Improving IdentityIQ Roles with Role Insights

Role Insights, part of Access Modeling, provides you with a greater understanding of your organization's role program, and suggests changes to your existing roles to make them more secure.

You can explore the following role insights and use them to improve the security of your existing roles in IdentityIQ:

  • Your progress toward role program benchmarks for best security practices, such as the principle of least privilege

  • Suggested entitlement additions for your current roles

  • The percentage of identities with a role that also hold a suggested entitlement

  • Lists of specific identities that would be impacted by the suggested role change

Role Insights looks for updates regularly and offers new role insights as access in your organization changes. You can check for new role insights any time to see valuable information and suggestions to keep your roles up-to-date and as secure as possible.

Role Insights can be accessed by Admins and users with the role admin user level in your IdentityNow tenant.

Before using Role Discovery and Access Modeling, ensure that all setup, connection, and configuration steps have been completed.

Role Insights Prerequisites

  • IdentityIQ customers with Access Modeling must follow the directions in Configuring IdentityIQ for Access Modeling to access Role Insights.

  • For Role Insights to be able to provide insights and suggestions, your organization must have a basic role model configured in IdentityIQ. There must be roles configured that include entitlements and are assigned to identities.

  • IdentityIQ customers with Access Modeling must sign in to their SailPoint org to access Role Insights.

Role Insights Process Overview

Each process overview step is described in detail in the sections that follow.

  1. Launch Role Insights.

  2. Select a role to investigate.

  3. Explore suggested entitlement additions and how they impact identities.

  4. Export suggested role updates and add entitlements to your organization's roles in IdentityIQ.

Understanding Role Insights

Role insights are calculated only for IdentityIQ business roles that are defined as "requestable" or "auto-assignable".

SailPoint algorithms determine the recommended entitlements to be added to a business role based on the following criteria:

  1. The organization must have entitlements that do not belong to any business role. These kinds of entitlements are usually assigned directly to individual identities.

  2. A candidate list is made of entitlements that are at least 80% popular among identities in a business role, but are not defined in the role. SailPoint Services can configure the percent popularity upon request.

  3. The candidate list is reduced to include only entitlements with sources in the business role.

The remaining entitlements are presented as role insights for your consideration.
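
The three criteria above, sketched as an added Python example (not SailPoint's implementation), together with the impacted-identities count the product reports for each suggestion. The function name, data model and sample identities are constructed for illustration, and treating criterion 1 as a per-entitlement filter is an assumption.

```python
from collections import Counter

def role_insights(roles, members, held, threshold_pct=80):
    """Return {role: [(entitlement, popularity_pct, impacted_identities), ...]}.

    roles   -- role name -> set of (source, entitlement) defined in the role
    members -- role name -> set of identities that hold the role
    held    -- identity  -> set of (source, entitlement) the identity has
    """
    # Assumed reading of criterion 1: only entitlements that belong to no
    # business role at all are eligible.
    in_some_role = set().union(*roles.values())
    insights = {}
    for role, defined in roles.items():
        ids = members.get(role, set())
        role_sources = {source for source, _ in defined}
        counts = Counter(e for i in ids for e in held.get(i, set()))
        rows = []
        for ent, n in counts.items():
            if ent in in_some_role:
                continue
            if n * 100 < threshold_pct * len(ids):   # criterion 2: popularity
                continue
            if ent[0] not in role_sources:           # criterion 3: same source
                continue
            # Role members who would newly receive the entitlement.
            impacted = sorted(i for i in ids if ent not in held.get(i, set()))
            rows.append((ent, 100 * n // len(ids), impacted))
        if rows:
            insights[role] = sorted(rows)
    return insights

# Constructed sample data (not from a real tenant).
ROLES = {"Finance Analyst": {("ERP", "gl_read")},
         "AP Clerk": {("ERP", "ap_approve")}}
MEMBERS = {"Finance Analyst": {"ana", "ben", "cy", "dee", "eli"},
           "AP Clerk": {"fay"}}
BASE = {("ERP", "gl_read"), ("ERP", "ap_approve"), ("Wiki", "editor")}
HELD = {
    "ana": BASE | {("ERP", "report_export"), ("ERP", "ap_post")},
    "ben": BASE | {("ERP", "report_export"), ("ERP", "ap_post")},
    "cy": BASE | {("ERP", "report_export"), ("ERP", "ap_post")},
    "dee": BASE | {("ERP", "report_export")},
    "eli": BASE,
    "fay": {("ERP", "ap_approve")},
}

if __name__ == "__main__":
    for role, rows in role_insights(ROLES, MEMBERS, HELD).items():
        for (source, name), pct, impacted in rows:
            print(f"{role}: add {source}/{name} ({pct}%), impacted: {impacted}")
```

In the sample, `ap_approve` is dropped because it already belongs to another role, `Wiki/editor` because the role has no entitlement on that source, and `ap_post` because only 60% of role members hold it.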

Exploring Role Insights and Entitlement Additions

Complete the following steps in your IdentityNow tenant to explore role insights:

  1. Select the Role Insights menu or the Role Insights panel on the dashboard.

    The Role Insights page provides an overview of your role program and lists roles with suggested updates.

    The top of the Role Insights page displays the status of essential benchmarks that measure the progress of your role program:

    • Access Included in Roles - The percentage of all access in your organization that is included in roles.

    • Identities with Access from Roles - The percentage of identities in your organization that have access from roles.

    The goal percentages listed for each benchmark let you know how you are progressing in your development of a more secure role program. The goal percentages are set by SailPoint based on best practices and are there for general guidance.

    In the list of Roles with Entitlement Updates, you can browse the roles with entitlement updates, or search role names or owners that start with a specific string. Numerical columns on the Role Insights page can be sorted by selecting or toggling through the sort icons: Unsorted, Descending, and Ascending.

    The Impacted Identities column shows how many identities would be affected if you decide to add the entitlement to the role. If it shows 0 impacted identities, it means that all of the identities in the role already have the suggested entitlement through other means, so the suggested entitlement should be added to the role.

  2. To explore the suggested updates for a role, select View.

    The Updates for Role_Name page lists entitlements on two tabs:

    • Entitlements to Add - This tab lists suggested entitlements that are not currently in the role. A suggested entitlement is already held by 80% of identities that hold the role, but it is not part of the role.

    • Current Entitlements - This tab lists all of the entitlements currently included in the role.

    You can browse the entitlements, or search entitlement names and descriptions that start with a specific string. You can also select the Column Chooser to customize what columns are visible, and select Export to download the suggested entitlement additions to a CSV file.

  3. On the Entitlements to Add tab, select a suggested entitlement to launch the Identity Overview page and see how it affects identities with the role.

    The Identity Overview page lists identities on two tabs:

    • Impacted Identities - This tab lists the identities with the role that currently do not have the suggested entitlement. These are the identities that will be impacted if you decide to add the suggested entitlement to the role in IdentityIQ.

    • Identities with Entitlement - This tab lists the identities with the role that currently also have the suggested entitlement.

    You can browse the identities or search display names for a specific string. You can also select the Column Chooser to customize what columns are visible.

  4. After examining insights into your organization's roles and the suggested entitlement updates, return to the Updates for Role_Name page and select Export to download suggested entitlement additions for the role to a CSV file.

    Repeat this step to export suggested entitlement additions for each role that you would like to update.

  5. Use the exported entitlement additions as a reference to update your roles in IdentityIQ.

You have completed the Role Insights process. Check Role Insights regularly for new insights into how to improve your roles as access in your organization changes.