Role Configuration
Role Configuration allows administrators to define how roles are automatically generated based on unique combinations of owner attributes. These generated roles can then be used in role-based access policies and campaign automation.
Overview
Hydden.Control generates roles by combining selected owner attributes (columns) into unique role identifiers. For example, selecting "Department" and "Title" might generate roles like "engineering-senior_engineer" or "sales-account_manager".
Benefits of Role Configuration
- Automatic role discovery - Roles are generated based on actual owner data
- Consistent role definitions - Roles reflect real organizational structure
- Policy foundation - Generated roles enable role-based access policies
- Simplified governance - Review access by role rather than individual
Available Columns
Select from these owner attributes to define role combinations:
| Column | Description | Example Values |
|---|---|---|
| Department | Organizational department | Engineering, Sales, Finance |
| Title | Job title | Senior Engineer, Account Manager |
| Location | Office location | New York, London, Remote |
| Owner Type | Type of identity owner | Employee, Contractor, Vendor |
| Status | Owner status | Active, Inactive |
| Manager | Manager identifier | Manager name or ID |
| Identity Name | Owner's full name | John Smith |
| Identity Email | Owner's email | john.smith@company.com |
Column Selection Guidelines
- Department + Title - Most common combination; creates roles like "engineering-developer"
- Department only - Broader roles for department-level access
- Department + Title + Location - More specific roles for location-based access control
- Fewer columns - Fewer, larger roles with more owners each
- More columns - More specific roles with fewer owners each
Role Statistics
The Role Configuration page displays statistics about generated roles:
| Statistic | Description |
|---|---|
| Total Roles | Number of unique role combinations generated |
| Total Owners | Number of owners assigned across all roles |
| Average Owners per Role | Mean number of owners per role |
| Size Range | Minimum and maximum owners in any single role |
Use these statistics to understand how your column selection affects role granularity.
Configuring Roles
Setting Up Role Generation
- Navigate to Settings and select the Role Config tab.
- In the Available Columns section, click to select the columns you want to combine for role generation.
- Selected columns appear highlighted with a checkmark.
- The Role Name Format Preview shows an example of how role names will be formatted.
- Review the Role Statistics to understand the impact of your selection.
- Click Save Settings to save your column selection.
Policy Configuration
Configure how roles interact with policies:
- Policy Threshold - Set the percentage threshold (0-100%) for policy compliance evaluation. Roles meeting this threshold percentage of policy criteria are considered compliant.
- Auto-Analyze on Create - Toggle to automatically run policy role evaluations when roles are created or regenerated.
Regenerating Roles
After changing column selections or when owner data changes significantly:
- Click Regenerate Roles.
- A confirmation dialog appears warning that existing roles will be replaced.
- Confirm to start the regeneration process.
- The regeneration runs asynchronously. Monitor progress in Job History.
Regeneration Impact
Regenerating roles replaces all existing generated roles. Any campaigns or policies referencing roles by ID may need to be updated.
Role Name Format
Role names are generated by combining selected column values with hyphens:
| Selected Columns | Example Role Name |
|---|---|
| Department | engineering |
| Department, Title | engineering-senior_engineer |
| Department, Title, Location | engineering-senior_engineer-new_york |
Values are:
- Converted to lowercase
- Spaces replaced with underscores
- Special characters removed
- Joined with hyphens
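The following sketch is an added example, not Hydden.Control code. It applies the four documented steps to constructed owner records, computes the same figures as Role Statistics, and flags roles where different raw values normalize to the same name, which matters because Role-Based Access policies auto-approve by role. It assumes "special characters" means anything other than a-z, 0-9 and underscore; all function names are hypothetical.

```python
import re
from collections import defaultdict

def normalize(value):
    """Documented steps: lowercase, spaces -> underscores, special characters removed."""
    value = value.lower().replace(" ", "_")
    # Assumption: "special" = anything outside a-z, 0-9 and underscore.
    return re.sub(r"[^a-z0-9_]", "", value)

def role_name(owner, columns):
    """Join the normalized values of the selected columns with hyphens."""
    return "-".join(normalize(owner[col]) for col in columns)

def build_roles(owners, columns):
    """Map each role name to its owners and the raw value tuples behind it."""
    roles = defaultdict(lambda: {"owners": [], "raw": set()})
    for owner in owners:
        entry = roles[role_name(owner, columns)]
        entry["owners"].append(owner["Identity Email"])
        entry["raw"].add(tuple(owner[col] for col in columns))
    return dict(roles)

def statistics(roles):
    """Same figures as the Role Statistics table."""
    sizes = [len(r["owners"]) for r in roles.values()]
    return {"total_roles": len(sizes), "total_owners": sum(sizes),
            "average": sum(sizes) / len(sizes), "size_range": (min(sizes), max(sizes))}

def collisions(roles):
    """Roles whose name was produced by more than one distinct raw value tuple."""
    return {name: sorted(r["raw"]) for name, r in roles.items() if len(r["raw"]) > 1}

def single_owner_roles(roles):
    """Roles with exactly one owner, a sign of an over-specific column selection."""
    return sorted(name for name, r in roles.items() if len(r["owners"]) == 1)

# Constructed sample owners (not real data).
OWNERS = [
    {"Identity Email": "a@example.com", "Department": "Engineering", "Title": "Senior Engineer"},
    {"Identity Email": "b@example.com", "Department": "Engineering", "Title": "Senior Engineer"},
    {"Identity Email": "c@example.com", "Department": "R&D", "Title": "Analyst"},
    {"Identity Email": "d@example.com", "Department": "RD", "Title": "Analyst"},
    {"Identity Email": "e@example.com", "Department": "Sales", "Title": "Account Manager"},
]

if __name__ == "__main__":
    roles = build_roles(OWNERS, ["Department", "Title"])
    print(statistics(roles))
    print("collisions:", collisions(roles))
    print("single-owner roles:", single_owner_roles(roles))
```

Under that assumption, "R&D" and "RD" in the sample both become `rd`, so their owners land in one role; selecting Identity Email as a column gives every owner a role of their own.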
Using Generated Roles
In Policies
Generated roles can be used in Access Policies:
- Role-Based Access policies reference roles to auto-approve access
- Select generated roles when configuring policy resources
- Policies evaluate role membership for access decisions
In Campaigns
Roles support campaign targeting:
- Role-Based Review campaigns review access by role assignment
- Filter campaign scope by specific roles
- Review all accounts belonging to owners in selected roles
Role Analysis
When Auto-Analyze on Create is enabled:
- Each generated role is analyzed against policies
- Compliance scores are calculated based on policy threshold
- Analysis results help identify roles that may need policy adjustments
Best Practices
- Start simple - Begin with Department + Title before adding more columns
- Review statistics - Ensure role sizes are manageable (not too broad or too specific)
- Test with sync - Regenerate roles after significant data syncs
- Document purpose - Keep notes on why specific columns were chosen
- Monitor size range - Very small or very large roles may indicate column selection issues
Troubleshooting
No Roles Generated
Cause: No synchronized owner data, or selected columns have no values.
Solution: Verify Data Sync completed successfully and owners have values for selected columns.
Too Many Roles
Cause: Too many columns selected, creating overly specific combinations.
Solution: Remove some columns to create broader role groupings.
Too Few Roles
Cause: Too few columns selected, or a selected column has few distinct values.
Solution: Add more columns or verify data quality for selected columns.
Related Topics
- Access Policies - Using roles in policies
- Campaigns - Role-based review campaigns
- Data Sync - Synchronizing owner data
- Settings Overview - All Settings options
