New Capability: Custom User Levels

This capability is brought to you by :aha: Idea GOV-I-737

:sparkles: Description

  • Least Privileged Model
    • Custom User Levels enables organizations to create custom permission sets, allowing administrators to define specific roles with the right level of access.
  • Read Only View
    • With Custom User Levels, organizations are now able to create read-only views for users who need access to identities, access, entitlements, VAs, and access policies.

:new_button: New Capability

Custom user levels allow administrators to delegate administrative responsibilities while supporting least privilege by providing finer-grained permissions to administrative functionality within Identity Security Cloud. Initially, our permissions focus on access objects (entitlements, access profiles, access history, and roles), identities and the VA, but we have plans to expand custom permissions to other areas of the admin experience.
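To make the least-privilege model concrete, here is a small, self-contained illustration (added for this writeup; it is not SailPoint code and does not use the Identity Security Cloud API) of how a custom user level can be modelled as an explicit permission set: each permission names one object type from the announcement and is either read-only or management, evaluation is deny-by-default, and a small audit helper flags any "read-only" level that accidentally grants a management permission. The permission names follow the "<Object> Read Only" / "<Object> Management" pattern used later in this thread; the rule that management implies read for the same object type is an assumption of this example.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    READ = "read"
    MANAGE = "manage"


# Object types named in the announcement. "Virtual Appliance" stands for the VA.
OBJECT_TYPES = ("Access Profile", "Entitlement", "Role", "Identity", "Virtual Appliance")


def permission_name(obj_type: str, action: Action) -> str:
    """Build the permission string for an object type and action."""
    if obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {obj_type!r}")
    suffix = "Read Only" if action is Action.READ else "Management"
    return f"{obj_type} {suffix}"


@dataclass(frozen=True)
class UserLevel:
    """A custom user level: a name plus an explicit, closed set of permissions."""
    name: str
    permissions: frozenset

    def allows(self, obj_type: str, action: Action) -> bool:
        # Deny by default: nothing is granted unless a matching permission is present.
        # Assumption for this example: Management on an object type implies Read on it;
        # Read Only never implies Management.
        if permission_name(obj_type, Action.MANAGE) in self.permissions:
            return True
        if action is Action.READ:
            return permission_name(obj_type, Action.READ) in self.permissions
        return False


def read_only_level(name: str, obj_types) -> UserLevel:
    """Create a level that can only view the given object types (the 'read-only view' case)."""
    return UserLevel(name, frozenset(permission_name(o, Action.READ) for o in obj_types))


def management_level(name: str, obj_types) -> UserLevel:
    """Create a level that can manage the given object types and nothing else."""
    return UserLevel(name, frozenset(permission_name(o, Action.MANAGE) for o in obj_types))


def management_grants(level: UserLevel) -> list:
    """Audit helper: every management permission a level carries, sorted.

    Run this over levels that are supposed to be read-only; a non-empty result
    means the level is broader than its name suggests.
    """
    return sorted(p for p in level.permissions if p.endswith("Management"))


# Constructed sample levels modelled on use cases raised in the thread.
AUDIT_READ_ONLY = read_only_level("Audit Read Only", OBJECT_TYPES)
ENTITLEMENT_ADMIN = management_level("Entitlement Admin", ["Entitlement"])
# A mis-built "read-only" level that slipped in one management permission.
SLOPPY_READ_ONLY = UserLevel(
    "Helpdesk Read Only",
    AUDIT_READ_ONLY.permissions | {permission_name("Role", Action.MANAGE)},
)


if __name__ == "__main__":
    for level in (AUDIT_READ_ONLY, ENTITLEMENT_ADMIN, SLOPPY_READ_ONLY):
        print(f"{level.name}:")
        for obj in OBJECT_TYPES:
            print(f"  {obj:<18} read={level.allows(obj, Action.READ)!s:<5} "
                  f"manage={level.allows(obj, Action.MANAGE)}")
        print(f"  management grants to review: {management_grants(level)}")
```

The point of the model is the closed permission set: a level holds exactly what was listed for it, so a read-only audit level cannot modify anything, an entitlement admin cannot even view roles, and a level whose name says "Read Only" but whose set says otherwise is caught by `management_grants` before it is assigned to anyone.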


:red_exclamation_mark: Problem

We’ve heard from customers that our existing user levels could be more adaptable. In some cases, admins found it tricky to align permissions with users’ specific needs. This update adds greater flexibility and precision, making it easier to assign just the right access within ISC.


:light_bulb: Solution


:busts_in_silhouette: Who is affected?

All Business and Business Plus customers


:date: Important dates


Sandbox availability: November 3, 2025
Production rollout: Beginning November 10, 2025


:books: Resources

Documentation: Custom User Levels - SailPoint Identity Services

15 Likes

This is really cool! I have been waiting a long time for being able to implement fine-grain access in ISC.

This will help a lot of customers secure their ISC instances.

1 Like

Really like this feature and it will be useful.

When will it be enabled in Partner and Ambassador tenants? I would like to show it to some users who will like this feature.

When reviewing the video, I noticed that the Permissions were organized haphazardly. Will this be cleaned up and similar permissions grouped together?

Ideally this would be alphabetical:

  • Access Profile Management
  • Access Profile Read Only
  • Entitlement Management
  • Entitlement Read Only
  • Role Management
  • Role Read Only

But could be by type of permission:

  • Access Profile Read Only
  • Entitlement Read Only
  • Role Read Only
  • Access Profile Management
  • Entitlement Management
  • Role Management

Similarly on the Identity Permission Selection, these could be ordered alphabetically too:

Expanding on this, could the Identity section have an option to limit access to only those users that the user manages or who are downstream from them in the management hierarchy?

3 Likes

Our team is eagerly waiting for this feature.

Agree wholeheartedly that the ability to sort alphabetically would be helpful.
That goes for the many pages that don’t let you sort at all.

1 Like

Hi @jeremy_southerland ,

Will the new custom roles we are creating also be available to request as an entitlement under the loopback connector in Request Center?

5 Likes

Will these custom user levels be able to be assigned to a role instead of an identity? We have an IT call center that could benefit from getting some read-only visibility, but there are around 80 employees in that group and there is frequent positive turnover from that team. It would be tough to manually keep up with managing custom user level access for a team that large.

1 Like

@jeremy_southerland Will there be Read-only permissions for accessing and viewing the configuration items under Global? Having Read-Only access to those areas would be necessary for a true Read-Only Admin role. It does not look like that is the case currently. If there isn’t, is that on the roadmap for an enhancement, and what would the timeline be for that?

@jeremy_southerland will these also be available to assign through the IdentityNow source?

Really like the custom user level feature. We’ve had some use cases around wanting to give our source owners more visibility, specifically on accounts associated with the sources they own. We’ve had some cases where it’s more information than we can directly provide in a certification review. Do we know if this feature has had discussions around getting that granular? I’d love to be able to grant an owner the ability to read account data specifically for the sources they own, so they can have an expanded set of detail for a more complete certification review.

Hey @jeremy_southerland

This is a much anticipated feature, and it’s great to see permissions being scoped around key access objects such as entitlements, access profiles, access history, roles, identities, and the VA.

That said, I’m curious: does the “identities” scope also include governance groups, or is support for governance group permissions planned as a separate enhancement in the future under the governance group standalone object?

P.S.: Our sandbox tenant does not currently reflect this change. Could someone confirm whether this rollout is limited to select Business or Business Plus customers, or if it’s intended for all tenants under those tiers?

Hi @jeremy_southerland ,

We haven’t received this update in our dev tenant. As this is a key feature expected by our Audit team, we are keen to work on this update.

Excellent news! Only one question: does the scope apply to all objects?

I see this didn’t get deployed to Sandbox today. Has there been a delay?

Awesome to see this, excited to try it out!

I’m curious though, does the fact that the documentation for this was released over a week before the sandbox rollout mean that this issue I was informed of on another post has been addressed?

I was essentially told that your documentation can’t be released until after new features go live in production; I would be really happy to hear that that’s no longer the case.

Relevant comment from SailPoint comms team:

We understand the desire for documentation for staging releases. However, the content at documentation.sailpoint.com is the legal warranty of the product. Since features in staging are not fully rolled out, they are not included in the legal warranty until prod releases.

We are currently investigating how we can improve our communications around upcoming releases and appreciate your patience as we continue that work.

I second all the questions about if these new user levels will be configurable as entitlements. I’ve played around with the new feature a bit in our Sandbox tenant and so far, it doesn’t seem like they create a corresponding entitlement. This is unfortunate as we will likely want to assign newly created user levels to potentially hundreds of administrative / technical users.

Hi @jeremy_southerland ,

We can see the custom roles option now in our dev tenant. Can we make the custom roles we are creating a requestable option under the source as the “Identity Now” connector?

2 Likes

This is not showing in our sandbox environment. Is there something we need to do to enable this functionality?

2 Likes

Is this available in prod tenants?

Yes, our production and sandbox reflect the new capability now!