SailPoint AI-Driven Identity Security: Role Discovery

Date Posted:

5 Sept 2025

Category:

Security

How to Use Role Discovery in SailPoint AI-Driven Identity Security

Introduction to SailPoint AI-Driven Identity Security: Role Discovery

SailPoint’s AI-Driven Identity Security helps organizations decide who should have access to what, at scale. With Access Modelling, you can build roles that reflect user needs. Role Discovery reveals new roles that mirror how users actually access systems. Role Insights improves existing roles by analysing usage and suggesting updates.

Role Discovery

  1. Role Discovery uses network graph analysis to cluster entitlements and identities. It identifies potential new roles based on shared access patterns.

    Example: Sales users who all use CRM, dashboard, and analytics tools might form a “Sales potential role”

  2. You can start Role Discovery from the Role Insights page via the Discover Roles button or from Search after selecting identities. You filter identities (e.g., department or job title), then choose Common Access (widely used access) or Specialized Access (specific to a function).

  3. After the role discovery process, the Potential Role Results page lists all the potential roles. On this page you can select:

    Session Criteria: To view the filters or search queries that were used for the role discovery.

    Filters & Sorting: To narrow the results or sort by criteria such as High Impact, identity count, or similarity. Roles labelled High Impact are those with strong alignment and broad utility; creating those roles would improve the role model significantly.

    Settings:

    Role Granularity: High Granularity shows fewer potential roles, but each role has highly similar entitlements (tight, accurate bundles). High granularity might suggest: Marketing Analyst Role = 10 users all with the same 6 entitlements.
    Low granularity shows more potential roles, but each role may include broader identity groups with looser similarity. Low granularity might suggest: General Marketing Role = 100 users with 3 common entitlements, but other access varies.

    Minimum Identities: This sets the minimum population size required to suggest a potential role. If you set it to 10, it will only suggest roles that at least 10 identities share. If you set it to 2, it will also suggest small roles (like a 2-person role).

    Attribute View: The Attributes icon in each potential role shows the distribution of identities in a potential role by job title, department, and location (percent-based breakdown). If any attribute (job title, department, and location) is missing or not mapped, it may show Not Applicable. Additional attributes require extra configuration.

    To see detailed information for a potential role, click that potential role. It shows the following tabs:

    Composition: Lists the entitlements that form the potential role, grouped by source or application, each with a popularity percentage. The popularity percentage is how common the entitlement is across the identities in the potential role.

    Example:
    Let’s say this potential role has 100 identities:

          95 have Active Directory - Employee Group entitlement - 95% popularity.

          88 have Salesforce - Basic User entitlement - 88% popularity.

          30 have Jira - Developer entitlement - 30% popularity.

          So, in the Composition tab, you would see:

          AD - Employee Group - 95%

          Salesforce - Basic User - 88%

          Jira - Developer - 30%

    You can bulk exclude or individually exclude entitlements on the Composition page. If you choose to bulk exclude by popularity, you could, for example, remove all entitlements with popularity < 40%.

    Exclude Entitlements shows entitlements that were not included in the potential role by default. You can add these entitlements to the potential role manually if needed by selecting the particular entitlement.

    Identity Attributes shows the distribution of identities in this potential role by attributes (like job title, location, department). This helps you understand who the role would apply to; it is essentially a detailed view of the “Attributes” percentages mentioned under Attribute View.
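The settings described above (similarity, Minimum Identities, popularity and bulk exclusion) can be tried on a toy data set. This is an added example, not SailPoint code or SailPoint's algorithm: it assumes a simplified model in which identities are linked when the Jaccard similarity of their entitlement sets reaches a threshold, and the identity names, entitlement names and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample data: identity -> entitlements (not from a real tenant).
ACCESS = {
    "ana": {"AD:Employee", "SF:BasicUser", "CRM:Read", "BI:Dashboard"},
    "ben": {"AD:Employee", "SF:BasicUser", "CRM:Read", "BI:Dashboard"},
    "cho": {"AD:Employee", "SF:BasicUser", "CRM:Read", "Jira:Developer"},
    "dev": {"AD:Employee", "Jira:Developer", "Git:Write", "CI:Run"},
    "eli": {"AD:Employee", "Jira:Developer", "Git:Write"},
    "fay": {"AD:Employee", "Payroll:Admin"},
}

def jaccard(a, b):
    """Share of entitlements two identities have in common."""
    return len(a & b) / len(a | b)

def discover(access, similarity, min_identities):
    """Link identities whose access overlaps >= similarity, then return each
    connected group that meets the minimum population (hypothetical model)."""
    names = sorted(access)
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            n = parent[n]
        return n

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(access[a], access[b]) >= similarity:
                parent[find(b)] = find(a)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(g for g in groups.values() if len(g) >= min_identities)

def composition(access, members, exclude_below=0):
    """Popularity % per entitlement, split into kept and bulk-excluded."""
    counts = Counter(e for m in members for e in access[m])
    pct = {e: round(100 * c / len(members)) for e, c in sorted(counts.items())}
    kept = {e: p for e, p in pct.items() if p >= exclude_below}
    excluded = {e: p for e, p in pct.items() if p < exclude_below}
    return kept, excluded

if __name__ == "__main__":
    for sim in (0.9, 0.5):  # tight vs. loose similarity
        print(sim, discover(ACCESS, sim, min_identities=2))
    print(composition(ACCESS, ["ana", "ben", "cho"], exclude_below=40))
```

In this model, an entitlement left in a role at 33% popularity would be granted to the other two thirds of the members once the role is assigned, which is why the popularity cut-off matters for least privilege.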

Saving, Exporting, Creating Roles

  1. After refining a potential role, you can save it as a draft. Saved drafts appear in the left sidebar of the Access Model -> Access Insights page for further editing.

  2. You can export the refined role data as a ZIP file containing CSVs for offline review.
    You can also create a new role right from the Potential Role screen:

  3. Clicking Create Role will redirect you to the Access Model -> Roles page.

  • You can choose to include identities during creation or add them later manually.

  • The new role initially lands in a disabled state by default.

  • When you enable a role, it becomes requestable. Access requests are sent to the role owner for approval.

Conclusion

Role Discovery helps create roles by grouping common access, removing guesswork and improving security. This makes role models easier to manage and scale. With SailPoint’s AI, role management becomes more efficient.

Stay tuned to our blog for more posts about SailPoint product implementation and related updates.
