Discovering Common Access
The AI Access Modeling – Discover Common Access feature uses AI analytics and scoring methodologies to evaluate access for a given population, then presents a recommended role that includes the entitlements that are common across those identities. You can create and assign the common access role to large populations of employees to provide broad-based access from the first day an employee joins your organization. Once entitlements are labeled as part of a common access role, they are excluded from future access modeling role mining, role insights, and access request recommendations, which helps simplify your AI model.
This feature is available to organizations using AI Access Modeling. You need the ManageIAICommonAccessDiscovery SPRight, which is part of the AIAccessModelingAdministrator and AIServicesAdministrator capabilities. Your system configuration needs to have AI enabled. See About SailPoint AI-Driven Identity Security.
Note
Access Modeling, available prior to version 8.4 as an IdentityIQ plugin, may be part of your AI subscription as of version 8.4. You will no longer need to download a separate plugin, and you will no longer see it listed with your Installed Plugins.
Note
AI-Driven Identity Security modules may be licensed separately. Please direct questions to your account manager to clarify your agreement.
Common Access Roles Discovery
IdentityIQ Administrators can use this functionality to determine which access should be common to nearly all identities in an organization. Common access roles are not tied to specific job functions.
Note
Only roles created using Discover Common Access will be designated as common access in AI, and only these roles will have their entitlements excluded from future Access Modeling mining sessions.
To discover a common access role:
- Navigate to Intelligence > Advanced Analytics.
- In the Search Type field, make sure Identity is selected.
- Enter and apply search criteria.
- Select the identity or identities to discover roles for.
Note
AI Access Modeling limits the number of identities to 25,000 per population to be mined.
- Select the Discover Common Access Roles button.
- You will be redirected to the Access Modeling page in Identity Security Cloud, using the URL that you configured in Enabling Access Modeling. If you are not already logged in to Identity Security Cloud, you will have to enter admin credentials and authenticate.
  AI displays the potential role.
Note
Once you are in a role mining session, you can select the Settings button at the right side of the screen to adjust settings and use the granularity slider to adjust the minimum number of identities in a group.
- The Potential Role page includes the following tabs:
  - On the Composition tab, use the slider to exclude entitlements beyond your chosen popularity threshold, then select Apply.
  - On the Exclusions tab, indicate exclusions.
  - On the Identity Overview tab, use the Show Chart dropdown to view the Identity Attributes. A list of identities shows those that would be included in this role, listed by display name, department, job title, and location.
- Select the Create a Role button. Alternatively, you may select Save Draft if it needs additional work.
- On the Create a Role page, enter a name, owner, and description to create it. This role will be excluded from future Access Modeling role mining, role insights, and Access Request recommendations. Select the Include Identities checkbox to indicate that you want the identities listed in the Identity Overview tab to be included in the new role when it is created.
- Select the Create a Role button.
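Before creating a common access role with Include Identities selected, it helps to see which entitlements the chosen popularity threshold pulls in and which identities would receive access they do not hold today. The sketch below is an added example, not SailPoint code or its scoring algorithm: it assumes popularity is the fraction of the population holding an entitlement, and the population, entitlement names, and `SENSITIVE` list are constructed for illustration.

```python
from collections import Counter

# Constructed sample population (identity -> entitlements currently held).
POPULATION = {
    "alice": {"vpn:users", "mail:mailbox", "wiki:read", "erp:ap-clerk"},
    "bob":   {"vpn:users", "mail:mailbox", "wiki:read"},
    "carol": {"vpn:users", "mail:mailbox", "wiki:read", "db:admin"},
    "dave":  {"vpn:users", "mail:mailbox"},
    "erin":  {"mail:mailbox", "wiki:read", "db:admin"},
}
# Hypothetical list of entitlements that should never be granted broadly.
SENSITIVE = {"db:admin"}

def popularity(population):
    """Fraction of identities holding each entitlement (assumed model)."""
    counts = Counter(e for ents in population.values() for e in ents)
    return {e: c / len(population) for e, c in counts.items()}

def compose_role(population, threshold):
    """Keep only entitlements whose popularity meets the threshold."""
    return {e for e, p in popularity(population).items() if p >= threshold}

def access_gained(population, role):
    """Entitlements each identity would newly receive if assigned the role."""
    return {i: sorted(role - ents)
            for i, ents in population.items() if role - ents}

def review(population, threshold, sensitive=SENSITIVE):
    """Summarize a proposed role for a least-privilege review."""
    role = compose_role(population, threshold)
    return {
        "role": sorted(role),
        "sensitive_in_role": sorted(role & sensitive),
        "access_gained": access_gained(population, role),
    }

if __name__ == "__main__":
    # A lower threshold widens the role and sweeps in db:admin.
    for t in (0.8, 0.4):
        print(t, review(POPULATION, t))
```

Any entry under `sensitive_in_role` or `access_gained` is a candidate for the Exclusions tab or for a tighter threshold before the role is created.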
Specialized Roles Discovery
Specialized Roles Discovery, part of Access Modeling, identifies user access patterns and determines potential roles, or bundles of access, that accurately align with what users actually do in an organization. IdentityIQ Administrators can use this functionality to generate roles for specific job functions, such as Accounting or Sales.
To discover specialized roles:
- Navigate to Intelligence > Advanced Analytics.
- In the Search Type field, make sure Identity is selected.
- Enter and apply search criteria.
- Select the identity or identities to discover roles for.
Note
AI Access Modeling limits the number of identities to 25,000 per population to be mined.
- Select the Discover Specialized Roles button.
- You will be redirected to the Access Modeling page in Identity Security Cloud, using the URL that you configured in Enabling Access Modeling. If you are not already logged in to Identity Security Cloud, you will have to enter admin credentials and authenticate.
  AI displays a list of potential roles.
Note
Once you are in a role mining session, you can select the Settings button at the right side of the screen to adjust settings and use the granularity slider to adjust the minimum number of identities in a group.
- Select a role from the list.
- The Potential Role page includes the following tabs:
  - On the Composition tab, use the slider to exclude entitlements beyond your chosen popularity threshold, then select Apply.
  - On the Exclusions tab, indicate exclusions.
  - On the Identity Overview tab, use the Show Chart dropdown to view the Identity Attributes. A list of identities shows those that would be included in this role, listed by display name, department, job title, and location.
- Select the Create a Role button. Alternatively, you may select Save Draft if it needs additional work.
- On the Create a Role page, enter a name, owner, and description to create it. This role will be excluded from future Access Modeling role mining, role insights, and Access Request recommendations.
- Select the Include Identities checkbox to indicate that you want the identities listed in the Identity Overview tab to be included in the new role when it is created.
- Select the Create a Role button.