Custom User Levels in SailPoint ISC

Date Posted:

26 Nov 2025

Category:

Security

Custom Role & User Level Management in SailPoint ISC

Introduction to Custom User Levels in SailPoint ISC

Most organizations have multiple teams working inside Identity Security Cloud, such as helpdesk, app owners, auditors, project teams, and security administrators. Each team requires a different level of access. When everyone has the same admin role, it becomes difficult to limit what they can see or change. This may lead to unintentional changes, over-privileged access, and audit challenges.

To solve these issues, SailPoint introduced Custom User Levels. This feature allows administrators to create permission sets based on their needs. Instead of giving broad access, you can now give the exact permissions required for the task.

What Are Custom User Levels?

  • Custom User Levels are administrator permission groups that determine what a user can view, edit, or manage within ISC. Each user level consists of selected permissions tied to identities, access components, sources, virtual appliances, and platform configurations. Admins can assign one or many custom levels to an individual, depending on their duties. This setup ensures that people only receive the access required for their job.

  • Organizations often face challenges such as helpdesk admins needing limited access, app owners requiring only source-related visibility, security auditors needing view-only access, and project teams requiring temporary elevated access.

  • Without Custom User Levels, one admin role may cover too many permissions, making it hard to maintain proper boundaries. Custom levels solve this by offering a flexible way to distribute responsibilities safely.

Creating Custom User Levels in ISC

  • Go to Admin -> Global and select User Level.

  • Click Create to start building a new level. 

  • Add a name and description. 

  • Select the required permissions. 

  • Save the user level and assign it to users.


Permissions Available in User Levels

1. Access Permissions 

These cover entitlement, role and access profile‑related actions:

  • Access Profiles, Roles, Entitlements Read Only.

  • Access Profiles, Roles, Entitlements Management to create, view, manage and delete objects.

2. Identity Permissions 

These permissions control actions related to user accounts:

  • Identity Read Only for Identity Details, Events, Accounts, Access and Work Reassignment

  • Identity Management for Identity Accounts, Revoke Identity Access, Enable / Delete / Invite / Reset / Disable Identity, Export Identity List / Events, Set Lifecycle State, Add and Delete Work Reassignment, Process Identity, Set User Levels, Reset MFA, Synchronize Attributes, Reset Password

  • Identity Access History Read Only

  • Human and Uncorrelated Accounts Read Only

  • Human and Uncorrelated Accounts Management

3. Connection Permissions 

These manage application integrations:

  • VA Read Only

  • VA Management

4. The identities assigned to the custom user level are shown here.

5. After reviewing the details, click Apply Changes. The custom user level is then created and assigned to the identities.

6. The created user level now appears on the identity list page for the particular identity.

Benefits of Custom User Levels

  • Enables least‑privilege access across teams. 

  • Prevents accidental or unauthorized changes to the system. 

  • Helps create clear separation of responsibility. 

  • Simplifies compliance reviews and audits. 

  • Allows flexibility as organizations grow or restructure. 

Limitations and Considerations

Custom User Levels come with some limitations and considerations to keep in mind:

  • Too many user levels may become complex to maintain. 

  • Lack of documentation may result in confusion. 

  • Incorrect mapping may restrict essential admin activities. 

  • The feature is evolving and may expand further in the future. 

  • Good planning and periodic reviews help avoid these issues.

  • Start with minimal permissions and expand only as needed. 

  • Review permissions regularly. 

  • Assign test accounts to validate new user levels. 
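
The review points above, applied to a small inventory of user levels, as an added example that is not SailPoint's code or part of the original post. The permission labels are the ones listed in this article; the level names, identities, the `view_only` flag and the choice of which Identity Management actions count as sensitive are assumptions made for illustration.

```python
# Constructed inventory of custom user levels. Permission labels come from
# this article; level names, identities and the view_only flag are made up.
LEVELS = [
    {"name": "Helpdesk", "description": "Password and MFA resets",
     "view_only": False, "permissions": ["Identity Management"],
     "identities": ["h.desk1", "h.desk2"]},
    {"name": "Auditor", "description": "", "view_only": True,
     "permissions": ["Identity Read Only",
                     "Identity Access History Read Only",
                     "VA Management"],
     "identities": ["a.audit"]},
    {"name": "Project-Temp", "description": "Migration project",
     "view_only": False,
     "permissions": ["Access Profiles, Roles, Entitlements Management"],
     "identities": []},
]

# Actions the article lists under Identity Management. Treating these three
# as sensitive is this example's assumption, not a SailPoint classification.
SENSITIVE = ("Set User Levels", "Reset MFA", "Reset Password")


def review(levels):
    """Return (level name, finding) pairs for a periodic user-level review."""
    findings = []
    for lvl in levels:
        perms = lvl["permissions"]
        managing = [p for p in perms if p.endswith("Management")]
        # A level meant to be view-only should hold no Management permission.
        if lvl["view_only"] and managing:
            findings.append((lvl["name"],
                             "view-only level grants " + ", ".join(managing)))
        # Identity Management bundles credential and admin-right changes.
        if "Identity Management" in perms:
            findings.append((lvl["name"], "includes " + ", ".join(SENSITIVE)))
        # Undocumented levels cause confusion later.
        if not lvl["description"].strip():
            findings.append((lvl["name"], "missing description"))
        # Unused levels add maintenance overhead.
        if not lvl["identities"]:
            findings.append((lvl["name"], "no identities assigned"))
    return findings


if __name__ == "__main__":
    for name, finding in review(LEVELS):
        print(f"{name}: {finding}")
```
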

Stay tuned to our blog for more posts about SailPoint product implementation and related updates.
