Description
This feature provides customers with the ability to control whether Identity Security Cloud (ISC) Role and Source Administrators can manage ISC User-Level Entitlement objects in their tenants.
The IdentityNow source is currently visible in ISC. It contains a set of entitlements used to assign and provision ISC user-levels, enabling customers to govern user-levels in ISC. For example, user-levels can be added to roles, enabled for access request and approval processes, and included in certifications.
Previously, Role Admins and Source Admins were allowed by default to manage these entitlements. This meant they could potentially elevate privilege within ISC—for themselves or others—by including user-levels in roles or requesting them without approvals. With this release, customers can now restrict this behavior and define who has the ability to manage these entitlements.
New Capabilities
It is now possible to control whether ISC Role and Source Administrators can manage ISC User-Level Entitlement objects in your tenant.
Previously, ISC Role and Source Administrators were always allowed to add user-level entitlements to roles and configure access request and approval settings for those entitlements.
With this release, a tenant-level configuration option is available to enable or disable this capability for Role Admins, Role Sub-Admins, Source Admins, and Source Sub-Admins. This gives you more control over who can assign user-level entitlements to roles or manage their request and approval configurations.
Problem
Allowing Role and Source Administrators to manage and configure ISC user-level entitlements provides greater administrative flexibility. However, it also introduces risk: administrators below the ISC Admin level can use it to elevate privilege within ISC, for themselves or for others.
ISC Role and Source Administrators are already highly privileged ISC users, and they have always been able to elevate access for themselves or for other users in highly sensitive and critical applications. Even so, the decision to accept this additional risk should be left to each individual customer.
Solution
It is now possible to control whether ISC Role and Source Administrators are able to manage ISC User-Level Entitlement objects in your tenants.
- A system configuration option is now available to enable or disable the ability for Role and Source Administrators to manage ISC User-Level Entitlement objects.
- By default, this option is disabled.
- When this option is disabled, only users with the ISC Admin user-level are allowed to manage and configure ISC user-level entitlements.
- When this option is enabled, Role Admins, Role Sub-Admins, Source Admins, and Source Sub-Admins are also able to manage and configure ISC user-level entitlements.
Who is affected?
This feature will affect all customers.
Action Required
Customers who want to allow Role and Source Administrators to continue to manage and configure ISC user-level entitlements will need to enable this option for their tenants. If the option is left at its default (disabled), those administrators will no longer be able to add user-level entitlements to roles or change their access request and approval settings once the feature is enabled for the tenant.
Important Dates
Enablement of this capability will begin the week of June 30th 2025. All staging environments will be enabled first with production environments following in stages.