
Access Modeling

About Access Modeling

Access Modeling, composed of Role Insights and Role Discovery, enables organizations to dynamically determine who should have access to what. Access Modeling works at scale to increase the efficiency and accuracy of your organization's access model.

Improving Roles with Role Insights

Role Insights, part of SailPoint's Access Modeling service, provides you with a greater understanding of your organization's role program, and suggests changes to your existing roles to make them more secure.

You can explore the following role insights and use them to improve the security of your existing roles in IdentityNow and IdentityIQ:

  • Your progress toward role program benchmarks for best security practices, such as the principle of least privilege

  • Suggested entitlement additions for your current roles

  • The percentage of identities with a role that also hold a suggested entitlement

  • Lists of specific identities that would be impacted by the suggested role change

Role Insights looks for updates nightly and offers new role insights as access in your organization changes. You can check for new role insights any time to see valuable information and suggestions to keep your roles up-to-date and as secure as possible.

Role Insights can be accessed by Admins and users with the role admin user level.

Prerequisites

  • IdentityIQ customers with Access Modeling must log in to their SailPoint org to access Role Insights.

  • IdentityNow customers with Access Modeling do not need to do anything to access Role Insights.

Note

For Role Insights to be able to provide insights and suggestions, your organization must have a basic role model configured in IdentityNow or IdentityIQ. There must be roles configured that include entitlements and are assigned to identities.

Process Overview

Each process overview step is described in detail in the sections that follow.

  1. Launch Role Insights.

  2. Select a role to investigate.

  3. Explore suggested entitlement additions and how they impact identities.

  4. Export suggested role updates and add entitlements to your organization's roles in IdentityNow and IdentityIQ.

Understanding Role Insights

Role insights are calculated only for business roles. Business roles are defined differently in IdentityNow and IdentityIQ:

  • In IdentityNow, all roles are business roles. (Access profiles are not business roles.)

  • In IdentityIQ, a business role is defined in its role type as "requestable" or "auto-assignable".

Note

"Requestable" is also an attribute for roles in IdentityNow, but it is not used to determine whether or not a role is a business role like it is in IdentityIQ.

SailPoint algorithms determine the recommended entitlements to be added to a business role based on the following criteria:

  1. The organization must have entitlements that do not belong to any business role. These kinds of entitlements are usually assigned directly to individual identities.

  2. A candidate list is made of entitlements that are held by at least 80% of the identities in a business role but are not defined in the role. SailPoint Services can configure the percent popularity upon request.

  3. The candidate list is reduced to include only entitlements with sources in the business role.

The remaining entitlements are presented as role insights for your consideration.
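The three criteria above, worked through on a small constructed dataset. This is an added example and not SailPoint's code; it assumes roles, identities and entitlements as plain Python dicts and sets, an entitlement identified by a (source, name) pair, and that a role "has a source" when at least one of its own entitlements comes from that source. It also reports the impacted identities and the identities that already hold the entitlement, as the Role Insights pages do.

```python
# Added example (not SailPoint's code): the three role-insight criteria,
# worked on a constructed dataset. Assumptions (mine): roles, identities and
# entitlements are plain dicts/sets; an entitlement is a (source, name) tuple;
# a role "has a source" when one of its own entitlements comes from that source.
from collections import Counter

# Constructed roles: only business roles receive insights.
ROLES = {
    "Finance Analyst": {"business": True,
                        "entitlements": {("AD", "FIN-Users"), ("SAP", "GL-Read")}},
    "All Employees":   {"business": True,
                        "entitlements": {("AD", "Domain Users")}},
}

# Constructed identities: name -> (roles held, entitlements actually held).
FIN_BASE = {("AD", "FIN-Users"), ("SAP", "GL-Read"), ("SAP", "AR-View"),
            ("AD", "Domain Users")}
EXTRA = {("SAP", "AP-Post"), ("Jira", "FIN-Board")}   # held directly, not via a role
IDENTITIES = {
    "alice": ({"Finance Analyst", "All Employees"}, FIN_BASE | EXTRA),
    "bob":   ({"Finance Analyst", "All Employees"}, FIN_BASE | EXTRA),
    "carol": ({"Finance Analyst", "All Employees"}, FIN_BASE | EXTRA),
    "dave":  ({"Finance Analyst", "All Employees"}, FIN_BASE | EXTRA),
    "erin":  ({"Finance Analyst", "All Employees"}, FIN_BASE),
    "frank": ({"All Employees"}, {("AD", "Domain Users"), ("SAP", "AP-Post")}),
}


def role_insights(role_name, roles=ROLES, identities=IDENTITIES, min_popularity=0.80):
    """Return suggested entitlement additions for one business role.

    min_popularity is the 80% default; the page says SailPoint Services can
    change it on request, so it is a parameter here.
    """
    role = roles[role_name]
    if not role["business"]:
        return []                       # insights exist only for business roles
    members = [i for i, (held, _) in identities.items() if role_name in held]
    if not members:
        return []
    # Criterion 1: candidates must belong to no business role at all.
    in_business_role = set().union(
        *(r["entitlements"] for r in roles.values() if r["business"]))
    # Criterion 2: popularity among the role's members must reach the threshold.
    counts = Counter(e for m in members for e in identities[m][1])
    # Criterion 3: keep only sources the role already draws entitlements from.
    role_sources = {src for src, _ in role["entitlements"]}
    insights = []
    for ent, n in counts.items():
        popularity = n / len(members)
        if (ent in in_business_role or popularity < min_popularity
                or ent[0] not in role_sources):
            continue
        # Impacted identities: members who would gain the entitlement via the role.
        impacted = sorted(m for m in members if ent not in identities[m][1])
        insights.append({"entitlement": ent, "popularity": popularity,
                         "identities_with_entitlement": n,
                         "impacted_identities": impacted})
    return sorted(insights, key=lambda r: (-r["popularity"], r["entitlement"]))


if __name__ == "__main__":
    for row in role_insights("Finance Analyst"):
        print(row)
```

In this data, (SAP, AR-View) is held by every member, so it is suggested with zero impacted identities, while (Jira, FIN-Board) reaches 80% but is dropped because the role has no Jira entitlements.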

Exploring Role Insights and Entitlement Additions

Complete the following steps to explore role insights:

  1. In the SailPoint interface, select the Role Insights dashboard panel or navigate to Admin > Access > Role Insights.

    The Role Insights page provides an overview of your role program and lists roles with suggested updates. It also includes a Role Discovery button that is a pathway to the Role Discovery feature where you can define a group of identities and discover new potential roles. For more information, refer to Discovering Roles.

    The top of the Role Insights page displays the status of essential benchmarks that measure the progress of your role program:

    • Access Included in Roles - The percentage of all access in your organization that is included in roles.

    • Identities with Access from Roles - The percentage of identities in your organization that have access from roles.

    The goal percentages listed for each benchmark let you know how you are progressing in your development of a more secure role program. The goal percentages are set by SailPoint based on best practices and are there for general guidance.

    In the list of Roles with Entitlement Updates, you can browse the roles with entitlement updates, or search role names or owners that start with a specific string. Numerical columns on the Role Insights page can be sorted by selecting or toggling through the sort icons: Unsorted, Descending, and Ascending.

    The Impacted Identities column shows how many identities would be affected if you decide to add the entitlement to the role. If it shows 0 impacted identities, all of the identities in the role already hold the suggested entitlement through other means, so adding it to the role grants no new access and only formalizes access that already exists; the suggested entitlement should be added to the role.


  2. To explore the suggested updates for a role, select View.

    The Updates for Role_Name page lists entitlements on two tabs:

    • Entitlements to Add - This tab lists suggested entitlements that are not currently in the role. A suggested entitlement is already held by 80% of identities that hold the role, but it is not part of the role.

    • Current Entitlements - This tab lists all of the entitlements currently included in the role.

    You can browse the entitlements, or search entitlement names and descriptions that start with a specific string. You can also select the Column Chooser to customize what columns are visible, and select Export to download the suggested entitlement additions to a CSV file.

  3. On the Entitlements to Add tab, select a suggested entitlement to launch the Identity Overview page and see how it affects identities with the role.

    The Identity Overview page lists identities on two tabs:

    • Impacted Identities - This tab lists the identities with the role that currently do not have the suggested entitlement. These are the identities that will be impacted if you decide to add the suggested entitlement to the role in IdentityNow or IdentityIQ.

    • Identities with Entitlement - This tab lists the identities with the role that currently also have the suggested entitlement.

    You can browse the identities or search display names for a specific string. You can also select the Column Chooser to customize what columns are visible.

  4. After examining insights into your organization's roles and the suggested entitlement updates, return to the Updates for Role_Name page and select Export to download suggested entitlement additions for the role to a CSV file.

    Repeat this step to export suggested entitlement additions for each role that you would like to update.

  5. Use the exported entitlement additions to update your roles in IdentityNow or IdentityIQ.

You have completed the Role Insights process. Check Role Insights regularly for new insights into how to improve your roles as access in your organization changes.

Discovering Common Access

SailPoint’s Access Modeling service helps IdentityNow administrators discover and manage access among your existing roles that is common across an organization and not tied to a specific job function. Bundling common, or birthright, access into roles that can be assigned to large groups of employees improves your access model by enabling:

Complete the following steps to discover, evaluate, and designate roles as common access:

  1. Log in to IdentityNow. When SailPoint has discovered common access roles, admins receive a notification at log in.

  2. In the notification, select Confirm common access to see the discovered common access roles.

  3. Deselect the Common Access checkbox for any roles you do not want to designate as common access.

  4. Select Confirm. SailPoint will check to see if there are any more common access roles and display them.

Notes

  • IdentityNow users can designate an existing role as common access on the role page (Admin > Access > Roles > <role name>).
  • IdentityIQ and IdentityNow users can designate an existing role as common access using the IAI Common Access API.

Common access roles are excluded from Access Request Recommendations.

Discovering Roles

Role Discovery, part of SailPoint's Access Modeling service, identifies user access patterns and determines potential roles, or bundles of access, that accurately align with what users actually do in an organization.

To discover potential roles, SailPoint uses a patented network graph analysis. Entitlement-based similarities are found among the identities in an organization, and identities are organized into cluster communities, or peer groups, with similar access. This network graph enables SailPoint to detect and discover roles with least-privileged access for groups of very similar identities.

After potential roles have been discovered, users can:

  • Save the role discovery session to explore and work with later.

  • Automatically create a new role in IdentityNow or IdentityIQ.

  • Export potential role data and use it to evaluate the accuracy or effectiveness of their current roles and then manually create new roles that better align with the access users need.

Prerequisites

  • IdentityIQ customers with Access Modeling must follow the directions in Configuring IdentityIQ for Access Modeling to access Role Discovery.

    Note

    If you are an IdentityIQ user, and previously installed the role-discovery-plugin.zip plugin file, make sure to install the updated access-modeling-plugin.zip plugin file available here.

  • IdentityNow customers can access Role Discovery as soon as Access Modeling is enabled for their org.

Process Overview

Each process overview step is described in detail in the sections that follow.

  1. Define a group of identities and launch Role Discovery.

  2. Work with the potential role list and save the role discovery session.

  3. Explore potential roles.

  4. Refine the entitlements for a potential role.

  5. Export the potential role data to a ZIP file for evaluating offline and manually creating new roles.

  6. Automatically create a new role from a potential role.

Discovering Potential Roles

You can access Role Discovery from either IdentityNow or IdentityIQ.

New identities and entitlements added to your organization are available for Role Discovery on the following day.

IdentityNow Users

IdentityNow users can launch Role Discovery from either Role Insights or Search to display potential roles based on the optimal role granularity derived from our AI algorithms.

In Role Insights:

  1. Navigate to Admin > Access > Role Insights and select Discover Roles.

  2. On the Define a Group of Identities page, use the filters to define a group of identities that you expect to have shared entitlements through roles. After selecting an attribute name and value(s), select the Add filter icon to apply the filter.

    The attribute type and value dropdown lists can each hold up to 1,000 items.

    Caution

    Searching for dates in the Attribute Value search field will result in an error. Instead, scroll through the list and select specific date attribute values.

  3. After defining a group of identities, select Discover Roles.

    After the role discovery process completes, the Potential Roles page lists all the potential roles that were discovered.

In Search:

  1. Navigate to Admin > Search and enter a search query.

    Search has a limit of 10,000 identities returned, so it is important to use a targeted, specific search query to narrow down the identities to groups that you want to have shared entitlements through roles. We do not recommend searching on *(all). For information on Search syntax, refer to Building a Search Query.

  2. Select Role Discovery.

    After the role discovery process completes, the Potential Roles page lists all the potential roles that were discovered.

IdentityIQ Users

After successfully configuring IdentityIQ for Access Modeling, complete the following steps in IdentityIQ to start discovering roles:

  1. Select Intelligence > Advanced Analytics, and run a search query for identities.

    For more information about queries in Advanced Analytics, refer to the IdentityIQ Product Guides or the IdentityIQ online help.

    Note

    We recommend using targeted, specific search queries to narrow down the identities to groups that you want to have shared entitlements through roles.

    When searching on *(all), there is a limit of 10,000 identities returned. We do not recommend searching on *(all).

  2. Use the checkbox to Select Everything or select a subset of identities.

  3. Select Role Discovery to discover potential roles based on the optimal role granularity derived from our AI algorithms.

    This redirects you to the Potential Roles page on the IdentityNow tenant that was entered during plugin configuration. If you are not already logged in to IdentityNow, you will have to enter admin credentials and authenticate first.

Working with the Potential Roles List

After launching Role Discovery from either IdentityNow or IdentityIQ, the Potential Roles page appears and lists the potential roles that were discovered.

From the Potential Roles page, you can work with the potential roles list in the following ways:

  • Edit identity filters
  • Adjust the role granularity
  • Save the role discovery session

High-impact roles are listed at the top of the screen along with the percentage of identities in the potential role that have similar access. High-impact roles with similar access among identities are prioritized and will improve your organization’s access model the most. The Potential Roles list can be sorted by role impact, identity access similarity, number of identities, or number of entitlements.

Editing Identity Filters

The identity filters listed at the top of a Potential Roles list or previously saved session are a selectable link. You can view or edit identity filters as follows:

  1. Select the linked Identity Filters at the top of the page.

    The Session Identity Filters page lists all identity filters that were applied to the role discovery session.

  2. Select Edit Identity Filters to return to the Define a Group of Identities page and modify the identity filters.

  3. Select Discover Roles to run role discovery again with the modified identity filters.

Adjusting Role Granularity

Select Settings to modify the potential roles displayed in the list:

  1. Use the Role Granularity slider to adjust the size and specialization of the potential roles. The orange pin on the slider represents the smart default value that our AI algorithms used to discover the initial set of potential roles displayed.

    A lower role granularity percentage displays potential roles with broader access. The potential roles discovered will each include higher numbers of identities with less entitlement similarity. In general, the included identities are less similar to each other. The roles are easier to manage, but it is possible that some identities might gain access that isn’t completely essential to their job function.

    A higher role granularity percentage displays potential roles with more specialized access. The potential roles discovered will each include fewer identities with more entitlement similarity. It can take longer to evaluate and maintain a large number of potential roles with higher specialization. However, the potential roles will have a higher level of relative security due to more entitlement similarity.

  2. Adjust the Minimum Number of Identities to display only the potential roles that include at least that number of identities.

  3. Select Apply to update the list of potential roles based on your changes.

Saving Role Discovery Sessions

Select Save Session to save the list of potential roles so you can work with it later.

To access your saved sessions later, select Admin > Access > Role Insights > Role Discovery Sessions.

Exploring Potential Roles

On an initial Potential Roles page or in a saved role discovery session, you can explore the properties and attributes of individual potential roles as follows:

  1. Select Attributes for any potential role to quickly view the role’s top 3 job titles, departments, and locations (by percentage) shared among the included identities. It is possible to add a fourth identity attribute with help from Professional Services.

    Note the following conditions for how attributes are displayed:

    • If none of the identities in the potential role have attributes for job title, department, or location, another attribute is displayed.

    • The attributes available depend on the way the mapping from your source is configured by the solution architect during the onboarding process.

    • If the job title, department, and location attributes show Not Applicable, it means those attributes were not mapped for any identities included in the potential role. For example, this could be the case for a potential role that includes contract workers not assigned job titles or departments.

  2. To see detailed information for a potential role, select the potential role name or Work On This Role in the Attributes view. The Composition screen for the potential role displays the role’s entitlements along with their % Popularity.

  3. Select the Identity Overview tab to display a list of all identities in the potential role and their job title, department, and location attributes. You can also select Show Chart to see distribution graphs for these identity attributes. The Identity Overview tab reflects only the identities in the original potential role discovered and does not update based on entitlement changes made in the Composition tab.

    Reviewing the Identity Overview tab is a way to double-check that the initial identities in the potential role composition should have the included entitlements.

You can customize an individual potential role by refining the entitlements.

Refining Entitlements for a Potential Role

You can refine the entitlements for a potential role in the IdentityNow interface. Refining entitlements changes the contents of the potential role data you will export and the roles you can automatically create in IdentityNow or IdentityIQ.

You should refine entitlements first in bulk and then individually.

Bulk Entitlement Exclusion

The first part of refining entitlements is to exclude all entitlements below a certain popularity threshold or all entitlements considered common access.

To exclude entitlements from a potential role in bulk:

  1. Select a potential role. The potential role opens on the Composition tab.

  2. Use the provided controls as follows:

    • Exclude Entitlements Below Popularity Threshold - This visualization allows you to see the popularity distribution of the entitlements in the potential role. Hover over different steps in the visualization to see how many entitlements fall above, at, and below different percentages of popularity.

      Note

      The steps in the visualization will change if you individually exclude all the entitlements in a step.

      Use the Popularity Threshold slider to select a popularity threshold, below which entitlements will be excluded from the potential role.

      Best Practice

      To avoid entitlement proliferation, SailPoint recommends removing low-popularity entitlements (< 70%) from your role definitions.

    • Exclude Common Access - This control is enabled by default and excludes entitlements that are broadly popular (> 50%) across your entire organization.

      Best Practice

      SailPoint recommends excluding common access from your roles to focus roles more on job functions and less on access that everyone gets.

  3. Select Apply when you are finished. The Apply button becomes selectable only if you made changes.

  4. To hide the visualization section of the Composition tab, select the X icon. To display the visualization again, select Refine Entitlements.

    Caution

    If you select Back to Potential Roles to return to the initial Potential Roles screen before exporting, all applied changes for bulk entitlement exclusion will be lost and you’ll have to repeat the steps you took to refine the entitlements in bulk for a potential role.

    Individual entitlement exclusions are remembered if you select Back to Potential Roles.

Individual Entitlement Exclusion

The next part of refining entitlements is to select specific entitlements to exclude from the potential role.

To exclude specific, individual entitlements from a potential role:

  1. On the Composition tab, select the checkboxes next to the entitlements you want to exclude, or select the checkbox in the table header to exclude all entitlements in the table.

  2. Select Exclude. The selected entitlements are removed from the Composition tab and are now listed on the Excluded Entitlements tab.

To add excluded entitlements to a potential role:

  1. On the Excluded Entitlements tab, select the checkboxes next to the entitlements you want to include, or select the checkbox in the table header to include all entitlements in the table.

  2. Select Include. The selected entitlements are removed from the Excluded Entitlements tab and are now listed on the Composition tab.

When you have finished adjusting the entitlements in the potential role, you are ready to export the potential role data or create a new role from the potential role.
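The bulk exclusion controls (popularity threshold and common access) and the individual exclude/include steps above, as an added example that is not SailPoint's code. It assumes constructed identities and entitlements, % Popularity computed over the identities in the potential role, and common access defined as any entitlement held by more than 50% of all identities in the org; the individual exclusion set is kept separately from the bulk settings, matching the caution above about which changes survive leaving the page.

```python
# Added example (not SailPoint's code): bulk and individual entitlement
# refinement for a potential role, on constructed data. Assumptions (mine):
# % Popularity is the share of the potential role's identities holding an
# entitlement; "common access" is anything held by more than 50% of all
# identities in the org; individual exclusions live in a separate set that
# survives leaving the page, while the bulk settings are re-applied each time.
from collections import Counter

COMMON = {("AD", "Domain Users"), ("Okta", "Email")}
DEV = {("GitLab", "dev-team"), ("Jira", "dev-project")}
ORG = {  # constructed: identity -> entitlements held, as (source, name)
    "alice": COMMON | DEV | {("AWS", "dev-readonly"), ("AWS", "prod-admin")},
    "bob":   COMMON | DEV | {("AWS", "dev-readonly"), ("AWS", "prod-admin")},
    "carol": COMMON | DEV | {("AWS", "dev-readonly")},
    "dave":  COMMON | DEV | {("AWS", "dev-readonly")},
    "erin":  COMMON | DEV,
    "frank": COMMON | {("Jira", "dev-project")},
    "grace": COMMON | {("Jira", "dev-project")},
    "heidi": COMMON, "ivan": COMMON, "judy": COMMON,
}
POTENTIAL_ROLE = ["alice", "bob", "carol", "dave", "erin"]  # discovered peer group


def popularity(identities, org=ORG):
    """entitlement -> fraction of the given identities holding it."""
    counts = Counter(e for i in identities for e in org[i])
    return {e: n / len(identities) for e, n in counts.items()}


def popularity_steps(members, threshold, org=ORG):
    """Counts of entitlements above, at and below the threshold (the figures
    shown when hovering over a step of the popularity visualization)."""
    pops = list(popularity(members, org).values())
    return (sum(p > threshold for p in pops), sum(p == threshold for p in pops),
            sum(p < threshold for p in pops))


def refine(members, threshold=0.70, exclude_common=True, excluded=frozenset(), org=ORG):
    """Return (composition, dropped): kept entitlements with their popularity,
    and dropped entitlements with the reason they left the composition."""
    in_role = popularity(members, org)
    org_wide = popularity(list(org), org)
    composition, dropped = {}, {}
    for ent, pop in in_role.items():
        if ent in excluded:                              # individual exclusion
            dropped[ent] = "excluded individually"
        elif pop < threshold:                            # bulk: popularity threshold
            dropped[ent] = "below popularity threshold"
        elif exclude_common and org_wide[ent] > 0.5:     # bulk: common access
            dropped[ent] = "common access"
        else:
            composition[ent] = pop
    return composition, dropped


if __name__ == "__main__":
    kept, gone = refine(POTENTIAL_ROLE)
    print("composition:", kept)
    print("dropped:", gone)
```

With the defaults, (AWS, prod-admin) leaves the composition because only 40% of the peer group holds it, and (Jira, dev-project) leaves as common access even though every member holds it, since 70% of the whole org does too.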

Exporting and Using Potential Role Data

On the potential role page in IdentityNow, select the Export Data button to save the entitlements, identities, and identity distribution data for the potential role in a ZIP file.

Use the exported potential role data to add identities or membership criteria to auto-created roles, share with stakeholders, evaluate your current roles, or manually create new roles in IdentityNow or IdentityIQ.

Creating New Roles from Potential Roles

After you have explored and refined a potential role, you can automatically create a new role in IdentityNow or IdentityIQ.

Note

Additional configuration is required to automatically create roles in IdentityIQ.

Complete the following steps:

  1. On the potential role page in IdentityNow, select Create Role. The Create a New Role dialog box appears.

  2. Fill in the information for the new role. The role name you enter must be different from every other role name in your organization. If you enter a preexisting role name, you will not be able to create the role and will be prompted to choose another name.

  3. IdentityNow users can select Include Identities to save membership criteria with the new role. Membership criteria can also be added later from exported potential role data.

  4. Select Create Role. A banner appears to inform you that the new role was successfully created.

    At this point, the newly created role is available in IdentityNow or IdentityIQ for you to work with.

    IdentityNow users can select View New Role in the success banner to go directly to the Role page for your newly created role.

IdentityNow Users

The newly created role is saved with your other roles (Admin > Access > Roles) in a disabled state without membership criteria. You can add identities from exported potential role data.

If you selected Include Identities, membership criteria are included, and the role is saved with your other roles in an enabled, requestable state. Users who request the new role must be approved by the role owner.

The role creation process creates one or more access profiles that are included only in the new role. It also generates an AI_CREATED tag for each new role and access profile.

Important

If you delete a role, be sure to also delete the access profiles that were created.

To delete roles and access profiles in IdentityNow, go to Admin > Access > Roles or Admin > Access > Access Profiles.

Optionally, you can generate a role composition certification campaign in IdentityNow so others in your organization can review the role before enablement.

  1. Enter membership criteria in the new role, if you haven't already.

  2. Go to Admin > Search and enter "AI_CREATED" in the query field.

  3. Start a certification campaign.

IdentityIQ Users

A newly created IT role and corresponding business role are saved with your other roles (Role Management > Role Viewer) without identities. If you do not see the newly created roles, select Refresh.

You can add identities from previously exported potential role data. Verify that the new role is in your desired enabled/disabled state before adding identities.

For information about how to work with roles in IdentityIQ, refer to the IdentityIQ Product Guides or the IdentityIQ online help.