Yes. Granting an IdentityIQ capability is a valid way to provide access to additional functions within SailPoint IdentityIQ, including areas such as Advanced Analytics. Capabilities are part of IdentityIQ’s internal authorization model. They determine what a logged-in user is allowed to see and perform inside the IdentityIQ interface, such as administration, reporting, certification administration, role management, policy management, or advanced search and analysis functions.
Advanced Analytics searches are IdentityIQ functions, not external application permissions. Therefore, access to those search types is governed by IdentityIQ security controls, including capabilities, rights, and in some deployments, scoping. This is different from granting access on a connected application, which would be handled through accounts, entitlements, roles, access requests, and provisioning.
The key distinction is that capabilities grant authority inside IdentityIQ itself. They do not directly modify a user’s access on a target system. Providing access to different types of Advanced Analytics searches is therefore an appropriate reason to assign an IdentityIQ capability.
Reference topics: Identity Modeling — how IdentityIQ access is granted to users; Foundational Concepts — common IdentityIQ objects and components; Governance — analytics and access visibility.
Submit