RBAC Analyzer Overview
The RBAC Analyzer is a unique capability provided by BalkanID that generates roles for an organization based on a combination of HRIS data (department, job titles, etc.) and integrated application data (connections, resources, etc.). This analysis produces a blueprint that helps organizations understand their Role-Based Access Control (RBAC) posture based on real-time data. Through this analysis, BalkanID's heuristics provide insights into how employees, their unique identities, and connections are grouped into BalkanID roles. These system-generated roles are given unique names to help users identify how and why each group was created.
The BalkanID Generated Roles do not actually exist in your systems; they are a virtual mapping of how your existing connections, resources and permissions can be grouped. You can use the BalkanID Generated Roles from the RBAC Analyzer to refine your IDP roles, such as Okta groups or Azure AD groups. This helps organizations keep their RBAC, which typically becomes stale over time, up to date at all times.
Key Features
AI-driven Role Creation: The RBAC Analyzer automatically generates roles based on HR, IT, and usage data across all your enterprise applications.
Confidence Levels: The heuristics-driven confidence levels on employee → connection → role mapping help define and audit your RBAC posture.
Data-driven Approach: Advanced analytics provide the necessary telemetry to proactively detect and remediate both security and compliance issues.
Risk-based Remediation: Achieve least privilege while right-sizing your permissions without disrupting business activities.
RBAC Analyzer Components
1. BalkanID Generated Roles
The BalkanID Generated Roles table displays different roles identified by the BalkanID RBAC algorithm, along with their role type and description. Each role signifies a distinct combination of connections and overlapping patterns identified by the algorithm.
There are four different types of BalkanID generated roles:
High Variance: Highlights the roles with higher variance in distribution.
Birthright: Highlights the roles assigned to employees joining any job title and department as their birthright (i.e., assigned upon joining).
Nearly Universal: Highlights the roles with nearly universal access.
Universal: Highlights the roles with universal access.
To learn more please refer to the article on BalkanID Generated Roles Page.
2. Role Usage
We create a mapping between departments, job titles and the roles they have been assigned, and calculate a "Role Confidence Score" that expresses the confidence with which a particular department or job title has been assigned to that role. A 100% confidence score indicates that the department/job title has rightfully been assigned that role. A lower confidence score indicates that employees in that department/job title hold permissions that are not relevant to them.
3. Outliers
In addition to identifying various patterns to construct roles, the RBAC Analyzer also focuses on detecting potentially harmful or selectively assigned roles, which may have accumulated over time or result from user error. While the analyzer currently refrains from pinpointing exact reasons, its aim is to achieve this after initial analysis and tagging from the customer.
The RBAC Analyzer supports the following types of outliers:
Unique: These outliers denote a connection or group of connections assigned to a single employee. The user has a unique set of connections compared to his or her peer group, so no pattern could be established and the user was not assigned to a BalkanID generated role.
Below Threshold: These outliers indicate rare access to a role generated by BalkanID. If a role doesn't hold significant importance for the job title and department, then only a few people will have access to it. To identify non-significant roles, a threshold is set, and any role below this threshold is labeled as a "below-threshold outlier."
No Job Title: These outliers indicate employees with no job title assigned, to whom none of the BalkanID generated roles could be assigned because the job title is missing.
No Department: These outliers indicate employees with no department assigned, to whom none of the BalkanID generated roles could be assigned because the department is missing.
To learn more please refer to the article on the RBAC Outliers Page.
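The Role Usage and Outliers sections above describe peer-group patterns, a confidence score and four outlier types. The following added example (not BalkanID's code; the threshold, the data model and the rule that a role is a connection pattern shared by a peer group are all assumptions) shows one way those ideas fit together on constructed HRIS and application data:

```python
from collections import Counter, defaultdict

THRESHOLD = 0.5  # assumed: a pattern held by >= 50% of a peer group becomes a generated role

# Constructed sample of HRIS + application data; not BalkanID's real data model.
# Each record: (employee, department, job_title, set of application connections).
EMPLOYEES = [
    ("alice", "Engineering", "SWE", {"github", "jira", "aws-dev"}),
    ("bob",   "Engineering", "SWE", {"github", "jira", "aws-dev"}),
    ("carol", "Engineering", "SWE", {"github", "jira", "aws-dev"}),
    ("dan",   "Engineering", "SWE", {"github", "jira", "aws-dev"}),
    ("erin",  "Engineering", "SWE", {"github", "jira", "aws-dev", "aws-prod"}),
    ("frank", "Engineering", "SWE", {"github", "jira", "aws-dev", "aws-prod"}),
    ("gil",   "Engineering", "SWE", {"github", "jira"}),
    ("hana",  "Finance",     "Analyst", {"netsuite", "jira"}),
    ("ivan",  "Finance",     "Analyst", {"netsuite", "jira"}),
    ("judy",  "",            "Analyst", {"netsuite"}),   # no department in HRIS
    ("karl",  "Finance",     "",        {"netsuite"}),   # no job title in HRIS
]

def analyze(employees, threshold=THRESHOLD):
    """Return (roles, outliers).

    roles:    {(department, job_title, frozenset(connections)): confidence}
              where confidence is the share of the peer group holding that pattern
    outliers: {employee: outlier_type} for employees not covered by a role
    """
    groups = defaultdict(list)
    outliers = {}
    for name, dept, title, conns in employees:
        if not dept:
            outliers[name] = "No Department"      # cannot be placed in a peer group
        elif not title:
            outliers[name] = "No Job Title"
        else:
            groups[(dept, title)].append((name, frozenset(conns)))
    roles = {}
    for (dept, title), members in groups.items():
        pattern_counts = Counter(conns for _, conns in members)
        for name, conns in members:
            n = pattern_counts[conns]
            share = n / len(members)
            if n == 1:
                outliers[name] = "Unique"            # nobody else in the peer group matches
            elif share < threshold:
                outliers[name] = "Below Threshold"   # rare pattern, not promoted to a role
            else:
                roles[(dept, title, conns)] = share  # 1.0 means everyone in the group holds it
    return roles, outliers
```

The two Engineering SWEs holding `aws-prod` surface as Below Threshold outliers, which is the kind of selectively assigned access the Outliers view is meant to bring to an analyst's attention.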
4. Connections
The Connection View provides a list of connections and the roles they belong to. It gives insight into the specific connections associated with each role, enabling a better understanding of the access granted to users assigned to that role.
5. User View
The User View provides a perspective of roles assigned to identities in an application, enabling the identification of employees with an unusually high number of roles compared to others. This observation may suggest aggregated roles (due to lack of cleanup), user error, or potentially malicious intent.
6. Connection to Role Mapping
The Connection to Role Mapping view is a crucial feature in BalkanID that provides a comprehensive overview of the membership of connections for roles generated within the platform. This functionality is designed to help users easily understand and manage the relationships between various connections and roles, ensuring clarity and efficiency in role-based access control. To learn more please refer to the article on the RBAC Connections Page.
7. Users to Role Mapping
Similar to the Connection to Role Mapping view, the User to Role Mapping view is an essential feature in BalkanID that provides a detailed overview of the roles assigned to each user within the platform. This functionality enables users to easily understand and manage role assignments, ensuring clarity and efficiency in role-based access control. To learn more please refer to the article on the RBAC Users Page.
Leveraging BalkanID Generated Roles in IDPs
The RBAC Analyzer's ability to generate roles based on organizational data and application access patterns can be leveraged to streamline the provisioning process in Identity Provider (IDP) services such as Okta, Azure Active Directory, and others. While automated provisioning of BalkanID generated roles into IDP services is not currently available, organizations can still leverage the RBAC Analyzer's insights to streamline their access management processes manually or through scripting.
Manually Provisioning BalkanID Generated Roles: The RBAC Analyzer provides a comprehensive view of the BalkanID generated roles, along with the associated users and connections. Using this information, organizational administrators can provision these roles within their IDP services manually, ensuring appropriate access levels for employees across connected applications. Review the BalkanID Generated Roles table, map roles to IDP groups/roles, assign users to roles, and manage role changes as organizational changes occur.
Automated Provisioning Using Exported Data: Organizations can export the BalkanID generated roles, user assignments, and associated connections from the RBAC Analyzer. They can then develop scripts or automation workflows to consume this exported data and translate it into commands or API calls for the target IDP service. This allows automating the creation of roles, user assignments, and access management tasks based on the BalkanID generated roles.
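The scripted approach above consumes an export and turns it into IDP changes. This added example (not BalkanID's or any IDP vendor's code; the `role,user` CSV layout, the `bid-` group prefix and the in-memory IDP snapshot are assumptions) computes an idempotent reconciliation plan rather than issuing API calls directly, so the planned changes can be reviewed before anything is applied and hand-maintained groups are never touched:

```python
import csv
import io

# Constructed export in a "role,user" shape; the real BalkanID export format is
# not specified on this page.
EXPORT_CSV = """role,user
Engineering-SWE,alice
Engineering-SWE,bob
Finance-Analyst,hana
Finance-Analyst,ivan
"""

# Constructed snapshot of current IDP group membership (what a group-listing call
# to Okta / Azure AD would return), keyed by group name.
CURRENT_IDP_GROUPS = {
    "bid-Engineering-SWE": {"alice", "gil"},
    "Payroll-Admins": {"hana"},  # hand-maintained: the sync must never modify it
}

GROUP_PREFIX = "bid-"  # assumed convention marking groups owned by this sync

def desired_membership(export_text, prefix=GROUP_PREFIX):
    """Parse exported role/user rows into {idp_group_name: set(users)}."""
    desired = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        desired.setdefault(prefix + row["role"], set()).add(row["user"])
    return desired

def plan_changes(desired, current, prefix=GROUP_PREFIX):
    """Return the minimal list of (action, group, user) tuples that reconciles
    the IDP with the export. Re-running on an already reconciled IDP yields [].
    Only groups carrying the managed prefix are created, changed or deleted."""
    actions = []
    for group, users in sorted(desired.items()):
        have = current.get(group)
        if have is None:
            actions.append(("create_group", group, None))
            have = set()
        for user in sorted(users - have):
            actions.append(("add_user", group, user))
        for user in sorted(have - users):
            actions.append(("remove_user", group, user))  # access no longer backed by a role
    for group in sorted(current):
        if group.startswith(prefix) and group not in desired:
            actions.append(("delete_group", group, None))  # managed group went stale
    return actions
```

Each tuple maps onto one group or membership call in the target IDP's API; applying the plan is the only step that needs credentials, which keeps the review step read-only.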
BalkanID is actively working on introducing direct automated provisioning capabilities for BalkanID generated roles into IDP services. Once this feature becomes available, organizations will be able to seamlessly integrate the RBAC Analyzer with their IDP solutions, further enhancing the efficiency and accuracy of their access management processes.
Benefits of RBAC Analyzer
The RBAC Analyzer offers significant benefits for organizations seeking to enhance their security posture, ensure compliance, and streamline access management processes:
Improved security by identifying and remediating outliers, and ensuring appropriate role assignments, reducing the risk of unauthorized access.
Compliance adherence through visibility into access control mechanisms and enabling least privilege principles.
Operational efficiency by automating role generation and providing a centralized view of role assignments, reducing manual effort.
Risk mitigation by detecting and remediating potential security risks, such as excessive or inappropriate access.
Data-driven decision-making through advanced analytics, providing the necessary telemetry for informed access control and role management decisions.
By leveraging the RBAC Analyzer, organizations can gain a comprehensive understanding of their role-based access control posture: it provides visibility into access rights, identifies potential risks, and ensures compliance.