
Access Modeling

About Access Modeling

Access Modeling, composed of Role Insights and Role Discovery, enables organizations to dynamically determine who should have access to what. Access Modeling works at scale to increase the efficiency and accuracy of your organization's access model.

Improving Roles with Role Insights

Role Insights, part of SailPoint's Access Modeling service, provides you with a greater understanding of your organization's role program, and suggests changes to your existing roles to make them more secure.

You can explore the following role insights and use them to improve the security of your existing roles in IdentityNow and IdentityIQ:

  • Your progress toward role program benchmarks for best security practices, such as the principle of least privilege

  • Suggested entitlement additions for your current roles

  • The percentage of identities with a role that also hold a suggested entitlement

  • Lists of specific identities that would be impacted by the suggested role change

Role Insights looks for updates nightly and offers new role insights as access in your organization changes. You can check for new role insights any time to see valuable information and suggestions to keep your roles up-to-date and as secure as possible.

Role Insights can be accessed by Admins and users with the role admin user level.

Prerequisites

  • IdentityIQ customers with Access Modeling must log in to their SailPoint org to access Role Insights.

  • IdentityNow customers with Access Modeling do not need to do anything to access Role Insights.

Process Overview

  1. Launch Role Insights.

  2. Select a role to investigate.

  3. Explore suggested entitlement additions and how they impact identities.

  4. Export suggested role updates and add entitlements to your organization's roles in IdentityNow and IdentityIQ.

Exploring Role Insights and Entitlement Additions

Complete the following steps to explore role insights:

  1. In the SailPoint interface, click the Role Insights dashboard panel or navigate to Admin > Access > Role Insights.

    The Role Insights page provides an overview of your role program and lists roles with suggested updates.

    The top of the Role Insights page displays the status of essential benchmarks that measure the progress of your role program:

    • Access Included in Roles - The percentage of all access in your organization that is included in roles.

    • Identities with Access from Roles - The percentage of identities in your organization that have access from roles.

    The goal percentages listed for each benchmark let you know how you are progressing in your development of a more secure role program. The goal percentages are set by SailPoint based on best practices and are there for general guidance.

    In the list of Roles with Entitlement Updates, you can browse the roles with entitlement updates, or search for role names or owners that start with a specific string. Most columns on Role Insights pages can be sorted by clicking the sort arrows in the column header.

    The Impacted Identities column shows how many identities would gain access if you add the entitlement to the role. A value of 0 means that every identity in the role already holds the suggested entitlement through other means (for example, direct assignment), so adding it to the role grants no new access and simply brings that access under the role's governance. Such entitlements are the safest to add.

  2. To explore the suggested updates for a role, select View.

    The Updates for Role_Name page lists entitlements on two tabs:

    • Entitlements to Add - This tab lists suggested entitlements that are not currently in the role. An entitlement is suggested when 80% or more of the identities that hold the role already hold it, but it is not part of the role.

    • Current Entitlements - This tab lists all of the entitlements currently included in the role.

    You can browse the entitlements, or search entitlement names and descriptions that start with a specific string. You can also select the column settings icon to customize which columns are visible, and select Export to download the suggested entitlement additions to a CSV file.

  3. On the Entitlements to Add tab, click on a suggested entitlement to launch the Identity Overview page and see how it affects identities with the role.

    The Identity Overview page lists identities on two tabs:

    • Impacted Identities - This tab lists the identities with the role that currently do not have the suggested entitlement. These are the identities that will be impacted if you decide to add the suggested entitlement to the role in IdentityNow or IdentityIQ.

    • Identities with Entitlement - This tab lists the identities with the role that currently also have the suggested entitlement.

    You can browse the identities, or search display names for a specific string. You can also select the column settings icon to customize which columns are visible.

  4. After examining insights into your organization's roles and the suggested entitlement updates, return to the Updates for Role_Name page and select Export to download suggested entitlement additions for the role to a CSV file.

    Repeat this step to export suggested entitlement additions for each role that you would like to update.

  5. Use the exported entitlement additions to update your roles in IdentityNow or IdentityIQ.

You have completed the Role Insights process. Check Role Insights regularly for new insights into how to improve your roles as access in your organization changes.
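The analysis behind the Role Insights pages above (the two benchmarks, the 80% suggestion rule, and the Impacted Identities count) can be reproduced on your own access data. The following is an added example, not SailPoint code and not the product's actual implementation: the data model (roles, role members, and every entitlement each identity holds by any means), the sample identities, and the exact benchmark formulas are assumptions, and the CSV columns are illustrative.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (hypothetical, not from any real tenant).
ROLES = {
    "Engineer": {"git-read", "jira-user"},
    "Finance": {"erp-ledger"},
}
ROLE_MEMBERS = {
    "Engineer": {"alice", "bob", "carol", "dave", "erin"},
    "Finance": {"frank", "grace"},
}
# Every entitlement each identity actually holds, by any means.
IDENTITY_ACCESS = {
    "alice": {"git-read", "jira-user", "ci-runner", "vpn"},
    "bob":   {"git-read", "jira-user", "ci-runner", "vpn"},
    "carol": {"git-read", "jira-user", "ci-runner"},
    "dave":  {"git-read", "jira-user", "ci-runner", "vpn"},
    "erin":  {"git-read", "jira-user", "vpn"},
    "frank": {"erp-ledger", "vpn"},
    "grace": {"erp-ledger", "vpn"},
    "heidi": {"vpn"},               # holds no role at all
}

SUGGESTION_THRESHOLD = 0.80   # the 80% figure stated on the page


def suggested_additions(roles, role_members, identity_access,
                        threshold=SUGGESTION_THRESHOLD):
    """Map role -> {entitlement: (pct_holding, impacted_identities)}.

    An entitlement is suggested for a role when the role does not grant it
    but at least `threshold` of the role's members already hold it.
    Impacted identities are the members who would gain access if it is added
    (an empty list is the "0 impacted identities" case from the page).
    """
    result = {}
    for role, granted in roles.items():
        members = role_members.get(role, set())
        if not members:
            continue
        holders = defaultdict(set)          # entitlement -> members holding it
        for ident in members:
            for ent in identity_access.get(ident, set()) - granted:
                holders[ent].add(ident)
        suggestions = {}
        for ent, who in sorted(holders.items()):
            coverage = len(who) / len(members)
            if coverage >= threshold:
                suggestions[ent] = (round(coverage * 100), sorted(members - who))
        if suggestions:
            result[role] = suggestions
    return result


def benchmarks(roles, role_members, identity_access):
    """The two benchmarks shown at the top of the Role Insights page.

    Assumption: "Access Included in Roles" is measured over
    (identity, entitlement) assignments; an assignment counts as included
    when some role the identity holds grants that entitlement.
    """
    role_granted = defaultdict(set)      # identity -> entitlements from roles
    for role, members in role_members.items():
        for ident in members:
            role_granted[ident] |= roles[role]
    total = sum(len(ents) for ents in identity_access.values())
    from_roles = sum(len(ents & role_granted[ident])
                     for ident, ents in identity_access.items())
    with_role_access = sum(1 for ident in identity_access if role_granted[ident])
    return {
        "access_included_in_roles_pct": round(100 * from_roles / total, 1),
        "identities_with_access_from_roles_pct":
            round(100 * with_role_access / len(identity_access), 1),
    }


def export_csv(suggestions):
    """Render suggestions as CSV text (the columns are an assumption)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["role", "entitlement", "pct_holding", "impacted_count", "impacted"])
    for role, ents in suggestions.items():
        for ent, (pct, impacted) in ents.items():
            w.writerow([role, ent, pct, len(impacted), ";".join(impacted)])
    return buf.getvalue()


if __name__ == "__main__":
    print(benchmarks(ROLES, ROLE_MEMBERS, IDENTITY_ACCESS))
    print(export_csv(suggested_additions(ROLES, ROLE_MEMBERS, IDENTITY_ACCESS)))
```

In the sample data, ci-runner and vpn are each held by 4 of the 5 Engineer members, so both are suggested with one impacted identity each, while vpn is held by both Finance members and is suggested with 0 impacted identities. Before acting on a suggestion, check the impacted list: those are the identities whose access actually changes when the role is updated.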

Discovering Roles

Role Discovery, part of SailPoint's Access Modeling service, uses patented machine learning algorithms to identify user access patterns and determine potential roles, or bundles of access, that accurately align with what users actually do in an organization. You can then use this potential role data to evaluate your current roles and consider new roles in IdentityNow and IdentityIQ.

Prerequisites

  • IdentityIQ customers with Access Modeling must follow the directions in Configuring IdentityIQ for Role Discovery to access Role Discovery.

  • IdentityNow customers can access Role Discovery as soon as Access Modeling is enabled for their org.

Process Overview

  1. Enter a Search query in IdentityNow or an Advanced Analytics query in IdentityIQ.

  2. Launch Role Discovery.

  3. Customize and explore potential roles.

  4. Refine the entitlements for a potential role.

  5. Export the potential role data to a ZIP file.

  6. Use potential role data to evaluate current roles and create new roles.

Discovering Potential Roles

You can access Role Discovery from either IdentityNow or IdentityIQ.

Note

New identities and entitlements added to your organization are available for Role Discovery on the following day.

In IdentityNow

Complete the following steps in IdentityNow to discover potential roles:

  1. Select Search, and enter a search query. For information on Search syntax, see Using Search in IdentityNow.

    Note

    We recommend using targeted, specific search queries to narrow down the identities to groups that you want to have shared entitlements through roles.

    When searching on * (all identities), at most 10,000 identities are returned. We do not recommend searching on *.

  2. Select Role Discovery to display potential roles based on the optimal role granularity derived from our AI algorithms.

From here, you can customize the potential roles displayed and explore individual potential roles.

In IdentityIQ

After successfully configuring AI Services to work with IdentityIQ, complete the following steps in IdentityIQ to start discovering roles:

  1. Select Intelligence > Advanced Analytics, and enter a search query.

    For more information about queries in Advanced Analytics, see the IdentityIQ Product Guides.

  2. Use the checkbox to Select Everything or select a subset of identities.

  3. Select Role Discovery to discover potential roles based on the optimal role granularity derived from our AI algorithms.

    You are now redirected to the Role Discovery page on the IdentityNow tenant that was entered during plugin configuration. If you are not already logged in to IdentityNow, you will have to enter admin credentials and authenticate first.

Customizing and Exploring Potential Roles

To customize the potential roles displayed and explore individual potential roles:

  1. To modify the potential roles displayed, click the Settings icon to adjust the Role Granularity and Minimum Number of Identities. See Understanding Role Granularity to learn more.

    The list of potential roles is updated after making adjustments.

  2. Click on Attributes for any potential role to quickly view the role’s top 3 job titles, departments, and locations (by percentage) shared among the included identities. Note the following conditions for how attributes are displayed:

    • If none of the identities in the potential role have attributes for job title, department, or location, another attribute is displayed.

    • The attributes available depend on the way the mapping from your source is configured by the solution architect during the onboarding process.

    • If the job title, department, and location attributes show Not Applicable, it means those attributes were not mapped for any identities included in the potential role. For example, this could be the case for a potential role that includes contract workers not assigned job titles or departments.

  3. To see detailed information for a potential role, click the potential role name or Work On This Role in the Attributes view. The Composition screen for the potential role displays the role’s entitlements along with their % Popularity.

  4. Select the Identity Overview tab to see a list of all identities in the potential role and their job title, department, and location attributes. You can also select Show Chart to see distribution graphs for these identity attributes. The Identity Overview tab reflects only the identities in the original potential role discovered and does not update based on entitlement changes made in the Composition tab.

    Reviewing the Identity Overview tab is a way to double-check that the initial identities in the potential role composition should have the included entitlements.

You can further customize an individual potential role by refining the entitlements.

Refining Entitlements for a Potential Role

Refining entitlements changes the contents of the potential role data file you will export.

You should refine entitlements first in bulk and then individually.

Bulk Entitlement Exclusion

The first part of refining entitlements is to exclude all entitlements below a certain popularity threshold or all entitlements considered common access.

To exclude entitlements from a potential role in bulk:

  1. Select a potential role. The potential role opens on the Composition tab.

  2. Use the provided controls as follows:

    • Exclude Entitlements Below Popularity Threshold - This visualization allows you to see the popularity distribution of the entitlements in the potential role. Hover over different steps in the visualization to see how many entitlements fall above, at, and below different percentages of popularity.

      Use the Popularity Threshold slider to select a popularity threshold, below which entitlements will be excluded from the potential role.

      Best Practice

      To avoid entitlement proliferation, SailPoint recommends removing low-popularity entitlements (< 70%) from your role definitions.

    • Exclude Common Access - This control is enabled by default and excludes entitlements that are broadly popular (> 80%) across your entire organization.

      Best Practice

      SailPoint recommends excluding common access from your roles to focus roles more on job functions and less on access that everyone gets.

  3. Select Apply when you are finished. The Apply button becomes selectable only if you made changes.

  4. To hide the visualization section of the Composition tab, select Exclude Entitlements.

Caution

If you select Back to Potential Roles to return to the initial Potential Roles screen before exporting, all applied changes for bulk entitlement exclusion will be lost and you’ll have to repeat the steps you took to refine the entitlements in bulk for a potential role.

Individual entitlement exclusions are remembered if you select Back to Potential Roles.

Individual Entitlement Exclusion

The next part of refining entitlements is to select specific entitlements to exclude from the potential role.

To exclude specific, individual entitlements from a potential role:

  1. On the Composition tab, select the checkboxes next to the entitlements you want to exclude, or select the checkbox in the table header to exclude all entitlements in the table.

  2. Select Exclude. The selected entitlements are removed from the Composition tab and are now listed on the Excluded Entitlements tab.

To add excluded entitlements to a potential role:

  1. On the Excluded Entitlements tab, select the checkboxes next to the entitlements you want to include, or select the checkbox in the table header to include all entitlements in the table.

  2. Select Include. The selected entitlements are removed from the Excluded Entitlements tab and are now listed on the Composition tab.

When you have finished adjusting the entitlements in the potential role, you are ready to export the potential role data.

Exporting and Using Potential Role Data

  1. Click Export to save the entitlements, identities, and identity distribution data for the potential role in a ZIP file.

  2. Use the exported potential role data to share with stakeholders, evaluate your current roles, and consider new roles in IdentityNow and IdentityIQ.

Understanding Role Granularity

When initially exploring the list of potential roles after launching Role Discovery, you can click the Settings icon to modify the potential roles displayed:

  • Use the Role Granularity slider to adjust the size and specialization of the potential roles. The orange pin on the slider represents the smart default value that our AI algorithms used to discover the initial set of potential roles displayed.

  • Adjust the Minimum Number of Identities to display only the potential roles that include at least that number of identities.

  • Click Apply to update the list of potential roles based on your changes.

A lower role granularity percentage displays potential roles with broader access. Each potential role includes more identities with less entitlement similarity, so the included identities are less alike. Such roles are easier to manage, but some identities may gain access through the role that is not essential to their job function, which works against least privilege.

A higher role granularity percentage displays potential roles with more specialized access. Each potential role includes fewer identities with more entitlement similarity. Evaluating and maintaining a large number of highly specialized potential roles takes longer, but the roles fit their members more tightly, so adopting them grants less unnecessary access.
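To make the granularity trade-off concrete, the following added example groups identities by entitlement similarity with a deliberately simple greedy procedure and then shows how a similarity threshold changes the number, size and tightness of the resulting potential roles. This is not SailPoint's patented algorithm and not code from the product: treating "granularity" as a Jaccard similarity threshold, the complete-linkage grouping rule, and the sample identities are all assumptions made for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data (hypothetical): identity -> entitlements held.
ACCESS = {
    "a1": {"git", "jira", "ci"},
    "a2": {"git", "jira", "ci"},
    "a3": {"git", "jira", "ci", "deploy"},
    "a4": {"git", "jira"},
    "b1": {"erp", "ledger"},
    "b2": {"erp", "ledger", "payroll"},
    "b3": {"erp"},
    "c1": {"git", "erp"},
}


def jaccard(a, b):
    """Entitlement similarity between two identities, 0..1."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def discover(access, granularity, min_identities=1):
    """Greedy complete-linkage grouping (an illustrative stand-in).

    An identity joins the first potential role whose every member is at
    least `granularity` similar to it, otherwise it starts a new role.
    Roles with fewer than `min_identities` members are dropped, mirroring
    the Minimum Number of Identities control.
    """
    roles = []
    for ident, ents in access.items():
        for role in roles:
            if all(jaccard(ents, access[m]) >= granularity for m in role):
                role.append(ident)
                break
        else:
            roles.append([ident])
    return [r for r in roles if len(r) >= min_identities]


def role_entitlements(role, access, popularity_threshold=0.7):
    """Entitlements held by at least `popularity_threshold` of the role's members."""
    counts = Counter(e for i in role for e in access[i])
    return {e for e, c in counts.items() if c / len(role) >= popularity_threshold}


def avg_similarity(role, access):
    """Mean pairwise Jaccard within a role (a single-member role counts as 1.0)."""
    pairs = list(combinations(role, 2))
    if not pairs:
        return 1.0
    return sum(jaccard(access[x], access[y]) for x, y in pairs) / len(pairs)


def summarize(access, granularity, min_identities=1):
    """Role count, mean size and mean similarity at one granularity setting."""
    roles = discover(access, granularity, min_identities)
    if not roles:
        return {"roles": 0, "mean_size": 0, "mean_similarity": 0}
    return {
        "roles": len(roles),
        "mean_size": round(sum(map(len, roles)) / len(roles), 3),
        "mean_similarity": round(sum(avg_similarity(r, access) for r in roles) / len(roles), 3),
    }


if __name__ == "__main__":
    for g in (0.5, 0.7):
        print(f"granularity {g}:", summarize(ACCESS, g),
              [sorted(r) for r in discover(ACCESS, g)])
```

At the lower setting (0.5) the sample collapses into three broad roles; a4 lands in the engineering role even though it never held ci, so adopting that role as-is would grant a4 an entitlement it does not use. At the higher setting (0.7) a4 is split off and the role is tighter, but six roles are produced and only one survives a minimum size of two. That is the trade-off the text describes: breadth and manageability on one side, fit and least privilege on the other.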

Configuring IdentityIQ for Role Discovery

To configure IdentityIQ for Role Discovery, you will complete the following tasks:

  1. Generate client credentials in your IdentityNow tenant

  2. Import the init-ai.xml file

  3. Configure AI Services in IdentityIQ

  4. Install the Role Discovery plugin

  5. Discover potential roles in IdentityIQ

Generating Client Credentials in Your IdentityNow Tenant

To create a secure connection between IdentityIQ and the Access Modeling service, you’ll need to generate client credentials within IdentityNow and configure IdentityIQ (the client) to use them to communicate with the service.

Complete the following steps to generate a Client ID and Client Secret in your IdentityNow tenant:

  1. Log in to IdentityNow as an Administrator.

  2. From the IdentityNow Admin Dashboard, select Admin > Security Settings.

  3. Click API Management in the options on the left.

  4. Click +New to display the New API Client dialog.

  5. Enter a description for how the access token will be used.

  6. Check Client Credentials as the method you want the client to use to access the APIs.

  7. Click Create.

A Client ID and Client Secret are generated for you to use when you configure Role Discovery. Record them now and keep them in a secrets manager or other protected location: the Client Secret is a credential that grants API access to your tenant, so do not paste it into tickets, chat, or source control. You'll need both values later when you configure AI Services in IdentityIQ.

Importing the init-ai.xml File

Complete the following steps to import the init-ai.xml file in IdentityIQ:

  1. Verify that plugins.enabled=true in the WEB-INF/classes/iiq.properties file of your IdentityIQ installation. Plugins must be enabled to use Role Discovery.

  2. Log in to IdentityIQ in your browser as an administrator.

  3. Click Global Settings under the gear icon and select Import from File.

  4. Click Browse and navigate to the following directory:

    Windows: <identityiq_home>\WEB-INF\config

    UNIX: <identityiq_home>/WEB-INF/config

    where: <identityiq_home> is the directory to which you extracted the identityiq.war file during IdentityIQ installation.

  5. Select the init-ai.xml file and click Import.

  6. When the import is complete, click Done.

You may notice that the plugin for SailPoint's Recommendations service is also installed as part of this process, but access is enabled for licensed users only. Please contact your CSM for Recommendations service pricing and licensing.

Configuring AI Services in IdentityIQ

Complete the following steps to configure AI Services in IdentityIQ:

  1. From the IdentityIQ gear icon, select Global Settings > AI Services Configuration.

  2. Complete following fields with information from your IdentityIQ installation and the client credentials from your IdentityNow tenant:

    • AI Services Hostname (Example: https://<org>.api.sailpoint.com)

    • Client ID

    • Client Secret

  3. Click Test Connection to ensure that the connection information is correct and operating.

  4. Click Save.

Installing the Role Discovery Plugin

The Role Discovery plugin can be used with IdentityIQ 7.3p3 and later.

Complete the following steps to install the plugin:

  1. Obtain the Role Discovery plugin .zip file from SailPoint.

  2. From the IdentityIQ gear icon, select Plugins.

  3. Use the Plugins page to install the plugin.

  4. Click the Configure button for the Role Discovery plugin and provide the URL for the IdentityNow tenant.

    Example: https://<tenant>.identitynow.com

After AI Services and the plugin are configured, you are ready to discover roles.