Okta Identity Security Posture Management (ISPM) performs analysis on groups and roles which can be used to tune access via groups/roles and reduce risk. This article explores how to use ISPM for role analysis.
Background
Roles and a role-based identity system have been the Holy Grail for identity governance and administration (IGA) practitioners and products for a quarter of a century. We’ve been taught that if we can just put everyone into roles and those roles dictate what access you have, life will be simple. Many IGA vendors offer tools for role management, role mining and role certification. Auditors constantly focus on roles for reducing risk.
But the reality is that most organisations cannot spend the time and money to do a full role mining exercise, and often, after many dollars and months, the roles have already changed along with the business, so the exercise was pointless. In my 25 years of working in identity, I’ve only seen one major organisation get to 100% of access controlled through roles. The reality for everyone else is that there will be a mix of common high-level roles, with the remaining access managed through access requests and access certification.
Can we reduce access-related risk without doing a full-blown role mining and definition exercise? Yes. You can look at the user groupings for access (groups/roles in identity management systems and other apps) and see where they are over permissioned or don’t need to have all those users in them. This is where ISPM comes in.
Using ISPM for Group and Role Analysis
Okta Identity Security Posture Management (ISPM) helps you take control of identity and access sprawl in your organisation by uncovering hidden risks, prioritising critical threats, and guiding remediation. It uses a graph engine to correlate users, their groups, the apps they are connected to and resources in those apps. It also looks at usage. Combined, this gives a view of the groups and how well they are being utilised.
The Inventory View for Groups and Roles
A key view in ISPM is the Inventory view which presents risk-related information for the different objects known to ISPM, including groups and roles.

It shows all the groups and roles discovered on the connected systems, such as identity providers (like Okta and Entra ID), apps and cloud services.
It has summary widgets to show the Groups by sources, Groups least privilege and Types.

The main section of the view is a filterable table of the groups.

In addition to the name, type (group or role) and source, it lists:
- Members – the number of members in the group
- Apps – icons showing the apps attached to the group (hover for more details)
- Utilization information – see the next section
Clicking a row will open up a view for that group.

This view is useful when deciding which users or apps to remove from the group. You can also click on an account to see more information about that account.
As with all views in ISPM, there is the ability to export the data to a CSV or PDF for offline analysis.
Understanding Group and Role Utilization
The Groups least privilege widget shown above provides a summary of the “underutilization” of the groups. There are three items:
- Underutilized – the number of groups that are connected to one or more applications, but where none of the users in the group have connected to any of those apps in the last three months. This means these groups are potentially pointless. In the example above there are 30 groups/roles out of a total of 330 (9%) in this category.
- Underutilized app assignments – the number of groups where one or more of the connected apps haven’t been accessed by any user in the group in the last three months. This means these groups potentially don’t need to be connected to the identified apps.
- Underutilized memberships – the number of groups where one or more members have not accessed any app the group is connected to in the last three months. This means those users potentially don’t need to be in the group.
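The three widget counts above are all derived from the same three relationships (group to apps, group to members, and per-account app usage within a window). The following added example, which is not ISPM code and uses constructed sample data, computes each of the three categories the same way the definitions describe them: an app assignment is unutilized when no member has used that app in the window, a membership is unutilized when that member has used none of the group's apps, and a group is underutilized when every one of its app assignments is unutilized. The 90-day window stands in for "three months".

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (not an ISPM export): which apps each group grants,
# who is in each group, and the last date each account used each app.
GROUP_APPS = {
    "PAM All Users": {"Okta OPA - Entitlement"},
    "Finance": {"NetSuite", "Expensify"},
    "Contractors": {"Slack"},
}
GROUP_MEMBERS = {
    "PAM All Users": {"ali", "bo", "cy"},
    "Finance": {"ali", "dee"},
    "Contractors": {"bo", "cy"},
}
LAST_ACCESS = {
    ("ali", "NetSuite"): date(2024, 5, 20),
    ("dee", "NetSuite"): date(2024, 1, 3),                 # outside the window
    ("ali", "Expensify"): date(2024, 5, 1),
    ("bo", "Slack"): date(2024, 5, 28),
    ("cy", "Okta OPA - Entitlement"): date(2023, 12, 1),   # outside the window
}
AS_OF = date(2024, 6, 1)
WINDOW = timedelta(days=90)  # stands in for "the last three months"


def used_recently(user, app, as_of=AS_OF, window=WINDOW):
    """True if the account touched the app inside the utilization window."""
    last = LAST_ACCESS.get((user, app))
    return last is not None and as_of - last <= window


@dataclass
class GroupUtilization:
    group: str
    unutilized_apps: set        # apps no member has used in the window
    unutilized_members: set     # members who used none of the group's apps
    underutilized: bool         # every app assignment is unutilized


def analyze_group(group):
    apps = GROUP_APPS.get(group, set())
    members = GROUP_MEMBERS.get(group, set())
    unutilized_apps = {a for a in apps
                       if not any(used_recently(u, a) for u in members)}
    unutilized_members = {u for u in members
                          if not any(used_recently(u, a) for a in apps)}
    # A group with no app assignments at all is not counted as underutilized;
    # it simply has nothing to utilize.
    underutilized = bool(apps) and unutilized_apps == apps
    return GroupUtilization(group, unutilized_apps, unutilized_members, underutilized)


def summarize(groups=GROUP_APPS):
    """Reproduce the three 'Groups least privilege' widget counts."""
    results = [analyze_group(g) for g in groups]
    return {
        "underutilized": sum(r.underutilized for r in results),
        "underutilized_app_assignments": sum(bool(r.unutilized_apps) for r in results),
        "underutilized_memberships": sum(bool(r.unutilized_members) for r in results),
    }


if __name__ == "__main__":
    for g in GROUP_APPS:
        print(analyze_group(g))
    print(summarize())
```

On this sample, "PAM All Users" is fully underutilized (its only app is untouched, so all three members are also unutilized), "Finance" keeps both apps but has one stale member, and "Contractors" has one stale member. Any account that used at least one app the group grants keeps its membership out of the unutilized set, which is why the membership check is "any app", not "every app".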
Clicking any of these will apply filters to the groups view. We will use this for some examples below. These will use Okta apps, groups and accounts and show the work in the Okta Admin Console, but a similar approach could be used with other apps’ admin consoles.
An Example – Managing Underutilized App Assignments
Let’s walk through an example of using the underutilized app assignments widget to manage a group. In our system there are 34 groups in this category (over 10%), which is worth investigating.
We start by selecting (clicking on) the Underutilized app assignments item in the widget.

This applies a filter of Unutilized Apps: More than 0. If we hover over the app name in the Apps column, it shows the relevant app that has not been accessed by any of the users in that group in three months (in this case the Okta OPA – Entitlement app).

How do we resolve this risk? We can remove the group from the app (or the app from the group) in Okta.

Opening the app in the Okta Admin Console, you can see the group assignments. In this case there is the PAM All Users group and two groups sourced from AD. You can select the “Kebab menu” icon and click the Unassign option.

This will remove the group from the application but not touch the group or its members.
You may notice an Access Certification box to the right of the group list if you have Okta Identity Governance (OIG). OIG also performs some usage analysis on users and apps. In this case it has detected there are 17 users who have not accessed the app in 90 days.

It allows creation of an access certification campaign so that each user’s manager can decide whether they should retain access to the app. This might be useful if you want to look at specific users assigned to the app rather than removing the whole group (we will look at underutilized group membership next). Note that this access certification function is only available for apps in Okta where OIG is used. For more information see Preconfigured Access Certification Campaigns in Okta Identity Governance.
With that group unassigned from the app, the next time the ISPM load and analysis runs, you will not see the app show up as an underutilized app for that group.
An Example – Managing Underutilized Memberships
Underutilized memberships represent group (or role) members who have not accessed any of the apps the group is mapped to in the last three months, meaning perhaps they shouldn’t be in the group. Let’s use a similar example to the one above.
As before we can start by clicking on the Underutilized memberships item in the widget.

This will apply a filter of Unutilized Memberships: More than 0 to the group list view.

We can see there are 17 users and 9 of them are unutilized. We could click on the group name or member count to see the full list of accounts in the group with their app utilization. Or we could click on the count in the Unutilized Memberships column. This will show the low (<10%) utilization members in a slide-out panel.

You could then go into the Okta Admin Console and open up the group.

Then using the ISPM list, you can manually remove the users from the group.

Some additional thoughts on approaching the cleanup:
- What if you have a large list? You could export the list to CSV, then use a workflow to go through the list and automatically (via the API or Okta Connector cards) remove the users from the group.
- You could also drill into each user in that slide-out list (or the group drilldown) in ISPM. If there are issues on the account (e.g. unused account or no MFA) you may be able to go directly to the app admin console page via the Remediate button beside the issue. But otherwise you need to go to the app admin console (like Okta) manually.
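For the "large list" case, the following added example (not Okta's or ISPM's code) turns an exported CSV of unutilized memberships into the corresponding Okta API calls, which is the same operation the Admin Console performs when you remove a user from a group: DELETE /api/v1/groups/{groupId}/users/{userId}. The CSV column names and the IDs are constructed assumptions; check the header of your own export and map the columns accordingly. The default is a dry run that only lists what would be removed, so the plan can be reviewed (or handed to a manager) before anything changes.

```python
import csv
import io
import urllib.error
import urllib.request

# Constructed CSV in the shape of an exported unutilized-members list.
# The column names are an assumption, not a documented ISPM export format.
SAMPLE_CSV = """account_id,login,group_id,group_name
00u1abc,ali@example.com,00g9xyz,PAM All Users
00u2def,bo@example.com,00g9xyz,PAM All Users
00u2def,bo@example.com,00g8uvw,Contractors
00u2def,bo@example.com,00g8uvw,Contractors
"""


def plan_removals(csv_text, org_url):
    """Map each (group, account) row to an Okta 'remove user from group'
    call.  Duplicate rows (e.g. from a join in the export) are collapsed
    so the same call is never issued twice."""
    plan, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["group_id"], row["account_id"])
        if key in seen:
            continue
        seen.add(key)
        plan.append({
            "method": "DELETE",
            "url": f"{org_url}/api/v1/groups/{row['group_id']}/users/{row['account_id']}",
            "login": row["login"],
            "group": row["group_name"],
        })
    return plan


def review_summary(plan):
    """Removals per group, for a human to sanity-check before execution."""
    counts = {}
    for call in plan:
        counts[call["group"]] = counts.get(call["group"], 0) + 1
    return counts


def execute(plan, api_token, dry_run=True):
    """Issue the calls.  Okta answers 204 No Content on success; failures
    are recorded with their HTTP status rather than aborting the batch."""
    results = []
    for call in plan:
        if dry_run:
            results.append((call["url"], "dry-run"))
            continue
        req = urllib.request.Request(
            call["url"], method=call["method"],
            headers={"Authorization": f"SSWS {api_token}",
                     "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                results.append((call["url"], resp.status))
        except urllib.error.HTTPError as err:
            results.append((call["url"], err.code))
    return results


if __name__ == "__main__":
    plan = plan_removals(SAMPLE_CSV, "https://example.okta.com")
    print(review_summary(plan))
    for url, status in execute(plan, api_token="<api-token-placeholder>"):
        print(status, url)
```

Run it once in dry-run mode and compare the per-group counts against the Unutilized Memberships column in ISPM; only then rerun with `dry_run=False` and a token whose admin role is scoped to group membership changes. The next ISPM load will reflect the removals, so the same export should not be replayed afterwards.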
This concludes the two examples on how to use the Inventory view to explore underutilized groups. You could use different filters to slice and dice how you attack the problem, but the goal is to reduce the number of groups containing underutilized app assignments and users, so that only the people who need access have access, and only the access they need.
Using the Graph View to Identify Unneeded Group Memberships
Up to this point we have looked at the Inventory view of groups (and roles) and how you could use that to work through the groups and remove unutilized app assignments or membership.
There is another tool within ISPM that can also be used to identify redundant group app assignments – the Access graph. The access graph shows the relationships between users, their IdPs and accounts, groups, apps and resources. This includes the ability to drill into a set of app assignments and see what group (or individual) assignment applies.
The following figure shows the Access graph for a user Ali Lesch and we have expanded the app assignments for one of Ali’s accounts. It shows a spiderweb view of the connections between the groups that account is in and the apps.

In many cases two groups grant access to the same application. This means there is redundant, unneeded access via groups. It may be that those groups don’t need access to the apps, or that the user does not need to be in all of those groups.
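The crossings in that spiderweb view are apps reachable through more than one of the account's groups. The following added example (not ISPM's graph engine, and using a constructed set of group-to-app grants for one account) inverts the group-to-app relationship to list those apps, and then goes one step further than the figure: it identifies the groups whose every app is also granted by some other group, which are the memberships that can be dropped without changing what the account can reach.

```python
# Constructed sample for one account: the groups it belongs to and the
# apps each group grants.  Group and app names are illustrative only.
ACCOUNT_GROUPS = {
    "PAM All Users": {"Okta OPA - Entitlement"},
    "Engineering": {"GitHub", "Jira", "Slack"},
    "Everyone": {"Slack", "Zoom"},
    "Jira Users": {"Jira"},
}


def apps_by_grantor(account_groups):
    """Invert group -> apps into app -> set of groups granting it."""
    grantors = {}
    for group, apps in account_groups.items():
        for app in apps:
            grantors.setdefault(app, set()).add(group)
    return grantors


def redundant_grants(account_groups):
    """Apps granted through more than one group: the crossings in the
    Access graph."""
    return {app: groups
            for app, groups in apps_by_grantor(account_groups).items()
            if len(groups) > 1}


def removable_groups(account_groups):
    """Groups whose every app is also granted by another group.  Each
    group is judged on its own against the current memberships, so after
    removing one, recompute before removing another: two groups that
    only overlap with each other are each 'removable' but not both."""
    grantors = apps_by_grantor(account_groups)
    return sorted(group for group, apps in account_groups.items()
                  if apps and all(len(grantors[app]) > 1 for app in apps))


def apps_after_removing(account_groups, group):
    """What the account would still reach without the given group."""
    remaining = {g: a for g, a in account_groups.items() if g != group}
    return set().union(*remaining.values()) if remaining else set()


if __name__ == "__main__":
    print("redundant:", redundant_grants(ACCOUNT_GROUPS))
    for g in removable_groups(ACCOUNT_GROUPS):
        print("candidate:", g, "-> still reaches", sorted(apps_after_removing(ACCOUNT_GROUPS, g)))
```

On the sample, Jira and Slack are each granted twice, but only "Jira Users" is a safe candidate: "Everyone" also carries Zoom, which nothing else grants, so dropping it would remove access rather than redundancy. Whether the account should keep the app at all is the utilization question from the Inventory view, not something this structural check answers.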
Clicking on any of the groups in this view will take you to the Group view for that group, similar to below.

From here you can perform utilization analysis as before.
This is more of an issue-driven approach, looking at users with issues and drilling into specific group mappings, whereas the approaches described earlier in this article are a more systematic way of analysing the groups.
Conclusion
Analysis of roles continues to be a challenge for many organisations. The mantra of everything managed through roles isn’t practical for most organisations. Role mining and definition tools provided by many of the IGA vendors can be overwhelming and ineffective with real world data.
A better approach is to balance role-based assignment with request-based assignment. Where roles (and groups) are used to assign applications and rights, Okta Identity Security Posture Management (ISPM) provides effective tools to identify groups and roles with underutilized memberships and underutilized app assignments, which can be removed to reduce the risks associated with group (or role) based assignment.

Great article! It’s fascinating to learn about how ISPM can help organizations manage identity and access sprawl effectively.
A question for the author: How does ISPM differentiate between groups with truly underutilized memberships versus those with low utilization but still necessary for business operations?
It doesn’t. It’s analyzing the users in the group accessing apps the group grants access to. It’s up to the analyst looking at ISPM to make that determination.
Thank you for the clarification.