Hi all,
In ISC, I’ve observed that entitlements added via dimensions in dynamic roles are NOT treated as Common Access, which seems like a limitation.
Is this expected behavior?
Is there any way to make these dimension-based entitlements behave like Common Access or handle them similarly?
Any insights or workarounds would be appreciated.
Thanks!
Yes—this is expected behavior today. Entitlements added via dimensions in Dynamic Roles are not treated as “Common Access” in SailPoint Identity Security Cloud. They are evaluated dynamically at runtime, but they don’t inherit the same classification or reporting treatment as Common Access entitlements. There is currently no supported way to make dimension‑based entitlements behave exactly like Common Access.
If you need common access behavior, use access profiles or static role assignments.
@Santhakumar what do you mean when you say use If you need common access behavior, use access profiles?
I meant that if you want entitlements to behave like Common Access, you should group them into an Access Profile and then attach that profile to the role—instead of attaching the entitlements directly via dimensions.
Access Profiles are the building blocks SailPoint uses to group entitlements.
When you assign an Access Profile to a role, the entitlements inside it are treated as Common Access.
This means they show up correctly in certifications, reports, and policy checks as “always-granted” access.
When an entitlement is added to an access profile and that access profile is included in a role, it is still not treated as common access. However, this is not the main issue. The actual problem is that entitlements added through dimensions in dynamic roles are not being treated as common access.
SailPoint ISC still treats dimension‑based entitlements in dynamic roles differently from common access entitlements, and that’s expected behavior today.