Skip to content

Role-Based Access Control (RBAC)

SailPoint Entro's RBAC feature provides granular control over user permissions, ensuring only authorized users can take actions and view relevant information across the platform.

Each user may be assigned one or more roles. When multiple roles are assigned, the user's effective permissions are the union of the capabilities of all assigned roles. Access restrictions are enforced both in the UI (hiding navigation items, buttons, and pages) and at the API layer, every endpoint re-checks the user's role server-side, and unauthorized actions return 403 Forbidden.


Roles at a Glance

SailPoint Entro defines six roles, five primary roles and one specialized integration role:

Role Intended Persona Scope
Admin Security leads, platform owners Full access to every feature, setting, and admin operation.
Operator SOC analysts, security engineers handling day-to-day ops View and act on secrets, risks, NHIs, and notifications, no settings.
Viewer Auditors, executives, read-only stakeholders Read-only access to all operational data, plus exports and comments.
Engineer DevOps and application engineers responsible for remediation Secrets, risks, NHIs and API-key self-service, seeing only items related to them.
API Key Manager Automation owners who only need to provision keys Create and delete REST API keys; minimal visibility elsewhere.
Integrator Users onboarding cloud accounts and SaaS integrations Add, edit, validate, and tag accounts, no secrets, NHIs or risk data.

Most users will have a single role. When multiple roles are assigned, effective permissions are the union of every role held.


Role Hierarchy

Admin, Operator, Viewer, Engineer, and API Key Manager form a partial hierarchy, stronger roles implicitly include the privileges of weaker ones for relative-strength checks (used for "who can act on behalf of whom" logic):

Admin
  └── Operator
        ├── Viewer
        │     └── API Key Manager
        └── Engineer
              ├── API Key Manager
              └── Integrator
  • Admin is the apex role and is stronger than every other role.

  • Operator is stronger than Viewer, Engineer, and API Key Manager.

  • Viewer is stronger than API Key Manager.

  • Engineer is stronger than API Key Manager and Integrator.

  • Integrator sits outside the main chain and is intended to complement another role rather than stand alone.

  • API Key Manager sits at the bottom of the chain.

The hierarchy governs relative strength only. The actual set of actions each role can perform is defined explicitly per role in the sections below, a role does not automatically inherit every action from the role beneath it.


Roles Defined

1. ADMIN

Persona: Security leadership, platform administrators, tenant owners.

Default landing page: Main Dashboard.

Admins have full, unrestricted access to the application. Admin is the only role that can change platform settings, manage organization policies, run operational tooling, and govern NHI owner attestation campaigns and zero trust policies.

Permissions:

  • All capabilities available to Operator, Viewer, Engineer, API Key Manager, and Integrator, plus the admin-exclusive capabilities listed below.

  • Full access to every Settings section: Alert Configuration, Risk Configuration, Organization Configuration, Webhooks, Exposed Secrets, Beta Features, Scanned Repositories Rules, Exclusion Rules, DLP Custom Patterns, User Management, Secret Type Control.

  • Manage customer configuration, organization policies, and group-to-role mapping.

  • Full access to the Employee Audit and Employee Management pages.

  • View, create, and manage NHI Owner Attestation Campaigns, including approving, disabling, and rotating campaign tokens and changing campaign owners.

  • Create, update, and delete Zero Trust Policies.

  • Manage AI Governance policy.

  • Operational tooling: create remote agents, trigger scans, generate QBR reports, accept EULA on behalf of the tenant, apply data migrations, retrieve overview stats, invoke troubleshooting APIs, and access Storybook.

Exclusions:

  • None.

2. OPERATOR

Persona: SOC analysts and security engineers running day-to-day secret and risk operations.

Default landing page: Main Dashboard.

Operators have broad view and action access across all operational surfaces. They can investigate, triage, remediate, and communicate with stakeholders, but cannot change platform settings, manage accounts, or perform admin-only operations.

Permissions:

  • Views: All Exposed Secrets (table, drawer, export), Risks (table, drawer, dashboard, comments, export), Non-Human Identities (table, drawer, dashboard, export), NHIDR Risks (table, drawer), Vault Secrets (table, drawer, dashboard, export), AI Agents (table, dashboard), Agentic AI NHI table, AI MCP table, Accounts (table, drawer), Employees (table, drawer, export), Main Dashboard, Zero Trust Policies.

  • Triage actions: Mark exposed secrets and exposed risks as "not a secret"; revalidate exposed secrets and exposed risks; revoke NHI tokens; change risk status and severity; archive risks.

  • Tagging and comments: Add and remove employee tags and exposed-secret tags; add comments to risks.

  • Remediation and communication: Create Jira tickets; send Slack, Teams, and email notifications; redact Slack messages.

  • Update zero trust state on entities.

Exclusions:

  • No access to any Settings page (including API Keys).

  • Cannot add, edit, validate, or enable/disable accounts.

  • Cannot manage organization policies or customer configuration.

  • Cannot create API keys.

  • Cannot manage NHI owner attestation campaigns.

  • Cannot create, update, or delete zero trust policies.

  • No access to admin-only operational tooling (remote agents, scans, QBR reports, troubleshooting, migrations).

  • No access to the Employee Audit or Employee Management pages.


3. VIEWER

Persona: Auditors, compliance stakeholders, executives, or any read-only consumer of platform data.

Default landing page: Main Dashboard.

Viewers have full visibility into operational data with the ability to export reports and add comments on risks, but cannot change the state of anything.

Permissions:

  • Views: The same surface as Operator, All Exposed Secrets, Exposed Risks, NHI Inventory, NHIDR Risks, Vault Secrets, AI Agents, Accounts, Employees (table and drawer), Main Dashboard, Zero Trust Policies.

  • Exports: All Exposed Secrets, NHIs, Vaults, Employees, Risks.

  • Add comments to risks.

Exclusions:

  • Any state-changing action: cannot mark as "not a secret," revalidate, revoke tokens, change risk status or severity, archive, or tag.

  • Cannot send notifications (Slack, Teams, email) or create Jira tickets.

  • Cannot manage accounts, employees, campaigns, zero trust policies, or AI policy.

  • No access to any Settings page.

  • Cannot update zero trust state on entities.


4. ENGINEER

Persona: DevOps and application engineers responsible for triaging and fixing exposed secrets and NHIs for risks in their own services, and for provisioning their own automation API keys.

Default landing page: Exposed Inventory - Engineers skip the Main Dashboard and land directly on the remediation work queue.

Engineer is a technical remediation role with a narrower lens than Operator. Engineers can work on secrets, NHIs, risks, and API keys, but do not have visibility into employees, vaults, or AI agents.

Permissions:

  • Views: All Exposed Secrets (table, drawer, export), Exposed Risks (table, drawer), NHI Inventory, NHIDR Risks, All Risks (drawer, dashboard, comments, export), Accounts (table only, no drawer), the Settings sidebar button and the Settings → API Keys tab.

  • Triage actions: Mark exposed secrets and exposed risks as "not a secret"; revalidate exposed secrets and exposed risks; revoke NHI tokens; change risk status and severity; archive risks.

  • Tagging and comments: Add comments to risks; add and remove exposed-secret tags.

  • Remediation and communication: Create Jira tickets; send Slack, Teams, and email notifications; redact Slack messages.

  • API Keys: Create and delete REST API keys.

  • Update zero trust state on entities.

Exclusions:

  • Cannot view Employees, Vault Secrets, or AI Agents.

  • Cannot add, edit, validate, or manage accounts (view-only, table, no drawer).

  • No access to any Settings section other than API Keys.

  • Cannot view or manage NHI owner attestation campaigns.

  • Cannot create, update, or delete zero trust policies.

  • Cannot manage AI policy, customer configuration, or organization policy.

  • No access to admin operational tooling.


5. API KEY MANAGER

Persona: Owners of automation or CI/CD pipelines whose only need is provisioning and rotating REST API keys - typically assigned in tightly-scoped, least-privilege environments.

Default landing page: Settings → API Keys. The role lands directly on the one page it can use.

API Key Manager is the most restricted primary role. It exists so that an individual or service identity can manage keys without being granted access to operational data. The narrow scope makes it safe to assign to service accounts or individuals who only need key-lifecycle access.

Permissions:

  • Views: The Settings sidebar button and the Settings → API Keys tab, the Exposed Secrets table (list only).

  • Actions: Create and delete REST API keys.

Exclusions:

  • Everything else. No ability to export data, modify secrets, change risk status, send notifications, or view Employees, NHI, Vaults, Accounts, Dashboards, or any Settings section other than API Keys.

6. INTEGRATOR

Persona: Users responsible for onboarding and maintaining cloud-account and SaaS integrations, without a need to see findings data.

Default landing page: Accounts & Integration page.

Integrator is a specialized role scoped to the Accounts surface. It is intended for users whose job is to connect and maintain integrations but who should not have access to the secrets, risks, or employee data those integrations produce. Integrator is commonly assigned alongside another role when a user needs integration responsibilities in addition to another scope.

Permissions:

  • Views: Accounts (table and drawer).

  • Actions: Add new accounts; edit account credentials; edit account environment configuration; enable or disable accounts; validate accounts; add and remove account tags.

Exclusions:

  • Cannot view or act on secrets, exposed secrets, exposed risks, risks, NHIs, NHIDR, vault secrets, or employees.

  • No access to any Settings page.

  • Cannot send notifications, create tickets, or manage API keys.

  • Cannot manage zero trust policies, AI policy, or NHI campaigns.

  • No access to admin-only operations.


Capability Matrix

Legend: ✅ allowed · ⬜ not allowed

Capability Admin Operator Viewer Engineer API Key Manager Integrator
Secrets
View Exposed Secrets table ✅ (related to the user)
View Exposed Secrets drawer
View Exposed Secrets dashboard
Export Exposed Secrets
Mark exposed secret as "not a secret"
Revalidate exposed secret
Add / remove exposed-secret tags
View Prevention Logs
Risks
View Risks table ✅ (related to the user)
View Risks drawer / dashboard / comments
Export Risks
Change risk status / severity
Archive risks
Add comments to risks
View Exposed Risks (table, drawer)
View Exposed Risks dashboard
Mark exposed risk as "not a secret"
Revalidate exposed risk
NHI / AI
View NHI / NHIDR / Vault ✅ (related to the user)
Export NHI / Vault
Revoke NHI tokens
View AI Agents / Agentic NHI
View AI MCP table
Manage AI Policy
Accounts
View Accounts table
View Accounts drawer
Add / edit / validate / enable / tag accounts
Employees
View Employees table / drawer
Export Employees
Add / remove employee tags
Employee Audit / Management pages
Notifications & Tickets
Send Slack / Teams / Email
Redact Slack message
Create Jira ticket
API Keys
View Settings → API Keys
Create / delete REST API key
Zero Trust
View Zero Trust Policies
Update zero trust state
Create / update / delete zero trust policy
Settings (Admin-only)
Alert / Risk / Org Config, Webhooks, Scanned Repos Rules, Exclusion Rules, User Management, Secret Type Control, Org Policies
Change customer configuration
Request new secret pattern
Configure group-to-role mapping
NHI Campaigns
View / create / manage campaigns and tokens
Help Center

Choosing the Right Role

If the user needs to… Assign
Run the platform end-to-end, including settings and policies Admin
Work daily with secrets, risks, and NHIs, and communicate with stakeholders Operator
See everything for reporting or audit, but make no changes Viewer
Remediate exposed secrets and NHI risks in their own services only Engineer
Only rotate automation API keys API Key Manager
Onboard and maintain cloud / SaaS integrations Integrator (typically alongside another role)

FAQ

Can a user have more than one role? Yes. Effective permissions are the union of all their roles' capabilities.

What happens when RBAC is disabled for a tenant? Every authenticated user behaves as an Admin. This is a legacy compatibility mode; most tenants run with RBAC enabled.

Where are roles assigned? Once SSO and SCIM are configured, managing the roles is available in Settings → User Management. Administrators manage role membership; changes take effect on the user's next sign-in.

Are role checks enforced on the API, or just the UI? Both. The UI hides items the user cannot use, and every API endpoint re-checks the user's role server-side. Bypassing the UI is not a way to gain additional privileges.

What happens if an API endpoint has no role configuration? Access defaults to Admin-only.


Groups-Roles Mapping

SAML and SCIM Provisioning allows you to define user groups within your IdP. These groups can be mapped directly to specific SailPoint Entro roles via a service provided by SailPoint Entro's authentication provider. When a user logs in via SAML, their group membership is sent in the SAML assertion, and the authentication provider maps those groups to roles within SailPoint Entro, allowing you to control access based on the user's group.

Detailed provisioning instructions for Okta and Entra ID are documented separately, see Configure Okta Groups Provisioning and Configure Entra ID Groups Provisioning.