New Capability: Custom Metadata!

Description

:bangbang: SailPoint® is excited to announce the Access Model Metadata Service, enabling customers to enrich ISC Access Model items with custom or pre-defined metadata for enhanced context and tailored business needs!

The Access Model Metadata Service allows customers to add contextual information to ISC Access Model items. Customers can do this by using pre-defined metadata for risk, regulations, privacy levels, etc., or now by creating their own metadata attributes to reflect the unique needs of their business.​

The ability to enrich the ISC Access Model with contextual information is a foundational capability which enables numerous ISC use cases, supports better user experiences, and facilitates more powerful AI capabilities.​

New Capabilities

Customers can now create their own metadata attributes to reflect the unique needs of their business.​

Problem

Many organizations are required to govern access to critical data and services in order to ensure they are complying with various regulations and internal security policies. Governing access involves making sure that the right users have the right access at the right time, including making sure that those users have only the access they need to perform their job responsibilities and that any access they no longer need or aren’t using is removed in a timely manner.

Accomplishing this can be challenging. To be successful, organizations must be able to include business context information in their governance processes. They need to be able to provide this information to the business users who are engaged in their governance processes and they must be able to use this business context information to organize their entitlements to align with their business needs.

Solution

Custom Access Model Metadata provides the ability for customers to enrich Roles and Entitlements with business context in the form of custom meta-data attributes which can be leveraged across the SailPoint Identity Security Cloud. Support for Access Profile metadata will be added in a subsequent release.

Custom Metadata Administration

Custom Metadata Assignment

Who is affected?

  • Administrators who are adding context information to access items for the purpose of categorization, organization, prioritization, and improving the ability of stakeholders to better understand the access they are approving or certifying.
  • Reviewers and Approvers who need to understand the access they are required to make decisions on.
  • Developers of workflows and external access request clients who need to drive user experiences based on ISC access item context information.

Important Dates - Updated Enablement Schedule

Custom Metadata enablement was initiated on Thursday, October 3, 2024 for a limited number of tenants.

All remaining tenants will be enabled according to the following schedule:

Staging tenant enablement will resume in mid-November 2024 and is expected to be completed over a 2 week time period.

Production tenant enablement will follow the completion of staging enablement and is expected to be completed by mid-December.

9 Likes

Sounds interesting @PGookin, could be useful for us. :grin:

I do think some more information is needed. Can you share (a link to the) documentation? I wonder how we can use this.

  1. Can we use the search UI/API to easily view the metadata of the roles?
  2. Can we use search to get all roles that match a query, where the query can reference the metadata? This would help in multiple areas: reporting, but also triggering certification campaigns based on the metadata.
  3. Can users in the search of the request center find roles based on the metadata?
  4. Will the requesters see the metadata?
  5. Can we choose which metadata has a fixed number of possibilities and which metadata allows data in free format? Can those creating roles (either through UI or API) specify the metadata immediately?
  6. What are the limitations of this? How many metadata attributes can we define per role? How many values can we assign to the same role per attribute? Tags are useless for us, due to these limits (especially the last one):
    6.1 You can have up to 500 different tags in your tenant.
    6.2 You can apply up to 30 tags to one object.
    6.3 You can have up to 10,000 tag associations, pairings of 1 tag to 1 object, in your tenant.

The release schedule does not mention dates specifically for sandbox environments and production environments. Can you give this information? Or are they released on all environment levels at once?

Also I would like to emphasize again that the timing of these announcements is important. This announcement arrived on the 8th of October (it says it was created on the 2nd of October, but then it was probably not visible for end users yet, and even that I would consider too late compared to the release date), while releasing apparently started on the 3rd of October. This means we lost the possibility of properly testing this new functionality before the release to production and perhaps raising issues, concerns or bugs to you, and perhaps of communicating with and potentially training our relevant end users. Please release announcements before the staging occurs such that we can start planning on this from our side.

Kind regards,
Angelo

4 Likes

@PGookin ,
Will this tagging be extended to the Access Policy object too? How will I know when this feature will be released to my tenant?

Is this limited to suites? Either business or business plus?

Hi @PGookin ,
Thank you for posting this. How does the custom metadata enhance workflows or external access request clients? Can you provide examples of how this has been successfully integrated in real use cases?
Also you mentioned support for Access Profile metadata will be added in a subsequent release. Can you provide a timeline or expected capabilities for that update?

Hi Prashanth, one use case for external access request clients and workflows is to determine the approval flow for an item based on metadata. For example, a role that has the value High for Risk might require additional approval steps. We plan to add support for Access Profiles soon. Although the time frame is not committed, we are targeting Q1 2025.

Updated Enablement Schedule
Custom Metadata enablement was initiated on Thursday, October 3, 2024 for a limited number of tenants.

All remaining tenants will be enabled according to the following schedule:

Staging tenant enablement will resume in mid-November 2024 and is expected to be completed over a 2 week time period.

Production tenant enablement will follow the completion of staging enablement and is expected to be completed by mid-December.

@PGookin, in reviewing the APIs available for access metadata:

  • There’s an ability to retrieve metadata elements by themselves; however, there is no way to retrieve the access items associated with a metadata element. Is this something that is planned?
  • Example: I cannot pull ALL entitlements that have the metadata attribute compliance with the value SOX, which would allow me to pull all SOX entitlements.

I see the metadata entries on our roles, and can add out-of-box metadata attributes to our roles in the sandbox tenant. I do not see a menu option to edit/create our own metadata attributes in the GUI, nor do I see it documented in the API documentation. Is that portion forthcoming? Do I need a feature flag turned on?

Hi, are you a suite level customer?

Custom metadata support is limited to customers with standard, business, or business plus suite licenses. If you are not a suites customer you will be able to assign out of the box metadata to roles and entitlements but you will not be able to create custom metadata attributes.

If you are a suites customer and aren’t able to create custom metadata then there may be an enablement issue for this feature on your tenant. Please let me know if that’s the case and I’ll look into it.

Patrick.

We are a Business Plus customer. Is there a way to private message you more information?

I think we have a similar issue. Should we see this as a license in the idn product in /beta/tenants?

I also don’t see the API documentation to delete the attributes added by SailPoint and create/update our own ones. Access Model Metadata | SailPoint Developer Community only shows GET API requests.

With no API documentation present, I tried to guess what the documentation would be if these APIs exist (assuming these new APIs are consistent with other APIs from SailPoint). I then tried to create an attribute but got a 403 error. I also got a 403 error when trying to update (using PATCH) the description of an attribute that already exists. And when I tried to delete an attribute that already exists, I got this error: 400 Referenced key "iscEnvironment" was not found.

In addition, please note that my questions from 7 weeks ago are still pending: New Capability: Custom Metadata! - #2 by angelo_mekenkamp

I have a suite-level customer with the Business package, and the custom metadata feature flag is not checked off in their sandbox environment. I don’t even see the feature flag in their production environment. Is this still being rolled out…?

Hi, we are seeing a few cases where the product flag hasn’t been properly enabled and are looking into it.

1 Like

I just checked, and I see the metadata menu option now. Thanks Patrick and team!

@PGookin , I don’t see Metadata menu in my company stage env.

Hi, we had some issues with the Product Flag being set properly in some tenants. This should be corrected now. If you are still not seeing metadata and you are a suite level customer let me know and I’ll look into it.

@PGookin, I still can’t see it in my tenant. I have messaged you the tenant URL.

@PGookin, the flag is still not enabled on our DEV/UAT tenants, can you please check, thx

Just had a call with @PGookin to get the answers to these questions. He allowed me to share the answers he gave or the information I figured out myself here in case others are interested as well. Note that I can make mistakes in passing the information I got from him to here, so please don’t rely on this being 100% correct.

  1. Access item UI: Visible for example in the landing page of roles, and also when clicking on edit role → metadata attributes.
  2. Access item API: You can see the metadata through APIs like GET /v2024/roles. This is already documented.
  3. Search UI: Note that search has a 24-hour SLA, so it cannot be trusted for instant availability. There is no documentation that suggests you can see this data through the search UI. I can’t see it now, not even when it became visible in the search API.
  4. Search API: Not documented here, but it is (eventually) visible in the search JSON. Note that you do need to use the "includeNested":true attribute.
  1. Access item UI: Visible in the landing page of roles, using the filters icon.
  2. Access item API: I don’t see in this documentation yet how you can use the filters attribute to filter on metadata on the objects on the directly accessible APIs like /v2024/roles. But in any case there is this API you can use.
  3. Search UI: Yes. You can use @accessModelMetadata() for filtering in search (although it is not documented here; note that search has a 24-hour SLA).
  4. Search API: Yes, similar to the search UI.

Not yet, but the team of @jennifer_mitchell is working on it.

Not yet, but the team of @jennifer_mitchell is working on it.

Only fixed number of possibilities is supported now. SailPoint is looking at options to allow free format.

I forgot to specifically ask about how many attributes can be assigned per role, but I got these other limitations.

  1. Only 25 custom attributes can be defined, where they are working to increase it to 50.
  2. Each custom attribute can be assigned a maximum of 25 different values, where they are working to increase it to 50.
    Based on this my guess would be that all attributes can be assigned to any role, but I would need to test this.

There was a staged release. I mentioned it would be nice if these specific timetables are communicated.

This should indeed be visible if you have the right product license. It should be visible under idn as

{
  "licenseId": "idn:custom-access-model-metadata",
  "legacyFeatureName": "CUSTOM_ACCESS_MODEL_METADATA"
}

Patrick was surprised to see that API documentation is missing to create/update/delete custom attributes. He will go after it.

No update/deletion of default attributes is supported. I said that custom attributes are very nice and that prefilled (“best practice”) attributes could help organizations to speed up their implementation of ISC, but that by defining default attributes that can not be deleted or updated, you are, from a technical point of view, putting unneeded limitations on your own product (similar to the default correlation mapping nobody can get rid of, additional default identity attributes we can’t delete ourselves, etc. that are causing headaches). This can be confusing if metadata attributes are mappable to roles, but the customer doesn’t want to use those attributes. Better to delete them such that the role admins can’t assign those. I don’t think Patrick will in the near term merge ‘default’ and ‘custom’ into one type, where customers would get default values populated with the ability to update or delete, but Patrick did mention he saw value in allowing us to disable these default attributes such that role owners will not see them or use them anymore.

I prefer to be able to delete default attributes, but Patrick and I agreed that if deletion of default attributes is not supported, the error should then be different from 400 Referenced key "iscEnvironment" was not found. He will look after it.

1 Like
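As an added example (not SailPoint’s code and not part of this thread), here is how a workflow or external request client could use the metadata discussed above: it reads Access Model Metadata from a role document as returned by GET /v2024/roles, makes the approval decision Patrick described (a role whose Risk is High needs an extra approval step), answers the "give me all SOX entitlements" question from the thread client-side, and builds a search request body using the nested @accessModelMetadata() filter with "includeNested": true. The JSON shape of accessModelMetadata (attributes → key → values → value), the field names inside the nested query (attributes.key, attributes.values.value), the attribute keys "risk" and "compliance", and the sample role documents are all assumptions constructed for this example, not taken from SailPoint documentation.

```python
# Added example, not SailPoint's own code. Assumed shape of a role document:
#   role["accessModelMetadata"]["attributes"] = [
#       {"key": "<attribute key>", "values": [{"value": "<value>"}, ...]}, ...]
# The nested search field names below are likewise assumptions.
import json
import re
from typing import Dict, List

# Only plain identifiers may be interpolated into the search query, so a
# caller-supplied attribute key or value cannot change the query structure.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.\-]+$")


def extract_metadata(role: dict) -> Dict[str, List[str]]:
    """Map each metadata attribute key on a role to its assigned values.
    Roles without metadata, or with incomplete attribute entries, yield {}."""
    result: Dict[str, List[str]] = {}
    attributes = (role.get("accessModelMetadata") or {}).get("attributes") or []
    for attr in attributes:
        key = attr.get("key")
        if not key:
            continue
        values = [v["value"] for v in attr.get("values") or [] if "value" in v]
        result.setdefault(key, []).extend(values)
    return result


def has_metadata_value(role: dict, key: str, value: str) -> bool:
    """True if the role carries `value` under attribute `key` (value compared case-insensitively)."""
    return value.lower() in (v.lower() for v in extract_metadata(role).get(key, []))


def needs_additional_approval(role: dict, risk_key: str = "risk") -> bool:
    """Approval-flow decision from the thread: Risk == High needs an extra step.
    The key "risk" is a placeholder; use the key defined in your tenant."""
    return has_metadata_value(role, risk_key, "High")


def roles_matching(roles: list, key: str, value: str) -> List[str]:
    """Client-side equivalent of 'all roles with compliance = SOX': matching role ids."""
    return [r["id"] for r in roles if has_metadata_value(r, key, value)]


def build_metadata_search(key: str, value: str, index: str = "roles") -> dict:
    """Search API request body filtering access items on a metadata value.
    @accessModelMetadata() and includeNested come from the thread; the inner
    field names attributes.key / attributes.values.value are assumed."""
    for token in (key, value):
        if not _SAFE_TOKEN.match(token):
            raise ValueError(f"unsafe search token: {token!r}")
    query = f'@accessModelMetadata(attributes.key:{key} AND attributes.values.value:"{value}")'
    return {"indices": [index], "query": {"query": query}, "includeNested": True}


# Constructed sample role documents (not real tenant data).
SAMPLE_ROLES = [
    {"id": "r1", "name": "Finance Ledger Admin",
     "accessModelMetadata": {"attributes": [
         {"key": "risk", "values": [{"value": "High"}]},
         {"key": "compliance", "values": [{"value": "SOX"}, {"value": "GDPR"}]}]}},
    {"id": "r2", "name": "Wiki Reader",
     "accessModelMetadata": {"attributes": [
         {"key": "risk", "values": [{"value": "Low"}]}]}},
    {"id": "r3", "name": "Legacy Role"},  # no metadata assigned at all
]


if __name__ == "__main__":
    print(json.dumps(build_metadata_search("compliance", "SOX"), indent=2))
    print("SOX roles:", roles_matching(SAMPLE_ROLES, "compliance", "SOX"))
    for r in SAMPLE_ROLES:
        print(r["name"], "-> extra approval:", needs_additional_approval(r))
```

The token check in build_metadata_search matters when the attribute value comes from a requester or an external client: a value containing quotes, parentheses or spaces is rejected rather than spliced into the search string, so a user cannot widen the query beyond the single metadata match the caller intended. Because search lags by up to the 24-hour SLA noted above, an approval decision should be taken from the role document itself (as needs_additional_approval does), not from search results.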