Entitlement Analysis Configuration

  • 7011236
  • 21-Aug-2012
  • 21-Aug-2012

Resolution

Question:

I am attempting to run "Entitlement Analysis" found under Define->Roles and I've found that when the results of my analysis complete and are displayed in the UI or via CSV export, some expected data appears to be missing from the results.

Answer:

1) How basic entitlement analysis is designed to work (as of IdentityIQ 6.0)

When you configure your analysis and click the "Search" button, the product code first examines the Application object schema (for the applications listed in the "Application" select list) to see which attributes are checked as "Entitlement". Using these entitlement attributes, the code then looks through the spt_link table for link objects that have these attributes with corresponding values. (Note that link objects are associated with identity objects and are seen in the UI when editing an identity, on the "Application Accounts" subtab.) The values found may then be displayed in the UI as entitlement analysis results.

2) Configuration options which control the displayed results of an entitlement analysis

There are two options inside the SystemConfiguration object:

        <entry key="entitlementMiningMaxAppBuckets" value="25"/>
The maximum number of application buckets to display on the entitlement mining page when a user chooses to perform an entitlement mining operation. The list of app buckets will be sorted and the apps with the most buckets will be listed first.

        <entry key="entitlementMiningMaxBuckets" value="25"/>
The maximum number of entitlement buckets to display for each application bucket.  The list of buckets will be sorted based on which buckets have the highest percentage of users.
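
The following is an added example, not IdentityIQ code: a small Python model of the two limits as described above, showing which buckets fall out of the results. The XML fragment, the bucket data, the tie-breaking by name and the helper names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragment using the two keys from the article (limits lowered for the demo).
CONFIG = """<Map>
  <entry key="entitlementMiningMaxAppBuckets" value="2"/>
  <entry key="entitlementMiningMaxBuckets" value="2"/>
</Map>"""

# Constructed data: application -> {entitlement value: percent of users holding it}.
BUCKETS = {
    "AD":   {"Domain Admins": 4.0, "VPN Users": 61.0, "Finance RW": 18.0},
    "SAP":  {"FI_POST": 22.0, "FI_VIEW": 70.0},
    "LDAP": {"cn=ops": 9.0},
}

def read_limits(xml_text):
    """Return (max_app_buckets, max_buckets) from <entry key=... value=.../> elements."""
    entries = {e.get("key"): e.get("value") for e in ET.fromstring(xml_text).iter("entry")}
    return (int(entries["entitlementMiningMaxAppBuckets"]),
            int(entries["entitlementMiningMaxBuckets"]))

def apply_limits(buckets, max_apps, max_buckets):
    """Model of the documented behaviour: returns (shown, dropped)."""
    shown, dropped = {}, {}
    # Apps with the most buckets are listed first; name breaks ties (assumption).
    apps = sorted(buckets, key=lambda a: (-len(buckets[a]), a))
    for rank, app in enumerate(apps):
        # Buckets with the highest percentage of users are listed first.
        ordered = sorted(buckets[app].items(), key=lambda kv: (-kv[1], kv[0]))
        keep = ordered[:max_buckets] if rank < max_apps else []
        shown_names = [name for name, _ in keep]
        if shown_names:
            shown[app] = shown_names
        lost = [name for name, _ in ordered if name not in shown_names]
        if lost:
            dropped[app] = lost
    return shown, dropped

def possibly_truncated(shown, max_apps, max_buckets):
    """Heuristic: a result that exactly fills a limit may have been cut off."""
    return len(shown) >= max_apps or any(len(v) >= max_buckets for v in shown.values())

if __name__ == "__main__":
    limits = read_limits(CONFIG)
    shown, dropped = apply_limits(BUCKETS, *limits)
    print("shown:", shown)
    print("dropped (absent from UI and CSV):", dropped)
    print("review limits:", possibly_truncated(shown, *limits))
```

In this constructed data the dropped AD bucket is the one held by the fewest users, which is typical of privileged entitlements, so a result that exactly fills either limit is worth re-checking with the limits raised or with the trace logging described below.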

Note that there is currently no notification in the UI to inform the IdentityIQ user that data has in fact been truncated. ETN 12803 has been opened in order to provide said notification in a future release. If you believe data truncation is occurring, enable the following log4j tracing and rerun your analysis. The truncated data WILL appear in the log, but not in the UI or CSV export. This logging can be useful for troubleshooting this type of use case. As with all tracing, please disable the trace once troubleshooting is complete:

        log4j.logger.sailpoint.web.EntitlementMiningBean=trace