Enabling Access Modeling

SailPoint's AI-Driven Identity Security includes an Access Modeling service, which uses patented machine learning algorithms to identify user access patterns and determine potential roles that accurately align with what users actually do in an organization.

In IdentityIQ, AI-Driven Identity Security Access Modeling gives you the option to use this service for role discovery, to display potential roles based on the optimal role granularity derived from AI-Driven Identity Security algorithms.

The Access Modeling feature is part of the AI-Driven Identity Security integration. For more information, see Configuring IdentityIQ for Access Modeling.

Note: AI-Driven Identity Security modules may be licensed separately. Please direct questions to your account manager to clarify your agreement.

To use Access Modeling for role discovery, AI-Driven Identity Security must be integrated into your IdentityIQ instance. See Integrating SailPoint AI-Driven Identity Security for details.

You can read about AI-Driven Identity Security prerequisites, the onboarding process, and deployment steps at Getting Started with AI-Driven Identity Security for IdentityIQ.

Discover Common Access functionality is only available to organizations using IdentityIQ's AI functionality.

Note: Configuration settings automatically copy over for those running the AI-Driven Identity Security Access Modeling plugin prior to IdentityIQ version 8.4.

Begin by enabling AI – see Configuring AI-Driven Identity Security – then configure Discover Common Access and Role Discovery:

  1. Log in to IdentityIQ as an administrator.

  2. Navigate to gear > Global Settings > AI-Driven Identity Security Configuration and enter:

    • Connection information, including AI-Driven Identity Security Hostname, Client ID, and Client Secret.

    • Identity Security Cloud URL. This is specific to each customer.

    • Minimum number of identities on which to model roles. The default is 20.

    Note: Selecting fewer identities on which to model roles yields more potential role options. Using a higher minimum number of identities avoids yielding many highly-specific roles.

  3. Select Save.

After the Access Modeling is enabled and configured, you can use it to explore potential roles based on users' current roles and create new roles that align with the access users need.

See Common Access Roles Discovery and Specialized Roles Discovery.