RBAC guidance with 100s of internal roles

We’ve been using ISC for some time (was IDN when we started) and primarily just for birthright access and AD roles.

We’ve taken on new systems since and provide access to these systems via entitlement allocation. We currently use Roles, and this works well for the small subset of users as it’s in the pilot stage, but this doesn’t use any internal roles for the logic, just a training requirement.

Going forward this will be rolled out across the organisation and the end user’s internal role will dictate which entitlements are allocated (along with the aforementioned training). The crux of the issue is that we have 100s of internal roles and configuring all of these with the requisite logic (LCS, training, internal role) is very daunting.

My question is, what’s the best practice going forward to handle this large number of internal roles?

AND between groups, and OR within groups.

Always do it in the same order with the ‘must haves’ first followed by the role-specific criteria. That way, when you export your role config from VSC, error checking becomes way simpler.

It’s a very common challenge when scaling access provisioning in SailPoint Identity Security Cloud (ISC, formerly IDN). Here’s a breakdown of best practices and recommendations for handling hundreds of internal roles and associated entitlement logic in a scalable and manageable way.

Here are streamlined best practices:

  1. Use Dynamic Roles
    Define roles using user attributes (e.g., department, title, location, training) instead of creating one role per job. This reduces manual role management.
  2. Decouple Logic from Roles
    Track training completion via a user attribute. Don’t bake it into each role. This keeps logic centralized and maintainable.
  3. Leverage Access Request Policies
    For non-birthright access, allow entitlements to be requested based on user attributes like internal role and training status.
  4. Group and Rationalize Roles
    Combine similar internal roles into broader business roles. Aim to reduce 100s of roles to manageable access layers (base access, business function, conditional add-ons).
  5. Consider Layered Role Design
    Use tiers:
      • Base access (everyone)
      • Functional roles (based on job)
      • Conditional access (based on training/location)

This approach scales better and is easier to manage in the long term. Let me know if you need help creating a role mapping.
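The two replies above (AND between criteria groups with the must-haves first, and a layered base / functional / conditional role design) can be modelled and checked offline before anything is configured in the tenant. The following is an added example, not code from SailPoint or from either poster: it builds criteria trees shaped like ISC's role membership criteria JSON (that shape, the attribute names such as `cloudLifecycleState`, `internalRole`, `training` and `location`, and the sample identities are all assumptions or constructed data), evaluates them, and shows how a handful of functional roles can stand in for many internal roles.

```python
"""Evaluate role-membership criteria (AND/OR groups over identity attributes)
against constructed sample identities and derive the resulting entitlements."""

# Constructed sample identities; attribute names and values are assumptions.
IDENTITIES = {
    "alice": {"cloudLifecycleState": "active", "internalRole": "Nurse",
              "training": "complete", "location": "UK"},
    "bob":   {"cloudLifecycleState": "active", "internalRole": "Nurse",
              "training": "pending", "location": "UK"},
    "carol": {"cloudLifecycleState": "inactive", "internalRole": "Pharmacist",
              "training": "complete", "location": "IE"},
    "dave":  {"cloudLifecycleState": "active", "internalRole": "Pharmacist",
              "training": "complete", "location": "IE"},
}


def leaf(prop: str, value: str, op: str = "EQUALS") -> dict:
    """One comparison node, shaped like a criteria child (the shape is an assumption)."""
    return {"operation": op,
            "key": {"type": "IDENTITY", "property": f"attribute.{prop}"},
            "stringValue": value}


def group(op: str, *children: dict) -> dict:
    """An AND or OR node over child criteria."""
    return {"operation": op, "children": list(children)}


def any_of(prop: str, values: list[str]) -> dict:
    """OR within a group: the attribute may hold any of the listed values."""
    return group("OR", *(leaf(prop, v) for v in values))


def build_role_criteria(must_haves: list[dict], role_specific: list[dict]) -> dict:
    """AND between groups, must-haves first so exported configs line up for review."""
    return group("AND", *must_haves, *role_specific)


def evaluate(node: dict, identity: dict[str, str]) -> bool:
    """Recursively evaluate a criteria tree against one identity's attributes."""
    op = node["operation"]
    if op == "AND":
        return all(evaluate(c, identity) for c in node["children"])
    if op == "OR":
        return any(evaluate(c, identity) for c in node["children"])
    prop = node["key"]["property"].removeprefix("attribute.")
    actual = identity.get(prop, "")
    expected = node["stringValue"]
    if op == "EQUALS":
        return actual == expected
    if op == "NOT_EQUALS":
        return actual != expected
    if op == "CONTAINS":
        return expected in actual
    raise ValueError(f"unsupported operation {op}")


# The same must-have group is reused by every non-base role (training decoupled).
MUST_HAVES = [leaf("cloudLifecycleState", "active"), leaf("training", "complete")]

# Layered design: base access, a functional role covering several internal
# roles, and a conditional add-on. Entitlement names are constructed.
ROLES = {
    "Base Access": {
        "criteria": group("AND", leaf("cloudLifecycleState", "active")),
        "entitlements": ["email", "intranet"]},
    "Clinical Staff": {
        "criteria": build_role_criteria(
            MUST_HAVES, [any_of("internalRole", ["Nurse", "Pharmacist"])]),
        "entitlements": ["ehr-read"]},
    "Dispensing (IE)": {
        "criteria": build_role_criteria(
            MUST_HAVES, [any_of("internalRole", ["Pharmacist"]), leaf("location", "IE")]),
        "entitlements": ["pharmacy-dispense"]},
}


def assigned_roles(identity: dict[str, str]) -> list[str]:
    """Names of the roles whose criteria the identity satisfies."""
    return [name for name, role in ROLES.items() if evaluate(role["criteria"], identity)]


def assigned_entitlements(identity: dict[str, str]) -> list[str]:
    """Sorted union of entitlements granted by all matching roles."""
    granted = set()
    for name in assigned_roles(identity):
        granted.update(ROLES[name]["entitlements"])
    return sorted(granted)


if __name__ == "__main__":
    for who, attrs in IDENTITIES.items():
        print(who, assigned_roles(attrs), assigned_entitlements(attrs))
```

Because every role's criteria tree is built by `build_role_criteria`, the must-have group always appears in the same position, which is what makes a diff of exported role JSON readable; adding a new internal role usually means adding one value to an `any_of` list rather than a new role.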
