Discovering Roles

This document describes how to discover roles in your organization using Access Modeling, powered by SailPoint Predictive Identity.



About Access Modeling and Role Discovery

Access Modeling enables organizations to dynamically determine who should have access to what, increasing the efficiency and accuracy of their access model, at scale.

Role Discovery uses patented machine learning algorithms to identify user access patterns and determine potential roles, or bundles of access, that accurately align with what users actually do in an organization. You can then use this potential role data to evaluate your current roles and consider new roles in IdentityNow and IdentityIQ.


Process Overview

1.  Enter a Search query in IdentityNow or an Advanced Analytics query in IdentityIQ.

2.  Launch Role Discovery.

3.  Explore and customize potential roles.

4.  Export the potential role data to a ZIP file.

5.  Use potential role data to evaluate current roles and create new roles.


Discovering, Exploring, and Exporting Potential Roles

Complete the following steps to discover, explore, and export a potential role:

1. Enter a query:

  • In IdentityNow, click Search, and enter a search query. For information on Search syntax, see Using Search in IdentityNow.

  • In IdentityIQ, enter a query in Intelligence > Advanced Analytics.

NOTE:  When new identities and entitlements are added to your organization, they are not available for Role Discovery until the next day.


2.  Click Role Discovery. The potential roles are displayed at a default role granularity that the discovery algorithm selects for the identities returned by your query.

3.  (Optional) To modify the potential roles displayed, click the Settings icon to adjust the Role Granularity and Minimum Number of Identities. See Understanding Role Granularity to learn more.

4.  Click on Attributes for any potential role to quickly view the role’s top 3 job titles, departments, and locations (by percentage) shared among the included identities.


  • If none of the identities in the potential role have attributes for job title, department, or location, another attribute is displayed.

  • The attributes available depend on how identity attributes were mapped from your sources by the solution architect during onboarding.

  • If the job title, department, and location attributes show Not Applicable, it means those attributes were not mapped for any identities included in the potential role. For example, this could be the case for a potential role that includes contract workers not assigned job titles or departments.


5.  To see detailed information for a potential role, click the potential role name or Work On This Role in the Attributes view. The Composition screen for the potential role displays the role’s entitlements along with their % Popularity.


6.  Customize the potential role with the following controls:

  • Exclude Popularity Less Than - Enable this control to exclude entitlements with popularity less than the percentage you enter. An entitlement’s % Popularity is the percentage of identities in this potential role with the entitlement.

  • Exclude Common Access - This control is enabled by default and excludes entitlements that are broadly popular across your whole organization.

Best Practices: 

  • To avoid entitlement proliferation, SailPoint recommends removing low popularity entitlements (below 70%) from your role definitions. Every entitlement you keep in a role is granted to all of the role's members, including the members who do not hold it today, so each low popularity entitlement left in the role is new access for a sizeable share of them.

  • SailPoint recommends excluding common access from your roles to focus roles more on job functions and less on access that everyone gets.


7.  Click Identity Overview to see a list of all identities in the potential role and their job titles, departments, and locations.

You can also click Show Chart to see distribution graphs for these identity attributes.


8.  Click Export to save the entitlements, identities, and identity distribution data for the potential role in a ZIP file.

You have completed the Role Discovery process. You can use the exported potential role data to evaluate your current roles and consider new roles in IdentityNow and IdentityIQ.
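To make the step 6 controls concrete, the following Python example computes % Popularity for a constructed potential role, applies Exclude Popularity Less Than and Exclude Common Access, and then lists which members would receive new access if the role were created as-is. It is an added illustration, not code from this page or from SailPoint: the identities and entitlements are made up, and the 90% org-wide cutoff used to define common access is an assumption, since the page does not state how common access is determined.

```python
"""Work through the Composition-screen controls on constructed data.

Added example, not code from the page: identities and entitlements below
are hypothetical, and the org-wide threshold that defines 'common access'
is an assumption because the page gives no number for it.
"""
from collections import Counter

# Constructed: every identity in the organization and the entitlements it holds.
ORG = {
    "alice": {"ad:domain-users", "vpn", "git:read", "git:write", "jenkins:deploy"},
    "bob":   {"ad:domain-users", "vpn", "git:read", "git:write", "jenkins:deploy"},
    "carol": {"ad:domain-users", "vpn", "git:read", "git:write", "jenkins:deploy", "prod-db:admin"},
    "dave":  {"ad:domain-users", "vpn", "git:read", "git:write"},
    "erin":  {"ad:domain-users", "vpn", "git:read", "git:write", "jenkins:deploy"},
    "frank": {"ad:domain-users", "vpn", "git:read", "git:write", "jenkins:deploy"},
    "grace": {"ad:domain-users", "vpn", "hr:payroll"},
    "heidi": {"ad:domain-users", "vpn", "hr:payroll"},
    "ivan":  {"ad:domain-users", "vpn", "hr:payroll", "hr:benefits"},
    "judy":  {"ad:domain-users", "vpn", "crm:sales"},
}

# Constructed: the identities Role Discovery grouped into one potential role.
POTENTIAL_ROLE = ["alice", "bob", "carol", "dave", "erin", "frank"]


def popularity(identities, org=ORG):
    """% Popularity of each entitlement: share of `identities` that hold it."""
    counts = Counter(e for i in identities for e in org[i])
    return {e: 100.0 * n / len(identities) for e, n in counts.items()}


def role_entitlements(identities, org=ORG, min_popularity=70.0,
                      exclude_common=True, common_threshold=90.0):
    """Apply 'Exclude Popularity Less Than' and 'Exclude Common Access'.

    common_threshold (assumed: held by at least 90% of the whole org) stands
    in for the page's 'broadly popular across your whole organization'.
    """
    in_role = popularity(identities, org)
    org_wide = popularity(list(org), org)
    return {
        e: pct for e, pct in in_role.items()
        if pct >= min_popularity
        and not (exclude_common and org_wide.get(e, 0.0) >= common_threshold)
    }


def would_gain(identities, role_ents, org=ORG):
    """Least-privilege check before creating the role: which members would
    receive an entitlement they do not hold today (the cost of keeping an
    entitlement whose popularity is below 100%)."""
    return {i: set(role_ents) - org[i] for i in identities if set(role_ents) - org[i]}


if __name__ == "__main__":
    ents = role_entitlements(POTENTIAL_ROLE)
    for e, pct in sorted(ents.items(), key=lambda kv: -kv[1]):
        print(f"{e:16s} {pct:5.1f}% popularity")
    print("members who would gain access:", would_gain(POTENTIAL_ROLE, ents))
```

With the defaults, ad:domain-users and vpn drop out as common access, prod-db:admin drops out at 16.7% popularity, and jenkins:deploy stays at 83.3%; the would_gain check then shows that dave, who lacks jenkins:deploy today, would receive it through the role. That is the decision the Exclude Popularity Less Than threshold is really about: whether that extra grant is acceptable for the members who do not already have it.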


Understanding Role Granularity

After entering a search query and launching Role Discovery, you can click the Settings icon to modify the potential roles displayed:



  •  Use the Role Granularity slider to adjust the size and specialization of the potential roles. The orange pin on the slider represents the smart default value that the discovery algorithm used to produce the initial set of potential roles displayed.

  •  Adjust the Minimum Number of Identities to display only the potential roles that include at least that number of identities.

  • Click Apply to update the list of potential roles based on your changes.

A lower role granularity percentage displays potential roles with broader access. Each potential role includes more identities with less entitlement similarity, so the included identities are, in general, less alike. Fewer, broader roles are easier to manage, but assigning such a role can grant some identities entitlements that are not essential to their job function, which works against least privilege.

A higher role granularity percentage displays potential roles with more specialized access. Each potential role includes fewer identities with more entitlement similarity. It takes longer to evaluate and maintain a large number of highly specialized potential roles. However, because the members of each role already hold nearly the same entitlements, assigning the role grants little access that members do not already have, so these roles align more closely with least privilege.
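The trade-off described in the two paragraphs above can be seen on a small constructed population with a toy grouping procedure. The Python below is an added illustration and is not SailPoint's patented discovery algorithm: it greedily groups identities by Jaccard similarity of their entitlement sets, the similarity threshold plays the part of the Role Granularity slider, a minimum member count plays the part of Minimum Number of Identities, and role entitlements are the ones at or above 70% popularity, matching the page's best practice. Identities and entitlements are hypothetical sample data.

```python
"""Illustrate the role granularity trade-off with a toy similarity grouping.

Added illustration, not SailPoint's algorithm. A higher Jaccard threshold
stands in for a higher Role Granularity setting. All identities and
entitlements below are constructed sample data.
"""
from collections import Counter
from itertools import combinations

# Constructed sample population (hypothetical identities and entitlements).
ORG = {}
for i in range(4):
    ORG[f"backend{i}"] = {"git:read", "git:write", "jenkins:deploy", "aws:ec2-read"}
for i in range(4):
    ORG[f"frontend{i}"] = {"git:read", "git:write", "jenkins:deploy", "cdn:purge"}
for i in range(2):
    ORG[f"sre{i}"] = {"git:read", "jenkins:deploy", "aws:ec2-read",
                      "aws:ec2-admin", "prod-db:admin"}
ORG["junior0"] = {"git:read", "jenkins:deploy", "aws:ec2-read"}  # no git:write yet


def jaccard(a, b):
    """Entitlement similarity of two identities: |a & b| / |a | b|."""
    return len(a & b) / len(a | b)


def discover_roles(org, similarity, min_identities=1, min_popularity=70.0):
    """Greedy single-pass grouping: each identity joins the first role whose
    seed identity is at least `similarity` similar, otherwise it seeds a new
    role. Roles with fewer than min_identities members are dropped. Returns
    a list of (members, role_entitlements)."""
    groups = []  # (seed identity, member list)
    for ident, ents in org.items():
        for seed, members in groups:
            if jaccard(org[seed], ents) >= similarity:
                members.append(ident)
                break
        else:
            groups.append((ident, [ident]))
    roles = []
    for _, members in groups:
        if len(members) < min_identities:
            continue
        counts = Counter(e for m in members for e in org[m])
        role_ents = {e for e, n in counts.items()
                     if 100.0 * n / len(members) >= min_popularity}
        roles.append((members, role_ents))
    return roles


def excess_grants(org, roles):
    """Entitlements a role would hand to members who do not hold them today:
    the access 'not essential to their job function' a broad role introduces."""
    return {m: role_ents - org[m]
            for members, role_ents in roles for m in members if role_ents - org[m]}


def mean_similarity(org, roles):
    """Average pairwise entitlement similarity of members within their role."""
    pairs = [jaccard(org[a], org[b])
             for members, _ in roles for a, b in combinations(members, 2)]
    return sum(pairs) / len(pairs) if pairs else 1.0


def summarize(org, similarity, min_identities=1):
    roles = discover_roles(org, similarity, min_identities)
    covered = {m for members, _ in roles for m in members}
    return {
        "roles": len(roles),
        "excess_grants": sum(len(v) for v in excess_grants(org, roles).values()),
        "mean_similarity": round(mean_similarity(org, roles), 2),
        "uncovered": sorted(set(org) - covered),  # identities no surviving role includes
    }


if __name__ == "__main__":
    for threshold in (0.25, 0.55, 0.7, 0.8):
        print(f"granularity {threshold:.2f}: {summarize(ORG, threshold, min_identities=2)}")
```

Run with a minimum of two identities per role, the lowest threshold folds everyone into one role whose 73%-popular git:write entitlement would be newly granted to both SREs and the junior engineer (3 excess grants); raising the threshold splits the population into two, then three roles with a single excess grant, and at the highest threshold the junior engineer seeds a singleton that the minimum-identities filter discards, so no excess grants remain but that identity is left uncovered and still needs access outside any role. The mean_similarity field falls as roles broaden, which is the "less entitlement similarity" the text refers to.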


Revision 4 of 4. Last update: May 21, 2020 11:43 AM.