Identity Governance Access Modeling
Access Modeling (also known as role mining) analyzes existing user-to-entitlement assignments and discovers candidate access roles describing how people use access in your environment. It uses advanced machine learning algorithms and analytics thresholds to:
- Examine current roles and entitlements across your access landscape.
- Propose new role candidates and changes to existing roles.
- Calculate confidence scores and driving factors for each role and entitlement assignment.
Note (PingOne Identity Governance add-on capability): Access Modeling is an additional add-on capability for PingOne Identity Governance. Contact your Ping Identity representative if you want to add the Access Modeling (Role Mining) add-on SKU to your PingOne Advanced Identity Cloud Identity Governance subscription. Learn more in Add-on capabilities.
What is confidence scoring?
Every entitlement assignment carries an implicit question: should this end user have this access? At enterprise scale, no reviewer can independently evaluate every single access assignment from scratch. Confidence scores provide the answer empirically.
Identity Governance analyzes your workforce data (for example job function, department, location, cost center, and other HR attributes) alongside existing entitlement assignments. It discovers which combinations of attributes reliably predict which entitlements.
For each user-entitlement pair, the confidence score answers a simple question: of all employees who share this end user’s relevant attributes, what percentage also hold this entitlement? A score of 0.93 means 93% of comparable employees have this access. A score of 0.12 means almost no one with this end user’s profile has it.
Identity Governance computes the score from observed data across your entire population. It reflects actual provisioning patterns rather than any single approver’s judgment or any one team’s interpretation of policy. High-confidence assignments are consistent with how the organization actually operates. Low-confidence assignments warrant review.
The same mechanism powers access recommendations. When an end user joins or changes roles, Identity Governance evaluates their updated attributes against known patterns and surfaces entitlements whose confidence exceeds your configured threshold, that is, the access their peers already have.
Why mine roles?
Organizations pursue automated access modeling (or role mining) for two reasons. First, manual role engineering doesn’t scale to large enterprises. You can’t realistically define and maintain roles for 50,000 users and 15,000 entitlements through workshops, interviews, and spreadsheets. Automated mining turns a months-long consulting exercise into a repeatable process that covers the entire organization.
Second, access landscapes drift. People change jobs or transfer, new applications come online, and entitlements pile up. Roles that accurately described access six months ago might no longer match reality. Periodic re-mining compares newly discovered role candidates to your active roles. It flags where role definitions no longer match what the data supports and highlights new patterns that justify new roles. This gives role owners a structured, data-driven basis for governance decisions, instead of relying on periodic manual audits.
How does Identity Governance’s top-down access modeling help in compliance?
Confidence scores tell you whether an individual assignment is expected. Access modeling answers the next question: which assignments belong together?
The term "top-down" here doesn’t mean someone designs roles from an organization chart and pushes them out. It means Identity Governance starts discovery from organizational attributes. HR attributes, such as department, location, and job code, act as the explanatory variables. Access is what gets explained. It asks: given these attributes, what access does the data predict? Access modeling is still a data-driven discovery process, but it’s anchored in the structure the business already uses to describe its workforce.
The system looks at all discovered attribute-to-entitlement rules and finds places where they converge—where the same attribute combinations consistently predict the same entitlements. When it finds this pattern, it groups those entitlements into a candidate role. The attribute combinations that produced the grouping become the role’s driving factors.
For example, a candidate role might appear because employees in the Finance department in the Western region almost always have the same five entitlements. The system doesn’t name this role. Instead, it presents the entitlement set, the driving factors, and confidence scores for a role engineer to review, refine, and name before publishing.
Every discovered role comes with a built-in justification: the attribute combination that produced it. If an auditor asks, “Why does this role contain these entitlements?” you can point directly to the observed workforce pattern that created the role.
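The confidence score and the candidate-role grouping described above, as an added example that is not part of the original page or the product's implementation: a toy reconstruction over a constructed six-user workforce. `confidence` is the peer percentage defined in "What is confidence scoring?", `recommend` surfaces missing access above a threshold as the recommendations paragraph describes, and `mine_candidate_roles` groups entitlements that one attribute combination consistently predicts, returning the driving factors with each candidate; the data, function names and thresholds are assumptions.

```python
"""Toy reconstruction of confidence scoring and top-down role mining.
Constructed sample data and assumed function names; not the product's code."""
from collections import Counter, defaultdict

# Constructed workforce: HR attributes plus the entitlements each user holds.
USERS = {
    "alice": ({"department": "Finance", "location": "West"}, {"ERP_VIEW", "ERP_POST", "VPN"}),
    "bob":   ({"department": "Finance", "location": "West"}, {"ERP_VIEW", "ERP_POST", "VPN"}),
    "carol": ({"department": "Finance", "location": "West"}, {"ERP_VIEW", "ERP_POST", "VPN", "PROD_DB_ADMIN"}),
    "dave":  ({"department": "Finance", "location": "East"}, {"ERP_VIEW", "VPN"}),
    "erin":  ({"department": "Eng", "location": "West"}, {"GIT", "VPN"}),
    "frank": ({"department": "Eng", "location": "West"}, {"GIT", "VPN"}),
}


def peers(users, attrs, values):
    """Users whose values on `attrs` equal `values`: the comparison population."""
    return [u for u, (a, _) in users.items() if tuple(a[k] for k in attrs) == values]


def confidence(users, user, entitlement, attrs):
    """Share of the user's peers (same values on `attrs`) who hold `entitlement`."""
    values = tuple(users[user][0][k] for k in attrs)
    group = peers(users, attrs, values)          # includes the user themselves
    return round(sum(entitlement in users[u][1] for u in group) / len(group), 2)


def recommend(users, user, attrs, threshold=0.9):
    """Entitlements the user lacks but whose peers hold at or above the threshold."""
    held = users[user][1]
    candidates = {e for _, ents in users.values() for e in ents} - held
    return sorted(e for e in candidates if confidence(users, user, e, attrs) >= threshold)


def mine_candidate_roles(users, attrs, threshold=0.9, min_members=2):
    """Group entitlements that one attribute combination consistently predicts.
    Returns {driving_factors: sorted entitlements}; the driving factors are the
    attribute values that produced the grouping."""
    groups = defaultdict(list)
    for u, (a, _) in users.items():
        groups[tuple(a[k] for k in attrs)].append(u)
    roles = {}
    for values, members in groups.items():
        if len(members) < min_members:           # too few users to trust the pattern
            continue
        counts = Counter(e for u in members for e in users[u][1])
        ents = sorted(e for e, n in counts.items() if n / len(members) >= threshold)
        if ents:
            roles[tuple(zip(attrs, values))] = ents
    return roles


if __name__ == "__main__":
    attrs = ("department", "location")
    # carol's PROD_DB_ADMIN is held by 1 of 3 Finance/West peers: low confidence, review it.
    print(confidence(USERS, "carol", "PROD_DB_ADMIN", attrs))
    for factors, ents in mine_candidate_roles(USERS, attrs).items():
        print(dict(factors), ents)
```

The Finance/East user is alone in their attribute group, so no candidate role is mined for that combination; the outlier PROD_DB_ADMIN assignment scores 0.33 and is excluded from the Finance/West candidate.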
Role states
Roles in access modeling have one of three states indicating their readiness for production use:
| Status | Description |
|---|---|
| Candidate | Suggested role generated by the role mining analytics job. |
| Draft | A user-created draft of a role, either from scratch or based on a candidate role. |
| Active | A draft role that has been approved, created in Advanced Identity Cloud identity management, and marked active in governance. |
For Identity Governance administrators
Access Modeling supports a powerful role analysis and management system that examines all roles and their assigned entitlements within your access landscape. It uses machine learning rules and analytics thresholds to determine the confidence scores and driving factors for each role.
The central hub of the roles management system is Access Modeling. Access Modeling lets authorized users review, edit, and test new or existing roles before publishing them to production.
In a typical scenario, an administrator or authorized end user runs a role mining job as part of the analytics pipeline. During a role mining analytics run, Identity Governance discovers candidates for new roles and displays them in Access Modeling with confidence scores and user access patterns. Authorized users can review these roles, make edits to entitlements and access patterns, and re-run the role mining analytics until the correct mix of entitlements meets your threshold objectives for given rules.
Before you start
Make sure that:
- Your organization has purchased and enabled the Access Modeling SKU in your Identity Governance tenant.
- You can access the governance configuration and job scheduling pages for your Identity Governance environment.
- You have set up a test user account with access to the Access Modeling user interface (UI) for testing and review purposes.
Role user types
Identity Governance supports two user role types to manage roles within Identity Governance. You can assign these roles using the Manage Identities function.
| User type | Description |
|---|---|
| Role administrator | A user who can view, edit, delete, and export all roles. Role administrators can create drafts from mined candidates and assign role owners to the draft. They can also create custom roles for further evaluation and testing. The system automatically assigns this role to Identity Governance administrators. |
| Role owner | A user who can view, edit, delete, and export the active and draft roles assigned to them. |
Roles workflow
The Access Modeling page displays roles in three states: Candidate, Draft, and Active.
- Candidate: A candidate is a template role discovered by the latest role mining analytics job. After each role mining job, all newly mined roles are marked as candidates. Role admins can review a candidate and create a draft from it.
  Candidate roles are read-only; you must create a draft from a candidate to change its details. Identity Governance retains candidate roles for later adjustments and for creating additional new roles until it runs the next role mining job, when it deletes all candidates and rebuilds a new candidate pool.
- Draft: A draft is a role that requires review and approval by an authorized approver to become active. Role admins can re-run a role mining job to pick up the latest changes in the access landscape. The Access Modeling page displays the latest confidence scores, access patterns, and a Recommendations section that shows a suggested course of action for the role. Also, when you create a custom role, Identity Governance saves the role in draft status. You can edit the draft, publish the role for production, or delete the draft.
- Active: After a draft has been approved, the role is considered active for production use. The role has an Active status, appears on the Roles page in the Advanced Identity Cloud admin console, and is available for assignment to users and groups. Role owners can maintain the role over time by reviewing its access patterns and recommendations, and by re-running the role mining job to keep the role aligned with changes in the access landscape.
Role-mined and custom roles
You can create roles in two different ways: based on role-mined candidates or custom. Role-mined roles are discovered through Identity Governance’s machine learning process. The role mining job analyzes your access landscape and identifies patterns of access that form the basis of candidate roles. You can create a draft role based on a candidate role, which you can then refine and publish for production use.
You can create a new role on the Manage Identities page using the New Alpha realm - Role.
Note: Custom roles don’t have recommendations, because recommendations are based on the difference between a mined role and its candidate.
Configure access modeling thresholds
Identity Governance implements a dedicated machine learning model configuration that controls the role mining process. These parameters determine how strict Identity Governance is when proposing new roles and help ensure that discovered roles are meaningful in production.
To configure access modeling thresholds:
- In the Advanced Identity Cloud admin console, go to Governance > Requests.
- On the Requests page, click the Settings tab.
- In the Governance LCM section, click Activate.
  Governance lifecycle management (LCM) is the underlying machine learning model that powers both the Identity Governance Access Modeling and Recommendations features.
- In the Governance LCM modal, read what activating this feature entails, and click Next.
- In the Governance LCM modal, click Role LCM, and then click Activate. The governance LCM is now active on your tenant.
- In the Advanced Identity Cloud admin console, click Governance > Recommendations.
- On the Recommendations page, click Activate Recommendations. The status changes to Active.
- In the User Properties field, enter the user attributes that you want to use as features for role mining. These attributes help Identity Governance identify patterns in access based on user characteristics (for example, department, location, or job title).
- On the Recommendations page, set the confidence scores by moving the threshold sliders to determine whether a recommended role is listed as low, medium, or high confidence.
- Click Save.
Add end users to the access modeling administrator group
To run the role mining job, end users must belong to the access-modeling-administrator group.
- In the Advanced Identity Cloud admin console, go to Identities > Manage.
- Click Alpha realm - Groups.
- Click the ellipsis icon next to access-modeling-administrator, and select Edit.
- On the access-modeling-administrator group page, click the Members tab.
- Click Add Members.
- In the Add Members modal, search for and select the users you want to add to the group, and click Save.
Run an access modeling job
The role mining job is part of the Identity Governance analytics pipeline. When enabled, Identity Governance automatically kicks off a training job to build the machine learning model based on the latest role data.
After the model is trained, governance administrators or access modeling administrators must sign on to the Advanced Identity Cloud end-user UI as a test user to run a job. The role mining job analyzes the latest access data and generates candidate roles and updates to existing roles.
For the steps to run the role mining job, see Run an access modeling job.
For end users
This section is for governance practitioners, role owners, and other Identity Governance users who interact with Access Modeling but don’t manage the underlying analytics configuration.
Authorized access modeling administrators who are part of the access-modeling-administrator group can run a role mining job in the Advanced Identity Cloud end-user UI.
Note: Best practice is to run the role mining job on a daily basis. This cadence lets Identity Governance capture access and attribute changes and refresh recommendations, and keeps roles aligned with real-world usage. However, depending on your environment and how quickly access changes, you might run the job more or less frequently.
Run an access modeling job
The Identity Governance machine learning analytics pipeline includes the role mining job. The role mining job analyzes the latest access data and generates candidate roles and updates to existing roles.
Note: Only users in the
To run the role mining job:
- In the Advanced Identity Cloud end-user UI, sign on as a test user who has role mining permissions.
- Click Access Modeling.
- Click Run Role Mining Job. Identity Governance queues the role mining job in the analytics pipeline and runs it with the current configuration and thresholds.
  Only one role mining job can run at a time. Depending on your environment size and analytics load, the job can take from several minutes to a few hours to complete. When the Run Role Mining Job button becomes active again, the job has completed.
Search roles using the filter
Most companies have a large number of roles within their system. The Access Modeling page provides a useful filter to locate specific roles.
- In the Advanced Identity Cloud end-user UI, click Access Modeling.
- On the Access Modeling page, click Show Filters.
- In the Filter Roles modal, select the criteria you want to filter by:
  - Entitlement: Display only roles that include a specific entitlement.
  - Status: Select Candidate or Draft.
  - Users: Number of users in the role.
  - Minimum number of members: Display only roles with at least the specified number of members.
  - Minimum number of entitlements: Display only roles with at least the specified number of entitlements.
- Click Apply Filters.
Examine role details
For each candidate or existing role, Access Modeling provides a Details tab.
To examine a specific role:
- On the Access Modeling page, select a candidate, draft, or active role.
- On the role details page, review the following information:

| UI element | Description |
|---|---|
| General role information | Displays when the role mining analytics were last refreshed, the role status, and the role identifier. |
| Export | Downloads the role definition JSON for use outside the UI. |
| Identity Coverage | Displays what percentage of identities are currently in this role. |
| Average Assignment Confidence | Displays the average confidence score for the entitlements in this role. |
| Name | Lets you edit the display name for the role. |
| Description | Lets you add a short explanation of what the role is for. |
| Requestable | Designates a role as searchable and requestable on the Access Modeling page and in other governance areas. |
| Role Owner | Assigns a role owner responsible for managing this role. |
| Delete | Removes the role from access modeling. |
| Create Draft | Creates a draft version of the role that you can refine and publish. |
Examine role entitlements details
For each candidate or existing role, Access Modeling provides an Entitlements tab that displays the entitlements included in the role and their confidence scores.
- On the Access Modeling page, select a candidate, draft, or active role.
- Click the Entitlements tab.
- On the role entitlements page, review the following information:

| UI element | Description |
|---|---|
| Entitlements | Lists the entitlements included in the role. Click an entitlement to review its details. |
Examine the role’s members
For each candidate or existing role, Access Modeling provides a Members tab displaying the users included in the role and their attributes.
- On the Access Modeling page, select a candidate, draft, or active role.
- Click the Members tab.
- On the role members page, review the following information:

| UI element | Description |
|---|---|
| Attribute Distribution | Introduces the chart that summarizes member attributes. |
| Attribute selector | Lets you choose which attribute to analyze in the distribution chart. If you’re not sure what an attribute means, learn more in Examine the role’s access patterns. |
| Attribute distribution | Displays how many members share the selected attribute value. |
| Search | Filters the members list by username or other visible data. |
| Username | Displays each member’s username. |
| Attribute | Displays key attribute values (such as manager, location, or flags) for each member. |
Examine the role’s access patterns
For each candidate or existing role, Access Modeling provides an Access Patterns tab displaying the rules that define the driving factors for the machine learning analytics job.
- On the Access Modeling page, select a candidate, draft, or active role.
- Click the Access Patterns tab.
- On the role access patterns page, review the following information:

| UI element | Description |
|---|---|
| Sort by | Displays options to sort access patterns, such as by Attribute Count or User Count, in Ascending or Descending order. |
| Users | Displays how many users match the access pattern. |
| Attribute label | Displays the name of a user attribute used in the pattern. |
Create drafts and publish roles
Access Modeling lets authorized users review discovered candidate roles.
- On the Access Modeling page, select a candidate role.
- Review the role details, entitlements, members, and access patterns.
- Click Create Draft. This creates a draft role based on the candidate role, which you can refine and publish.
  You’ll see an additional Recommendations tab, where you can review and accept or reject suggested changes to the role definition based on other candidates.
- Update the role draft, and then click Publish. This submits the role for approval and publishing to Identity Governance.
- In the Request Submitted modal, click View Request to see the request details and approval workflow.
- If the request is approved, Identity Governance creates the role and marks it as Active. If the request is rejected, click Comments to view the error message or feedback from the approver.
Maintain and export roles
Over time, use Access Modeling to keep roles accurate and useful:
- Re-run the role mining job daily to capture changes in access and refresh recommendations.
- Create new drafts from existing active roles when mining suggests significant changes or when roles become stale.
- Unpublish or delete roles that no longer represent meaningful patterns.
To export the role definition:
- On the Access Modeling page, select a candidate role.
- Review the role details, entitlements, members, and access patterns.
- Click Export to download the role definition as JSON for offline analysis or integration with other systems.
Delete a role
Access Modeling lets role admins and role owners delete a draft or candidate role.
- On the Access Modeling page, select a candidate or draft role.
- Review the role details, entitlements, members, and access patterns.
- Click Delete.
Keep roles aligned with your access landscape
As an Identity Governance end user (for example, a role owner or governance analyst), you help keep Access Modeling effective by:
- Reviewing new candidate roles after each analytics run.
- Cleaning up roles that no longer represent meaningful patterns (for example, roles with very low membership or stale entitlements).
- Providing feedback to administrators when thresholds are too strict or too permissive, based on what you see in the UI.
Together, administrators and end users use Access Modeling to maintain a clean, accurate set of roles that reflect real-world access and support effective governance.