Access Modeling
Access Modeling (also known as role mining) analyzes existing user-to-entitlement assignments and discovers candidate access roles describing how people use access in your environment. It uses advanced machine learning algorithms and analytics thresholds to:
- Examine current roles and entitlements across your access landscape.
- Propose new role candidates and changes to existing roles.
- Calculate confidence scores and driving factors for each role and entitlement assignment.
PingOne Identity Governance add-on capability
Access Modeling is an additional add-on capability for PingOne Identity Governance. Contact your Ping Identity representative if you want to add the Access Modeling (Role Mining) add-on SKU to your PingOne Advanced Identity Cloud Identity Governance subscription. Learn more in Add-on capabilities.
What is confidence scoring?
Every entitlement assignment carries an implicit question: should this end user have this access? At enterprise scale, no reviewer can independently evaluate every single access assignment from scratch. Confidence scores provide the answer empirically.
Identity Governance analyzes your workforce data, for example job function, department, location, cost center, and other HR attributes, alongside existing entitlement assignments. It discovers which combinations of attributes reliably predict which entitlements.
For each user-entitlement pair, the confidence score answers a simple question: of all employees who share this end user’s relevant attributes, what percentage also hold this entitlement? A score of 0.93 means 93% of comparable employees have this access. A score of 0.12 means almost no one with this end user’s profile has it.
Identity Governance computes the score from observed data across your entire population. It reflects actual provisioning patterns rather than any single approver’s judgment or any one team’s interpretation of policy. High-confidence assignments are consistent with how the organization actually operates. Low-confidence assignments warrant review.
The same mechanism powers access recommendations. When an end user joins or changes roles, Identity Governance evaluates their updated attributes against known patterns and surfaces entitlements that their peers already hold and whose confidence exceeds your configured threshold.
Why mine roles?
Organizations pursue automated access modeling (or role mining) for two reasons. First, manual role engineering doesn’t scale to large enterprises. You can’t realistically define and maintain roles for 50,000 users and 15,000 entitlements through workshops, interviews, and spreadsheets. Automated mining turns a months-long consulting exercise into a repeatable process that covers the entire organization.
Second, access landscapes drift. People change jobs or transfer, new applications come online, and entitlements pile up. Roles that accurately described access six months ago might no longer match reality. Periodic re-mining compares newly discovered role candidates to your active roles. It flags where role definitions no longer match what the data supports and highlights new patterns that justify new roles. This gives role owners a structured, data-driven basis for governance decisions, instead of relying on periodic manual audits.
How does Identity Governance’s top-down access modeling help in compliance?
Confidence scores tell you whether an individual assignment is expected. Access modeling answers the next question: which assignments belong together?
The term "top-down" here doesn’t mean someone designs roles from an organization chart and pushes them out. It means Identity Governance starts discovery from organizational attributes. HR attributes, such as department, location, and job code, act as the explanatory variables. Access is what gets explained. It asks: given these attributes, what access does the data predict? Access modeling is still a data-driven discovery process, but it’s anchored in the structure the business already uses to describe its workforce.
The system looks at all discovered attribute-to-entitlement rules and finds places where they converge—where the same attribute combinations consistently predict the same entitlements. When it finds this pattern, it groups those entitlements into a candidate role. The attribute combinations that produced the grouping become the role’s driving factors.
For example, a candidate role might appear because employees in the Finance department in the Western region almost always have the same five entitlements. The system doesn’t name this role. Instead, it presents the entitlement set, the driving factors, and confidence scores for a role engineer to review, refine, and name before publishing.
Every discovered role comes with a built-in justification: the attribute combination that produced it. If an auditor asks, “Why does this role contain these entitlements?” you can point directly to the observed workforce pattern that created the role.
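As an added example (not part of the Ping Identity documentation or product code), the following Python models both the confidence score described under What is confidence scoring? and the grouping of converging attribute-to-entitlement rules into candidate roles with driving factors described above. The workforce data, the attribute names dept and region, the thresholds, and the function names are constructed assumptions; the product’s own algorithms and defaults are not published on this page.

```python
from collections import Counter, defaultdict

# Constructed sample workforce data (not from the page): HR attributes plus each user's entitlements.
USERS = [
    {"id": "u1", "dept": "Finance", "region": "West", "ents": {"gl-read", "gl-post", "expense-approve"}},
    {"id": "u2", "dept": "Finance", "region": "West", "ents": {"gl-read", "gl-post", "expense-approve"}},
    {"id": "u3", "dept": "Finance", "region": "West", "ents": {"gl-read", "gl-post", "expense-approve", "prod-db-admin"}},
    {"id": "u4", "dept": "Finance", "region": "West", "ents": {"gl-read", "gl-post"}},
    {"id": "u5", "dept": "Finance", "region": "East", "ents": {"gl-read"}},
    {"id": "u6", "dept": "Eng", "region": "West", "ents": {"repo-write", "prod-db-admin"}},
    {"id": "u7", "dept": "Eng", "region": "West", "ents": {"repo-write"}},
]
FEATURES = ("dept", "region")  # the user properties used as explanatory variables (assumed)

def peer_key(user, features=FEATURES):
    """Attribute combination that defines a user's peer group."""
    return tuple((f, user[f]) for f in features)

def confidence_table(users, features=FEATURES):
    """{peer_key: (peer_count, {entitlement: fraction of peers holding it})}."""
    groups = defaultdict(list)
    for u in users:
        groups[peer_key(u, features)].append(u)
    table = {}
    for key, peers in groups.items():
        counts = Counter(e for u in peers for e in u["ents"])
        table[key] = (len(peers), {e: n / len(peers) for e, n in counts.items()})
    return table

def confidence(users, user, entitlement, features=FEATURES):
    """Score one user-entitlement pair: the share of the user's peers holding it."""
    return confidence_table(users, features)[peer_key(user, features)][1].get(entitlement, 0.0)

def low_confidence_assignments(users, max_score=0.3, features=FEATURES):
    """Existing assignments that few peers share: the ones that warrant review."""
    table = confidence_table(users, features)
    return sorted((u["id"], e, table[peer_key(u, features)][1][e])
                  for u in users for e in u["ents"] if table[peer_key(u, features)][1][e] <= max_score)

def mine_candidate_roles(users, min_confidence=0.7, min_peers=3, features=FEATURES):
    """Group entitlements that one attribute combination reliably predicts into a candidate role."""
    roles = []
    for key, (n, scores) in confidence_table(users, features).items():
        if n < min_peers:  # too few peers for the pattern to be meaningful
            continue
        core = sorted(e for e, s in scores.items() if s >= min_confidence)
        if core:  # the attribute combination becomes the role's driving factors
            roles.append({"driving_factors": dict(key), "peers": n, "entitlements": core,
                          "confidence": {e: scores[e] for e in core}})
    return roles
```

With this data, u3’s prod-db-admin scores 0.25 because only one of four Finance/West peers holds it, which is exactly the kind of low-confidence outlier a reviewer should examine, while the Finance/West pattern yields one candidate role with three entitlements. Lowering min_peers or min_confidence produces more, but weaker, candidates, mirroring what the threshold sliders control.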
Role states
Roles in access modeling have one of three states indicating their readiness for production use:
| Status | Description |
|---|---|
| Candidate | Suggested role generated by the role mining analytics job. |
| Draft | A user-created draft of a role, either from scratch or based on a candidate role. |
| Active | A draft role that has been approved, created in Advanced Identity Cloud identity management, and marked active in governance. |
For Identity Governance administrators
In a typical scenario, an administrator or authorized end user runs a role mining job as part of the analytics pipeline in the Advanced Identity Cloud end-user UI. During a role mining analytics run, Identity Governance discovers candidates for new roles and displays them on the Access Modeling page with confidence scores and user access patterns. Administrators and authorized users can review these roles, make edits to entitlements and access patterns, and rerun the role mining analytics until the correct mix of entitlements meets your threshold objectives for given rules. If the threshold objectives require adjustments, administrators can make the changes in the Advanced Identity Cloud admin console. Learn more in Configure access modeling thresholds.
Before you start
Make sure that:
- Your organization has purchased and enabled the Access Modeling SKU in your Identity Governance tenant.
- You can access the governance configuration and job scheduling pages for your Identity Governance environment.
- You have set up a test user account with access to the Access Modeling user interface (UI) for testing and review purposes.
Role user types
Identity Governance supports two user role types to manage roles within Identity Governance. You can assign these roles using the Manage Identities function.
| User type | Description |
|---|---|
| Role administrator | As a role administrator, you can view, edit, delete, and export all roles. Role administrators can create drafts from mined candidates and assign role owners to the draft. They can also create custom roles for further evaluation and testing. The system automatically assigns this role to Identity Governance administrators. |
| Role owner | As a role owner, you can view, edit, delete, and export active and draft roles assigned to you. |
Roles workflow
The Access Modeling page displays roles in three states: Candidate, Draft, and Active.
- Candidate: A candidate is a template role that is discovered through the latest role mining analytics job. After each role mining job, all newly mined roles are marked as candidates. Role admins can review a candidate and create a draft.
  Candidate roles are read-only; you must create a draft from a candidate to change its details. Identity Governance retains candidate roles for later adjustments and for creating additional new roles until it runs the next role mining job, when it deletes all candidates and rebuilds a new candidate pool.
- Draft: A draft is a role that requires review and approval by an authorized approver to become active. Role admins can re-run a role mining job to pick up the latest changes in the access landscape. The Access Modeling page displays the latest confidence scores, access patterns, and a Recommendations section that shows a suggested course of action for the role. Also, when you create a custom role, Identity Governance saves the role in draft status. You can edit the draft, publish the role for production, or delete the draft.
- Active: After an approver approves a draft, the role is considered active for production use. The role has an Active status, appears on the Roles page in the Advanced Identity Cloud admin console, and is available for assignment to users and groups. Role owners can maintain the role over time by reviewing its access patterns and recommendations, and by re-running the role mining job to keep the role aligned with changes in the access landscape.
Role-mined and custom roles
You can create roles in two different ways: based on role-mined candidates or custom. Role-mined roles are discovered through Identity Governance’s machine learning process. The role mining job analyzes your access landscape and identifies patterns of access that form the basis of candidate roles. You can create a draft role based on a candidate role, which you can then refine and publish for production use.
You can create a new role on the Manage Identities page by selecting the New Alpha realm - Role button.
Custom roles don’t have recommendations, because recommendations are based on the difference between a mined role and its candidate.
Configure access modeling thresholds
Identity Governance implements a dedicated machine learning model configuration that controls the role mining process. These parameters determine how strict Identity Governance is when proposing new roles and help ensure that discovered roles are meaningful in production.
To configure access modeling thresholds:
1. In the Advanced Identity Cloud admin console, go to Governance > Requests.
2. On the Requests page, click the Settings tab.
3. In the Governance LCM section, click Activate.
   Governance lifecycle management (LCM) is the underlying machine learning model that powers both the Identity Governance Access Modeling and Recommendations features.
4. In the Governance LCM modal, read what activating this feature entails, and click Next.
5. In the Governance LCM modal, click Role LCM, and then click Activate. The governance LCM is now active on your tenant.
6. In the Advanced Identity Cloud admin console, click Governance > Recommendations.
7. On the Recommendations page, click Activate Recommendations. The status changes to Active.
8. In the User Properties field, enter the user attributes that you want to use as features for role mining. These attributes help Identity Governance identify patterns in access based on user characteristics (for example, department, location, or job title).
9. On the Recommendations page, set the confidence score thresholds by moving the sliders to determine whether a recommended role is listed as low, medium, or high confidence.
10. Click Save.
Add end users to the access modeling administrator group
To run the role mining job, end users must belong to the access-modeling-administrator group.
1. In the Advanced Identity Cloud admin console, go to Identities > Manage.
2. Click Alpha realm - Groups.
3. Click the ellipsis icon next to access-modeling-administrator, and select Edit.
4. On the access-modeling-administrator group page, click the Members tab.
5. Click Add Members.
6. In the Add Members modal, search for and select the users you want assigned to the group, and click Save.
Run an access modeling job
The role mining job is part of the Identity Governance analytics pipeline. When enabled, Identity Governance automatically kicks off a training job to build the machine learning model based on the latest role data.
After the model is trained, governance administrators or access modeling administrators must sign on to the Advanced Identity Cloud end-user UI as a test user to run a job. The role mining job analyzes the latest access data and generates candidate roles and updates to existing roles.
To run the role mining job, learn more in Run a role mining job.