Custom User Levels
If your organization has Custom User Levels, admins can create up to 100 named user levels and customize what rights those user levels grant in your tenant. Custom user levels provide least-privilege access, an essential part of good identity governance. Your custom user levels are unique to your specific tenant.
While you can’t edit the default user levels provided by SailPoint, admins can edit the permissions in your custom user levels.
As is the case with SailPoint’s standard user levels, users will have the combined access of all user levels assigned to them.
Adding a Custom User Level
You can add a new custom user level to your tenant.
- Go to Admin > Global > User Levels.
- Select New User Level.
  Note: The New User Level option is disabled when your tenant has reached the maximum 100 custom user levels.
- On the Details page, enter a name, description, and owner for your new user level.
- Select Save Draft.
  A success message lets you know that your user level draft was saved.
- From the left navigation, select Permissions.
- Select Select Permissions.
- Search or filter permissions to find those that you want to add.
  - Enter a search term, or select the Filters icon, then enter a name or description, or use the checkboxes to select the category that you want to view. Select Apply.
- Use the checkboxes to select permissions to add to the custom user level.
- Select Add.
- Permissions are listed on the Permissions page. If you want to remove any permissions that you've added, select Remove on that permission card.
  Note: All of the Identity Read Only permissions include access to view the Identity Details page.
  Note: After a custom user level is created, enabled, and identities are assigned, the Identities tab will show users who are assigned to the custom user level and allow you to unassign them. You are not directed to use that tab at this point because you can’t assign identities to a new user level here.
- From the left navigation, select Review.
- Review your custom user level, then select Save Draft to save an inactive draft or Apply Changes to save and apply, making your user level active and ready for use.
- In the Apply Changes confirmation, select Cancel or Apply Changes.
- Select X to close the details page.
- The new user level appears on the User Levels page.
On the User Levels page, you can search by name or status and filter by name, description, owner, or status to find user levels. Columns list the following user level information:
- Name - Name of the user level.
- Description - Briefly describes the user level.
- Owner - Identity that manages the user level.
- Status - Indicates whether the user level is active and available to be assigned to users, or a draft, which is not able to be assigned to users.
- Associated identities - A count of how many identities have been assigned to the user level.
- Actions - Actions that are available for the user level, e.g., Delete.
Assigning and Unassigning Custom User Levels
You can assign and unassign custom user levels to users individually in the same way as with default user levels. Refer to Setting User Level Permissions.
You can also unassign multiple users from a custom user level in bulk:
- Go to Admin > Global > User Levels.
- Select the name of a custom user level.
- From the left navigation, select Identities.
- Scroll or use the search bar to find identity names. Select the checkboxes next to the names you want to unassign from this user level.
  Note: To unassign an individual identity from this custom user level, you can select Unassign from the Actions column in that row.
- Once you have selected one or more checkboxes, you can select Unassign at the top right side of the table.
- The selected identities are immediately unassigned.
Managing Custom User Levels
Once you have added custom user levels to your tenant, you can edit details, add permissions, or remove permissions from them. Set user level permissions for users and remove them the same way you do with default user levels.
Editing User Level Details
You can make changes to custom user levels in your tenant.
- Go to Admin > Global > User Levels.
- Select the name of the user level you want to edit.
- On the User Level page, make any changes you want to the name, owner, or description.
- If the user level is a draft, select Save Draft on this page or on the Review page. If the user level is active, go to the Review page and select Apply Changes.
  A success message lets you know that the update was successful.
- Select X to close the page.
Adding User Level Permissions
You can add permissions to existing custom user levels.
- Go to Admin > Global > User Levels.
- Select the name of the user level you want to edit.
- From the left navigation, select Permissions.
- Select Select Permissions.
- Search or filter permissions to find those that you want to add.
  - Enter a search term, or select the Filters icon, then enter a name or description, or use the checkboxes to select the category that you want to view. Select Apply.
- Use the checkboxes to select permissions to add to the custom user level.
- Select Add.
- From the left navigation, select Review.
- Review the custom user level, then select Save Draft to save an inactive draft or Apply Changes to save and apply, making your user level active and ready for use.
- Select X to close the details page.
Removing User Level Permissions
You can remove permissions from existing custom user levels.
- Go to Admin > Global > User Levels.
- Select the name of the user level you want to edit.
- From the left navigation, select Permissions.
- Search or filter permissions to find those that you want to remove.
  - Enter a search term, or select the Filters icon, then enter a name or description, or use the checkboxes to select the category that you want to view. Select Apply.
- Find the permission you want to remove and select Remove on the right side of the card.
- From the left navigation, select Review.
- Review your custom user level, then select Save Draft to save an inactive draft or Apply Changes to save and apply, making your user level active and ready for use.
- Select X to close the details page.
Deleting Custom User Levels
You can only delete custom user levels, not those that are provided by default. Before you can delete a custom user level, first you must remove all identities’ assignments to that user level. You can unassign identities either from the Identity List or from the User Level UI.
Unassign identities from the Identity List:
- Go to Admin > Identity > Identity List.
- Find identities and select Actions > Set User Levels.
- Deselect the custom user level that you want to delete.
- Select Save.
  A success message confirms that the update was successful.
Unassign identities from the User Level UI:
- Go to Admin > Global > User Levels.
- Find and select the user level you want to delete.
- From the left navigation, select Identities.
- You can unassign all of the assigned identities in bulk. Select the checkbox at the top of the list to select all identities.
- Select Unassign at the top right side of the list.
- All selected identities are immediately unassigned.
  A success message confirms that the update was successful.
Once the identities' assignments are removed and the user level is empty, you can delete the user level itself. If any identities are still assigned to the user level, an error message will let you know that it cannot be deleted because it is currently in use.
Delete the User Level:
- Go to Admin > Global > User Levels.
- Find the user level you want to delete. In the Actions column, select Delete.
- A success message confirms that the user level was deleted and the entry is removed from the User Levels page.