New Capability: Data Segmentation for Roles!

Description

Data Segmentation provides a programmatic method for restricting access to data within core ISC objects, ensuring users can only see the data records they are authorized to access. This release expands this functionality into Role Administration.

New Capabilities

For enterprise-level customers with complex organizational structures, the latest enhancement to Data Segmentation ensures administrators can lock down Roles Admin access at a more granular level for users - ensuring least privilege and diminishing privacy concerns.

Problem

  1. Customers often have information within their environment that they consider privileged or need to be visible on a need-to-know basis. This stems from the basic security principle of least privilege (NIST Definition). However, when a user is granted any given piece of Identity Security Cloud (ISC) access in the user interface, they are also granted access to any given piece of information that user interface can access. Specific objects like Access Model Items, Identities, Sources, etc., which customers would like to restrict visibility for, are currently visible globally.
  2. Customers often have smaller, dedicated ISC Administration teams that would like to grant administrative functionality to distributed teams. For example, Conglomerate A would like to delegate administration for the Identities, Sources, and Access Model Items within its two companies: Company 1 and Company 2. However, they want to limit the data access that Identity Security Cloud administrators at Company 1 and Company 2 have, so that they cannot see each other’s configurations, without limiting the access of Conglomerate A’s ISC Administrators.

Solution

To solve for these complex issues faced by ISC customers, SailPoint is implementing the Data Segmentation feature to provide a programmatic method for restricting data within Roles. This segmentation of data ensures users can only see the data records they are authorized to see. With this latest enhancement, Data Segmentation expands to Roles after initially launching for Entitlements in Q4 2024.

Important Dates

Sandbox Rollout: The week of March 10, 2025

Production Rollouts: The week of March 17, 2025


Will Data Segmentation for Roles be available on ISC business suite?

I am running a test in our Sandbox environment, and I am trying to select Roles via Criteria, using Metadata. It isn’t allowing me to select the value from a selected metadata attribute (regardless of which one is selected), displaying a red “This field is required” warning.

I tried creating a custom Metadata attribute but the same issue persisted. Should this work with Metadata?

Hey Remi - Data Segmentation availability will be on Suites only. As we add more objects, each object can be at its own “tier” of suite.

The two objects we’ve released coverage for so far, Entitlements and Roles, are both on the Business Plus Suite tier. That’s a good call-out that I’ll edit into the announcement here.


Hey Tyson - Metadata is supported (custom and out of the box). I’m having a hard time recreating this, that sounds like a generic error message usually indicating that some value (visible or not) is null that shouldn’t be. Are you seeing the metadata value in the criteria Attribute and Value picker?

If you are, you may have found some kind of bug that I can’t reproduce. If you wouldn’t mind opening a support ticket, that should help us kick off digging into this.

Hi Aaron,
I suspected as much! Ticket raised.
What I am seeing is:

Though the data values are available (values redacted):