Manually creating Access Profiles in large SailPoint Identity Security Cloud (ISC) environments can be time-consuming and prone to errors.
When managing dozens or even hundreds of applications, adding profiles one by one through the UI isn’t scalable.
This post explains how administrators can create multiple Access Profiles in bulk using a CSV file through the community-developed ISC Extension in Microsoft Visual Studio Code, a simple and effective approach that leverages SailPoint APIs for automation.
Business Use Case:
Organizations often maintain hundreds of Access Profiles, one for each application, entitlement group, or business function.
Creating and managing these manually can take significant time and often leads to inconsistencies.
Automating the process ensures:
- Consistency across environments
- Reduced manual errors
- Faster onboarding of new applications
- Easy updates and maintenance through reusable templates
The VS Code ISC Extension provides a convenient interface to upload and manage these profiles directly from your local environment, connecting securely to your SailPoint tenant through APIs.
Abstract:
This post demonstrates how to automate bulk Access Profile creation in SailPoint Identity Security Cloud (ISC) using a CSV file and the VS Code ISC Extension.
It covers environment setup, CSV structure, deployment, and common troubleshooting steps to help administrators streamline their configuration process.
Prerequisites:
Before starting, ensure the following setup is ready:
- SailPoint Identity Security Cloud (ISC) tenant (developer or sandbox)
- Personal Access Token (PAT) or API Client with administrative privileges
  Profile → Preferences → Personal Access Tokens → New Token
  Provide the justification, select the scopes, and click Create. A Client ID and Client Secret will be generated.
- Microsoft Visual Studio Code is installed
- Identity Security Cloud (ISC) Extension for VS Code
  This extension is a community-developed tool that interacts with SailPoint APIs. It’s not an official SailPoint product but is widely used by practitioners for automation and testing.
  Click on the ‘+’ symbol to add the new tenant. Provide the URL, tenant name, client ID, and client secret.
- CSV file containing Access Profile data (UTF-8 format)

Tip: In VS Code, unlock your tenant connection (click the icon in the SailPoint panel). If it remains locked, uploads will fail because the connection is read-only.
CSV File Structure:
To bulk-create Access Profiles, prepare a CSV file containing the required fields.
| Header | M* | Description | Example Value | Default Value |
|---|---|---|---|---|
| name | Yes | Name of the access profile | HR_App_ReadOnly | — |
| owner | Yes | Owner of the access profile | Ananya Rao | — |
| source | Yes | Source associated with the access profile | Corporate Active Directory | — |
| description | No | Description of the access profile | Provides read-only access to HR application portal | null |
| enabled | No | Is the access profile enabled? | TRUE | FALSE |
| requestable | No | Is the access profile requestable? | TRUE | FALSE |
| commentsRequired | No | Require comments when the user requests access | FALSE | FALSE |
| denialCommentsRequired | No | Require comments when a reviewer denies the request | TRUE | FALSE |
| approvalSchemes | No | List of reviewers among APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, or governance groups separated by ; | "MANAGER;HR_Approvers" | [] (No approval) |
| revokeApprovalSchemes | No | List of reviewers among APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, or governance groups separated by ; | "MANAGER" | [] (No approval) |
| entitlements | No | Entitlements of the access profile | hr_read_group | [] |
Note: M* refers to a Mandatory field
Access Profile CSV Columns with Examples:
| name | owner | source | description | enabled | requestable | commentsRequired | denialCommentsRequired | approvalSchemes | revokeApprovalSchemes | entitlements |
|---|---|---|---|---|---|---|---|---|---|---|
| Test_AP | XYZ | Active Directory | This is to test VS Code for the creation of bulk access profiles | TRUE | TRUE | TRUE | TRUE | MANAGER | | test_group |
| Test2_AP | ABC | Active Directory | This is to test VS Code for the creation of bulk access profiles | TRUE | TRUE | TRUE | TRUE | "MANAGER;Finance_Approvers" | | test2_group |
Note:
- This sample demonstrates how multiple Access Profiles can be uploaded at once using the VS Code ISC extension.
- Make sure the CSV file is saved as UTF-8 (Comma-delimited) before importing.
- Only the first three columns (name, owner, source) are mandatory, while others are optional.
- If you have governance groups or multi-level approvers, separate them using a semicolon (;) inside double quotes, e.g., "MANAGER;Finance_Approvers".
- If one of the approvers is the Access Profile Owner, then the value should be "OWNER" in the approvalSchemes column.
- The owner field should be filled with the account name of the identity.
Each row represents one Access Profile. Multiple profiles can be listed for batch creation in a single upload.
How it Works:
The VS Code ISC Extension allows administrators to upload this CSV file, automatically translating each row into an Access Profile object in the ISC tenant.
JSON Payload Example for Access Profile Creation:
The following JSON payloads illustrate how an Access Profile can be created programmatically in SailPoint Identity Security Cloud. This structure defines ownership, source association, entitlement linkage, and approval configurations. In the second payload, the governance group Finance_Approvers appears as an approval step with approverType GOVERNANCE_GROUP and the group's ID in approverId.

```json
{
  "name": "Test_AP",
  "description": "This is to test VS code for the creation of bulk access profiles",
  "enabled": true,
  "owner": {
    "type": "IDENTITY",
    "id": "1109d2b294fb48e7a4303dd3fbeff32b",
    "name": "XYZ"
  },
  "source": {
    "id": "a682aaa811734ea7bf7ce5ee6fabf091",
    "type": "SOURCE",
    "name": "Active Directory"
  },
  "entitlements": [
    {
      "id": "3db732405bd233198c1915141118e5bd",
      "type": "ENTITLEMENT",
      "name": "test_group"
    }
  ],
  "requestable": true,
  "accessRequestConfig": {
    "commentsRequired": true,
    "denialCommentsRequired": true,
    "approvalSchemes": [
      {
        "approverType": "MANAGER",
        "approverId": null
      }
    ],
    "reauthorizationRequired": false
  }
}
```

```json
{
  "name": "Test2_AP",
  "description": "This is to test VS code for the creation of bulk access profiles",
  "enabled": true,
  "owner": {
    "type": "IDENTITY",
    "id": "1109e4b294fb48e7a4303dd3fbeff456",
    "name": "ABC"
  },
  "source": {
    "id": "a682aaa811734ea7bf7ce5ee6fabf091",
    "type": "SOURCE",
    "name": "Active Directory"
  },
  "entitlements": [
    {
      "id": "3db732405bd233198d56675141118e5bd",
      "type": "ENTITLEMENT",
      "name": "test2_group"
    }
  ],
  "requestable": true,
  "accessRequestConfig": {
    "commentsRequired": true,
    "denialCommentsRequired": true,
    "approvalSchemes": [
      {
        "approverType": "MANAGER",
        "approverId": null
      },
      {
        "approverType": "GOVERNANCE_GROUP",
        "approverId": "93710b34-8a60-477c-9b85-c1a104208237"
      }
    ],
    "reauthorizationRequired": false
  }
}
```
Deploying Access Profiles via VS Code ISC Extension:
Once your CSV file is ready:
- Ensure the tenant is unlocked for write access.
- Go to Access Profiles in the tenant. Right-click and select “Import Access Profiles CSV”.
- Select the CSV file from the location and click on OK.
- The extension validates the syntax and imports Access Profiles through the IdentityNow APIs.
Verification Steps:
- Navigate to Access → Access Profiles in your IdentityNow tenant.
- Check that the access profile appears with Manager and Owner listed under Approval Schemes.
- Submit a test access request and confirm that both approvers receive workflow tasks.
Common CSV Formatting Issues:
When saving from Excel, extra quotes (""") may appear and break the import.
Here’s how to fix them:
Incorrect:
"""MANAGER;OWNER"""
Correct:
"MANAGER;OWNER"
How to correct the CSV issues:
- Save the file as CSV UTF-8 (Comma delimited).
- Open it in VS Code or Notepad++.
- Replace """ with " using Find & Replace (Ctrl + H).
- Save again and re-upload.
Pro Tip: If you’re creating large files, tools like LibreOffice Calc handle encoding and quotes more cleanly than Excel.
Troubleshooting Common Errors:
| Error | Cause | Resolution |
|---|---|---|
| Read-only tenant | Locked VS Code connection | Unlock tenant via the ISC extension |
| 500 Internal Error | Invalid or missing source ID | Validate source name and entitlement name |
| 0 lines processed | Encoding or separator issue | Ensure UTF-8 encoding and proper semicolons |
| Approval not triggered | Invalid value in approvalSchemes | Use valid approvers: MANAGER, OWNER, SOURCE_OWNER, APP_OWNER, or a governance group |
| Parsing error | Extra quotation marks | Clean up CSV or use proper delimiters |
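
A pre-import check for the CSV rules and formatting issues described above, as an added example that is not part of the original post or of the ISC extension. The function names and the governance-group set passed in are assumptions; the sample rows are constructed and nothing here calls a SailPoint API.

```python
import csv
import io

MANDATORY = ("name", "owner", "source")
BUILTIN_APPROVERS = {"APP_OWNER", "OWNER", "SOURCE_OWNER", "MANAGER"}

# Constructed sample: line 3 carries the Excel triple-quote artifact, line 4 is
# requestable with no approvers, line 5 has an empty owner.
SAMPLE_CSV = '''name,owner,source,requestable,approvalSchemes,entitlements
Test_AP,XYZ,Active Directory,TRUE,"MANAGER;Finance_Approvers",test_group
Test2_AP,ABC,Active Directory,TRUE,"""MANAGER;OWNER""",test2_group
Test3_AP,ABC,Active Directory,TRUE,,test3_group
Test4_AP,,Active Directory,FALSE,MANAGER,test4_group
'''

def split_schemes(value, governance_groups):
    """Split a ';'-separated approvalSchemes cell into (approvers, problems)."""
    approvers, problems = [], []
    for token in filter(None, (t.strip() for t in value.split(";"))):
        if token in BUILTIN_APPROVERS or token in governance_groups:
            approvers.append(token)
        else:
            problems.append(f"unknown approver '{token}'")
    return approvers, problems

def check_csv(text, governance_groups=frozenset()):
    """Return a list of (line_number, profile_name, problem) findings."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in MANDATORY if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "", f"missing mandatory column(s): {', '.join(missing)}")]
    for row in reader:
        line, name = reader.line_num, (row.get("name") or "").strip()
        for col in MANDATORY:
            if not (row.get(col) or "").strip():
                findings.append((line, name, f"mandatory field '{col}' is empty"))
        schemes = row.get("approvalSchemes") or ""
        # csv decodes Excel's """A;B""" into a value with literal quote characters
        if '"' in schemes:
            findings.append((line, name, "stray quotes in approvalSchemes"))
            schemes = schemes.replace('"', "")
        approvers, problems = split_schemes(schemes, governance_groups)
        findings += [(line, name, p) for p in problems]
        # An empty approvalSchemes cell means no approval (the table's default)
        requestable = (row.get("requestable") or "").strip().upper() == "TRUE"
        if requestable and not approvers:
            findings.append((line, name, "requestable with no approval step"))
    return findings
```

Pass the tenant's governance group names as the second argument to `check_csv`; a misspelled group name then surfaces before upload rather than as an approval that never triggers.
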
Best Practices:
- Separate multiple approvers using semicolons (;).
- Maintain consistent governance group names.
- Test configurations in a sandbox tenant first.
- Back up CSV files in a version control repository.
- Automate recurring updates with API scripts.
Conclusion:
Multi-level approvals are a critical control in Identity Governance.
Using SailPoint’s VS Code ISC Extension and APIs, administrators can automate Access Profile creation with complex approval hierarchies, ensuring both efficiency and compliance.
This approach standardizes access governance, reduces manual intervention, and aligns with enterprise audit requirements.
Key Takeaway:
By combining the flexibility of APIs and the power of the ISC Extension, SailPoint administrators can manage access approvals at scale, enabling faster provisioning while maintaining strong governance across the organization.




