New Capability: Data Segmentation!

Description

:bangbang: SailPoint® is excited to announce the launch of Data Segmentation in Identity Security Cloud!

This feature provides a programmatic method for restricting access to data within core ISC objects, ensuring users can only access the records they’re authorized to see. Data Segmentation enables organizations to lock down access at a more granular level, ensuring least privilege and reducing privacy concerns. Initially available for Entitlement Administration, additional object support will be introduced in future releases.

New Capabilities

For enterprise-level customers with complex organizational structures, Data Segmentation ensures they can lock down access to records at a more granular level for users - ensuring least privilege and diminishing privacy concerns.

Problem

  1. Customers often have information within their environment that they consider privileged or need to be visible on a need-to-know basis. This stems from the basic security principle of least privilege (NIST Definition). However, when a user is granted any given piece of Identity Security Cloud (ISC) access in the user interface, they are also granted access to any given piece of information that user interface can access. Specific objects like Access Model Items, Identities, Sources, etc., which customers would like to restrict visibility for, are currently visible globally.

  2. Customers often have smaller, dedicated ISC Administration teams that would like to grant administrative functionality to distributed teams. For example, Conglomerate A would like to delegate administration for the Identities, Sources, and Access Model Items within its two companies: Company 1 and Company 2. However, they want to limit the data access that Identity Security Cloud administrators at Company 1 and 2 have to see each other’s configurations without limiting the access of Conglomerate A’s ISC Administrators.

Solution

For the initial General Availability release, Entitlement Administration will be the only supported use case. Subsequent releases will add additional support.

Segmentation Definition

Entitlement Builder

Who is affected?

  • Global ISC Administrators
  • Privacy Officers & Teams
  • Data Segmentation is available for Identity Security Cloud Business Plus customers only

Important Dates

Delivery of Data Segmentation will start Thursday, October 10th, 2024 for select tenants and will be slowly rolled out by region.

Staging Dates:

  • Tenants not in useast1: week of 11/11
  • Tenants in useast1: week of 11/21. We have temporarily paused this release. A new date is coming soon!

Production Dates: We have temporarily paused production release. A new date is coming soon!

  • Tenants not in eucentral or useast1: week of 12/2
  • Tenants in eucentral: week of 12/9
  • Tenants in useast1: week of 12/16

If you’re unsure what region your tenant is in, this may be found in “Org Details” on the Administrative Dashboard. This feature is being targeted for Fedramp environments in Q1 2025.

3 Likes

Sounds interesting @aaron_andrew, could be useful for us. :grin:

I do think some more information is needed. Can you share (a link to the) documentation? I wonder how we can use this.

  1. Can we use the search UI/API to easily view these object types and is management of these objects consistent with other objects?
  2. What are the available operations? Equals or also not Equals, starts with, contains, not contains? Can we only do this based on identity attributes or also based on having a specific role or entitlement, governance group membership or user level?
  3. What effect will this release have on already current defined segments?
  4. This announcement says that the upcoming functionality will be limited to entitlements only. Is there an ETA on when we can segment roles? Can we still use the old way of segmenting in the meantime?
  5. Will segmentation still only affect what you can request? Or will it also go to other functionality like what you can revoke, for who you can request it or something else?
  6. Currently if you try to open/edit a segment in the UI which points to a lot of access items, it will take multiple minutes before the page is open, since the UI is fetching all objects associated with that segment instead of only the first page. Will this functionality inherit the same design issue?
  7. What are the limitations of this? How many segments can we define in total? How many segments can point to the same access objects or identities?
  8. Can we still use the search API/UI to search for access items based on segmentation?
  9. Can we use the search API/UI to search for segments (based on access items)?
  10. What happens if we create or update a segment, how long until it goes into effect?
  11. What happens if we try to delete a segment? How long until it goes into effect?

The release schedule does not mention dates specifically for sandbox environments and production environments. Can you give this information? Or are they released on all environment levels at once?

Also I would like to emphasize again that the timing of these announcements is important. This announcement arrived on the 9th of October (it says it was created on the 2nd of October, but then it was probably not visible for end users yet, and even that I would consider too late compared to the release date), while releasing apparently already started on the 10th of October. This means we lost the possibility of properly testing this new functionality before the release to production and perhaps raise issues, concerns or bugs to you and perhaps to communicate and potentially train our relevant end users. Please release announcements before the staging occurs such that we can start planning on this from our side.

Kind regards,
Angelo

2 Likes

Hi Angelo -

This is the record level feature you and I have talked quite a few times in the context of “Delegated Administration” :grinning:

Doc Link: Data Segmentation Overview - SailPoint Identity Services

  1. Can we use the search UI/API to easily view these object types and is management of these objects consistent with other objects?

The initial release of Entitlement Administration will also apply to the Top Level Search Object for Search API/UI (Entitlements Tab). As we continue to integrate this functionality, you will see it applied more and more to Search.

  2. What are the available operations? Equals or also not Equals, starts with, contains, not contains? Can we only do this based on identity attributes or also based on having a specific role or entitlement, governance group membership or user level?

Equals, Does Not Equal, Contains, Starts With, Ends With are the operations. Identity attributes are what we’re looking at with the launch of this feature.

  3. What effect will this release have on already current defined segments?

No effect - as this initial release contains Entitlement Administration - not access request. In the long view, we are looking to merge Access Request Segmentation into this more powerful framework.

  4. This announcement says that the upcoming functionality will be limited to entitlements only. Is there an ETA on when we can segment roles? Can we still use the old way of segmenting in the meantime?

Please continue to use the old way - our intention today is to make this seamless in the future when we get to Access Request Segmentation. Roles is one of our next items up - we’ve already begun development. Our current timelines are looking at releasing this in Q1. As always, that’s general guidance based on what we know today and not a firm commit. :slight_smile:

  5. Will segmentation still only affect what you can request? Or will it also go to other functionality like what you can revoke, for who you can request it or something else?

This will only control the Administrative UI for Entitlements as well as the Entitlements visible in Role and Access Profile UIs - this should unlock delegating administration/unlocking sub-administration for entitlement sub-populations.

  6. Currently if you try to open/edit a segment in the UI which points to a lot of access items, it will take multiple minutes before the page is open, since the UI is fetching all objects associated with that segment instead of only the first page. Will this functionality inherit the same design issue?

Like we reviewed together during research, there is much more flexibility in the way access items are selected. This includes the ability to “Build Criteria” with a query builder on the entitlements. You can apply these and see the results, but these are also paginated to avoid long load times.

  7. What are the limitations of this? How many segments can we define in total? How many segments can point to the same access objects or identities?

2000 total segments. There is no limit to how many times a segment can point to an access object or identity, but we’d recommend keeping the number of segments any given user is in to sub-20. From the 60+ research calls we did, no customer had a use case that was above 12.

  8. Can we still use the search API/UI to search for access items based on segmentation?

#1 answer covered this

  9. Can we use the search API/UI to search for segments (based on access items)?

Negative. Because we anticipate customers using this as a security and privacy policy, it will only be visible to Org Admins in the purpose-built UI.

  10. What happens if we create or update a segment, how long until it goes into effect?

Most new segments or changes to a segment will be applied within around 10 seconds. Super large changes affecting tens of millions of identities and their access to tens of millions of entitlements could take up to 30 minutes to be applied.

  11. What happens if we try to delete a segment? How long until it goes into effect?

Same as #10

The release schedule does not mention dates specifically for sandbox environments and production environments. Can you give this information? Or are they released on all environment levels at once?

This feature requires a slow roll out over months for technical reasons. More information will come on this over time.

This means we lost the possibility of properly testing this new functionality before the release to production and perhaps raise issues, concerns or bugs to you and perhaps to communicate and potentially train our relevant end users. Please release announcements before the staging occurs such that we can start planning on this from our side.

This feature ships - as many do - by default “off” so there will be no impact to you or your users. This announcement is well in advance of most customers’ staging release, per your point.

Let me know if you have other questions or concerns I can help with!

3 Likes
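Not part of the thread or of SailPoint’s product: an added Python model of how identity-attribute criteria using the five operators Aaron lists could place identities into segments, with the stated limits (2000 segments total, sub-20 per user) checked. The operator semantics (criteria within a segment ANDed, case-sensitive matching, missing attribute never matches) and all sample data are assumptions constructed for the illustration.

```python
# Added example, not SailPoint code: a toy model of identity-attribute segment
# criteria using the five operators named above and the stated limits (2000
# segments total, keep any user under ~20). Assumptions: criteria within one
# segment are ANDed, matching is case-sensitive, a missing attribute never matches.
OPERATORS = {
    "Equals": lambda actual, value: actual == value,
    "Does Not Equal": lambda actual, value: actual != value,
    "Contains": lambda actual, value: value in actual,
    "Starts With": lambda actual, value: actual.startswith(value),
    "Ends With": lambda actual, value: actual.endswith(value),
}
MAX_SEGMENTS_TOTAL = 2000   # cap stated in the thread
RECOMMENDED_PER_USER = 20   # "sub-20" guidance stated in the thread

def identity_matches(identity, criteria):
    """criteria: list of (attribute, operator, value); every tuple must hold."""
    for attr, op, value in criteria:
        actual = identity.get(attr)
        if actual is None or not OPERATORS[op](str(actual), value):
            return False
    return True

def segments_for(identity, segments):
    """Names of the segments (name -> criteria) whose criteria the identity satisfies."""
    return [name for name, criteria in segments.items() if identity_matches(identity, criteria)]

def check_limits(identities, segments):
    """Warnings for exceeding the total cap or the per-user recommendation."""
    warnings = []
    if len(segments) > MAX_SEGMENTS_TOTAL:
        warnings.append(f"{len(segments)} segments exceeds the cap of {MAX_SEGMENTS_TOTAL}")
    for ident in identities:
        n = len(segments_for(ident, segments))
        if n >= RECOMMENDED_PER_USER:
            warnings.append(f"{ident['name']} is in {n} segments; keep it below {RECOMMENDED_PER_USER}")
    return warnings

# Constructed sample data mirroring the Conglomerate A / Company 1 / Company 2 scenario.
SEGMENTS = {
    "Company 1 admins": [("company", "Equals", "Company 1")],
    "Company 2 admins": [("company", "Equals", "Company 2")],
    "EU staff": [("email", "Ends With", "@example.eu")],
    "Employees only": [("employeeType", "Does Not Equal", "contractor")],
}
IDENTITIES = [
    {"name": "alice", "company": "Company 1", "email": "alice@example.eu", "employeeType": "employee"},
    {"name": "bob", "company": "Company 2", "email": "bob@example.com", "employeeType": "contractor"},
]
```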

Thank you for the quick and clear answers @aaron_andrew! It’s been a while since we talked about this so my memory wasn’t that great and perhaps things had changed in the meantime. Also it is good that others can read this information including that documentation link :grin:

I understand there will be a slow release due to technical reasons. However, is there any indication on which region will get this feature deployed in roughly which timeframe? Will this get deployed in our sandbox environment before it goes to the production environment and is there an estimated time difference between the two? Even if the feature is supposed to be deployed in off-state, I think it would be good if we can test it truly has no effects in off-state before we get it deployed to production. Bugs can appear in unexpected places after all.

Agreed on that front - helps others for sure.

Unfortunately, I can’t commit today on larger staging rollout timelines. This will definitely be going to staging for at least one week before production though and likely longer. This announcement is well-in-advance notice that this is coming for the majority of customers.

1 Like

Is this feature only for Business and Business Plus ISC customers or all customers? Also, any idea when a read-only admin might be defined?

Hi Renee - The segmentation of entitlement administration, which is the first functionality released with the foundation of Data Segmentation, is a Business Plus feature. More to come on future objects.

Hi @angelo_mekenkamp We’re moving to ISC in the near future and I’m interested in segmentation for roles. You make reference to the old way of segmentation, how is this currently being done?

Thanks and Regards

Hi @Bhekamandla,

I was referring to this functionality: Managing Access Request Segments - SailPoint Identity Services :slight_smile:

1 Like

Please Note: The Important Dates section has been updated with more specificity for when this feature will be available by region.

1 Like

Hi Aaron,

Is it possible to add ‘Does Not Contain’?

Is this feature available on all Staging tenants or still being rolled out?

Hi @aaron_andrew - this is definitely an exciting feature as it relates to “Delegated Administration”. We are a business plus customer in us-east-1 but don’t see this feature in our staging tenant yet.

Staging Dates:

Tenants not in useast1: week of 11/11
Tenants in useast1: week of 11/21

We will evaluate this for future releases. I’d recommend opening an Idea for this, as I don’t think I’ve seen one! There was some architectural complexity to including this in the first version, but it was considered.

Hi Raju - I’ve just updated the schedule above. Unfortunately, we had some internal environmental issues which have delayed the release after the first two batches in Staging. I’m hoping to have new timelines soon!

Hi Shail - The issue is on our end. I’ve just updated the schedule above. Unfortunately, we had some internal environmental issues which have delayed the release after the first two batches in Staging. I’m hoping to have new timelines soon!