User Level Access Matrix
The following table shows the Identity Security Cloud pages and components that are accessible from the most common user levels. Refer to User Level Permissions for more information about each level.
For information about Data Access Security User Levels and Configuration Hub User Levels, follow the links at the bottom of this page.
Note
Multiple user levels can be granted to a user; however, the following cannot be assigned at the same time:
- Role Admin and Source Sub-Admin
- Role Sub-Admin and Source Admin
- Role Sub-Admin and Role Admin
- Source-Sub Admin and Source Admin
- Source Admin and Source Configuration Assignee
The user's access is cumulative across all granted user levels.
Best Practice
Org Admin should not be assigned with any other elevated user level, such as Source Sub-Admin, Role Sub-Admin, or Helpdesk Admin. The Org Admin already has all rights enabled on all sources, and when assigned with other elevated user levels they can overlap in a way that may unintentionally curtail the Org Admin rights.
| Admin | Cert Admin | Helpdesk Admin | Report Admin | Role Admin Sub-Admin | Source Admin Sub-Admin | Source Configuration Assignee | Cloud Gov Admin/User | Identity Graph Admin | Identity Graph Read Only | End User | |
| Technical Name | ORG_ADMIN | CERT_ADMIN | HELPDESK | REPORT_ADMIN | ROLE_ADMIN ROLE_SUBADMIN | SOURCE_ADMIN SOURCE_SUBADMIN | SOURCE_CONFIG_ASSIGNEE | CLOUD_GOV_ADMIN CLOUD_GOV_USER |
IDENTITY_GRAPH_ADMIN | IDENTITY_GRAPH_READ_ONLY | |
| Details | Details | Details | Details | Details | Details | Details | Details | Details | |||
| Admin | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Dashboard | ✓ | ✓ | ✓ | ✓ |
| Overview | ✓ | ✓ | ✓ | ✓ | |||||||
| Access Intelligence Center | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Aggregation Activity | ✓ | ✓ | ✓ | ✓ | |||||||
| Tasks | ✓ | ✓ | ✓ | ✓ | |||||||
| Monitor | ✓ | ✓ | ✓ | ✓ | |||||||
| Identity Management | ✓ | ✓ | ✓ | ||||||||
| Identities | ✓ | ✓2 | ✓5 | ||||||||
| Machine Identities | ✓ | ✓ | ✓ | ✓4 | |||||||
| Accounts | ✓ | ✓ | ✓3 | ✓6 | |||||||
| Access History | ✓ | ✓ | ✓4 | ||||||||
| Identity Profiles | ✓ | ||||||||||
| Outliers | ✓ | ✓ | ✓4 | ||||||||
| Governance Groups | ✓ | ||||||||||
| Activities | ✓ | ✓4 | |||||||||
| Access Model | ✓ | ✓ | ✓ | ||||||||
| Entitlements | ✓ | ✓1 | ✓4 | ||||||||
| Access Profiles | ✓ | ✓1 | ✓4 | ||||||||
| Roles | ✓ | ✓1 | ✓4 | ||||||||
| Role Insights | ✓ | ✓ | |||||||||
| Metadata | ✓ | ✓4 | |||||||||
| Segments | ✓ | ||||||||||
| Applications | ✓ | ||||||||||
| Connections | ✓ | ✓ | |||||||||
| Sources | ✓ | ✓1 | |||||||||
| Virtual Appliances | ✓ | ||||||||||
| Integrations | ✓ | ||||||||||
| Multi-Host Sources | ✓ | ||||||||||
| Admin | Cert Admin | Helpdesk Admin | Report Admin |
Role Admin Sub-Admin |
Source Admin Sub-Admin |
Source Configuration Assignee | Cloud Gov Admin/User | Identity Graph Admin | Identity Graph Read Only | End User | |
| Certifications | ✓ | ✓ | ✓ | ||||||||
| Campaigns | ✓ | ✓ | ✓ | ||||||||
| Campaign Filters | ✓ | ✓ | |||||||||
| Password Mgmt | ✓ | ||||||||||
| Policies | ✓ | ||||||||||
| Sync Groups | ✓ | ||||||||||
| Global | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Reports | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| System Settings | ✓ | ||||||||||
| Additional Settings | ✓ | ||||||||||
| GenAI Settings | ✓ | ✓ | |||||||||
| Security Settings | ✓ | ||||||||||
| Email Templates | ✓ | ||||||||||
| Grant Tenant Access | ✓ | ||||||||||
| Forms | ✓ | ||||||||||
| Parameter Storage | ✓ | ||||||||||
| Event Triggers | ✓ | ||||||||||
| Workflows | ✓ | ||||||||||
| Search | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Saved Search Queries | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Certification Campaigns | ✓ | ✓ | |||||||||
| Policies | ✓ | ||||||||||
| Reports | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Role Discovery | ✓ | ✓ | |||||||||
| Dashboard Home | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Passwords | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Preferences | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Request Center | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Approvals | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Task Manager | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Certifications | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| SailPoint CIEM | ✓ | ✓ | |||||||||
| Harbor Pilot | ✓ | ||||||||||
| Identity Graph | ✓ | ✓ | ✓ | ||||||||
| View Supported Tenant Data | ✓ | ✓ | ✓ | ||||||||
| Identity Graph Actions | ✓ | ✓ |
1 Sub-admins can access these pages only if they are members of the governance group for the associated source. Sub-admins have the ability to search all organization data, not just data associated with their governance group.
2 Helpdesk Admins can process identities but cannot manually set identity lifecycle states.
3 Source Admins can view all accounts. Sub-admins can only view accounts for sources associated with the governance groups they are members of.
4 Identity Graph Admin rights to these items are read-only and do not provide any configuration capabilities.
5 Identity Graph Admin only has access to view and set the lifecycle state for identities.
6 Identity Graph Admin only has access to view and enable / disable accounts.
Data Access Security User Levels
Refer to the following documentation for information about Data Access Security user levels.
Configuration Hub User Levels
Refer to the following documentation for information about Configuration Hub user levels.
Documentation Feedback
Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.