Rights and Capabilities for Identities

IdentityIQ uses a security model based on rights that are granted to users, to control access to product features. These rights (also called SPRights) turn on or off menus, tools, pages, and tabs in the UI, and thus can limit the actions users can take within IdentityIQ.

Capabilities group one or more access rights within IdentityIQ, and are used to group rights logically by job function, streamlining their assignment to users or workgroups.

Rights tend to be limited and granular, and are often used in combination to provide full access to a feature or area of the UI. The granular nature of rights helps administrators fine-tune access, allowing them, for example, to give read-only or view-only privileges to some users in a given feature while allowing other users full access to that feature, including creating, editing, and deleting data.

There are several ways capabilities can be assigned to users, or used in other ways in IdentityIQ:

  • Identities can have capabilities assigned directly to them. This is done via Identities > Identity Warehouse > User Rights tab.

  • Workgroups can have capabilities assigned to them, and users who are members of the workgroup inherit the capabilities. This is done via Setup > Groups > Workgroups tab.

  • Certifications can include the capabilities assigned to users as part of the access being reviewed and certified.

  • Quicklink Populations can include assigned capabilities as part of their membership criteria; in other words, you can create Quicklink Populations (dynamic scopes) based on assigned capabilities.

Mapping Rights to Capabilities

IdentityIQ provides a wide variety of pre-defined capabilities out of the box. The rights associated with each capability can vary from release to release of IdentityIQ. With each release, SailPoint publishes a matrix of rights and capabilities on Compass. You can find a list of all these matrices here: IdentityIQ Capabilities Matrix - All Versions

In addition, a document on Compass provides definitions of all the individual SPRights in IdentityIQ. See IdentityIQ Rights and Capabilities - Definitions.

You can view the rights associated with each capability at the object level, via the Debug Pages. In Debug, choose Capability as the object type, then select a capability to view. Rights are defined in the <RightRefs> element.
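The following is an added example, not SailPoint code or a published matrix: it parses Capability objects in the shape the Debug page shows (each capability's SPRights listed as <Reference> children of <RightRefs>) and builds a rights-to-capabilities matrix for an access review. The export and the right names (ViewIdentity, FullAccessIdentity) are constructed and illustrative; check real names against the Compass definitions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample export (illustrative right names, not a real matrix):
# a view-only capability and an administrative one that also grants it.
SAMPLE_EXPORT = """<sailpoint>
  <Capability name="IdentityViewer" displayName="capability_identity_viewer">
    <RightRefs>
      <Reference class="sailpoint.object.SPRight" name="ViewIdentity"/>
    </RightRefs>
  </Capability>
  <Capability name="IdentityAdmin" displayName="capability_identity_admin">
    <RightRefs>
      <Reference class="sailpoint.object.SPRight" name="ViewIdentity"/>
      <Reference class="sailpoint.object.SPRight" name="FullAccessIdentity"/>
    </RightRefs>
  </Capability>
</sailpoint>
"""


def capability_rights(xml_text):
    """Return {capability name: sorted SPRight names} from an exported XML string."""
    root = ET.fromstring(xml_text)
    # A single-object export has <Capability> as root; a bulk export wraps in <sailpoint>.
    caps = [root] if root.tag == "Capability" else root.findall("Capability")
    result = {}
    for cap in caps:
        rights = {ref.get("name") for ref in cap.findall("RightRefs/Reference")
                  if ref.get("class") == "sailpoint.object.SPRight"}
        result[cap.get("name")] = sorted(rights)
    return result


def rights_to_capabilities(cap_rights):
    """Invert the mapping: for each right, which capabilities grant it."""
    inverted = defaultdict(set)
    for cap, rights in cap_rights.items():
        for right in rights:
            inverted[right].add(cap)
    return {right: sorted(caps) for right, caps in inverted.items()}


def full_access_capabilities(cap_rights):
    """Capabilities granting any 'FullAccess*' right: review these before assigning
    them where a view-only capability was intended."""
    return sorted(cap for cap, rights in cap_rights.items()
                  if any(r.startswith("FullAccess") for r in rights))


if __name__ == "__main__":
    matrix = capability_rights(SAMPLE_EXPORT)
    for right, caps in sorted(rights_to_capabilities(matrix).items()):
        print(f"{right}: {', '.join(caps)}")
    print("Full-access capabilities:", full_access_capabilities(matrix))
```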