
Managing Privilege Classification

SailPoint Privilege Classification helps organizations to classify and assign privilege levels to entitlements.

Privilege Classification helps you:

To enable, classify, and configure privilege levels, users must be an Org Admin, Source Admin, or Source Sub-Admin.

Before you can assign privilege levels to entitlements, you need to configure the source and aggregate the entitlements. You can then enable privilege classification and configure the privilege classification method to automate the assignment of the privilege level for the entitlements.

Privilege Classification Method

Configure the privilege classification method to determine how the privilege level of an entitlement is classified. The methods include assigning the same privilege level to all entitlements, applying generated recommendations, defining custom criteria to apply when assigning a privilege level, or using the recommendation and custom criteria to assign the privilege level.

Privilege Levels

The classification of entitlements defines the privilege level as high, medium, or low to reflect the degree of privilege granted by the entitlement. The level assigned to an entitlement corresponds to the potential impact that misuse or compromise of that entitlement may have.

Privilege levels:

  • High - The highest level of privilege available on the source. Entitlements at this level grant privileged, administrative-level access. These entitlements pose the highest risk and require monitoring.
  • Medium - Provides administrative privileged access, but not the highest level. Access allows completion of a subset of administrative tasks for a specific role or function and may provide access to data or services.
  • Low - Access that does not include administrative privileges. Provides only basic access to data.

Precedence of Privilege Level

When you manually override a direct privilege value, the system marks the override privilege level as the highest priority and does not update it with any privilege level that the privilege classification method may assign. If the privilege level has not been manually overridden, the highest value from the privilege classification method is applied.

If the privilege level is unset, then neither a manual setting nor the privilege classification method has set a privilege level. The entitlement retains the default direct privilege value of None until you manually override it or the privilege classification method assigns it.

Enabling Automatic Privilege Classification

Enable the privilege classification feature to assign privilege levels for entitlements based on a method you configure. After you enable privilege classification, the configured privilege classification method is used to assign the privilege level to the entitlement. If you update the method while automatic privilege classification is enabled, the entitlement privilege levels will be assigned based on the updated method configuration.

You can choose to assign the same privilege level to all entitlements, apply the recommendations, and/or configure custom criteria.

You can view assigned privilege levels on a source's entitlement page and on the Entitlement page in the Direct Privilege table column.

Enabling automatic privilege classification has these implications:

  • Direct privilege override levels are retained.
  • Privilege levels are assigned to entitlements using the configured privilege classification method.
  • The Override Direct Privilege and Remove Direct Privilege Override actions remain available for manual override.

To enable automatic privilege classification:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to enable privilege classification on.
  3. In the Entitlement Management section, select Privilege Classification.
  4. Set the Enable Automatic Privilege Classification toggle to enabled.

If you have configured and saved a privilege classification method, the privilege level is assigned to the entitlement. For more information, refer to Configuring Privilege Classification Method.

Disabling Automatic Privilege Classification

Disable automatic privilege classification to stop assigning privilege levels for entitlements. When you disable privilege classification, you can continue to configure the privilege classification method without assigning it to entitlements. The privilege level set by the privilege classification method is only assigned when you Enable Automatic Privilege Classification.

Disabling privilege classification after it has been enabled and privilege levels have been assigned to entitlements has these implications:

  • Direct privilege override levels are retained.
  • Privilege levels set by the configured privilege classification method are retained.
  • The Override Direct Privilege and Remove Direct Privilege Override actions remain available for manual override.

To disable privilege classification:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to remove privilege classification from.
  3. In the Entitlement Management section, select Privilege Classification.
  4. Set the Enable Privilege Classification toggle to disabled.

Configuring Privilege Classification Method

You can use one of the following methods to assign privilege classification to entitlements:

Privilege classification methods:

  • Assign the same direct privilege level to all entitlements - Select a direct privilege level of high, medium, or low to apply to all the entitlements.
  • Assign the recommended direct privilege level - Entitlements are listed under their recommended direct privilege level of high, medium, or low. Apply the recommendations individually by privilege level.
  • Define custom criteria logic to assign the direct privilege level - Use the custom criteria builder to configure the logic to be used when assigning direct privilege levels to entitlements.
  • Use the recommended privilege level and the custom criteria to assign the direct privilege level - Use the recommended direct privilege level and custom criteria together to assign a direct privilege level to entitlements. The custom criteria logic takes precedence over the recommended direct privilege level.

Assigning the Same Privilege Level

To assign the same direct privilege level to all entitlements:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to configure privilege classification on.
  3. In the Entitlement Management section, select Privilege Classification.
  4. Select Assign the same direct privilege level to all entitlements.
  5. Select the direct privilege level to assign.

    Note

    You cannot rename a defined privilege level or add new privilege levels.

  6. Select Save.

Note

Direct privilege levels that were set via a manual override are retained.

Using Recommendations to Assign Privilege Level

When you configure a source and aggregate the entitlements, the entitlements are grouped by their recommended privilege level.

The privilege level recommendations for entitlements are determined by the following factors:

  • The source's published list of entitlement groups, which designates entitlements as privileged or not privileged.
  • SailPoint's processing of the entitlements, which categorizes them with a privilege level of high, medium, or low.

Note

If no privilege level recommendations are available for your source, then the Recommended Privilege Level section is unavailable for configuration.

You can assign the recommended privilege level to the entitlements listed under each privilege level tab of High, Medium, and Low.

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to configure privilege classification on.
  3. In the Entitlement Management section, select Privilege Classification.
  4. In the Privilege Classification Method section, select Assign direct privilege levels according to recommendations and/or custom criteria.
  5. Select the direct privilege level, High, Medium, or Low, to view the recommended entitlements for the chosen direct privilege level.
  6. Set the Apply Recommendations toggle to enabled.
  7. Select Save.

Notes

  • Recommendations may change over time.
  • Updated recommendations are automatically applied to the entitlements.
  • Direct privilege levels that were set via a manual override are retained.

Configuring Custom Criteria to Assign Privilege Level

Configure custom criteria to set the criteria for automatically assigning a privilege level to an entitlement. Your privilege level logic may include multiple groups and contain both And and Or relationships.

To configure custom criteria:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to configure privilege classification on.
  3. In the Entitlement Management section, select Privilege Classification.
  4. In the Privilege Classification Method section, select Assign direct privilege levels according to recommendations and/or custom criteria.
  5. In the Custom Criteria for Privilege Level section, set the Apply Custom Criteria toggle to enabled.
  6. Select And or Or as the relationship to apply between the groups.

    Between Groups

    • And relationships require all groups to be met for the entitlement to qualify for the privilege level.
    • Or relationships allow the entitlement to qualify for the privilege level when it matches any of the groups.
  7. Use the Within Group toggle to specify whether your criteria should be combined with an AND or an OR operator:

    Within Group

    • And relationships require all criteria within each group to be met for the entitlement to qualify for the direct privilege level.
    • Or relationships allow the entitlement to qualify for the direct privilege level when it matches any of the criteria within a group.

    Note

    • Each group can have a maximum of 5 criteria.
    • Each criterion's Value field can contain up to 50 values.
    • A total of 5 groups can be added.
  8. Use the dropdown list to select the logic to be used to assign a privilege level to an entitlement. The options available for selection vary according to the source.

    Criteria fields:

    • Attribute - Select the entitlement attribute to use in this group criterion.
    • Entitlement Type - Choose from the list of entitlement types to use the schema that defines the attributes.
    • Operator - Use the dropdown list to select how to compare the value of the selected attribute with the value you enter.

    The operators available for selection vary according to the attribute type, but can include the following:

    • Equals - The attribute and value must match. Multiple values are compared as OR operations.
    • Does Not Equal - The attribute and value cannot match.
    • Contains - The specified value must exist somewhere within the attribute value.
    • Does Not Contain - The specified value cannot exist anywhere within the attribute value.
    • Starts With - The attribute must start with the specified value.
    • Ends With - The attribute or entitlement type must end with the specified value.
  9. Use the Value field to enter up to 50 text values you'd like to compare to the attribute. Press Enter between values.

    Note

    This field is case-insensitive.

  10. If you require multiple criteria, select Add Criteria to add another criterion row within the group.

    Use the Within Group toggle to specify whether the criteria in the group should be combined with an AND or an OR operator.

  11. Select Add Group when you need to specify more complex requirements. The selected Between Groups criteria are applied between the groups.

  12. Select Save.

Note

Direct privilege levels that were set via a manual override are retained.

Assigning Recommendations and Custom Criteria

Assign a privilege level to entitlements using both the recommendations and custom criteria.

Once you have configured and saved the recommendations and custom criteria:

  • If automatic privilege classification is enabled, the privilege level for each entitlement is calculated and assigned in this order of precedence:

    • Direct privilege levels that were set via a manual override are retained.
    • Privilege levels are assigned to all entitlements that match the custom criteria.
    • Privilege levels are assigned to entitlements that did not match the custom criteria but match the recommendation.
  • If automatic privilege classification is disabled, the configured privilege classification method is saved, but it does not assign the privilege level to entitlements.
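The following Python is an added example, not SailPoint's code: it models the custom-criteria evaluation from the previous section (Between Groups and Within Group And/Or, the six operators, case-insensitive values, the 5-group, 5-criteria and 50-value limits) together with the precedence order above, so an administrator can predict which level an entitlement will end up with before enabling classification. The entitlement attribute names, the sample entitlement, the rule contents, and the assumption that rules for different levels are tried in the order given are all constructed for illustration.

```python
from dataclasses import dataclass
# Operators from the Custom Criteria step, as plain comparisons on lowercased text.
OPERATORS = {
    "Equals": lambda a, v: a == v,
    "Does Not Equal": lambda a, v: a != v,
    "Contains": lambda a, v: v in a,
    "Does Not Contain": lambda a, v: v not in a,
    "Starts With": lambda a, v: a.startswith(v),
    "Ends With": lambda a, v: a.endswith(v),
}
def combine(hits, mode):  # And: every element must match; Or: any one suffices
    return all(hits) if mode == "And" else any(hits)

@dataclass
class Criterion:
    attribute: str  # entitlement attribute to compare
    operator: str   # key of OPERATORS
    values: list    # 1-50 values, ORed (page states this for Equals; assumed for the rest)
    def matches(self, ent):
        if not 1 <= len(self.values) <= 50:
            raise ValueError("Value field holds 1-50 values")
        attr = str(ent.get(self.attribute, "")).lower()  # field is case-insensitive
        return any(OPERATORS[self.operator](attr, v.lower()) for v in self.values)

@dataclass
class Rule:
    level: str           # level granted when the rule matches
    groups: list         # 1-5 tuples of (Within Group mode, [Criterion, ...])
    between: str = "Or"  # Between Groups mode
    def matches(self, ent):
        if not 1 <= len(self.groups) <= 5 or any(not 1 <= len(c) <= 5 for _, c in self.groups):
            raise ValueError("1-5 groups per rule, 1-5 criteria per group")
        return combine([combine([c.matches(ent) for c in cs], mode)
                        for mode, cs in self.groups], self.between)

def resolve(ent, rules, recommendation=None, override=None, enabled=True, current="None"):
    """Precedence: override > custom criteria > recommendation > None; disabled keeps current."""
    if override is not None:
        return override
    if not enabled:
        return current
    for rule in rules:  # assumed: rules are tried in the order given
        if rule.matches(ent):
            return rule.level
    return recommendation or "None"

# Constructed sample (not from the page): high when name ends in "admins" AND type is "group".
SAMPLE = {"name": "Server Admins", "type": "group"}
HIGH_RULE = Rule("high", [("And", [Criterion("name", "Ends With", ["admins"]),
                                   Criterion("type", "Equals", ["group"])])])
```

Calling resolve(SAMPLE, [HIGH_RULE]) yields "high", while passing override="low" returns the manual value regardless of the rule, mirroring the precedence table.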

Overriding Assigned Privilege Levels

You can manually override a direct privilege level that was assigned by the same-privilege-level, recommendation, or custom criteria method. If you manually override a privilege level that privilege classification assigned, the system ignores the privilege classification method for that entitlement.

For more information, refer to Manually Overriding Direct Privilege.

Manually Overriding Direct Privilege

You can manually override or remove a direct privilege level for individual entitlements. This applies whether you set the level before enabling a privilege classification method, the privilege classification method assigned it, or the level remains unset.

Override Direct Privilege

If you manually override an entitlement's direct privilege level, the privilege level you assign takes priority. The manual override replaces the privilege level set by the privilege classification method, and the system ignores further changes until the manual override is removed.

To manually override a direct privilege level:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source.
  3. In the Entitlement Management section, select Entitlements.
  4. Select the checkbox next to the entitlement.
  5. Select Actions > Override Direct Privilege Level.

    Note

    To override multiple entitlements, select the checkboxes for the entitlements you want to override. Bulk updates are limited to a maximum of 50 items. If you select more than 50 items, the bulk update fails and the system displays an error message.

  6. In the Override Direct Privilege Level panel, select the direct privilege level to be assigned.

    • High - The entitlement with the highest level on the source, posing the highest risk.
    • Medium - Entitlement with a subset of administrative privileged access for a specific role or function.
    • Low - Entitlement with privileged access for a specific role or function.
    • None - Removes the direct privilege that the privilege classification method set.
  7. Select Apply to update the direct privilege level for the entitlement.

Note

Direct privilege levels that were set via a manual override are retained when privilege classification is enabled and disabled.

Remove Direct Privilege Override

When manually removing an entitlement's direct privilege level, the value is removed and replaced with the following:

To manually remove a direct privilege override:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source.
  3. In the Entitlement Management section, select Entitlements.
  4. Select the checkbox next to the entitlement, and then select Actions > Remove Direct Privilege Level Override.

    Note

    To remove the override on multiple entitlements, select the checkboxes for the entitlements you want to remove the override from. Bulk updates are limited to a maximum of 50 items. If you select more than 50 items, the bulk update fails and the system displays an error message.

  5. A success message confirms the update.

Viewing Privilege Level Audit Reports and Events

Use Search, filtered by Event Type, to view details of the operations performed when creating and managing Privilege Classification and when assigning privilege levels, and to download audit reports.

Privilege Classification operations generate audit events for the following activities:

  • Events that the custom privilege classification criteria triggers:

    • PRIVILEGE_CRITERIA_CREATED
    • PRIVILEGE_CRITERIA_UPDATED
    • PRIVILEGE_CRITERIA_DELETED
  • Events that the privilege classification configuration triggers when you enable and disable it, and apply a privilege level:

    • PRIVILEGE_CRITERIA_CONFIG_UPDATED
