Custom User Levels

Admins can create up to 100 named user levels and customize what rights those user levels grant in your tenant. Custom user levels provide least privileged access, an essential part of good identity governance. Your custom user levels are unique to your specific tenant.

While you can’t edit the default user levels provided by SailPoint, admins can edit the permissions in your custom user levels.

As is the case with SailPoint’s standard user levels, users will have the combined access of all user levels assigned to them.
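Because assigned user levels combine, reviewing one level on its own understates what its holders can do. The following is an added example, not SailPoint code, and it calls no SailPoint API: it computes each identity's effective permissions as the union of its assigned levels, records which level grants each permission, and flags identities whose combined access is broader than any single level they hold. The level names, permission strings, and identities are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: hypothetical level names and permission strings,
# standing in for what an admin records from the User Levels page.
LEVELS = {
    "Helpdesk Viewer": {"identity:read"},
    "Identity Manager": {"identity:read", "identity:manage"},
    "Source Operator": {"source:read", "source:manage"},
    "Connection Admin": {"connection:manage", "source:read"},
}
ASSIGNMENTS = {
    "alice": ["Helpdesk Viewer"],
    "bob": ["Source Operator", "Connection Admin"],
    "dave": ["Helpdesk Viewer", "Identity Manager"],
}

def effective_access(assignments, levels):
    """Map identity -> {permission: sorted names of the levels granting it}."""
    result = {}
    for identity, names in assignments.items():
        granted = defaultdict(list)
        for name in names:
            for perm in levels[name]:
                granted[perm].append(name)
        result[identity] = {p: sorted(src) for p, src in granted.items()}
    return result

def exceeds_single_level(assignments, levels):
    """Identities whose combined access is broader than any one assigned level."""
    flagged = {}
    for identity, perms in effective_access(assignments, levels).items():
        combined = set(perms)
        # The union is a superset of every assigned level, so it is broader
        # than all of them exactly when it is larger than the largest one.
        widest = max((levels[n] for n in assignments[identity]),
                     key=len, default=set())
        if len(combined) > len(widest):
            flagged[identity] = sorted(combined)
    return flagged

if __name__ == "__main__":
    for identity, perms in exceeds_single_level(ASSIGNMENTS, LEVELS).items():
        print(identity, "holds combined access:", ", ".join(perms))
```

An identity that is not flagged but holds several levels, like `dave` here, has a redundant assignment: one level already contains everything the other grants.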

Adding a Custom User Level

You can add a new custom user level to your tenant.

  1. Go to Admin > Global > User Levels.
  2. Select New User Level.

    Note

    The New User Level option is disabled when your tenant has reached the maximum 100 custom user levels.

  3. On the Details page, enter a name, description, and owner for your new user level.

  4. Select Save Draft.

    A success message lets you know that your user level draft was saved.

  5. On the left navigation, select Permissions > Access.

  6. Select Select Permissions.
  7. Use the checkboxes to select access permissions to add to the custom user level.
  8. Select Add.
  9. Permissions are listed on the Access page. If you want to remove any access permissions that you've added, select Remove on that permission card.
  10. On the left navigation, select Permissions > Identity.
  11. Select Select Permissions.
  12. Use the checkboxes to select identity permissions to add to the custom user level.

    Note

    All of the Identity Read Only permissions include access to view the Identity Details page.

  13. Select Add.

  14. Permissions are listed on the Identity page. If you want to remove any identity permissions that you’ve added, select Remove on that permission card.
  15. On the left navigation, select Permissions > Connections.
  16. Select Select Permissions.
  17. Use the checkboxes to select permissions related to virtual appliance connections to add to the custom user level.
  18. Select Add.
  19. Permissions are listed on the Connections page. If you want to remove any connections permissions that you've added, select Remove on that permission card.

    Note

    After a custom user level is created, enabled, and identities are assigned, the Identities tab will show users who are assigned to the custom user level and allow you to unassign them. You are not directed to use that tab at this point because you can’t assign identities to a new user level here.

  20. On the left navigation, select Review.

  21. Review your custom user level, then select Save Draft to save an inactive draft or Apply Changes to save and apply, making your user level active and ready for use.
    • In the Apply Changes confirmation, select Cancel or Apply Changes.
  22. Select X to close the details page.
  23. The new user level appears on the User Levels page.

On the User Levels page, you can find user levels by searching by name or status, by filtering by name, description, owner, or status, or both. Columns list the following user level information:

  • Name - Name of the user level.
  • Description - Briefly describes the user level.
  • Owner - Identity that manages the user level.
  • Status - Indicates whether the user level is active and available to be assigned to users, or a draft, which cannot be assigned to users.
  • Associated identities - A count of how many identities have been assigned to the user level.
  • Actions - Actions that are available for the user level, e.g., Delete.

Assigning Custom User Levels

You can assign custom user levels to users and remove them the same way you do when working with default user levels. Refer to Setting User Level Permissions.

Managing Custom User Levels

Once you have added custom user levels to your tenant, you can edit details, add permissions, or remove permissions from them. Set user level permissions for users and remove them the same way you do with default user levels.

Editing User Level Details

You can make changes to custom user levels in your tenant.

  1. Go to Admin > Global > User Levels.
  2. Select the name of the user level you want to edit.
  3. On the User Level page, make any changes you want to the name, owner, or description.
  4. If the user level is a draft, select Save Draft on this page or on the Review page. If the user level is active, go to the Review page and select Apply Changes.

    A success message lets you know that the update was successful.

  5. Select X to close the page.

Adding User Level Permissions

You can add permissions to existing custom user levels.

  1. Go to Admin > Global > User Levels.
  2. Select the name of the user level you want to edit.
  3. On the left navigation, select Permissions > Access, Permissions > Identity, or Permissions > Connections.
  4. Select Select Permissions.
  5. Use the checkboxes to select permissions to add to the custom user level.
  6. Select Add.
  7. Review the updated permissions on the Access, Identity, or Connections page.
  8. On the left navigation, select Review.
  9. Review your custom user level, then select Save Draft to save an inactive draft or Apply Changes to save and apply, making your user level active and ready for use.
    • In the Apply Changes confirmation, select Cancel or Apply Changes.
  10. Select X to close the details page.

The new user level appears on the User Levels page.

Removing User Level Permissions

You can remove permissions from existing custom user levels.

  1. Go to Admin > Global > User Levels.
  2. Select the name of the user level you want to edit.
  3. On the left navigation, select Permissions > Access, Permissions > Identity, or Permissions > Connections.
  4. Find the permission you want to remove and select Remove on the right side of the card.
  5. On the left navigation, select Review.
  6. Review your custom user level, then select Save Draft to save an inactive draft or Apply Changes to save and apply, making your user level active and ready for use.
    • In the Apply Changes confirmation, select Cancel or Apply Changes.
  7. Select X to close the details page.

Deleting Custom User Levels

You can only delete custom user levels, not those that are provided by default. Before you can delete a custom user level, you must first remove all identities’ assignments to that user level. You can unassign identities either from the Identity List or from the User Level UI.

Unassign identities from the Identity List:

  1. Go to Admin > Identity > Identity List.
  2. Find identities and select Actions > Set User Levels.
  3. Deselect the custom user level that you want to delete.
  4. Select Save.

    A success message confirms that the update was successful.

Unassign identities from the User Level UI:

  1. Go to Admin > Global > User Levels.
  2. Find and select the user level you want to delete.
  3. From the left navigation, select Identities.
  4. Search or scroll to find the identity for whom you want to remove user level access.
  5. In the Actions column, select Unassign.

    A success message confirms that the update was successful.

Once the identities' assignments are removed and the user level is empty, you can delete the user level itself. If any identities are still assigned to the user level, an error message will let you know that it cannot be deleted because it is currently in use.

Delete the User Level:

  1. Go to Admin > Global > User Levels.
  2. Find the user level you want to delete. In the Actions column, select Delete.
  3. A success message confirms that the user level was deleted and the entry is removed from the User Levels page.