Skip to content

Managing Roles

Roles allow you to group related sets of access, from a single source or across multiple sources, to simplify access management for your users. Roles often group access according to job functions or other shared user attributes such as departments or locations. You can then configure roles for automated provisioning or for access requests so they can be granted to your users.

You must have Provisioning to use roles.

There are two types of roles: standard and dynamic.

Standard roles group access from entitlements and access profiles and provision the access based on assignment criteria.

Dynamic roles allow you to additionally grant birthright access based on definable role dimensions. This provides for more granular access and assignment options within one role. For more information refer to Working with Dynamic Roles.

Note

In addition to org admins, who have full system access, users granted the Role Admin or Role Sub-admin user levels can also create, manage, and edit roles.

  • Role Admins can do this for all roles.
  • Role Sub-admins can perform these actions only for roles they are authorized for.

Creating Roles

  1. Go to Admin > Access Model > Roles.

  2. Select Create New.

  3. Complete the Configuration page to define the role's most basic information.

  4. Select Save.

The role has been saved and will appear in the Roles list. It will need further configuration for access and assignments before it can be enabled.

Configuring Roles

Once you've created a role, you can define its basic details.

  1. Select Standard or Dynamic for Role Type.

  2. In the Name field, enter a unique and descriptive name for your role.

  3. Select the Owner drop-down list to choose an identity to own this role. This identity can be configured as an approver in access requests or certifications.

  4. In the Description field, provide additional details about the role and the access it grants. This field allows a maximum of 2,000 characters.

    Best Practice

    Provide user-friendly, informative names and descriptions for your roles. Both are visible in certifications, access requests, and approvals. A detailed description will improve the quality and speed of reviewer decisions.

  5. Select Common Access if this role represents access that applies to large sets of users in your organization, generally granted only through automated processes. This field is present for customers who have licensed AI-driven Identity Security.

    Designating a role as Common Access means it will be omitted from access request recommendations in the Request Center.

  6. Select Save.

Optional Role Configuration

You have the option to complete additional role configuration on the following tabs:

  • Define Assignment – Specify criteria for automatic role assignment. For more information, refer to Automating Role Assignment.
  • Access Requests – Enable access requests on a role and set a review process for requests. For more information, refer to Configuring Roles for Requests.

Managing Role Access

Roles can contain entitlements and access profiles. Each role should contain at least one entitlement or access profile.

To add access items to a role:

  1. Select the Manage Access tab.

  2. Select Add Access.

  3. Select Entitlements or Access Profiles, depending on what access you want to add.

  4. Select the checkboxes next to the access items that will be added to the role. Access items that are already assigned to a role have an Assigned status in the Assigned to Roles column.

  5. Select Review.

  6. If you want to remove any of the access items from the list, select the X action for that item.

  7. Select Add Access.

To remove access items from a role:

  1. On the Manage Access tab, select Entitlements or Access Profiles.

  2. Select the Remove action for the access item to be removed. If you decide to keep the access item in the role, select the Cancel action.

  3. Once you have finished removing access items, select Save.

Enabling Roles

Roles usually get enabled after automated assignment criteria are configured or when they are enabled for access requests.

To enable a role:

  1. Go to Admin > Access Model > Roles.
  2. Select Edit for the role you want to enable.
  3. Select Enable Role.

Important

Any new or updated role configurations must be applied to your identities through identity processing. Refer to Applying Changes for details.

Working with Dynamic Roles

In addition to standard roles comprised of access profiles and entitlements, dynamic roles allow you to grant birthright access based on definable role dimensions. The dimension criteria determine which users are assigned the dimension and are provisioned with the dimension's access items.

Dynamic roles provide more granular access and assignment options within a single role, instead of having multiple, separate roles with mostly overlapping access.

For example, a retail store chain could have one, dynamic store clerk role that has a dimension for each location. Each location dimension will have criteria mapping the clerk’s store location to the location-related access they need for their job.

Dynamic roles require configuration of dimensional attributes and dimensions. Once you have configured a role with the Dynamic role type, you can select Edit for the dynamic role to access these tabs.

Enabling Dimension Attributes

You must enable identity attributes to be selectable in role dimensions.

  1. Select the Dimension Attributes tab.
  2. Select the checkboxes under Enable for Dimensions for the identity attributes you want to be available.
  3. Select Save.

Creating Role Dimensions

To use role dimensions with dynamic roles, you must create the dimension, configure the criteria, and add access items.

To add a dimension to a role:

  1. Select the Dimensions tab.
  2. Select Create New.
  3. On the Configuration page, give the dimension a Name and meaningful Description.
  4. Select Save.

To configure the dimension criteria:

  1. Select the Dimension Criteria tab where you will use enabled dimension attributes to define the dimension and which identities will be assigned the role dimension.
  2. Select an Attribute.
  3. Type values in the Values field, pressing enter after each value.
  4. After all attribute values have been entered, select + Add Criteria.
  5. Continue adding criteria attributes and values until the dimension criteria is complete.
  6. Select Save.

To add access to the dimension:

  1. Select the Manage Access tab.
  2. Select Add Access.
  3. On the Add Access page, select entitlements and access profiles to add to the dimension.
  4. Select Review.
  5. Review the listed access items that will be included in the dimension.
  6. If necessary, remove items by selecting X, and use the Back button to add more items on the previous screen.
  7. When the reviewed access items are as you want them, select Add Access.
  8. When all access items have been added, select Save.

Once all desired dimensions have been configured, you can enable the role.

If you later delete a dimension from a role, the dimension is removed from identities, but not the access.

Editing Roles

You can change most of the attributes you defined for the role while creating it.

To edit an existing role:

  1. Go to Admin > Access Model > Roles.

    You can search for a specific role based on characters contained in the role name. You can also use the Sort icon to sort roles by their name, the date they were last modified, or the date they were created.

  2. Select Edit on the role you want to edit.

  3. Make changes to the role’s configuration, dimensions, access, assignment criteria, or access request configurations. Select Save on each page you change.

Important

Changing a role's type from Dynamic to Standard deletes all associated dimensions and dimensional configurations.

Removing Access from a Role

Changing a role definition to remove access from it does not result in entitlement removal from the identities who have the role. This applies to any of these actions:

  • Removing access profiles from the role
  • Removing entitlements from the role
  • Removing entitlements from an access profile associated with the role
  • Deleting an access profile previously attached to the role
  • Deleting a role
  • Deleting a dimension from a role

In each of these cases, the entitlements remain in place for the identities but become independent from the changed/deleted role or access profile.

Revoking Entitlements with Role Changes

If you need to revoke entitlements for users based on role changes, you must:

  1. Define and assign a new role with the access you want the users to retain.

    • For auto-provisioned roles, specify its assignment criteria to match the old role and let identity processing assign the new role.
    • For roles managed by access requests, request the new role for the users.
  2. Remove the old role from all users.

    • For auto-provisioned roles, change the role’s assignment criteria so users do not meet it and let identity processing revoke the old role from the users.
    • For roles managed by access requests, use a certification or manager removal request to revoke the old role from users.
  3. Delete the old role once you verify that it is no longer needed.

Important

  • Deprovisioning entitlements does not remove source accounts, even if the accounts were created by role provisioning or if all entitlements are removed from the account.
  • If any of the role’s entitlements overlap with another assigned role for the user, the user will retain the entitlements for the role they still have.

Deleting Dimensions

When deleting a dimension from a dynamic access role, the dimension is automatically removed from all identities that hold the dimension. The access included in the dimension is not removed from the identities, but it is no longer associated with the dimension.

Applying Changes

Role configuration changes are not immediately applied to identities. When a user's identity attributes change, event-based processing can adjust role assignments and provision access changes based on the new information. Otherwise, you must select Apply Changes on the role list page to initiate identity processing for all identities in your organization, to recalculate users’ access based on your changes.

Best Practice

For best system performance, wait to select Apply Changes until you are ready to apply the whole set of configuration changes to your whole set of identities. Selecting it for roles, access profiles, or applications automatically processes all three.

Disabling or Deleting a Role

You can temporarily or permanently disable roles, or you can delete them if you no longer need them.

To disable a role:

  1. Go to Admin > Access Model > Roles.

  2. Select Actions > Edit on the role you want to edit.

  3. Select the Enable Role toggle to turn it off.

To delete a role:

  1. Go to Admin > Access Model > Roles.

  2. Select Actions > Delete on the role you want to edit. You can also select the checkbox beside the name of each role you want to delete and select the Delete button.

Disabling or deleting a role has these implications:

  • Removes the role from the Request Center
  • Prevents future automated assignment of the role
  • Removes the role from your identities
  • Does not deprovision the role’s access for identities which previously held it. Identities will keep entitlements they were granted through this role, but they will no longer be associated with the role.

Viewing Role Assignments

  1. Go to Admin > Access Model > Roles.

  2. Select View Details for a role to view its details.

  3. Select Identities in the details overlay.

The Details overlay for roles. The Identities option is selected.

This list includes identities who obtained this role through automated assignment and access requests.

Revoking Requested Roles

Roles obtained through an access request can be revoked from the user by an administrator with Admin, Role Admin, or Role Sub-admin access to the role. Auto-assigned roles cannot be manually revoked.

  1. Go to Admin > Access Model > Roles.

  2. Select View Details on a role card to view its details.

  3. Select Identities in the details overlay.

  4. Select an identity from the list.

  5. Select Revoke. This option only appears if the role was granted through a request.

  6. Enter a Comment about the revocation and select Revoke.

  7. Refresh the page to see the user immediately removed from the list.

Notes

  • Revocation of the role's entitlements from the user's source account may be automatic and immediate or may require the source owner to complete a manual task.
  • No notification is sent for this administrative revocation, but the action is captured in audit records.

Tip

Managers can also initiate revocation of requested roles for members of their team.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.