SailPoint Access Recommendations empowers users and certifiers in your organization to make more informed access decisions. It uses peer group analysis and identity attributes to recommend access to your users and help certifiers decide whether access requests should be approved or denied.
Understanding Peer Group Analysis
Peer group analysis is a machine learning model that analyzes user data and calculates similarity based on identities and their access. A network graph representation of identity-to-identity, entitlement-based similarity is used to identify densely connected communities of identities.
SailPoint AI-Driven Identity Security uses peer group analysis to organize your identities into peer groups based on common entitlements, and simplify the creation and maintenance of a dynamic identity governance program.
Peer groups are constantly evolving with your data and are updated regularly.
Access Request Recommendations
Access request recommendations help IdentityNow end users who are struggling to find the access items they need in the Request Center. Each user is presented with their top 15 access request recommendations, enabling them to confidently request access.
Access request recommendations are generated based on the following:
- Peer group analysis
- Dense clustering based on the “Manager” identity attribute
- Recommendation threshold calculation
- Configurable access request recommendation attributes
Access request recommendations filter out access that is too common or rare across the whole organization.
Common access is access that is widespread across the organization. If users do not have this common access, it will not be recommended to them.
Access that is rare across the whole organization is filtered out. For example, if there are a small number of users with manager-only roles within the organization, that access will not be recommended even if those roles are common within their team.
Viewing Access Request Recommendations
Users can view their access request recommendations in the following ways:
- By selecting View Access Recommendations on the banner that's displayed after logging in to IdentityNow
- On the Request Center's Recommended tab
At Log In
When access request recommendations are available for a user, a banner is displayed to notify them when they log in. Select View Access Recommendations to open the Recommended tab in the Request Center.
The Recommended tab lists the user's top 15 recommended access profiles and roles. Depending on whether the access is an access profile or role, recommendations can include information about the percentage of similar teammates who have the same access and the apps associated with the access request.
Select Details on an access item to display additional information about the access.
Users can select Request to request the access or select Ignore to dismiss the recommendation.
Using Attributes with Access Request Recommendations
You can use the following attributes to fine-tune your organization's access request recommendations. Contact Professional Services to enable, disable, or change your access request recommendation attributes as needed.
By default, the access request recommendations that users see are restricted based on the location identity attribute. For example, imagine an organization has identities with location attributes of "Austin" and "Remote". If the team members look very similar according to peer group analysis, but the recommendations are restricted by location, "Austin Facilities Access" would be recommended only to identities with the location identity attribute set to "Austin".
The recommendation restriction attribute can be disabled or set to a different identity attribute that makes sense for your organization.
Organizations often bundle access that all new people joining the organization will need. If your organization already has an identity attribute that is used to designate identities as new, such as “joiner”, “newHire”, or “isNew”, a recommendation joiner attribute can be set to this existing identity attribute. SailPoint will not try to infer if an identity is new and will trust the organization's designation.
Start Date Attribute
If identities in an organization do not have new/joiner identity attributes, a different identity attribute can be designated as a start date attribute. This enables SailPoint to infer whether the identity has recently joined. The identity will be considered a joiner for 45 days after the start date.
If the identity does not have a joiner or start date attribute, the date the identity was "created" will be used.
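The precedence described above (joiner attribute, then start date attribute, then creation date) can be modeled as follows. This is an added example, not SailPoint's implementation; the identity record shape, the "startDate" attribute name, the accepted flag values, and the handling of day 45 and of future start dates are assumptions.

```python
from datetime import date, timedelta

JOINER_WINDOW = timedelta(days=45)  # window stated in the documentation

def _flag(value):
    # Assumption: the designation may be a bool or a string such as "true".
    if isinstance(value, str):
        return value.strip().lower() in {"true", "yes", "1"}
    return bool(value)

def _in_window(start, today):
    # Assumptions: day 45 still counts, and a future start date does not.
    return timedelta(0) <= today - start <= JOINER_WINDOW

def is_joiner(identity, today, joiner_attr=None, start_date_attr=None):
    """Apply the documented precedence: joiner flag, start date, created date."""
    attrs = identity.get("attributes", {})
    # 1. A configured joiner attribute is trusted as-is; nothing is inferred.
    if joiner_attr and attrs.get(joiner_attr) is not None:
        return _flag(attrs[joiner_attr])
    # 2. Otherwise infer from the configured start date attribute.
    if start_date_attr and attrs.get(start_date_attr) is not None:
        return _in_window(attrs[start_date_attr], today)
    # 3. Neither attribute is present on the identity: use its creation date.
    return _in_window(identity["created"], today)

# Constructed sample identities (not real data); "startDate" is a hypothetical
# attribute name, "isNew" is one of the names the documentation mentions.
TODAY = date(2024, 6, 30)
IDENTITIES = {
    "flagged_old": {"attributes": {"isNew": "false", "startDate": date(2024, 6, 20)},
                    "created": date(2024, 6, 20)},
    "day_45": {"attributes": {"startDate": date(2024, 5, 16)}, "created": date(2023, 1, 1)},
    "day_46": {"attributes": {"startDate": date(2024, 5, 15)}, "created": date(2024, 6, 29)},
    "no_attrs": {"attributes": {}, "created": date(2024, 6, 1)},
}

def joiners(today=TODAY):
    """Names of the sample identities treated as joiners on `today`."""
    return sorted(name for name, ident in IDENTITIES.items()
                  if is_joiner(ident, today, "isNew", "startDate"))

if __name__ == "__main__":
    print(joiners())
```

The "flagged_old" identity shows why the order matters: its start date is recent, but the organization's own designation takes precedence over any inference.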
Using Recommendations to Make Access Decisions
Certification recommendations make the access reviewers in an organization more efficient and confident when approving, revoking, or denying access.
Certification recommendations are generated based on the following:
- Peer group analysis
- The organization’s identity attributes
- Recommendation threshold calculation
Access reviewers in IdentityNow receive certification recommendations for entitlements, roles, and access profiles. Recommendations are not available for role composition or uncorrelated accounts certifications. Certification recommendations are enabled by default.
Admins and Certification Admins can control whether or not access reviewers see certification recommendations as follows:
- For campaigns from Search, disable or enable the Include Recommendations in your campaign toggle when creating a campaign.
- For manager or source owner campaigns, go to Admin > Global > System Settings > System Features and clear or select the Enable Certification Recommendations checkbox.
When reviewers and approvers are evaluating access decisions, they will see recommendation icons to help guide their decision-making process. These recommendations leverage statistical methods to automatically determine the best combination of identity attributes and machine learning outputs to inform a decision threshold for making intelligent access recommendations.
Recommendation icons appear in IdentityNow and communicate the following information:
- More than 70% of the identities in the peer group have the access.
- The access is unique within the identity's peer group, or 70% or less of the identities in the peer group have the access.
Selecting an icon displays more information about the recommendation.
If no icon is displayed, it means the identity is unique, and does not have a group of peers with similar access.
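The three outcomes described above can be reproduced against an export of peer groups and access assignments when a reviewer wants to see where an item sits relative to the 70% line. This is an added example, not SailPoint's implementation; the labels "majority" and "minority", the data shapes, and the choice to count the reviewed identity as a member of its own peer group are assumptions.

```python
PEER_THRESHOLD_PCT = 70  # "More than 70%" per the documentation

def classify(identity, access_item, peer_groups, access_by_identity):
    """Return 'majority', 'minority', or None (no icon) for one review item."""
    group = next((g for g in peer_groups if identity in g), None)
    # A unique identity has no group of peers with similar access: no icon.
    if group is None:
        return None
    # Assumption: the percentage is taken over every member of the peer
    # group, including the identity under review.
    holders = sum(1 for member in group
                  if access_item in access_by_identity.get(member, set()))
    # Integer comparison avoids float rounding at the boundary; exactly 70%
    # is "70% or less" and therefore lands in the second category.
    if holders * 100 > PEER_THRESHOLD_PCT * len(group):
        return "majority"
    return "minority"

def review_sheet(identity, peer_groups, access_by_identity):
    """Classify every access item the identity currently holds."""
    return {item: classify(identity, item, peer_groups, access_by_identity)
            for item in sorted(access_by_identity.get(identity, set()))}

# Constructed sample data: one peer group of ten identities plus one
# identity ("solo") that belongs to no peer group.
GROUP = [f"id{i}" for i in range(10)]
PEER_GROUPS = [set(GROUP)]
ACCESS = {name: set() for name in GROUP}
for name in GROUP[:8]:
    ACCESS[name].add("VPN")          # 8 of 10 = 80%
for name in GROUP[:7]:
    ACCESS[name].add("Payroll")      # 7 of 10 = exactly 70%
ACCESS["id0"].add("DB Admin")        # 1 of 10, unique within the group
ACCESS["solo"] = {"VPN"}

if __name__ == "__main__":
    print(review_sheet("id0", PEER_GROUPS, ACCESS))
    print(review_sheet("solo", PEER_GROUPS, ACCESS))
```

The "Payroll" item is the boundary case: seven of ten peers hold it, which is not more than 70%, so it falls in the same category as access that is unique within the group.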
Recommendations are provided only as guidance. Reviewers and approvers are still ultimately responsible for making access decisions.