We are applying a segment according to the documentation Managing Access Request Segments - SailPoint Identity Services where we need to segment the viewing and access requests in some Applications via the central, but when creating the Segment, in the define access step, the segment only allows the selection of “Access Profiles, Roles and Entitlements”; we need to be able to segment the “Apps” from the central and not the access profiles. Does anyone know if this is possible or not?
@tiagosouza While you create a segment, you are presented with a search box to enter your query. The query would then return the list of access related objects such as entitlement, access profiles and roles only. The whole purpose of segments is to distinguish between these 3 core access related objects only.
However, if I understand your query, then I’d suggest you perform the steps below and test out the scenario:
Let’s assume you have 4 access profiles in your system: AccessProfile1, AccessProfile2, AccessProfile3 and AccessProfile4.
Create Segment1 which is configured with AccessProfile1 & AccessProfile2. Provide the assignment criteria such that only users belonging to Department1 must access this segment.
Similarly create Segment2 which is configured with AccessProfile3 & AccessProfile4. Provide the assignment criteria such that only users belonging to Department2 must access this segment.
Now navigate to the Applications tab, create a new application and enable it for access requests. Add AccessProfile1, AccessProfile2, AccessProfile3 and AccessProfile4 to it.
Now try to log in to the ISC system with the users who have the department value Department1 and Department2 respectively.
Validate if Identity1 with Department1 is only able to see AccessProfile1 & AccessProfile2 inside the application while submitting a request. Similarly, validate if Identity2 with Department2 is only able to see AccessProfile1 & AccessProfile2.
As of now, there is no option to directly include entire applications in a segment. However, you can restrict access to an application by ensuring that the identity is part of a segment. All access profiles within the application that are not included in the segment will remain inaccessible to the user.
An application consists of multiple access profiles, such as Ap1, Ap2, and Ap3. If a user has access to a segment (e.g., Seg1), which includes Ap1 and Ap2, they will not be able to view Ap3 in the application if Ap3 is part of a different segment. This restriction is due to segmentation.
If an access profile is part of the application but not assigned to any segment, it will still be visible. Additionally, the Identity Security Center (ISC) will automatically remove access profiles from the application if they are not part of a segment that the user has access to.
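The visibility rule described in this reply, modelled as an added Python example (not SailPoint's code and not the ISC API): the segments, their department criteria and their access profile membership are constructed sample data following the scenario in the thread, with an extra unsegmented AccessProfile5 added to show the last point.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    departments: frozenset      # visibility criteria: identity's department must be in this set
    access_profiles: frozenset  # access items placed in the segment via its search query


# Constructed sample data matching the scenario discussed above.
SEGMENTS = [
    Segment("Segment1", frozenset({"Department1"}),
            frozenset({"AccessProfile1", "AccessProfile2"})),
    Segment("Segment2", frozenset({"Department2"}),
            frozenset({"AccessProfile3", "AccessProfile4"})),
]

# Access profiles attached to one application. AccessProfile5 is in no segment (constructed).
APP_ACCESS_PROFILES = frozenset({
    "AccessProfile1", "AccessProfile2", "AccessProfile3", "AccessProfile4", "AccessProfile5",
})


def segments_for(department, segments):
    """Segments whose assignment criteria match an identity with this department."""
    return {s.name for s in segments if department in s.departments}


def visible_access_profiles(department, app_access_profiles, segments):
    """Access profiles of the application that an identity with this department
    can see when requesting, following the rule in the thread:
    - an access profile that belongs to no segment is always visible
    - an access profile that belongs to segments is visible only if the
      identity is in at least one of those segments
    """
    allowed = segments_for(department, segments)
    visible = set()
    for ap in app_access_profiles:
        owning = {s.name for s in segments if ap in s.access_profiles}
        if not owning or owning & allowed:
            visible.add(ap)
    return visible


if __name__ == "__main__":
    for dept in ("Department1", "Department2", "Department3"):
        print(dept, sorted(visible_access_profiles(dept, APP_ACCESS_PROFILES, SEGMENTS)))
```

Department3 matches no segment, so that identity sees only the unsegmented AccessProfile5, which is the "still visible" caveat in practice.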