Managing Lifecycle User Roles
User roles define the permissions and level of access granted to an end user of the system, as well as which users are allowed access to the admin console.
You can create and manage custom user roles within Lifecycle with extremely granular controls. In addition, there are two default user roles within the product that can grant users specific permissions related to profile types.
Refer to Managing Administrators for details on creating the administrator role.
Note
Lifecycle roles can't be applied to portal users, and collaboration roles can't be applied to lifecycle users. Refer to Collaboration User Roles to create and manage collaboration roles for portal users.
Roles can be assigned to users in two ways:
- By assigning roles to the users in the form of entitlements, within Identity Security Cloud.
- Based on the permissions sent by your identity provider in the SAML assertion.
By default, new tenants have the Use Identity Security Cloud Entitlements for Roles setting enabled, so lifecycle roles are granted through entitlements assigned within Identity Security Cloud.
Important
Use caution when changing the Use Identity Security Cloud Entitlements for Roles setting. If roles are already assigned to users, changing it can cause those users to lose access to Non-Employee Risk Management.
Assigning Roles with Identity Security Cloud
You can configure your tenant to grant roles to your users automatically within Identity Security Cloud. This allows those roles to be governed, in the form of entitlements, within Identity Security Cloud, through processes such as certification campaigns and lifecycle states.
Prerequisites:
- You have created a Non-Employee Risk Management Users source within Identity Security Cloud.
- The Use Identity Security Cloud Entitlements for Roles setting is set to ON. You can verify this setting in Admin > System > Authentication on the ISC AUTHENTICATION tab.
Important
Use caution when updating this setting. If you have roles assigned to users already, updating this setting can cause your current users to lose access to Non-Employee Risk Management.
To prevent your users from losing access when you enable this setting, make sure that your Non-Employee Risk Management Users source has been set up correctly and has aggregated users and entitlements at least once. Only then enable the Use Identity Security Cloud Entitlements for Roles setting.
To manage Non-Employee Risk Management roles as entitlements using Identity Security Cloud:
- Go to Admin > Lifecycle > User Roles.
- On the ASSIGNABLE ROLES tab, select the + New Role button. Create one role for each role you want to assign in your tenant:
  - Enter a unique name for the role. The UID is generated automatically from the name. You can modify it while creating the role, but it can't be edited later.
  - Select the Private checkbox to hide this role from users on the user dashboard within the profile's CONTRIBUTORS tab.
  - Assign permissions to your role. Refer to Assigning Permissions to Roles below.
  - Select Create.
- When you have finished creating roles, go to Identity Security Cloud.
- Within Identity Security Cloud, go to Admin > Connections > Sources and select the Non-Employee Risk Management Users source.
- In Entitlement Management, select Entitlement Aggregation.
- Select Start Aggregation. The roles you created earlier within Non-Employee Risk Management are aggregated into Identity Security Cloud as entitlements.
- Assign those entitlements to the Identity Security Cloud users who will be given Non-Employee Risk Management access. Users can be assigned an entitlement in any way that entitlements are granted. For example:
  - The entitlement can be added to an access profile that is marked as requestable, and users can request access to it.
  - The entitlement can be added to an Identity Security Cloud role that is assigned to users automatically.
  - The entitlement can be added to an access profile that is added to a lifecycle state and assigned to users automatically.
- When provisioning is configured for your Non-Employee Risk Management Users source, those identities are provisioned to your Non-Employee Risk Management tenant. The entitlements assigned to them are provisioned with them, and the corresponding roles are assigned to those users within Non-Employee Risk Management.
Assigning Roles with your Identity Provider
You can configure specific groups from your identity provider's SAML assertion to grant roles to Non-Employee Risk Management users.
Prerequisite:
- The Use Identity Security Cloud Entitlements for Roles setting is set to OFF. You can verify this setting in Admin > System > Authentication on the ISC AUTHENTICATION tab.
Important
Use caution when updating this setting. If you have roles assigned to users already, updating this setting can cause your current users to lose access to Non-Employee Risk Management.
To prevent your users from losing access when you disable this setting, ensure that your users have been granted the appropriate groups within your identity provider and that those groups are assigned to roles within Non-Employee Risk Management. After this, you can disable the Use Identity Security Cloud Entitlements for Roles setting.
To manage Non-Employee Risk Management roles using your identity provider:
- Go to Admin > Lifecycle > User Roles.
- On the DIRECTORY GROUPS tab, select the + New Role button.
- In the BASIC SETTINGS section:
  - Enter a unique name for the role. The UID is generated automatically from the name. You can modify it while creating the role, but it can't be edited later.
  - Select the Private checkbox to hide this role from users on the user dashboard within the profile's CONTRIBUTORS tab.
  - In the Directory groups field, enter the complete and exact names of one or more groups from your identity provider. Users who hold one or more of these groups are granted this role and the access that comes with it. For the role to be applied to a user, these group names must be included in the groups attribute of the SAML assertion your identity provider sends during authentication.
- Assign permissions to your role. Refer to Assigning Permissions to Roles below.
- Select the Create button.
Your roles are now created and are granted to users with the appropriate groups when they authenticate for the first time.
Assigning Permissions to Roles
In the PERMISSIONS section, choose the permissions you want users with this role to have.
- In the Application section, choose the application-level access users with this role should have within your Non-Employee tenant: for example, whether they can perform bulk approvals and rejections of requests, perform bulk cancellations of requests, add contributors to a profile, or delegate their assigned work to other users.
Note
To perform bulk approvals and rejections, approval workflows must have the Allow bulk approval or rejection setting enabled.
- In the Profile Access section, choose the access this role should grant to the profile types in your tenant. If you choose All Users With This Role, users with this role can manage profiles in that profile type. If you choose Only Contributors, users with this role won't be able to manage profiles in this profile type unless they are already marked as a profile contributor for the profile.
Selecting a profile type in this section grants users the access you select in the Attributes and Workflows sections for this profile type.
- In the Attributes section, choose whether users with this role can view or edit attributes on the profiles they can access, or whether they should have no access to those attributes.
- In the Workflows section, choose which workflows users with this role should be allowed to execute on the profiles they're assigned to. Users with this role who don't have permission to execute workflows can still approve or deny requests associated with the workflow, complete fulfillment tasks, and contribute to the workflow in other ways.
- Under API Access, choose the types of API calls users with this role should be permitted to make related to a variety of functions within Non-Employee. This doesn't impact what the users can access within the UI. This section is only available to customers using a legacy on-premise implementation.
Note
When a user has more than one role, including the default roles, the permissions applied to that user for a profile type are cumulative: the user receives the union of the permissions granted by all of their roles. A more restrictive role never removes access granted by another role, so review every role a user holds when evaluating their effective access.
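To make the directory-group matching described under Assigning Roles with your Identity Provider and the cumulative-permissions rule above concrete, here is an added Python model. It is example code, not SailPoint's implementation. It assumes the identity provider places group names in a SAML attribute named groups, treats group matching as exact and case-sensitive, and models "cumulative" as the union of workflow permissions plus the highest attribute access level per profile type; those are assumptions about the product's behaviour. The role names, group names, profile types and the sample assertion are all constructed for illustration.

```python
"""Illustrative model of directory-group role matching and cumulative permissions.

Added example, not SailPoint code. Assumptions: the IdP sends group membership
in a SAML attribute named "groups"; group names must match exactly (including
case); "cumulative" means the union of workflow permissions and the highest
attribute access level per profile type.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>contractor.manager@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>NERM-Contractor-Managers</saml:AttributeValue>
      <saml:AttributeValue>NERM-Vendor-Viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed role definitions; names, groups and profile types are hypothetical.
ROLES = {
    "Contractor Manager": {
        "directory_groups": {"NERM-Contractor-Managers"},
        "permissions": {"Contractor": {"attributes": "edit", "workflows": {"Offboard Contractor"}}},
    },
    "Vendor Viewer": {
        "directory_groups": {"NERM-Vendor-Viewers", "NERM-Vendor-Auditors"},
        "permissions": {"Vendor": {"attributes": "view", "workflows": set()}},
    },
    "Contractor Reader": {
        # Wrong case: exact matching means the sample assertion never grants this role.
        "directory_groups": {"nerm-contractor-managers"},
        "permissions": {"Contractor": {"attributes": "view", "workflows": set()}},
    },
}

ATTR_RANK = {"none": 0, "view": 1, "edit": 2}


def groups_from_assertion(xml_text, attribute_name="groups"):
    """Return the set of group names carried in the named SAML attribute."""
    root = ET.fromstring(xml_text)
    groups = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                groups.add((value.text or "").strip())
    return groups


def roles_for_groups(groups, roles=ROLES):
    """A role is granted when the user holds at least one of its directory groups (exact match)."""
    return sorted(name for name, role in roles.items() if role["directory_groups"] & groups)


def effective_permissions(role_names, roles=ROLES):
    """Combine permissions cumulatively: union of workflows, highest attribute level per profile type."""
    effective = {}
    for name in role_names:
        for profile_type, perm in roles[name]["permissions"].items():
            current = effective.setdefault(profile_type, {"attributes": "none", "workflows": set()})
            if ATTR_RANK[perm["attributes"]] > ATTR_RANK[current["attributes"]]:
                current["attributes"] = perm["attributes"]
            current["workflows"] |= set(perm["workflows"])
    return effective


def roles_without_directory_groups(roles=ROLES):
    """Pre-flight check before switching to identity-provider role assignment:
    a role with no directory group can no longer be granted to anyone."""
    return sorted(name for name, role in roles.items() if not role["directory_groups"])


if __name__ == "__main__":
    held = groups_from_assertion(SAMPLE_ASSERTION)
    granted = roles_for_groups(held)
    print("groups:", sorted(held))
    print("roles:", granted)
    print("effective:", effective_permissions(granted))
    print("roles with no directory group:", roles_without_directory_groups())
```

The sample user holds two groups and therefore receives two roles; the "Contractor Reader" role is not granted because its configured group name differs only in case, which is the practical meaning of "complete and exact names". The combined result grants edit access on the Contractor profile type even though a view-only role exists, which is what the cumulative rule implies. The final helper is the kind of check worth running before disabling the Use Identity Security Cloud Entitlements for Roles setting: any role that no directory group maps to would silently stop being granted.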
Editing a Custom Lifecycle Role
You can view and edit existing custom roles.
- Go to Admin > Lifecycle > User Roles. On the ASSIGNABLE ROLES or DIRECTORY GROUPS tab, whichever your tenant uses, you can see the active and archived user roles in your tenant.
- Make any necessary changes to the roles on the list. The possible changes are described below.
Update Roles in Bulk
You can make some changes to the roles in your tenant in bulk.
- Select the checkbox beside the roles you want to edit. To select all roles, select the checkbox next to the NEPROFILE GROUP ROLES header.
- Select the ellipsis icon next to the Actions button to display the available actions:
  - Archive - Immediately deactivates the selected roles and moves them to the Archived tab.
  - Unarchive - Immediately activates the selected roles and moves them to the Active tab.
  - Export - Generates a JSON file containing the metadata about the selected roles and any related configuration. When the file has been generated, select Download to save the metadata to a local file.
Update an Individual Role
You can make updates to the details and permissions for a specific role.
- Select the name of the role you want to edit.
- In the BASIC SETTINGS section, make any necessary changes to the name and other settings for the role.
Note
- The UID of a role can't be edited once the role has been created.
- Removing a group from the Directory groups list causes users with that group to lose access to the role, unless they have another group in the list.
- In the PERMISSIONS section, make any necessary changes to the permissions this role grants to users. Users with this role have their permissions updated when you save the role.
- Select Save.