In organizations, there are often scenarios where employees require temporary administrative access to systems or applications for a specific duration. This could be for maintenance activities, system upgrades, or other time-bound tasks. Granting permanent administrative privileges poses a security risk, as it increases the attack surface and the potential for misuse. To address this concern, SailPoint Identity Security Cloud provides a feature that allows for temporary administrative access through the use of roles with sunset dates.
Creating a Role with Administrative Privileges
Navigate to the “Roles” section in the Identity Security Cloud console.
Click on “Create Role” and provide a descriptive name for the role (e.g., “Helpdesk Admin Access”).
Check “Require Approval” and select Approvers of the role.
Save and Enable the role.
Available ISC Entitlements Admin Levels
Identity Security Cloud provides a wide range of entitlements that can be assigned to roles for administrative access. These entitlements are typically organized into different levels, such as:
The requestor can now perform the necessary administrative tasks during the specified time window.
When the sunset date is reached, the role will automatically be revoked, and the temporary administrative access will be removed.
By implementing this process, organizations can strike a balance between granting necessary administrative access and maintaining a secure environment. The temporary nature of the access, combined with the automatic revocation upon expiration, minimizes the risk of privileged access misuse and ensures compliance with security policies and regulations.
I created the role without an approver, included the “Helpdesk” entitlement, and submitted the role request. I can confirm that I see the “Helpdesk” entitlement for the user under the “Access” tab. However, the USER LEVELS shows “–”. Additionally, when I check the same user using the API v3/auth-users/idOfTheIdentityFromUI, I see null in capabilities.
Could you please test for a new user with “–” as the “USER LEVEL” and check if the “USER LEVEL” updates after adding IdentityNow entitlement?
It looks like an API sync issue to me: when you add (from the old UI) any other permission (other than Helpdesk, which is granted through the role), the capability shows up:
Another thing I noticed is that when an identity who got this role tries to log in to the tenant, they see the admin tab (confirming that they have the access), but the tab doesn't open and after login the user gets a 403 Forbidden error message.
The granted access can be seen through the cc API and Search, but for some reason it is not being synced properly.
@atarodia Firstly thanks for the detailed blog. Adding user level entitlements to roles will ease the process to add temporary admin access.
Could you please provide an update if this has been working for you? I even tried implementing this for CERT_ADMIN. But the highlighted issues still persist.
I still see that this issue persists. I submitted a role request containing the “ORG_ADMIN” entitlement from the IdentityNow source. The role request was submitted successfully and I can see that entitlement on the identity, but the user level is still blank:
You need to add an additional step for this to work: add a workflow with the trigger “Access Request Decision” that calls patch-auth-user (SailPoint Developer Community) to assign the capability, use the wait action to wait until the sunset date of the request, and then use the same call to remove the assignment.
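As an added illustration of that workaround (constructed example, not code from the original post or from SailPoint): the two patch-auth-user bodies a workflow would send, one on the access request decision and one after waiting out the sunset date. It assumes a placeholder tenant base URL and bearer token; the identity id and capability names are constructed samples, and `capabilities` may come back as `null` for an identity that has never held a user level, as reported above.

```python
"""Build the patch-auth-user calls for the grant (on Access Request Decision)
and the revoke (at sunset). Constructed example, not SailPoint's own code."""
import json
from datetime import datetime, timezone
from urllib.request import Request, urlopen

# Placeholder tenant base URL (assumption); replace with your own tenant.
BASE_URL = "https://TENANT.api.identitynow.com"


def desired_capabilities(current, capability, grant):
    """Capability list after granting or revoking one capability.
    `current` may be None (null in the API response), so treat it as empty;
    granting is idempotent and revoking leaves other user levels untouched."""
    caps = list(current or [])
    if grant:
        if capability not in caps:
            caps.append(capability)
    else:
        caps = [c for c in caps if c != capability]
    return caps


def capabilities_patch(current, capability, grant):
    """JSON Patch body for PATCH /v3/auth-users/{id}: replace /capabilities
    with the full computed set rather than only the one being changed."""
    return [{"op": "replace", "path": "/capabilities",
             "value": desired_capabilities(current, capability, grant)}]


def seconds_until_sunset(sunset_iso, now_iso=None):
    """Delay for the workflow wait step; 0 if the sunset date already passed."""
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    now = to_dt(now_iso) if now_iso else datetime.now(timezone.utc)
    return max(0, int((to_dt(sunset_iso) - now).total_seconds()))


def patch_auth_user(identity_id, body, token):
    """Send the patch to the tenant (network call; not exercised offline)."""
    req = Request(f"{BASE_URL}/v3/auth-users/{identity_id}",
                  data=json.dumps(body).encode(), method="PATCH",
                  headers={"Authorization": f"Bearer {token}",
                           "Content-Type": "application/json-patch+json"})
    with urlopen(req) as resp:
        return json.load(resp)
```

Grant with `capabilities_patch(current, "ORG_ADMIN", True)` when the request is approved, sleep for `seconds_until_sunset(sunset)`, then send `capabilities_patch(current, "ORG_ADMIN", False)`; re-read the auth user before the revoke so capabilities added in between are preserved.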
Thanks @atarodia for the insights. I think that's a good workaround.
However, shouldn't this functionality work without workflows being involved? This seems to be a native way of assigning user capabilities, but somehow it doesn't update the user level in that case.