I am looking for some guidance or ideas on how my organisation could allow application owners the ability to view the users that have access to their applications in SailPoint. I’m not looking for a report to be created as such, but more the ability for an application owner to launch SailPoint and simply have a view of their application users. Whether that is a quicklink or enabled by access rights, I am not sure what procedure to follow.
Welcome back to the community!
I suppose the requirement here is for the application owners to view the accounts that are aggregated in SailPoint, not to actually take a look at the identities.
This can be easily achieved by performing the below steps; we did the same in our environment, as we didn’t want to provide the application administration permission, only read-only access to view the accounts.
1. Define a custom capability “ApplicationReadyOnly” as below:
```xml
<?xml version='1.0' encoding='UTF-8'?>
To View the Application
```
2. Assign this capability to the application owner that you want to grant the access to.
3. Make sure you update the user as application owner on the respective applications.
These steps ensure when the user is logged in, they only have access to view the Application they are owner of and the accounts that are aggregated.
There is an SPRight “ViewApplication”; you can try assigning that to owners, and they will be able to see account holders but will not be able to update any app config.
Second approach: create a quicklink that is available only to app owners; use Dynamic Scope for that.
When the user clicks on it, you can display all users/accounts/identities that are correlated to that app in a Form, which is straightforward to do from a Script/Rule.
Hi Uday, sorry for the late reply, but I wanted to provide more context. Currently our applications have workgroups assigned as owners. Those workgroups contain the app owners as members. Can the same solution you provided work for this scenario?
@SeanGallagher91 If you further want to make sure app owners can only see the apps that belong to them and, if they open an identity, they can only see the apps they are managing, you might want to create a plugin to restrict the view.
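The quicklink-plus-rule approach from the second reply, combined with the workgroup-as-owner setup raised in the later question, as an added example that is not code from any of the thread's participants: a BeanShell rule that lists the aggregated accounts (Links) on every application the logged-in user owns directly or through a workgroup they belong to. It assumes the rule is handed the standard `context` (SailPointContext) and the launcher's identity name in `launcher`, as workflow-launched rules are, and the row keys are my own choice for the Form to display.

```java
// Added example for the quicklink/rule approach (not code from the thread's
// authors). Assumes an IdentityIQ BeanShell rule that receives "context" and
// "launcher" (the logged-in user's name); adjust names for a Form field script.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import sailpoint.object.Application;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;
Identity viewer = context.getObjectByName(Identity.class, launcher);
if (viewer == null) {
    return new ArrayList();   // nothing to show for an unknown launcher
}
// Ownership may be direct or via a workgroup the viewer is a member of,
// which covers the "workgroup assigned as owner" scenario in the thread.
List ownerFilters = new ArrayList();
ownerFilters.add(Filter.eq("owner", viewer));
List workgroups = viewer.getWorkgroups();
if (workgroups != null) {
    for (Identity wg : workgroups) {
        ownerFilters.add(Filter.eq("owner", wg));
    }
}
List rows = new ArrayList();
QueryOptions appQo = new QueryOptions(Filter.or(ownerFilters));
Iterator apps = context.search(Application.class, appQo);
while (apps.hasNext()) {
    Application app = (Application) apps.next();
    // Links are the aggregated accounts correlated to identities on this app.
    QueryOptions linkQo = new QueryOptions(Filter.eq("application.name", app.getName()));
    Iterator links = context.search(Link.class, linkQo);
    while (links.hasNext()) {
        Link link = (Link) links.next();
        Map row = new HashMap();
        row.put("application", app.getName());
        row.put("account", link.getNativeIdentity());
        row.put("identity", link.getIdentity() != null ? link.getIdentity().getDisplayableName() : "");
        rows.add(row);
    }
    Util.flushIterator(links);
}
Util.flushIterator(apps);
return rows;
```

Because the query is driven by the launcher's own ownership, a user who owns nothing gets an empty list rather than a view of other owners' accounts, so the rule enforces the same read-only scoping the Dynamic Scope on the quicklink provides.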