I am trying to enforce segmentation for my organization but for some odd reason, it is not working as per the segment documentation.
So I have created 2 segments and defined the identity criteria and roles for each of them. However, the identity in Segment A is still able to view the role I have defined in Segment B. I know it takes a while for the segmentation to kick in and sync, but this has been over a week. Any help with what I am missing will be appreciated.
Hi @skillz007 ,
Try the below troubleshooting steps:
- Pick one affected user in ISC.
- Navigate to ISC → Access Model → Segments tab.
- Confirm which segment(s) the user belongs to. If the user is in both A and B → adjust your identity criteria. If the user is only in A → check if the role in B was directly assigned or tied to an entitlement/group outside segmentation.
Thanks
Hello Manish,
I can confirm that the criteria for selecting those identities are different. Therefore, the identities (and also the role) in Segment A are not included in Segment B and vice versa. The role in Segment A is not yet assigned to any identity, as it has only just been included in that segment, but theoretically that role in Segment A should not be seen by identities in Segment B irrespective of whether I've assigned the role to identities in Segment A or not.
Please share the configuration screenshot of the segments that you have defined in your tenant.
Note: When a user in a segment visits the Request Center, they are usually presented with the access items/roles defined in their segment and all other access items/roles that are not included in any segment. So, make sure that all roles whose visibility you want to restrict are present in some segment.
Hello,
Just be sure that the identities that you are testing are not org admins; segments do not apply to them!
Segments is a feature that really struggles with sync, maybe delete and create a new one!!
Hello Manish,
I have checked this and ensured that the users are not org admins and also that the roles are well defined in the segment. I completely understand that the user will only see roles/access in their segments and any other roles/access that are not in any other segment. But this is not the outcome.
Yeah, it really does have a lot of bad reviews from the posts I have read here so far. Hopefully SailPoint will have a look at it and improve it. I will share the config here, and if I can't get any help, I'll delete it and recreate.
I created a few segments and it worked fine for me. Can you check by invoking the API:
What is the value populated in the visibleSegments attribute for the user who is seeing multiple segments?
{{baseUrl}}/identities
It may also happen that visibleSegments was populated for that user, and later you changed the criteria and it didn't get refreshed.
Thanks for the response Vishal,
I have not changed the criteria since I configured it last week. Also, I just checked the visibleSegments on the identity and can confirm the value is what is expected and matches the configured segments. However, the identity is still able to see the role configured in another segment.
I am hoping that the same role is not added in both segments. I would recommend creating a SailPoint support ticket.
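An offline consistency check for the two points raised above (a role placed in more than one segment, and roles in no segment being visible to everyone), added here as an example and not code from the thread or from SailPoint. It assumes a simplified export: `SEGMENTS` maps a segment name to the roles it contains, and each identity record carries the `visibleSegments` list the identities endpoint returns; the sample data is constructed to mirror the thread (MIC only in Segment B).

```python
from collections import defaultdict

# Constructed sample data (assumed shape, not the real ISC API response):
# two segments, one role each, plus one role in no segment at all.
SEGMENTS = {
    "Segment A": {"Role-A"},
    "Segment B": {"Role-B"},
}
ALL_ROLES = {"Role-A", "Role-B", "Role-Shared"}  # Role-Shared is unsegmented
IDENTITIES = [
    {"name": "MIC", "visibleSegments": ["Segment B"]},
    {"name": "user1", "visibleSegments": ["Segment A"]},
]


def roles_in_multiple_segments(segments):
    """Roles that appear in more than one segment (a misconfiguration)."""
    owners = defaultdict(set)
    for seg, roles in segments.items():
        for role in roles:
            owners[role].add(seg)
    return {role: segs for role, segs in owners.items() if len(segs) > 1}


def unsegmented_roles(all_roles, segments):
    """Roles in no segment: shown to every requester regardless of segment."""
    covered = set().union(*segments.values()) if segments else set()
    return all_roles - covered


def expected_visible_roles(identity, all_roles, segments):
    """Roles a non-admin requester should see, given their visibleSegments."""
    visible = set(unsegmented_roles(all_roles, segments))
    for seg in identity.get("visibleSegments", []):
        visible |= segments.get(seg, set())
    return visible


def unexpected_roles(identity, observed_roles, all_roles, segments):
    """Roles the user actually sees in the Request Center but should not."""
    return set(observed_roles) - expected_visible_roles(identity, all_roles, segments)


if __name__ == "__main__":
    mic = IDENTITIES[0]
    seen = {"Role-A", "Role-B", "Role-Shared"}  # constructed: what MIC reports seeing
    print("unexpected for MIC:", unexpected_roles(mic, seen, ALL_ROLES, SEGMENTS))
```

If the check reports a role as unexpected while visibleSegments is correct and the role sits in exactly one segment, the configuration itself is consistent and the remaining suspects are sync or a direct assignment outside segmentation.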
Yes, you are correct. The roles in each segment are not replicated. I will post a screenshot of my segment configuration just in case anyone can spot if I got something wrong before I raise a support ticket.
Please find below the configuration of my segments:
Segment A
- Attribute criteria. Note only 6 users are returned here and the user MIC is not part of them.
- Role in the segment
Segment B
- Attribute criteria. Note only MIC is returned here and is the only user in this segment
- Role in the segment
- User in Segment B seeing the role in Segment A. Basically MIC is seeing the role I have configured in Segment A, and the user is not an admin (no Admin tab at the top).