User Level Permissions

User levels are sets of permissions within Identity Security Cloud that administrators can grant to users. Users cannot grant themselves user level permissions - only Admins can grant or remove user levels.

If you grant someone a user level, it will appear in certifications as an entitlement that the reviewer can grant or revoke. For information on how to grant and remove user levels, refer to Setting User Level Permissions.

Users can be granted multiple user levels and will have the combined access of all levels assigned to them. The following user level combinations cannot be assigned to a user at the same time:

• Role Admin and Source Sub-Admin
• Role Sub-Admin and Source Admin
• Role Sub-Admin and Role Admin
• Source Sub-Admin and Source Admin

To view the user levels and associated privileges in a table format, refer to the User Level Access Matrix.

Admin

A user with the Admin user level has all rights enabled on all sources. They control the system configurations, applications, sources, and identities. They can also enable and use Harbor Pilot.

Helpdesk Admin User Level

A user with the Helpdesk Admin user level can take the following actions:

• Invite users to register with Identity Security Cloud.
• Read, enable, disable, and unlock accounts.
• Help users reset their passwords.
• Aggregate data for single accounts.
• Process, disable, and reset identities.
• View application, role, and activity data for identities.
• Reset multifactor authentication for identities.

Helpdesk Admins cannot manually set lifecycle states or make changes to sources, apps, and other features within Identity Security Cloud.

Certification Admin User Level

A user with the Certification Admin user level can take the following actions:

• Perform all actions available in Certifications.
• Search your organization's identity and entitlement data.
• Save, subscribe to, and download reports on pages they have access to in Identity Security Cloud.
• View cloud entitlement details if their organization is using SailPoint CIEM.

Report Admin User Level

A user with the Report Admin user level can take the following actions:

• Save, subscribe to, and download reports on pages they have access to in Identity Security Cloud.
• Search your organization's identity and entitlement data.
• View system activity, tasks, and certification campaigns on the Admin Dashboard.
• View Access History and Data Explore if your organization has configured the Access Modeling service.
• Access the Access Intelligence Center if they have also been granted the Access Intelligence Center Author or Reader user level.
• View cloud entitlement details if their organization is using SailPoint CIEM.

Role Admin User Level

A user with the Role Admin user level can take the following actions:

• Create, manage, and edit roles.
• Access Role Discovery and Role Insights if your organization has configured the Access Modeling service.
• Search your organization's identity and entitlement data.
• Save, subscribe to, and download reports on pages they have access to in Identity Security Cloud.

Role Sub-Admin User Level

Sub-Admins must be associated with a governance group on the source to access these pages.

A user with the Role Sub-admin user level has the same permissions for Search and reports as Role Admins. However, they can create, manage, and edit roles with access profiles and entitlements only on sources that are associated with the governance groups they are members of. Role Sub-admins can also view and work with roles that do not have access profiles or entitlements.

Role Sub-admins cannot access Role Discovery or Role Insights.

Source Admin User Level

A user with the Source Admin user level can take the following actions:

• Create, configure, manage, and edit sources.
• View, aggregate, remove, and correlate accounts.
• Create, manage, and edit access profiles.
• Search your organization's identity and entitlement data.
• Save, subscribe to, and download reports on pages they have access to in Identity Security Cloud.
• View cloud entitlement details if their organization is using SailPoint CIEM.

Source Sub-Admin User Level

A user with the Source Sub-admin user level has the same permissions for Search and reports as Source Admins. However, they can perform the following actions only on the sources associated with the governance groups they are members of:

• Create, configure, manage, and edit associated sources.
• View accounts on associated sources.
• Create, manage, and edit access profiles that contain entitlements from associated sources.

Access Intelligence User Levels

The Access Intelligence Center can be accessed by Admins and Report Admins who have also been granted the Access Intelligence Center Author or Reader user level.

Author User Level

In addition to the access granted through their assigned Admin or Report Admin user level, a user with the Access Intelligence Author user level can take the following actions:

• View public sheets
• Create public or private sheets
• Bookmark filters

Reader User Level

In addition to the access granted through their assigned Admin or Report Admin user level, a user with the Access Intelligence Reader user level can take the following actions:

• View public sheets
• Filter data

Data Access Security User Levels

Refer to the following documentation for information about Data Access Security user levels.

• Data Access Security User Level Matrix
• Data Access Security User Levels

Cloud Governance Services

SailPoint Cloud Governance Services also include user levels to customize access.

SailPoint CIEM

If your organization has purchased and enabled SailPoint CIEM, you can allow your Org, Certification, Report, Source, and Cloud Gov Users/Admins to view cloud access details.

Users with the Cloud Gov User level do not need admin access to view and approve SailPoint CIEM account entitlements.

Cloud Access Management

Identity Security Cloud Admins can access Cloud Access Management if your organization has purchased and enabled it. Admins can also give other users access to Cloud Access Management by granting them the Cloud Gov User or Cloud Gov Admin user level.

Users with the Cloud Gov User (CLOUD_GOV_USER) user level can do the following:

• View source data and information in Cloud Access Management.
• View and approve SailPoint CIEM account entitlements
• Access Identity Security Cloud with End User permissions.

Users with the Cloud Gov Admin (CLOUD_GOV_ADMIN) user level can do the following:

• Access Cloud Access Management.
  • Manage the sources page and add, edit, or delete cloud sources.
  • Perform manual inventory refreshes.
• Access Identity Security Cloud with End User permissions.

If your organization has purchased SailPoint CIEM, these user levels will also allow them to view cloud access details.

SaaS Management

If your organization has purchased and enabled SailPoint SaaS Management, you can invite dashboard users to the application and assign them the Admin or Reader user level within SaaS Management.

Configuration Hub

You can use the following Configuration Hub user levels.

• Configuration Hub Admin - Permission to view and perform any action in Configuration Hub. This user level is required to configure the S3 bucket if utilizing Configuration Hub Cloud Storage.
• Configuration Hub Backup Admin - Permissions to manage backups, which include creating a backup, deleting a backup, viewing backup summaries and details, and viewing existing drafts and Activity Logs.
• Configuration Hub Reader - View-only permissions, which include the ability to view backup summaries and details, existing drafts, and Activity Logs.

Access Request Administration User Levels

Access Request Administration includes user levels to customize access.

Access Request Admin Read Only

Filter, search, and view access requests.

Access Request Admin Full Management

• Filter, search, and view access requests.
• Take any actions, including Approve, Reassign, Remind, Overwrite, and Cancel.
• Complete bulk actions.

Access Revoker User Level

A user with the Access Revoker user level can can view the Details and Access tabs on the Admin Identity page and submit access revocation requests for any user.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.