Role Mining Stage 4

Shape repeatable access into candidate roles before scoring and review begin.

Stage 4 converts the strongest access patterns into named role candidates. Bundle recurring entitlements, check ownership and risk, and prepare a small set of role-shaped candidates that are ready for scoring instead of sending raw clusters downstream.

Back to Discover Patterns Open Score Review
Candidate drafting

Live candidate role generation will appear here once the queue is rendered.

Candidate roles 0 Generated from recurring, curated access bundles
Ready for score review 0 Candidates strong enough to move into scoring
Avg bundle size 0 Mean entitlement count per candidate role
Needs risk review 0 Candidates carrying high-risk or exception-heavy access

Candidate Pipeline Board

Track which generated roles are ready to move forward, which still need refinement, and which must be stopped for risk review.

Pipeline pulse
0% of live candidate roles are currently strong enough to move into score review.

Candidate role commentary will appear here once the live queue is rendered.

In queue 0
Need refinement 0
Good candidate generation stays disciplined: keep the bundle explainable, minimize privileged sprawl, and promote only the candidates that survive ownership, risk, and business-context review with a coherent access story.

Generated Candidate Queue

Rank the role-shaped bundles most likely to survive score review based on fit, coverage, ownership clarity, and risk posture.

Live queue
Role candidates generated from the current curated footprint

Each candidate groups recurring access into a role-shaped bundle. The best rows preserve coverage while staying explainable enough to move into score review.

Top candidates will be highlighted here once the queue is rendered.

Candidate Cohort Bundle Fit score Risk / State Next Step

Packaging Checklist

Short checks that keep candidate roles clean before scoring and review.

  • Name the candidate for a real use case Candidate names should map to a business function, operating lane, or job family instead of just repeating a technical access bundle.
  • Preserve a coherent shared core If only a small portion of the bundle repeats across the cohort, the candidate likely still needs refinement or splitting.
  • Separate privileged exceptions High-risk entitlements can stay in the candidate, but only if they are part of the true shared role rather than one-off exceptions.
  • Prepare for scoring evidence By the end of this stage, each candidate should have a clear steward, a user cohort, and enough rationale to survive score review.

Candidate Quality Mix

See how much of the current queue is ready to move forward, needs refinement, or must pause for risk review.

A healthy queue contains a small number of obvious promotions and a limited number of candidates that still require substantial analyst intervention.

Bundle Depth vs Cohort Size

Compare candidate coverage and bundle depth so broad but shallow candidates do not outrank smaller, more reusable role shapes.

  • Broad but shallow Large cohorts with only a thin shared bundle often indicate remaining common access rather than a stable role candidate.
  • Focused and reusable Candidates with a compact cohort and a dense shared core are usually easier to explain, score, and review downstream.
IAM/IGA Portal — Internal Use Only. See documentation for policies. Copyright © 2026. All rights reserved.