Does the new custom role feature cover this use case?

Identity Security Cloud product enhancements

Recently ‘Custom Roles’ was announced. Does this new feature cover this gap we’re facing in IDN?

We have a set of semi-technical business users. They manage access to their AD-based entitlements via the tool “Active Directory Users & Computers”. They have been made ‘owner’ of those AD Groups and are comfortable using that tool to manage the membership of their groups. (It’s not very complicated/technical.)

We’ve met with these owners and shared with them IDN’s capabilities. Role membership via Criteria, Request Access with approval, etc.

Some % of those owners took us up on the offer to bring in their entitlements under IDN.

However, not enough did.

The issue is that these two methods (formula, or end-user-initiated membership) weren’t what these entitlement owners needed.

They wanted to control the membership and the membership timing more directly.

Master Data to support Formulas was not present/possible.

The timing and tracking of end-user-initiated membership was an additional burden for them. (Under the request model, when it came time for their memberships to consume the entitlement, people ‘missed the memo’ that they were supposed to go request it, etc.)

The IDN platform has some limitations that are blocking us.

  • We cannot use Role membership via ‘identity list’ here. This would give these entitlement owners the ability to affect membership across all AD roles.
  • We cannot pull in the membership management to our SailPoint admin team. This breaks our resourcing/delegation model, clear audit goals, or adds additional burdens to re-establish auditing of membership changes by a separate team.

So, here’s the question: do the new custom roles allow for that “Role Owner can manage that role (only) membership via identity list”? Or am I still stuck, not able to bring a portion of our IAM operations under SailPoint?

I am not sure I follow what exactly you are asking.

First, the Compass article you linked to does not have “Custom Roles” listed in it. I would guess that you are talking about the “Custom User Levels” from that link, but would need you to clarify that.

Second, if I can distill down what you are asking, you would like to know if a Role/entitlement owner can be set up to be able to manage the membership of the roles or the entitlements associated with the roles? If that is the case, then I don’t believe that it can be limited to specific entitlements at this time.

Lastly, there are some non-standard terms being used here:

  • Master Data - Is this an application? Or a source of Data?
  • Formulas - I assume this is queries/rules/etc
  • End-User-Initiated Membership - This sounds like Access Requests made by the user themselves for membership
  • IDN - I know (assume I guess) this is IdentityNow, which has become Identity Security Cloud (ISC). I assume this is just because you are used to the old acronym (as was I for the longest time) and not something else entirely.

What I would do is define the requirements that you are looking to accomplish in more detail, and then ask if that is possible. Currently you are trying to explain what you need in terms of the recent feature, which might be confusing.

Thanks for the reply. Yes, I’m referring to custom user levels, ISC, Role criteria, and Requestable roles.

I’m really just trying to recreate a way for a semi technical business user to manage a single role’s membership themselves arbitrarily in ISC.

And then repeat that granular design a few dozen times.

Today, we use Active Directory, AD groups, and set those semi technical business owners as group owners.

They use the tool “Active Directory Users and Computers” (ADUC) to manage the group memberships of the groups they own.

They don’t have the ability to edit the memberships of other groups, just the ones they own.

We are starting to do something similar now with Entra ID (AAD) groups. Microsoft has a web page where group owners can manage their group memberships easily. (It reduces the technical skill required/installed software.)

Our business users who are comfortable with managing the membership/access to the entitlements they own via ADUC/Entra ID web see this as enabling them to work efficiently, a positive. (“We are giving them the tools they need.”)

We are also trying to get more of our Groups to be managed within SailPoint ISC.

We are struggling because there doesn’t seem to be a way to replicate that ‘just let the owner of the entitlement manage the membership themselves’ in SailPoint ISC.

It looks like I only have Role membership by Criteria, or by Request.

I can’t use ‘by criteria’ because I don’t have identity data to drive that match/membership process, and that data is either not going to be available for a long time or will never be available.

I can’t use ‘by request’ because our users don’t respond in a timely fashion (the requests come in spread out, or don’t come in at all).

These entitlement owners that are today managing access to their entitlements themselves, see a move to SailPoint as a step backwards because we are forcing them to use ‘by request’. It now takes them more effort and time to use ISC than it did to use ADUC/Entra ID.

In essence, I really need the “Role owner” role in ISC to include the capability to manage how that role’s membership is populated (or in this case use “identity list” and allow the role membership to be maintained by that particular role owner).

That is not how it is today, pre the custom user level change.

I was hoping that Custom user levels provided that “Entitlement owner can manage entitlement membership” capability (or in this case, Role Owner can manage role membership).