of role B (an alias of role A) that they should be treated as a member of role A.
Renaming a role creates a new role with the desired name, and then makes the original role an alias of the newly created role with the desired name.
Tagging a role lets you use filtering and perform reviews against particular roles. Similar to tagging, you can also flag a Role as High Risk.

Deleting

At this time, clarity does not allow for deleting roles from the User Interface. You can contact your Clarity Support team if a role was created incorrectly or needs to be deleted.

Role purge and rebuild

Role structures can be completely restarted from scratch by using the Purge and Rebuild Options in the settings menu. This lets you completely rebuild your Role Based Access Control structure and perform the role-mining process from the beginning.
This is particularly helpful if you are initially setting up Clarity, completely reorganizing your company, or simply need to change which Organizational Units your Role Based Access Control is based on.

Special Roles

Global (Everyone) - This role is always present, and cannot be removed. Every identity in Clarity is a member of this role and can be used to provide all Active Identities with an entitlement you specify.
Default or Intermediary/Default - For any identities that exist in Clarity, but are missing a valid attribute (for the corresponding Organizational Units), a role (intermediary or terminal) will be generated using Default. Check out the examples below for more details on roles generated with the name Default.

Where the data comes from

The data for Roles predominantly comes from the role-mining process. This process starts with first selecting your hierarchical Organizational Units to define your Role Based Access Control structure. Once this is complete (and Role building is enabled or triggered) then your Role structure will be generated. After your roles are generated, Clarity will then iterate through all the entitlements from every user in each role, and create a list of common entitlements (entitlements that every member of the role is assigned). This creates the base of your Role Based Access Control and should be further improved by your Clarity Administrators.

In addition to the initial role mining process, roles can be customized manually as indicated in the Creating, modifying, and deleting roles section of this article.

How is the data stored

Role data is stored in the single tenant database for your Clarity tenant. Along with the general metadata for the role, the list of Entitlements assigned to the role are also stored in the table.

Need help?