Role Sub-Admin User Level

The changes in IdentityNow that allow the direct assignment of entitlements to Roles seem to impact how the Role Sub-Admin user level can restrict the scope of role management.

Documentation on User Level Permissions - SailPoint Identity Services

“they can create, manage, and edit roles with access profiles only on sources that are associated with the governance groups they are members of”

If we have roles where we want to use only direct addition of entitlements, and no access profiles, what are or will be our options to restrict management of those Roles to specific sets of users? As is, a role with no Access Profiles can be modified by any Role sub-admin.


Hi Kurt,

Thank you for bringing this to our attention. It appears that our documentation is out of date with this new change to roles, and we have a ticket (SAASDOCS-6754) to update the docs. In the meantime, here is what the documentation will say regarding this new functionality.

A user with the Role Sub-admin user level has the same permissions for Search and reports as Role Admins. However, they can create, manage, and edit roles with access profiles and entitlements only on sources that are associated with the governance groups they are members of. Role Sub-admins can also view and work with roles that do not have access profiles or entitlements.

I opened a support case on this as well, and still waiting for validation.

But from what I have experienced, a Role Subadmin can change ANY aspect of any role, where the only limitation is the ability to add entitlements or profiles from a source they own. They can otherwise change name, description, remove entitlements, change criteria, change approvals.


Curious if anyone else is able to replicate this. I have been able to do so in both our Sandbox and Production environments:

1 - Create a Role
2 - Add 1+ entitlements to the role, no Access Profiles
3 - Have an Identity with Role Subadmin, who neither owns that role nor has Governance Group ownership of the source from which the entitlements originate, log in
4 - See what of the Role you created that individual is able to modify. Expect it to be name, description, criteria, approvals
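An added example, not from this thread or from SailPoint, that models the documented scoping rule quoted in the staff reply next to the looser behaviour reported above, and audits constructed role data for roles where the two disagree; the class and field names are assumptions, not the IdentityNow API.

```python
# Added example: models the Role Sub-admin scoping rule quoted in the thread
# and the reported behaviour, over constructed role data. All names are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    access_profile_sources: frozenset  # sources of the role's access profiles
    entitlement_sources: frozenset     # sources of directly assigned entitlements


@dataclass(frozen=True)
class SubAdmin:
    name: str
    governed_sources: frozenset        # sources tied to their governance groups


def documented_scope(admin: SubAdmin, role: Role) -> bool:
    """Documented rule: a Role Sub-admin manages a role only if every access
    profile and entitlement on it comes from a source they govern. A role with
    neither access profiles nor entitlements is open to any Role Sub-admin."""
    used = role.access_profile_sources | role.entitlement_sources
    return used <= admin.governed_sources


def observed_allows(admin: SubAdmin, role: Role, action: str, source=None) -> bool:
    """Reported behaviour: name, description, criteria, approvals and removals
    are unrestricted; only adding access is limited to governed sources."""
    if action == "add_access":
        return source in admin.governed_sources
    return True


def audit(admins, roles):
    """Roles a sub-admin could edit (per reported behaviour) although the
    documented rule would keep them out of scope: the governance gap."""
    return [(a.name, r.name) for a in admins for r in roles
            if observed_allows(a, r, "edit_name") and not documented_scope(a, r)]


# Constructed sample data (not real tenants, sources or roles).
ADMINS = [SubAdmin("hr-subadmin", frozenset({"Workday"})),
          SubAdmin("ad-subadmin", frozenset({"Active Directory"}))]
ROLES = [Role("HR Analyst", frozenset({"Workday"}), frozenset()),
         Role("AD Helpdesk", frozenset(), frozenset({"Active Directory"})),
         Role("Empty Role", frozenset(), frozenset())]

if __name__ == "__main__":
    for admin, role in audit(ADMINS, ROLES):
        print(f"{admin} can edit '{role}' outside documented scope")
```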
