Custom User Level Matrices
Custom user levels provide least privileged access that is unique to your specific tenant. If your organization has Custom User Levels, these may be built from the access, identity, connections, Identity Graph, and governance group permissions detailed below. In each matrix, a ✓ marks the actions a permission grants on the object in that row.
Access Permissions
The following permissions are related to access.
| Object | Action | Access Profiles Read Only | Access Profiles Management | Roles Read Only | Roles Management | Entitlements Read Only | Entitlements Management | AIC Reader | AIC Author |
|---|---|---|---|---|---|---|---|---|---|
| Access Profiles | View | ✓ | ✓ |  |  |  |  |  |  |
| Access Profiles | Create |  | ✓ |  |  |  |  |  |  |
| Access Profiles | Manage |  | ✓ |  |  |  |  |  |  |
| Access Profiles | Delete |  | ✓ |  |  |  |  |  |  |
| Roles | View |  |  | ✓ | ✓ |  |  |  |  |
| Roles | Create |  |  |  | ✓ |  |  |  |  |
| Roles | Manage |  |  |  | ✓ |  |  |  |  |
| Roles | Delete |  |  |  | ✓ |  |  |  |  |
| Entitlements | View |  |  |  |  | ✓ | ✓ |  |  |
| Entitlements | Create |  |  |  |  |  | ✓ |  |  |
| Entitlements | Manage |  |  |  |  |  | ✓ |  |  |
| Entitlements | Delete |  |  |  |  |  | ✓ |  |  |
| Access Intelligence Center | View |  |  |  |  |  |  | ✓ | ✓ |
| Access Intelligence Center | Filter |  |  |  |  |  |  | ✓ | ✓ |
| Access Intelligence Center | Export |  |  |  |  |  |  | ✓ | ✓ |
| Access Intelligence Center | Create |  |  |  |  |  |  |  | ✓ |
| Access Intelligence Center | Modify |  |  |  |  |  |  |  | ✓ |
| Access Intelligence Center | Manage |  |  |  |  |  |  |  | ✓ |
| Access Intelligence Center | Delete |  |  |  |  |  |  |  | ✓ |
Identity Permissions
The following are identity read-only permissions.
| Action | Identity Read Only | Identity Details | Identity Events | Identity Accounts | Identity Access | Work Reassignment |
|---|---|---|---|---|---|---|
| View Identity Details | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View Identity Events | ✓ |  | ✓ |  |  |  |
| View Identity Accounts | ✓ |  |  | ✓ |  |  |
| View Identity Access | ✓ |  |  |  | ✓ |  |
| View Work Reassignment | ✓ |  |  |  |  | ✓ |
The following are identity management permissions.
| Object | Action | Identity Management | Identity Accounts Management | Revoke Identity Access | Enable Identity | Delete Identity | Invite Identity | Export Identity List | Export Identity Events | Set Lifecycle State | Add and Delete Work Reassignment | Process Identity | Reset Identity | Set User Levels | Reset MFA | Disable Identity | Synchronize Attributes | Reset Password |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Identities | View Identities | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Identities | Manage Identities | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
| Identities | Delete Identities | ✓ |  |  |  | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |
| Account Attributes and Objects for Identity Accounts | View | ✓ | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
| Account Attributes and Objects for Identity Accounts | Manage | ✓ | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
| Account Attributes and Objects for Identity Accounts | Remove | ✓ | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
| Access to Entitlements, Roles, and Access Profiles | Revoke | ✓ |  | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Enable Identities | ✓ |  |  | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Invite Identities | ✓ |  |  |  |  | ✓ |  |  |  |  |  |  |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Export Identity List | ✓ |  |  |  |  |  | ✓ |  |  |  |  |  |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Export System Activity Events | ✓ |  |  |  |  |  |  | ✓ |  |  |  |  |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Change a Lifecycle State | ✓ |  |  |  |  |  |  |  | ✓ |  |  |  |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Add and Delete Work Reassignment | ✓ |  |  |  |  |  |  |  |  | ✓ |  |  |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Process Identity | ✓ |  |  |  |  |  |  |  |  |  | ✓ |  |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Reset Identity | ✓ |  |  |  |  |  |  |  |  |  |  | ✓ |  |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Reset Password | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | ✓ |
| Identity Functions (with Read Only for Identities) | Reset MFA | ✓ |  |  |  |  |  |  |  |  |  |  |  |  | ✓ |  |  |  |
| Identity Functions (with Read Only for Identities) | Set User Levels | ✓ |  |  |  |  |  |  |  |  |  |  |  | ✓ |  |  |  |  |
| Identity Functions (with Read Only for Identities) | Synchronize Attributes | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  |  | ✓ |  |
| Identity Functions (with Read Only for Identities) | Disable Identity | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |  | ✓ |  |  |
The following are additional identity permissions.
| Object | Action | Identity Access History Read Only | Human and Uncorrelated Accounts Read Only | Human and Uncorrelated Accounts Management |
|---|---|---|---|---|
| Access History Page | View | ✓ |  |  |
| Human and Uncorrelated Accounts | View |  | ✓ | ✓ |
| Human and Uncorrelated Accounts | Manage |  |  | ✓ |
| Human and Uncorrelated Accounts | Remove |  |  | ✓ |
| Human and Uncorrelated Accounts | Delete |  |  | ✓ |
Connections Permissions
The following permissions are related to connections.
| Object | Action | VA Read Only | VA Management |
|---|---|---|---|
| Virtual Appliances | View | ✓ | ✓ |
| Virtual Appliances | Create |  | ✓ |
| Virtual Appliances | Manage |  | ✓ |
| Virtual Appliances | Delete |  | ✓ |
Identity Graph Permissions
The following permissions are related to Identity Graph.
| Object | Action | Identity Graph Admin | Identity Graph Read Only |
|---|---|---|---|
| Identity Graph | View | ✓ | ✓ |
| Identity Graph | Export Data | ✓ | ✓ |
| Identity Graph | Create Snapshots | ✓ | ✓ |
| Identity Graph | Actions | ✓ |  |
Governance Group Permissions
Some governance group permissions require that additional permissions are in place before they can be granted.
Prerequisites are:
- Governance Group Management - Requires Identity Accounts, which grants read-only access to identity accounts and identity details. This is required so the user can see a list of available accounts that can be added as members of the group.
- Governance Group Membership Management - Requires Governance Group Read Only so the user can access and view the Governance Group list itself, and Identity Accounts so they can see the list of available accounts that can be added as members of the group.
- Governance Group Read - No prerequisites. This permission functions independently.
The following permissions are related to governance groups.
| Object | Action | Governance Group Management | Governance Group Membership Management | Governance Group Read |
|---|---|---|---|---|
| Governance Groups | View | ✓ | ✓ | ✓ |
| Governance Groups | Add members | ✓ | ✓ |  |
| Governance Groups | Remove members | ✓ | ✓ |  |
| Governance Groups | Create groups | ✓ |  |  |
| Governance Groups | Update groups | ✓ |  |  |
| Governance Groups | Delete groups | ✓ |  |  |
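The prerequisite rules and the governance group matrix above can be checked mechanically before a custom user level is created. The following is an added example, not SailPoint code: the permission and action names are taken from this page, while the function names and the choice to treat the prose's "Governance Group Read Only" as the matrix's "Governance Group Read" are this example's own assumptions.

```python
# Encoding of the governance group prerequisites stated on this page.
# Assumption: the prose name "Governance Group Read Only" and the matrix
# name "Governance Group Read" refer to the same permission.
PREREQUISITES = {
    "Governance Group Management": {"Identity Accounts"},
    "Governance Group Membership Management": {"Governance Group Read", "Identity Accounts"},
    "Governance Group Read": set(),
}

# Actions on governance groups granted by each permission, from the matrix.
GRANTS = {
    "Governance Group Management": {"View", "Add members", "Remove members",
                                    "Create groups", "Update groups", "Delete groups"},
    "Governance Group Membership Management": {"View", "Add members", "Remove members"},
    "Governance Group Read": {"View"},
}


def missing_prerequisites(permissions):
    """Map each permission in a proposed user level to the prerequisites it lacks."""
    granted = set(permissions)
    return {p: sorted(PREREQUISITES.get(p, set()) - granted)
            for p in granted if PREREQUISITES.get(p, set()) - granted}


def effective_actions(permissions):
    """Governance group actions a valid user level can perform (sorted)."""
    gaps = missing_prerequisites(permissions)
    if gaps:  # the page says such a level cannot be granted at all
        raise ValueError(f"prerequisites not met: {gaps}")
    actions = set()
    for p in permissions:
        actions |= GRANTS.get(p, set())
    return sorted(actions)


def least_privilege_level(needed_actions):
    """Smallest single governance group permission covering the needed actions,
    plus the prerequisites it pulls in (transitively), as a sorted list."""
    needed = set(needed_actions)
    candidates = [p for p, g in GRANTS.items() if needed <= g]
    if not candidates:
        raise ValueError("no single governance group permission covers these actions")
    level = {min(candidates, key=lambda p: len(GRANTS[p]))}  # fewest extra actions
    todo = list(level)
    while todo:  # pull in prerequisites of prerequisites as well
        for req in PREREQUISITES.get(todo.pop(), set()):
            if req not in level:
                level.add(req)
                todo.append(req)
    return sorted(level)
```

Run against a proposed level, `missing_prerequisites` shows what an administrator must add before the level can be granted, and `least_privilege_level` shows the smallest set that still covers a required action such as adding members.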