IdentityAI - Potential roles

Hi Everyone,

We have integrated IdentityNow and IdentityAI to perform role rationalization. This question is related to potential roles created from IdentityAI role discovery.

Is anyone using, or does anyone have a recommendation for, a process to evaluate and find 2 sets of identities:
a) The identities which will be provisioned more access based on the new membership criteria of the potential roles (say a potential role has 82% coverage from the existing role; 18% of users will be provisioned the role who do not have access to it but belong to the same membership criteria).
b) The list of identities who may lose access due to the membership criteria (say a user has all the entitlements of a new role but does not match the membership criteria and will lose the role).

Please do let me know if you have any insights!

Thanks,
Archana

Hi Archana,

I think the in-app CSV download can help with the issue you describe. Once you have found a role and trimmed the entitlements down to a role you are happy with, you should download the CSV before pushing the role into IDN. The CSV has columns that note the identities that currently have, and those that don’t have, each entitlement we are suggesting for the role, so you can find the identities who will gain access when you create the role. Is that helpful?

Best,
Erik

Thanks Erik for the reply.

I would like to confirm that the entitlement.csv which we get from the download of the potential role would have “Included Identities” and “Missing Identities” columns.

Does Included Identities mean - to be impacted identities who will get this entitlement with this new role being created?
Does Missing identities mean - to be impacted identities who already have this entitlement and will lose this entitlement now with this new role being created with new membership criteria?

Is our understanding correct with these two columns?

Thanks,
Archana

Does Included Identities mean - to be impacted identities who will get this entitlement with this new role being created? Yes

Does Missing identities mean - to be impacted identities who already have this entitlement and will lose this entitlement now with this new role being created with new membership criteria? Not exactly. We aren’t taking entitlements away from identities with this process I am describing in Access Modeling. The CSV will tell you who has the entitlement and who doesn’t, though, which will help you determine who to remove the entitlements from if you so choose.

The CSV has the following columns: entitlement name, entitlement description, entitlement attribute, application, % popularity, included identities, missing identities.
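
An added example, not part of the thread and not SailPoint code: one way to derive the two identity sets asked about from the downloaded CSV before the role is pushed. It assumes the headers match the column list above, that identity cells are semicolon-separated, that "included identities" are the current holders of each entitlement, and that the identities matching the membership criteria come from a separate export; all sample data is constructed.

```python
import csv
import io

# Constructed sample standing in for the downloaded CSV (header names assumed).
SAMPLE_CSV = """entitlement name,entitlement description,entitlement attribute,application,% popularity,included identities,missing identities
AP_Read,Read invoices,memberOf,ERP,100,alice;bob;carol;dave,
AP_Post,Post invoices,memberOf,ERP,75,alice;bob;dave,carol
AP_Approve,Approve payments,memberOf,ERP,50,alice;dave,bob;carol
"""
# Constructed: identities that match the proposed membership criteria.
CRITERIA_MATCHES = {"alice", "bob", "carol"}


def split_ids(cell, sep=";"):
    """Turn one identity cell into a set (separator is an assumption)."""
    return {i.strip() for i in cell.split(sep) if i.strip()}


def role_impact(csv_text, criteria_matches):
    """Return (gains, outside_criteria).

    gains: identity -> entitlements it would newly receive via the role.
    outside_criteria: identities already holding every role entitlement
    that do not match the membership criteria (candidates for review).
    """
    gains = {}
    full_holders = None
    for row in csv.DictReader(io.StringIO(csv_text)):
        ent = f'{row["application"]}:{row["entitlement name"]}'
        holders = split_ids(row["included identities"])
        missing = split_ids(row["missing identities"])
        if holders & missing:
            # An identity in both columns means the assumed semantics are wrong.
            raise ValueError(f"{ent}: identity listed as both holder and missing")
        for ident in sorted(criteria_matches - holders):
            gains.setdefault(ident, []).append(ent)
        full_holders = holders if full_holders is None else full_holders & holders
    outside = sorted((full_holders or set()) - criteria_matches)
    return gains, outside


if __name__ == "__main__":
    gains, outside = role_impact(SAMPLE_CSV, CRITERIA_MATCHES)
    for ident, ents in sorted(gains.items()):
        print(f"{ident} would gain: {', '.join(ents)}")
    print("hold all entitlements but outside criteria:", outside)
```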