Governance recommendations
In large organizations, managers often face a difficult choice: grant too much access and create security risks, or grant too little and hinder productivity. Governance recommendations eliminate this guesswork.
Contact Ping Identity Support to enable the Identity Governance Recommendations feature.
What are governance recommendations?
The Governance Recommendations feature of PingOne Identity Governance uses machine learning to simplify access decisions. It analyzes access patterns across your organization to understand what access users with similar job functions and attributes typically have.
When you review a user’s access, the feature presents you with clear recommendations, such as suggesting you approve access that the user’s peers commonly have or flagging access that’s rare and requires a closer look. These insights empower you to make faster, more consistent, and more secure access decisions for your team.
Before you begin
Governance recommendations require the following prerequisites:
- Your Advanced Identity Cloud must have onboarded applications and entitlements.
- Entitlements must be set to requestable.
- If you’re using scoping, you must also configure the application Identity Governance scope rules.
Enable governance recommendations
- In the Advanced Identity Cloud admin console, go to Governance > Recommendations.
- On the Recommendations page, click Activate Recommendations. The status changes to Active.
Configure recommendation settings
- On the Recommendations page, select the User Properties used for analysis to generate recommendations. These values are from the User schema. Make sure these attributes are populated with good data, because the recommendations are generated from them. If you need help with preparing user attribute data to ensure accurate recommendations, contact your Ping Identity representative.
  For example, select the following:
  - User Type
  - Created By
  - Employee Type
  - Location
  - Job Title
  - Department
- On the Recommendations page, set the confidence scores by moving the threshold sliders to determine whether the recommended access is listed as low, medium, or high confidence. These thresholds determine how recommendations are displayed in the UI for certifications, approvals, and requests.
- Click Save.
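To see how the selected user properties and the threshold sliders interact, the following added example (not Ping Identity's code, and not the product's machine-learning model) scores an entitlement by the share of a user's peers who hold it. It assumes peers are users who match exactly on every selected property; the users, entitlement names, and the 0.30 and 0.70 thresholds are constructed for illustration.

```python
# Constructed sample identities; property names follow the list above.
def _u(uid, dept, title, ents):
    return {"id": uid, "Department": dept, "Job Title": title,
            "entitlements": set(ents)}

USERS = [
    _u("a1", "Finance", "Analyst", ["erp:read", "erp:post-journal"]),
    _u("a2", "Finance", "Analyst", ["erp:read", "erp:post-journal"]),
    _u("a3", "Finance", "Analyst", ["erp:read", "erp:post-journal"]),
    _u("c1", "Finance", "Controller", ["erp:read", "erp:approve-payment"]),
    _u("c2", "Finance", "Controller", ["erp:read", "erp:approve-payment"]),
    _u("e1", "Engineering", "Developer", ["git:write"]),
]
NEW = _u("n1", "Finance", "Analyst", [])  # user under review


def peers(user, users, properties):
    """Other users matching `user` on every selected property.

    A missing value never matches, so unpopulated attributes cannot
    silently turn the whole organization into one peer group.
    """
    return [u for u in users
            if u["id"] != user["id"]
            and all(user.get(p) is not None and u.get(p) == user.get(p)
                    for p in properties)]


def recommend(user, entitlement, users, properties, low=0.30, high=0.70):
    """Return (peer_share, level); low/high stand in for the sliders."""
    group = peers(user, users, properties)
    if not group:
        return None, "no-data"  # nothing to base a recommendation on
    share = sum(entitlement in u["entitlements"] for u in group) / len(group)
    if share >= high:
        return share, "high"
    if share < low:
        return share, "low"
    return share, "medium"


if __name__ == "__main__":
    # Narrow, coarse, and unpopulated property selections side by side.
    for props in (["Department", "Job Title"], ["Department"], ["Location"]):
        for ent in ("erp:post-journal", "erp:approve-payment"):
            print(props, ent, recommend(NEW, ent, USERS, props))
```

With only Department selected, the payment-approval entitlement moves from low to medium confidence for an analyst, because controllers are counted as peers; an unpopulated property such as Location yields no peer group at all.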
Jobs
After you configure your recommendations, two jobs run daily to generate recommendations: AutoIdRecommendation and AutoIdTraining.
You can view them on the Advanced Identity Cloud Jobs page.
Click the ellipsis and click Activate.

Recommendations in certifications
After you enable recommendations, you can add columns in certifications for recommendations.
- On the Certification > Templates tab, select a template.
- Click Customization.
- On the Customization page, configure the default columns of the table for reviewers in the access review.
- In the Review section, add Recommendation and click Next.
- In the Summary section, click Save.
- On the Certification page, on the Campaigns tab, click the campaign you edited.
- On the Identity Certification page that you selected, click Access Reviews.
- On the campaign access review page, the Recommended column displays one of three icons:
  - Green high confidence (recommended) icon
  - Red low confidence (not recommended) icon
  - Yellow mid confidence (no recommendation) icon
  You can hover over an icon for an explanation of the confidence score. In the following example, the recommended accesses are indicated by the green icon:
  The system recommends this entitlement with high confidence because 100% of users with similar attributes also have this access.
  For access that isn’t recommended, hover over the red icon to view the explanation:
  The system doesn’t recommend this entitlement because only 9% of users with similar attributes have this access.
  For recommendations that fall in the middle confidence range, hover over the yellow icon to view the explanation:
End-user UI
- When an end user is assigned a task and logs in to the Advanced Identity Cloud end-user UI, the link to the recommended access is displayed at the top of the page.
- Click the link to view the recommendations.
- On the Recommended Access page, review the recommendations. If you hover over the icon, the explanation for the recommendation appears.
- Click Request.
- On the Request Entitlement Access modal, click Add to Request.
The certifier can then approve the request on their dashboard.