Skip to main content
Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the ConductorOne Support team if you’d like to try it out or share feedback.

What is role mining?

Role mining analyzes the access granted to your organization’s users and identifies patterns that suggest well-defined access profiles. Instead of building access profiles by hand, you can use role mining to let ConductorOne surface which entitlements are commonly held by similar groups of people, then turn those patterns into ready-to-use profiles. ConductorOne offers two ways to use role mining:
  • Suggestions: ConductorOne continuously analyzes access patterns across your organization and surfaces recommended access profiles, grouped by cohorts like department, job title, employment status, and manager’s team.
  • Custom analysis: You define a specific cohort and ConductorOne analyzes the access patterns within that group on demand.

How role mining works

Role mining answers a specific question: “What access does this group of people typically need?” It starts with a defined group — a department, job title, employment status, manager’s team, or another cohort — and discovers the entitlements that group commonly holds. If you’re starting from a specific entitlement and want to know who should have it, role mining isn’t the right tool. Use Governance > Access profiles to build profiles by selecting entitlements directly.

Before you begin

  • You must have the Super Admin role in ConductorOne to use role mining.
  • At least one connector must be configured and have completed a sync. Role mining analyzes existing access grants, so it requires data to work with.

View and act on suggestions

ConductorOne updates suggestions automatically after each connector sync and when you trigger a manual analysis run.

View suggestions

1
Navigate to Governance > Role mining.
2
Click the Suggestions tab. Each suggestion shows the cohort it’s based on (such as a department or manager’s team), the entitlements recommended for that profile, and the confidence score for each entitlement.
3
Click a suggestion to expand it and review the full list of recommended entitlements and their confidence scores.

Accept a suggestion

Accepting a suggestion creates a new access profile based on the recommended entitlements.
1
On the Suggestions tab, click the suggestion you want to accept.
2
Review the recommended entitlements. You can remove any entitlements you don’t want included before accepting.
3
Click Create access profile.
4
Enter a name for the access profile, then click Create access profile.
The new access profile appears in Governance > Access profiles. It’s created with no enrolled members. To enroll users, navigate to the profile’s Enrollment tab and add members.
After accepting a suggestion, check Create requests for currently enrolled users on the access profile if you want ConductorOne to automatically create access request tasks for each new entitlement for each enrolled user.

Dismiss a suggestion

1
On the Suggestions tab, find the suggestion you want to dismiss.
2
Click the x at the end of the row to Dismiss suggestion.
Dismissed suggestions are removed from your active view. ConductorOne may surface a similar suggestion in a future analysis run if the underlying access pattern persists.

Trigger a new analysis

ConductorOne runs role mining analysis automatically after each connector sync. To run an analysis on demand:
1
Navigate to Governance > Role mining.
2
Click Analyze.
Analysis runs in the background. The suggestions list updates when the run completes.
Role mining becomes more accurate as your organization’s data grows. If you’ve recently connected new integrations or enrolled more users in access profiles, running a fresh analysis surfaces more relevant suggestions.

Run a custom analysis

Custom analysis lets you define a specific cohort and analyze that group’s access patterns on demand. Use this when you have a particular team, role, or attribute in mind and want targeted suggestions rather than the automated org-wide analysis.
1
Navigate to Governance > Role mining.
2
Click the Custom analysis tab.
3
Define your cohort by selecting a user attribute and value, such as department or manager.
4
Click Analyze.
ConductorOne analyzes the access held by users matching your cohort definition and surfaces entitlement suggestions with confidence scores. You can accept or dismiss these suggestions the same way as automated suggestions — see Accept a suggestion and Dismiss a suggestion.

Frequently asked questions about role mining

Role mining requires users with existing access grants to analyze. If your connectors haven’t completed a sync yet, or if the user populations in your organization are too small or too varied for a clear pattern to emerge, suggestions may not appear. Try running a connector sync and then triggering a new analysis from the Role mining page.
ConductorOne groups users by shared attributes like department, job title, employment status, and manager’s team. Within each group, it identifies entitlements that appear frequently across members. The confidence score reflects what percentage of group members hold that entitlement.
Accepting a suggestion creates a new access profile with the recommended entitlements. The profile starts with no enrolled members — you’ll need to add members from the profile’s Enrollment tab. The suggestion moves to an accepted state and no longer appears in your active suggestions list.