Multiple Group Object Source Policies
Policy examples for Role

Required for Multiple Group Object Source and must be assigned to the Role of the AWS Account that needs to be managed.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"organizations:ListPoliciesForTarget",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"organizations:ListAccounts",
"organizations:ListTargetsForPolicy",
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:ListParents",
"organizations:ListOrganizationalUnitsForParent",
"organizations:DescribePolicy",
"organizations:ListPolicies",
"organizations:ListTagsForResource"
],
"Resource": "*"
}
]
}

Required for Multiple Group Object Source and must be assigned to the Role of the AWS Account that needs to be managed.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetPolicyVersion",
"iam:ListServiceSpecificCredentials",
"iam:ListMFADevices",
"iam:ListSigningCertificates",
"iam:GetGroup",
"iam:ListSSHPublicKeys",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedGroupPolicies",
"iam:ListRolePolicies",
"iam:ListAccessKeys",
"iam:ListPolicies",
"iam:GetRole",
"iam:GetPolicy",
"iam:ListGroupPolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:ListGroups",
"iam:GetGroupPolicy",
"iam:GetUser",
"iam:GetRolePolicy",
"iam:GetLoginProfile",
"iam:ListEntitiesForPolicy",
"iam:GetAccessKeyLastUsed",
"iam:ListUserTags",
"iam:ListRoleTags",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}

Required for Multiple Group Object Source and must be assigned to the Role of the AWS Account that needs to be managed.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:UpdateLoginProfile",
"iam:CreateGroup",
"iam:DeleteAccessKey",
"iam:DeleteGroup",
"iam:AttachUserPolicy",
"iam:DeleteUserPolicy",
"iam:UpdateAccessKey",
"iam:AttachRolePolicy",
"iam:DeleteUser",
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:CreatePolicy",
"iam:CreateLoginProfile",
"iam:RemoveUserFromGroup",
"iam:AddUserToGroup",
"iam:DetachRolePolicy",
"iam:DeleteSigningCertificate",
"iam:AttachGroupPolicy",
"iam:DeleteRolePolicy",
"iam:DetachGroupPolicy",
"iam:DetachUserPolicy",
"iam:DeleteGroupPolicy",
"iam:DeleteLoginProfile"
],
"Resource": "*"
}
]
}

Activity Insights policies are required to pull activity data, in the form of events such as user logins, password changes, and content updates within the application. These policies must be assigned to the Role of the AWS Account that needs to be managed. If you are licensed for Activity Insights, you must add this permission to see activity data for the connector.
Important
Contact your SailPoint Customer Success Manager (CSM) for more information on Activity Insights. For more information on utilizing activity data, refer to Activity Insights.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudtrail:Get*",
"cloudtrail:Describe*",
"cloudtrail:List*",
"cloudtrail:LookupEvents"
],
"Resource": "*"
}
]
}
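
Before attaching any of these policies to the Role, it helps to confirm that the JSON parses and to list which actions change IAM state. The following review script is an added example, not SailPoint code. The sample document is constructed from a few actions taken from the policies above, and the read-only verb list is a naming heuristic assumed for this example, not an AWS classification.

```python
import json

# Constructed sample: one read action and three write actions from the IAM
# policies on this page, plus two of the CloudTrail actions, in one document.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["iam:GetUser", "iam:CreateAccessKey", "iam:AttachRolePolicy"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["cloudtrail:Get*", "cloudtrail:LookupEvents"],
     "Resource": "*"}
  ]
}
"""

# Assumption: action verbs with these prefixes are treated as read-only.
READ_VERBS = ("Get", "List", "Describe", "Lookup")

def as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def review_policy(text):
    """Return (findings, mutating_actions) for a policy document string.

    Raises ValueError if the text is not valid JSON (for example a missing brace).
    """
    doc = json.loads(text)
    findings, mutating = [], []
    if doc.get("Version") != "2012-10-17":
        findings.append("unexpected Version")
    for i, stmt in enumerate(as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            if not verb.startswith(READ_VERBS):
                mutating.append(action)
                if unscoped:
                    findings.append(f"statement {i}: {action} allowed on Resource *")
    return findings, mutating

if __name__ == "__main__":
    for line in review_policy(SAMPLE_POLICY)[0]:
        print(line)
```

The findings are review prompts for whoever approves the Role, for example to record why write actions are granted on every resource in the managed account.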