Temporary Admin Access with Roles in Identity Security Cloud

In organizations, there are often scenarios where employees require temporary administrative access to systems or applications for a specific duration. This could be for maintenance activities, system upgrades, or other time-bound tasks. Granting permanent administrative privileges poses a security risk, as it increases the attack surface and the potential for misuse. To address this concern, SailPoint Identity Security Cloud provides a feature that allows for temporary administrative access through the use of roles with sunset dates.

Creating a Role with Administrative Privileges

  1. Navigate to the “Roles” section in the Identity Security Cloud console.
  2. Click on “Create Role” and provide a descriptive name for the role (e.g., “Helpdesk Admin Access”).
  3. Assign the necessary entitlements or permissions required for administrative access from the source “IdentityNow”.
  4. Save the role and navigate to the “Access Requests” tab.
  5. Under the “Request” section, enable the option to make the role requestable.
  6. Check “Require Approval” and select Approvers of the role.
  7. Save and Enable the role.

Available ISC Entitlements Admin Levels

Identity Security Cloud provides a wide range of entitlements that can be assigned to roles for administrative access. These entitlements are typically organized into different levels, such as:

Requesting the Role from the Request Center

  1. Navigate to the “Request Center” section in the UI.

  2. Search for the role you created (e.g., “Helpdesk Admin Access”).

  3. Click on the role and follow the prompts to initiate the request process.

  4. Provide any required information or justification for the temporary access.
    image

  5. Set Expiration Date for when this access should expire.

  6. Submit the request, which will then follow the configured approval workflow.

Access Granted and Automatic Revocation

  1. Once the request is approved, the role with temporary administrative privileges will be granted to the requestor.

  2. The requestor can now perform the necessary administrative tasks during the specified time window.

  3. When the sunset date is reached, the role will automatically be revoked, and the temporary administrative access will be removed.

By implementing this process, organizations can strike a balance between granting necessary administrative access and maintaining a secure environment. The temporary nature of the access, combined with the automatic revocation upon expiration, minimizes the risk of privileged access misuse and ensures compliance with security policies and regulations.

5 Likes

@atarodia, did it work for you?

I created the role without an approver, included the “Helpdesk” entitlement, and submitted the role request. I can confirm that I see the “Helpdesk” entitlement for the user under the “Access” tab. However, the USER LEVELS shows “–”. Additionally, when I check the same user using the API v3/auth-users/idOfTheIdentityFromUI, I see null in capabilities.

image

@Sushantmr,

Yes, it does work for me.

@atarodia, I see the audit events for user, but the “USER LEVELS” field isn’t updating.

Could you please test for a new user with “–” as the “USER LEVEL” and check if the “USER LEVEL” updates after adding IdentityNow entitlement?

Hi @Sushantmr,

Thanks for noticing this.
Interesting, when I try to see User Levels, it doesn’t show up there but it shows here:

And in the tenant account of the Identity as well:

It looks like an API sync issue to me, when you add (from old UI) any other permission (other than Helpdesk which is granted through Role), the capability shows up:

image

I too attempted to grant helpdesk role using this process, and It is not showing up in my user’s capabilities.

My user has the HELPDESK entitlement granted via a role.

But that value isn’t persisted to the user levels

And another thing I noticed is when an Identity who got this role tried to login to the tenant, they will see the admin tab (confirming that they have the access) but the tab isn’t opening and after login user gets a 403 forbidden error message.

Access granted can be seen through cc api and Search but for some reason it is not being synced properly.

@atarodia Firstly thanks for the detailed blog. Adding user level entitlements to roles will ease the process to add temporary admin access.
Could you please provide an update if this has been working for you? I even tried implementing this for CERT_ADMIN. But the highlighted issues still persist.

1 Like

@Samanyu I am still researching on a workaround but till then you can make use of method by @colin_mckibben mentioned in this blog:

1 Like