New Capability: MySailPoint GenAI Descriptions Widget

Description

Identity Security Cloud has added a MySailPoint widget that shows sources with blank entitlements!

Problem

Administrators did not have an elegant solution for seeing blank entitlements within Identity Security Cloud. Therefore, it was difficult to identify these entitlements and make sure they had the proper context needed for administrators to make informed decisions.

Solution

Now, Identity Security Cloud highlights sources with the most pressing need to have entitlements described. As a proxy, admin sources can be shown with high nominal numbers of blank entitlement descriptions, and the user can click to generate entitlement descriptions for a source in the list, which will be retrievable via the widget to track progress.

Who is affected?

All Identity Security Cloud customers.

Important Dates

Available now!

3 Likes

Hi @alec

I wonder if ensuring there are descriptions to entitlements should be a responsibility of an IGA solution such as ISC. After all, in contrast to access profiles and roles, which are objects defined in ISC, entitlements are foreign objects, representing access on third party applications. The third party applications should be responsible for having access items with proper value and display names and descriptions. We can then perform entitlement aggregations to load this data. The knowledge of what the entitlements represent and mean is therefore known on the third party application, making it more difficult for an AI to generate proper descriptions. In addition, if changes are being made, they are being made on the third party application. If we add descriptions on entitlements in ISC, it is not visible in the place of origin, which is the third party application.

I see a low amount of comments and likes here compared to other announcements such as New Capability: Role Change Propagation and New Capability: Remove All Access on Termination. Also I am not seeing anything like this in the idea portal. Perhaps this also demonstrates that there are better topics to focus on for ISC and better functionality to build or enhance rather than this functionality.

To offer a suggestion which I think actually adds value, in the entitlement schema you can select which field represents entitlement id and which one represents entitlement name. But you cannot select here which field represents the description or which field represents the entitlement owner (another data field which we should be able to aggregate automatically during entitlement aggregation and provide owner correlation logic).

Another topic which would add value is this idea from 3 years ago, which has over 200 votes https://ideas.sailpoint.com/ideas/GOV-I-2068, to allow us to delete entitlements that don’t exist anymore in the third party application. Sometimes entitlement aggregation deletes entitlements that don’t exist anymore, but this is not always the case, meaning we have representations of entitlements in ISC that don’t exist anymore in the third party application and we can currently only get rid of this by resetting all entitlements of this source, but this means all access profiles for entitlements we still need will be deleted as well.

So in summary: I would argue that adding descriptions to entitlements should not be a task for an ISC solution, should be performed on the target application itself, and instead of offering AI descriptions, which operate on limited information and therefore cannot give good recommendations, I suggest you add functionality allowing source owners to update the entitlement schema in the UI and specify which field represents the description, and allowing us to delete individual entitlements, both of which can properly help us decrease the amount of entitlements without descriptions.

Kind regards,
Angelo Mekenkamp

1 Like

Hi @alec

This is a very welcomed enhancement — thank you!

Identifying and managing blank entitlement descriptions has been a persistent challenge, especially when trying to ensure entitlements are well-contextualized for certifiers and access reviewers. The ability to now surface sources with the highest number of missing descriptions and trigger description generation directly is a smart step.

Hi @TheOneAMSheriff, glad to hear you are happy with this enhancement. Guess this shows how different people have different requirements of an IGA solution.

Out of curiosity (and to ensure different arguments are also heard), is your organization actually using this functionality to determine entitlement descriptions? And if so, taking into account the remarks I gave above, why has your organization chosen to use an IGA solution for this?