Access Overview

Managing and securing access is key to governing identities in the cloud. Identity Security Cloud governs the following types of access:

Entitlements

Entitlements represent access rights on sources. Basic entitlement information can be aggregated with accounts, but performing regular entitlement-specific aggregations allows you to aggregate additional details about entitlements, as well as entitlements that don't belong to any users.

Nearly anywhere entitlements are visible, you can select them to find more information about them. In addition, you can view the following information about entitlements from select sources:

  • Cloud Access Details - If your site licenses a SailPoint cloud access solution, you can view cloud access data related to entitlements on a source with cloud access. You can mark entitlements as Cloud Enabled by creating or editing cloud-enabled entitlement types.
  • Permissions - Permissions represent individual units of read/write/admin access to a system. If you have any direct or indirect permissions on your supported sources, they can be aggregated as well. Direct permissions are aggregated as entitlements, and indirect permissions appear in the attributes of an entitlement.
  • Relationships - View the parent and child relationships each entitlement has.
  • Type - Some sources support multiple types of entitlements, each with a different attribute schema. You can view the type of entitlement.

You can view these details about entitlements everywhere entitlements are displayed in your site.

Notes

  • Not all sources support entitlement types, permissions, or relationships. Refer to the source's connector documentation to find out whether it supports those attributes.
  • Newly created sources of supported types can aggregate entitlement types and permissions automatically. To configure an existing source to support this functionality, update the entitlement schema associated with the source by submitting an API call with the Update Source Schema (Full) endpoint.
  • Entitlements can't be deleted directly from Identity Security Cloud. Entitlements are deleted based on their inclusion in aggregations. Visit Deleting Entitlements for more information.

Entitlements are used in many features, including:

  • Certifications: Entitlements can be revoked from an identity that doesn't need them anymore.
  • Roles: Role membership criteria can grant roles to identities based on whether they have an entitlement.

One of the most important functions of an entitlement is its use in access profiles.

Access Profiles

Access profiles are bundles of entitlements, representing a specific set of access from a source. They're the most important unit of access in Identity Security Cloud, and they're used in many features, including:

  • Provisioning: Using the Provisioning service, lifecycle states and roles both grant access to users in the form of access profiles.
  • Certifications: Access profiles can be approved or revoked in certification campaigns, just like entitlements.
  • Access Requests: You can assign access profiles to access applications, which group those access profiles under the application and make them easier for users to find. Users can then request the access profiles to receive the bundled set of access for their accounts.

For more information, refer to Configuring Access Applications.
