Authoritative Source
• The trusted data source
• Generally an HR database or application
• At least one authoritative data source is a must – a company can have many authoritative systems (applications)
• Responsible for creating identities in IIQ – examples: Workday, SAP HR, delimited file (flat file), JDBC
Identity
• Comes from the authoritative data source(s)
• Must have a unique identifier, like employee id
• Should have some attributes – first name – last name – email – manager
• Identity attributes can be fetched from any target system
• IIQ table: spt_identity
Access Request
• Harry, the news reader, wants access to a cool application, “News Analysis”
• Raises an access request, i.e. an identity request (which generates an identity request ID: a number used to track the request and get its status)
• Request goes to Sam, the manager for approval
Policy
• The news agency has a policy where
– 'Read' should not have 'budget approval' entitlement
– 'Write' should not have 'budget approval' entitlement
– 'Editor' should not have 'budget approval' entitlement
Certification
• Access Review or Attestation
• Mark and Harry have a common manager - Sam
– Mark wants to become “News reader”
• Sam revokes entitlements - Write and Modify
• Certification can be periodic
Entitlements and Roles
• Identity: Mark works in a news agency – has an account in application “News Digest” and is an “Editor” – Mark is entitled to “Read”, “Write” and “Modify”
– Access to Application: News Digest
– Role: Editor
– Entitlements: Read, Write and Modify
• Identity: Harry works in a news agency – has an account in application “News Digest” and is a news “Reader” – Harry is entitled to “Read” news
– Access to Application: News Digest
– Role: Reader
– Entitlement: Read
Orphan Account
• An account from a target system with no identity to attach or correlate
• Usually caused by improper correlation logic
Correlation
• Attaching an account to an identity
• An identity can be attached/correlated to many accounts
• Proper correlation logic required – e.g. Active Directory givenName -> identity first name
• Example: one identity – Workday account – ServiceNow account – Active Directory account
Aggregation
• Pulling data or accounts from a target system
• Data is pulled (aggregated) per application
• Account aggregation
• Group aggregation
Connector
• Provided by SailPoint IIQ to connect to different applications
• Needs connection parameters
• Various out-of-the-box (OOTB) connectors available
– Active Directory
– LDAP
– Salesforce
– SAP
– Delimited
– JDBC and many more
• Custom Connector
Target System (Application)
• Business applications
• Users/identities use these applications to perform some work
• Users/identities have accounts in these target systems
• Identities own accounts in target systems, e.g.
– ServiceNow (ticketing system)
– Active Directory
– LDAP
– Duo
– Salesforce
Work group details are stored in the SailPoint DB:
spt_identity_workgroups table
Examples:
- context.search - Iterator iterator = context.search(ManagedAttribute.class, queryOptions);
- context.saveObject(accountGroup);
- context.commitTransaction();
- context.getObjectByName - Identity identity = context.getObjectByName(Identity.class, strIdentity);
Provisioning Plan in Workflow
• A provisioning plan contains a list of requested changes to an identity
• An identity or identityName variable will be present most of the time in a workflow
• A provisioning plan is created for each identity
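An added example (not from these notes or from SailPoint's own code) of building a provisioning plan in a workflow step for the Harry / News Digest scenario above: it resolves the identity with context.getObjectByName as in the Examples section, then adds one account request that grants the Read entitlement. The entitlement attribute name "entitlements", and the assumption that the account's native identity equals the identity name, are assumptions made for this illustration.

```java
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.GeneralException;

public class ReadGrantPlanBuilder {

    // Builds the plan that a workflow "Provision" step consumes (usually via the
    // workflow variable "plan"). identityName is the workflow variable named in
    // the notes above; application and entitlement values come from the Harry scenario.
    public static ProvisioningPlan buildReadGrantPlan(SailPointContext context,
                                                      String identityName)
            throws GeneralException {
        // Resolve the identity first: a plan for an unknown identity would only
        // fail later, inside provisioning, with a less useful error.
        Identity identity = context.getObjectByName(Identity.class, identityName);
        if (identity == null) {
            throw new GeneralException("No identity named " + identityName);
        }

        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);

        // One AccountRequest per target account being changed.
        AccountRequest acct = new AccountRequest();
        acct.setApplication("News Digest");
        acct.setNativeIdentity(identityName); // assumption: account name == identity name
        acct.setOperation(AccountRequest.Operation.Modify);

        // One AttributeRequest per attribute change: add "Read" to the entitlement
        // attribute ("entitlements" is an assumed attribute name for this example).
        acct.add(new AttributeRequest("entitlements",
                                      ProvisioningPlan.Operation.Add, "Read"));
        plan.add(acct);
        return plan;
    }
}
```

In a BeanShell script step the same method body runs with the step's own context and identityName variables in scope, and the returned plan is stored in the workflow's plan variable for the provisioning step.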