GenAI Descriptions for Entitlements

IdentityIQ uses Generative AI (GenAI) to generate descriptions for your organization’s entitlements. On the Entitlement Catalog page, users can select one or more entitlements to request a generated description. The progress of these requests can be tracked on the GenAI Entitlement Descriptions page, which also allows users to submit new descriptions for approval.

For each approval request:

• Users can select either single or multiple entitlements to request descriptions.
• Once generated, a description can be submitted. If approvals are enabled for GenAI Description for Entitlements, then they must be approved before the new description is applied to the entitlement.
• A workflow determines who can approve the initial description that GenAI generates. Typically, this is the Entitlement Owner, but the feature can be configured to let users approve their own generated descriptions themselves.

See:

• GenAI Entitlements on the Entitlement Catalog Page
• GenAI Entitlement Descriptions Page

GenAI Entitlements on the Entitlement Catalog Page

To access the Entitlement Catalog page, select Applications > Entitlement Catalog. See Entitlement Catalog(LINK IN DOC) for details and functionalities on Entitlement Catalog page.

In addition to the details and functionalities described in Entitlement Catalog(LINK IN DOC), users with the AI Entitlement Description Administrator capability will see these options in the Entitlement Catalog table:

• Checkbox in the Application column
• Magic Wand icon in the Description column
• Review GenAI Descriptions button

Users with this capability can also generate GenAI Descriptions for Entitlements associated with applications on the page.

See Assigning GenAI Administrator Capability for more information on how to assign the AI Entitlement Description Administrator capability to a user.

Use the checkbox to select a single Entitlement or multiple Entitlements, then right click and select Generate Descriptions to generate a request for generating GenAI Descriptions for Entitlements. A maximum of 100 entitlements can be selected in a single request. See Generating GenAI Descriptions for Entitlements for more information.

The Entitlement Catalog table displays a magic wand icon for entitlement descriptions generated through GenAI. The color of the magic wand represents its status in the workflow as follows:

Magic Wand Icon Color	Status	Description
Grey	Requested	GenAI Description for Entitlement has been requested but has not yet been created.
Purple	Suggested	GenAI Description for Entitlement has successfully created.
Red	Failed	GenAI Description for Entitlement was not created, due to an error.
Yellow	Pending Approval	GenAI Description for Entitlement has been sent to an approver but has not yet been approved.
Green	Approved	GenAI Description for Entitlement has been approved or provisioned without need for approval.
Amber	Rejected	GenAI Description for Entitlement has not been approved, due to it not meeting the quality and accuracy standards of the approver.

Select the Review GenAI Descriptions button to navigate to the GenAI Entitlement Descriptions page. See GenAI Entitlement Descriptions Page for more information.

GenAI Entitlement Descriptions Page

Users with the AI Entitlement Description Administrator capability can access the GenAI Entitlement Descriptions page to monitor the request progress by selecting the Review GenAI Descriptions button on the Entitlement Catalog page.

Users can also access this page directly via a URL: https://<hostname>/identityiq/define/groups/entitlementDescription.jsf#/genai.

The GenAI Entitlement Descriptions page provides a comprehensive overview of the suggested descriptions, status, and actions buttons. Users should refresh the page to see the progress of requests.

The GenAI Entitlement Descriptions page displays a table with all relevant data associated with entitlements and descriptions generated using GenAI.

Column	Description
Application	The application to which the managed attribute belongs.
Display Name	Display the name of the managed attribute. If no display name was defined, this field displays the value of the attribute.
Suggested Description	GenAI suggested entitlement descriptions.
Creation Date	The creation date and actual time of the request to generate GenAI Descriptions for Entitlement.
Status	Status of the request for generating GenAI Descriptions for Entitlement. The status can be Requested, Suggested, Failed, Pending Approval, Approved, or Rejected.
Action	The action that users can take on the suggested descriptions under various statuses. Users can submit or discard a description.

The table data is displayed by the entitlement Creation Date in descending order, with the most recent entitlements created displayed first, independent of their status. Users can reposition (drag and drop) and sort the table columns as required.

The page has both “full text” and “contains” type search functionality. The search includes all entitlements on all pages in the table, and the result count is displayed on the page.

To configure which columns appear in the table, select the column configure icon.

Users can perform the following actions on the page:

• Submit – Submits the GenAI Descriptions for Entitlement to the workflow approver for approval.
• Discard – Discards the GenAI Descriptions for Entitlement. This action will remove the entitlement descriptions from the table, but the user can resubmit the request.

Generating GenAI Descriptions for Entitlements

Users with the AI Entitlement Description Administrator capability can generate entitlement descriptions on the Entitlement Catalog page. They can generate descriptions for a single entitlement or multiple entitlements through a single request.

They can generate descriptions for entitlements with and without existing descriptions.

Currently, IdentityIQ supports GenAI Descriptions for Entitlement only in English, irrespective of the browser locale settings.

Generating a Single Entitlement Description

To generate a description for a single entitlement:

1. Select the checkbox and right-click on the table OR on the entitlement. A contextual menu is opened.

2. On the contextual menu, select Generate Descriptions. The GenAI Entitlement Descriptions page loads, including the additional selected entitlements.

   Note

   You cannot generate descriptions for entitlements that already have a GenAI description, or that have a status of Requested, Suggested or Pending Approval.

Generating Multiple Entitlement Descriptions

To generate descriptions for multiple entitlements through a single request:

1. On the Entitlement Catalog table, select the checkboxes for the entitlements. You can also select all entitlements on the page by selecting the header checkbox and selecting Select Current Page from the contextual menu.

   Note

   Once you have initiated a request for a description, the checkbox is disabled, except when the entitlement generation has failed or was approved or rejected by the approver.

   Note

   You can select a maximum of 100 entitlements in a single request to generate descriptions. If you try to select more than 100 entitlements, an error message will appear.

2. On the table, right-click in the selected area. A contextual menu display.

3. Select Generate Descriptions. The GenAI Entitlement Descriptions page loads, including the additional selected entitlements.

   Note

   When you select multiple entitlements, the Edit and Delete options on the contextual menu are disabled, because multiple edits and multiple deletes of entitlements are not allowed.

Reviewing Generated Descriptions for Entitlements

The GenAI Entitlement Descriptions page provides a comprehensive overview of the suggested descriptions, status, and actions buttons. The page shows the progress of the requests.

Submitting an Entitlement Description

Select Submit to submit the entitlement description, with Suggested status, for approval. An approval workflow (or whichever workflow is registered as the workflowManagedAttribute workflow) is launched, and the request is routed to the Entitlement approver for approval. If approvals are turned off via the Enable approvals for GenAI Descriptions for Entitlements checkbox, the descriptions will be auto approved once submitted. See Configuring GenAI Descriptions for Entitlements for details.

Note

The requester for the description can also be the approver. In this scenario, the entitlement description is instantly approved. See Configuring GenAI Descriptions for Entitlements for information on how to configure a requester as an approver.

Discard an Entitlement Description

If an entitlement description is incorrect, users can discard the entitlement descriptions with Failed, Suggested, and Rejected status. To discard an entitlement description, select Discard icon. It will remove the description from the GenAI Entitlement Descriptions page. Users can then select the entitlement again from the Entitlement Catalog page to generate a description, if they want.

Entitlement Description Status Change

When a user takes an action on the GenAI Entitlement Descriptions page, the entitlement description status changes as follows:

No action = Suggested status

Submit = Pending Approval status

When the user sends the descriptions to the Entitlement approver, the status changes according to the approver’s action, or changes to Approved if approvals were auto-approved. See Approving GenAI Entitlement Description for more information.

Approving GenAI Descriptions for Entitlements

As an Entitlement approver, you may be asked to review and approve a GenAI Descriptions for Entitlement.

Entitlements are the access that an application can provide to an identity. Entitlement descriptions should provide useful information about the entitlement and its access. To ensure that a GenAI Descriptions for Entitlement is accurate, approval by the Entitlement approver is optionally required before the suggested description can be applied to the entitlement. If the Entitlement owner does not exist, the description is approved by the Application owner.

When you need to approve an entitlement description, you will receive an email notifying you that it is ready for your review.

1. Select the Approvals Quicklink card to open the Approvals page, where you can view the GenAI-generated Descriptions for Entitlement received for approval.

Alternatively, navigate to My Tasks > Approvals to open the Approvals page.

1. Review the proposed description.

2. Select Approve or Deny.

When you approve a description, it is instantly updated on the entitlement.

Entitlement Description Status Change

When the Entitlement approver takes an action on the approval request for an entitlement description, the entitlement description status on the GenAI Entitlement Descriptions page changes as follows:

No action = Pending Approval status

Approve = Approved status

Deny = Rejected status

Assigning GenAI Administrator Capability

The IdentityIQ administrator can assign the AI Entitlement Description Administrator capability to other users. The capability enables the users to generate GenAI Descriptions for Entitlements on the Entitlement Catalog page and review the descriptions on the GenAI Entitlement Descriptions page.

To assign the capability to a user, perform the following:

1. Log in as an IdentityIQ administrator.

2. Navigate to Identities > Identity Warehouse.

3. On the Identity Warehouse page, search for the user you want to assign the AI Entitlement Description Administrator capability to.

4. Select the identity to open the View Identity page.

5. Select the User Rights tab.

6. Select AI Entitlement Description Administrator under User Capabilities.

7. Select Save.

Configuring GenAI Descriptions for Entitlements

IdentityIQ Administrator can activate the GenAI Descriptions for Entitlements feature in IdentityIQ.

From the IdentityIQ gear icon, select Global Settings > AI-Driven Identity Security Configuration.

Select the Enable GenAI Descriptions for Entitlements checkbox under the GenAI Settings section to see all the settings available in the section.

1. Delete GenAI Descriptions for Entitlements requests older than (days) – Deletes all stored requests for GenAI Descriptions for Entitlements older than the defined number of days with the statues; Requested, Suggested, Failed, Pending Approval, Approved, and Rejected. However, GenAI Descriptions for Entitlements that have been approved will still be applied to the entitlements.

2. Enable approvals for GenAI Descriptions for Entitlements – Enable workflow approvals for GenAI Descriptions for Entitlements. When this is enabled, GenAI Descriptions for Entitlements will follow established workflow approvals when they are submitted.

   Note

   If an Entitlement approval workflow has not been configured and the Enable approvals for GenAI Descriptions for Entitlements is selected, entitlement descriptions will be automatically approved when submitted through the GenAI Entitlement Descriptions page due to no approver existing.

3. Provide the following details under Connection Information for GenAI:

   a. GenAI Hostname – The API Gateway URL for your tenant. For example: https://<org>.api.identitynow.com OR https://<org>.api.saas.sailpointfedramp.com.

   b. Client ID – OAuth client ID for the GenAI API.

   c. Client Secret – OAuth client secret for the GenAI API.

   Note

   See Generating Client Credentials in Your Tenant to generate Client ID and Client Secret.

4. Provide the following details under Advance Connection Settings for GenAI:

   a. Read Timeout – The number of seconds IdentityIQ will wait to read GenAI Descriptions for Entitlements before reporting failure.

   b. Connection Timeout – The number of seconds IdentityIQ will wait to connect to GenAI LLM proxy before reporting a failure.

5. Select Test Connection to ensure that LLM APIs are being called to establish connection with the GenAI host.

6. Select Save.