No. IdentityIQ capabilities are used to control what a user can do inside SailPoint IdentityIQ, not to grant elevated permissions on a connected target application. A capability defines access to IdentityIQ functions such as administration, reporting, certification management, policy management, role management, access request functions, or other internal product features. Capabilities are part of IdentityIQ’s internal authorization model and determine which menus, pages, actions, and administrative operations a logged-in IdentityIQ user may perform.
Elevated permissions on a connected application must be granted through governed access, such as requesting or provisioning an account, entitlement, role, or permission on that target system. That process is handled through access requests, approval workflows, provisioning plans, connector operations, and application-specific provisioning policies. For example, adding a privileged group in Active Directory or assigning an administrative application role would be modeled as target-system access, not as an IdentityIQ capability.
Therefore, granting an IdentityIQ capability is appropriate when the user needs additional permissions within IdentityIQ itself, not when they need elevated access on an external connected application. Reference topics: Identity Modeling — how IdentityIQ access is granted to users; User-Driven Requests — access requests; Provisioning — target application access fulfillment.
