Entitlement Hierarchy

Hello Team,

I hope you are doing well.

Can someone explain in detail how I can configure entitlement hierarchy?

I have tried to configure entitlement hierarchy in SailPoint ISC, but I didn’t find any detailed document on that, so I didn’t get the expected results.

Any insights or assistance would be greatly appreciated.

Thank you!!

Access Profiles → Collection of entitlements within one source.
Example: An Access Profile groups entitlements like:

  • AD group A
  • AD group B
  • AD group C

Roles → Collection of multiple Access Profiles and/or identity attributes.
Example: A Role might include:

  • Access Profile: AD Finance
  • Access Profile: SAP Finance
  • Identity Attribute: Department = Finance

Roles can also contain entitlements that are independent of an access profile

@SreejaAgamamidi Could you expand on what you are looking to do?

Do you want entitlements to contain other entitlements?

Do you want to better understand how the Entitlements relate to the Access Profiles and Roles?

Could you provide details for what you have tried so that we can better help you with where you are getting stuck?

Hello @gmilunich

I am looking for parent and child relationship between entitlements. (i.e. entitlements contain other entitlements)

In roles you can place other entitlements.

Hello @Chaithu9110

Yes, I agree, but I want to configure a parent-child relationship among entitlements. So I want to place entitlements within entitlements.

You’re looking for a concrete example of how hierarchyAttribute is configured in Identity Security Cloud (ISC). Let’s use the most common scenario: Active Directory nested groups.

The hierarchyAttribute tells ISC how to find the parent(s) of an entitlement during aggregation, allowing it to build an internal representation of the hierarchy.

@SreejaAgamamidi The documentation for this is sparse, but can be found here:

The link provided to the API takes you to this page: put-source-schema | SailPoint Developer Community

If you look at the right side, there is an example of the body there that references the hierarchyAttribute that was mentioned previously.

Looking at the example (pulled here for reference), we can see the AD Groups are being modeled here:

{
  "id": "2c9180835d191a86015d28455b4a2329",
  "name": "account",
  "nativeObjectType": "User",
  "identityAttribute": "sAMAccountName",
  "displayAttribute": "distinguishedName",
  "hierarchyAttribute": "memberOf",
  "includePermissions": false,
  "features": [
    "PROVISIONING",
    "NO_PERMISSIONS_PROVISIONING",
    "GROUPS_HAVE_MEMBERS"
  ],
  "configuration": {
    "groupMemberAttribute": "member"
  },
  "attributes": [
    {
      "name": "sAMAccountName",
      "type": "STRING",
      "isMultiValued": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "memberOf",
      "type": "STRING",
      "schema": {
        "type": "CONNECTOR_SCHEMA",
        "id": "2c9180887671ff8c01767b4671fc7d60",
        "name": "group"
      },
      "description": "Group membership",
      "isMultiValued": true,
      "isEntitlement": true,
      "isGroup": true
    }
  ],
  "created": "2019-12-24T22:32:58.104Z",
  "modified": "2019-12-31T20:22:28.104Z"
}

So you can see here that the memberOf attribute is listed as the hierarchyAttribute and the value is set to the group, with its own schema that is referenced by ID.

I am not sure how you would do an example with just one Entitlement type that can be nested, if that is what you are looking for. I am not sure how it would handle having a reference to itself. From the UI, you cannot set an attribute on your Entitlement to be a reference to its own type, but I am unsure if that works via the API. And if it does, what side effects does it have?
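To make concrete what a hierarchyAttribute of memberOf gives you once groups are aggregated, here is an added example (my own code, not SailPoint's, and not how ISC implements it internally) that reads the schema's hierarchyAttribute, builds the parent map from constructed group records, and expands an account's direct groups into its effective entitlements. It also walks the parent graph for cycles, which is the case raised above: a group whose hierarchyAttribute points back at itself (or at a descendant) must terminate rather than loop, and it is the kind of thing worth checking before trusting a nested hierarchy in an access review. All distinguished names below are constructed sample data.

```python
"""Resolve a nested-group entitlement hierarchy as described by a connector
schema with "hierarchyAttribute": "memberOf".

Added example, not SailPoint code. The schema keys hierarchyAttribute and
groupMemberAttribute are taken from the thread; the group records are constructed.
"""
from collections import deque

# Slice of the source schema from the thread that matters here.
GROUP_SCHEMA = {
    "hierarchyAttribute": "memberOf",
    "configuration": {"groupMemberAttribute": "member"},
}

# Constructed distinguished names for the sample hierarchy.
GROUP_A = "CN=AD group A,OU=Groups,DC=example,DC=com"
GROUP_B = "CN=AD group B,OU=Groups,DC=example,DC=com"
FINANCE = "CN=AD Finance,OU=Groups,DC=example,DC=com"
ALL_STAFF = "CN=All Staff,OU=Groups,DC=example,DC=com"
LOOP = "CN=Loop,OU=Groups,DC=example,DC=com"   # points at itself on purpose

# Constructed aggregation output: each group record carries the
# hierarchyAttribute (memberOf) naming the groups it belongs to.
SAMPLE_GROUPS = [
    {"distinguishedName": GROUP_A, "memberOf": [FINANCE]},
    {"distinguishedName": GROUP_B, "memberOf": [FINANCE]},
    {"distinguishedName": FINANCE, "memberOf": [ALL_STAFF]},
    {"distinguishedName": ALL_STAFF, "memberOf": []},
    {"distinguishedName": LOOP, "memberOf": [LOOP]},
]


def build_hierarchy(groups, schema=GROUP_SCHEMA, id_attr="distinguishedName"):
    """Return {child_dn: [parent_dn, ...]} using the schema's hierarchyAttribute.

    Parents that were never aggregated as groups themselves stay in the map
    as bare names, so a gap in aggregation is visible rather than dropped.
    """
    hier_attr = schema["hierarchyAttribute"]
    parents = {}
    for g in groups:
        raw = g.get(hier_attr, [])
        if isinstance(raw, str):          # tolerate a single-valued attribute
            raw = [raw]
        parents[g[id_attr]] = list(raw)
    return parents


def effective_entitlements(direct, parents):
    """Expand an account's direct groups through every ancestor.

    Breadth-first with a visited set, so a cycle in the parent graph ends the
    walk instead of recursing forever. Returns a sorted list of group DNs.
    """
    seen = set()
    queue = deque(direct)
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        queue.extend(p for p in parents.get(dn, []) if p not in seen)
    return sorted(seen)


def find_cycles(parents):
    """Return the set of groups that lie on a cycle in the parent graph.

    Standard DFS colouring: meeting a grey (in-progress) node means the
    current path from that node back to here is a cycle.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}
    on_cycle = set()

    def visit(dn, path):
        colour[dn] = GREY
        path.append(dn)
        for p in parents.get(dn, []):
            c = colour.get(p, WHITE)
            if c == GREY:
                on_cycle.update(path[path.index(p):])
            elif c == WHITE:
                visit(p, path)
        path.pop()
        colour[dn] = BLACK

    for dn in list(parents):
        if colour.get(dn, WHITE) == WHITE:
            visit(dn, [])
    return on_cycle


if __name__ == "__main__":
    hierarchy = build_hierarchy(SAMPLE_GROUPS)
    print("Effective access for a member of", GROUP_A)
    for dn in effective_entitlements([GROUP_A], hierarchy):
        print("  ", dn)
    print("Groups on a cycle:", find_cycles(hierarchy) or "none")
```

The point of the second function is that an account holding only "AD group A" effectively holds "AD Finance" and "All Staff" too, which is what a certifier needs to see; the point of the third is that a self-referencing entitlement (the API-only case questioned above) is at least detectable, since it would otherwise be a silent source of runaway expansion or misleading hierarchy data.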