Restricting Access Profile Visibility to Multiple Departments Using Transforms and Segments in SailPoint ISC

Introduction

In many organizations, Access Profiles should not be visible to all users in the Request Center.

For example:

  • HR Access Profiles should be visible only to HR users

  • Finance Access Profiles should be visible only to Finance users

While SailPoint Identity Security Cloud (ISC) allows scoping Access Profiles using Segments, the UI condition builder allows selecting only one value at a time for certain attributes.

If we need to restrict visibility to multiple departments (e.g., HR and Finance) under a single logical condition, we need a more flexible approach.

In this blog, we’ll see how to:

  • Create a custom identity attribute using a transform

  • Use that attribute to build a Segment

  • Scope an Access Profile to that Segment

Use case

We want an Access Profile to be visible only to users who belong to the following departments:

  • HR

  • Finance

Instead of creating separate Segments or complex UI conditions, we create a Department Segment identity attribute using a transform and use it in segmentation.

Prerequisites

  • Admin access to SailPoint ISC

  • An identity source, such as an authoritative source, that provides the department attribute

  • Basic familiarity with transforms and Identity Profiles

Step 1: Set up Postman

Before creating the transform, we need to configure Postman with the SailPoint ISC API collection and environment. If you already have a workspace configured for SailPoint ISC, you can skip to Step 2.

  1. Open Postman and create a new workspace (or use an existing one).
  2. Navigate to the SailPoint Postman Collections page:
    Postman Collections | SailPoint Developer Community
  3. Select the relevant API collection and click Run in Postman to import it into your workspace.
  4. Similarly, import the SailPoint Environment collection by clicking Run in Postman in the Configure your environment section of the same page.
  5. Update the following environment variables in Postman:
Variable Description
tenant Your ISC tenant name (e.g., company.identitynow.com)
clientId Personal Access Token client ID
clientSecret Personal Access Token secret

  1. To generate your clientId and clientSecret:
  • Log in to your SailPoint ISC tenant.
  • Go to Account → Preferences → Personal Access Tokens.
  • Click New Token, enter a justification, set an expiry date, and select the sp:scopes:all scope. (For this example, sp:scopes:all was used for simplicity; in production environments, it is recommended to grant only the scopes required for the intended operation).
  • Copy the clientId and clientSecret, update them in your Postman environment, and click Save.

  1. To validate that Postman is configured correctly, select the environment and navigate to Collections → Identity Security Cloud V3 API → Sources → Lists All Sources in IdentityNow, then click Send. A 200 success response confirms the setup is working.

Note: Make sure to select the correct environment from the environment dropdown in Postman before sending any request. Requests will fail if no environment is selected.

Step 2: Create the Department Segment transform

With Postman configured, we can now create the transform using the ISC Transforms API.

  1. In Postman, navigate to Transforms → Create transform (/v3/transforms endpoint).
  2. Set the request method to POST and ensure the correct environment is selected.
  3. Below is the transform used to derive the identity attribute. Paste it into the Body tab (raw, JSON format).
  4. When the transform is created successfully, Postman returns a 201 Created response.
{
	"name":"Department Segment",
	"type":"static",
	"attributes":{
		"dept":{
			  "type": "firstValid",
			  "attributes": {
			   "values": [
					{
						"type": "accountAttribute",
						"attributes": {
							"sourceName":"Authoritative Source",
							"attributeName":"Department"
						}
					},
					"None"      
				]
			}
			
		},
		"value":"#set($departments=['HR','Finance'])#set($flag='')#foreach($i in $departments)#if($i==$dept)Yes#set($flag='no')#break#end#end#if($flag!='no')No#end"
	}
	
}

The transform has two parts:

  • dept (firstValid): Reads the department attribute from the authoritative source. Falls back to ‘None’ if the attribute is missing or empty.
  • value (Velocity script): Loops through the allowed departments list. If the identity’s department matches one of the configured department values (HR or Finance), the transform returns ‘Yes’. Otherwise, it returns ‘No’.

Understanding the Velocity logic

Velocity snippet What it does
#set($departments=[‘HR’,‘Finance’]) Defines a list containing the allowed departments
#set($flag=‘’) Initializes an empty flag variable
#foreach($i in $departments) Loops through each item in the departments list
#if($i==$dept)Yes If the identity’s department matches, output ‘Yes’
#set($flag=‘no’)#break Sets the flag and exits the loop early
#if($flag!=‘no’)No#end If no match was found, output ‘No’

Step 3: Create the identity attribute (Department Segment)

Map the transform output to a new identity attribute so the Segment can use it as a filter criterion.

  1. Log in to SailPoint ISC.
  2. Go to Admin → Identity Management → Identity Profiles and open the relevant Identity Profile.
  3. Click the Mappings tab, then click Add Attribute.
  4. Set the attribute name to Department Segment (technical name: departmentSegment).

  1. Select the Department Segment transform.

image

  1. Save the changes.
  2. Preview the changes to confirm the output before applying the changes to all identities.

  1. Identities in the HR or Finance departments should show the Department Segment attribute value as Yes, while identities from other departments should show No.

  1. Click Apply Changes.

Step 4: Create the Segment

With the Department Segment attribute populated, create a Segment that includes only identities where its value is ‘Yes’.

  1. Go to Admin → Access Model → Segments → New.
  2. Name it Department Segment.

  1. Under Define Segment, choose Identity Attribute “Department Segment” as the filter type and set Value to ‘Yes’.

  1. Check the identity count preview to confirm it’s capturing the right population and save it.
  2. Under Define Access, add the relevant Access Profile and click Save.

  1. Review the Segment and click Done.

  1. Enable the Segment to apply the changes.

Once the changes are applied, the Access Profile is visible in the Request Center only to HR and Finance departments. The Access Profile is not displayed in the Request Center for identities outside the Segment.

Step 5: Validate the results

Before the Segment is enabled: The Access Profile is visible to all users in the Request Center. In the screenshot below, the Access Profile Segment_Test_AP appears in the catalog for a user who is not part of the HR or Finance department.

After the Segment is enabled: Once the Segment is enabled, the Access Profile Segment_Test_AP does not appear for a user outside HR and Finance. It is hidden from their view.

End-to-end flow

  1. Identity processing runs, Department Segment transform reads department attribute from the authoritative source.
  2. For HR or Finance employees, Department Segment attribute is set to ‘Yes’.
  3. For all others, Department Segment is set to ‘No’.
  4. The Segment includes all identities where Department Segment attribute equals ‘Yes’.
  5. Access Profiles attached to this Segment appear only for those identities in the catalog.
  6. If an employee changes departments, the attribute is updated during the next identity processing and visibility adjusts automatically.

Conclusion

Using transforms with Segments provides a flexible and scalable way to restrict Access Profile visibility based on multiple department values.

This approach can be extended further for:

  • Role-based segmentation

  • Location-based access visibility

  • Lifecycle state-based scoping

By using transforms, we move beyond UI limitations and design more governance-aligned access models in SailPoint ISC.

Note: Access request segmentation capabilities may evolve over time as SailPoint continues to enhance the platform. The transform-based approach described in this blog is particularly useful when multiple attribute values need to be grouped into a single segment condition.

5 Likes

Very clever workaround for Segments. Thanks for sharing.

2 Likes

Awesome workaround..!

1 Like