# Current State RBAC

The RBAC Analyzer is a unique capability provided by BalkanID that maps the current accesses within an organization to role buckets based on a combination of HRIS data (department, job titles, etc.) and integrated application data (connections, resources, etc.). This analysis produces a blueprint that helps organizations understand their current Role-Based Access Control (RBAC) posture based on real-time data. Through this analysis, BalkanID's heuristics provide insights into how employees, their unique identities, and connections are grouped into BalkanID roles. These system-generated roles are given unique names to help users identify how and why each group was created.

The BalkanID Generated Roles do not actually exist in your systems; they are a virtual mapping of clusters showing how your existing connections (roles, groups, etc.), resources and permissions can be grouped. You can use the BalkanID Generated Roles from the RBAC Analyzer to refine your IDP roles, such as Okta groups or Azure AD groups. This helps organizations keep their RBAC (which typically ends up becoming stale) up to date at all times.

#### Role Generation and Recommendation

BalkanID’s approach combines both **bottom-up** and **top-down** methodologies to create a robust RBAC system.

**Bottom-Up Approach**

* **Data Analysis**: Examines existing entitlement data, including permissions and access levels.
* **Permissive Power Evaluation**: Assesses how powerful each permission is, identifying high-risk privileges.
* **Resource Sensitivity Assessment**: Determines the sensitivity of resources based on data classification, wherever available.
* **Behavioral Attributes**: Analyzes user activity, such as last login time and frequency of resource usage, wherever available, to understand actual needs.

**Top-Down Approach**

* **HRIS Integration**: Incorporates data from Human Resource Information Systems to understand organizational structure.
* **Peer Grouping**: Groups users with similar roles or departments to standardize permissions.
* **User Trust Levels**: Assigns trust scores based on factors like tenure, role criticality, and past behavior.

### Key Features <a href="#h_01hx49yf6n6smsy9f9hqe83r68" id="h_01hx49yf6n6smsy9f9hqe83r68"></a>

* **AI-driven Role Creation:** The RBAC Analyzer automatically generates roles based on HR, IT, and usage data across all your enterprise applications.
* **Confidence Levels:** The heuristics-driven confidence levels on employee → identity → role/group/resource mapping help define and audit your RBAC posture.
* **Data-driven Approach:** Advanced analytics provide the necessary telemetry to proactively detect and remediate both security and compliance issues.
* **Risk-based Remediation:** Achieve least privilege while right-sizing your permissions without disrupting business activities.

### BalkanID Generated Roles

The **Generated Roles** tab in BalkanID serves as a blueprint for the baseline access privileges automatically granted to new employees during the onboarding process. These roles ensure that individuals receive the appropriate level of access from day one - tailored to their position, responsibilities and team structure, enabling them to be productive immediately and securely.

BalkanID intelligently classifies these roles into distinct categories based on organizational structure and access patterns:

1. **Organization Birthright**: Access privileges that are granted to **all employees across the organization**, regardless of department, role, or location. These typically include universal tools or systems such as email, messaging platforms, etc.
2. **App Birthright:** Baseline access that **every user has within a particular application**. This ensures that all users have consistent foundational permissions in apps they are expected to use, while more specific privileges can be added based on their role or function.
3. **Department Birthright**: Access privileges assigned to **all employees within a specific department**. For example, everyone in the Engineering department may receive access to code repositories, development tools, and issue tracking systems relevant to their function.
4. **Manager Birthright**: Access given to **all employees who report directly to a specific manager**. This ensures consistency in access among team members working under the same leader, based on shared responsibilities or team-wide tools.
5. **Job Title and Department Birthright:** A combined classification that assigns access based on **both the employee's job title and their department**. For example, a “Product Designer” in the Design department may require different access than a “Product Designer” in the Marketing department. This role ensures precision in access provisioning by accounting for both factors.
6. **Team Birthright:** A refined category that represents access based on a **unique combination of Department** and **Job Title** and **Manager**. This approach allows for highly tailored access configurations for specific team structures, particularly useful for cross-functional or matrixed organizations.

Furthermore, administrators can click on an individual BalkanID Generated Role to drill down into it and obtain a detailed list of the identities, connections, resources and entitlements associated with that role. This leads to the **BalkanID Generated Role Details Page**, which provides a granular view of the access privileges granted by each role, i.e., the list of connections, resources and identities.

#### Role Risk Factor

**Overview**

The **Role Risk Factor** is an aggregate risk signal computed per BalkanID Generated Role, derived directly from the role's confidence profile across all department, job title, and manager combinations. It is the inverse of role confidence at the generated-role level: roles with a high proportion of low-confidence mappings carry a higher risk factor.

This gives administrators a single, actionable signal per generated role to quickly identify which roles in their RBAC posture warrant attention, review, or remediation.

**How It Is Calculated**

For each BalkanID Generated Role:

1. All role-confidence rows associated with that role are examined across every department, job title, and manager combination.
2. The percentage of rows that are not rated High confidence is computed.
3. That percentage is mapped to a risk bucket as follows:

| Risk Factor   | Interpretation                                                                                                                             |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| **Low**       | Most combinations are High confidence. The role is well-aligned to the employees it covers.                                                |
| **Medium**    | A meaningful portion of combinations fall below High confidence. Some review recommended.                                                  |
| **High**      | A significant share of combinations are Low or Very Low confidence. The role likely covers access that is inconsistent across its members. |
| **Very High** | The majority of combinations are not High confidence. The role represents a material RBAC risk and should be reviewed promptly.            |

A role with all High-confidence rows receives a Low risk factor. As the share of non-High rows increases, the risk factor escalates toward Very High.

**Role Risk Factor Column**

The BalkanID Generated Roles table (in both Current State and Ideal State RBAC views) includes a **Role Risk Factor** column displaying the computed risk bucket for each role with color coding:

* **Green** -- Low risk
* **Yellow** -- Medium risk
* **Orange** -- High risk
* **Red** -- Very High risk

Clicking the risk factor badge for any role navigates directly to the Role Confidence table, pre-filtered to show only the confidence rows associated with that generated role, so administrators can immediately inspect which department, job title, or manager combinations are driving the risk.

<figure><img src="/files/SAwGjfahtAE3wjd2EXbq" alt=""><figcaption></figcaption></figure>

**Role Risk Factor Dashboard Chart**

The main dashboard includes a **Current State RBAC Risk Factor** chart, automatically enabled when the RBAC module is active. This pie chart shows the distribution of all generated roles by risk factor bucket for a selected application.

<figure><img src="/files/tq2atgIQAkcfjUdxZdTD" alt=""><figcaption></figcaption></figure>

**Usage:**

* Use the application dropdown selector to scope the chart to a specific integrated app.
* Each slice of the pie represents one risk bucket (Low, Medium, High, Very High).
* Clicking a slice navigates to the BalkanID Generated Roles table with filters applied for that application and the selected risk bucket, allowing for immediate drill-down and action.

Note: Risk factor data is point-in-time and does not include historical trendlines.

**Using Role Risk Factor for Remediation**

* Start with roles rated **Very High** or **High** and click through to the Role Confidence table to identify which department or job title combinations are misaligned.
* Review whether the access represented by these roles reflects intentional provisioning or access drift over time.
* Use the drill-down view to determine if the role should be narrowed, split, or retired.
* After making adjustments to role assignments or RBAC policies in your IDP (such as Okta groups or Azure AD groups), re-run the RBAC analysis to monitor whether the risk factor improves.

### Role Confidence

The Role Confidence tab provides a comprehensive mapping between departments, job titles, and the roles they have been assigned within BalkanID, along with their respective Role Confidence Scores. These roles are generated through an advanced algorithm that calculates the most relevant roles for each department and job title based on their access patterns and permissions.

#### Role Confidence Score <a href="#h_01hyyw6b72jvfhsxpfqm7psxbs" id="h_01hyyw6b72jvfhsxpfqm7psxbs"></a>

Along with identifying BalkanID roles for RBAC, we calculate the significance of each role for a job title, department and manager (the confidence score). In our technical analysis, we aim to discern the importance of roles within job titles and departments, spotlighting those that are prevalent or considered "birthright." Additionally, the approach draws attention to any specific role within a job title and department that warrants closer monitoring, whether to prevent potential security issues, to ensure productivity (address any decline in performance), or to clean up access left over from an employee's lateral or upward movement.

<figure><img src="/files/uuTVK2HUx3K1swGkeR0p" alt=""><figcaption></figcaption></figure>

The confidence score is calculated based on 3 factors - department, job title and manager. High scores indicate strong alignment between the role and the department, job title and manager; lower scores highlight areas that may require further review.

#### Legend: <a href="#h_01hyyw6p98cfjrt7s0deyd0p1n" id="h_01hyyw6p98cfjrt7s0deyd0p1n"></a>

* **Green** means more than 75% of employees sharing a given job title, department and manager have access to the role (high confidence).
* **Yellow** means more than 50% and at most 75% of employees sharing a given job title, department and manager have access to the role (medium confidence).
* **Orange** means more than 25% and at most 50% of employees sharing a given job title, department and manager have access to the role (low confidence).
* **Red** means 25% or fewer of employees sharing a given job title, department and manager have access to the role (very low confidence).
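The following is an added example, not BalkanID's code: it applies the legend thresholds above to constructed HRIS and role-assignment data to produce Role Confidence rows per (department, job title, manager, role), then aggregates them into the Role Risk Factor described earlier (share of rows not rated High). The page does not publish the risk-bucket cut-offs, so the `RISK_CUTOFFS` values are assumed placeholders.

```python
from collections import defaultdict
# Constructed sample input (not BalkanID data): employee, department,
# job title, manager, and the generated roles the employee currently holds.
EMPLOYEES = [
    ("e1", "Engineering", "SWE", "m1", {"R-ENG-REPO", "R-ORG-EMAIL"}),
    ("e2", "Engineering", "SWE", "m1", {"R-ENG-REPO", "R-ORG-EMAIL"}),
    ("e3", "Engineering", "SWE", "m1", {"R-ENG-REPO", "R-ORG-EMAIL", "R-PROD-DB"}),
    ("e4", "Engineering", "SWE", "m1", {"R-ENG-REPO", "R-ORG-EMAIL"}),
    ("e5", "Engineering", "SRE", "m2", {"R-PROD-DB", "R-ORG-EMAIL"}),
    ("e6", "Engineering", "SRE", "m2", {"R-PROD-DB", "R-ORG-EMAIL"}),
    ("e7", "Engineering", "SRE", "m2", {"R-ORG-EMAIL"}),
    ("e8", "Design", "Product Designer", "m3", {"R-ORG-EMAIL", "R-PROD-DB"}),
    ("e9", "Design", "Product Designer", "m3", {"R-ORG-EMAIL"}),
    ("e10", "Design", "Product Designer", "m3", {"R-ORG-EMAIL"}),
]

def confidence_label(share):
    """Legend thresholds from the page, applied to the share of employees in a
    (department, job title, manager) combination who hold the role."""
    if share > 0.75:
        return "High"      # Green
    if share > 0.50:
        return "Medium"    # Yellow
    if share > 0.25:
        return "Low"       # Orange
    return "Very Low"      # Red

def role_confidence(employees):
    """Role Confidence rows: {(dept, title, manager, role): (share, label)}."""
    members, holders = defaultdict(set), defaultdict(set)
    for emp, dept, title, mgr, roles in employees:
        members[(dept, title, mgr)].add(emp)
        for role in roles:
            holders[(dept, title, mgr, role)].add(emp)
    shares = {k: len(who) / len(members[k[:3]]) for k, who in holders.items()}
    return {k: (s, confidence_label(s)) for k, s in shares.items()}

# Risk-bucket cut-offs are not published on the page; assumed placeholders.
RISK_CUTOFFS = ((0.25, "Low"), (0.50, "Medium"), (0.75, "High"))

def role_risk_factor(rows):
    """Per generated role: share of its rows not rated High, and risk bucket."""
    total, non_high = defaultdict(int), defaultdict(int)
    for (_d, _t, _m, role), (_s, label) in rows.items():
        total[role] += 1
        non_high[role] += label != "High"
    pct = {role: non_high[role] / total[role] for role in total}
    return {role: (p, next((b for cut, b in RISK_CUTOFFS if p <= cut), "Very High"))
            for role, p in pct.items()}
```

In this sample, `R-PROD-DB` is held by a minority in every combination, so all three of its confidence rows fall below High and the role lands in the Very High risk bucket, which is exactly the kind of role the remediation steps above say to review first.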

**To improve confidence scores:**

* For roles with lower confidence scores, review the associated permissions and compare them with the actual needs of the department or job title under a manager.
* Adjust role assignments as necessary to ensure that each role accurately reflects the permissions required for the specific functions of the department or job title.
* Regularly update the roles and their associated permissions based on evolving organizational needs and feedback.

