
User Level Permissions

User levels are sets of permissions within IdentityNow that administrators can grant to users. Users cannot grant themselves user level permissions – only IdentityNow Admins can grant or remove user levels.

If you grant someone a user level, it will appear in certifications as an entitlement that the reviewer can grant or revoke. For information on how to grant and remove user levels, refer to Setting User Level Permissions.

Users can be granted multiple user levels and will have the combined access of all levels assigned to them.

To view the user levels and associated privileges in a table format, refer to the User Level Access Matrix.

Admin

A user with the Admin user level has all rights enabled on all sources. They control the system configurations, applications, sources, and identities.

Helpdesk Admin User Level

A user with the Helpdesk Admin user level can take the following actions:

Helpdesk Admins cannot manually set lifecycle states or make changes to sources, apps, and other features within IdentityNow.

Certification Admin User Level

A user with the Certification Admin user level can take the following actions:

  • Perform all actions available in Certifications.
  • Search your organization's identity and entitlement data.
  • Save, subscribe to, and download reports on pages they have access to in IdentityNow.
  • View cloud entitlement details if their organization is using SailPoint CIEM.

Report Admin User Level

A user with the Report Admin user level can take the following actions:

  • Save, subscribe to, and download reports on pages they have access to in IdentityNow.
  • Search your organization's identity and entitlement data.
  • View system activity, tasks, and certification campaigns on the Admin Dashboard.
  • View Access History and Data Explorer if your organization has configured the Access Modeling service.
  • Access the Access Intelligence Center if they have also been granted the Access Intelligence Center Author or Reader user level.
  • View cloud entitlement details if their organization is using SailPoint CIEM.

Role Admin User Level

A user with the Role Admin user level can take the following actions:

  • Create, manage, and edit roles.
  • Access Role Discovery and Role Insights if your organization has configured the Access Modeling service.
  • Search your organization's identity and entitlement data.
  • Save, subscribe to, and download reports on pages they have access to in IdentityNow.

Role Sub-Admin User Level

Sub-Admins must be associated with a governance group on the source to access these pages.

A user with the Role Sub-Admin user level has the same permissions for Search and reports as Role Admins. However, they can create, manage, and edit roles with access profiles and entitlements only on sources that are associated with the governance groups they are members of. Role Sub-Admins can also view and work with roles that do not have access profiles or entitlements.

Role Sub-Admins cannot access Role Discovery or Role Insights.

Source Admin User Level

A user with the Source Admin user level can take the following actions:

  • Create, configure, manage, and edit sources.
  • Create, manage, and edit access profiles.
  • Search your organization's identity and entitlement data.
  • Save, subscribe to, and download reports on pages they have access to in IdentityNow.
  • View cloud entitlement details if their organization is using SailPoint CIEM.

Source Sub-Admin User Level

A user with the Source Sub-Admin user level has the same permissions for Search and reports as Source Admins. However, they can perform the following actions only on the sources associated with the governance groups they are members of:

  • Create, configure, manage, and edit associated sources.
  • Create, manage, and edit access profiles that contain entitlements from associated sources.

Users may not be assigned Source Sub-Admin and Role Admin permissions at the same time.

Access Intelligence User Levels

The Access Intelligence Center can be accessed by Admins and Report Admins who have also been granted the Access Intelligence Center Author or Reader user level.
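The assignment rules stated on this page (the Source Sub-Admin and Role Admin exclusion, the governance group requirement for Sub-Admins, and the Admin or Report Admin prerequisite for Access Intelligence Center levels) can be checked against an exported list of assignments before a certification campaign. The following is an added example, not SailPoint code: the record layout and the sample users are constructed, and the level names are the display names used on this page, not API identifiers.

```python
# Added example. Level names are display names from this page; the record
# layout (name, levels, governance_groups) is an assumption, not an API schema.
SUB_ADMIN_LEVELS = {"Role Sub-Admin", "Source Sub-Admin"}
AIC_LEVELS = {"Access Intelligence Center Author",
              "Access Intelligence Center Reader"}
AIC_PREREQS = {"Admin", "Report Admin"}


def audit_user(user):
    """Return the list of rule findings for one user record."""
    levels = set(user["levels"])  # a user holds the union of all levels
    findings = []
    # Source Sub-Admin and Role Admin may not be assigned together.
    if {"Source Sub-Admin", "Role Admin"} <= levels:
        findings.append("conflict: Source Sub-Admin + Role Admin")
    # AIC Author/Reader only takes effect alongside Admin or Report Admin.
    if (levels & AIC_LEVELS) and not (levels & AIC_PREREQS):
        findings.append("ineffective: AIC level without Admin or Report Admin")
    # Sub-Admins need a governance group tied to the sources they manage.
    if (levels & SUB_ADMIN_LEVELS) and not user.get("governance_groups"):
        findings.append("ineffective: Sub-Admin with no governance group")
    return findings


def audit(users):
    """Map user name to findings, omitting users with no findings."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user["name"]] = findings
    return report


# Constructed sample data for illustration only.
USERS = [
    {"name": "alice", "levels": ["Role Admin", "Source Sub-Admin"],
     "governance_groups": ["HR Sources"]},
    {"name": "bob", "levels": ["Helpdesk Admin",
                               "Access Intelligence Center Reader"],
     "governance_groups": []},
    {"name": "carol", "levels": ["Role Sub-Admin"], "governance_groups": []},
    {"name": "dave", "levels": ["Report Admin",
                                "Access Intelligence Center Author"],
     "governance_groups": []},
]

if __name__ == "__main__":
    for name, findings in audit(USERS).items():
        print(name, findings)
```
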

Author User Level

In addition to the access granted through their assigned Admin or Report Admin user level, a user with the Access Intelligence Author user level can take the following actions:

Reader User Level

In addition to the access granted through their assigned Admin or Report Admin user level, a user with the Access Intelligence Reader user level can take the following actions:

Data Access Security User Levels

Refer to the following documentation for information about Data Access Security user levels.

Cloud Governance Services

SailPoint Cloud Governance Services also include user levels to customize access.

SailPoint CIEM

If your organization has purchased and enabled SailPoint CIEM, you can allow your Org, Certification, Report, Source, and Cloud Gov Users/Admins to view cloud access details.

Cloud Access Management

IdentityNow Admins can access Cloud Access Management if your organization has purchased and enabled it. IdentityNow Admins can also give other users access to Cloud Access Management by granting them the Cloud Gov User or Cloud Gov Admin user level.

Users with the Cloud Gov User (CLOUD_GOV_USER) user level can do the following:

  • View source data and information in Cloud Access Management.
  • Access IdentityNow with End User permissions.

Users with the Cloud Gov Admin (CLOUD_GOV_ADMIN) user level can do the following:

  • Access Cloud Access Management.
    • Manage the sources page and add, edit, or delete cloud sources.
    • Perform manual inventory refreshes.
  • Access IdentityNow with End User permissions.

If your organization has purchased SailPoint CIEM, these user levels will also allow them to view cloud access details.

SaaS Management

If your organization has purchased and enabled SailPoint SaaS Management, you can invite dashboard users to the application and assign them the Admin or Reader user level within SaaS Management.

Configuration Hub

You can use the following Configuration Hub user levels.

  • Configuration Hub Admin - Permission to view and perform any action in Configuration Hub.
  • Configuration Hub Backup Admin - Permissions to manage backups, which include creating a backup, deleting a backup, viewing backup summaries and details, and viewing existing drafts and Activity Logs.
  • Configuration Hub Reader - View-only permissions, which include the ability to view backup summaries and details, existing drafts, and Activity Logs.