SailPoint's Recommendations service empowers users and certifiers in your organization to make more informed access decisions.
The Recommendations service, composed of Access Request Recommendations and Certification and Approval Recommendations, uses peer group analysis and identity attributes to recommend access to your users and help certifiers decided whether access requests should be approved or denied.
Availability and Prerequisites
IdentityNow customers with the Recommendations service receive recommendations related to certifications and access requests. IdentityNow customers can access Recommendations as soon as it is enabled for their org.
IdentityIQ customers with the Recommendations service receive recommendations related to certifications and approvals. IdentityIQ customers will need to complete steps to integrate or activate the Recommendations service. For integration information, see IdentityIQ Integration with IdentityAI for Decision.
For implementation/activation information see the following documentation:
Understanding Peer Group Analysis
Peer group analysis is a machine learning model that analyzes data based on groups.
The SailPoint Identity Platform uses peer group analysis in its AI Services to organize your identities into peer groups based on common entitlements, and simplify the creation and maintenance of a dynamic identity governance program.
Peer groups are constantly evolving with your data and updated on a daily basis.
Empowering Users with Access Request Recommendations
Access request recommendations help IdentityNow end users who are struggling to find the access items they need to request in the IdentityNow Request Center. Each user's top 15 access request recommendations, based on peer group analysis, are presented to them, enabling them to confidently request access for themselves.
Viewing Access Request Recommendations
IdentityNow users can view their access request recommendations in the following ways:
- By selecting View Access Recommendations on the banner that's displayed after logging in to IdentityNow
- On the Request Center's Recommended for You page
- On the Request Center's Applications page
- On the Request Center's Roles page
At Log In
When access request recommendations are available for an IdentityNow user, a banner is displayed to notify them when they log in. Selecting View Access Recommendations opens the Recommended for You Page in the Request Center.
Recommended for You Page
The Recommended for You page lists the user's top 15 recommended access profiles and roles. Depending on whether the access is an access profile or role, recommendations can include information about the percentage of similar teammates who have the same access and the apps associated with the access request.
Selecting an access profile or role displays additional information about the apps involved.
Request Center users can select Request to request the access, or select Ignore to dismiss the recommendation.
Applications and Roles Pages
Recommendations also appear on the Request Center's Applications and Roles pages.
Using Attributes with Access Request Recommendations
You can use the following attributes to fine-tune your organization's access request recommendations. Contact Professional Services to enable, disable, or change your access request recommendation attributes as needed.
By default, the access request recommendations that users see are restricted based on the
location identity attribute. For example, imagine an organization has identities with location attributes of "Austin" and "Remote". If the team members look very similar according to peer group analysis, but the recommendations are restricted by location, "Austin Facilities Access" would be recommended only to identities with the location identity attribute set to "Austin".
The recommendation restriction attribute can be disabled or set to a different identity attribute that makes sense for your organization.
Organizations often bundle access that all new people joining the organization will need. If your organization already has an identity attribute that is used to designate identities as new, such as “joiner”, “newHire”, or “isNew”, a recommendation joiner attribute can be set to this existing identity attribute. SailPoint will not try to infer if an identity is new and will trust the organization's designation.
Start Date Attribute
If identities in an organization do not have new/joiner identity attributes, a different identity attribute can be designated as a start date attribute. This enables SailPoint to infer whether the identity has recently joined. The identity will be considered a joiner for 45 days after the start date.
If the identity does not have a joiner or start date attribute, the date the identity was "created" will be used.
Using Recommendations to Make Access Decisions
Certification and approval recommendations make the access reviewers and approvers in an organization more efficient and confident when approving, revoking, or denying access.
Access reviewers in IdentityNow receive certification recommendations. Access reviewers in IdentityIQ receive certification and approval recommendations.
When reviewers and approvers are evaluating access decisions, they will see recommendation icons to help guide their decision-making process.
Recommendation icons are used to communicate the following:
Selecting an icon displays more information.
If no icon is displayed, it means the identity is unique, and does not have a group of peers with similar access.
Recommendations are provided only to help guide reviewers and approvers. They are still ultimately responsible for making access decisions.