HELPDESK User Level - Detailed entitlement page not visible

Hello,

Our Service Desk has the user level “HELPDESK”. If they want to open the detailed entitlement page on the identity page (Identity -> Access -> Entitlements -> click on a specific entitlement), they get the error below: “The server understood the request but refuses to authorize it”. My question is: is this normal behaviour? If so, why is it then possible for the user level to click on the entitlement? As an end user you do not want to see such an error page.

"The server understood the request but refuses to authorize it."

That’s the standard message for an HTTP 403 (Forbidden). The request is valid & authenticated, but the user doesn’t have permission on that specific resource.

On the “why is the link clickable” part, this looks like a UI gap rather than a security issue. The backend is enforcing authorization correctly, but the frontend isn’t hiding or disabling the link based on user level permissions.

Might be worth raising this as an Idea in the SailPoint Developer Community or Ideas Portal. I agree, the UI should not render or allow navigation to actions the user level cannot access.

The entitlement link shouldn’t be clickable if the user level doesn’t have permission to view it.

Hi @papie66

I tried this in my demo tenant by assigning the HELPDESK user level. The user was able to view identities and account details, but did not have access to the Access Model (Access Profiles/Entitlements).
So it looks like this behavior is due to limited permissions for that role.
Do you have any other user levels apart from HELPDESK assigned to the service desk team that might have additional access?

You can also refer to the below user level matrix for reference

Correct. Entitlement details are not accessible to the HELPDESK role. If needed, you can create a custom role and grant it read‑only permissions for entitlements. Custom User Levels - SailPoint Identity Services

It is indeed a UI gap that needs to be fixed. I will check for raising an idea for this.

I also tried it on our acceptance tenant, and he was able to see and click on access profiles and not on entitlements, and he has no other user levels assigned to him. About the matrix, I am aware that there is a user level matrix.

I think this will give the user additional access beyond only that clickable page.

@papie66 That’s interesting. In my testing, the Helpdesk user level didn’t allow access to Access Models.

It’s indeed strange; for now we said it’s as designed.