New Capability: Custom Metadata!

Description

:bangbang: SailPoint® is excited to announce the Access Model Metadata Service, enabling customers to enrich ISC Access Model items with custom or pre-defined metadata for enhanced context and tailored business needs!

The Access Model Metadata Service allows customers to add contextual information to ISC Access Model items. Customers can do this by using pre-defined metadata for risk, regulations, privacy levels, etc., or now by creating their own metadata attributes to reflect the unique needs of their business.

The ability to enrich the ISC Access Model with contextual information is a foundational capability which enables numerous ISC use cases, supports better user experiences, and facilitates more powerful AI capabilities.

New Capabilities

Customers can now create their own metadata attributes to reflect the unique needs of their business.

Problem

Many organizations are required to govern access to critical data and services in order to ensure they are complying with various regulations and internal security policies. Governing access involves making sure that the right users have the right access at the right time including making sure that those users have only the access they need to perform their job responsibilities and that any access they no longer need or aren’t using is removed in a timely manner.

Accomplishing this can be challenging. To be successful, organizations must be able to include business context information in their governance processes. They need to be able to provide this information to the business users who are engaged in their governance processes and they must be able to use this business context information to organize their entitlements to align with their business needs.

Solution

Custom Access Model Metadata provides the ability for customers to enrich Roles and Entitlements with business context in the form of custom metadata attributes which can be leveraged across the SailPoint Identity Security Cloud. Support for Access Profile metadata will be added in a subsequent release.

Custom Metadata Administration

Custom Metadata Assignment

Who is affected?

  • Administrators who are adding context information to access items for the purpose of categorization, organization, prioritization, and improving the ability of stakeholders to better understand the access they are approving or certifying.
  • Reviewers and Approvers who need to understand the access they are required to make decisions on.
  • Developers of workflows and external access request clients who need to drive user experiences based on ISC access item context information.
  • Accenture is also a primary customer for this.

Important Dates - Updated Enablement Schedule

Custom Metadata enablement was initiated on Thursday, October 3, 2024 for a limited number of tenants.

All remaining tenants will be enabled according to the following schedule:

Staging tenant enablement will resume in mid-November 2024 and is expected to be completed over a 2-week time period.

Production tenant enablement will follow the completion of staging enablement and is expected to be completed by mid-December.

7 Likes

Sounds interesting @PGookin, could be useful for us. :grin:

I do think some more information is needed. Can you share (a link to the) documentation? I wonder how we can use this.

  1. Can we use the search UI/API to easily view the metadata of the roles?
  2. Can we use search to get all roles that match a query, where the query can reference the metadata? This would help in multiple areas. Reporting, but also triggering certification campaigns based on the metadata.
  3. Can users in the search of the request center find roles based on the metadata?
  4. Will the requesters see the metadata?
  5. Can we choose which metadata has a fixed number of possibilities and which metadata allows data in free format? Can those creating roles (either through UI or API) specify the metadata immediately?
  6. What are the limitations of this? How many metadata attributes can we define per role? How many values can we assign to the same role per attribute? Tags are useless for us, due to these limits (especially the last one):
    6.1 You can have up to 500 different tags in your tenant.
    6.2 You can apply up to 30 tags to one object.
    6.3 You can have up to 10,000 tag associations, pairings of 1 tag to 1 object, in your tenant.

The release schedule does not mention dates specifically for sandbox environments and production environments. Can you give this information? Or are they released on all environment levels at once?

Also, I would like to emphasize again that the timing of these announcements is important. This announcement arrived on the 8th of October (it says it was created on the 2nd of October, but then it was probably not visible for end users yet, and even that I would consider too late compared to the release date), while releasing apparently started on the 3rd of October. This means we lost the possibility of properly testing this new functionality before the release to production and perhaps raising issues, concerns or bugs to you, and perhaps of communicating with and potentially training our relevant end users. Please release announcements before the staging occurs such that we can start planning on this from our side.

Kind regards,
Angelo

3 Likes

@PGookin ,
Will this tagging be extended to the Access Policy object too? How will I know when this feature will be released to my tenant?

Is this limited to suites? Either business or business plus?

Hi @PGookin ,
Thank you for posting this. How does the custom metadata enhance workflows or external access request clients? Can you provide examples of how this has been successfully integrated in real use cases?
Also you mentioned support for Access Profile metadata will be added in a subsequent release. Can you provide a timeline or expected capabilities for that update?

Hi Prashanth, one use case for external access request clients and workflows is to determine the approval flow for an item based on metadata. For example, a role that has the value High for Risk might require additional approval steps. We plan to add support for Access Profiles soon. Although the time frame is not committed, we are targeting Q1 2025.

Updated Enablement Schedule
Custom Metadata enablement was initiated on Thursday, October 3, 2024 for a limited number of tenants.

All remaining tenants will be enabled according to the following schedule:

Staging tenant enablement will resume in mid-November 2024 and is expected to be completed over a 2-week time period.

Production tenant enablement will follow the completion of staging enablement and is expected to be completed by mid-December.

@PGookin in reviewing the APIs available for access meta

  • There’s an ability to retrieve metadata elements by themselves, however, there is no way to retrieve the access items associated with a metadata element. Is this something that is planned?
  • Example: I cannot pull ALL entitlements that have metadata attribute compliance with value as SOX, which allows me to pull all SOX entitlements