Skip to content

Access Modeling

About Access Modeling

Access Modeling, composed of Role Insights and Role Discovery, enables organizations to dynamically determine who should have access to what. Access Modeling works at scale to increase the efficiency and accuracy of your organization's access model.

Improving Roles with Role Insights

Role Insights, part of SailPoint's Access Modeling service, provides you with a greater understanding of your organization's role program, and suggests changes to your existing roles to make them more secure.

You can explore the following role insights and use them to improve the security of your existing roles in IdentityNow and IdentityIQ:

  • Your progress toward role program benchmarks for best security practices, such as the principle of least privilege

  • Suggested entitlement additions for your current roles

  • The percentage of identities with a role that also hold a suggested entitlement

  • Lists of specific identities that would be impacted by the suggested role change

Role Insights looks for updates nightly and offers new role insights as access in your organization changes. You can check for new role insights any time to see valuable information and suggestions to keep your roles up-to-date and as secure as possible.

Role Insights can be accessed by Admins and users with the role admin user level.

Prerequisites

  • IdentityIQ customers with Access Modeling must log in to their SailPoint org to access Role Insights.

  • IdentityNow customers with Access Modeling do not need to do anything to access Role Insights.

Note

For Role Insights to be able to provide insights and suggestions, your organization must have a basic role model configured in IdentityNow or IdentityIQ. There must be roles configured that include entitlements and are assigned to identities.

Process Overview

  1. Launch Role Insights.

  2. Select a role to investigate.

  3. Explore suggested entitlement additions and how they impact identities.

  4. Export suggested role updates and add entitlements to your organization's roles in IdentityNow and IdentityIQ.

Exploring Role Insights and Entitlement Additions

Complete the following steps to explore role insights:

  1. In the SailPoint interface, click the Role Insights dashboard panel or navigate to Admin > Access > Role Insights.

    The Role Insights page provides an overview of your role program and lists roles with suggested updates.

    The top of the Role Insights page displays the status of essential benchmarks that measure the progress of your role program:

    • Access Included in Roles - The percentage of all access in your organization that is included in roles.

    • Identities with Access from Roles - The percentage of identities in your organization that have access from roles.

    The goal percentages listed for each benchmark let you know how you are progressing in your development of a more secure role program. The goal percentages are set by SailPoint based on best practices and are there for general guidance.

    In the list of Roles with Entitlement Updates, you can browse the roles with entitlements updates, or search role names or owners that start with a specific string. Various columns can be sorted in Role Insights pages by clicking through , , and .

    The Impacted Identities column shows how many identities would be affected if you decide to add the entitlement to the role. If it shows 0 impacted identities, it means that all of the identities in the role already have the suggested entitlement through other means, so the suggested entitlement should be added to the role.

  2. To explore the suggested updates for a role, select View.

    The Updates for Role_Name page lists entitlements on two tabs:

    • Entitlements to Add - This tab lists suggested entitlements that are not currently in the role. A suggested entitlement is already held by 80% of identities that hold the role, but it is not part of the role.

    • Current Entitlements - This tab lists all of the entitlements currently included in the role.

    You can browse the entitlements, or search entitlement names and descriptions that start with a specific string. You can also select to customize what columns are visible, and select Export to download the suggested entitlement additions to a CSV file.

  3. On the Entitlements to Add tab, click on a suggested entitlement to launch the Identity Overview page and see how it affects identities with the role.

    The Identity Overview page lists identities on two tabs:

    • Impacted Identities - This tab lists the identities with the role that currently do not have the suggested entitlement. These are the identities that will be impacted if you decide to add the suggested entitlement to the role in IdentityNow or IdentityIQ.

    • Identities with Entitlement - This tab lists the identities with the role that currently also have the suggested entitlement.

    You can browse the identities, or search display names for a specific string. You can also select to customize what columns are visible.

  4. After examining insights into your organization's roles and the suggested entitlement updates, return to the Updates for Role_Name page and select Export to download suggested entitlement additions for the role to a CSV file.

    Repeat this step to export suggested entitlement additions for each role that you would like to update.

  5. Use the exported entitlement additions to update your roles in IdentityNow or IdentityIQ.

You have completed the Role Insights process. Check Role Insights regularly for new insights into how to improve your roles as access in your organization changes.

Discovering Common Access

SailPoint’s Access Modeling service helps IdentityNow administrators discover and manage access among your existing roles that is common across an organization and not tied to a specific job function. Bundling common, or birthright, access into roles that can be assigned to large groups of employees improves your access model by enabling:

Complete the following steps to discover, evaluate, and designate roles as common access:

  1. Log in to IdentityNow. When SailPoint has discovered common access roles, admins receive a notification at log in.

  2. In the notification, select Confirm common access to see the discovered common access roles.

  3. Deselect the Common Access checkbox for any roles you do not want to designate as common access.

  4. Select Confirm. SailPoint will check to see if there are any more common access roles and display them.

Notes

  • IdentityNow users can designate an existing role as common access on the role page (Admin > Access > Roles > <role name>).
  • IdentityIQ and IdentityNow users can designate an existing role as common access using the IAI Common Access API.

Common access roles are excluded from Access Request Recommendations.

Discovering Roles

Role Discovery, part of SailPoint's Access Modeling service, identifies user access patterns and determines potential roles, or bundles of access, that accurately align with what users actually do in an organization.

To discover potential roles, SailPoint uses a patented network graph analysis. Entitlement-based similarities are found among the identities in an organization, and identities are organized into cluster communities, or peer groups, with similar access. This network graph enables SailPoint to detect and discover roles with least-privileged access for groups of very similar identities.

After potential roles have been discovered, users can:

  • Automatically create a new role in IdentityNow or IdentityIQ.

  • Export potential role data and use it to evaluate the accuracy or effectiveness of their current roles and then manually create new roles that better align with the access users need.

Prerequisites

  • IdentityIQ customers with Access Modeling must follow the directions in Configuring IdentityIQ for Access Modeling to access Role Discovery.

    Note

    If you are an IdentityIQ user, and previously installed the role-discovery-plugin.zip plugin file, make sure to install the updated access-modeling-plugin.zip plugin file available here.

  • IdentityNow customers can access Role Discovery as soon as Access Modeling is enabled for their org.

Process Overview

  1. Enter a Search query in IdentityNow or an Advanced Analytics query in IdentityIQ.

  2. Launch Role Discovery.

  3. Customize and explore potential roles.

  4. Refine the entitlements for a potential role.

  5. Export the potential role data to a ZIP file for evaluating offline and manually creating new roles.

  6. Automatically create a new role from a potential role.

Discovering Potential Roles

You can access Role Discovery from either IdentityNow or IdentityIQ.

Note

New identities and entitlements added to your organization are available for Role Discovery on the following day.

IdentityNow Users

Complete the following steps in IdentityNow to discover potential roles:

  1. Select Search, and enter a search query. For information on Search syntax, see Building a Search Query.

    Note

    We recommend using targeted, specific search queries to narrow down the identities to groups that you want to have shared entitlements through roles.

    When searching on *(all), there is a limit of 10,000 identities returned. We do not recommend searching on *(all).

  2. Select Role Discovery to display potential roles based on the optimal role granularity derived from our AI algorithms.

    The Potential Role Results page displays high-impact roles at the top of the screen along with the percentage of identities in the potential role that have similar access. High-impact roles are unique with similar access among identities and will improve your organization’s access model the most. The Potential Role Results list can be sorted by role impact, identity access similarity, number of identities, or number of entitlements.

    From here, you can customize the potential roles displayed and explore individual potential roles.

IdentityIQ Users

After successfully configuring IdentityIQ for Access Modeling, complete the following steps in IdentityIQ to start discovering roles:

  1. Select Intelligence > Advanced Analytics, and run a search query for identities.

    For more information about queries in Advanced Analytics, refer to the IdentityIQ Product Guides or the online help in IdentityIQ.

    Note

    We recommend using targeted, specific search queries to narrow down the identities to groups that you want to have shared entitlements through roles.

    When searching on *(all), there is a limit of 10,000 identities returned. We do not recommend searching on *(all).

  2. Use the checkbox to Select Everything or select a subset of identities.

  3. Select Role Discovery to discover potential roles based on the optimal role granularity derived from our AI algorithms.

    You are now redirected to the Role Discovery page on the IdentityNow tenant that was entered during plugin configuration. If you are not already logged in to IdentityNow, you will have to enter admin credentials and authenticate first.

    The Potential Role Results page displays high-impact roles at the top of the screen along with the percentage of identities in the potential role that have similar access. High-impact roles are unique with similar access among identities and will improve your organization’s access model the most. The Potential Role Results list can be sorted by role impact, identity access similarity, number of identities, or number of entitlements.

    From here, you can customize the potential roles displayed and explore individual potential roles.

Customizing and Exploring Potential Roles

You can customize and explore potential roles in the IdentityNow interface as follows:

  1. To modify the potential roles displayed, click the Settings icon to adjust the Role Granularity and Minimum Number of Identities. See Understanding Role Granularity to learn more.

    • If the slider is not set to the orange pin, move it there. The orange pin on the Role Granularity slider represents the smart default value that our AI algorithms used to discover the initial set of potential roles displayed.

    • Click Apply to update the list of potential roles.

  2. Click on Attributes for any potential role to quickly view the role’s top 3 job titles, departments, and locations (by percentage) shared among the included identities. It is possible to add a fourth identity attribute with help from Professional Services.

    Note the following conditions for how attributes are displayed:

    • If none of the identities in the potential role have attributes for job title, department, or location, another attribute is displayed.

    • The attributes available depend on the way the mapping from your source is configured by the solution architect during the onboarding process.

    • If the job title, department, and location attributes show Not Applicable, it means those attributes were not mapped for any identities included in the potential role. For example, this could be the case for a potential role that includes contract workers not assigned job titles or departments.

  3. To see detailed information for a potential role, click the potential role name or Work On This Role in the Attributes view. The Composition screen for the potential role displays the role’s entitlements along with their % Popularity.

  4. Select the Identity Overview tab to see a list of all identities in the potential role and their job title, department, and location attributes. You can also select Show Chart to see distribution graphs for these identity attributes. The Identity Overview tab reflects only the identities in the original potential role discovered and does not update based on entitlement changes made in the Composition tab.

    Reviewing the Identity Overview tab is a way to double-check that the initial identities in the potential role composition should have the included entitlements.

You can further customize an individual potential role by refining the entitlements.

Refining Entitlements for a Potential Role

You can refine the entitlements for a potential role in the IdentityNow interface. Refining entitlements changes the contents of the potential role data you will export and the roles you can automatically create in IdentityNow or IdentityIQ.

You should refine entitlements first in bulk and then individually.

Bulk Entitlement Exclusion

The first part of refining entitlements is to exclude all entitlements below a certain popularity threshold or all entitlements considered common access.

To exclude entitlements from a potential role in bulk:

  1. Select a potential role. The potential role opens on the Composition tab.

  2. Use the provided controls as follows:

    • Exclude Entitlements Below Popularity Threshold - This visualization allows you to see the popularity distribution of the entitlements in the potential role. Hover over different steps in the visualization to see how many entitlements fall above, at, and below different percentages of popularity.

      Note

      The steps in the visualization will change if you individually exclude all the entitlements in a step.

      Use the Popularity Threshold slider to select a popularity threshold, below which entitlements will be excluded from the potential role.

      Best Practice

      To avoid entitlement proliferation, SailPoint recommends removing low-popularity entitlements (< 70%) from your role definitions.

    • Exclude Common Access - This control is enabled by default and excludes entitlements that are broadly popular (> 80%) across your entire organization.

      Best Practice

      SailPoint recommends excluding common access from your roles to focus roles more on job functions and less on access that everyone gets.

  3. Select Apply when you are finished. The Apply button becomes selectable only if you made changes.

  4. To hide the visualization section of the Composition tab, select Exclude Entitlements.

    Caution

    If you select Back to Potential Roles to return to the initial Potential Roles screen before exporting, all applied changes for bulk entitlement exclusion will be lost and you’ll have to repeat the steps you took to refine the entitlements in bulk for a potential role.

    Individual entitlement exclusions are remembered if you select Back to Potential Roles.

Individual Entitlement Exclusion

The next part of refining entitlements is to select specific entitlements to exclude from the potential role.

To exclude specific, individual entitlements from a potential role:

  1. On the Composition tab, select the checkboxes next to the entitlements you want to exclude, or select the checkbox in the table header to exclude all entitlements in the table.

  2. Select Exclude. The selected entitlements are removed from the Composition tab and are now listed on the Excluded Entitlements tab.

To add excluded entitlements to a potential role:

  1. On the Excluded Entitlements tab, select the checkboxes next to the entitlements you want to include, or select the checkbox in the table header to include all entitlements in the table.

  2. Select Include. The selected entitlements are removed from the Excluded Entitlements tab and are now listed on the Composition tab.

When you have finished adjusting the entitlements in the potential role, you are ready to export the potential role data.

Exporting and Using Potential Role Data

On the potential role page in IdentityNow, select Export Data to save the entitlements, identities, and identity distribution data for the potential role in a ZIP file.

Use the exported potential role data to add identities or membership criteria to auto-created roles, share with stakeholders, evaluate your current roles, or manually create new roles in IdentityNow or IdentityIQ.

Creating New Roles from Potential Roles

After you have explored a potential role and customized/refined it, you can automatically create a new role in IdentityNow or IdentityIQ.

Note

Additional configuration is required to automatically create roles in IdentityIQ.

Complete the following steps:

  1. On the potential role page in IdentityNow, select Create Role. The Create a New Role dialog box appears.

  2. Fill in the information for the new role. Role names must be unique from other role names in your organization.

  3. Select Create Role. A banner appears to inform you that the new role was successfully created.

    At this point, the newly created role is available in IdentityNow or IdentityIQ for you to work with.

    IdentityNow users can select View New Role in the success banner to go directly to the Role page for your newly created role.

IdentityNow Users

The newly created role is saved with your other roles (Admin > Access > Roles) in a disabled state without membership criteria. You can add membership criteria from exported potential role data.

The role creation process creates one or more access profiles that are included only in the new role. It also generates an AI_CREATED tag for each new role and access profile.

Important

If you delete a role, be sure to also delete the access profiles that were created.

To delete roles and access profiles in IdentityNow, go to Admin > Access > Roles or Admin > Access > Access Profiles.

Optionally, you can generate a role composition certification campaign in IdentityNow so others in your organization can review the role before enablement.

  1. Enter membership criteria in the new role, if you haven't already.

  2. Go to Admin > Search and enter "AI_CREATED" in the query field.

  3. Start a certification campaign.

IdentityIQ Users

A newly created IT role and corresponding business role are saved with your other roles (Role Management > Role Viewer) without identities. If you do not see the newly created roles, select Refresh.

You can add identities from previously exported potential role data. Verify that the new role is in your desired enabled/disabled state before adding identities.

For information about how to work with roles in IdentityIQ, refer to the IdentityIQ Product Guides or the online help in IdentityIQ.

Understanding Role Granularity

When initially exploring the list of potential roles after launching Role Discovery, you can click the Settings icon to modify the potential roles displayed:

  • Use the Role Granularity slider to adjust the size and specialization of the potential roles. The orange pin on the slider represents the smart default value that our AI algorithms used to discover the initial set of potential roles displayed.

  • Adjust the Minimum Number of Identities to display only the potential roles that include at least that number of identities.

  • Click Apply to update the list of potential roles based on your changes.

A lower role granularity percentage displays potential roles with broader access. The potential roles discovered will each include higher numbers of identities with less entitlement similarity. In general, the included identities are less similar to each other. The roles are easier to manage, but it is possible that some identities might gain access that isn’t completely essential to their job function.

A higher role granularity percentage displays potential roles with more specialized access. The potential roles discovered will each include fewer identities with more entitlement similarity. It can take longer to evaluate and maintain a large number of potential roles with higher specialization. However, the potential roles will have a higher level of relative security due to more entitlement similarity.

Configuring IdentityIQ for Access Modeling

To configure IdentityIQ for Access Modeling, you will complete the following tasks:

  1. Generate client credentials in your IdentityNow tenant

  2. Import the init-ai.xml file

  3. Configure AI Services in IdentityIQ

  4. Install the Access Modeling plugin

  5. Configure automatic role creation

Generating Client Credentials in Your IdentityNow Tenant

To create a secure connection between IdentityIQ and the Access Modeling service, you’ll need to generate client credentials within IdentityNow and configure IdentityIQ (the client) to use them to communicate with the service.

Complete the following steps to generate a Client ID and Client Secret in your IdentityNow tenant:

  1. Log in to IdentityNow as an Administrator.

  2. From the IdentityNow Admin Dashboard, select Admin > Security Settings.

  3. Click API Management in the options on the left.

  4. Click +New to display the New API Client dialog.

  5. Enter a description for how the access token will be used.

  6. Check Client Credentials as the method you want the client to use to access the APIs.

  7. Click Create.

A Client ID and Client Secret are generated for you to use when you configure Access Modeling. Save these offline. You’ll need them later when you configure AI Services in IdentityIQ.

Importing the init-ai.xml File

Complete the following steps to import the init-ai.xml file in IdentityIQ:

  1. Verify that plugins.enabled=true in the WEB-INF/classes/iiq.properties file of your IdentityIQ installation. Plugins must be enabled to use Access Modeling.

  2. Log on to your browser instance of IdentityIQ as an administrator.

  3. Click Global Settings under the gear icon and select Import from File.

  4. Click Browse and navigate to the following directory:

    Windows: <identityiq_home>\WEB-INF\config

    UNIX: <identityiq_home>/WEB-INF/config

    where: <identityiq_home> is the directory to which you extracted the identityiq.war file during IdentityIQ installation.

  5. Select the init-ai.xml file and click Import.

  6. When the import is complete, click Done.

You may notice that the plugin for SailPoint's Recommendations service is also installed as part of this process, but access is enabled for licensed users only. Please contact your CSM for Recommendations service pricing and licensing.

Configuring AI Services in IdentityIQ

Complete the following steps to configure AI Services in IdentityIQ:

  1. From the IdentityIQ gear icon, select Global Settings > AI Services Configuration.

  2. Complete following fields with information from your IdentityIQ installation and the client credentials from your IdentityNow tenant:

    • AI Services Hostname (Example: https://<org>.api.sailpoint.com)
    • Client ID
    • Client Secret
  3. Click Test Connection to ensure that the connection information is correct and operating.

  4. Click Save.

Installing the Access Modeling Plugin

The Access Modeling plugin can be used with IdentityIQ 7.3p3 and later.

Complete the following steps to install the plugin:

  1. Get the Access Modeling plugin .zip file available here.

  2. From the IdentityIQ gear icon, select Plugins.

  3. Use the Plugins page to install the plugin.

  4. Click the Configure button for the Access Modeling plugin and provide the URL for the IdentityNow tenant.

    Example: https://<tenant>.identitynow.com

Configuring Automatic Role Creation in IdentityIQ

To be able to automatically create a new role in IdentityIQ, there is some additional configuration required. Contact Professional Services for help with this.

After successfully configuring AI Services, you are now ready to discover roles and explore role insights.