Enable and configure entitlement optimization

Use GuardAPI commands to enable and configure entitlement optimization.

All commands are run on the collector, and use already defined Guardium data sources. First, enable the feature on the collector, and then specify the data sources and enable the specific features.

The most accurate results are obtained by fine-tuning the data that is included in the entitlement optimization.

Users and Roles and Browse Entitlements are enabled by default; however, you must set extractActivity and extractEntitlement to true to extract the relevant data. The other three features (What's New, Recommendations, What If) are enabled individually. For example, you can enable Recommendations while leaving What If disabled.

Entitlement recommendations uses a subset of data, filtered by the userScope and objectScope parameters. Browse Entitlements uses the userScope parameter to filter data. Both parameters specify one or more Guardium® groups. Most likely, you will create specific groups to use for this purpose. Define the groups to extract only the data you want, to minimize storage and processing. The groups should have Full Audit, so that all data is analyzed and the results are conclusive. When you use groups with Full Audit, Browse Entitlements shows all rights of all users, regardless of their activity. A user that is outside of the userScope definition appears in the window, but its activity count is "unknown."

The best practice is to carefully evaluate and design your data collection scheme so that you only rarely change it. There are two reasons for this. First, every time you change the configuration, it takes a week to generate data for reports. Second, the data is compared to data of the previous 3 weeks, so when you change the data definition the comparison is less meaningful for the first 3 weeks.

Data is present in each tab from the first Sunday after you enable the individual feature.

For more information about the entitlement optimization functions, see Entitlement optimization APIs.

Prerequisites

  • Investigation dashboard is enabled. (Required for What If, Recommendations, and updating activity in Entitlement Browse.)
  • The user that configures the entitlement optimization must have permission to access all the metadata and schema tables that are in the configured data sources.