Data Segmentation provides a programmatic method for restricting access to data within core ISC objects, ensuring users can only see the data records they are authorized to access. This release expands this functionality into Role Administration.
New Capabilities
For enterprise-level customers with complex organizational structures, the latest enhancement to Data Segmentation ensures administrators can lock down Roles Admin access at a more granular level for users - ensuring least privilege and diminishing privacy concerns.
Problem
Customers often have information within their environment that they consider privileged or that needs to be visible on a need-to-know basis. This stems from the basic security principle of least privilege (NIST Definition). However, when a user is granted any given piece of Identity Security Cloud (ISC) access in the user interface, they are also granted access to every piece of information that user interface can reach. Specific objects such as Access Model Items, Identities, and Sources, whose visibility customers would like to restrict, are currently visible globally.
Customers often have smaller, dedicated ISC Administration teams that would like to grant administrative functionality to distributed teams. For example, Conglomerate A would like to delegate administration of the Identities, Sources, and Access Model Items within its two companies, Company 1 and Company 2. However, it wants to prevent the Identity Security Cloud administrators at Company 1 and Company 2 from seeing each other's configurations, without limiting the access of Conglomerate A's own ISC Administrators.
Solution
To solve these issues for ISC customers, SailPoint is implementing the Data Segmentation feature to provide a programmatic method for restricting data within Roles. This segmentation of data ensures users can only see the data records they are authorized to see. With this latest enhancement, Data Segmentation expands to Roles after initially launching for Entitlements in Q4 2024.
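The Conglomerate A scenario above, modelled as an added Python example (this is not SailPoint code and not the ISC API; the `Segment`, `Role` and `metadata` names, the rule that a segment's criteria are attribute/value equalities that must all match, and the sample identities and roles are all assumptions constructed for illustration). It shows the least-privilege outcome the announcement describes: global administrators see every role, segmented administrators see only the roles matching their segment criteria, and everyone else sees nothing. It also rejects two criteria mistakes that would silently widen visibility: empty criteria (which would match every record) and a `None` value (which would match records that lack the attribute entirely).

```python
"""Toy model of criteria-based data segmentation for Role administration.

Added illustration only: not SailPoint code and not the ISC API. Names,
matching rules and sample data are assumptions chosen to mirror the
announcement's Conglomerate A / Company 1 / Company 2 scenario.
"""
from dataclasses import dataclass


def validate_criteria(criteria: dict) -> bool:
    """Return True only if criteria are safe to evaluate.

    Empty criteria would match every record, and a None value would match
    records missing that metadata attribute (dict.get returns None), so both
    are rejected rather than treated as 'match all'.
    """
    if not criteria:
        return False
    return all(v is not None for v in criteria.values())


@dataclass(frozen=True)
class Role:
    name: str
    metadata: dict  # constructed metadata attributes, e.g. {"company": "Company 1"}


@dataclass(frozen=True)
class Segment:
    name: str
    members: frozenset  # identity IDs placed in this segment (assumption)
    criteria: dict       # metadata attribute -> required value; all must match

    def __post_init__(self):
        if not validate_criteria(self.criteria):
            raise ValueError(f"segment {self.name!r} has unsafe criteria")

    def matches(self, role: Role) -> bool:
        """A role is in the segment when every criterion equals its metadata."""
        return all(role.metadata.get(k) == v for k, v in self.criteria.items())


# Constructed sample data for the scenario in the announcement.
ROLES = [
    Role("Company1-Finance", {"company": "Company 1", "tier": "restricted"}),
    Role("Company1-Helpdesk", {"company": "Company 1"}),
    Role("Company2-HR", {"company": "Company 2"}),
    Role("Unlabeled-Role", {}),  # no company metadata at all
]

SEGMENTS = [
    Segment("Company 1 admins", frozenset({"alice"}), {"company": "Company 1"}),
    Segment("Company 2 admins", frozenset({"bob"}), {"company": "Company 2"}),
]

# Conglomerate A's own ISC administrators are not segmented (assumption).
GLOBAL_ADMINS = frozenset({"conglomerate-admin"})


def visible_roles(user: str, roles=ROLES, segments=SEGMENTS,
                  global_admins=GLOBAL_ADMINS) -> list:
    """Return the names of roles `user` is allowed to see.

    Default deny: a user outside every segment who is not a global admin
    sees no roles. Roles lacking the criteria attribute (Unlabeled-Role)
    are hidden from segmented admins rather than exposed to all of them.
    """
    if user in global_admins:
        return [r.name for r in roles]
    mine = [s for s in segments if user in s.members]
    return [r.name for r in roles if any(s.matches(r) for s in mine)]


def can_see(user: str, role_name: str) -> bool:
    """Authorization check for a single record, e.g. before rendering a detail page."""
    return role_name in visible_roles(user)


if __name__ == "__main__":
    for who in ("conglomerate-admin", "alice", "bob", "mallory"):
        print(f"{who:18} -> {visible_roles(who)}")
```

Running the block prints each user's visible roles; the point to notice is that the unlabeled role is visible only to the global administrator, and that a user in no segment gets an empty list rather than the global view.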
I am having a test in our Sandbox environment, and I am trying to select Roles via Criteria, using Metadata. It isn’t allowing me to select the value from a selected metadata attribute (regardless of which one is selected), displaying a red text of “This field is required” warning.
I tried creating a custom Metadata attribute but the same issue persisted. Should this work with Metadata?
Hey Remi - Data Segmentation availability will be on Suites only. As we add more objects, each object can be at its own “tier” of suite.
The two objects we’ve released on coverage so far, Entitlements and Roles, are both on the Business Plus Suite tier. That’s a good call-out that I’ll edit into the announcement here.
Hey Tyson - Metadata is supported (custom and out of the box). I’m having a hard time recreating this; that sounds like a generic error message usually indicating that some value (visible or not) is null that shouldn’t be. Are you seeing the metadata value in the criteria Attribute and Value picker?
If so, you may have found some kind of bug that I can’t reproduce. If you wouldn’t mind opening a support ticket, that should help us kick off digging into this.
Hi Aaron - I understand that segmentation has not been applicable yet for the customers who use the ServiceNow Service catalogue for role requests. With this new release, can we expect something to be coming up in the ServiceNow Service catalogue which can also use the segmentation feature of ISC?
Hey Abhijit - You’re correct: this is for administration only. We are looking to merge Data Segmentation’s power with the legacy Access Request Segmentation on our roadmap, which will unlock a lot more powerful segmentation. With that, we’re also planning to work with our Service Desk Integration team to build the Segmentation into the ServiceNow Service Catalogue. This is definitely something we’ll be looking to do. Unfortunately, it’s further than 6 months out, so I can’t give you a specific time estimate as of now.
@aaron_andrew: For Data segments, can we build criteria for Entitlements and Roles? Also, I want to build the criteria on metadata attributes for both roles and entitlements.
@prachimittal9 Can you open an idea for this in https://ideas.sailpoint.com/? I have some follow-up questions, but we’ll do so over there so I have your feedback in the context of the idea. This is where we track improvement ideas.