SailPoint Access Recommendations empowers users and certifiers in your organization to make more informed access decisions.
Access Recommendations, composed of Access Request Recommendations and Certification and Approval Recommendations, uses peer group analysis and identity attributes to recommend access to your users and help certifiers decide whether access requests should be approved or denied.
IdentityNow customers with Access Recommendations receive recommendations related to certifications and access requests. Access Recommendations is available to IdentityNow customers as soon as it is enabled for their org.
IdentityIQ customers with Access Recommendations receive recommendations related to certifications and approvals. IdentityIQ customers will need to activate Access Recommendations for IdentityIQ before being able to use it.
Understanding Peer Group Analysis
Peer group analysis is a machine learning model that analyzes user data and calculates similarity based on identities and their access. A network graph representation of identity-to-identity, entitlement-based similarity is used to identify densely connected communities of identities.
The SailPoint Identity Platform uses peer group analysis in its AI Services to organize your identities into peer groups based on common entitlements, and simplify the creation and maintenance of a dynamic identity governance program.
Peer groups are constantly evolving with your data and updated on a daily basis.
Empowering Users with Access Request Recommendations
Access request recommendations help IdentityNow end users who are struggling to find the access items they need in the Request Center. Each user is presented with their top 15 access request recommendations, enabling them to confidently request access.
Access request recommendations are generated based on the following:
- Peer group analysis
- Dense clustering based on the “Manager” identity attribute
- Recommendation threshold calculation
- Configurable access request recommendation attributes
Viewing Access Request Recommendations
IdentityNow users can view their access request recommendations in the following ways:
- By selecting View Access Recommendations on the banner that's displayed after logging in to IdentityNow
- On the Request Center's Recommended for You page
- On the Request Center's Applications page
- On the Request Center's Roles page
At Log In
When access request recommendations are available for an IdentityNow user, a banner is displayed to notify them when they log in. Selecting View Access Recommendations opens the Recommended for You page in the Request Center.
Recommended for You Page
The Recommended for You page lists the user's top 15 recommended access profiles and roles. Depending on whether the access is an access profile or role, recommendations can include information about the percentage of similar teammates who have the same access and the apps associated with the access request.
Selecting an access profile or role displays additional information about the apps involved.
Request Center users can select Request to request the access, or select Ignore to dismiss the recommendation.
Applications and Roles Pages
Recommendations also appear on the Request Center's Applications and Roles pages.
Using Attributes with Access Request Recommendations
You can use the following attributes to fine-tune your organization's access request recommendations. Contact Professional Services to enable, disable, or change your access request recommendation attributes as needed.
By default, the access request recommendations that users see are restricted based on the location identity attribute. For example, imagine an organization has identities with location attributes of "Austin" and "Remote". If the team members look very similar according to peer group analysis, but the recommendations are restricted by location, "Austin Facilities Access" would be recommended only to identities with the location identity attribute set to "Austin".
The recommendation restriction attribute can be disabled or set to a different identity attribute that makes sense for your organization.
Organizations often bundle access that all new people joining the organization will need. If your organization already has an identity attribute that is used to designate identities as new, such as “joiner”, “newHire”, or “isNew”, a recommendation joiner attribute can be set to this existing identity attribute. SailPoint will not try to infer if an identity is new and will trust the organization's designation.
Start Date Attribute
If identities in an organization do not have new/joiner identity attributes, a different identity attribute can be designated as a start date attribute. This enables SailPoint to infer whether the identity has recently joined. The identity will be considered a joiner for 45 days after the start date.
If the identity does not have a joiner or start date attribute, the date the identity was "created" will be used.
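The fallback order described above (joiner attribute, then start date attribute, then created date), as an added Python sketch that is not SailPoint code. The attribute names isNew and hireDate, the inclusive 45-day boundary, and applying the same 45-day window to the created date are assumptions made for illustration.

```python
from datetime import date, timedelta

JOINER_WINDOW = timedelta(days=45)  # window stated on the page


def is_joiner(identity, today, joiner_attr=None, start_date_attr=None):
    """Decide whether an identity counts as a joiner on `today`.

    identity: dict of identity attributes; must contain "created".
    joiner_attr / start_date_attr: attribute names configured for the org
    (hypothetical names in the samples below).
    """
    # 1. An org-designated joiner flag is trusted as-is; nothing is inferred.
    if joiner_attr and joiner_attr in identity:
        return bool(identity[joiner_attr])
    # 2. Otherwise infer from the start date attribute when the identity has one.
    if start_date_attr and identity.get(start_date_attr) is not None:
        start = identity[start_date_attr]
    else:
        # 3. Fall back to the date the identity was created.
        start = identity["created"]
    # Assumption: day 45 is still inside the window, and a start date in the
    # future does not make the identity a joiner yet.
    return timedelta(0) <= today - start <= JOINER_WINDOW


# Constructed sample identities (not real data).
TODAY = date(2024, 3, 1)
FLAGGED_OFF = {"isNew": False, "created": date(2024, 2, 25)}
DAY_45 = {"hireDate": date(2024, 1, 16), "created": date(2020, 1, 1)}
DAY_46 = {"hireDate": date(2024, 1, 15), "created": date(2020, 1, 1)}
NO_ATTRS = {"created": date(2024, 2, 1)}
```

FLAGGED_OFF shows why the order matters: the identity was created five days ago, but the organization's own flag says it is not new, so the created date is never consulted.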
Using Recommendations to Make Access Decisions
Certification and approval recommendations make the access reviewers and approvers in an organization more efficient and confident when approving, revoking, or denying access.
Certification and approval recommendations are generated based on the following:
- Peer group analysis
- The organization’s identity attributes
- Recommendation threshold calculation
Access reviewers in IdentityIQ receive certification and approval recommendations for entitlements.
Access reviewers in IdentityNow receive certification recommendations for entitlements, roles, and access profiles. Recommendations are not available for role composition certifications. Certification recommendations are enabled by default.
Admins and Certification Admins can control whether or not access reviewers see certification recommendations as follows:
- For each IdentityNow certification campaign in Search > Certification Campaigns, use the toggle control to Include Recommendations in your campaign.
- To disable/enable recommendations for IdentityNow certification campaigns in Admin > Certifications, use the Enable Certification Recommendations checkbox found at Admin > Global > System Settings > System Features.
When reviewers and approvers are evaluating access decisions, they will see recommendation icons to help guide their decision-making process. These recommendations leverage statistical methods to automatically determine the best combination of identity attributes and machine learning outputs to inform a decision threshold for making intelligent access recommendations.
Recommendation icons appear differently in IdentityNow and IdentityIQ.
Recommendation icons are used to communicate the following information:
- [icon] or [icon] - More than 70% of the identities in the peer group have the access.
- [icon] or [icon] - The access is unique within the identity's peer group, or 70% or less of the identities in the peer group have the access.
Selecting an icon displays more information about the recommendation.
If no icon is displayed, it means the identity is unique, and does not have a group of peers with similar access.
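The icon rules above, worked through as an added Python example that is not SailPoint code. The peer group, identities and entitlement names are constructed sample data; counting the reviewed identity as a member of its own peer group and the triage order in review_queue are assumptions.

```python
THRESHOLD_PCT = 70  # page boundary: "more than 70%" versus "70% or less"

# Constructed data: identity -> peer group (None = unique identity, no peers).
PEER_GROUP = {f"u{i}": "pg-finance" for i in range(10)}
PEER_GROUP["solo"] = None

# Constructed data: identity -> entitlements currently held.
ACCESS = {f"u{i}": set() for i in range(10)}
for i in range(8):
    ACCESS[f"u{i}"].add("vpn")            # held by 8 of 10 peers
for i in range(7):
    ACCESS[f"u{i}"].add("git-admin")      # held by exactly 7 of 10 peers
ACCESS["u0"].add("prod-db-root")          # unique within the peer group
ACCESS["solo"] = {"vpn"}


def classify(identity, entitlement):
    """Return which of the three icon states applies to one review item."""
    group = PEER_GROUP.get(identity)
    if group is None:
        return "no_icon"                  # no peers with similar access
    members = [i for i, g in PEER_GROUP.items() if g == group]
    holders = sum(entitlement in ACCESS.get(m, set()) for m in members)
    # Integer comparison keeps the exact-70% case on the "70% or less" side
    # without relying on floating-point rounding.
    if holders * 100 > THRESHOLD_PCT * len(members):
        return "above_threshold"
    return "at_or_below_threshold"


def review_queue(items):
    """Order (identity, entitlement) pairs so outliers are reviewed first."""
    order = {"at_or_below_threshold": 0, "no_icon": 1, "above_threshold": 2}
    labelled = [(i, e, classify(i, e)) for i, e in items]
    return sorted(labelled, key=lambda row: order[row[2]])
```

The git-admin case is the boundary a reviewer should keep in mind: access held by exactly 70% of peers falls on the same side as access that is unique to one identity.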
Recommendations are provided only to help guide reviewers and approvers. They are still ultimately responsible for making access decisions.