SailPoint IdentityIQ (Identity Management)
Today there are many products on the market providing IDM solutions for enterprise applications, so what is new about SailPoint IdentityIQ?
The answer lies in its approach to providing the solution.
Existing IDM products are IT focused, and their effectiveness depends mostly on the IT help desk and the IT technical team. SailPoint aims at shifting more and more identity and access processes from the IT technical team to the end users, so that dependency on the technical team is as low as possible. In that sense this product is business focused, where other IDM products are IT focused. It also has a single user interface, where existing IDM products have multiple interfaces with multiple contexts.
SailPoint IdentityIQ integrates provisioning and compliance features into a single solution. Thus this IDM product is able to address all the needs related to identity and access management, such as access certifications, policy enforcement, account provisioning and user life-cycle management.
SailPoint IdentityIQ consists of 4 major components:
- Compliance Manager
- Lifecycle Manager
- Governance Platform
- User Provisioning
COMPLIANCE MANAGER:
SailPoint IdentityIQ Compliance Manager automates the common auditing, reporting and management activities and integrates identity processes such as access certification* and policy enforcement*.
Compliance Manager helps to prioritize the most critical compliance activities and focuses controls on the users, resources and access privileges that represent the greatest potential risk.
• It proactively detects and prevents inappropriate access and violations of corporate policies
• It ensures compliance and better manages risk during mergers and acquisitions
*Access Certifications:
The periodic review of user access privileges in order to validate that
access privileges align with a user’s job function and conform to
policy guidelines. Access certifications are commonly used as an
internal control to ensure compliance with regulations.
*Policy Enforcement: The set of preventive and detective controls that automatically ensure that defined policy is followed by the organization.
LIFECYCLE MANAGER:
SailPoint IdentityIQ Lifecycle Manager allows business users to easily request access and reset passwords themselves from a centralized, business-friendly interface. By applying policy to all user lifecycle processes, IdentityIQ Lifecycle Manager ensures users acquire only the most appropriate levels of access for their job function.
IdentityIQ Lifecycle Manager automates changes to user access resulting from a range of identity lifecycle events (e.g., new hires, transfers, moves or terminations) through integration with authoritative sources, such as HR systems and corporate directories. When a lifecycle event is detected, Lifecycle Manager triggers the required changes by initiating the appropriate business process, including policy checking and approvals.
With Lifecycle Manager, we can:
• Empower business users to independently request and manage access
• Enable business users to proactively change and reset passwords
• Speed delivery of access using automated identity lifecycle events (e.g., hires, transfers and terminations)
• Centralize access request and change processes
• Streamline IT operations and offload IT and the help desk
Self-service access request:
Centralized access request management allows managers and end users to
conveniently request new access or make changes to existing access
privileges within the constraints of your pre-defined identity policy
and role models. It also provides an efficient, more accurate way to
view existing access and remove access as needed, as well as to create
and edit identities.
*Self-Service:
The process of allowing users to request access to resources using a
self-service interface, which uses workflow to route the request to the
appropriate manager(s) for approval.
*Password management: Automation of the process for controlling setting, resetting and synchronizing passwords across systems.
Using the same business-friendly user interface, users and/or their approved delegates can change or reset passwords across target systems. Allowing end users to proactively manage password changes can significantly reduce help desk calls. Most importantly, centralized password management enables us to consistently enforce strong password policies, customized for each application.
*Event-based lifecycle management:
To further streamline user on-boarding, off-boarding, and other job
changes within the enterprise, we can add event-based lifecycle
management to automatically trigger access changes based on HR or other
authoritative feeds.
GOVERNANCE PLATFORM:
The SailPoint IdentityIQ
Governance Platform centralizes identity data, captures business policy,
models roles and proactively manages user and resource risk factors.
Together, these integrated capabilities allow organizations to build
preventive and detective controls that support critical identity
business processes, including access certifications, access requests,
lifecycle management and provisioning.
With the Governance Platform, we can:
• Centralize technical identity data across resources and transform it into rich, business relevant information
• Create, enforce and verify role-based access across diverse enterprise applications
• Prioritize compliance and security efforts by assessing the risk of each person, application and system resource across the environment
• Define and leverage enterprise access policies for detective and preventive control
USER PROVISIONING:
SailPoint IdentityIQ
Provisioning Broker acts as a bridge between compliance and user
lifecycle processes, allowing consistent user interfaces and processes
at the business layer that are separate from technical processes for
implementing change. Provisioning Broker sends access change requests to
automated provisioning systems, including IdentityIQ Provisioning
Engine or third-party provisioning systems; and can also leverage manual
change management processes by creating help desk tickets or manual
work items to track progress of all changes requested by the business.
This seamless orchestration of changes across access delivery mechanisms
unifies policy enforcement, process monitoring and auditing, and gives
organizations the flexibility to provision changes to user access in any
way they choose.
With User Provisioning, we can:
• Speed the provisioning of access changes to our managed resources
• Improve compliance by implementing changes according to defined policy
• Generate documentation of provisioning changes for auditors
*Provisioning:
The process of granting, changing, or removing user access to systems,
applications and databases based on a unique user identity.
Concept of Identity Cubes and Identity Attributes
- SailPoint IdentityIQ represents users by Identity Cubes.
- Identity Cubes are a correlated collection of accounts and entitlements that represent a single user in the real world.
- Identity Cubes are multi-dimensional data models of identity information that offer a single, logical representation of each managed user.
- Each Cube contains information about user entitlements, user activity, and associated business context.
- “Cubes” are built through a discovery process from authoritative sources, that is, by bringing in user account data from authoritative applications, and are refreshed dynamically or by running an Identity Refresh task.
- Identity Attributes are used to describe Identity Cubes and hence describe the real-world user.
- Identity Attributes are created by directly mapping attributes from various sources or are derived through rules or mappings.
- Examples of identity attributes are name, email, department, etc.
User Discovery
- A multi-step process by which Identity Cubes are created and updated with account and attribute data from multiple backend systems.
- One or more “authoritative sources” (HR, Corporate Directory) supply the population of unique identities and start the creation of Identity Cubes.
Connector
- An IdentityIQ component which communicates with various targeted platforms, applications and systems to import application and account data. A connector is defined as part of an application. (Example: Delimited File Connector, JDBC, Active Directory, etc.)
- SailPoint supports many industry-standard systems as authoritative resources. A few examples of supported connectors: Active Directory, DB2, Delimited File, IBM Tivoli Directory Server, IBM Tivoli Identity Manager, JDBC, LDAP, LDIF, Linux, Lotus Notes, Mainframe, MS SQL Server, MS SharePoint, Oracle DB, Oracle Apps, PeopleSoft, RACF, SAP, SAP HR, SAP Portal, Salesforce, Solaris, Sun IDM, Sybase and many more.
Account Aggregation
- The process by which IdentityIQ creates and updates Identity Cubes with account, attribute and entitlement data accessed through configured Applications.
- Account aggregation is very similar to reconciliation in other identity management solutions.
- Account aggregation is performed by defining and running reusable Account Aggregation tasks.
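The discovery, correlation and aggregation steps described in the Identity Cube, User Discovery, Connector and Account Aggregation sections above can be seen end to end in a small model. The following Python is an added example written for this page; it is not SailPoint IdentityIQ code and does not use its API. The HR feed, the Active Directory and Payroll DB accounts, the attribute names, the correlation rules and the function names are all constructed assumptions. It builds one cube per authoritative HR record, derives identity attributes by direct mapping and by rule, aggregates accounts from two non-authoritative applications, correlates them on employee ID with an e-mail fallback, and reports two things a refresh should always surface: accounts that correlate to nobody (orphans) and terminated identities that still hold accounts.

```python
"""Identity cube discovery, account aggregation and correlation: an added illustration,
not SailPoint IdentityIQ code. All records, field names and rules are constructed."""
from dataclasses import dataclass, field
# Constructed authoritative HR feed: exactly one record per real-world person.
HR_FEED = [
    {"employeeId": "E1001", "firstName": "Ada", "lastName": "Lovelace",
     "email": "ada.lovelace@example.com", "department": "Finance", "status": "Active"},
    {"employeeId": "E1002", "firstName": "Alan", "lastName": "Turing",
     "email": "alan.turing@example.com", "department": "Engineering", "status": "Terminated"},
]

# Constructed non-authoritative application data: accounts carrying entitlements.
APPLICATIONS = {
    "Active Directory": [
        {"sAMAccountName": "alovelace", "employeeID": "E1001", "mail": "ada.lovelace@example.com",
         "memberOf": ["CN=Finance-Users", "CN=VPN-Users"]},
        {"sAMAccountName": "aturing", "employeeID": "E1002", "mail": "alan.turing@example.com",
         "memberOf": ["CN=Domain Admins"]},
        {"sAMAccountName": "svc-backup", "employeeID": "", "mail": "",
         "memberOf": ["CN=Backup Operators"]},
    ],
    "Payroll DB": [  # has no employee-ID column, so it can only correlate on e-mail
        {"login": "ada.l", "email": "ADA.LOVELACE@EXAMPLE.COM", "roles": ["AP_APPROVER"]},
    ],
}

CORRELATION_RULES = {  # per application: (account attribute, identity attribute), tried in order
    "Active Directory": [("employeeID", "employeeId"), ("mail", "email")],
    "Payroll DB": [("email", "email")],
}
ENTITLEMENT_ATTR = {"Active Directory": "memberOf", "Payroll DB": "roles"}  # where entitlements live


@dataclass
class IdentityCube:
    name: str
    attributes: dict
    accounts: dict = field(default_factory=dict)  # application -> correlated account record

    def entitlements(self):
        return {app: list(acct[ENTITLEMENT_ATTR[app]]) for app, acct in self.accounts.items()}


def discover_identities(hr_feed):
    """One cube per authoritative record; attributes come from direct mapping or from a rule."""
    cubes = {}
    for rec in hr_feed:
        cubes[rec["employeeId"]] = IdentityCube(rec["employeeId"], {
            "employeeId": rec["employeeId"],
            "email": rec["email"].lower(),                            # mapped and normalised
            "department": rec["department"],                          # mapped
            "displayName": f"{rec['firstName']} {rec['lastName']}",   # rule-derived
            "inactive": rec["status"] != "Active",                    # rule-derived
        })
    return cubes


def _norm(value):
    return str(value or "").strip().lower()


def aggregate(cubes, applications, rules):
    """Attach each account to the cube its correlation rule selects; return the orphans."""
    orphans = []
    for app, accounts in applications.items():
        for acct in accounts:
            match = None
            for acct_attr, id_attr in rules[app]:
                key = _norm(acct.get(acct_attr))
                if key:  # an empty key must never correlate to anything
                    match = next((c for c in cubes.values()
                                  if _norm(c.attributes.get(id_attr)) == key), None)
                if match:
                    break
            if match:
                match.accounts[app] = acct
            else:
                orphans.append((app, acct))  # nobody owns this account
    return orphans


def accounts_of_inactive_identities(cubes):
    """Refresh-time check: terminated people who still hold accounts somewhere."""
    return {c.name: sorted(c.accounts) for c in cubes.values()
            if c.attributes["inactive"] and c.accounts}


def run_refresh():
    cubes = discover_identities(HR_FEED)
    orphans = aggregate(cubes, APPLICATIONS, CORRELATION_RULES)
    return cubes, orphans, accounts_of_inactive_identities(cubes)


if __name__ == "__main__":
    cubes, orphans, leavers = run_refresh()
    print({c.attributes["displayName"]: c.entitlements() for c in cubes.values()})
    print("orphans:", [(app, a.get("sAMAccountName") or a.get("login")) for app, a in orphans])
    print("inactive identities still holding accounts:", leavers)
```

The two findings the refresh returns are where attention belongs: an uncorrelated account holding Backup Operators, or a leaver whose Active Directory account still carries Domain Admins, is invisible to a manager certification because no identity cube carries it. A production correlation rule should also refuse ambiguous matches (two identities sharing one e-mail address) instead of taking the first candidate as this sketch does.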
Provisioning
User provisioning and account provisioning are the same concept, and the two terms are used interchangeably.
Provisioning can be thought of as
1. The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity by creation of user accounts on target systems.
2. The process of providing customers or clients with accounts, the appropriate access to those accounts, all the rights associated with those accounts, and all of the resources necessary to manage the accounts.
Types of provisioning include:
1. Automated provisioning – detecting new user records in the authoritative source or HR system and automatically provisioning those users with the appropriate access on target applications.
2. Self-service provisioning – allows users to update their profile data and request an account or request an entitlement and manage their own passwords.
3. Workflow-based provisioning – gathers the required approvals from the designated approvers before granting a user access to an application or data.
A provisioning system must, in general, include some or all of the following components:
1. Connectors, to read information about users from integrated systems and applications and to send updates (e.g., create new user, delete user, modify user information) back to those systems and applications.
2. Internal database that tracks user objects and other data from integrated systems and applications.
3. Auto-discovery system, which populates the internal database using the connectors.
4. User interface where users can review the contents of the internal database, make change requests, approve or reject proposed changes, etc.
5. Workflow engine, used primarily to invite users to review and either approve or reject changes.
6. Policy engine, which evaluates both current user information and proposed changes to see if they meet corporate rules and regulations.
7. Reporting engine, which helps organizations extract information from the internal database.
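The event-based lifecycle management described under Lifecycle Manager and the automated, self-service and workflow-based provisioning types and the policy engine listed above fit together in one flow. The following Python is an added example written for this page; it is not SailPoint IdentityIQ code and does not use its API. The role model, the separation-of-duties policy, the privileged-entitlement list, the event shapes, the application names and the function names are constructed assumptions. It turns a hire, transfer or termination event into a list of attribute requests (automated provisioning), then runs a policy check that rejects any change which would leave the identity in a separation-of-duties conflict and routes additions outside the role model, or on the privileged list, to an approver (workflow-based provisioning). A self-service request is simply a plan that did not come from an event.

```python
"""Lifecycle event -> provisioning plan -> policy check: an added illustration, not
SailPoint IdentityIQ code. Role model, SoD policy, events and names are constructed."""
from dataclasses import dataclass

# Constructed role model: department -> birthright entitlements per application.
ROLE_MODEL = {
    "Finance": {"Active Directory": {"Finance-Users", "VPN-Users"}, "Payroll DB": {"AP_CLERK"}},
    "Engineering": {"Active Directory": {"Eng-Users", "VPN-Users"}, "GitLab": {"developer"}},
}
# Constructed separation-of-duties policy: (app, entitlement, app, entitlement) pairs
# that no single identity may hold at the same time.
SOD_POLICY = [("Payroll DB", "AP_CLERK", "Payroll DB", "AP_APPROVER")]
# Entitlements that always need a human approver, even if a role model allows them.
PRIVILEGED = {("Active Directory", "Domain Admins")}


@dataclass(frozen=True)
class AttributeRequest:
    application: str
    op: str          # "Add", "Remove" or "Disable"
    value: str = ""


def plan_for_event(event, current):
    """Automated provisioning: build the change list for a joiner/mover/leaver event.

    `current` is {application: set(entitlements)} as aggregated for the identity.
    """
    if event["type"] == "terminate":
        # Leaver: disable every account the identity holds; nothing is granted.
        return [AttributeRequest(app, "Disable") for app in sorted(current)]
    target = ROLE_MODEL[event["department"]]
    plan = []
    if event["type"] == "transfer":
        # Mover: strip what the old department granted and the new one does not.
        old = ROLE_MODEL[event["previousDepartment"]]
        for app, ents in old.items():
            for ent in sorted(ents - target.get(app, set())):
                if ent in current.get(app, set()):
                    plan.append(AttributeRequest(app, "Remove", ent))
    # Joiner or mover: grant what the target department requires and the identity lacks.
    for app, ents in target.items():
        for ent in sorted(ents - current.get(app, set())):
            plan.append(AttributeRequest(app, "Add", ent))
    return plan


def evaluate(plan, current, department):
    """Policy engine: simulate the plan, then return (decision, reason).

    Preventive control first (SoD on the projected state), then the workflow
    control (anything outside the role model or on the privileged list needs
    an approver). A self-service request is just a plan without an event.
    """
    projected = {app: set(ents) for app, ents in current.items()}
    for req in plan:
        if req.op == "Add":
            projected.setdefault(req.application, set()).add(req.value)
        elif req.op == "Remove":
            projected.get(req.application, set()).discard(req.value)
        elif req.op == "Disable":
            projected[req.application] = set()
    for app_a, ent_a, app_b, ent_b in SOD_POLICY:
        if ent_a in projected.get(app_a, set()) and ent_b in projected.get(app_b, set()):
            return "Rejected", f"SoD violation: {app_a}:{ent_a} with {app_b}:{ent_b}"
    allowed = ROLE_MODEL.get(department, {})
    exceptional = [req for req in plan if req.op == "Add" and (
        (req.application, req.value) in PRIVILEGED
        or req.value not in allowed.get(req.application, set()))]
    if exceptional:
        return "NeedsApproval", "route to approver: " + ", ".join(
            f"{req.application}:{req.value}" for req in exceptional)
    return "Approved", "within role model and policy"


if __name__ == "__main__":
    finance = {"Active Directory": {"Finance-Users", "VPN-Users"}, "Payroll DB": {"AP_CLERK"}}
    mover = plan_for_event({"type": "transfer", "department": "Engineering",
                            "previousDepartment": "Finance"}, finance)
    print(mover, evaluate(mover, finance, "Engineering"))
    request = [AttributeRequest("Payroll DB", "Add", "AP_APPROVER")]  # self-service request
    print(request, evaluate(request, finance, "Finance"))
```

The order of the two checks is deliberate: the separation-of-duties check is evaluated on the state the identity would be in after the plan, so a transfer that removes AP_CLERK and a request that adds AP_APPROVER are judged on the combined result, not on the requests in isolation. Removals and disables never need approval here, which is what you want for a leaver event; a real deployment would still log them for the auditors' provisioning report.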
Phases of a SailPoint IdentityIQ Certification
Certification processes are central to access governance with SailPoint IdentityIQ. The concepts are generally the same as in any other access governance product, but let us try to gain some more insight into IdentityIQ certifications.
Certification processes allow reviewers, managers or certifiers to review and remediate the access granted to users on various resources, such as applications, entitlements, accounts and roles. Based on the type of resource, certifications in IdentityIQ are divided into the categories listed below:
- Manager Certifications
- Application Owner Certifications
- Entitlement Owner Certifications
- Advanced Certifications
- Account Group Certifications
- Role Certifications
- Identity Certifications
- Event‐Based Certifications
Regardless of its type, every certification moves through the following phases:
- Generation Phase
- Active Phase
- Challenge Phase
- Sign Off Phase
- Remediation\Revocation Phase
- End Phase
Active Phase:
- It is during the Active phase that the certifiers are required to take their decisions (approve or revoke).
- Delegations and reassignments, if any, need to be completed during this phase.
- The Active period duration is set on the certification's Lifecycle page.
- The Challenge phase starts when the Active period duration is over.
Challenge Phase:
- The Challenge phase is the phase in which a user whose access is affected by a reviewer's decision can challenge that decision.
- It is enabled only if the “Enable Challenge Period” option was selected on the Lifecycle page; otherwise the certification moves straight from the Active phase to Sign Off.
Sign Off Phase:
- The Sign Off phase starts at the end of the Challenge phase.
- Once the Sign Off button is clicked, no further changes to the access review can be made by reviewers.
Remediation\Revocation Phase:
- In this phase the remediation action (e.g. revocation of access rights) is performed on the source application through the provisioning mechanism, manually or automatically.
- Remediation generally consists of sending email messages and creating work items for resource owners to take action.
- When a Revocation Period is enabled, IdentityIQ monitors the status of remediation requests; when it is not enabled, remediation requests are submitted for processing but are not tracked.
End Phase:
- The access review reaches its End phase when all phases configured for it have passed their end date or when all actions required for the process (as configured) are complete.
- If a certification has neither a Challenge Period nor a Revocation Period enabled, clicking Sign Off initiates the End phase.
- If a Revocation Period is enabled, the End phase starts only once all remediation requests have been completed or when the Revocation Period's end date passes.
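The phase rules above fit in a small state machine. The following Python is an added example written for this page, not SailPoint IdentityIQ code; the configuration flags, durations, item names and method names are assumptions chosen to mirror the Lifecycle page options described. It enforces that decisions are only taken during the Active phase (or on challenged items during the Challenge phase), that sign off requires every item to be decided, that nothing changes after sign off, and that the End phase is reached differently depending on whether a Revocation Period is enabled.

```python
"""Certification phases as a state machine: an added illustration, not SailPoint
IdentityIQ code. Flags, durations, item and method names are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class CertificationConfig:
    active_days: int = 14             # Active period duration (Lifecycle page)
    challenge_enabled: bool = False   # "Enable Challenge Period"
    challenge_days: int = 3
    revocation_enabled: bool = False  # "Enable Revocation Period"
    revocation_days: int = 7


@dataclass
class Certification:
    config: CertificationConfig
    items: dict                       # access-review item -> None, "Approve" or "Revoke"
    generated: date
    phase: str = "Generation"
    phase_ends: "date | None" = None
    challenged: set = field(default_factory=set)
    remediations: dict = field(default_factory=dict)  # revoked item -> "Open" or "Completed"

    def start(self):
        self.phase = "Active"
        self.phase_ends = self.generated + timedelta(days=self.config.active_days)
        return self.phase

    def decide(self, item, decision):
        # Decisions belong to the Active phase; afterwards only challenged items may be revisited.
        if not (self.phase == "Active" or (self.phase == "Challenge" and item in self.challenged)):
            raise RuntimeError(f"no decisions accepted during the {self.phase} phase")
        self.items[item] = decision

    def challenge(self, item):
        # The affected user may contest a revocation, but only while the Challenge period is open.
        if self.phase != "Challenge" or self.items.get(item) != "Revoke":
            raise RuntimeError("only revocations can be challenged, and only in the Challenge phase")
        self.challenged.add(item)

    def advance(self, today):
        """Time-driven transitions; run once a day, as a scheduled task would."""
        if self.phase == "Active" and today >= self.phase_ends:
            if self.config.challenge_enabled:
                self.phase = "Challenge"
                self.phase_ends = today + timedelta(days=self.config.challenge_days)
            else:
                self.phase, self.phase_ends = "SignOff", None
        elif self.phase == "Challenge" and today >= self.phase_ends:
            self.phase, self.phase_ends = "SignOff", None
        elif self.phase == "Remediation" and today >= self.phase_ends:
            self.phase = "End"        # period expired: unfinished requests stay "Open"
        return self.phase

    def sign_off(self, today):
        if self.phase != "SignOff":
            raise RuntimeError(f"cannot sign off during the {self.phase} phase")
        if any(d is None for d in self.items.values()):
            raise RuntimeError("every item needs a decision before sign off")
        # Each revocation becomes a remediation request handed to the provisioning mechanism.
        self.remediations = {i: "Open" for i, d in self.items.items() if d == "Revoke"}
        if self.config.revocation_enabled and self.remediations:
            self.phase = "Remediation"    # tracked until complete or the period ends
            self.phase_ends = today + timedelta(days=self.config.revocation_days)
        else:
            self.phase = "End"            # requests submitted but not tracked
        return self.phase

    def complete_remediation(self, item):
        self.remediations[item] = "Completed"
        if self.phase == "Remediation" and all(s == "Completed" for s in self.remediations.values()):
            self.phase = "End"
        return self.phase


def run_example():
    """One tracked certification (Challenge and Revocation periods on) and one untracked."""
    trace = []
    tracked = Certification(CertificationConfig(challenge_enabled=True, revocation_enabled=True),
                            {"alice:Domain Admins": None, "bob:VPN-Users": None}, date(2024, 1, 1))
    trace.append(tracked.start())
    tracked.decide("alice:Domain Admins", "Revoke")
    tracked.decide("bob:VPN-Users", "Approve")
    trace.append(tracked.advance(date(2024, 1, 10)))    # Active period still running
    trace.append(tracked.advance(date(2024, 1, 15)))    # Active over -> Challenge
    tracked.challenge("alice:Domain Admins")
    tracked.decide("alice:Domain Admins", "Revoke")     # reviewer upholds the revocation
    trace.append(tracked.advance(date(2024, 1, 18)))    # Challenge over -> SignOff
    trace.append(tracked.sign_off(date(2024, 1, 18)))   # Revocation period on -> Remediation
    trace.append(tracked.complete_remediation("alice:Domain Admins"))  # all done -> End
    untracked = Certification(CertificationConfig(), {"carol:AP_APPROVER": None}, date(2024, 1, 1))
    untracked.start()
    untracked.decide("carol:AP_APPROVER", "Revoke")
    untracked.advance(date(2024, 1, 15))                # no Challenge period -> SignOff
    trace.append(untracked.sign_off(date(2024, 1, 15))) # no Revocation period -> End
    return trace, tracked.remediations, untracked.remediations


if __name__ == "__main__":
    print(run_example())
```

The untracked run is the one to notice: without a Revocation Period the certification reaches End with carol's revocation still "Open", and nothing in the certification itself will ever tell you whether the access was actually removed. Enabling the Revocation Period, or reconciling the remediation requests against the next aggregation, closes that gap.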
Types of Certifications in SailPoint IdentityIQ
Certifications in SailPoint IdentityIQ can be divided into two categories: first on the basis of their “time period of execution” and second on the basis of their “functionality”.
Let's first discuss their classification on the basis of their “time period of execution”.
Certifications can be scheduled to run periodically or continuously. Continuous certifications focus on the frequency with which individual items need to be certified, while periodic certifications focus on the frequency with which the entire certification needs to be completed.
Certifications can also be configured to run based on events that occur during an identity's life cycle. For example, a certification can be generated automatically when an identity's manager changes, on any job change event, or even on the creation of a new identity.
Periodic Certification:
Periodic certifications are scheduled to run on a periodic basis: hourly, daily, weekly, monthly, quarterly or annually. These periodic access reviews provide a snapshot view of the identities, roles and account groups. Periodic certifications focus on the frequency with which entire entities (identities, roles, account groups) must be certified.
Periodic certifications require the certifier to sign off on a completed access review, that is, an access review in which all of the items (roles, entitlements, violations, account groups) have been acted upon, and to confirm those decisions.
Continuous Certification:
Continuous certifications focus on the frequency with which individual items (roles, entitlements, violations) contained within identity-type certifications need to be certified, and not on the frequency with which the entire certification needs to be performed. Continuous certifications do not use the sign off method.
Let's now look at their classification on the basis of their “functionality”.
• Manager Certifications — certify that your direct reports have the entitlements they need to do their job, and only the entitlements they need to do their job.
• Application Owner Certifications — certify that all identities accessing an application for which an Application Owner is responsible have the proper entitlements.
• Entitlement Owner Certifications — certify that all identities accessing entitlements for which an Entitlement Owner is responsible are correct.
• Advanced Certifications — certify that all identities included in the population associated with that Advanced Certification have the correct entitlements and roles.
• Account Group Certifications — certify that account groups for which an account owner is responsible have the proper permissions and group membership. Account groups that do not have owners assigned are certified by the owner of the application on which they reside.
• Role Certifications — certify that roles for which a role owner is responsible are composed of the proper roles and entitlements and that these roles are assigned to the correct identities.
• Identity Certifications — certify the entitlement information for the identities selected from the Identity Risk Score, Identity Search Results or Policy Violation pages, usually for at-risk users.
• Event-Based Certifications — certify the entitlement information for the identities selected based on events detected within IdentityIQ.
Thanks & Regards