Roles in Clarity are based on the concept of Role Based Access Control (RBAC). Roles can be either automatically generated based on chosen attributes (default) or customized by hand.
An example of a standard Role Based Access Control setup would be utilizing Department and Job Title Attributes from a Source of Truth application. This configuration would allow you to assign permissions to users at the Department Level and Job Title Level, resulting in user access comprising a set of permissions from the Department role and a set of permissions from the Department\Job Title role.
If you have the same job title in two different departments, these will be considered different roles, since their parent role (Department) is different.
"HR\Manager" vs "Sales\Manager"
Topics we will cover:
- What generates roles
- Creating, modifying, and deleting roles
- Role purge and rebuild
- Where the data comes from
- How is the data stored
What generates roles
By default, Clarity will generate roles based on attributes that you define in the Organizational Units section of the settings page. The attributes you select should be from a Source of Truth Downstream Application which can organize the users in your organization in a helpful and logical way.
A typical method is to use a "Department > Job Title" structure since users in the same department often have similar access requirements to organizational tools and users with the same Job Title typically have a very high degree of access overlap.
Creating, modifying, and deleting roles
Clarity allows you to create new roles and modify existing ones.
While Roles are typically generated from the attributes you select, you can create custom roles in the UI if it is necessary for your environment or if you plan to combine (alias) other roles under another role.
Roles can also be created by using the Clone feature, which lets you clone an existing role to create a new role with the same entitlements.
Roles can be modified in several ways, including combining, renaming, and tagging.
Combining a role into another role creates an alias relationship in the database, which means that any member of role B (an alias of role A) is treated as a member of role A.
Renaming a role creates a new role with the desired name, and then makes the original role an alias of the newly created role with the desired name.
Tagging a role lets you use filtering and perform reviews against particular roles. Similar to tagging, you can also flag a Role as High Risk.
At this time, Clarity does not allow for deleting roles from the User Interface. You can contact your Clarity Support team if a role was created incorrectly or needs to be deleted.
Role purge and rebuild
Role structures can be completely restarted from scratch by using the Purge and Rebuild Options in the settings menu. This lets you completely rebuild your Role Based Access Control structure and perform the role-mining process from the beginning.
This is particularly helpful if you are initially setting up Clarity, completely reorganizing your company, or simply need to change which Organizational Units your Role Based Access Control is based on.
Where the data comes from
The data for Roles predominantly comes from the role-mining process. This process starts with selecting your hierarchical Organizational Units to define your Role Based Access Control structure. Once this is complete (and Role building is enabled or triggered), your Role structure will be generated. After your roles are generated, Clarity will iterate through all the entitlements from every user in each role and create a list of common entitlements (entitlements that every member of the role is assigned). This creates the base of your Role Based Access Control and should be further improved by your Clarity Administrators.
An easy way to improve the accuracy of the Entitlements in your roles is to review the Entitlement Suggestions for your organization's roles.
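The following sketch models the role-mining step described above: roles are built from a "Department > Job Title" hierarchy, and each role receives the entitlements that every one of its members holds. It is an added illustration, not Clarity's own code; the attribute names, sample users, entitlement strings, and the `outliers` helper are assumptions made for the example.

```python
from collections import defaultdict

ORG_UNITS = ("department", "job_title")  # assumed attribute names, parent first

# Constructed sample users; names and entitlement strings are illustrative.
USERS = [
    {"name": "ana", "department": "HR", "job_title": "Manager",
     "entitlements": {"mail:user", "hris:read", "hris:admin", "payroll:approve"}},
    {"name": "ben", "department": "HR", "job_title": "Manager",
     "entitlements": {"mail:user", "hris:read", "hris:admin", "vpn:user"}},
    {"name": "cy", "department": "HR", "job_title": "Recruiter",
     "entitlements": {"mail:user", "hris:read", "ats:user"}},
    {"name": "dee", "department": "Sales", "job_title": "Manager",
     "entitlements": {"mail:user", "crm:user", "crm:admin", "prod-db:read"}},
]

def role_paths(user, org_units=ORG_UNITS):
    """Roles a user falls into, parent first: ['HR', 'HR\\Manager']."""
    parts = [user[attr] for attr in org_units]
    return ["\\".join(parts[:i + 1]) for i in range(len(parts))]

def mine_roles(users, org_units=ORG_UNITS):
    """Map each role path to the entitlements held by every one of its members."""
    members = defaultdict(list)
    for user in users:
        for path in role_paths(user, org_units):
            members[path].append(user["entitlements"])
    return {path: set.intersection(*sets) for path, sets in members.items()}

def role_access(user, roles, org_units=ORG_UNITS):
    """Access granted through roles: union of Department and Department\\Job Title."""
    granted = set()
    for path in role_paths(user, org_units):
        granted |= roles.get(path, set())
    return granted

def outliers(user, roles):
    """Entitlements the user holds that none of their roles accounts for."""
    return user["entitlements"] - role_access(user, roles)

if __name__ == "__main__":
    roles = mine_roles(USERS)
    for path in sorted(roles):
        print(f"{path}: {sorted(roles[path])}")
    for user in USERS:
        # A one-member role (dee) absorbs every entitlement of that member,
        # so nothing is flagged for her; such roles need manual review.
        print(user["name"], "outliers:", sorted(outliers(user, roles)))
```

In this model a role with a single member treats all of that member's entitlements as common, which is one reason a mined role set is a starting point that administrators should review.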
In addition to the initial role mining process, roles can be customized manually as indicated in the Creating, modifying, and deleting roles section of this article.
How is the data stored
Role data is stored in the single tenant database for your Clarity tenant. Along with the general metadata for the role, the list of Entitlements assigned to the role is also stored in the table.
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.