New Capability: Access Page and User Entitlements for Machine Identities (subtype Applications)

Description

Viewing application access just got easier. Admins can now see a detailed view of machine identity access through the new Access page.

We’ve also added support for User Entitlements under Machine Identities > Applications, giving admins visibility into which entitlements in their sources are required to use an application.

Problem

Machine identities are complex entities that can represent applications or bots, often with thousands of correlated accounts and entitlements. Admins need to answer diagnostic questions not only about what access these identities hold, but also which entitlements are needed to access them. Without this context, troubleshooting and audits are made more difficult.

Solution

Access Page

Under Admin > Identity Management > Machine Identities > Applications > [Application name] > Access, admins can now see a comprehensive list of entitlements that correlated machine accounts hold. Filtering and pagination make it easy to quickly answer diagnostic questions.

User Entitlements

Admins can define which user entitlements authorize access to an application. Each application can have up to 10 entitlements from multiple sources, evaluated with OR logic (e.g., membership in Group A or Group B grants access). Admins can:

Who is affected?

Customers who have licensed Machine Identity Security.

Action Required

No immediate action is required. However, admins can explore the new Access page and configure User Entitlements on applications to gain full visibility into machine identity access.

Important Dates

Sandbox Rollout: September 15, 2025
Production Rollout: The week of September 22, 2025


In your third screenshot you show entitlement names, but this is ambiguous in two ways. You don’t know which source they are from, and you don’t know which entitlement type they originate from.

In your last screenshot you are showing entitlement names and source names, but you are not showing entitlement type. Which entitlement schema does it come from? This is also ambiguous and could lead to wrong entitlements being chosen.

Entitlements are not uniquely defined by source name and entitlement name. They can be uniquely defined by the combination of source name, entitlement value and entitlement type. Two entitlements can exist from the same source with the same value, but different types. And two entitlements can exist from the same source and same type, but different values.

And all of these cases are actually happening as well, which is causing issues, not only in the UI but also in the API, due to SailPoint engineering not respecting this properly.

To be fully correct, there is a last example: two entitlements can even technically have the same source name, entitlement type and entitlement name, but just different entitlement values, since the entitlement name is just a display name on the target application side. I do consider that a bit of bad design on the target application side; however, it is worth knowing it could still happen.

Kind regards,
Angelo
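The following is an added example written for this thread, not SailPoint code and not part of the release note or the reply above. It models the two points being discussed: the announcement's User Entitlements rule (up to 10 entitlements per application, evaluated with OR logic) and the reply's observation that an entitlement is only unique by source name + entitlement type + entitlement value, never by display name. The source names, group DNs and role codes in the catalog are constructed for illustration; the only one assumed to be SailPoint-specific is the cap of 10.

```python
"""Added example (not SailPoint code): evaluate an application's User
Entitlements with OR logic while identifying entitlements by the unique
key (source, type, value). All sources, groups and values below are
constructed for illustration."""
from dataclasses import dataclass, field

MAX_USER_ENTITLEMENTS = 10  # per-application cap stated in the release note


@dataclass(frozen=True)
class Entitlement:
    """An entitlement identified by (source, type, value).

    `name` is the display name from the target application and is excluded
    from equality and hashing on purpose: it is not part of what makes an
    entitlement unique.
    """
    source: str   # source name, e.g. "Active Directory" (constructed)
    type: str     # entitlement type / schema attribute, e.g. "memberOf"
    value: str    # native value, e.g. a group DN or a role code
    name: str = field(default="", compare=False)

    @property
    def key(self) -> tuple:
        return (self.source, self.type, self.value)


# Constructed catalog reproducing the collision cases described in the reply.
CATALOG = [
    # same source, same type, same display name, different values
    Entitlement("Active Directory", "memberOf",
                "CN=Admins,OU=Finance,DC=example,DC=com", "Admins"),
    Entitlement("Active Directory", "memberOf",
                "CN=Admins,OU=HR,DC=example,DC=com", "Admins"),
    # same source, same value, different types
    Entitlement("Oracle DB", "role", "ADMIN", "ADMIN"),
    Entitlement("Oracle DB", "profile", "ADMIN", "ADMIN"),
    # an entitlement from a second source
    Entitlement("Okta", "group", "00g1finance", "Finance App Users"),
]


def find_by_name(catalog, source, name):
    """Lookup by source + display name: can return several matches."""
    return [e for e in catalog if e.source == source and e.name == name]


def find_by_key(catalog, source, type_, value):
    """Lookup by the unique key: returns one entitlement or None."""
    matches = [e for e in catalog if e.key == (source, type_, value)]
    if len(matches) > 1:
        raise ValueError(f"catalog violates uniqueness for {(source, type_, value)}")
    return matches[0] if matches else None


def configure_user_entitlements(entitlements):
    """Validate an application's User Entitlements and return their keys."""
    keys = [e.key for e in entitlements]
    if len(set(keys)) != len(keys):
        raise ValueError("the same entitlement is listed twice")
    if len(keys) > MAX_USER_ENTITLEMENTS:
        raise ValueError(f"at most {MAX_USER_ENTITLEMENTS} entitlements per application")
    return frozenset(keys)


def authorizes(app_keys, held):
    """OR logic over the unique key: holding any configured entitlement grants access."""
    return any(e.key in app_keys for e in held)


def authorizes_by_name(app_entitlements, held):
    """The ambiguous variant the reply warns about: matching on source + name
    cannot tell the two "Admins" groups apart, so the wrong group is accepted."""
    wanted = {(e.source, e.name) for e in app_entitlements}
    return any((e.source, e.name) in wanted for e in held)


if __name__ == "__main__":
    finance_admins = find_by_key(CATALOG, "Active Directory", "memberOf",
                                 "CN=Admins,OU=Finance,DC=example,DC=com")
    hr_admins = find_by_key(CATALOG, "Active Directory", "memberOf",
                            "CN=Admins,OU=HR,DC=example,DC=com")
    okta_group = find_by_key(CATALOG, "Okta", "group", "00g1finance")
    app = configure_user_entitlements([finance_admins, okta_group])

    print("name lookup matches:", len(find_by_name(CATALOG, "Active Directory", "Admins")))
    print("HR admin authorized (key):", authorizes(app, [hr_admins]))
    print("HR admin authorized (name):",
          authorizes_by_name([finance_admins, okta_group], [hr_admins]))
    print("Okta member authorized (key):", authorizes(app, [okta_group]))
```

The point of `authorizes_by_name` is to show the failure mode, not to be used: with two "Admins" groups in the same source, a name-based configuration grants the application to an HR admin who was never meant to have it, while the key-based `authorizes` rejects that identity. When scripting against an entitlements API, carry the entitlement's source, attribute and value together and treat the display name as a label only.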