Access Modeling

About Access Modeling

SailPoint Access Modeling, composed of Role Insights and Role Discovery, enables organizations to dynamically determine who should have access to what. Access Modeling works at scale to increase the efficiency and accuracy of your organization's access model.

Improving Roles with Role Insights

Role Insights, part of Access Modeling, provides you with a greater understanding of your organization's role program, and suggests changes to your existing roles to make them more secure.

You can explore the following role insights and use them to improve the security of your existing roles in IdentityNow and IdentityIQ:

• Your progress toward role program benchmarks for best security practices, such as the principle of least privilege

• Suggested entitlement additions for your current roles

• The percentage of identities with a role that also hold a suggested entitlement

• Lists of specific identities that would be impacted by the suggested role change

Role Insights looks for updates nightly and offers new role insights as access in your organization changes. You can check for new role insights any time to see valuable information and suggestions to keep your roles up-to-date and as secure as possible.

Role Insights can be accessed by Admins and users with the role admin user level.

Role Insights Prerequisites

• IdentityIQ customers with Access Modeling must sign in to their SailPoint org to access Role Insights.

• IdentityNow customers with Access Modeling do not need to do anything to access Role Insights.

Note

For Role Insights to be able to provide insights and suggestions, your organization must have a basic role model configured in IdentityNow or IdentityIQ. There must be roles configured that include entitlements and are assigned to identities.

Role Insights Process Overview

Each process overview step is described in detail in the sections that follow.

1. Launch Role Insights.

2. Select a role to investigate.

3. Explore suggested entitlement additions and how they impact identities.

4. Export suggested role updates and add entitlements to your organization's roles in IdentityNow and IdentityIQ.

Understanding Role Insights

Role insights are calculated only for business roles. Business roles are defined differently in IdentityNow and IdentityIQ:

• In IdentityNow, all roles are business roles. (Access profiles are not business roles.)

• In IdentityIQ, a business role is defined in its role type as "requestable” or “auto-assignable”.

Note

“Requestable” is also an attribute for roles in IdentityNow, but it is not used to determine whether or not a role is a business role like it is in IdentityIQ.

SailPoint algorithms determine the recommended entitlements to be added to a business role based on the following criteria:

1. The organization must have entitlements that do not belong to any business role. These kinds of entitlements are usually assigned directly to individual identities.

2. A candidate list of entitlements is made that are at least 80% popular among identities in a business role, but are not defined in the role. SailPoint Services can configure the percent popularity upon request.

3. The candidate list is reduced to include only entitlements with sources in the business role.

The remaining entitlements are presented as role insights for your consideration.

Exploring Role Insights and Entitlement Additions

Complete the following steps to explore role insights:

1. In the SailPoint interface, select the Role Insights dashboard panel or navigate to Admin > Access > Role Insights.

   The Role Insights page provides an overview of your role program and lists roles with suggested updates. It also includes a Role Discovery button that is a pathway to the Role Discovery feature where you can define a group of identities and discover new potential roles. For more information, refer to Discovering Roles.

   The top of the Role Insights page displays the status of essential benchmarks that measure the progress of your role program:

   • Access Included in Roles - The percentage of all access in your organization that is included in roles.

   • Identities with Access from Roles - The percentage of identities in your organization that have access from roles.

   The goal percentages listed for each benchmark let you know how you are progressing in your development of a more secure role program. The goal percentages are set by SailPoint based on best practices and are there for general guidance.

   In the list of Roles with Entitlement Updates, you can browse the roles with entitlements updates, or search role names or owners that start with a specific string. Numerical columns on the Role Insights page can be sorted by selecting or toggling through the sort icons: Unsorted , Descending , and Ascending .

   The Impacted Identities column shows how many identities would be affected if you decide to add the entitlement to the role. If it shows 0 impacted identities, it means that all of the identities in the role already have the suggested entitlement through other means, so the suggested entitlement should be added to the role.

   

2. To explore the suggested updates for a role, select View.

   The Updates for Role_Name page lists entitlements on two tabs:

   • Entitlements to Add - This tab lists suggested entitlements that are not currently in the role. A suggested entitlement is already held by 80% of identities that hold the role, but it is not part of the role.

   • Current Entitlements - This tab lists all of the entitlements currently included in the role.

   You can browse the entitlements, or search entitlement names and descriptions that start with a specific string. You can also select the Column Chooser to customize what columns are visible, and select Export to download the suggested entitlement additions to a CSV file.

   

3. On the Entitlements to Add tab, select a suggested entitlement to launch the Identity Overview page and see how it affects identities with the role.

   The Identity Overview page lists identities on two tabs:

   • Impacted Identities - This tab lists the identities with the role that currently do not have the suggested entitlement. These are the identities that will be impacted if you decide to add the suggested entitlement to the role in IdentityNow or IdentityIQ.

   • Identities with Entitlement - This tab lists the identities with the role that currently also have the suggested entitlement.

   You can browse the identities or search display names for a specific string. You can also select the Column Chooser to customize what columns are visible.

   

4. After examining insights into your organization's roles and the suggested entitlement updates, return to the Updates for Role_Name page and select Export to download suggested entitlement additions for the role to a CSV file.

   Repeat this step to export suggested entitlement additions for each role that you would like to update.

5. Use the exported entitlement additions to update your roles in IdentityNow or IdentityIQ.

You have completed the Role Insights process. Check Role Insights regularly for new insights into how to improve your roles as access in your organization changes.

Discovering Common Access

Access Modeling helps IdentityNow administrators discover and manage access that is common across an organization and not tied to a specific job function. Bundling common, or birthright, access into roles that can be assigned to large groups of employees improves your access model by enabling:

• Faster and more efficient onboarding
• Fewer access requests and certifications of non-risky items
• More relevant insights and suggestions from Role Discovery and Access Request Recommendations

Important

The entitlements included in common access roles are excluded from future Role Discovery and Access Request Recommendations processes.

IdentityNow users can discover new common access roles in the following ways:

• Confirm discovered common access roles after signing in

• Discover common access roles during role discovery

Both IdentityIQ and IdentityNow users can manually designate existing roles as common access.

Confirm Discovered Common Access Roles After Signing In

1. Sign in to IdentityNow. When SailPoint has discovered common access roles, admins receive a notification.

   

2. In the notification, select Confirm common access to see the discovered common access roles.

3. Deselect the Common Access checkbox for any roles you do not want to designate as common access.

4. Select Confirm. SailPoint will check to see if there are any more common access roles and display them.

Discover Common Access Roles During Role Discovery

IdentityNow users can select the Discover Common Access Roles option when they discover roles starting from either Role Insights or Search.

Manually Designate an Existing Role as Common Access

IdentityNow users can designate an existing role as common access on the role page (Admin > Access > Roles > <role name>) by selecting the Common Access checkbox.

IdentityIQ and IdentityNow users can both designate an existing role as common access using the IAI Common Access API.

Discovering Roles

Role Discovery, part of Access Modeling, identifies user access patterns and determines potential roles, or bundles of access, that accurately align with what users actually do in an organization.

To discover potential roles, SailPoint uses a patented network graph analysis. Entitlement-based similarities are found among the identities in an organization, and identities are organized into cluster communities, or peer groups, with similar access. This network graph enables SailPoint to detect and discover roles with least-privileged access for groups of very similar identities.

After potential roles have been discovered, users can:

• Save the role discovery session to explore and work with later.

• Save potential roles as drafts to work with later.

• Automatically create a new role in IdentityNow or IdentityIQ.

• Export potential role data and use it to evaluate the accuracy or effectiveness of their current roles and then manually create new roles that better align with the access users need.

Role Discovery Prerequisites

• IdentityIQ customers with Access Modeling must follow the directions in Configuring IdentityIQ for Access Modeling to access Role Discovery.

  Note

  If you are an IdentityIQ user, and previously installed the role-discovery-plugin.zip plugin file, make sure to install the updated access-modeling-plugin.zip plugin file available here.

• IdentityNow customers can access Role Discovery as soon as Access Modeling is enabled for their org.

Role Discovery Process Overview

Each process overview step is described in detail in the sections that follow.

1. Define a group of identities and launch Role Discovery.

2. Work with the potential role results and save the role discovery session to work on later.

3. Explore potential roles.

4. Refine the entitlements for a potential role and save the role as a draft to work on later.

5. Export the potential role data to a ZIP file for evaluating offline and manually creating new roles.

6. Automatically create a new role from a potential role.

Discovering Potential Roles

You can access Role Discovery from either IdentityNow or IdentityIQ.

New identities and entitlements added to your organization are available for Role Discovery on the following day.

Discovering Potential Roles for IdentityNow Users

IdentityNow users can launch Role Discovery from either Role Insights or Search to display potential roles based on the optimal role granularity derived from our AI algorithms.

In Role Insights:

1. Go to Admin > Access > Role Insights and select Role Discovery to launch the Define a Group of Identities page.

   

   On this page you can use the filters to define a group of identities that you expect to have shared entitlements through roles.

2. Select an attribute type and value(s) from the dropdown lists. The attribute type and value dropdown lists can each hold up to 1,000 items.

3. Select the Add filter icon to apply the filter. Multiple filters can be applied and will be combined with AND operators to narrow the number of identities.

   Caution

   Searching for dates in the Attribute Value search field will result in an error. Instead, scroll through the list and select specific date attribute values.

4. After adding filters to define a group of identities, select Discover Roles.

5. Select either Discover Common Access Roles or Discover Specialized Roles.

   Common access roles contain broad access that is common across an organization and not tied to a specific job function. Specialized roles contain access that is specific to a functional area within the organization.

   After the role discovery process completes, the Potential Roles page lists all the potential roles that were discovered.

In Search:

1. Go to Admin > Search and enter a search query.

   Search has a limit of 10,000 identities returned, so it is important to use a targeted, specific search query to narrow down the identities to groups that you want to have shared entitlements through roles. We do not recommend searching on *(all). For information on Search syntax, refer to Building a Search Query.

2. Select Role Discovery.

3. Select either Discover Common Access Roles or Discover Specialized Roles.

   Common access roles contain broad access that is common across an organization and not tied to a specific job function. Specialized roles contain access that is specific to a functional area within the organization.

The Potential Role Results page displays high-impact roles at the top of the screen along with the percentage of identities in the potential role that have similar access. High-impact roles are unique with similar access among identities and will improve your organization’s access model the most. The Potential Role Results list can be sorted by role impact, identity access similarity, number of identities, or number of entitlements.

From here, you can customize the potential roles displayed and explore individual potential roles.

Discovering Potential Roles for IdentityIQ Users

After successfully configuring IdentityIQ for Access Modeling, complete the following steps in IdentityIQ to start discovering roles:

1. Select Intelligence > Advanced Analytics, and run a search query for identities.

   For more information about queries in Advanced Analytics, refer to the IdentityIQ Product Guides or the IdentityIQ online help.

   Note

   We recommend using targeted, specific search queries to narrow down the identities to groups that you want to have shared entitlements through roles.

   When searching on *(all), there is a limit of 10,000 identities returned. We do not recommend searching on *(all).

2. Use the checkbox to Select Everything or select a subset of identities.

3. Select Role Discovery to discover potential roles based on the optimal role granularity derived from our AI algorithms.

   This redirects you to the Potential Roles page on the IdentityNow tenant that was entered during plugin configuration. If you are not already logged in to IdentityNow, you will have to enter admin credentials and authenticate first.

Working with Potential Roles Results

After launching Role Discovery from either IdentityNow or IdentityIQ, the Potential Roles Results page appears and lists the potential role results from the role discovery session.

From the Potential Role Results page, you can work with the potential roles list in the following ways:

• View session criteria
• Edit session settings
• Save the role discovery session

High-impact roles are listed at the top of the screen along with the percentage of identities in the potential role that have similar access. High-impact roles with similar access among identities are prioritized and will improve your organization’s access model the most. The potential role results can be sorted by role impact, identity access similarity, number of identities, or number of entitlements.

Viewing Session Criteria

Select Session Criteria at the top of the Potential Role Results page to view the session settings and identity filters applied to the session.

To change the identity filters, select Start a New Session to return to the Define a Group of Identities page and begin a new session.

To edit the session settings, close the Session Criteria window and then select Settings on the Potential Role Results page.

Editing Session Settings

Select Settings to modify the potential roles displayed in the list:

1. Use the Role Granularity slider to adjust the size and specialization of the potential roles. The orange pin on the slider represents the smart default value that our AI algorithms used to discover the initial set of potential roles displayed.

   A lower role granularity percentage displays potential roles with broader access. The potential roles discovered will each include higher numbers of identities with less entitlement similarity. In general, the included identities are less similar to each other. The roles are easier to manage, but it is possible that some identities might gain access that isn’t completely essential to their job function.

   A higher role granularity percentage displays potential roles with more specialized access. The potential roles discovered will each include fewer identities with more entitlement similarity. It can take longer to evaluate and maintain a large number of potential roles with higher specialization. However, the potential roles will have a higher level of relative security due to more entitlement similarity.

2. Adjust the Minimum Number of Identities to display only the potential roles that include at least that number of identities.

3. Select Apply to update the list of potential roles based on your changes.

Exploring Potential Roles

Potential roles can be explored from newly discovered potential role results, a saved role discovery session, or saved draft roles. You can explore the properties and attributes of a potential role as follows:

1. Select Attributes for any potential role to quickly view the role’s top 3 job titles, departments, and locations (by percentage) shared among the included identities. It is possible to add a fourth identity attribute with help from Professional Services.

   Note the following conditions for how attributes are displayed:

   • If none of the identities in the potential role have attributes for job title, department, or location, another attribute is displayed.

   • The attributes available depend on the way the mapping from your source is configured by the solution architect during the onboarding process.

   • If the job title, department, and location attributes show Not Applicable, it means those attributes were not mapped for any identities included in the potential role. For example, this could be the case for a potential role that includes contract workers not assigned job titles or departments.

2. To see detailed information for a potential role, select the potential role name or Work On This Role in the Attributes view. The Composition screen for the potential role displays the role’s entitlements along with their % Popularity.

   

3. Select the Identity Overview tab to display a list of all identities in the potential role and their job title, department, and location attributes. You can also select Show Chart to see distribution graphs for these identity attributes. The Identity Overview tab reflects only the identities in the original potential role discovered and does not update based on entitlement changes made in the Composition tab.

   Reviewing the Identity Overview tab is a way to double-check that the initial identities in the potential role composition should have the included entitlements.

   

You can customize an individual potential role by refining the entitlements and save the role as a draft.

Refining Entitlements for a Potential Role

You can refine the entitlements for a potential role in the IdentityNow interface. Refining entitlements changes the contents of the potential role data you will export and the roles you can automatically create in IdentityNow or IdentityIQ.

You should refine entitlements first in bulk and then individually.

Bulk Entitlement Exclusion

The first part of refining entitlements is to exclude all entitlements below a certain popularity threshold or all entitlements considered common access.

To exclude entitlements from a potential role in bulk:

1. Select a potential role. The potential role opens on the Composition tab.

   

2. Exclude entitlements below popularity threshold.

   This visualization allows you to see the popularity distribution of the entitlements in the potential role. Hover over different steps in the visualization to see how many entitlements fall above, at, and below different percentages of popularity.

   Note

   The steps in the visualization will change if you individually exclude all the entitlements in a step.

   Use the Popularity Threshold slider to select a popularity threshold, below which entitlements will be excluded from the potential role.

   Best Practice

   To avoid entitlement proliferation, SailPoint recommends removing low-popularity entitlements (< 70%) from your role definitions.

3. Select Apply when you are finished. The Apply button becomes selectable only if you made changes.

4. To hide the visualization section of the Composition tab, select the X icon. To display the visualization again, select Refine Entitlements.

   Caution

   If you select Back to Potential Roles to return to the initial Potential Roles screen before exporting or creating a new role, all applied changes for bulk entitlement exclusion will be lost and you’ll have to repeat the steps you took to refine the entitlements in bulk for a potential role.

   Individual entitlement exclusions are remembered if you select Back to Potential Roles.

   If you have made bulk entitlement exclusions, save the role as a draft to avoid losing your changes.

Individual Entitlement Exclusion

The next part of refining entitlements is to select specific entitlements to exclude from the potential role.

To exclude specific, individual entitlements from a potential role:

1. On the Composition tab, select the checkboxes next to the entitlements you want to exclude, or select the checkbox in the table header to exclude all entitlements in the table.

2. Select Exclude. The selected entitlements are removed from the Composition tab and are now listed on the Excluded Entitlements tab.

To add excluded entitlements to a potential role:

1. On the Excluded Entitlements tab, select the checkboxes next to the entitlements you want to include, or select the checkbox in the table header to include all entitlements in the table.

2. Select Include. The selected entitlements are removed from the Excluded Entitlements tab and are now listed on the Composition tab.

When you have finished adjusting the entitlements in the potential role, you are ready to export the potential role data or create a new role from the potential role.

Saving Role Discovery Sessions and Draft Roles

To allow time for thorough access model development and review, Role Discovery lets you save role discovery session results and draft roles to work on later. Saved sessions and draft roles are accessible in the left pane when you go to Admin > Access > Role Insights.

Saving Role Discovery Sessions

Saving a role discovery session allows you to return to the saved session at your convenience for further evaluation and modification.

To save a role discovery session:

1. On the Potential Role Results page, select Save Session.
2. Enter a session name and select Save.

To access your saved role discovery sessions, go to Admin > Access > Role Insights > Role Discovery Sessions. Each saved session is listed with the identity filters (search criteria) used for the session, the number of potential roles discovered, the total number of identities returned by the identity filters, who created the session, and the date created.

You can work with your saved sessions in the following ways:

• View the saved session potential role results
• Rename saved sessions
• Edit saved session settings
• Delete saved sessions

Saving Draft Roles

Saving a potential role as a draft allows you to return to the draft role at your convenience for further refinement and evaluation before implementing it in your organization.

To save a draft role:

1. On a potential role page, select Save Draft.
2. Enter a Role Name and Description.
3. If the draft role's session has not already been saved, Save Session is enabled an you will also need to enter a Session Name.
4. Select Save.

To access your saved draft roles, go to Admin > Access > Role Insights > Draft Roles. You can work with your saved draft roles in the following ways:

• View entitlements and identity attributes
• Use the Popularity Threshold slider to exclude entitlements below the selected popularity threshold
• Include and exclude individual entitlements
• Edit role details such as role name and description
• Create a new role from the saved draft role
• Delete saved draft roles

Once a draft role has been saved, the draft stays in the saved session until deleted, even if the session settings are changed in such a way that the potential role would no longer be included in the session’s results.

Exporting and Using Potential Role Data

On the potential role page in IdentityNow, select the Export Data button to save the entitlements, identities, and identity distribution data for the potential role in a ZIP file.

Use the exported potential role data to add identities or membership criteria to auto-created roles, share with stakeholders, evaluate your current roles, or manually create new roles in IdentityNow or IdentityIQ.

Creating New Roles from Potential Roles

After you have explored a potential role and customized/refined it, you can automatically create a new role in IdentityNow or IdentityIQ.

Note

Additional configuration is required to automatically create roles in IdentityIQ.

Complete the following steps:

1. On the potential role page in IdentityNow, select Create Role. The Create a New Role dialog box appears.

   

2. Fill in the information for the new role. The role name entered must be unique from other role names in your organization. If you enter an preexisting role name, you will not be able to create the role and will be prompted to choose another name.

3. IdentityNow users can select Include Identities to save the potential role's identities with the new role. Identities can also be added later from exported potential role data.

4. Select Create Role. A banner appears to inform you that the new role was successfully created.

   At this point, the newly created role is available in IdentityNow or IdentityIQ for you to work with.

   IdentityNow users can select View New Role in the success banner to go directly to the Role page for your newly created role.

Created Roles in IdentityNow

The newly created role is saved with your other roles (Admin > Access > Roles) in a disabled state without identities. You can add identities later from exported potential role data.

If you selected Include Identities, the potential role's identities are saved, and the role is saved with your other roles in an enabled, requestable state. Users that request the new role must be approved by the role owner.

The role creation process creates one or more access profiles that are included only in the new role. It also generates an AI_CREATED tag for each new role and access profile.

Optionally, you can generate a role composition certification campaign in IdentityNow so others in your organization can review the role before enablement.

1. Add identities to the new role if not already included.

2. Go to Admin > Search and enter "AI_CREATED" in the query field.

3. Start a certification campaign.

Important

If you delete a role, be sure to also delete the access profiles that were created.

To delete access profiles in IdentityNow, go to Admin > Access > Roles or Admin > Access > Access Profiles.

Deleting access profiles and roles that were already assigned to identities does not automatically remove the entitlements from those identities. For information about deprovisioning entitlements related to access profiles or roles, refer to Managing Access Profiles and Managing Roles.

Created Roles in IdentityIQ

A newly created IT role and corresponding business role are saved with your other roles (Role Management > Role Viewer) without identities. If you do not see the newly created roles, select Refresh.

You can add identities from previously exported potential role data. Verify that the new role is in your desired enabled/disabled state before adding identities.

For information about how to work with roles in IdentityIQ, refer to the IdentityIQ Product Guides or the IdentityIQ online help.