Hi everyone,
I’m working on a delegated-governance requirement in SailPoint IdentityNow / Identity Security Cloud and I’m trying to understand what’s possible in terms of reporting scope.
Requirement
We want to allow an internal user who is configured as Access Application Owner to do reporting / analytics (e.g., view/export/search reporting data) but strictly limited to:
- identities (users) that have access to that application, and/or
- access items (access profiles/entitlements) related to that application
In other words:
1. The user can report on “their” application population
2. The user must not be able to report on identities/access outside that application
We’re referring to Access Application Owner as described here:
We have multiple application owners and we want each of them to be able to do self-service reporting (download/export, scheduled reports, etc.) without granting tenant-wide visibility.
My initial idea (proposed solution): I initially thought this might be achievable using Custom User Levels, by creating a custom role that includes reporting/search permissions and assigning it to application owners:
The goal was to grant “reporting ability” while ensuring the data returned is automatically scoped to only the application they own.
From what I’ve read so far, Custom User Levels appear to control permissions/capabilities, but I can’t find a documented way for them to enforce data scoping (row-level filtering) based on ownership of an Access Application.
So I have a few questions:
- Is it possible in IdentityNow/ISC to scope reporting/search results so that an Access Application Owner can only see identities/access for the application they own?
- If yes, what is the recommended mechanism? (e.g., segmentation, governance groups, some other approach)
- If no, what is the best practice pattern to meet this requirement?
  - Example: delegated reporting via admin-generated scheduled reports?
  - Or a supported approach using Segmentation (if applicable), governance groups, etc.
Any guidance or pointers (docs, configuration patterns, limitations) would be appreciated. Thanks!
Kind Regards,
Paolo
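The "admin-generated scheduled report" pattern raised in the question can be illustrated with a small script. The following is an added example, not part of the original post and not SailPoint's own code: an admin-side job that queries identities holding access from one application's source and then enforces the scoping itself (dropping out-of-scope identities and stripping access items that belong to other sources) before handing the owner a CSV. It assumes identity documents shaped like the Identity Security Cloud Search API identity index (an `access` array whose items carry `type`, `name` and a `source` object) and that the `@access(...)` nested-query syntax is used for the request; the sample identities, the source name `HR-App` and the field selection are constructed for the demonstration.

```python
# Added example (not SailPoint's code, not from the original post): an
# admin-owned "scoped report" generator for delegated application reporting.
# Assumes Search-API-shaped identity documents; all data below is constructed.
import csv
import io
from typing import Dict, List, Optional

# Constructed sample: three identities; only two hold access from "HR-App".
SAMPLE_IDENTITIES: List[Dict] = [
    {
        "id": "idn-0001", "name": "alice", "displayName": "Alice Example",
        "attributes": {"department": "Finance"},
        "access": [
            {"type": "ENTITLEMENT", "name": "hr-viewer",
             "source": {"name": "HR-App"}},
            {"type": "ACCESS_PROFILE", "name": "Finance Analyst",
             "source": {"name": "ERP"}},
        ],
    },
    {
        "id": "idn-0002", "name": "bob", "displayName": "Bob Example",
        "attributes": {"department": "HR"},
        "access": [
            {"type": "ENTITLEMENT", "name": "hr-admin",
             "source": {"name": "HR-App"}},
        ],
    },
    {
        "id": "idn-0003", "name": "carol", "displayName": "Carol Example",
        "attributes": {"department": "Engineering"},
        "access": [
            {"type": "ENTITLEMENT", "name": "repo-write",
             "source": {"name": "SCM"}},
        ],
    },
]


def build_search_body(source_name: str) -> Dict:
    """Request body for the Search API (POST /v3/search) returning identities
    that hold at least one access item from the given source. The quoted
    source name is escaped so an owner-supplied name cannot alter the query.
    Assumption: the admin job sends this with its own (admin) credentials."""
    escaped = source_name.replace("\\", "\\\\").replace('"', '\\"')
    return {
        "indices": ["identities"],
        "query": {"query": f'@access(source.name:"{escaped}")'},
        "queryResultFilter": {"includes": ["id", "name", "displayName",
                                           "attributes.department", "access"]},
        "sort": ["name"],
    }


def scope_identity(identity: Dict, source_name: str) -> Optional[Dict]:
    """Row- and column-level scoping enforced by the admin job, never left to
    the report consumer: drop the identity unless it holds access from the
    application's source, and strip access items from every other source."""
    in_scope = [a for a in identity.get("access", [])
                if a.get("source", {}).get("name") == source_name]
    if not in_scope:
        return None
    return {
        "id": identity["id"],
        "name": identity["name"],
        "displayName": identity.get("displayName", ""),
        "department": identity.get("attributes", {}).get("department", ""),
        "access": in_scope,
    }


def build_scoped_report(identities: List[Dict], source_name: str) -> List[Dict]:
    """One report row per (identity, in-scope access item) pair."""
    rows = []
    for ident in identities:
        scoped = scope_identity(ident, source_name)
        if scoped is None:
            continue
        for item in scoped["access"]:
            rows.append({
                "identity": scoped["name"],
                "displayName": scoped["displayName"],
                "department": scoped["department"],
                "accessType": item["type"],
                "accessName": item["name"],
                "source": source_name,
            })
    return rows


def report_to_csv(rows: List[Dict]) -> str:
    """Serialise the scoped rows; this is the artefact the scheduled job
    delivers to the application owner instead of tenant-wide search rights."""
    buf = io.StringIO()
    fields = ["identity", "displayName", "department",
              "accessType", "accessName", "source"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(report_to_csv(build_scoped_report(SAMPLE_IDENTITIES, "HR-App")))
```

Run as a script it prints the CSV for `HR-App`: Alice's ERP access profile and Carol's identity are absent, because the scoping is applied to the data before delivery rather than relying on the consumer's user level. The design point is that the owner never holds a search capability at all; the only tenant-wide credential is the one the admin job uses, and the filter is keyed on the application's source name rather than on anything the owner supplies.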