Skip to content

Access Overview

Managing and securing access is key to governing identities in the cloud. IdentityNow governs the following types of access:


Entitlements represent access rights on sources. Basic entitlement information can be aggregated with accounts, but performing regular entitlement-specific aggregations allows you to aggregate additional details about entitlements, as well as entitlements that don't belong to any users.

Nearly anywhere entitlements are visible, you can select them to find more information about them. In addition, you can view the following information about entitlements from select sources:

  • Cloud Access Details - If your site licenses a SailPoint cloud access solution, you can view cloud access data related to entitlements on a source with cloud access. You can mark entitlements as Cloud Enabled by creating or editing cloud-enabled entitlement types.
  • Permissions - Permissions represent individual units of read/write/admin access to a system. If you have any direct or indirect permissions on your supported sources, they can be aggregated into IdentityNow. Direct permissions are aggregated as entitlements, and indirect permissions appear in the attributes of an entitlement.
  • Relationships - View the parent and child relationships each entitlement has.
  • Type - Some sources support multiple types of entitlements, each with a different attribute schema. You can view the type of entitlement.

You can view these details about entitlements everywhere entitlements are displayed in your site.


  • Not all sources support entitlement types, permissions, or relationships. Refer to the source's connector documentation to find out whether it supports those attributes.
  • Newly created sources of supported types can aggregate entitlement types and permissions automatically. To configure an existing source to support this functionality, update the entitlement schema associated with the source by submitting an API call with the Update Source Schema (Full) endpoint.
  • Entitlements can't be deleted directly from IdentityNow. Entitlements are deleted based on their inclusion in aggregations. Visit Deleting Entitlements for more information.

Entitlements are used in many IdentityNow features, including:

  • Certifications: Entitlements can be revoked from an identity that doesn't need them anymore.
  • Roles: Role membership criteria can grant roles to identities based on whether they have an entitlement.

One of the most important functions of an entitlement is its use in access profiles.

Access Profiles

Access profiles are bundles of entitlements, representing a specific set of access from a source. They're the most important unit of access in IdentityNow, and they're used in many features, including:

  • Provisioning: Using the Provisioning service, lifecycle states and roles both grant access to users in the form of access profiles.
  • Certifications: Access profiles can be approved or revoked in certification campaigns, just like entitlements.
  • Access Requests: Assigning access profiles to apps allows your users to request access to an app. If the request is approved, the app and the access profile associated with it are granted to the user.