Skip to content

User Level Permissions

User levels are sets of permissions within IdentityNow that administrators can grant to users. Users cannot grant themselves user level permissions – only IdentityNow Admins can grant or remove user levels.

If you grant someone a user level, it will appear in certifications as an entitlement that the reviewer can grant or revoke. For information on how to grant and remove user levels, refer to Setting User Level Permissions.

Users can be granted multiple user levels and will have the combined access of all levels assigned to them.

To view the user levels and associated privileges in a table format, refer to the User Level Access Matrix.

Helpdesk Admin User Level

A user with the Helpdesk Admin user level can complete the following actions:

Helpdesk Admins cannot manually set lifecycle states or make changes to sources, apps, and other features within IdentityNow.

Certification Admin User Level

A user with the Certification Admin user level can complete the following actions:

  • Perform all actions available in Certifications.
  • Search your organization's identity and entitlement data.
  • Save, subscribe to, and download reports on pages they have access to in IdentityNow.

Report Admin User Level

A user with the Report Admin user level can complete the following actions:

  • Save, subscribe to, and download reports on pages they have access to in IdentityNow.
  • Search your organization's identity and entitlement data.
  • View system activity, tasks, and certification campaigns on the Admin Dashboard.
  • View Access History and Data Explore if your organization has configured the Access Modeling service.

Role Admin User Level

A user with the Role Admin user level can complete the following actions:

  • Create, manage, and edit roles.
  • Access Role Discovery and Role Insights if your organization has configured the Access Modeling service.
  • Search your organization's identity and entitlement data.
  • Save, subscribe to, and download reports on pages they have access to in IdentityNow.

Role Sub-Admin User Level

To utilize sub-admin user levels, the source and the user must be associated with a governance group.

A user with the Role Sub-admin user level has the same permissions for Search and reports as Role Admins. However, they can create, manage, and edit roles with access profiles only on sources that are associated with the governance groups they are members of. Role Sub-admins can also view and work with roles that do not have any access profiles.

Role Sub-admins do not have access to Role Discovery or Role Insights.

Source Admin User Level

A user with the Source Admin user level can complete the following actions:

  • Create, configure, manage, and edit sources.
  • Create, manage, and edit access profiles.
  • Search your organization's identity and entitlement data.
  • Save, subscribe to, and download reports on pages they have access to in IdentityNow.

Source Sub-Admin User Level

To utilize sub-admin user levels, the source and the user must be associated with a governance group.

A user with the Source Sub-admin user level has the same permissions for Search and reports as Source Admins. However, they can perform the following actions only on the sources associated with the governance groups they are members of:

  • Create, configure, manage, and edit associated sources.
  • Create, manage, and edit access profiles that contain entitlements from associated sources.

Cloud Governance Services

SailPoint Cloud Governance Services also include user levels to customize access.

Cloud Access Management

IdentityNow Admins can access Cloud Access Management if your organization has purchased and enabled it. IdentityNow Admins can also give other users access to Cloud Access Management by granting them the Cloud Gov User or Cloud Gov Admin user level.

Users with the Cloud Gov User (CLOUD_GOV_USER) user level can do the following:

  • View source data and information in Cloud Access Management.
  • Access IdentityNow with End User permissions.

Users with the Cloud Gov Admin (CLOUD_GOV_ADMIN) user level can do the following:

  • Access Cloud Access Management.
    • Manage the sources page and add, edit, or delete cloud sources.
    • Perform manual inventory refreshes.
  • Access IdentityNow with End User permissions.

SaaS Management

If your organization has purchased and enabled SailPoint SaaS Management, you can invite dashboard users to the application and assign them the Admin or Reader user level within SaaS Management.