Enabling Access Modeling

SailPoint's AI Services includes an Access Modeling service, which uses patented machine learning algorithms to identify user access patterns and determine potential roles that accurately align with what users actually do in an organization.

In IdentityIQ, AI Services Access Modeling gives you the option to use this service for role discovery, to display potential roles based on the optimal role granularity derived from AI Services algorithms.

The Access Modeling feature is part of the AI Services integration. For more information, see Configuring IdentityIQ for Access Modeling.

Note: AI service modules may be licensed separately. Please direct questions to your account manager to clarify your agreement.

To use Access Modeling for role discovery, AI Services must be integrated into your IdentityIQ instance. See Integrating SailPoint AI Services for details.

You can read about AI Services prerequisites, the onboarding process, and deployment steps at Getting Started with AI-Driven Identity Security for IdentityIQ.

Discover Common Access functionality is only available to organizations using IdentityIQ's AI functionality.

Note: Configuration settings automatically copy over for those running the AI Services Access Modeling plugin prior to IdentityIQ version 8.4.

Begin by enabling AI – see Configuring AI Services – then configure Discover Common Access and Role Discovery:

  1. Log in to IdentityIQ as an administrator.

  2. Navigate to gear > Global Settings > AI Services Configuration and enter:

    • Connection information, including AI Services Hostname, Client ID, and Client Secret.

    • IdentityNow URL. This is specific to each customer.

    • Minimum number of identities on which to model roles. The default is 20.

    Note: Selecting fewer identities on which to model roles yields more potential role options. Using a higher minimum number of identities avoids yielding many highly-specific roles.

  3. Select Save.

After the Access Modeling is enabled and configured, you can use it to explore potential roles based on users' current roles and create new roles that align with the access users need.

See Common Access Roles Discovery and Specialized Roles Discovery.