Current State RBAC

The RBAC Analyzer is a unique capability provided by BalkanID that maps the current accesses within an organization to role buckets based on a combination of HRIS data (Department, Job titles, etc.) and integrated application data (connections, resources, etc.). This analysis produces a blueprint that helps organizations understand their current Role-Based Access Control (RBAC) posture based on real-time data. Through this analysis, BalkanID's heuristics provide insights into how employees, their unique identities, and connections are grouped into BalkanID roles. These system-generated roles are further given unique names to help users identify how and why these groups were created.

The BalkanID Generated Roles do not actually exist in your systems; they are a virtual mapping of how your existing connections, resources and permissions can be grouped. You should be able to use the BalkanID Generated Roles from the RBAC Analyzer to refine your IdP roles, such as Okta groups or Azure AD groups. This can help organizations keep their RBAC (which typically ends up becoming stale) up to date at all times.

Key Features

  • AI-driven Role Creation: The RBAC Analyzer automatically generates roles based on HR, IT, and usage data across all your enterprise applications.

  • Confidence Levels: The heuristics-driven confidence levels on employee → connection → role mapping help define and audit your RBAC posture.

  • Data-driven Approach: Advanced analytics provide the necessary telemetry to proactively detect and remediate both security and compliance issues.

  • Risk-based Remediation: Achieve least privilege while right-sizing your permissions without disrupting business activities.

BalkanID Generated Roles

The Generated Roles tab in BalkanID serves as a blueprint for the baseline access privileges automatically granted to new employees during the onboarding process. These roles ensure that individuals receive the appropriate level of access from day one—tailored to their position, responsibilities and team structure, enabling them to be productive immediately and securely.

BalkanID intelligently classifies these roles into distinct categories based on organizational structure and access patterns:

  1. Organization Birthright: Access privileges that are granted to all employees across the organization, regardless of department, role, or location. These typically include universal tools or systems such as email, messaging platforms, etc.

  2. App Birthright: Baseline access that every user has within a particular application. This ensures that all users have consistent foundational permissions in apps they are expected to use, while more specific privileges can be added based on their role or function.

  3. Department Birthright: Access privileges assigned to all employees within a specific department. For example, everyone in the Engineering department may receive access to code repositories, development tools, and issue tracking systems relevant to their function.

  4. Manager Birthright: Access given to all employees who report directly to a specific manager. This ensures consistency in access among team members working under the same leader, based on shared responsibilities or team-wide tools.

  5. Job Title and Department Birthright: A combined classification that assigns access based on both the employee's job title and their department. For example, a “Product Designer” in the Design department may require different access than a “Product Designer” in the Marketing department. This role ensures precision in access provisioning by accounting for both factors.

  6. Team Birthright: A refined category that represents access based on a unique combination of Department and Job Title and Manager. This approach allows for highly tailored access configurations for specific team structures, particularly useful for cross-functional or matrixed organizations.

Furthermore, administrators can drill down into an individual BalkanID Generated Role by clicking on it to obtain a detailed list of the identities, connections, resources and entitlements associated with that role. This leads to the BalkanID Generated Role Details page, which provides a granular view that facilitates a deeper understanding of the access privileges granted by each role, i.e., the list of connections, resources and identities.

Role Confidence

The Role Confidence tab provides a comprehensive mapping between departments, job titles, and the roles they have been assigned within BalkanID, along with their respective Role Confidence Scores. These roles are generated through an advanced algorithm that calculates the most relevant roles for each department and job title based on their access patterns and permissions.

Role Confidence Score

Along with identifying BalkanID roles for RBAC, we calculate the significance of the role for a job title, department and manager (the confidence score). In our technical analysis, we aim to discern the importance of roles within job titles and departments, spotlighting those that are prevalent or considered "birthright." Additionally, we want our approach to draw attention to a specific role within a job title and department that warrants closer monitoring to prevent potential security issues, ensure productivity (address any decline in performance), or clean up access after an employee's lateral or upward movement.

The confidence score is calculated based on three factors: department, job title and manager. High scores indicate strong alignment between the roles and the department, job title and manager. Lower scores highlight areas that may require further review.

Legend:

  • Green means greater than 75% of employees with a job title and department and manager have access to the role (high confidence).

  • Yellow means greater than 50% and less than or equal to 75% of employees with a job title and department and manager have access to the role (medium confidence).

  • Orange means greater than 25% and less than or equal to 50% of employees with a job title and department and manager have access to the role (low confidence).

  • Red means less than or equal to 25% of employees with a job title and department and manager have access to the role (very low confidence).
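
The legend can be reproduced outside the product to sanity-check an export. The following is an added example, not BalkanID's code or algorithm: it assumes the score is the share of a (department, job title, manager) cohort that holds a role, as the legend describes, and all employees, managers and role names are constructed.

```python
from collections import defaultdict

# Constructed HRIS rows: (employee, department, job title, manager).
EMPLOYEES = [
    ("ana", "Engineering", "Backend Engineer", "mgr-lee"),
    ("bo", "Engineering", "Backend Engineer", "mgr-lee"),
    ("cy", "Engineering", "Backend Engineer", "mgr-lee"),
    ("dee", "Engineering", "Backend Engineer", "mgr-lee"),
    ("eli", "Engineering", "Backend Engineer", "mgr-lee"),
    ("fay", "Design", "Product Designer", "mgr-ito"),
    ("gus", "Design", "Product Designer", "mgr-ito"),
]
# Constructed role membership (hypothetical role names): role -> holders.
ROLE_MEMBERS = {
    "code-repo-write": {"ana", "bo", "cy", "dee", "eli"},
    "ci-admin": {"ana", "bo", "cy"},
    "prod-db-read": {"ana", "bo"},
    "billing-admin": {"eli", "fay"},
}

def band(pct):
    """Map a coverage percentage to the legend colour (upper bounds inclusive)."""
    if pct > 75:
        return "Green"
    if pct > 50:
        return "Yellow"
    if pct > 25:
        return "Orange"
    return "Red"

def role_confidence(employees, role_members):
    """Return {(cohort, role): (pct, colour, holders)} for roles held in a cohort."""
    cohorts = defaultdict(set)
    for emp, dept, title, mgr in employees:
        cohorts[(dept, title, mgr)].add(emp)
    scores = {}
    for cohort, members in cohorts.items():
        for role, holders in role_members.items():
            have = members & holders
            if have:  # skip roles nobody in the cohort holds
                pct = 100.0 * len(have) / len(members)
                scores[(cohort, role)] = (pct, band(pct), sorted(have))
    return scores

def review_queue(scores):
    """Orange/Red pairs: the few holders whose access is atypical for their cohort."""
    return sorted((c, r, who) for (c, r), (_, colour, who) in scores.items()
                  if colour in ("Orange", "Red"))
```

Note the boundary behaviour: exactly 50% lands in Orange and exactly 25% in Red, because each band's upper bound is inclusive.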

To improve confidence scores:

  • For roles with lower confidence scores, review the associated permissions and compare them with the actual needs of the department or job title under a manager.

  • Adjust role assignments as necessary to ensure that each role accurately reflects the permissions required for the specific functions of the department or job title.

  • Regularly update the roles and their associated permissions based on evolving organizational needs and feedback.
