
Managing Access Request Segments

For organizations with the Access Request service, SailPoint provides segments to make requesting access simpler for users and to reduce the risk of overprovisioning access.

A segment represents a set of identities that have been grouped based on specified identity attributes. Admins associate access items that those identities are likely to need for their organizational roles with the segment. When a user in a segment visits the Request Center, they are presented only with the access items defined in their segment and access items that are not included in any segment.

Identities in segments are less likely to request access they don’t need. Identities must be included in at least one segment to restrict their visibility of access items. Identities not associated with any segment can see all access items, even items included in other segments.

Note

Organizations must have the Access Request service to use segments.

Creating an Access Request Segment

  1. In the Admin interface, select Access > Segments.
  2. Select New to display the Name Segment page.
  3. Enter a unique name and description to differentiate the segment from others and select Save.

    The segment is now saved in the Segments list on the Access Request Segments page. You can select a segment from this list to define the segment identities and the access that's appropriate for those identities.

To edit an existing segment, select the segment name from the list on the Access Request Segments page and select Edit Segment in the details window.

Note

After a segment is created or edited, it may take about 20 minutes for changes to appear or go into effect for users, depending on other system processes. Factors include, but are not limited to, the number of segments edited and identities impacted, as well as the type of access items included in the segment. For instance, entitlements may take longer to sync than access profiles or roles.

Defining Segment Identities

Select identity attribute types and values for identities you want to include in the segment.

  1. From the Segments list, select the segment you want to define identities for.
  2. In the details window, select Edit Segment.
  3. Select Define Segment from the left pane.
  4. Select attributes and values from the dropdown menus.
  5. Select Add Criteria for each identity attribute and value combination you want to add to the segment. As you do this, the table lists identities that meet the membership criteria.
  6. After you have added all the identity attributes you want to include in the segment, select Save.

Defining Segment Access

Add access profiles, entitlements, and roles to the segment. These will be used to determine the access that users in the segment can request.

  1. From the Segments list, select the segment you want to define access for, and select Edit Segment.
  2. In the details window, select Edit Segment.
  3. Select Define Access in the left pane.
  4. Search for the access profiles, entitlements, and roles you want to add to the segment. As you do this, a list fills with the access items meeting your search criteria.
  5. Add access items to the segment in one of the following ways:
    • Select the checkboxes next to the access items you want to include and select + Add to Segment.
    • In the Actions column, select Add to Segment for the access items you want to include.
  6. To remove access items from the segment, select Remove from Segment in the Actions column for the items you want to remove.
  7. After you have added all the access items you want to the segment, select Save.

Reviewing the Segment

Review the identity attributes and access items in the segment. After you have reviewed the segment and determined that it is ready to use, you'll need to enable the segment to start using it with access requests.

  1. From the Segments list, select the segment you want to review.
  2. In the details window, select Edit Segment.
  3. Select Review in the left pane to display all the identity attributes, access profiles, entitlements, and roles in the segment.
  4. If you want to change something about the segment, select the related item in the left pane.

    Important

    Select Save on any page where you make changes to avoid losing your selections.

  5. If everything looks correct, select Save to save the segment.

Enabling and Disabling Segments

After you have created and defined a segment, you’ll need to enable it to start using it with access requests. To stop using a segment, you’ll need to disable it. After you disable a segment, the identities in that segment will be able to see all requestable access items – unless you’ve defined another segment to include those identities.

To enable and disable segments, use the Yes/No toggle controls found in the following areas:

  • In the Enabled column of the Segments list
  • In the window launched after selecting a segment name from the Segments list
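
The visibility rule from the overview, together with the effect of enabling or disabling a segment, modeled locally as an added example (not SailPoint code and not its API). All names and data are constructed, and two behaviors the page does not state are assumed: an identity must match every criterion of a segment, and a disabled segment restricts nothing.

```python
# Added example with constructed data; a local model, not SailPoint code.
SEGMENTS = [
    {"name": "Finance", "enabled": True,
     "criteria": {"department": "Finance"},
     "items": {"AP Ledger", "Payroll Reports"}},
    {"name": "Engineering", "enabled": True,
     "criteria": {"department": "Engineering"},
     "items": {"Source Control", "Build Server"}},
    {"name": "Contractors", "enabled": False,  # defined but not yet enabled
     "criteria": {"type": "contractor"},
     "items": {"Guest Wi-Fi"}},
]
ALL_ITEMS = {"AP Ledger", "Payroll Reports", "Source Control",
             "Build Server", "Guest Wi-Fi", "Email"}  # "Email" is in no segment
IDENTITIES = [
    {"name": "alice", "department": "Finance", "type": "employee"},
    {"name": "bob", "department": "Engineering", "type": "contractor"},
    {"name": "carol", "department": "Sales", "type": "contractor"},
]


def member_segments(identity, segments):
    """Enabled segments whose criteria the identity meets.
    Assumption: every attribute/value pair must match."""
    return [s for s in segments if s["enabled"] and
            all(identity.get(k) == v for k, v in s["criteria"].items())]


def visible_items(identity, segments, all_items):
    """Access items the identity is offered in the Request Center."""
    mine = member_segments(identity, segments)
    if not mine:
        return set(all_items)  # in no enabled segment: sees every item
    # Assumption: a disabled segment restricts nothing, so its items
    # count as belonging to no segment.
    segmented = set().union(*(s["items"] for s in segments if s["enabled"]))
    own = set().union(*(s["items"] for s in mine))
    return own | (set(all_items) - segmented)


def unsegmented(identities, segments):
    """Names of identities that match no enabled segment."""
    return [i["name"] for i in identities if not member_segments(i, segments)]


if __name__ == "__main__":
    for person in IDENTITIES:
        print(person["name"], sorted(visible_items(person, SEGMENTS, ALL_ITEMS)))
    print("see everything:", unsegmented(IDENTITIES, SEGMENTS))
```

Running `unsegmented` against an exported identity list before enabling or disabling a segment shows which identities would fall back to seeing every requestable item.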