
Managing Users, Roles, and Access Groups

After you have completed the setup, you can begin to manage users, roles, and access groups. You can manually add and configure users and administer roles and access groups to govern permissions. Credentials and groups of users can also be managed using vault.

Work with your SailPoint CSM to complete the setup required to federate users from an existing source of identity data into Workload Privilege Management.

Administering Local Users

For initial deployments or other specific use cases, you may want to create local accounts, which are created and managed entirely within Workload Privilege Management rather than federated from an external identity source.

To create a local user:

  1. Select ADMIN from the top bar.

  2. Expand User Maintenance in the left menu and select Users.

  3. Select the blue + to add a user. All users created manually are local users and will need to be assigned roles or access groups to make connections.

You can choose to send an enrollment email to the user so they can set up their account.

Local Account Use Cases

You may want to create local accounts if:

  • You have pilot team members who will participate in the initial deployment of Workload Privilege Management.

  • You have 3rd party professional services supporting the deployment.

  • You need a "break glass" option for administrators.

Best Practice

We recommend limiting the number of local user accounts.

Configuring Users

Users with administrative privileges can add, edit, and delete users from Workload Privilege Management. Users must be added before they can begin connecting to targets. Once added to the system, administrators can categorize users into roles and access groups.

  1. Select ADMIN from the top bar.
  2. Expand User Maintenance in the left menu and select Users.

From here you can add, edit, remove, and view the event history of users.

Adding a Single User

  1. On the Users page, select the blue + icon on the right-hand side to launch the New User form.
  2. Enter the user information and choose the role(s) associated with this user profile.
  3. You can optionally assign the user to an access group. You can also add user identities when creating or editing access groups.
  4. Select Save when you're done.

    Best Practices

    Match the username to the email, without the domain. For example, if the email is JohnDoe@domain.com, you would use JohnDoe as the username.

    For initial deployment and break glass accounts, we suggest using the SUPER_USER role.

Adding Multiple Users

  1. On the Users page, select DOWNLOAD SAMPLE CSV.

  2. Preserve the header row in your CSV file. Replace the example data with your information. Empty fields are optional.

  3. Save the file as a CSV-formatted workbook on your computer.

  4. Select BULK ADD BY CSV and select the CSV you created to automatically add users.

Viewing, Editing, and Deleting Users

On the Users page, each row has three icons for you to view event history, delete a user, or edit a user.

  • Select the Event History icon to view user event history, such as logins, user verifications, and logouts.
  • Select the Delete icon to delete a user.
  • Select the Edit icon to edit a user.

Setting Challenge Questions

An administrator can configure challenge questions to support users in regaining access to their account.

  1. Select ADMIN from the top toolbar.
  2. Expand Account Administration in the left menu and select Challenge Questions.
  3. Select + to add a new question.
  4. Select the Delete icon to delete a challenge question.

Managing Roles

User roles define what actions you can take on different connected targets. They dictate what you can and can't do in Workload Privilege Management, such as creating or connecting to a target. A role is a set of discrete permissions. For example, the CRED_USER role lets you connect to targets and create connections, and the REPORTS role lets you view all reports. You can be assigned more than one role.

When creating or editing roles, you can choose to associate those roles with access groups.

Using Default Roles

Each SailPoint tenant comes with a default set of roles designed to accommodate organizations based on industry-typical practices for functional delegation of job responsibilities.  

To see all roles:  

  1. Select ADMIN from the top toolbar. 
  2. Expand User Maintenance in the left menu and select Roles.

Adding Custom Roles

It is recommended that you use the default roles provided by Workload Privilege Management. If you need custom roles to accommodate novel workflows, we suggest that you consider customizing user roles to align explicitly with Roles Based Access Control (RBAC) labels and group naming conventions. One suggested strategy for customized user roles is to:

  1. Identify opportunities to consolidate multiple functional user roles into a single user role that describes a type of user (e.g., Windows Admin Tier 1, Windows Admin Tier 3, NetOps).
  2. Identify opportunities to segment functional user roles into more granular user roles. For example, using custom roles in large organizations that have very segmented job responsibilities.
  3. Create new roles with corporate nomenclature to use the same terms and group names as existing RBAC and compliance programs.

To add a new role: 

  1. Select ADMIN from the top toolbar. 
  2. Expand User Maintenance in the left menu and select Roles.
  3. Select New Role.
  4. Expand the ADMIN, USER, and REPORT menus and select the permissions associated with that role.
  5. Optionally enter a description, select the API role, or select access group(s).
  6. Select Save.

Viewing History, Editing, and Deleting a Role

On the Roles page:

  • Select the History icon to see the event history of the role.

  • Select the Edit icon to edit a role. All standard and custom roles can be edited except the SUPER_USER role assigned to your root administrator account. 

  • Select the Delete icon to delete a role. 

Using Access Groups

Access groups are administrator-created groupings that determine what connections and credentials you can see based on your user permissions and assigned roles. There are two main ways to populate access groups. You can do so at the individual setting level or, more efficiently, create or edit access groups themselves.

The sections below describe how each component works with access groups and how to assign access groups when creating or editing an individual item.

To more easily manage your access groups, you can create or edit access groups and add the identities, identity group mappings, connections, credentials, and connection credentials all in one location. The exception is roles, which can only be assigned to an access group in the role settings.

Creating and Managing Access Groups

  1. Select ADMIN from the top toolbar. 
  2. Expand User Maintenance in the left menu and select Access Groups. This will display all access groups and the option to edit or delete them. 
  3. Select Add New and enter the name and description to create the access group.  

  4. You can now search for and select existing identities, identity group mappings, connections, credentials, and connection credentials to add to the access group.

  5. For each screen, use the search bar to find the element you want included in the access group. Select the blue + to add it to the access group.

Applying Access Groups to a User

When you assign a user to an access group, they gain all of the privileges and restrictions associated with that group.

  1. Select ADMIN from the top toolbar. 
  2. Expand User Maintenance in the left menu and select Users.  
  3. Select + to create a new user or select the Edit icon to edit an existing user. 
  4. Fill out the form and select the access group(s) you want to be associated with that user. 

See Configuring Users for more information on managing user accounts.

Applying Access Groups to a Group Mapping

Identity group mappings take attributes passed in the assertion or token and map them to roles and access groups. The group mapping option is only available for OAuth 2.0 and SAML platform authentications and will not appear if you are using local authentication.

  1. Select ADMIN from the top toolbar. 
  2. Expand User Maintenance in the left menu and select Group Mapping.
  3. Select Add Group Mapping to create a new group mapping or select Edit under the Actions column to edit an existing group mapping.
  4. Fill out the form and select the access group(s) you want to be associated with that group mapping. 
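The mapping described above, from a group attribute in the assertion or token to roles and access groups, can be modelled in a few lines. This is an added illustration, not SailPoint code: the claim name `groups`, the IdP group values and the access-group names are constructed, while the role names CRED_USER and REPORTS are the ones this page uses. The point worth seeing is that unmapped groups contribute nothing and a missing or misnamed claim yields no roles at all, so the mapping fails closed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class GroupMapping:
    """One mapping row: an IdP group value -> roles and access groups."""
    idp_group: str
    roles: frozenset[str]
    access_groups: frozenset[str]


# Constructed mapping table (hypothetical group and access-group names).
MAPPINGS = [
    GroupMapping("wpm-windows-admins", frozenset({"CRED_USER"}), frozenset({"windows-tier1"})),
    GroupMapping("wpm-auditors", frozenset({"REPORTS"}), frozenset()),
    GroupMapping("wpm-netops", frozenset({"CRED_USER"}), frozenset({"network-devices"})),
]


def resolve_assertion(claims: dict, group_attr: str = "groups") -> tuple[set[str], set[str]]:
    """Resolve (roles, access_groups) from the group attribute of a token/assertion.

    Groups without a mapping row are ignored, and a claim that is absent or
    named differently from `group_attr` resolves to nothing, so a mistyped
    attribute name removes access rather than granting it.
    """
    values = claims.get(group_attr, [])
    if isinstance(values, str):  # some IdPs send a lone group as a scalar
        values = [values]
    roles: set[str] = set()
    access_groups: set[str] = set()
    for mapping in MAPPINGS:
        if mapping.idp_group in values:
            roles |= mapping.roles
            access_groups |= mapping.access_groups
    return roles, access_groups


if __name__ == "__main__":
    # Constructed claims as they might arrive in a decoded token.
    token_claims = {"sub": "jdoe", "groups": ["wpm-windows-admins", "wpm-auditors", "corp-everyone"]}
    print(resolve_assertion(token_claims))
```

A real deployment would read the attribute name from the platform authentication settings rather than hard-coding it; the model here only fixes the semantics of the lookup.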

Applying Access Groups to a Connection

When an access group you belong to is set on the connection, you will have the ability to add user credentials to that connection. These credentials are only visible to you. Connection-level access lets you see the connection in order to add your credential, but it does not grant you access to any other credentials on the connection unless that access is set at the connection credential or credential level. 

  1. Select ADMIN from the top toolbar. 
  2. Expand Privileged Access Management in the left menu and select Connections.  
  3. Select Add Connection to create a new connection or select the Edit icon to edit an existing connection. 
  4. Fill out the form and select the access group(s) you want to be associated with that connection. 

See Adding and Editing a Connection for more information on configuring connections.

Applying Access Groups to a Credential

When an access group you belong to is set on the credential, you and any other users within that access group can use that credential across Workload Privilege Management. Sometimes the same credential can be used for many targets. Setting the access level on the credential will allow you to access any connection that the credential is on.

  1. Select ADMIN from the top toolbar. 
  2. Expand Privileged Access Management in the left menu and select Credentials.  
  3. Select Add Credential to create a new credential or select the Edit icon to edit an existing credential. 
  4. Fill out the form and select the access group(s) you want to be associated with that credential. 

See Adding and Editing a Credential Manually for more information on managing credentials.

Applying Access Groups to a Connection Credential

When an access group you belong to is set on the connection credential, you and any other users within that access group will only be able to see that credential on connections affiliated with that connection credential. If the same credential is used on any other connection, you will not be able to see it. If the credential does not belong to the access group you are assigned to, you will not see it even if you have access to the connection.  

Because a credential can be on numerous connections, you have the option to edit the connection credential to include access groups at the point at which a credential is associated with a connection.  

  1. Select ADMIN from the top toolbar.  
  2. Expand Privileged Access Management in the left menu and select Connections.  
  3. Select Add Connection to create a new connection or select the Edit icon to edit an existing connection. 
  4. If you have permissions to add credentials, you will see a + icon. Select that to open the Add Connection Credential window. 
  5. Fill out the form and select the access group(s) you want to be associated with that connection credential. 

Applying Access Groups to a Role

Workload Privilege Management provides standard roles that administrators can associate with access groups. The difference between roles and access groups is that roles are permissions that dictate what you can and can't do, such as creating or connecting to a target. Access groups determine what objects you can take actions on.  

  1. Select ADMIN from the top toolbar. 
  2. Expand User Maintenance in the left menu and select Roles.  
  3. Select New Role to create a new role or select the Edit icon to edit an existing role. 
  4. Fill out the form and select the access group(s) you want to be associated with that role. 

See Adding Custom Roles for more information on managing roles.
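The three places an access group can be set (connection, credential, connection credential) and the roles-versus-access-groups distinction above fit together in one small model. The following Python is an added illustration, not SailPoint code: the users, access-group names, credentials and connections are constructed, and the permission labels behind CRED_USER and REPORTS are assumed for the example. It encodes the visibility rules exactly as this page states them: a personal credential is visible only to its owner, a credential-level group makes the credential usable on every connection it is on, a connection-credential-level group exposes it on that connection only, and a role decides whether the user may act on what they can see.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set[str]
    access_groups: set[str]


@dataclass
class Credential:
    name: str
    access_groups: set[str] = field(default_factory=set)  # credential-level access groups
    owner: str | None = None  # set when a user adds a personal credential to a connection


@dataclass
class ConnectionCredential:
    credential: Credential
    access_groups: set[str] = field(default_factory=set)  # connection-credential-level groups


@dataclass
class Connection:
    name: str
    access_groups: set[str] = field(default_factory=set)  # connection-level access groups
    credentials: list[ConnectionCredential] = field(default_factory=list)


# Roles are sets of permissions (actions); the permission labels are assumed here.
ROLE_PERMISSIONS = {
    "CRED_USER": {"connect", "create_connection"},
    "REPORTS": {"view_reports"},
}


def has_permission(user: User, action: str) -> bool:
    """Roles answer 'what can you do'; they say nothing about which objects."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def visible_credentials(user: User, conn: Connection) -> list[str]:
    """Access groups answer 'which objects'; this applies the three placement levels."""
    seen = []
    for cc in conn.credentials:
        cred = cc.credential
        if cred.owner == user.name:  # personal credential: only the owner sees it
            seen.append(cred.name)
        elif user.access_groups & cred.access_groups:  # credential level: every connection
            seen.append(cred.name)
        elif user.access_groups & cc.access_groups:  # connection-credential level: this one
            seen.append(cred.name)
    return seen


def can_add_own_credential(user: User, conn: Connection) -> bool:
    """Connection-level group lets a user see the connection and add a personal credential."""
    return has_permission(user, "connect") and bool(user.access_groups & conn.access_groups)


def can_connect(user: User, conn: Connection, credential_name: str) -> bool:
    """Both halves are needed: the role permits the action, the access group exposes the object."""
    return has_permission(user, "connect") and credential_name in visible_credentials(user, conn)


# Constructed sample data.
svc_backup = Credential("svc_backup", access_groups={"dba"})
local_admin = Credential("local_admin")
alice_personal = Credential("alice_personal", owner="alice")

db01 = Connection("db01", access_groups={"windows-tier1"}, credentials=[
    ConnectionCredential(svc_backup),
    ConnectionCredential(local_admin, access_groups={"windows-tier1"}),
    ConnectionCredential(alice_personal),
])
db02 = Connection("db02", credentials=[
    ConnectionCredential(svc_backup),
    ConnectionCredential(local_admin),
])

alice = User("alice", roles={"CRED_USER"}, access_groups={"windows-tier1"})
bob = User("bob", roles={"CRED_USER"}, access_groups={"dba"})
carol = User("carol", roles={"REPORTS"}, access_groups={"windows-tier1"})

if __name__ == "__main__":
    for user in (alice, bob, carol):
        for conn in (db01, db02):
            print(user.name, conn.name, visible_credentials(user, conn))
```

Running it shows the asymmetry the text describes: bob sees svc_backup on both connections through the credential-level group even though he has no connection-level access to db01, while alice sees local_admin only on db01, where the connection credential carries her group. carol shares alice's access group, so she sees local_admin too, but without a role that grants connect she cannot use it.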

Using Vault

Vault is used to securely store secret credentials and groups. A user that has been granted the vault permission can use the vault to store secrets that are personal to that user -- no other user can see them. An administrator can create vault groups and grant users visibility into a vault group by associating it with an access group.

Managing Vault Groups

Vault groups aggregate vault credentials into logical groups aligned with vault users' shared job responsibilities, making management of discretionary access easier. You will belong to a vault group, where you can access all vault credentials within that vault group.

Adding Vault Groups 

The access group must be added to a vault group. Users in an access group have access to all credentials within the assigned vault group. 

  1. Select ADMIN from the top toolbar.
  2. Expand Vault in the left menu and select Vault Groups.
  3. Select the + icon to add a new vault group.
  4. Provide a meaningful Group Name.
  5. Select one or more Access Groups that should be allowed access to the credentials that will be loaded into this vault group. 

Editing and Deleting Vault Groups

To edit vault groups, select the Edit icon. To delete vault groups, select the Delete icon. Type "DELETE" in the field to confirm the group removal.

Adding Vault Folders

Vault folders are purely used to organize and logically group vault credentials. This is especially beneficial if you have a significant number of vault credentials.  

Discretionary access is not controlled by the vault folders -- those are controlled by vault groups and access groups.  

  1. Select VAULT from the top toolbar.
  2. Select a vault group in the left menu.
  3. Select the + Add Folder button. 
  4. Name your folder and select Create.  

Editing and Deleting Vault Folders

Right-click on the folder to edit or delete it.  

See Managing Vault Credentials to see how to leverage vault credentials.