Policy Violation Report Access Restriction

Hi all,

With SailPoint sending report links to policy violation owners, violation owners can’t access the report as standard users.

I’ve temporarily assigned Report Admin, but that feels too broad.

Is there a way to allow users to view only specific policy reports (like terminated users with active AWS accounts) without granting full report admin access?

Thanks!

You cannot grant “report‑only” access to policy violation reports in SailPoint Identity Security Cloud today—violation owners without elevated roles cannot open those links. The supported way is to use policy subscriptions (SoD subscriptions) that email violation details directly or to assign a limited role like Policy Admin rather than the broad Report Admin.

Why Violation Owners Can’t Access Reports

  • Report links generated by subscriptions require Report Admin or Org Admin privileges.

  • Standard users (even if they are violation owners) cannot open those links because reports are considered administrative objects.

  • This is documented behavior — SailPoint treats reports as admin‑level artifacts, not end‑user accessible content.

Alternative methods you can try

  • Policy Subscriptions

    • Instead of sending a report link, configure a subscription on the SoD policy.

    • Subscribers receive violation details directly via email (daily, weekly, or monthly).

    • This avoids the need for Report Admin rights.

  • Report Admin role

    • If you want owners to view violations in the UI, assign ReportAdmin.

    • This grants access to policy objects but not full reporting privileges.

  • Scheduled Search API

    • Use the Scheduled Search API to generate violation reports and send them to specific users.

    • This bypasses the need for Report Admin while still delivering structured violation data.

@Santhakumar Do we have policy admin user level in ISC?

Not policy Admin it’s report Admin my bad.

I will recommend using the saved search query and making the subscription and sending it to the particular user you want to send the policy report to.

Hey @ROHPU It looks like SailPoint announced the new user level for SOD policy admin. Check out the below link for more details.

Thanks for the reply. I will look into it.