Creating Data Segments
Create data segments of administrative access that you can delegate to others. There are two components to define: which users the policy affects and what objects (or records) those users are authorized to view.
Note
Org administrators will still have global access to all users and objects.
- Go to Admin > Global > Data Segmentation.
- On the Data Segments page, select New Data Segment.
- On the New Data Segment > Segment Definition page, enter a unique name and description.
- Define data segment users.
- Define the objects those users are authorized to view.
- Review your data segment.
Defining Data Segment Users
On the New Data Segment page, use a radio button to indicate who the segment applies to: all users, select users, or those that you build criteria to define.
All Users
All Users grants access to this segment's objects to everyone in the organization who has access to Identity Security Cloud.
Select Users
Select Users lets you define a static list of users included in a segment, up to a maximum of 50.
Best Practice
For lists of more than 50, enrich your identity metadata and use Build Criteria.
- In the Users section, select the radio button for Select Users.
- Select Continue.
- Use the checkboxes to indicate which users you want to include, then select Add Users.
- After adding users, you can add more by selecting the Select Users button above the table. Use the Remove option in the Actions column to remove users from the list.
- Select which columns to include in your table using the Column Chooser icon.
- Search for selected users in your table using the Search field above the table. Search is not case sensitive.
- When you are satisfied with your choices, select Save.
Build Criteria for Users
Build Criteria to dynamically determine which users are included in a segment. Use up to 10 criteria for each segment.
Best Practice
Building criteria to dynamically determine a segment’s user population can be easier to maintain than a static list, which needs updates when people move or change roles.
- In the User section, select the radio button for Build Criteria.
- Use the Attributes and Operator dropdowns to select the attribute and operator to apply, then enter the values to assess in the Value field.
Note
The search is not case sensitive.
- Use the And / Or toggles to indicate how criteria combine within a group and how groups combine with one another.
- Select Add Criteria to add more criteria to your definition. You may define a maximum of 10 criteria.
- When you are satisfied with your choices, select Apply.
- Results fitting the applied criteria are listed at the bottom of the page.
Defining Data Segment Objects
On the New Data Segment > Data Segment Objects page under Access Model Administration, select an option to indicate which entitlements to include. Options are:
- No Entitlements in Segment - Creates an empty segment with no entitlements.
- All Entitlements - Every entitlement in the system is granted to the segment.
- Select Entitlements - Select specific entitlements to include.
- Build Criteria - Define criteria and all entitlements matching that criteria are included.
- Include Unsegmented - Include all entitlement objects that are not part of any other segment.
Select Entitlements
Select Entitlements takes you to the Select Entitlements page, where there is a table listing all available entitlements, along with columns for description, access profiles, and identities.
- Select the checkbox next to each entitlement you want to include in the segment. You can select a maximum of 50 entitlements.
- Use Filters to find entitlements. You can filter by which entitlements are Requestable or Not Requestable, Privileged or Not Privileged, Owner, Source, Created Date, and/or Modified Date.
- When you have set your filters, select Apply.
- Once you have selected entitlements, review them on the Selected Entitlements table. You can use the Remove option in the Actions column to remove entitlements from the list.
Build Criteria for Entitlements
Build criteria to dynamically define which entitlements to include in the segment based on the objects’ metadata.
Best Practice
Building criteria to dynamically determine a segment’s entitlements can be easier to maintain than a static list.
- Select an Attribute from the dropdown, such as name, attribute, value, entitlement type, privileged, cloud governed, description, requestable, attributes, source, and owner.
- For sources that have entitlement types, you can build a segment based on the values in those types, but more detail is required when you build criteria using this attribute. Select the attribute Entitlement Type, choose a source, then select the specific entitlement type that you want to pull from the source, such as Organizational Unit (OU). From there, select the attribute you want from within that type, such as OU Name.
Note
When your criteria include entitlement type attributes, your results will include all entitlement types that have that attribute, not just the entitlement type on a given source.
Note
Entitlement attributes over 128 KB will be truncated. As a result, the entitlement criteria do not display the associated entitlement in the preview when defining the filter, nor is it matched to the segment, so you won't have access to it in the entitlement list.
- Select an Operator. For most attributes, available operators are Equals, Does not equal, Contains, Starts with, Ends with. For source and owner, Equals is the only available operator.
- Enter or select a Value. The search is not case sensitive.
- You can add nested criteria as needed by selecting Add Criteria. Use the And / Or operators to describe how you want the criteria to interact with one another, then add another set of attribute requirements.
- Select Add Group to add another group of entitlements to your segment. Use the And / Or operators to describe how you want the groups to relate.
- Once your criteria are defined, select Apply.
- Review the results table and refine criteria as needed.
- Select Save.
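Build Criteria for users and for entitlements both rely on the same And / Or group logic described above. The following added example (not SailPoint's code) models that evaluation over constructed entitlement records, assuming 128 KB means 128 × 1024 bytes and that attribute values are strings:

```python
# Added model (not SailPoint code) of Build Criteria evaluation as this page describes it.
from typing import Callable, Dict, List, Tuple

MAX_ATTR_BYTES = 128 * 1024  # assumed size limit: larger attributes are truncated and never match
EQUALS_ONLY = {"source", "owner"}  # the only operator offered for these attributes
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda a, v: a == v,
    "Does not equal": lambda a, v: a != v,
    "Contains": lambda a, v: v in a,
    "Starts with": lambda a, v: a.startswith(v),
    "Ends with": lambda a, v: a.endswith(v),
}
Criterion = Tuple[str, str, str]     # (attribute, operator, value)
Group = Tuple[str, List[Criterion]]  # ("And" | "Or" within the group, criteria)

def criterion_matches(crit: Criterion, record: Dict[str, str]) -> bool:
    attribute, operator, value = crit
    if attribute in EQUALS_ONLY and operator != "Equals":
        raise ValueError(f"{attribute} supports only Equals")
    actual = record.get(attribute, "")
    if len(actual.encode("utf-8")) > MAX_ATTR_BYTES:
        return False  # truncated: absent from the preview and not matched to the segment
    return OPERATORS[operator](actual.lower(), value.lower())  # search is not case sensitive

def group_matches(group: Group, record: Dict[str, str]) -> bool:
    within, criteria = group
    combine = all if within == "And" else any
    return combine(criterion_matches(c, record) for c in criteria)

def evaluate(groups: List[Group], between: str, records: List[Dict[str, str]]) -> List[str]:
    """Names in the results table; `between` is the And / Or toggle that relates groups."""
    combine = all if between == "And" else any
    return [r["name"] for r in records if combine(group_matches(g, r) for g in groups)]

# Constructed sample entitlements and a two-group segment definition (not real data).
ENTITLEMENTS = [
    {"name": "Finance-Admins", "source": "Active Directory", "privileged": "true", "description": "Finance admins"},
    {"name": "finance-readers", "source": "Active Directory", "privileged": "false", "description": "Read only"},
    {"name": "HR-Admins", "source": "Workday", "privileged": "true", "description": "HR administrators"},
    {"name": "Oversized", "source": "Workday", "privileged": "true", "description": "HR " + "x" * MAX_ATTR_BYTES},
]
SEGMENT: List[Group] = [
    ("And", [("source", "Equals", "active directory"), ("name", "Starts with", "FINANCE")]),
    ("And", [("privileged", "Equals", "true"), ("description", "Contains", "hr")]),
]

def preview() -> List[str]:
    """What the results table shows after Apply: the two groups related by Or."""
    return evaluate(SEGMENT, "Or", ENTITLEMENTS)  # -> ['Finance-Admins', 'finance-readers', 'HR-Admins']
```

The Oversized record satisfies the second group on paper, but its description exceeds the size limit, so it is excluded from the preview exactly as the Note above describes.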
Reviewing Draft Segments
After you have defined and saved a data segment, it is in Draft status, meaning that it is not yet being applied. To review drafts, select Review from the left navigation.
You can also approach this page from Data Segments. Find the segment you want to review and select it. If there are multiple drafts of a given segment, or if there are published and draft versions, they are all listed under the segment name. Select the version you want to review, then select Review from the left navigation.
On the Review page, you can check the segment name, description, users and the criteria that were used to define them (when applicable), as well as the included objects and the criteria used to determine them (when applicable). Use the left navigation if you want to return and modify part of your data segment definition or objects.
Select X at the top right to close this page and return to Data Segments.