Axonius Documentation
Start typing to search…

Working with Scopes

Use Scopes to define the type and range of identities data presented in the Role Mining simulator.

This may include:

  • Identities
  • Entitlements and from which applications
  • Group permissions
  • Roles

There are entitlements assigned specifically to individual users and entitlements granted or inherited to a user by way of the role or group of which they are a member. Scopes allow you to filter all the existing entitlements to help clearly define what entitlements you want displayed in the simulator to reduce the bandwidth use in the system and make your work faster.

The Scopes Window

You manage scopes in the Scopes window.

To apply a scope to the Role Mining simulator:

  1. In the Role Mining simulator page, click **Scope: **.

    You can also select a scope from the list or select Add Scope to create a new one.

  2. The Scopes window appears with the [Base Scope] selected.

By default, the Base Scope is selected and applied to the simulator graph. It includes identity information from all connected applications and their associated entitlements. The Base Scope cannot be edited or deleted. You can create custom scopes that include subsets of the data in the Base Scope.

You can select the scope you want to apply from the list on the left, edit existing scopes or create a new one. Existing scopes are listed along the left. Select a scope to view its configuration.

  • Click Add Scope to create a new Scope.
  • Click Delete to delete the selected Scope.
  • Click Edit to edit the selected Scope.
  • Click Apply to apply the Scope to the Role Mining Simulator. The query configured for the Scope is run and the Role Mining Simulator chart is updated. Once a scope is created it will take a few minutes for the ML engine to calculate the entitlements graph and clusters. but in the meantime, there is an option to present the data based on the base scope data that was generated by the ML engine

Scope Configuration

A scope configuration includes the following: Adapter connections - A list of adapter connections through which the identity data is fetched. Identities query - The query used to determine what data to include in the scope. Entitlements types - The types of entitlements to include in the scope. Assignment type - How the entitlement is assigned to the identity. Either directly or by way of a role. Data points - Shows how many of each type of entitlements and identities are included in the scope.

Creating a New Scope

To create a new Scope:

  1. From the Role Mining Simulator, click **Scope: **.

  2. Click Add Scope.

  3. Give the new scope a name and a description.

  4. In Adapter connections, all available adapter connections are loaded by default. Click the X next to each connection you want to remove from the list.

  5. In Identities query, create a query that returns the managed identities you want included in the scope.

  6. In Entitlement types, all entitlement types are selected by default. Deselect those you don't want to include in the scope.

  7. In Assignment types, Direct entitlement assignments is selected by default.

  8. In Data Points, you can view the number of entitlements and identities that are included in the current scope configuration. Click (Refresh) to do a recount after making changes to the scope configuration.

  9. Click Save to save the new scope and apply it to the simulator graph. The new scope is listed in the Scopes window.

A complete Scope looks like this:

Selecting a Scope

You can select a scope either from the Scopes window or from the Scopes list in the Role Mining Simulator page.

The Base Scope

The Base Scope is the scope that includes all data fetched via the adapter connections configured in Adapter connections to analyze (Base Scope) option under Role Mining Settings. This is found in System Settings -> Data -> Data Processing.

Updated about 11 hours ago