Identity AI Services: Role Discovery Queries


I am working on role discovery using IdentityAI. The goal for me is to use the IdentityAI role discovery feature to figure out the best-fit set of roles based on the current access that users have.

There are no access profiles or roles that are currently in place, so this is a green-field task. I want to understand how I can start with the discovery process.

Here’s what I have tried so far:

  1. Got a subset of users that I want the role mining AI to run on, using a query that narrows users down to a particular identity profile with a particular source.
  2. Tried to directly feed this user set, which is about 3500 users, to role discovery.
  3. With either broad roles or specialized roles, I did not get any roles to show up, even with max granularity or min users per role set to 1. (I know this is because my search query does not have any additional criteria like department, job title, etc. added.)

What I wanted to understand is this: Can I leverage the IdentityAI to figure out what the best attributes will be for creating the roles? My expectation is that the AI figures out the right set of attributes that create the maximum entitlement coverage in roles. Then, based on manual review, I can tweak where necessary and get it reviewed by the client/customer team.

Is that possible, or is there no other way but to manually specify, through the query, what attributes the AI needs to consider?

Here’s a screenshot with another issue observed: I keep getting “Not Applicable” as the attribute value and I can’t seem to see beyond this point. When I click on more details, there are no entitlements. I can, however, see the identities (23 in this case) if I work on the role.

Can someone help me with figuring out the problem?

I believe the data used by #ai to create the peer groups is the attributes you would have given to Sailpoint during the initial AI setup; however, I am wondering if this will get you what you are looking for:

  1. Build your Search
  2. Click Role Discovery > Discover Common Access Roles

This will give you the entitlements that at least 80% of the target identities (from your Search) have in common. You can then create your role and use your Search criteria in Role Membership Criteria to make it a birthright role if you desire. If desired, but not required, you can mark the role as common access, which will exclude those entitlements from being looked at by AI for other role mining use cases.

Not entirely sure how, but this issue auto-resolved after a few days. I am seeing the right data come through now.

@jroozeboom Thanks for the insights.

The top-down approach you’re suggesting makes a lot of sense. What I’m a little unclear on is how the specialized roles are to be discovered at scale.

Once we’re through with the broad roles that apply to everyone in an org, we need to start looking at more specialized roles. Now when we want to do this, what would be the right attribute to use? There’s some decision-making to do to choose the next attribute in the top-down “hierarchy” of roles, if that makes sense.

For instance, if we start with the entire user base to find the common access (birthright), the next in line could be, say, location for a global organization. Department can then follow, and then, say, job titles.

You could also make a case to choose departments over locations as the top-level criteria, but how you come to the right conclusion was something I was wondering. Could AI help determine the best breakdown?

There is probably someone better suited to answer your questions than me, but once you do the broad roles that apply to the organization as a whole, worker type, business unit, etc., you can mark them as common access so they are not evaluated in your non-common access role discovery. Assuming you gave Sailpoint the fields you wanted AI to use, it’s smart enough to just figure it out for you. It looks at the access and then finds common peer groups for you.
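To make the two ideas in this thread concrete (the 80% common-access rule from the "Discover Common Access Roles" reply, and the question of which attribute to use next in a top-down hierarchy), here is a small added example. It is not SailPoint's or IdentityAI's code and does not reproduce its peer-group algorithm; it is a plain heuristic, written for this thread, that applies the 80% threshold to a whole search result set, excludes the resulting birthright entitlements, then re-runs the same rule per attribute value and scores each candidate attribute by how much of the remaining access its roles explain. The identities, attribute names (`location`, `department`, `jobTitle`) and entitlement names are constructed sample data; the `"Not Applicable"` fallback for a missing attribute and the `min_users` cutoff are assumptions chosen to mirror the symptoms discussed above.

```python
from collections import Counter, defaultdict

# Constructed sample identities (not real data): each has attributes plus
# its current entitlements. Email and VPN are held by everyone (birthright).
IDENTITIES = [
    {"id": "u1", "attributes": {"location": "US", "department": "Finance",     "jobTitle": "Accountant"},
     "entitlements": {"Email", "VPN", "SAP-FI", "Expense"}},
    {"id": "u2", "attributes": {"location": "US", "department": "Finance",     "jobTitle": "Accountant"},
     "entitlements": {"Email", "VPN", "SAP-FI", "Expense"}},
    {"id": "u3", "attributes": {"location": "US", "department": "Engineering", "jobTitle": "Developer"},
     "entitlements": {"Email", "VPN", "GitHub", "Jira"}},
    {"id": "u4", "attributes": {"location": "US", "department": "Engineering", "jobTitle": "Developer"},
     "entitlements": {"Email", "VPN", "GitHub", "Jira"}},
    {"id": "u5", "attributes": {"location": "EU", "department": "Finance",     "jobTitle": "Accountant"},
     "entitlements": {"Email", "VPN", "SAP-FI", "Expense"}},
    {"id": "u6", "attributes": {"location": "EU", "department": "Finance",     "jobTitle": "Controller"},
     "entitlements": {"Email", "VPN", "SAP-FI", "SAP-CO"}},
    {"id": "u7", "attributes": {"location": "EU", "department": "Engineering", "jobTitle": "Developer"},
     "entitlements": {"Email", "VPN", "GitHub", "Jira"}},
    {"id": "u8", "attributes": {"location": "EU", "department": "Engineering", "jobTitle": "SRE"},
     "entitlements": {"Email", "VPN", "GitHub", "PagerDuty"}},
]

# The 80% rule from the thread; applying it per attribute group is an assumption.
COMMON_ACCESS_THRESHOLD = 0.80


def common_access(identities, threshold=COMMON_ACCESS_THRESHOLD):
    """Entitlements held by at least `threshold` of the given identities."""
    counts = Counter(ent for ident in identities for ent in ident["entitlements"])
    n = len(identities)
    return {ent for ent, c in counts.items() if c / n >= threshold}


def discover_by_attribute(identities, attribute, exclude=frozenset(),
                          threshold=COMMON_ACCESS_THRESHOLD, min_users=2):
    """Group identities by one attribute and run the common-access rule per group.

    Entitlements in `exclude` (already marked common access) are ignored, and
    groups smaller than `min_users` are skipped so a one-person group does not
    become a "role". A missing attribute falls into a "Not Applicable" bucket.
    """
    groups = defaultdict(list)
    for ident in identities:
        groups[ident["attributes"].get(attribute, "Not Applicable")].append(ident)
    roles = {}
    for value, members in groups.items():
        if len(members) < min_users:
            continue
        ents = common_access(members, threshold) - set(exclude)
        if ents:
            roles[value] = ents
    return roles


def coverage(identities, attribute, roles, exclude=frozenset()):
    """Fraction of non-birthright (identity, entitlement) pairs explained by `roles`."""
    total = covered = 0
    for ident in identities:
        remaining = ident["entitlements"] - set(exclude)
        role_ents = roles.get(ident["attributes"].get(attribute, "Not Applicable"), set())
        total += len(remaining)
        covered += len(remaining & role_ents)
    return covered / total if total else 0.0


def rank_attributes(identities, candidates, exclude=frozenset(), min_users=2):
    """Score each candidate attribute by coverage; best first. Returns (attr, score, roles)."""
    scored = []
    for attr in candidates:
        roles = discover_by_attribute(identities, attr, exclude, min_users=min_users)
        scored.append((attr, coverage(identities, attr, roles, exclude), roles))
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    birthright = common_access(IDENTITIES)
    print("common access (birthright):", sorted(birthright))
    for attr, score, roles in rank_attributes(IDENTITIES, ["location", "department", "jobTitle"], birthright):
        print(f"{attr}: coverage={score:.2f} roles={ {k: sorted(v) for k, v in roles.items()} }")
```

On this sample the birthright set is `Email` and `VPN`; once those are excluded, `location` yields no roles at all (every remaining entitlement sits well below 80% within a region), `department` explains half of the remaining access, and `jobTitle` explains three quarters. Lowering `min_users` to 1 pushes `jobTitle` to 100% coverage, but only by minting one-person roles for the Controller and the SRE, which is the same over-fitting you would want to catch in the manual review step.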