Simplifying Access for Users with Access Request Segments
It can be difficult for users in an organization to know what access they need to request, especially new employees or users who rarely request access. When presented with every available option in the Request Center, a user may have to guess at what to request, or may request more access than they need.
For organizations with the Access Request service, SailPoint provides segments to make requesting access simpler for users and to reduce the risk of overprovisioning access.
A segment represents a set of identities that have been grouped based on specified identity attributes. Admins associate access items that those identities are likely to need for their organizational roles with the segment. When a user in a segment visits the Request Center, they are presented only with the access items defined in their segment and access items that are not included in any segment.
Identities in segments are less likely to request access they don’t need. Identities must be included in at least one segment to restrict their visibility of access items. Identities not associated with any segment can see all access items, even items included in other segments.
Implementing access request segments in your organization provides security and administrative benefits:
- Limits visibility into highly sensitive access
- Reduces the number of access items an approver receives that must be denied
- Prevents users from accidentally gaining access they shouldn’t have
- Reduces costs by providing software licenses only to the users that need them
Organizations must have the Access Request service to use segments. Implementing a segment involves four steps:
- Create and name the segment
- Define the segment identities
- Define the segment access
- Enable the segment
Creating an Access Request Segment
- In IdentityNow, select Admin > Access > Segments.
- Select New to display the Name Segment page.
- Enter a unique, easy-to-understand name and description to differentiate the segment from others, and select Save.
The segment is now saved in the Segments list, ready for you to define the segment identities and define the access that's appropriate for those identities.
To edit an existing segment, select the segment name from the list, and select Edit Segment.
After a segment is created or edited, it can take some time, depending on the number of identities and entitlements, for the changes to become visible or take effect for your users.
Defining Segment Identities
Select identity attribute types and values for identities you want to include in the segment.
- In the Segments list, select the segment you want to define identities for, and select Edit Segment.
- Select Define Segment in the left pane.
- Select attributes and values from the drop-down lists.
- Select for each identity attribute and value combination you want to add to the segment. As you do this, the table lists identities that meet the membership criteria.
- After you have added all the identity attributes you want to include in the segment, select Save.
Defining Segment Access
Add access profiles and roles to the segment. These will be used to determine the access that users in the segment can request.
- In the Segments list, select the segment you want to define access for, and select Edit Segment.
- Select Define Access in the left pane.
- Search for the access profiles and roles you want to add to the segment. As you do this, a list fills with the access profiles and roles meeting your search criteria.
- Add access items to the segment in one of the following ways:
- To remove access items from the segment, select in the Actions column for the items you want to remove from the segment.
- After you have added all the access items you want to the segment, select Save.
Reviewing the Segment
Review the identity attributes and access items in the segment. After you have reviewed the segment and determined that it is ready to use, you'll need to enable it to start using it with access requests.
- In the Segments list, select the segment you want to review, and select Edit Segment.
- Select Review in the left pane to display all the identity attributes, access profiles, and roles in the segment.
If you want to change something about the segment, select the related item in the left pane.
Be sure to select Save on any screen where you make changes, to avoid losing your selections.
If everything looks correct, select Save to save the segment.
Enabling and Disabling Segments
After you have created and defined a segment, you’ll need to enable it to start using it with access requests. To stop using a segment, you’ll need to disable it. After you disable a segment, the identities in that segment will be able to see all requestable access items – unless you’ve defined another segment to include those identities.
To enable and disable segments, use the Yes/No toggle controls found in two places:
- In the Enabled column of the Access Request Segments list
- In the overlay launched after selecting a segment name from the Access Request Segments list
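The visibility rules described above (an identity sees the items in its own segments plus items in no segment; an identity in no enabled segment sees everything, which is also what happens when its only segment is disabled) can be modelled to check a planned segment design before enabling it. The following is an added example, not SailPoint code or API, using constructed sample identities and access items; it assumes that a segment's attribute/value criteria are combined with AND and that a disabled segment's items count as unsegmented, neither of which the page states.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    name: str
    criteria: dict        # identity attribute -> required value
    access_items: set     # access profiles and roles assigned to the segment
    enabled: bool = True


def in_segment(identity: dict, segment: Segment) -> bool:
    """True when every attribute/value pair of the segment matches the identity.
    Assumption: criteria are ANDed; the documentation does not state the combinator."""
    return all(identity.get(attr) == value for attr, value in segment.criteria.items())


def visible_access(identity: dict, segments: list, catalog: set) -> set:
    """Access items this identity would see in the Request Center."""
    active = [s for s in segments if s.enabled]                 # disabled segments are ignored
    segmented = set().union(*(s.access_items for s in active))  # items owned by some segment
    unsegmented = catalog - segmented                           # items in no segment: visible to all
    own = [s for s in active if in_segment(identity, s)]
    if not own:
        return set(catalog)                                     # no segment: sees the whole catalog
    return set().union(*(s.access_items for s in own)) | unsegmented


def unsegmented_identities(identities: dict, segments: list) -> set:
    """Identities not covered by any enabled segment; these retain full visibility."""
    active = [s for s in segments if s.enabled]
    return {name for name, ident in identities.items()
            if not any(in_segment(ident, s) for s in active)}


# Constructed sample data, not taken from the documentation.
CATALOG = {"Finance Ledger", "HR Records", "Email", "VPN"}
SEGMENTS = [
    Segment("Finance", {"department": "Finance"}, {"Finance Ledger"}),
    Segment("HR", {"department": "HR"}, {"HR Records"}),
]
IDENTITIES = {
    "alice": {"department": "Finance"},
    "bob": {"department": "Engineering"},   # matches no segment
    "carol": {"department": "HR"},
}

if __name__ == "__main__":
    for name, ident in IDENTITIES.items():
        print(name, sorted(visible_access(ident, SEGMENTS, CATALOG)))
    print("identities with full visibility:", sorted(unsegmented_identities(IDENTITIES, SEGMENTS)))
```

Running `unsegmented_identities` against the real identity population is the check worth doing before relying on segments to hide sensitive items, since any identity it returns still sees the entire catalog.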