Hi, I’m trying to assign an access item (entitlement) based on a user’s user level—specifically when the user is at the Helpdesk Admin user level.
However, when I attempt to use the “Helpdesk Admin” entitlement as a criteria, I encounter the following error:
“An error occurred. If you are unable to continue your work, please contact SailPoint support.”
Is this expected behavior, or is there an additional configuration step I need to complete before this will work? If this approach isn’t supported, I’d appreciate any alternative suggestions for assigning the access item based on Helpdesk Admin privileges.
Yes, encountering an error when directly using “Helpdesk Admin” as an entitlement criterion for an Access Profile or Role is generally expected behavior in SailPoint Identity Security Cloud (ISC).
Why this happens:
The “Helpdesk Admin” privilege in ISC is not a typical “entitlement”. Instead, it’s an administrative privilege within Identity Security Cloud itself, usually assigned through ISC’s internal RBAC system (e.g., via Admin Roles within ISC, or direct assignment of capabilities).
“Helpdesk Admin” is not an entitlement aggregated from an external system. It’s a privilege within the Identity Security Cloud platform. Therefore, the system doesn’t have a direct way to use it as a criterion for an Access Profile, which is designed to grant access to external systems.
@mayurSuresh I believe you can work around this by implementing a loopback (ISC connector back to your tenant) connector and using the entitlement off of that as the assignment criteria.
Yes, it will be the same case for all such criteria. As I mentioned, the expected behavior is that the IdentityNow source should not be available here in the first place. I would like to confirm officially through the SailPoint support team whether my understanding is correct.
Assigning access based on user level like “Helpdesk Admin” is not directly supported as an entitlement-based condition in SailPoint IdentityNow. The “Helpdesk Admin” designation is a user role within IdentityNow, not a standard entitlement, so it can’t be referenced in access request policies or identity profiles as criteria. If you’re getting an error, it’s likely because the system doesn’t recognize user levels as valid identity attributes or entitlement values. A workaround is to create a custom identity attribute (e.g., isHelpdeskAdmin) and populate it using a transform or rule that checks the user’s role. You can then use that custom attribute as a condition to assign access items.
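The two workarounds proposed in this thread (the loopback source entitlement and the custom isHelpdeskAdmin identity attribute) side by side, as an added example that is not part of the thread and not SailPoint's code. It is a small offline evaluator for role membership criteria in the shape of the ISC v3 Roles API `membership.criteria` object as I understand it (operation / children / key / stringValue, with key.type IDENTITY or ENTITLEMENT); treat the field names as an assumption and check them against the current API reference. The identities, the loopback source id, the entitlement attribute name `userLevels` and the capability string `HELPDESK` are all constructed for the example.

```python
"""Offline evaluator for ISC-style STANDARD role membership criteria.

Shows two ways to target Helpdesk Admins once the user level is surfaced
as something criteria can see:
  1. a custom identity attribute (isHelpdeskAdmin) set from the capabilities,
  2. an entitlement aggregated by a loopback (ISC -> ISC) source.
Field names follow the ISC v3 Roles API criteria object as assumed here.
"""

# Constructed sample data (assumed values, not taken from a real tenant).
LOOPBACK_SOURCE_ID = "2c91808a-loopback-example"  # assumed loopback source id
IDENTITIES = [
    {"name": "alice", "capabilities": ["ORG_ADMIN", "HELPDESK"], "lifecycleState": "active"},
    {"name": "bob", "capabilities": ["HELPDESK"], "lifecycleState": "active"},
    {"name": "carol", "capabilities": [], "lifecycleState": "active"},
    {"name": "dave", "capabilities": ["HELPDESK"], "lifecycleState": "inactive"},
]


def derive_identity_attributes(identity: dict) -> dict:
    """Workaround 1: the transform/rule step. Derive the custom attribute
    isHelpdeskAdmin from the capabilities. Stored as the strings "true"/"false"
    because criteria compare against stringValue."""
    return {
        "isHelpdeskAdmin": "true" if "HELPDESK" in identity["capabilities"] else "false",
        "cloudLifecycleState": identity["lifecycleState"],
    }


def loopback_entitlements(identity: dict) -> dict:
    """Workaround 2: what a loopback source would expose, keyed
    source id -> entitlement attribute -> values (attribute name assumed)."""
    return {LOOPBACK_SOURCE_ID: {"userLevels": list(identity["capabilities"])}}


def evaluate(criteria: dict, attrs: dict, entitlements: dict) -> bool:
    """Recursively evaluate a criteria tree against one identity."""
    op = criteria["operation"]
    if op in ("AND", "OR"):
        results = [evaluate(c, attrs, entitlements) for c in criteria["children"]]
        return all(results) if op == "AND" else any(results)

    key = criteria["key"]
    prop = key["property"]
    if not prop.startswith("attribute."):
        raise ValueError(f"unsupported property {prop!r}")
    name = prop[len("attribute."):]

    if key["type"] == "IDENTITY":
        values = [attrs.get(name, "")]
    elif key["type"] == "ENTITLEMENT":
        values = entitlements.get(key["sourceId"], {}).get(name, [])
    else:
        raise ValueError(f"unsupported key type {key['type']!r}")

    wanted = criteria["stringValue"]
    if op == "EQUALS":
        return wanted in values
    if op == "NOT_EQUALS":
        return wanted not in values
    if op == "CONTAINS":
        return any(wanted in v for v in values)
    raise ValueError(f"unsupported operation {op!r}")


# Workaround 1 criteria: custom identity attribute, gated on lifecycle state.
CRITERIA_IDENTITY_ATTR = {
    "operation": "AND",
    "children": [
        {"operation": "EQUALS",
         "key": {"type": "IDENTITY", "property": "attribute.isHelpdeskAdmin"},
         "stringValue": "true"},
        {"operation": "EQUALS",
         "key": {"type": "IDENTITY", "property": "attribute.cloudLifecycleState"},
         "stringValue": "active"},
    ],
}

# Workaround 2 criteria: entitlement from the loopback source, no lifecycle gate.
CRITERIA_LOOPBACK = {
    "operation": "EQUALS",
    "key": {"type": "ENTITLEMENT", "property": "attribute.userLevels",
            "sourceId": LOOPBACK_SOURCE_ID},
    "stringValue": "HELPDESK",
}


def members(criteria: dict) -> list:
    """Names of identities that satisfy the criteria."""
    return [i["name"] for i in IDENTITIES
            if evaluate(criteria, derive_identity_attributes(i), loopback_entitlements(i))]


if __name__ == "__main__":
    print("identity attribute:", members(CRITERIA_IDENTITY_ATTR))
    print("loopback entitlement:", members(CRITERIA_LOOPBACK))
```

Running it shows the difference between the two approaches on the same data: the identity-attribute criteria return alice and bob, while the loopback-entitlement criteria also return dave, whose identity is inactive but still holds the HELPDESK user level. Whichever workaround you use, add the lifecycle-state (or equivalent) condition explicitly if you do not want disabled identities to keep inheriting the access.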
@pattabhi I’ve had to put this implementation on hold for the moment. Once I’ve successfully completed it, I’ll share the details of how I implemented it for the benefit of the community, and then I’ll close out this thread. Thank you!