Guidance on configuring Role Criteria using Entitlement metadata attributes in SailPoint ISC

Hello community,
I’m working on a use case in SailPoint Identity Security Cloud (ISC) where we need to define Role Criteria based on entitlement metadata attributes (not the standard entitlement properties). Create/maintain roles whose membership criteria reference values stored in entitlement metadata (e.g., custom attributes attached to entitlements), rather than user attributes or direct entitlement names.

Questions:

  1. Is it supported in ISC to reference entitlement metadata attributes directly in Role Criteria?
  2. If not directly supported, are there recommended patterns or best practices (e.g., transforms, calculated/aggregated attributes, access profile tagging, searchable attributes) to achieve metadata-driven role membership?
  3. Are there any schema or configuration steps required to make entitlement metadata queryable in role filters (e.g., exposing metadata fields to the search index / identity cube)?

If there are feature limitations here, pointers to any roadmap notes or alternative recommended designs would be very helpful.
Thank you in advance for any guidance.

Hi @sunildhawaleT,

How are you intending to use the metadata as the role criteria? The criteria needs to ultimately have logic to include/exclude identities, but the metadata provides additional attributes on the entitlements themselves.

If you could provide an example that would help!

Thanks,

Liam

Hi @liamkokeeffe, the role assignment should occur only if the user possesses the entitlement XYZ and the entitlement’s custom attribute appName has a value of YYC. If either condition is not met, the role should not be granted.