Provision privileged access to user's privileged account only

We have multiple account types that exist across our sources (Active Directory and Entra ID), including Standard (Normal) and Admin (Privileged) user accounts.

To strengthen access governance and enforce proper security controls, we propose configuring provisioning for Access Profiles / Roles based on the type of access:

  • Standard / Normal Access should be provisioned to users’ Standard accounts.

  • Privileged Access should be provisioned strictly to users’ Admin / Privileged accounts.

Additionally, we need to enforce a control where users are restricted from requesting or submitting privileged access using their Standard / Normal accounts. All privileged access requests must be associated only with their designated Admin accounts.

This approach will help ensure proper segregation of duties, reduce security risks, and align with best practices for privileged access management.

Please review and confirm whether we can proceed with this configuration, or share any concerns/suggestions.

Hi Yogesh,

I’d recommend splitting your sources in two - one source for your standard access, and one source for your admin accounts. This ensures that your provisioning happens on the correct account based on roles / access profiles you configure.

Failing that, you can look at account selection rules (see Managing Access Profiles - SailPoint Identity Services).

Hi @yogeshthokCW ,

As mentioned by @margocbain, you can manage this by using a separate source for dedicated users.

If you prefer not to separate users across different sources, you can utilize Segments to restrict users from requesting sensitive access items in the Request Center.

For more details, refer to the documentation:
https://documentation.sailpoint.com/saas/help/requests/segments.html

Thank you.
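To make the two suggestions above concrete (an account-selection rule that binds privileged Access Profiles to the admin account, and a segment-style check that stops a standard account from requesting privileged items), here is an added illustration in plain Python. It is not SailPoint's rule or Segment API and is not code from anyone in this thread; the "adm-" naming convention for admin accounts, the identity "jdoe", and the Access Profile names are all assumptions made for the example.

```python
"""Illustrative policy model: privileged access binds only to admin accounts.

Not SailPoint's account-selection rule or Segment API; a stand-in that shows
the decision logic the thread describes. Naming convention and sample data
are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class AccountType(Enum):
    STANDARD = "standard"
    ADMIN = "admin"


@dataclass(frozen=True)
class Account:
    source: str               # "Active Directory" or "Entra ID"
    native_identity: str      # sAMAccountName / UPN on that source
    account_type: AccountType


@dataclass(frozen=True)
class Identity:
    name: str
    accounts: Tuple[Account, ...]


@dataclass(frozen=True)
class AccessProfile:
    name: str
    source: str               # source the profile's entitlements live on
    privileged: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    target: Optional[Account]
    reason: str


def classify(native_identity: str) -> AccountType:
    """Assumed naming convention (not from the thread): admin accounts are prefixed 'adm-'."""
    return AccountType.ADMIN if native_identity.lower().startswith("adm-") else AccountType.STANDARD


def select_account(identity: Identity, profile: AccessProfile) -> Account:
    """Stand-in for an account-selection rule: privileged profiles bind to the admin
    account on the profile's source, everything else to the standard account.
    Fails closed when there is no matching account or more than one."""
    wanted = AccountType.ADMIN if profile.privileged else AccountType.STANDARD
    matches = [a for a in identity.accounts
               if a.source == profile.source and a.account_type is wanted]
    if not matches:
        raise LookupError(f"{identity.name} has no {wanted.value} account on {profile.source}")
    if len(matches) > 1:
        raise LookupError(f"{identity.name} has {len(matches)} {wanted.value} accounts "
                          f"on {profile.source}; refusing to guess")
    return matches[0]


def evaluate_request(requester: Account, identity: Identity, profile: AccessProfile) -> Decision:
    """Stand-in for a segment-style request check: privileged items cannot be requested
    from a standard account, and provisioning targets the selected account only."""
    if profile.privileged and requester.account_type is not AccountType.ADMIN:
        return Decision(False, None, "privileged access must be requested from an admin account")
    try:
        target = select_account(identity, profile)
    except LookupError as exc:
        return Decision(False, None, str(exc))
    return Decision(True, target, "ok")


# Constructed sample data (hypothetical, not from the thread).
def _acct(source: str, native_identity: str) -> Account:
    return Account(source, native_identity, classify(native_identity))


JDOE = Identity("jdoe", (
    _acct("Active Directory", "jdoe"),
    _acct("Active Directory", "adm-jdoe"),
    _acct("Entra ID", "jdoe@example.com"),   # deliberately no admin account on Entra ID
))
STD_AD = JDOE.accounts[0]
ADM_AD = JDOE.accounts[1]

DOMAIN_ADMINS = AccessProfile("AD - Domain Admins", "Active Directory", privileged=True)
VPN_USERS = AccessProfile("AD - VPN Users", "Active Directory", privileged=False)
ENTRA_GLOBAL_ADMIN = AccessProfile("Entra - Global Administrator", "Entra ID", privileged=True)

if __name__ == "__main__":
    for req, prof in ((STD_AD, VPN_USERS), (STD_AD, DOMAIN_ADMINS),
                      (ADM_AD, DOMAIN_ADMINS), (ADM_AD, ENTRA_GLOBAL_ADMIN)):
        d = evaluate_request(req, JDOE, prof)
        tgt = d.target.native_identity if d.target else None
        print(f"{req.native_identity:>9} -> {prof.name:<30} allowed={d.allowed} target={tgt} ({d.reason})")
```

The two failure modes worth noticing are the ones a real deployment has to handle: a privileged request from the standard account is refused before any account lookup happens, and a privileged profile on a source where the user has no admin account fails closed instead of silently landing on the standard account. Whether you implement this by splitting the sources or by an account selection rule, that second case is the one to test.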