
SailPoint IdentityIQ

Version 5.5

User’s Guide

© Copyright 2011 SailPoint Technologies, Inc., All Rights Reserved.
SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be
liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with
the furnishing, performance, or use of this material.
Restricted Rights Legend. All rights are reserved. No part of this document may be photocopied, reproduced, or
translated to another language without the prior written consent of SailPoint Technologies. The information contained
in this document is subject to change without notice.
Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii)
of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and
subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19
for other agencies.

Regulatory/Export Compliance. The export and reexport of this software is controlled for export purposes by the
U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and
foreign export laws and regulations as they relate to software and related documentation. Licensee will not export or
reexport outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party
and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a
party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism; a
party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the
U.S. Government's Entities List; a party prohibited from participation in export or reexport transactions by a U.S.
Government General Order; a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to
participate in transactions subject to U.S. jurisdiction; or any party that licensee knows or has reason to know has
violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure that each of its software
users complies with U.S. and foreign export laws and regulations as they relate to software and related
documentation.
Trademark Notices. Copyright © 2011 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint
logo, SailPoint IdentityIQ, and SailPoint Identity Analyzer are trademarks of SailPoint Technologies, Inc. and may
not be used without the prior express written permission of SailPoint Technologies, Inc. All other trademarks shown
herein are owned by the respective companies or persons indicated.

Table of Contents
Chapter 1 IdentityIQ Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Section 1: Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Certification / Access Review Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
My Access Reviews Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Access Review Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Access Review Details - Access Review Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Access Review Details - Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Access Review Details - Access Review List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Access Review Page - Decisions Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Identity - Type Access Review Decisions Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Entitlement Owner Access Review - Decision Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Account Group Access Review - Decision Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Role Composition Access Review - Decision Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Access Review Page - Recent Changes Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Access Review Details - Employee Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Access Review Page - Risk Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Access Review Details - Group Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

Chapter 3 How to Perform Access Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
How to Reassign Access Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
How to Approve Access Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
How to Delegate Access Review Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
How to Allow Exceptions on Access Review Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
How to Revoke or Edit Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
How to Revoke an Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
How to Handle a Challenged Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
How to Allow Policy Violations on an Access Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
How to Correct Policy Violations on an Access Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
How to Request Role Creation from Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
How to Complete Access Review Work Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
How to Complete Delegated Access Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
How to Complete Revocation Work Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
How to Complete Reassigned or Forwarded Access Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
How to Perform Multi-Level Sign Off on Access Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
How to Challenge a Revocation Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70

Chapter 4 Certification Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Define a Certification Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73

Chapter 5 Certifications Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Certifications Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Certification Schedules Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Schedule New Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Schedule a Manager Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
How to Schedule a Manager Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Schedule an Application Owner Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
How to Schedule an Application Owner Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Schedule an Entitlement Owner Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
How to Schedule an Entitlement Owner Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Schedule an Advanced Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
How to Schedule an Advanced Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Schedule a Role Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
How to Schedule a Role Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Schedule an Account Group Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
How to Schedule an Account Group Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Schedule an Identity Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
How to Schedule an Identity Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134

Section 2: Configuring IdentityIQ . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Chapter 6 Configuring IdentityIQ Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Chapter 7 Configure Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Application Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Application Configuration Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Activity Data Source Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
JDBC Collector Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Windows Event Log Collector Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Log File Collector Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
RACF Audit Log Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Connector Attribute Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Active Directory Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
ALES Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Logical Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Delimited File Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Google Apps Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
IBM Lotus Domino Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
IBM Tivoli Directory Server Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
IBM Tivoli Identity Manager Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
JDBC Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
LDAP Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
LDIF Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Mainframe Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Microsoft SharePoint® Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Microsoft SQL Server® 2005 & 2008 Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Novell Identity Manager Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
PeopleSoft Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Oracle Database Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
RACF Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Rule Based Logical Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
SAP Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
SAP HR/HCM Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
SAP Portal - User Management Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Salesforce Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Sun IDM Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Top Secret Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
UNIX Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Windows Local Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

Chapter 8 Role Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Role Viewer Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Role Editor Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Role Editor - Archived Role Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Role Editor - Edit Entitlement Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Role Editor - Provisioning Policy Editor Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Role Search Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Role Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Entitlement Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Role Mining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
IT Role Mining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Business Role Mining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Role Mining Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
IT Role Mining Results Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Business Role Mining Results Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Working with the Role Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
How to Create or Edit a Role From the Role Management Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
How to Create a Role From a Role Creation Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
How to Create or Edit a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
How to Approve Role Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
How to Perform Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278

Chapter 9 Group and Population Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Group Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Edit Group Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Populations Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Edit Population Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Account Groups Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Edit Account Groups Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Workgroups Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Edit Workgroups Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287

Chapter 10 Configure Activity Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Activity Target Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Add Targets to Activity Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291

Chapter 11 Define Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Edit Policy Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Edit SOD Rule Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Edit Activity Rule Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Edit Advanced Policy Rule Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
How to Create or Edit a Separation of Duty Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
How to Create or Edit an Activity Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
How to Create or Edit an Advanced Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302

Chapter 12 Configure Risk Scoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Identity Risk Score Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Baseline Access Risk Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Composite Scoring Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Application Risk Score Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309

Chapter 13 Business Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Process Details Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Process Variables Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Process Designer Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Business Process Management - Add or Edit a Step . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Business Process Management - Add or Edit an Approval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Business Process Management - Add or Edit a Transition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
Process Metrics Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Monitor Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318

Chapter 14 System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
IdentityIQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
IdentityIQ Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Login Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Identity Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Account Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Account Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Application Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
Role Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Time Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Audit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Import From File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Compliance Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349

Section 3: Using IdentityIQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Chapter 15 Using IdentityIQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Chapter 16 IdentityIQ Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Inbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Outbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Application Access Review Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Application Risk Score Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Application Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Access Review Completion Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Access Review Completion Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Certification Decision Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Access Review Owner Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Access Review Owner Status By Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
Group Access Review Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
My Access Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
Online Tutorials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Policy Violations Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Policy Violation Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Risk Score Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Signoff Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
How to Edit the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
How to Edit Your User Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367
View Work Item Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368

Chapter 17 IdentityIQ Identity Cube Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Identities Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
View Identity Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
View Identity Attributes Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
View Identity Entitlements Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
View Identity Application Accounts Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
View Identity Policy Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
View Identity History Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
View Identity Risk Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
View Identity Activity Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
View Identity User Rights Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
View Identity Events Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Manual Correlation of Identity Cubes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
How to Perform Manual Identity Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395

Chapter 18 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Tasks Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Predefined Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Working with Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
How to Create a New Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
How to Edit a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
How to Schedule a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Working with Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
How to Edit a Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Task Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Task Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Account Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Account Group Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Activity Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Continuous Certification Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Data Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Entitlement Role Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
ITIM Application Creator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Identity Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Missing Managed Entitlements Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
Novell Active Directory Group Entitlement Mapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
Novell Application Creator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
Policy Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Refresh Logical Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Role Index Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Sequential Task Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Target Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
How to Complete Task Work Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422

Chapter 19 Advanced Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Identity Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
Advanced Identity Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Identity Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .430
Access Review Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Access Review Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Role Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Role Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Account Group Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Account Group Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
Activity Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440
Activity Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Audit Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .443

Audit Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Process Metrics Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Process Metrics Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Chapter 20 Manage Work Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Work Item Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
How to Assign Work Items from the Work Items Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450
Work Item Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451

Chapter 21 Policy Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Violation Decisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454
How to Complete Policy Violation Work Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455

Chapter 22 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
My Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
Scheduled Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Working with Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Report Results Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Working with Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461
How to Create a New Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
How to Edit a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
How to Schedule a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
How to Complete Report Work Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
Report List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
Standard Report Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Access Review and Certification Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Role Access Review Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Manager Access Review Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469
Access Review Signoff Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470
Access Review Decision Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .471
Certification Activity by Application Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Application Owner Access Review Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Entitlement Owner Access Review Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474
Advanced Access Review Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475
Account Group Access Review Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476
Account Group Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
Account Group Membership Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
User Activity Detailed Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
User Activity Archive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Administration Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Work Item Detail Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Work Item Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Revocation Archive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484
Revocation Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .485
Mitigation Detailed Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
Mitigation Archive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .487
Blank Managed Entitlement Description Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
Configured Resource Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Application Delimited File Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Configured Applications Detail Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Configured Applications Archive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .490

Identity and User Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
Account Attributes Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
Authentication Question Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493
Identity Cube Summary Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
User Detail Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
Identity Effective Access Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497
Users by Application Detail Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .498
Users by Application Archive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
User Detail Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
User Forwarding Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
Uncorrelated User Accounts Detail Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Uncorrelated User Accounts Archive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .504
Privileged User Access Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .504
Application Accounts by Attribute Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .505
Application Account Exception Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Policy Enforcement Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Policy Violation Detail Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Policy Violation Archive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .508
Risk Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509
Risky Accounts by Application Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509
Identity Risk Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .510
Applications Risk Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .511
Role Management Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Role Membership Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
Role Detail Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .514
Role Composition Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .515
Role Change Management Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .516
Role Archive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .517
Identity Role Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518

Chapter 23 Managing Application and Identity Risk Scores . . . . . . . . . . . . . . . . . . . . . . 521
Identity Risk Scores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .521
Application Risk Scores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .522

Section 4: Lifecycle Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Chapter 24 Lifecycle Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Manage Lifecycle Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
Select Identities Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
Request Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
Request Entitlements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Manage Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533
Manage Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533
Create Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Edit Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
View Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535
Access Request Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535
Access Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536

Chapter 25 Lifecycle Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Define a Lifecycle Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539

Chapter 26 Lifecycle Manager Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Account Request Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .541
Create Identity Request Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .542
Edit Identity Request Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543
Entitlement Request Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545
Password Management Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
Role Request Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .547

Chapter 27 Lifecycle Manager Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Lifecycle Manager Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .549
Lifecycle Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .549
Business Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Additional Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Identity Provisioning Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .557

Section 5: Appendixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561

IdentityIQ Introduction
SailPoint IdentityIQ is a business-oriented identity governance solution that delivers risk-aware
compliance management, adaptive role management, access request management and identity
intelligence. Some of the world’s largest organizations are using IdentityIQ to improve security,
minimize risk and streamline their compliance efforts.
IdentityIQ Compliance Manager streamlines complex compliance processes for greater efficiency,
effectiveness and lower costs. Its integrated risk model provides the contextual framework that enables
organizations to prioritize compliance activities and focus controls on the users, resources and access
privileges that represent the greatest potential risk to the business.
IdentityIQ Role Manager aligns user access privileges with job functions, ensuring conformance to
business and regulatory policies. Using a flexible role mining and modeling approach, IdentityIQ
automates the process of role discovery and definition, and its adaptive architecture makes it easy to
create a role model that matches any organization’s desired role structure.
IdentityIQ minimizes the access burden placed on IT staff by empowering end users across the
organization to request and manage their own access. Through automation and policy checking, the
entire access request process is streamlined and more accurate. And, by managing it through IdentityIQ,
the entire access request and change process is documented, providing auditable reports as needed.
Organizations strive for better visibility into potential risk factors across their business. With Identity
Intelligence from IdentityIQ, organizations can transform technical identity data scattered across
multiple enterprise systems into centralized, easily understood and business-relevant information. The
visibility and insights offered by IdentityIQ through dashboards, risk metrics and reporting provide a
clear understanding of identity and access information and help to proactively manage and focus
compliance efforts strategically across even the most complex enterprise environments.
Go to www.sailpoint.com to see all that SailPoint Technologies has to offer.

IdentityIQ User’s Guide


Section I: Certification

This section contains information on the following:
• Certification / Access Review Overview on page 3 — view the access reviews assigned to you.
• My Access Reviews Page on page 9 — view the access reviews assigned to you.
• Access Review Details on page 11 — view detailed access review information and take the required actions.
• How to Perform Access Reviews on page 47 — detailed instructions on how to complete a certification request.
• Certification Events on page 73 — define certification events.
• Schedule New Certification on page 86 — schedule certifications.

Chapter 1: Certification / Access Review Overview

IdentityIQ enables you to automate the review and approval of identity access privileges by collecting fine-grained access (or entitlement) data and formatting the information into reports, which are routed to the appropriate reviewers as access reviews. Each report is annotated with descriptive business language — highlighting changes, flagging anomalies and calling out violations where they appear. These reports enable reviewers to approve access for identities, account group permissions and membership, and role composition and membership, or take corrective actions (such as revoking entitlements that violate policy). Reviewers can also forward, reassign, or delegate all or part of an access review to another reviewer. System Administrators and Certification Administrators can take action on all access review items whether they own them or not.

IdentityIQ can be configured to integrate with provisioning providers to automate access management for your implementation. Provisioning providers can be configured to communicate user and account information and automatically add or revoke access. These include, but are not limited to, the following:
• IBM Tivoli Identity Manager
• IBM Tivoli Directory Integrator
• Novell Identity Manager
• Oracle Identity Manager
• Sun Identity Manager
• BMC Enterprise Security Station
• BMC Remedy Action Request System

Certain access reviews also enable certifiers to request the creation of new roles. Use the create new role feature to create roles based on trends found during access reviews. For example, if there are five (5) entitlements that appear in the Additional Entitlements list for every identity in an access review, the combination of those entitlements might define a function of that population. Use the Create New Role button to define a role around that job function, and, in the future, you can certify that single role instead of the five (5) additional entitlements. Roles requested from access reviews use the same analysis and approval business processes as those created in the Role Manager.

Certifications are comprised of multiple access reviews. For example, a Manager Certification is scheduled which contains individual access reviews for which approvers must take action. Certifications can be scheduled to run periodically or continuously. Continuous certifications focus on the frequency with which individual items need to be certified, while periodic certifications focus on the frequency with which the entire certification needs to be completed. One-off access reviews can be created from the Identity Risk Score, Identity Search Results, or Policy Violation pages. These one-off access reviews can be created for one or more identities and are most often used in special situations, such as when an access review is required outside of the normal access review cycle.

Periodic Certification: Periodic certifications are scheduled to run on a periodic basis: hourly, daily, weekly, monthly, quarterly, and annually. These periodic access reviews provide a snapshot view of the identities, roles, and account groups within your enterprise. Periodic certifications focus on the frequency with which entire entities (identities, roles, account groups) must be certified. Periodic certifications require the certifier to sign off on a completed access review, an access review in which all of the items (roles, entitlements, violations, account groups) have been acted upon, and to confirm those decisions. Periodic certifications can also be created using a multi-level sign-off structure, enabling access reviews to be reviewed by multiple certifiers before they are considered complete. For example, a certification might be created for the direct reports of a business manager who knows his employees, but might not be familiar with the accounts and permissions on each application to which they have access. When the business manager makes his decisions and signs off on the access review, it could be forwarded to the owner of an application to which the employees have access so they can review the decisions and make changes if necessary.

Certifications can also be configured to run based on events that occur within IdentityIQ. For example, IdentityIQ might be configured to automatically generate a certification when an identity's manager changes. The events that trigger the certifications are configurable to meet the needs of your enterprise.

Continuous Certification: Continuous certifications focus on the frequency with which individual items (roles, entitlements, violations) contained within identity-type certifications need to be certified, and not on the frequency with which the entire certification needs to be performed. This differs from periodic certifications in that periodic certifications focus on the frequency with which the entire certification must be performed and not on the frequency with which the components of which it is comprised need to be certified. For example, an identity might be assigned accounts on three different applications at different times during their employment within your enterprise. Each of those accounts might require an access review on a quarterly basis. Continuous certification tracks each of those accounts individually and generates an “access review required” notice for each item as its specific access review becomes due. Continuous certifications do not use the sign-off method to track the state of the components of which they are comprised. Continuous certifications track the status of each item using certification reports and tasks. Each item in a continuous certification progresses through three stages: certified, certification required, and certification overdue. The duration of each stage, and the notifications and escalations associated with each, are defined when the certification is scheduled. When an item enters the certification required stage, a notification is sent to the certifier and a work item is sent to their inbox.

The information within continuous certifications is updated on a regular basis using the Refresh Continuous Certifications task. This ensures that when anything associated with the certification changes, the certification information is updated. For example, if an identity is assigned a new role, the task will add that role to the continuous certification. Items are added to a continuous certification by the Refresh Continuous Certifications task in the certification required state to ensure that they are certified immediately. In the same way, if an employee leaves the company and they are marked as inactive, the Refresh Continuous Certifications task will remove them from the certification.

The phases associated with each certification are determined when the certification is scheduled. You can sign off on a periodic certification in the challenge phase only if all challenges have been completed and no open decision remain on the access review. and Revocation. Email notifications sent to non-IdentityIQ users contain a link to an end user portal which enables them to enter a revocation challenge as if they were logged into the product. You can sign off on a periodic certification in the active stage only if no roles or entitlements were revoked or if the challenge period is not active. Active. • Identity Certifications — certify the entitlement information for the identities selected from the Identity Risk Score. • Account Group Certifications — certify that account groups for which you are responsible have the proper permissions and group membership. • Challenge — the challenge phase is the period during which all revocation requests can be challenged by the user from which the role. When you sign off on an access review IdentityIQ User’s Guide 7 . During this phase changes can be made to decisions as frequently as required. The affected user has the duration of the challenge period to accept the loss of access or challenge that decision. not based on sign-off status. • Event-Based Certifications — certify the entitlement information for the identities selected based on events detected within IdentityIQ.Certification Types: IdentityIQ provides the following certification types: • Manager Certifications — certify that your direct reports have the entitlements they need to do their job and only the entitlements they need to do their job. Identity Search Results. When you sign off on a periodic certification it enters either the end phase or the revocation phase. Certifications progress through phases as they move through their life-cycle. Account groups that do not have owners assigned are certified by the owner of the application on which they reside. 
or Policy Violation pages. usually for at risk users. Challenge. • Role Certifications — certify that roles for which you are responsible are composed of the proper roles and entitlements and that these roles are assigned to the correct identities. Note: Continuous certification items move through these phases based on when decision are saved. The notifications contain the details of the revocation request and any comments added by the requestor. When the challenge phase begins. entitlements. • Entitlement Owner Certifications — certify that all identities accessing entitlements for which you are responsible are correct. • Active — the active phase is the review period during which all decision required within this access review should be made. See How to Challenge a Revocation Request on page 70. • Application Owner Certifications — certify that all identities accessing applications for which you are responsible have the proper entitlements. a work item and email is sent to each user in the access review affected by a revocation decision. To enter the revocation phase. or account group access are being removed. Continuous certification items enter the next phase when a decision is saved. • Advanced Certifications — certify that all identities included in the population associated with that Advanced Certification have the correct entitlements and roles. the revocation period must be active and a revocation decision exist.

This section contains information on the following: • My Access Reviews Page — view the access reviews assigned to you. To forward an access review request to a different IdentityIQ user or workgroup with access review authority. The layout of the access review pages can be customized during the configuration of IdentityIQ. My Access Reviews Page Use your Access Review page to view the list of access reviews assigned to you. or mouse over the tab and select My Access Reviews to display this page. revocation is done automatically. To work with your access reviews. when a revocation request is saved in a continuous certification. Revocation requests that are not acted upon during the revocation phase can be escalated as required. • Access Review Details — view detailed access review information and take the required actions. • Certification Events — define certification events. Click on an access review in the list to display the Access Review Details page. Revocation completion status is update at an interval specified during the deployment of IdentityIQ. The revocation phase is entered when a periodic certification is signed off on.My Access Reviews Page it enters either the end phase or the revocation phase. or manually using a work request assigned to a IdentityIQ user. Click on the Manage tab. • Revocation — the revocation phase is the period during which all revocation work should be completed. if your provisioning provider is configured for automatic revocation. See Access Review Details on page 11. see How to Perform Access Reviews on page 47. Your My Access Review page contains the following information: 8 IdentityIQ User’s Guide . the revocation period must be active and a revocation decision exist. • Complete Access Review — detailed instructions on how to complete a certification request. by generating a help ticket. Click Details to view detailed revocation information. See Access Review Details on page 11. 
the function of the product should not be affected. Owner history and all comments are maintained with forwarded work items on the View Work Item page. While the organization of the pages might vary from the descriptions in this documentation. A user cannot take action on themselves unless enabled during configuration. if your implementation is configured to work with a help desk solution. See Certification Events on page 73. By default this is performed daily. See How to Perform Access Reviews on page 47. When the revocation phase is entered. When you forward an access review it is removed from your My Access Review page and does not show up on your risk score statistics. To enter the revocation phase. • Certification Schedules — schedule certifications. Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. See Schedule New Certification on page 86. or when the active and challenge phases have ended. right-click on an access review in the list and select Forward. See My Access Reviews Page on page 9.

Table 1—My Access Review Page Table Descriptions
Description — The type of access review and a modifier indicating to whom or what it applies.
Phase — The current phase of the access review process:
Active – The time period in which the certifier should make all decisions required to complete the access review.
Challenge – The time period in which decisions to revoke roles or entitlements can be challenged by the affected user.
Revocation – The time period in which all revocation work should be completed for roles or entitlements that were revoked.
End – The access review is complete.
Note: The challenge and revocation phases are only active if those functions were activated when the access review request was scheduled.
Phase End — The date and time at which the current phase ends and the next begins. The length of each phase is specified when the access review request is scheduled. For continuous access reviews this field displays N/A.
Due — The expiration date for this access review request, or the date and time at which it was signed off on. The expiration date for an access review is the duration of the active phase plus the duration of the challenge phase, if the challenge function is active. The due date is the date around which the reminder and escalation rules are set. If an expiration date is not set, this field is marked N/A until the access review is signed off on. Continuous access reviews always display N/A.
Requested By — The user name of the person requesting the access review.
Create Date — The date on which the access review was requested.
Percentage Complete — The percentage of the access review completed. For example, 46% (6 of 13) means you have certified 6 of the 13 users on the list, or 46% of the total number.
Tags — Tags are used to classify access reviews for searching and reporting. Tags are assigned when access reviews are scheduled. If tags were not assigned for any access review assigned to you, this column does not display in the table. If tags were not assigned at the time a particular access review was created, this column is empty for that row.

Access Review Details
Use the Access Review Details page to work with and complete access review requests. The information displayed on this page depends on the access review type and the default settings of your implementation of IdentityIQ.
Note: The Access Review Details page displays slightly different information for each access review type. Continuous certifications do not display a due date because that information does not apply to them.

On the worksheet view, the worksheet displays the individual line items that are assigned to the identities within identity-type access reviews. Identity-type access reviews are Manager, Application Owner, Entitlement Owner, Advanced, Identity, and Role Membership certifications. Only top-level roles are displayed as line items. For example, if a role contains required or permitted roles, those roles are certified as part of the top-level role, in the same way that the entitlements which make up a role are certified with the role.

The Access Review Details page is comprised of the following sections:
• Access Review Information – Displays the administrative and statistical information for the access review. See Access Review Details - Access Review Information on page 13.
• Filter – Enables you to filter the information displayed on the page. See Access Review Details - Filter on page 17.
• Access Review list – Displays the list of items that must be certified before this access review is complete. This list might contain entitlements, roles, account groups, or identities, depending on the access review type and the default settings of IdentityIQ. Click on an item to display the Access Review Details page containing detailed information about that item. See Access Review Page - Identity List on page 23.
The following sections are displayed by clicking an item in the access review list:
• Decisions tab – Enables you to view detailed information about the item selected from the access review list. See Access Review Page - Decisions Tab on page 29.
• Recent Changes – (Not available on Account Group or Role Access Reviews) lists any modifications since the last access review was performed. See Access Review Details - Recent Changes Tab on page 47.
• Employee Data – (Not available on Account Group or Role Access Reviews) lists detailed information about the identity. See Access Review Details - Employee Data on page 51.
• Group Information – (Only available on Account Group Access Reviews) lists the attributes for the account group being certified and a full list of the permissions and entitlements associated with that account group on the specified application. See Access Review Details - Group Information on page 53.
• Risk Data – Enables you to view detailed risk information for each category included in the access review. See Access Review Details - Risk Data on page 55.
To work with your access review, see How to Perform Access Reviews on page 47.

Access Review Details - Access Review Information
This section provides information on the access review type, owner, creation date, due date, status, and the current phase of the access review.
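The phase and sign-off rules above, the Due column's expiration computation (active duration plus challenge duration), and the three continuous-certification stages are easiest to check against a small executable model. The following Python is an added example written for this page; it is not IdentityIQ code and does not reflect how the product implements these rules internally. The class and field names, the day-based durations, the dates, and the item name "Finance Approver" are this example's own assumptions; the rule that a review whose revocation period is not active ends once its phases expire is also an assumption made to close the state machine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Periodic certification phases and continuous certification item stages.
ACTIVE, CHALLENGE, REVOCATION, END = "Active", "Challenge", "Revocation", "End"
CERTIFIED, REQUIRED, OVERDUE = ("Certified", "Certification Required",
                                "Certification Overdue")


@dataclass
class PeriodicCertification:
    """A periodic access review with the phase durations chosen when it was
    scheduled. Durations in days are constructed assumptions for this example."""
    created: datetime
    active_days: int
    challenge_days: int = 0      # 0 means the challenge function was not activated
    revocation_days: int = 0     # 0 means the revocation period was not activated
    phase: str = ACTIVE
    open_items: int = 0          # items not yet in a complete state
    revocations: int = 0         # revoke decisions saved on this review
    open_challenges: int = 0     # challenges the certifier has not yet acted upon

    def due_date(self) -> datetime:
        """Due column: duration of the active phase plus the challenge phase
        (the challenge term is zero when the challenge function is off)."""
        return self.created + timedelta(days=self.active_days + self.challenge_days)

    def can_sign_off(self) -> bool:
        """Sign-off rules for the Active and Challenge phases."""
        if self.open_items:              # every item must be acted upon first
            return False
        if self.phase == ACTIVE:
            # Active: only if nothing was revoked or there is no challenge period.
            return self.revocations == 0 or self.challenge_days == 0
        if self.phase == CHALLENGE:
            # Challenge: only once every challenge has been handled.
            return self.open_challenges == 0
        return False                     # Revocation/End: already signed off

    def sign_off(self) -> str:
        """Sign-off enters Revocation only if the revocation period is active
        and a revocation decision exists; otherwise the review ends."""
        if not self.can_sign_off():
            raise ValueError(f"cannot sign off in the {self.phase} phase")
        self.phase = REVOCATION if (self.revocation_days and self.revocations) else END
        return self.phase

    def advance_clock(self, now: datetime) -> str:
        """Time-driven transitions: Active -> Challenge when the active period ends,
        then Revocation (or End, an assumption) once active and challenge have ended."""
        if self.phase in (ACTIVE, CHALLENGE):
            if now >= self.due_date():
                self.phase = REVOCATION if (self.revocation_days and self.revocations) else END
            elif (self.phase == ACTIVE and self.challenge_days
                  and now >= self.created + timedelta(days=self.active_days)):
                self.phase = CHALLENGE
        return self.phase


@dataclass
class ContinuousItem:
    """One item (role, entitlement, violation) tracked by a continuous certification."""
    name: str
    added: datetime                 # when the Refresh Continuous Certifications task added it
    certified_days: int             # stage durations defined when the certification was scheduled
    required_days: int
    last_certified: Optional[datetime] = None   # None: never certified yet

    def _required_start(self) -> datetime:
        # New items enter Certification Required immediately so they are certified
        # at once; otherwise the stage begins when the certified period expires.
        if self.last_certified is None:
            return self.added
        return self.last_certified + timedelta(days=self.certified_days)

    def stage(self, now: datetime) -> str:
        start = self._required_start()
        if self.last_certified is not None and now < start:
            return CERTIFIED
        if now < start + timedelta(days=self.required_days):
            return REQUIRED
        return OVERDUE

    def next_change(self, now: datetime) -> Optional[datetime]:
        """Next Continuous Change: the date the item moves to its next stage."""
        current = self.stage(now)
        if current == CERTIFIED:
            return self._required_start()
        if current == REQUIRED:
            return self._required_start() + timedelta(days=self.required_days)
        return None                 # overdue until a certifier acts on it


if __name__ == "__main__":
    review = PeriodicCertification(datetime(2011, 1, 1), 30, 7, 14, revocations=2)
    print(review.due_date(), review.can_sign_off())            # 2011-02-07, False
    review.advance_clock(datetime(2011, 2, 1))                  # now in Challenge
    print(review.sign_off())                                    # Revocation
    item = ContinuousItem("Finance Approver", datetime(2011, 1, 1), 90, 14)
    print(item.stage(datetime(2011, 1, 5)), item.next_change(datetime(2011, 1, 5)))
```

The model makes the two non-obvious rules explicit: a review with saved revocations cannot be signed off in the Active phase while a challenge period exists, because the affected users have not yet had their chance to challenge, and signing off never enters the Revocation phase unless both the revocation period is active and at least one revoke decision was saved.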

On the list views, the status panel displays information about the current status of the access review. The status bar reflects the percentage of items in the access review that are in the complete state. The number to the right of the status bar shows the number of items completed compared to the total number in the access review. For example, if an identity has multiple roles or additional entitlements, the identity is not considered complete in the review until each role and additional entitlement is acted upon.

For periodic, or non-continuous, certifications (for example Identity, Account Group, or Role certifications), when all items and subordinate access reviews have been acted upon and are in a complete state, a completion notice is displayed in the Access Review Information panel. You must click Sign Off and verify the certification completion on the Sign Off on Access Review dialog before an access review is recognized as complete by IdentityIQ.
Note: For continuous certifications you never sign off on the certification. Continuous certifications provide a summary section that details the duration of each continuous certification stage: certified, certification required, and certification overdue. For continuous certifications, an item is not complete until all of its access decisions are acted upon.

The current phase shows the phase of the access review at this time and the date on which this phase ends. During the revocation phase, the current phase section also displays the Revocation Completion status bar. The status bar reflects the percentage of revocation requests completed for this access review, and the number to the right of the bar shows the number completed compared to the total number requested. When specified, items are removed from the revocation completion status information when the revocation is complete. The revocation completion status is updated at an interval specified during the deployment of IdentityIQ; by default this is performed daily. Click Details to view the Revocation Details Panel on page 12.

Tags are used to classify certifications for searching and reporting purposes. The tags listed are any tags assigned to the certification when it was scheduled. See Schedule New Certification on page 86.

The Status Panel also contains information on subordinate access reviews that exist as part of this access review. Examples of subordinate access reviews include any groups of identities that you reassign, or any lower-level manager access reviews. Lower-level manager access reviews can be created when Manager Certifications are scheduled and might be required as part of that process. Depending on how this certification was scheduled, you might not be able to sign off on an access review until all subordinate reviews are complete. Subordinate access reviews are not displayed as part of the access review list and are not reflected in the completion status for this access review. An expandable label, Access Reviews, is displayed with the Access Review Decision page if subordinate access reviews exist. Click Access Reviews in the status panel to see the subordinate reviews associated with the one displayed. Click a subordinate access review to display its Access Review Decision page. See Subordinate Access Reviews on page 11.

Subordinate Access Reviews
Subordinate access reviews are any access reviews that must be completed before the top-level certification can be considered complete. Subordinate access reviews must be in a complete state before the top-level certification can be signed off. Click Access Reviews to expand a table containing the following information:

Table 2—Certification Report - Subordinate Certification Descriptions
Name — The name and descriptive information about the top-level certification.
Owner — The current owner of the subordinate access review request.
Completed — The number of subordinate items that are in the completed state.
Open — The number of subordinate items that are still in the open state.
Delegated — The number of subordinate items that were delegated by the current owner to different users.
Percent Complete — The percentage of the subordinate access review that has been acted upon and is in a complete state.
Action — Click an icon to specify an action to be taken on the subordinate certification:
Email — generate an email to send to the owner of the original access review.
Forward — forward the subordinate access review to a different, qualified certifier.
Return — return the subordinate access review items to the review from which they were generated and delete the subordinate access review.

Revocation Details Panel
The revocation details panel contains detailed information on each revocation request contained in the certification in which you are working. The revocation details panel contains the following information:

Table 3—Revocation Details Panel Description
Status — The status of the revocation request.
Type — The type of revocation expected, either automatic or work item.
Recipient — The recipient of the revocation request.
Requestor — The certifier that started the revocation process for the specified item.
Target — The entity from which the item is being revoked.
Revoked — The account, role, entitlement, etc. being revoked from the entity.
Expiration — The end date for the revocation period, specified when the certification schedule was created.
Details — Detailed information about the revocation request, including the item being removed and the user to whom it is assigned.

Access Review Details - Filter
The Access Review Details filter enables you to control the number of items displayed in the access review list. You can use any combination of filters. Define a filter and click Filter to update the access review list. Click Reset to repopulate the list with all items included in this access review request. The following filters are available:

Table 4—Access Review Details - Filters
Status — Filter by access review status. Only one status can be specified per filter.
Note: Some status options are dependent on IdentityIQ configuration settings and might not be available in all access reviews.
Open — action is required on this item before this access review request is considered complete.
Completed — access review of this item is complete. Requesting revocation moves the state to complete as well.
Delegated — access review for the item has been delegated to another approver, and that approver has not yet taken action on the delegated access review request.
— OR —
One or more entitlements or policy violations belonging to the identity have been delegated to another approver.
Waiting Review — action was taken on a delegated access review request and that action is now awaiting your review.
Returned — the access review request for this item was delegated and returned with no action being taken.
Challenged — a revocation request was challenged by the affected user, and that challenge must be acted upon before the item is complete.
Changes Detected — Note: This option is not available on account group or role access review types.
Yes — show only those identities with identity or entitlement information that has changed since the last access review.
No — show only those identities with identity and entitlement information that has not changed since the last access review.
Add Filter — Display additional filter options.
Note: Some options are dependent on the access review type and IdentityIQ configuration settings and might not be available in all access reviews.
Select a filter from the Filter by: drop-down list and a value to associate with that filter from the drop-down list to the right. The value field contains all the valid options for the filter selected. Filters of different types are combined with AND: only items matching all of the criteria specified are displayed in the list. For example, if you filter by First Name John and Last Name Doe, only identities with the name John Doe are included in the list. If you specify multiple filters of the same type, for example First Name John and First Name Joe, filters of the same type are combined with OR and both values are returned.
Identity Properties: Identity properties are defined during system configuration.
First Name — returns all identities with the first name selected.
Last Name — returns all identities with the last name selected.
Location — returns all identities with the location value selected.
Organization — returns all identities with the organization value selected.
Risk Score — returns all identities with at least the minimum risk score value specified.
Role — returns all identities that have the entitlements that make up the Role specified.
Account Properties: Account properties are defined during system configuration and might be any account attribute from any application configured to work with IdentityIQ.
Access Review Properties:
Additional Entitlements Detected — select yes or no to return all identities that have, or do not have, additional entitlements.
Policy Violations Detected — select yes or no to return all identities that have, or do not have, policy violations detected.
Continuous State — returns items in the state specified: access review required, certified, or overdue.
Next Continuous Change — returns items that will change state on, before, or after the specified date.
Item Type — returns items of the type selected, for example policy violations or additional entitlements.
Additional Entitlements: The Additional Entitlements list contains all of the applications containing additional entitlements assigned to identities in the access review. Specify an application and use the drop-down list to the right to select the specific entitlement and value of interest.
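The combination rule in the Add Filter row (same-type filters ORed, different types ANDed) is the kind of detail a reviewer gets wrong when narrowing a large access review, because an AND between two first names silently returns nothing. The Python below is an added example for this page, not IdentityIQ code or its query API; the three sample items, the field names, and the tuple encoding of filters are constructed for the illustration. It goes slightly beyond the table by also implementing the minimum-risk-score and before/on/after date comparisons the Risk Score and Next Continuous Change filters describe.

```python
from collections import defaultdict
from datetime import date
from typing import Any, Dict, List, Tuple

# Constructed sample items from an imaginary identity-type access review.
# Field names are this example's own, not IdentityIQ attribute names.
ITEMS: List[Dict[str, Any]] = [
    {"first_name": "John", "last_name": "Doe", "location": "Austin", "risk_score": 420,
     "item_type": "Role", "continuous_state": "certified",
     "next_change": date(2011, 4, 10), "policy_violations": False},
    {"first_name": "John", "last_name": "Smith", "location": "Austin", "risk_score": 810,
     "item_type": "Additional Entitlement", "continuous_state": "access review required",
     "next_change": date(2011, 1, 15), "policy_violations": True},
    {"first_name": "Joe", "last_name": "Doe", "location": "Dallas", "risk_score": 150,
     "item_type": "Policy Violation", "continuous_state": "overdue",
     "next_change": None, "policy_violations": True},
]

Filter = Tuple[str, Any]   # (filter type, value), e.g. ("first_name", "John")


def matches(item: Dict[str, Any], ftype: str, value: Any) -> bool:
    """Does a single item satisfy a single filter of the given type?"""
    if ftype == "risk_score":
        return item["risk_score"] >= value          # Risk Score is a minimum
    if ftype == "next_change":
        op, when = value                            # ("before" | "on" | "after", date)
        d = item["next_change"]
        if d is None:
            return False                            # overdue items have no next change
        return {"before": d < when, "on": d == when, "after": d > when}[op]
    return item[ftype] == value                     # exact match for everything else


def apply_filters(items: List[Dict[str, Any]], filters: List[Filter]) -> List[Dict[str, Any]]:
    """Filters of the same type are ORed together; different types are ANDed."""
    by_type: Dict[str, List[Any]] = defaultdict(list)
    for ftype, value in filters:
        by_type[ftype].append(value)
    return [it for it in items
            if all(any(matches(it, ftype, v) for v in values)
                   for ftype, values in by_type.items())]


def filter_names(filters: List[Filter], items: List[Dict[str, Any]] = ITEMS) -> List[str]:
    """Convenience wrapper returning 'First Last' for each item that passes the filters."""
    return [f"{it['first_name']} {it['last_name']}" for it in apply_filters(items, filters)]


if __name__ == "__main__":
    print(filter_names([("first_name", "John"), ("last_name", "Doe")]))   # John Doe only
    print(filter_names([("first_name", "John"), ("first_name", "Joe")]))  # all three
    print(filter_names([("risk_score", 400), ("location", "Austin")]))
```

Grouping the filters by type first is what produces the documented semantics: `any(...)` over the values of one type gives the OR, and `all(...)` across the types gives the AND, so an empty filter list returns every item, matching the behaviour of Reset.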

Access Review Details - Access Review List
The information displayed in the access review list depends on the type of access review you are working with and the configuration of your implementation of IdentityIQ. Go to the appropriate section for documentation on the different views.
• Worksheet view – Used for identity-type access reviews. This view displays a flattened list of all of the individual entitlements, roles, and policy violations that you must act on as part of this access review. By default, these items are grouped by the identity with which they are associated. See Access Review Details - Worksheet on page 16.
• Identity List view – Used for identity-type access reviews. This view displays a flattened list of all identities that contain roles, entitlements, and policy violations that you must act on as part of this access review. See Access Review Details - Identity List on page 20.
• Account Group List view – Used for account group access reviews. This view displays a flattened list of all of the account groups that you must act on before you can sign off on this access review. See Access Review Details - Account Group List on page 22.
• Role Composition List view – Used for role composition access reviews. This view displays a flattened list of all the roles that you must act on before you can sign off on this access review. See Access Review Details - Role List on page 23.

Note: If you are performing an Application Owner access review, only information pertaining to the applications included in the access review is displayed for each identity in the list.
Note: If you are performing a Role Membership access review, only information pertaining to the roles included in the access review is displayed for each identity in the list.

The access review lists might also contain informational messages or icons for the items displayed. For example, all items for which exceptions were allowed are highlighted with an icon and a message showing the date on which the exception expires, all roles that were added but for which required roles are missing are flagged, and all privileged users might display a red "P."

Access Review Details - Worksheet
The worksheet displays the individual line items that are assigned to the identities within identity-type access reviews. Identity-type access reviews are Manager, Application Owner, Entitlement Owner, Advanced, Identity, and Role Membership. By default, these items are grouped by the identity with which they are associated. Only the top-level roles are displayed. For example, if a role contains required and permitted roles, only the top-level role is displayed and the required and permitted roles are certified as part of that role. Both assigned and detected roles are displayed and denoted by icon. Click on the role name to display the Access Review Decision tab and detailed information.

If the access review was scheduled with the IdentityIQ capabilities and scope included, these appear as entitlements on the IdentityIQ application as Capabilities and Authorized Scopes attributes. Revoking these entitlements has auto-remediation enabled by default. This means that when the revocation is processed (either when the access review is signed off or immediately, depending on the access review configuration) the capabilities and authorized scopes are removed from the identity.

Do one of the following:
• Click on an item to display the Decisions tab and view detailed information about the identity with which the item is associated. See Access Review Page - Decisions Tab on page 29.
• Take action on an item using the icons in the decision column. See How to Perform Access Reviews on page 47.
• Select multiple items using the selection boxes in the left-most column and select the appropriate action from the Select Bulk Action drop-down list at the bottom of the page. The selection boxes are only visible if bulk actions are enabled for your deployment of IdentityIQ. Use the multi-select box at the top of the column to select multiple items at one time. See How to Perform Access Reviews on page 47.
• Right-click on an item and select View History or Add Comments to view the access review history of the item or add comments as needed. History and comments are displayed in the History dialog.
• Right-click on any item that is displaying the attention required, or star, icon to handle a revocation challenge or review the decision made by a certifier to whom this item was delegated. See How to Handle a Challenged Revocation on page 63.
To delegate the access review for an entire identity, open the Identity List view. A user cannot take action on themselves unless this is enabled during configuration.

Click Show identity view at the bottom of the page to display the access review information listed by identity. Use the options at the bottom right of the table to export this list to a Microsoft Excel Worksheet, or to change the way the entitlement descriptions display. The Microsoft Excel Worksheet is not connected to IdentityIQ, and actions taken there are not reflected in the product.

The default worksheet contains the following information:
Note: The access review pages are configurable for each implementation of IdentityIQ. Your screen might not display the same information as is listed in this table.

Table 5—Access Review Details - Worksheet
Legend — The legend defines the choices available from the decisions column. The decision icons displayed depend on configuration settings and on options selected when the access review request was scheduled. Mouse over an icon in the legend to display a pop-up description.

Selection box — Note: This column is not displayed if the access review has already been signed off on, if you are not the access review owner, or if bulk actions are not enabled. Use the selection boxes to select an item, or multiple items, and select the appropriate action from the Select Bulk Action drop-down list at the bottom of the page. Use the multi-select box at the top of the column to select multiple items at one time.
Decision — Note: The decision buttons displayed depend on system settings configured during deployment of IdentityIQ and on decisions made when the access review was scheduled. A user cannot take action on themselves unless this is enabled during configuration.
Role or Entitlement Decisions:
Approve — approve this item. If you approve a role, you are approving the items contained within it. If a role contains roles that are required but have not been assigned to the user, you might be asked if you would like to provision those roles at this time; this depends on configuration and access review scheduling decisions.
Revoke — launch a revocation request for this item or modify its associated permissions. IdentityIQ must be configured to enable editing of permissions from this page. If a role contains required or permitted roles that are not used by other roles assigned to this user, you are given the option to remove those roles as well. If a role being revoked contains entitlements required by another approved role, the shared entitlement is not removed from the identity.
Revoke Account — launch a revocation request for the entire account associated with this item, including all entitlements, on the associated application.
Approve Account — approve the entire account associated with this item, including all entitlements, on the associated application.
Allow Exception — approve this item for a specific period of time.
Delegate — delegate the access review of this item to someone else with access review authority.
Policy Violation Decisions:
Allow — allow the violation for a specific period of time.
Revoke — revoke one or more of the conflicting roles or permissions.
Delegate — delegate the access review of the policy violations for this identity to someone else with access review authority.
To edit or change a decision after a save has been performed, click on a different decision icon and resave the access review. To add comments or view the history associated with an item, right-click and select an option from the drop-down menu. When comments are added to an access review item, balloon icons are displayed in this column.
Identity — The distinguishing identifier for this user as derived from the identity authoritative source, for example an employee number.
First Name — The first name of the identity associated with the line item.
Last Name — The last name of the identity associated with the line item.
Description — A brief description of the item. When available, click the link at the bottom of the table to switch the information view from Value to Descriptions. For example, if the Description column is currently displaying the value for an entitlement in a Manager Access Review, click Show entitlement descriptions to display more detailed information in that column.
Application — The application on which the entitlement resides. This field is blank for roles and policy violations.
Instance — The instance of the application on which the account resides.
Account ID — The login ID used by this identity on the application associated with the specified entitlement.
Risk Score — The composite risk score for the associated item.
Status — The status of the access review for the specific item. Possible statuses are:
Open — action is required on this item before this access review is considered complete.
Complete — access review of this item is complete.
Delegated — access review for this item has been delegated to another approver, and that approver has not yet taken action on the delegated access review request.
Waiting Review — action was taken on a delegated access review request and that action is now awaiting your review. Note: The Waiting Review status depends on IdentityIQ being configured to require reviews of all delegated access review requests.
Returned — the access review request for this item was delegated and returned with no action being taken.
Challenge — a revocation notice has been sent to a user informing them that they are about to have some access revoked and enabling them to accept or challenge that revocation.
Challenged — a user has challenged the revocation of some access, and that challenge is awaiting your response.
Changes Detected — Yes — changes were made to this item since the last access review was completed. No — no changes were made to this item since the last access review was completed. New User — this is the first time this item has been included in an access review of this type.
Due Date — This column is only displayed for continuous access reviews. It shows the current state of the item in the continuous access review life cycle (certified, access review required, or overdue). The date displayed is the date at which the item will move to the next state.
Select Bulk Action — A list of the actions you can perform on multiple items at one time. The bulk actions correspond to actions taken on individual items. The choices depend on system settings specified during product configuration. Bulk actions override your ability to add missing required roles to the roles being certified. See How to Perform Access Reviews on page 47.
Export to CSV — Use this to export the worksheet view of the Access Review Details to a Microsoft Excel spreadsheet.

How to Delegate Access Review Requests on page 52. Your screen might not display the information in this table. See How to Perform Access Reviews on page 47. entitlements and policy violations that are part of this access review. open the Identity List view. See How to Handle a Challenged Revocation on page 63. Access Review Details . Use the multi-select box at the top of the column to select multiple identities at one time. Click Show worksheet view at the bottom of the page to view the access review items in a more detailed table. Use the options at the bottom right of the table to export this list to a Microsoft Excel Worksheet. • Right-click on any item that is displaying the attention required.Worksheet Column Export to CSV Description Use this to export the worksheet view of the Access Review Details to a Microsoft Excel spreadsheet. icon to handle a revocation challenge or review the decision made by a certifier to whom this item was delegated. The Microsoft Excel Worksheet is not connected to IdentityIQ and actions taken there are not reflected in the product. • Select multiple identities using the selection boxes in the left-most column and select the appropriate action from the Select Bulk Action drop-down list at the bottom of the page.Decisions Tab on page 29. • Right-click on a identity and select Delegate to delegate the access review for the entire identity to a different approver.Access Review List Table 5—Access Review Details . See Access Review Page . See “Access Review Details . The default identity list contains the following information: Note: The access review pages are configurable for each implementation of IdentityIQ. Do one of the following: • Click on an identity to display the Decisions tab and view detailed identity information. or change the way the entitlement descriptions display. 20 IdentityIQ User’s Guide .Access Review Details . 
or star.Worksheet” on page 16.Identity List The identity list is comprised of all identities containing roles.

Table 6—Access Review Details - Identity List

Selection boxes
  Note: This column is not displayed if the access review has already been signed off, if you are not the access review owner, or if bulk actions are not enabled.
  Note: Bulk action is only available if configured for your enterprise. A user cannot take action on themselves unless enabled during configuration.
  Use the selection box column to select an identity, or multiple identities, and select the appropriate action from the Select Bulk Action drop-down list at the bottom of the page. Use the multi-select box at the top of the column to select multiple identities at one time.
  Note: When you use the selection box to select and approve an identity's access information, all entitlements for that identity are approved for all roles and applications. Policy violations are not approved.
Last Name
  The last name associated with the identity that requires access review.
First Name
  The first name associated with the identity that requires access review.
Identity
  The distinguishing identifier for this user as derived from the identity authoritative source, for example an employee number.
Status
  The status of the access review for the specific identity. Possible statuses are:
  Open — action is required on this identity before this access review is considered complete.
  Complete — access review of this identity is complete. Requesting reassignment on all roles and entitlements moves the state to Complete as well.
  Delegated — access review for one or more entitlements belonging to this identity has been delegated to another approver. That approver has not yet taken action on the delegated access review request.
  Waiting Review — action was taken on a delegated access review request and that action is now awaiting your review.
  Note: The Waiting Review status is dependent on IdentityIQ being configured to require reviews of all delegated access review requests.
  Returned — the access review request for this identity was delegated and returned with no action being taken.
  Challenge — a revocation notice has been sent to a user informing them that they are about to have some access revoked and enabling them to accept or challenge that revocation.
  Challenged — a user has challenged the revocation of some access point and that challenge is awaiting your response.
Changes Detected
  Yes — changes were made to this user's identity attributes or entitlement information since the last access review was completed.
  No — changes were not made to the identity attributes or entitlement information since the last access review was completed.
  New User — this is the first time the identity has been included in an access review of this type.
Due Date
  This column is only displayed for continuous access reviews. The current state of the identity in the continuous access review life cycle (certified, access review required, or overdue). The date displayed is the date at which the identity will move to the next state.
Select Bulk Action
  A list of the actions you can perform on multiple identities at one time. The bulk actions correspond to the actions available for individual identities. The items that appear in this list are dependent on system settings defined during product configuration. Bulk actions override your ability to add missing required roles to the roles being certified. See How to Perform Access Reviews on page 47.
Export to CSV
  Use this to export the worksheet view of the Access Review Details to a Microsoft Excel spreadsheet.

Access Review Details - Account Group List

The list is comprised of all of the account groups that make up this access review request. This list contains the same information for both Account Group Permission and Account Group Membership access reviews. See Account Group Access Review - Decision Tab on page 41.

Do one of the following:
• Click on a group to display the Decisions tab and view detailed information. See Account Group Access Review - Decision Tab on page 41.
• Right-click on any item that is displaying the attention required, or star, icon to handle a revocation challenge or review the decision made by a certifier to whom this item was delegated. See How to Handle a Challenged Revocation on page 63.
• Select multiple groups using the selection boxes in the left-most column and select the appropriate action from the Select Bulk Action drop-down list at the bottom of the page. See How to Perform Access Reviews on page 47.

The default account group list contains the following information:

Table 7—Access Review Details - Account Group List

Account Group
  The account group whose membership or permissions are being certified.
Description
  The description of the account group.
Status
  The status of the access review for the specific account group. Possible states are:
  Open — action is required on this account group before this access review is considered complete.
  Complete — access review of this account group is complete.
  Delegated — access review for one or more permissions or members belonging to this account group has been delegated to another approver. That approver has not yet taken action on the delegated access review request.
  Returned — the access review request for this account group was delegated and returned with no action being taken.
Select Bulk Action
  A list of the actions you can perform on multiple account groups at one time. The bulk actions correspond to the actions taken on individual account groups. The items that appear in this list are dependent on system settings defined during product configuration. See How to Perform Access Reviews on page 47.

Access Review Details - Role List

The list is comprised of all of the roles that make up this access review. This list is only available for Role Composition access reviews. Role Membership access reviews display on the worksheet or identity view. See Role Composition Access Review - Decision Tab on page 43.

Do one of the following:
• Click on a role to view detailed information. See Role Composition Access Review - Decision Tab on page 43.
• Right-click on a role and select Delegate to delegate the access review for the selected role to a different approver.
• Right-click on any item that is displaying the attention required, or star, icon to handle a revocation challenge or review the decision made by a certifier to whom this item was delegated. See How to Handle a Challenged Revocation on page 63.
• Select multiple roles using the selection boxes in the left-most column and select the appropriate action from the Select Bulk Action drop-down list at the bottom of the page. Use the multi-select box at the top of the column to select multiple roles at one time. See How to Perform Access Reviews on page 47.

The default role list contains the following information:

Table 8—Access Review Details - Role List

Role
  The name of the role being certified for composition.
Status
  The status of the access review for the specific role. Possible statuses are:
  Open — action is required on this role before this access review is considered complete.
  Complete — access review of this role is complete.
  Delegated — access review for one or more roles or profiles belonging to this role has been delegated to another approver. That approver has not yet taken action on the delegated request.
  Returned — the access review request for this role was delegated and returned with no action being taken.
Select Bulk Action
  A list of the actions you can perform on multiple roles. The bulk actions correspond to the actions taken on individual roles. The items that appear in this list are dependent on system settings defined during product configuration. See How to Perform Access Reviews on page 47.

Access Review Page - Decisions Tab

Note: You can only take action on access reviews for which you are the owner or delegated approver. All others are read only.

Note: Access reviews are highly configurable and you might not see all of the information described in this section on your access review pages.

Use the Decisions tab to view detailed information about the identity, account group, entitlement owner, or role being certified and to make decisions on the line items. The information displayed on this tab is dependent on the type of access review you are performing.

Note: Account group, entitlement owner and role access reviews appear and behave significantly differently from other access review types.

• For identity-type access reviews, including manager, application owner, advanced, and identity access reviews, see Identity-Type Access Review Decisions Tab on page 24.
• For account group access reviews, see Account Group Access Review - Decision Tab on page 41.
• For entitlement owner access reviews, see Entitlement Owner Access Review - Decision Tab on page 36.
• For role access reviews, see Role Composition Access Review - Decision Tab on page 38.

Identity-Type Access Review Decisions Tab

Use the Decisions tab to view details on the roles and entitlements granted to the selected identity and any policy violations caused by those entitlements. From this page you can take action on the identity's roles, entitlements and policy violations, view the decision history, or add comments to an access review item.

Note: For Application Owner access reviews, the Decisions tab only contains information that pertains to the application being certified for the selected identity.

Use the Previous Identity and Next Identity buttons to move through the list of identities included in this access review.

Changes made to identity information since the last access review was performed are marked with a red [new]. To view details about the changes, click the Recent Changes tab. See Access Review Page - Recent Changes Tab on page 47.

Detail and work item information display in separate dialogs or pages. Comments and history are displayed below the summary information for each item. When you are finished reviewing the history and comments, click the close icon at the top right corner of that panel.

The summary section of the access review decision panel is also updated with informational messages and warnings about the access review item. For example, an item on which an exception was allowed displays "Exception allowed until 11/20/2007." Any item for which a revocation request was generated in a previous access review, but which has not yet been removed from the identity cube, displays the warning "Item was revoked but has not been removed."

To undo a decision, click the icon on the left side of the decision buttons.

Policies are defined for your enterprise and used to monitor users that are in violation of those policies. For example, a separation of duties policy might disallow one person from requesting and approving purchase orders, or an activity policy might disallow a user with the Human Resources role from updating the payroll application. Identities can have multiple policy violations. If the policy with which a violation is associated is removed before the violation is acted on in the access review, some policy information might not be available.

Roles are made up of roles and profiles and are defined when IdentityIQ is configured. Profiles are collections of entitlements on one specific application in the business model. Both assigned and detected roles are displayed in the roles section, but only the top-level roles: for example, if a role contains required and permitted roles, only the top-level role is displayed and the required and permitted roles are certified as part of that role. Different role types are indicated with different icons, and you can click on the role name to expand the role information and view the role details and hierarchy.

An entitlement is either a specific value for an account attribute, such as group membership, or a permission. Additional entitlements are all entitlements to which the identity has access but that are not included as part of a role the identity holds. If the access review was scheduled with the IdentityIQ capabilities and scope included, these appear as additional entitlements on the IdentityIQ application as Capabilities and Authorized Scopes attributes. Revoking these entitlements has auto-remediation enabled by default. This means that when the revocation is processed (either when the access review is signed or immediately, depending on the access review configuration) the capabilities and authorized scopes are removed from the identity.
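The separation of duties case above (one person both requesting and approving purchase orders), worked through as an added illustration. This is example code, not IdentityIQ code or its policy engine; the policy, its rule, the score weight, the owner and the identities are constructed for the illustration. The rule fields mirror the information the Policy Violations tables later in this section expose (Policy, Rule, Owner, Summary, Score Weight, Corrective Action, Compensating Control), and the example generalises the text slightly by allowing several roles on either side of a rule, which is what makes a single-role Revoke insufficient.

```python
"""Separation-of-duties evaluation, as an added example only.

Not IdentityIQ code or its policy API. The policy, rule, score weight,
owner and identities below are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    left: frozenset            # access on one side of the conflict
    right: frozenset           # access that must not be held together with `left`
    score_weight: int          # contribution to the identity risk score
    corrective_action: str = ""
    compensating_control: str = ""


@dataclass(frozen=True)
class Policy:
    name: str
    owner: str
    rules: tuple


@dataclass(frozen=True)
class Violation:
    identity: str
    policy: str
    rule: str
    owner: str
    summary: str
    left_held: frozenset       # roles held from the rule's left side
    right_held: frozenset      # roles held from the rule's right side
    score_weight: int


# Constructed policy: nobody may both request and approve purchase orders.
PURCHASING_SOD = Policy(
    name="Purchasing SoD",
    owner="finance.controls",
    rules=(
        Rule(
            name="Request vs. approve purchase orders",
            left=frozenset({"PO Requester"}),
            right=frozenset({"PO Approver", "PO Release Manager"}),
            score_weight=500,
            corrective_action="Revoke every role on one side of the conflict",
        ),
    ),
)

# Constructed identities: identity name -> roles (assigned or detected) held.
SAMPLE_IDENTITIES = {
    "alice": {"PO Requester", "PO Approver"},
    "bob": {"PO Requester", "Reporting"},
    "carol": {"PO Requester", "PO Approver", "PO Release Manager"},
}


def evaluate(policy, identities):
    """One Violation per (identity, rule) where the identity holds at least
    one role from each side of the rule; an identity can violate several."""
    found = []
    for ident, roles in identities.items():
        for rule in policy.rules:
            left = frozenset(roles & rule.left)
            right = frozenset(roles & rule.right)
            if left and right:
                found.append(Violation(
                    identity=ident, policy=policy.name, rule=rule.name,
                    owner=policy.owner,
                    summary=f"{ident} holds {sorted(left)} together with {sorted(right)}",
                    left_held=left, right_held=right,
                    score_weight=rule.score_weight))
    return found


def revoke_options(violation):
    """The two minimal Revoke decisions that clear the violation: remove
    every held role on one side, or every held role on the other. Revoking
    one role is not enough when several roles sit on the same side."""
    return (sorted(violation.left_held), sorted(violation.right_held))


def risk_contribution(violations):
    """Sum of rule score weights per identity, the way Score Weight
    feeds the composite identity risk score."""
    totals = {}
    for v in violations:
        totals[v.identity] = totals.get(v.identity, 0) + v.score_weight
    return totals


if __name__ == "__main__":
    for v in evaluate(PURCHASING_SOD, SAMPLE_IDENTITIES):
        print(v.policy, "|", v.rule, "|", v.owner, "|", v.summary)
        print("  revoke options:", revoke_options(v))
```

Note that carol's violation needs two revocations on the right side (or one on the left) to clear; a certifier who revokes only "PO Approver" leaves the conflict in place, which is why the Revoke decision in the tables below speaks of "one or more" conflicting roles.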

The Decisions tab displays slightly different information for Manager, Advanced, Identity, and Role Composition certifications than for Application Owner certifications. Select the correct section below to view the appropriate information.
• See "Manager, Advanced, Identity and Role Membership Access Review Decisions Tab" on page 26.
• See "Application Owner Decisions Tab" on page 31.

Manager, Advanced, Identity and Role Membership Access Review Decisions Tab

If your environment was configured to use paging to limit the display size of the Decisions tab sections, you might see the paging controls at the top right of each section. Paging controls limit the number of items that display in each section.

Use the Approve All, Revoke All, and Revoke All Accounts buttons to make bulk decisions on the displayed identity, then change the decision for any specific items before saving. This enables you to create exceptions to the bulk decision. For example, for an identity with five roles and thirty additional entitlements you might want to approve all but two of the additional entitlements. Rather than making an individual decision on each of the potentially numerous items in the identity, click Approve All and then change the decision for those two entitlements before saving the decisions.

Bulk decisions override the ability to provision missing required roles from this page. If provisioning was enabled from the Schedule New Certification page (see page 86), you can provision roles that are required by roles in the access review but that have not been assigned to the identity.

Use Delegate All to delegate the entire identity to a different IdentityIQ user with access review capability. Use Clear Decisions to undo any previously saved or unsaved actions for this portion of the access review.

The decisions are not confirmed until you click Save Changes or move to a different identity within the access review. Click Save Changes or Cancel Changes at the bottom of the tab to save or cancel any actions taken on this portion of the access review, or to suggest the creation of a new role from the additional entitlements on an identity.

Use the create new role feature to suggest new roles based on trends found during access reviews. For example, if there are five entitlements that appear in the Additional Entitlements list for every identity in a certification, the combination of those entitlements might define a function of that population. Use the Create Role button to define a role around that job function and submit it for approval. Then, in the future, you can certify that single role instead of the five additional entitlements. See How to Request Role Creation from Certifications on page 66.

The Decisions tab for these certification types is divided into three sections:
• Policy Violations
• Roles
• Additional Entitlements

Policy Violations:

Policies are defined specifically for your enterprise and used to monitor users that are in violation of those policies. For example, a separation of duties policy might disallow one person from requesting and approving purchase orders, or an activity policy might disallow a user with the Human Resources role from updating the payroll application.

The Policy Violations table lists any violations of policy for this identity. You must take action on these violations before the certification is complete. If the policy with which a violation is associated is removed before the violation is acted on in the certification, some policy information might not be available.

Policy violations might also be viewed and acted upon from the Policy Violations page. Decisions made on a violation from that page are displayed below the summary information within the access review.

Table 9, "Manager, Advanced, and Identity Access Review Decisions Tab — Policy Violations," on page 28, lists the columns in the Decisions tab Policy Violations table and provides a description of each.

Table 9—Manager, Advanced, and Identity Access Review Decisions Tab — Policy Violations

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the policy violation:
  Allow — allow the violation for a specific period of time.
  Revoke — revoke one or more of the conflicting roles, permissions or accounts.
  Delegate — delegate the certification of the policy violations, for this identity, to someone else with certification authority.
  To edit or change a decision after a save has been performed, click the icon to the left of the decision buttons and select Edit or Undo Decision.
  To add comments or view the history associated with a policy violation, click the icon to the left of the decision buttons. Type comments into the pop-up dialog and click Save, or view the history information below the policy violation information. When comments are added to a certification item, balloon icons are displayed in this column.
Policy
  The policy that is violated.
Rule
  The specific rule that is being broken to cause the violation of the policy. Click on a rule to display the following rule information:
  Description — brief description of the rule from the rule definition page.
  Policy — the policy in which the rule is contained.
  Score Weight — the risk score weight assigned to this rule and used to calculate identity risk scores.
  Compensating Control — any compensating controls associated with this rule.
  Corrective Action — any recommended corrective action entered when the policy was defined.
Owner
  The defined owner of the violated policy.
Summary
  The description of the policy violation from the rule definition page.
Due Date
  This column is only displayed for continuous certifications. The current state of the item in the continuous certification life cycle (certified, certification required, or overdue). The date displayed is the date at which the item will move to the next state.
History
  Note: This option is available for continuous certifications only.
  Click the menu icon located next to the "OK" icon in the Decision column and then click View History to display the history of saved actions performed on this portion of the access review.

Roles:

The Decisions tab Roles table provides the following:

Table 10—Manager, Advanced, and Identity Access Review Decisions Tab — Roles

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the associated role:
  Approve — approve this role, including the roles and entitlements it contains.
  Allow Exception — approve this role, including the roles and entitlements it contains, for a specific period of time.
  Revoke — remove this role, including its roles and entitlements. If a role contains items used in other roles assigned to this user, those items are not revoked. If a role contains required or permitted roles that are not used in other roles assigned to this user, a dialog is displayed enabling you to make a revocation decision for each of those roles.
  Delegate — delegate the access review of this role, for this identity, to someone else with access review authority.
  If additional roles are required by a role and have not been assigned to this identity, a Missing Required Roles warning is displayed in this column. If provisioning is enabled from access reviews, and this role contains required roles that have not yet been assigned to this user, a dialog is displayed enabling you to provision those roles from this page.
  To edit or change a decision after a save has been performed, click the icon to the left of the decision buttons and select Edit or Undo Decision.
  To add comments or view the history associated with a role, click the icon to the left of the decision buttons. Type comments into the pop-up dialog and click Save, or view the history information below the role information. When comments are added to an access review item, balloon icons are displayed in this column.
Role
  The name of the role. Click on a role name to display the details of that role, including the roles and entitlements it contains. The detailed information might contain two tabs, one containing hierarchical information and one containing any permitted or required roles. If the top-level role does not contain any permitted or required roles, only the Role Hierarchy tab is displayed. See My Access Reviews Page on page 9.
Description
  Brief description of the role.
Due Date
  This column is only displayed for continuous certifications. The current state of the item in the continuous certification life cycle (certified, certification required, or overdue). The date displayed is the date at which the item will move to the next state.
History
  Note: This option is available for continuous certifications only.
  Click the menu icon located next to the "OK" icon in the Decision column and then click View History to display the history of saved actions performed on this portion of the access review.

Additional Entitlements:

Additional entitlements are any entitlements to which the identity has access but that do not comprise a complete role. For example, if a role is comprised of entitlements A, B, and C, but the identity only has access to entitlements A and B, A and B are included in the list of Additional Entitlements. Also, if the user is assigned entitlements A, B, C, and D, and A, B, and C are grouped as the role, D is added to the Additional Entitlements list.

The Additional Entitlements table groups entitlements by the application with which they are associated. Click on the Application or Account Name to view detailed information.

If the access review was scheduled with the IdentityIQ capabilities and scope included, these appear as additional entitlements on the IdentityIQ application as Capabilities and Authorized Scopes attributes. Revoking these entitlements has auto-remediation enabled by default. This means that when the revocation is processed (either when the access review is signed or immediately, depending on the certification configuration) the capabilities and authorized scopes are removed from the identity.
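The A, B, C, D example above, together with the Revoke behaviour described for the Roles table (entitlements a revoked role shares with another role that stays assigned are not removed) and the Revoke Account decision, carried through in working code. This is an added example, not IdentityIQ code or its API; the role model, the applications and the identities are constructed. It generalises the text slightly: any number of roles, a role detected only when every entitlement in it is held, and results grouped by application as the Additional Entitlements table groups them.

```python
"""Role coverage, additional entitlements and role revocation, as an
added example only. Not IdentityIQ code or its API; the role model,
applications and identities are constructed."""
from collections import namedtuple

# An entitlement is a value of an account attribute on one application,
# matching the Application / Attribute / Entitlements columns.
Entitlement = namedtuple("Entitlement", "application attribute value")

E_A = Entitlement("ERP", "groups", "A")
E_B = Entitlement("ERP", "groups", "B")
E_C = Entitlement("ERP", "groups", "C")
E_D = Entitlement("ERP", "groups", "D")
E_VIEWER = Entitlement("BI", "groups", "Viewer")

# Constructed role model: role name -> entitlements its profiles grant.
# "Reporting" deliberately shares C with "AP Clerk".
ROLES = {
    "AP Clerk": frozenset({E_A, E_B, E_C}),
    "Reporting": frozenset({E_C, E_VIEWER}),
}


def detect_roles(held, roles=ROLES):
    """A role is detected only when the identity holds every entitlement
    in it; a partial match (A and B without C) is not a role."""
    return {name for name, ents in roles.items() if ents <= held}


def additional_entitlements(held, roles=ROLES):
    """Entitlements the identity holds outside any complete detected role,
    grouped by application. With no detected role, everything is additional."""
    covered = set().union(*(roles[r] for r in detect_roles(held, roles)))
    grouped = {}
    for ent in sorted(held - covered):
        grouped.setdefault(ent.application, []).append(ent)
    return grouped


def revoke_role(role, assigned, roles=ROLES):
    """Entitlements a Revoke decision on `role` actually removes, given the
    other roles that remain assigned to the identity. Returns
    (removed, retained): `retained` are the entitlements shared with a
    remaining role, which the text says are not revoked."""
    keep = set().union(*(roles[r] for r in assigned if r != role))
    target = roles[role]
    return target - keep, target & keep


def revoke_account(held, application):
    """Revoke Account: every entitlement on that application goes,
    whatever roles it belongs to. Returns (remaining, removed)."""
    removed = {e for e in held if e.application == application}
    return held - removed, removed


if __name__ == "__main__":
    partial = {E_A, E_B}
    print(detect_roles(partial), additional_entitlements(partial))
    full_plus = {E_A, E_B, E_C, E_D}
    print(detect_roles(full_plus), additional_entitlements(full_plus))
    both = {E_A, E_B, E_C, E_VIEWER}
    print(revoke_role("AP Clerk", detect_roles(both)))
```

The second return value of revoke_role is the set to watch in practice: it is exactly the access that survives a Revoke decision and would surface again on the next review unless the other role is revoked too, which is the situation the "Item was revoked but has not been removed" warning is there to flag.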

Table 11—Manager, Advanced, and Identity Access Review Decisions Tab — Additional Entitlements

Certification Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the entitlements:
  Approve — approve these entitlements on the specified application.
  Approve Account — approve the entire account associated with this item, including all entitlements.
  Allow Exception — approve the entitlements on the specified application for a specific period of time.
  Revoke — launch a revocation request for this item or modify its associated permissions. IdentityIQ must be configured to enable editing of permissions from this page.
  Revoke Account — launch a revocation request for the entire account on the application associated with this item.
  Delegate — delegate the access review of the entitlements on this application, for this identity, to someone else with access review authority.
  To edit or change a decision after a save has been performed, click the icon to the left of the decision buttons and select Edit or Undo Decision.
  To add comments or view the history associated with an entitlement, click the icon to the left of the decision buttons. Type comments into the pop-up dialog and click Save, or view the history information below the entitlement information. When comments are added to an access review item, balloon icons are displayed in this column.
Application
  The application with which the entitlements are associated.
Account Name
  The account name with which this identity accesses the application associated with these entitlements. See My Access Reviews Page on page 9.
Attribute
  The attribute on the application to which the entitlement applies.
Entitlements
  A list of the entitlements this identity has on the specified application.
Due Date
  This column is only displayed for continuous certifications. The current state of the item in the continuous certification life cycle (certified, certification required, or overdue). The date displayed is the date at which the item will move to the next state.
History
  Note: This option is available for continuous certifications only.
  Click the menu icon located next to the "OK" icon in the Decision column and then click View History to display the history of saved actions performed on this portion of the access review.

Application Owner Decisions Tab

Application Owner access reviews only contain information that applies to the application being certified. If an identity has policy violations, roles, or additional entitlements that are associated with other applications, they are not displayed on the Decisions tab for the identity.

The Decisions tab for these access review types is divided into three sections:
• Policy Violations
• Roles
• Additional Entitlements

Policy Violations:

Policies are defined specifically for your enterprise and used to monitor for users that are in violation of those policies. For example, a separation of duties policy might disallow one person from requesting and approving purchase orders, or an activity policy might disallow a user with the Human Resources role from updating the payroll application.

The Policy Violations table lists any violations of policy that apply to this application for this identity. You must take action on these violations before the access review is complete. If the policy with which a violation is associated is removed before the violation is acted on in the access review, some policy information might not be available.

Policy violations might also be viewed and acted upon from the Policy Violations page. Decisions made on a violation from that page are displayed below the summary information within the access review.

Table 12, "Application Owner Access Review Decisions Tab — Policy Violations," on page 33, lists the columns in the Decisions tab Policy Violations table and provides a description of each.

Table 12—Application Owner Access Review Decisions Tab — Policy Violations

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the policy violation:
  Allow — approve the violation for a specific period of time.
  Revoke — revoke one or more of the conflicting roles or permissions to prevent this violation from recurring.
  Delegate — delegate the access review of the policy violations, for this identity, to someone else with access review authority.
  To edit or change a decision after a save has been performed, click the icon to the left of the decision buttons and select Edit or Undo Decision.
  To add comments or view the history associated with a policy violation, click the icon to the left of the decision buttons. Type comments into the pop-up dialog and click Save, or view the history information below the policy violation information. When comments are added to an access review item, balloon icons are displayed in this column.
Policy
  The policy that is violated.
Rule
  The specific rule that is being broken to cause the violation of the policy. Click on a rule to display the following rule information:
  Description — brief description of the rule from the rule definition page.
  Policy — the policy in which the rule is contained.
  Score Weight — the risk score weight assigned to this rule and used to calculate identity risk scores.
  Compensating Control — any compensating controls associated with this rule.
  Corrective Action — any recommended corrective action entered when the policy was defined.
Owner
  The defined owner of the policy that is violated.
Summary
  The description of the policy violation from the rule definition page.
Due Date
  This column is only displayed for continuous certifications. The current state of the item in the continuous certification life cycle (certified, certification required, or overdue). The date displayed is the date at which the item will move to the next state.
History
  Note: This option is available for continuous certifications only.
  Click the menu icon located next to the "OK" icon in the Decision column and then click View History to display the history of saved actions performed on this portion of the access review.

Role Entitlements:

Table 13, "Application Owner Access Review Decisions Tab — Role Entitlements," on page 34, lists the columns in the Decisions tab Role table and provides a description of each.

Table 13—Application Owner Access Review Decisions tab — Role Entitlements

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the associated Role, for this identity.
  • Approve — approve this role, including the roles and entitlements it contains, for this identity.
  • Revoke — remove this Role, including the roles and entitlements it contains. If a role contains items used in other roles assigned to this user, those items are not revoked. If a role contains required or permitted roles that are not used in other roles assigned to this user, a dialog is displayed enabling you to make a revocation decision for each of those roles.
  • Allow Exception — approve this role, including the roles and entitlements it contains, for a specific period of time.
  • Delegate — delegate the access review of this role to someone else with access review authority.
  • To add comments or view the history associated with a role, click the icon to the left of the decision buttons. Type comments into the pop-up dialog and click Save, or view the history information below the role information.
  When comments are added to an access review item, balloon icons are displayed in this column.

Role
  The name of the role. If additional roles are required by a role and have not been assigned to this identity, a Missing Required Roles warning is displayed in this column. If provisioning is enabled from access reviews, and this role contains required roles that have not yet been assigned to this user, a dialog is displayed enabling you to provision those roles from this page.
  Click on a role name to display the details of that role. The detailed information might contain two tabs, one containing hierarchical information and one containing any permitted or required roles. If the top-level role does not contain any permitted or required roles, only the Role Hierarchy tab is displayed. See My Access Reviews Page on page 9.

Account Name
  The account name used by this identity to access the application.

Entitlements for Account on <Application Name>
  A detailed list of the entitlements that make up this role on the application being certified.

Due Date
  This column is only displayed for continuous certifications. The current state of the item in the continuous certification life cycle (certified, certification required, or overdue). The date displayed is the date at which the item will move to the next state.

History
  Click the menu icon located next to the “OK” icon in the Decision column and then click View History to display the history of saved actions performed on this portion of the access review.
  Note: This option is available for Continuous Certifications only.

Additional Entitlements:
Additional Entitlements are any entitlements to which the identity has access, but that do not comprise a complete role. For example, if a role is comprised of entitlements A, B, and C, but the identity only has access to entitlements A and B, A and B are included in the list of Additional Entitlements. Also, if the identity is assigned entitlements A, B, C, and D, and A, B, and C are grouped as the role, D is added to the Additional Entitlements list.
Mouse over the question mark (?) icon next to the entitlement name to view a description of the entitlement. These descriptions are added, and can be edited and updated, as part of the configuration process for your implementation of IdentityIQ.
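The rule above (a role counts only when every entitlement it is comprised of is held; everything else is listed individually) and the Revoke behaviour in Table 13 (items that other held roles also use are not removed) can be worked through in code. The following is an added example written for this guide, not IdentityIQ code: the role names, entitlement letters and identity entitlement sets are constructed sample values, and roles are modelled as flat sets of entitlements on a single application, without the role hierarchy or permitted and required roles that the product supports.

```python
"""Derive Additional Entitlements and role revocations from role definitions.

Added illustration, not IdentityIQ code: role names, entitlement names and
the identity's held entitlements below are constructed sample values, and
roles are modelled as flat sets of entitlements on one application.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed sample role definitions: role name -> entitlements that comprise it.
SAMPLE_ROLES: Dict[str, FrozenSet[str]] = {
    "Accounts Payable": frozenset({"A", "B", "C"}),
    "Finance Viewer": frozenset({"C", "G"}),
    "Payroll Reader": frozenset({"E", "F"}),
}


def classify_entitlements(
    held: Iterable[str], roles: Dict[str, FrozenSet[str]]
) -> Tuple[List[str], List[str]]:
    """Split an identity's entitlements into complete roles and Additional Entitlements.

    A role counts only when every entitlement it is comprised of is held; a
    partially held role contributes nothing, so its entitlements remain in the
    Additional Entitlements list. Entitlements outside every complete role are
    listed individually as well.
    """
    held_set: Set[str] = set(held)
    detected = sorted(name for name, ents in roles.items() if ents <= held_set)
    covered: Set[str] = set()
    for name in detected:
        covered |= roles[name]
    additional = sorted(held_set - covered)
    return detected, additional


def entitlements_to_revoke(
    role_name: str, held: Iterable[str], roles: Dict[str, FrozenSet[str]]
) -> List[str]:
    """Entitlements actually removed when a complete role is revoked.

    Mirrors the Revoke behaviour described in Table 13: items that are also
    used by other roles the identity holds are not revoked.
    """
    detected, _ = classify_entitlements(held, roles)
    if role_name not in detected:
        raise ValueError(f"{role_name!r} is not a complete role held by this identity")
    shared: Set[str] = set()
    for other in detected:
        if other != role_name:
            shared |= roles[other]
    return sorted(roles[role_name] - shared)


if __name__ == "__main__":
    for held in ({"A", "B"}, {"A", "B", "C", "D"}, {"A", "B", "C", "G"}):
        roles_found, extra = classify_entitlements(held, SAMPLE_ROLES)
        print(f"held={sorted(held)} roles={roles_found} additional={extra}")
    print(
        "revoke Accounts Payable:",
        entitlements_to_revoke("Accounts Payable", {"A", "B", "C", "G"}, SAMPLE_ROLES),
    )
```

The first two sample identities reproduce the A, B, C, D cases from the text; the third holds two roles that share entitlement C, so revoking Accounts Payable removes only A and B.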

Table 14—Application Access Review Decisions tab — Additional Entitlements

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the entitlements, on the associated application, for this identity.
  • Approve — approve these entitlements on this application.
  • Approve Account — approve the entire account associated with this item, including all entitlements.
  • Revoke — launch a revocation request for this item or modify its associated permissions. IdentityIQ must be configured to enable editing of permissions from this page.
  • Revoke Account — launch a revocation request for the entire account on the application.
  • Allow Exception — approve the entitlements for a specific period of time.
  • Delegate — delegate the access review of the entitlement to someone else with access review authority.
  • To add comments or view the history associated with an entitlement, click the icon to the left of the decision buttons. Type comments into the pop-up dialog and click Save, or view the history information below the entitlement information.
  When comments are added to an access review item, balloon icons are displayed in this column.

Account Name
  The account name with which this identity accesses the application.

Attribute
  The attribute name with which the entitlement is associated.

Entitlements on <Application Name>
  A detailed list of the Additional Entitlements for this identity on the application being certified.

History
  Click the menu icon located next to the “OK” icon in the Decision column and then click View History to display the history of saved actions performed on this portion of the access review.
  Note: This option is available for Continuous Certifications only.

Due Date
  This column is only displayed for continuous certifications. The current state of the item in the continuous certification life cycle (certified, certification required, or overdue). The date displayed is the date at which the item will move to the next state.

Entitlement Owner Access Review - Decision Tab

Use the Decision tab of the entitlement owner access review to make decisions on the identity assigned to be responsible for specific entitlements or permissions being certified. Use the Previous Entitlement and Next Entitlement buttons to move through the list of entitlements included in this access review. See My Access Reviews Page on page 9.

If your environment was configured to use paging to limit the display size of the Decision tab sections, you might see the paging controls on the top, right side of each section. Paging controls limit the number of items that display in each section.

Rather than making an individual decision on each of the potentially numerous items in the identity, use the Approve All, Revoke All, and Revoke All Accounts buttons to make bulk decisions on the displayed identity. For example, for an identity with five roles and thirty additional entitlements you might want to approve all but two of the additional entitlements: click Approve All and then change the decision for any specific entitlements before saving the decisions. This enables you to create exceptions to the bulk decision. The decisions are not confirmed until you click Save Changes or move to a different identity within the access review.
Use Delegate All to delegate the entire identity to a different IdentityIQ user with access review capability. Use Clear Decisions to undo any previous saved or unsaved actions for this portion of the access review.
If provisioning was enabled from the “Schedule New Certification” page (see page 86), you can provision roles that are required by roles in the access review but that have not been assigned to the identity. Bulk decisions overwrite the ability to perform the provisioning of missing required roles from this page.
Click Save Changes or Cancel Changes at the bottom of the tab to save or cancel any actions taken on this portion of the access review.

On the Entitlement Owner Decision tab, the name of the entitlement is displayed at the top of the page and the table contains the following information depending on the type of entitlement owner access review being performed:

Table 15—Entitlement Owner Access Review Decision Tab

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the member of the account group.
  • Approve — approve the member for this account group on the specified application.
  • Revoke Account — create a revocation request to remove the member from the account group.
  • Delegate — delegate the access review of this member on this account group to someone else with access review authority.
  • Click on the icon to the left of the decision icons to change a previously made decision.
  When comments are added to an access review item, balloon icons are displayed in this column.

Identity
  The identity with which the account is associated. Click on the identity name to display detailed information about identity and application attributes.

Account Name
  The account name with which this identity accesses the application. Click on the account name to display detailed information.

History
  Click the menu icon located next to the “OK” icon in the Decision column and then click View History to display the history of saved actions performed on this portion of the access review.
  Note: This option is available for Continuous Certifications only.

Account Group Access Review - Decision Tab

Use the Decision tab of the account group access reviews to make decisions on the permissions or members assigned to each account group on the application being certified. There are two different types of account group access reviews:
• Permissions — certify the entitlements contained within each account group on an application.
• Membership — certify the members that make up the account groups on an application. The members list contains all identities that have access to the account group being certified.
Use the Previous Account Group and Next Account Group buttons to move through the list of account groups included in this access review. See My Access Reviews Page on page 9.

Rather than making an individual decision on each of the potentially numerous items in the identity, use the Approve All, Revoke All, and Revoke All Accounts buttons to make bulk decisions on the displayed identity. For example, for an identity with five roles and thirty additional entitlements you might want to approve all but two of the additional entitlements: click Approve All and then change the decision for any specific entitlements before saving the decisions. This enables you to create exceptions to the bulk decision. The decisions are not confirmed until you click Save Changes or move to a different identity within the access review.
Use Delegate All to delegate the entire identity to a different IdentityIQ user with access review capability. Use Clear Decisions to undo any previous saved or unsaved actions for this portion of the access review.
If provisioning was enabled from the “Schedule New Certification” page (see page 86), you can provision roles that are required by roles in the access review but that have not been assigned to the identity. Bulk decisions overwrite the ability to perform the provisioning of missing required roles from this page.
Click Save Changes or Cancel Changes at the bottom of the tab to save or cancel any actions taken on this portion of the access review.

On the Account Group Certification tab, the name of the account group is displayed at the top of the page and the table contains the following information depending on the type of account group access review being performed:

Table 16—Account Group Certification Decision Tab - Membership

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the member of the account group.
  • Approve — approve the member for this account group on the specified application.
  • Revoke Account — create a revocation request to remove the member from the account group.
  • Delegate — delegate the access review of this member on this account group to someone else with access review authority.
  • Click on the icon to the left of the decision icons to change a previously made decision.
  When comments are added to an access review item, balloon icons are displayed in this column.

Identity
  The identity with which the account is associated. Click on the identity name to display detailed information about identity and application attributes.

Account Name
  The account name with which this identity accesses the application. Click on the account name to display detailed information.

Table 17—Account Group Access Review Decision Tab - Permissions

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the entitlement.
  • Approve — approve the entitlement for this account group on the specified application.
  • Revoke — create a revocation request to remove the entitlement from the account group.
  • Delegate — delegate the access review of this entitlement on this account group to someone else with access review authority.
  • Click on the icon to the left of the decision icons to change a previously made decision.
  When comments are added to an access review item, balloon icons are displayed in this column.

Attribute
  The target object to which this entitlement grants access.

Entitlements
  The rights granted by this entitlement on the associated target.

History
  Click the menu icon located next to the “OK” icon in the Decision column and then click View History to display the history of saved actions performed on this portion of the access review.
  Note: This option is available for Continuous Certifications only.

Role Composition Access Review - Decision Tab

Use the Decision tab of the role composition access review to make decisions on the composition or membership of the roles being certified. The composition of a role is the profiles and roles of which it is comprised. The membership of a role is a list of all of the identities to which the role is assigned.
Use the Previous Role and Next Role buttons to move through the list of roles included in this access review.

Rather than making an individual decision on each of the potentially numerous items in the identity, use the Approve All, Revoke All, and Revoke All Accounts buttons to make bulk decisions on the displayed identity. For example, for an identity with five roles and thirty additional entitlements you might want to approve all but two of the additional entitlements: click Approve All and then change the decision for any specific entitlements before saving the decisions. This enables you to create exceptions to the bulk decision. The decisions are not confirmed until you click Save Changes or move to a different identity within the access review.
Use Delegate All to delegate the entire identity to a different IdentityIQ user with access review capability. Use Clear Decisions to undo any previous saved or unsaved actions for this portion of the access review.
If provisioning was enabled from the “Schedule New Certification” page (see page 86), you can provision roles that are required by roles in the access review but that have not been assigned to the identity. Bulk decisions overwrite the ability to perform the provisioning of missing required roles from this page.
Click Save Changes or Cancel Changes at the bottom of the tab to save or cancel any actions taken on this portion of the access review.

On the Decisions tab, the name of the role is displayed at the top of the page and the tables contain the following information:

Table 18—Role Access Review Decision Tab - Composition

Role Composition:

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the profile.
  • Approve — approve the profile for this role.
  • Revoke — create a revocation request to remove the profile from the role.
  • Delegate — delegate the access review of this profile on this role to someone else with access review authority.
  • Click on the icon to the left of the decision icons to change a previously made decision.
  When comments are added to an access review item, balloon icons are displayed in this column.

Profile
  The name of the profiles included in the role. Click the profile name to view the list of entitlements contained within.
  Note: You cannot take action on individual entitlements within a profile.

Application
  The application with which the profile is associated.

Description
  Brief description of the profile as it was entered when the profile was defined.

Included Roles:

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the role.
  • Approve — approve the subordinate role for inclusion in the main role.
  • Revoke — create a revocation request to remove the subordinate role.
  • Delegate — delegate the access review of this subordinate role to someone else with access review authority.
  • Click on the icon to the left of the decision icons to change a previously made decision.
  When comments are added to an access review item, balloon icons are displayed in this column.

Role
  The name of roles contained within the role being certified. Each role might include multiple other roles. Click on a role name to display the details of that role. The detailed information might contain two tabs, one containing hierarchical information and one containing any permitted or required roles. If the top-level role does not contain any permitted or required roles, only the Role Hierarchy tab is displayed. See My Access Reviews Page on page 9.

Description
  The description of the subordinate role.

Table 19—Role Access Review Decision Tab - Membership

Decision
  Note: The decision buttons displayed are dependent on system settings configured during deployment of IdentityIQ.
  The action to take on the role, for this identity.
  • Approve — approve this role, including its entitlements, for this identity.
  • Revoke — remove this role, including its entitlements. If a role contains entitlements used in other roles assigned to this user, those entitlements are not revoked.
  • Allow Exception — approve this role, including its entitlements, for a specific period of time.
  • Delegate — delegate the access review of this role to someone else with access review authority.
  • To add comments or view the history associated with a role, click the icon to the left of the decision buttons. Type comments into the pop-up dialog and click Save, or view the history information below the role information.
  • To edit or change a decision after a save has been performed, click the icon to the left of the decision buttons and select Edit or Undo Decision.
  When comments are added to an access review item, balloon icons are displayed in this column.

Role
  The name of the role. Click on a role name to display the details of that role. The detailed information might contain two tabs, one containing hierarchical information and one containing any permitted or required roles. If the top-level role does not contain any permitted or required roles, only the Role Hierarchy tab is displayed. See My Access Reviews Page on page 9.

Description
  Brief description of the role.

Access Review Page - Recent Changes Tab

Note: This tab is not available for account group or role composition access review.

Use the Recent Changes tab to view any modifications to the identity attributes or entitlements since the last access review. This enables you to review any changes and determine if they are appropriate for the identity’s role within your organization, and, if necessary, make the required changes during this certification cycle.

The Recent Changes section contains tables listing the following information:
• Role Changes — changes to the roles assigned to this identity. See “Role Changes” on page 44.
• Application Attribute Changes — changes to attribute values associated with attributes in applications to which the identity has access. See “Application Attribute Changes” on page 44.
• Permission Changes — changes to permissions on any application to which the identity has access. See “Permission Changes” on page 44.
• Identity Attribute Changes — changes to the identity attributes defined during the configuration of IdentityIQ. See “Identity Attribute Changes” on page 45.

Role Changes

Table 20— Recent Changes Form - Role Changes

Role
  The name of the role that changed.

Change Type
  The type of change that was detected.
  ADDED — added the new value.
  REMOVED — removed the old value.
  MODIFIED — modified the old value to the new value.

Application Attribute Changes

Table 21— Recent Changes Form - Application Attribute Changes

Application
  The name of the application containing the attribute that was changed.

Attribute
  The name of the attribute that changed.

Value
  The value that was changed.

Change Type
  The type of change that was detected.
  ADDED — added the new value.
  REMOVED — removed the old value.
  MODIFIED — modified the old value to the new value.

Permission Changes

Table 22— Recent Changes Form - Permission Changes

Application
  The name of the application affected by the permission that was added or removed.

Target
  The object in the application on which rights are granted. For example, a target might be a table in the application.

Right
  The specific rights granted on that target. For example, the rights might allow the identity to add and remove information on a specific table in the application.

Change Type
  Added or Removed, to specify the action taken against the permission defined by the target and right combination.

Identity Attribute Changes

Table 23— Recent Changes Form - Identity Attribute Changes

Attribute
  The name of the attribute that changed.

Value
  The value that was changed.

Change Type
  The type of change that was detected.
  ADDED — added the new value.
  REMOVED — removed the old value.
  MODIFIED — modified the old value to the new value.

Access Review Details - Employee Data

Note: This tab is not available for account group or role composition access review.

Click the Employee Data tab to view detailed information about the employee to help determine the appropriate actions for this access review. The employee data contained on this page is defined when IdentityIQ is configured and is comprised of the information your deployment team considered relevant for your organization.

Access Review Details - Risk Data

Use the Risk Data tab to view risk information to help determine the appropriate actions for this access review. This tab contains information on each score category. Based on the score information in each category you can make more informed decisions during the course of the access review process.
Click a line item in the table on the Access Review Details page to access specific information about that item on a new page, for example certification, role, or policy violation.

Access Review Details - Group Information

Note: The Group Information tab is only available for account group access review.
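The four Recent Changes tables are the difference between what was recorded about the identity at the last access review and what is recorded now. The following added example, which is not IdentityIQ code, computes those rows from two constructed snapshots; the Snapshot layout, the sample identity values, and the choice to show the new value in the Value column for MODIFIED rows are assumptions made for this example.

```python
"""Build the Recent Changes tables from two identity snapshots.

Added illustration, not IdentityIQ code: the Snapshot layout and the sample
values below are constructed for this example. Change types use the
vocabulary of Tables 20 to 23 (ADDED, REMOVED, MODIFIED for roles and
attributes; Added, Removed for permissions).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Snapshot:
    """What is recorded about one identity at one access review (constructed layout)."""
    roles: Set[str] = field(default_factory=set)
    identity_attrs: Dict[str, str] = field(default_factory=dict)
    # application -> attribute -> value
    app_attrs: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # application -> {(target, right)}
    permissions: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)


def diff_values(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, value, change type) rows for attribute-style changes.

    Assumption for this example: a MODIFIED row carries the new value in the
    Value column, since the old value was modified to it.
    """
    rows: List[Tuple[str, str, str]] = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            rows.append((name, new[name], "ADDED"))
        elif name not in new:
            rows.append((name, old[name], "REMOVED"))
        elif old[name] != new[name]:
            rows.append((name, new[name], "MODIFIED"))
    return rows


def role_changes(old: Snapshot, new: Snapshot) -> List[Tuple[str, str]]:
    """Table 20 rows: (role, change type). A role is held or not, so it is never MODIFIED."""
    added = [(r, "ADDED") for r in sorted(new.roles - old.roles)]
    removed = [(r, "REMOVED") for r in sorted(old.roles - new.roles)]
    return added + removed


def application_attribute_changes(old: Snapshot, new: Snapshot) -> List[Tuple[str, str, str, str]]:
    """Table 21 rows: (application, attribute, value, change type)."""
    rows: List[Tuple[str, str, str, str]] = []
    for app in sorted(old.app_attrs.keys() | new.app_attrs.keys()):
        for attr, value, kind in diff_values(old.app_attrs.get(app, {}), new.app_attrs.get(app, {})):
            rows.append((app, attr, value, kind))
    return rows


def permission_changes(old: Snapshot, new: Snapshot) -> List[Tuple[str, str, str, str]]:
    """Table 22 rows: (application, target, right, Added or Removed)."""
    rows: List[Tuple[str, str, str, str]] = []
    for app in sorted(old.permissions.keys() | new.permissions.keys()):
        before = old.permissions.get(app, set())
        after = new.permissions.get(app, set())
        rows += [(app, target, right, "Added") for target, right in sorted(after - before)]
        rows += [(app, target, right, "Removed") for target, right in sorted(before - after)]
    return rows


def identity_attribute_changes(old: Snapshot, new: Snapshot) -> List[Tuple[str, str, str]]:
    """Table 23 rows: (attribute, value, change type)."""
    return diff_values(old.identity_attrs, new.identity_attrs)


# Constructed sample data: the identity as recorded at the last access review, and now.
LAST_REVIEW = Snapshot(
    roles={"Accounts Payable"},
    identity_attrs={"department": "Finance", "manager": "jsmith"},
    app_attrs={"PayrollApp": {"group": "readers"}},
    permissions={"PayrollApp": {("salary_table", "read")}},
)
CURRENT = Snapshot(
    roles={"Accounts Payable", "Payroll Admin"},
    identity_attrs={"department": "Finance", "manager": "mjones"},
    app_attrs={"PayrollApp": {"group": "admins", "costCenter": "CC-42"}},
    permissions={"PayrollApp": {("salary_table", "read"), ("salary_table", "write")}},
)

if __name__ == "__main__":
    print("Role Changes:", role_changes(LAST_REVIEW, CURRENT))
    print("Application Attribute Changes:", application_attribute_changes(LAST_REVIEW, CURRENT))
    print("Permission Changes:", permission_changes(LAST_REVIEW, CURRENT))
    print("Identity Attribute Changes:", identity_attribute_changes(LAST_REVIEW, CURRENT))
```

In the sample, the identity gained a role, had a manager change and a group change on PayrollApp, picked up a new application attribute, and was granted write on a table it could previously only read; each of those surfaces in exactly one of the four tables.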

The Group Information tab is available from the Access Review page for both permission and membership account group access reviews. Click this tab to view the list of attributes for the account group being certified and a full list of the permissions and entitlements associated with that account group on the application specified.

Chapter 2: How to Perform Access Reviews

Use the following information to complete access reviews.

There are numerous ways to move through the IdentityIQ application. As you become familiar with the product and tailor it to fit the functions of your job you will discover the method that works best for you.

When you begin an access review you are taken to one of the following views depending on the configuration of the product and your personal preference settings. Your personal preferences overwrite those defined during the product configuration. See “How to Edit Your User Preferences” on page 367.
• The list views display the top-level items that make up an access review: identities, account groups, entitlements, or roles. Click on a top-level item to display the Access Review Decision tab containing detailed information about that item. See “Access Review Details - Identity List” on page 23.
• The worksheet displays the individual line items that are assigned to the identities within identity-type access reviews. Identity-type access reviews are Manager, Application Owner, Entitlement Owner, Advanced, Identity, and Role Membership access reviews. Click on a line item to display the Access Review Decisions tab for the identity with which the item is associated. See “Access Review Details Worksheet” on page 19.
• The Access Review Decisions tab displays detailed information about one entity (identity, account group, entitlement, or role) being certified. See “Access Review Details - Decisions Tab” on page 29.

Required Authorization

You must be the owner or delegated approver of an access review to take action on any of the items within the access review. You might be able to view another user’s access review; however, it appears as read only. System Administrators and Certification Administrators can take action on all access review items whether they own the certification or not.

Procedure

Access Reviews are performed from the Access Review Details page. See Access Review Details on page 11.
1. View your Access Review page:
   - Click on an access review request in your Inbox on the Dashboard.
   — OR —
   - Click the Manage tab, or mouse over the tab and select My Access Reviews, to display the Access Reviews page. Click on an access review request.
2. Perform one of the following actions on each item included in the Access Review Request:

   Note: Not all of these decision options are available at all times.
   - Approve — See “How to Approve Access Reviews” on page 50.
   - Delegate — See “How to Delegate Access Review Requests” on page 52.
   - Allow Exception — See “How to Allow Exceptions on Access Review Requests” on page 55.
   - Revoke or Edit Access — See “How to Revoke or Edit Access” on page 58.
   - Revoke Account — See “How to Revoke an Account” on page 62.
   - Allow Violation — See How to Allow Policy Violations on an Access Review on page 64.
   - Correct Violation — See How to Correct Policy Violations on an Access Review on page 65.
   - Reassign — See How to Reassign Access Reviews on page 48.
   Decisions are not committed at this point. If needed, click Cancel Changes to undo any individual decisions. This option is also available in the Select Bulk Decision drop-down.
3. Click Save Changes at the bottom of the screen. Any decision made on the Access Review Details page or the Decisions tab must be saved prior to moving to a different page. A counter displaying the number of unsaved decisions is visible in the upper-right corner of the access review items table. A warning prompts the user for any unsaved changes.
   Note: Changing the decisions may revoke one or more line item delegations. Any changes made during the delegation will be lost.
4. Sign off on a periodic certification, or complete a continuous certification task before it is overdue. You must sign off on a periodic certification before it is considered complete. To sign off on the access review, click Sign Off in the top portion of the Access Review Details page and select Finish on the Sign Off on Access Review pop-up dialog.
   Note: All items must be in the Complete state before the sign off option is available.
   If the challenge period for revocations is active, you cannot sign off on an access review until one of the following conditions is met:
   - The challenge period has expired.
   - All items are complete and the challenge period is not active, or no revocation decisions were made.
   - The access review is in the challenge phase, all items are completed, and any revocation decisions have progressed through the challenge procedure.

How to Reassign Access Reviews

Bulk reassignment enables you to reduce cumbersome access review lists by reassigning items to appropriate access review approvers. For example, if you are the assigned approver of an application with thousands of identities, you can use this feature to reassign identities by department or manager.

Reassignment can be performed from the worksheet, identity list, account group list, entitlement list, or role list views.

Automatic reassignment or forwarding of all access reviews assigned to you can be set using the Forwarding User field on the Edit Preferences page. If you select a forwarding user, all work items, including access review requests, are sent to that user. See “How to Edit Your User Preferences” on page 367.

If configured, all reassigned items must be acted upon before you can sign off on a periodic certification.

Required Authorization

You must be the owner or delegated approver of an access review to take action. You might be able to view another user’s access reviews, but they appear as read only.

Procedure

1. Use the filter and column sort options to sort the list of items for reassignment by shared characteristics such as role, manager, location, or organization.
2. Select items for reassignment using the check-boxes in the left-hand column. Use the multi-select box at the top of the column to select multiple items at one time.
3. Click Reassign from the Select Bulk Action drop-down list to display the Reassign Items dialog.
4. Enter the following information in the reassignment pop-up dialog.
   - Recipient — enter the full name of the approver to whom you are reassigning this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. Click on the arrow to the right of the field to display all users. The recipient can be an identity or a workgroup.
   — OR —
   Select an assignee from the drop-down menu. The drop-down menu might contain options such as assign to self, assign to manager, or assign to application owner.
   - Description — (optional) a brief description of the item being reassigned.
   - Comment — (optional) any additional information needed.
5. Click Reassign to reassign this access review and return to the Access Review Details page. The Percentage Complete bar is updated to reflect the changes, and the selected items are removed from the list and do not reflect as part of the completion status for this access review. Click Save Changes at the bottom of the screen.

Additional Information
For additional information on access reviews see the following:
• My Access Reviews Page on page 9
• Certifications Tab on page 81
How to Approve Access Reviews
You can approve items from the access review list views, including the worksheet, and from the Access Review Decisions tab.
Note: Bulk certification is considered a risk by many auditors and is not available if it was disabled during configuration.
You cannot approve policy violations. Warning messages are displayed at the top of the page if you attempt to include policy violations when performing an approval. You can assign an owner to a policy violation at the time you define the policy. The Dashboard displays only policy violations that you own. The policy violation owner is one of the following:
• A chosen identity.
• The manager of the person who violated policy.
• An identity chosen by running a rule.
You can view the violation with View Violation on the Policy Violations page.
If provisioning is enabled from the access review pages and you approve a role that contains required roles to which the identity does not have access, a dialog is displayed enabling you to request provisioning for those roles. If you perform bulk approval this function is overwritten and the roles are approved in their current state.
• Access Review Approval - Worksheet View on page 50
• Access Review Approval - Identity (List) View on page 51
• Access Review Approval - Access Review Decisions Tab on page 52
Access Review Approval - Worksheet View
Perform approvals on individual items that make up the entity.
Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
1. Access the worksheet from your Dashboard Inbox or Access Reviews page.
2. Select the approval icon from the list of options for each item. Right-click on any item to view its access review history, add comments, or display the Access Review Decisions tab for the identity with which it is associated.
— OR —
Use the check-boxes in the left-hand column, or the multi-select box at the top of the column, to select multiple items at one time and choose Approve from the Select Bulk Action drop-down list.
3. If the provisioning dialog displays, review the missing information and make a provisioning decision. If you choose to request that the missing roles be added, you must select a recipient for the request and click Provision Required Roles again. The recipient you specify is used only if automatic provisioning is not configured or there is no default remediator for the application. The provisioning function is only available if you approve roles individually and provisioning is enabled for this access review.
— OR —
Click Do Not Provision and return to the access review page.
4. Click Save Changes at the bottom of the screen. The Percentage Complete bar is updated to reflect the changes. For continuous certifications the state in the Due Date column is returned to green.
Access Review Approval - Identity (List) View
Performing approvals at the identity, entitlement, account group, or role level enables you to certify multiple entities without having to drill down and review each of the individual items. Access Reviews performed at this level are logged for auditing purposes.
Note: When you perform an approve at this level you are approving all of the items that comprise the identity, account group, entitlement, or role. If you perform bulk approval you will not be given the option to provision required roles if any are missing from the roles in the access review.
Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
To certify identities, roles, entitlements, or groups, do the following:
1. Select items for approval using the check-boxes in the left-hand column. Use the multi-select box at the top of the column to select multiple items.
2. Select Approve from the Select Bulk Action drop-down list and confirm the approval on the pop-up dialog.
3. Click Save Changes at the bottom of the screen. The Percentage Complete bar is updated to reflect the changes and the status column is changed to Complete. For continuous certifications the state in the Due Date column is returned to green.

Access Review Approval - Access Review Decisions Tab
Perform approvals on individual items that make up the identity, account group, entitlement, or role.
Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
1. Click an item on the worksheet or list to display the Access Review Decisions tab page. For identity-type access reviews, these sections contain detailed information about the entitlements granted to the selected identity, the changes that have been made to the identity’s information since the last access review, identity risk information, and a list of the identity attributes. For role composition access reviews, these sections contain detailed information about roles and entitlements contained within the role and risk information about the role. For account group access reviews, these sections contain detailed information about permissions contained within an account group, the members of that group, and the group’s risk information. For entitlement access reviews, these sections contain detailed information regarding identities who have the entitlement or permission. Click on highlighted information, such as a role or application name, to view details on that item.
2. Select the approval icon from the list of options for each item. Click the icon on the left of the action icons to see its access review history or add a comment.
— OR —
Click Approve All at the top of the page to approve all non-violation items at once.
3. If the provisioning dialog displays, review the missing information and make a provisioning decision. If you choose to request that the missing roles be added, you must select a recipient for the request and click Provision Required Roles again. The recipient you specify is used only if automatic provisioning is not configured or there is no default remediator for the application. The provisioning function is only available if you approve roles individually and provisioning is enabled for this access review. If you perform bulk approval you will not be given the option to provision required roles if any are missing from the roles in the access review.
— OR —
Click Do Not Provision and return to the access review page.
4. Click Save Changes at the bottom of the screen to return to the Access Review Details list.
How to Delegate Access Review Requests
You can delegate items from the access review list views, including the worksheet, and from the Access Review Decisions tab.

Delegation can also be performed automatically based on rules specified when the certification request is generated. Items delegated automatically display within the access review details and behave exactly like items delegated manually.
Note: The “Enable Line Item Delegation” option must have been selected when the certification was created to delegate certification items from the Access Review Details page.
• Access Review Delegation - Worksheet View on page 53
• Access Review Delegation - Identity (List) View on page 54
• Access Review Delegation - Access Review Decision Tab on page 54
Access Review Delegation - Worksheet View
Perform delegation on individual items that make up the identity.
Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
1. Access the worksheet from your Dashboard Inbox or Access Reviews Details page.
2. Select the delegation icon from the list of options for each item. Right click on any item to view its access review history, add comments, or display the Access Review Decisions tab for the identity with which it is associated.
Note: Changing the decisions may revoke one or more line item delegations. Any changes made during the delegation will be lost.
3. Enter the following information in the Delegate Access Review pop-up dialog.
• Recipient — enter the full name of the approver to whom you are delegating this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. The recipient can be an identity or a workgroup.
• Description — a description of the work item being delegated. You can edit the description as required.
• Comment — (optional) any additional information needed for this delegation.
4. Click Delegate to delegate the item and return to the worksheet. The Status column is updated with the Delegated status.
5. Click Save Changes at the bottom of the screen.

Access Review Delegation - Identity (List) View
Performing delegations at the top level enables you to delegate numerous items without having to drill down and review each of their individual components.
Note: You cannot delegate account groups from the account group list.
Required Authorization
You must be the owner or delegated approver of an access review to take action on the access review. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
Note: When you delegate at this level you are also delegating all of the items that comprise the identity or role.
1. Select items for delegation using the check-boxes in the left-hand column. Use the multi-select box at the top of the column to select multiple items.
Note: Changing the decisions may revoke one or more line item delegations. Any changes made during the delegation will be lost.
2. Enter the following information in the Delegate Access Review pop-up dialog.
• Recipient — enter the full name of the approver to whom you are delegating this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. The recipient can be an identity or a workgroup.
• Description — a description of the work item being delegated. You can edit the description as required.
• Comment — (optional) any additional information needed for this delegation.
3. Click Delegate to delegate and return to the Access Review Details page. The Status column is updated with the Delegated status.
4. Click Save Changes at the bottom of the screen.
Access Review Delegation - Access Review Decision Tab
Perform delegations on individual items that make up the identity, account group, or role.
Note: Line item delegation is only available if activated when IdentityIQ is configured.
Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.

Procedure
1. Click an item in the worksheet or list view to display the Access Review Details page detailed information sections. For identity-type access reviews, these sections contain detailed information about the entitlements granted to the selected identity, the changes that have been made to the identity’s information since the last access review, and a list of the identity attributes. For role composition access reviews, this section contains detailed information about roles and entitlements contained within the role and risk information about the role. For account group access reviews, these sections contain detailed information about permissions contained within an account group and the members of that group. For entitlement access reviews, these sections contain detailed information regarding identities who have the entitlement or permission. Click on highlighted information, such as a role or application name, to view details on that item.
2. Select the Delegate icon from the list of options for each item. Click the icon to the left of an item to see its access review history or add a comment.
— OR —
Click Delegate All at the top of the page to delegate all non-violation items at once.
Note: Changing the decisions may revoke one or more line item delegations. Any changes made during the delegation will be lost.
3. Enter the following information in the Delegate Access Review pop-up dialog.
• Recipient — enter the full name of the approver to whom you are delegating this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. The recipient can be an identity or a workgroup.
• Description — a description of the work item being delegated. You can edit the description as required.
• Comment — (optional) any additional information needed for this delegation.
4. Click Save Changes at the bottom of the screen. The Percentage Complete bar and status column are updated to reflect the changes.
Additional Information
For additional information on access reviews see the following:
• My Access Reviews Page on page 9
• Certifications Tab on page 81
How to Allow Exceptions on Access Review Requests
Use Allow Exception to put an expiration date on access to a particular entitlement. For example, if one employee must temporarily assume the duties of another during a vacation, you can allow them access to that role for the length of the vacation.

You can allow exceptions on items from the access review list views, including the worksheet, and from the Access Review Decisions tab. Decisions made in access reviews are reflected on the Policy Violations page for the affected policy violation.
Access Review Allow Exceptions - Worksheet View
Allow exceptions on individual items that make up the identity.
Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
1. Access the worksheet from your Dashboard Inbox or My Access Reviews page.
2. Select the allow exceptions icon from the list of options for each item. Right-click on any item to view its access review history, add comments, or display the Access Review Decisions tab for the identity with which it is associated.
— OR —
Use the check-boxes in the left-hand column, or the multi-select box at the top of the column to select multiple items at one time, and choose Allow Exception from the Select Bulk Action drop-down list.
3. Enter the following information in the Allow Exception pop-up dialog.
• Expiration — manually enter an expiration date, or click the ... icon and select a date. A 4-digit year is required if you enter the date manually. For example, mm/dd/yyyy.
• Comment — (optional) any additional information needed for this exception.
4. Click Allow Exception to return to the worksheet.
5. Click Save Changes at the bottom of the screen.
Access Review Allow Exceptions - Identity (List) View
Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
To allow a temporary exception do the following:
1. Select items using the check-boxes in the left-hand column. Use the multi-select box at the top of the column to select multiple items at one time.
2. Select Allow Exception from the Select Bulk Action drop-down list.

3. Enter the following information in the Allow Exception pop-up dialog.
• Expiration — manually enter an expiration date, or click the ... icon and select a date. A 4-digit year is required if you enter the date manually. For example, mm/dd/yyyy.
• Comment — (optional) any additional information needed for this exception.
4. Click Allow Exception.
5. Click Save Changes at the bottom of the screen. The Percentage Complete bar and status column are updated to reflect the changes.
Access Review Allow Exceptions - Access Review Decisions Tab
Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
To allow a temporary exception to the access, do the following:
1. Click on an item in the worksheet or list view to display the Access Review Details page detailed information sections. For identity-type access reviews, these sections contain detailed information about the entitlements granted to the selected identity, the changes that have been made to the identity’s information since the last access review, and a list of the identity attributes. For role composition access reviews, this section contains detailed information about roles and entitlements contained within the role and risk information about the role. For account group access reviews, these sections contain detailed information about permissions contained within an account group and the members of that group. For entitlement access reviews, these sections contain detailed information regarding identities who have the entitlement or permission. Click on highlighted information, such as a role or application name, to view details on that item.
2. Select the Allow Exception icon from the list of options for each item. Click the icon to the left of an item to see its access review history or add a comment.
3. Enter the following information in the Allow Exception pop-up dialog.
• Expiration — manually enter an expiration date, or click the ... icon and select a date. A 4-digit year is required if you enter the date manually. For example, mm/dd/yyyy.
• Comment — (optional) any additional information needed for this exception.
4. Click Save Changes at the bottom of the screen to return to the Access Review Details list.

Additional Information
For additional information on access review see the following:
• My Access Reviews Page on page 9
• Certifications Tab on page 81
How to Revoke or Edit Access
You can use the revoke function to request the removal of an identity’s access to the specified role or entitlement, remove access to a managed entitlement from an identity, remove a permission or member from an account group, or remove a profile or included role from a role. On identity-type access reviews you can also use the revoke function to edit the values of certain entitlement attributes or permissions. Entitlements must be configured on the application to enable editing from the access review pages. Entitlement editing is only available from the worksheet or Access Review Decisions tab.
You can revoke items from the access review list views, including the worksheet, and from the Access Review Decisions tab.
For revocation on individual roles, if a role contains required or permitted roles that are not used in any other roles for this identity, a dialog is displayed enabling you to make a revocation decision on each of those included roles. By default, all included roles that are not used in other roles for this identity are marked for removal. If you perform bulk revocation this function is overwritten.
Revocation is done automatically if your provisioning provider is configured for automatic revocation via help ticket generation or if your implementation is configured to work with a help desk solution. Without the automatic configurations, revocations are done manually using a work request assigned to an IdentityIQ user or workgroup. If an access review requires that multiple revocation requests be sent to the same IdentityIQ user or workgroup they are rolled up into one work item.
On periodic access reviews, by default, no action is taken on a revocation request until the access review containing this item is signed off on or, if the challenge period is active, the challenge period expires. This is done to ensure that no entitlement is removed until final confirmation has been received from the requestor. This default behavior can be overwritten when the access review schedule is created so that revocation requests are processed immediately. On continuous access reviews the revocation request is sent when the decision is saved.
For identity-type access reviews, the revocation process might also include the challenge and revocation periods. The challenge phase is the period during which all revocation requests can be challenged by the user from whom the role or entitlement is being removed or modified. See How to Handle a Challenged Revocation on page 63. The revocation phase is entered when an access review is signed off on or when the active and challenge phases have ended. The revocation phase is the period during which all revocation work should be completed.
Access Review Revocation - Worksheet View
Perform revocation or editing on individual items that make up the identity.

Required Authorization
You must be the owner or delegated approver of an access review to take action. You might be able to view another IdentityIQ user’s access reviews, but they appear as read only.
Procedure
1. Access the worksheet from your Dashboard Inbox or My Access Reviews page.
2. Select the revoke icon from the list of options for each item. Right click on any item to view its certification history, add comments, or display the Certification Decisions tab for the identity with which it is associated.
— OR —
Use the check-boxes in the left-hand column, or the multi-select box at the top of the column to select multiple items at one time, and choose Revoke from the Select Bulk Action drop-down list.
3. Review the included roles that are part of this revocation request, deselect any that should not be revoked for this identity, and click Continue. The revocation dialog is only displayed if the role contains required or permitted roles that are not used by another role assigned to this user. If you perform bulk revocation, all included roles and entitlements that are not used by another role for this identity are automatically revoked.
4. Enter the following information in the pop-up dialog and click Revoke.
Note: This dialog is not displayed if a default revoker was specified as part of the IdentityIQ configuration.
• Recipient — enter the full name of the revoker to whom you are assigning this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. The recipient can be an identity or a workgroup. If automatic remediation is enabled or a default revoker was specified for the application to which the entitlements are associated, the recipient specified here is overwritten.
• Comment — (optional) any additional information needed for this revocation.
• Edit Revocation Details — only available if the entitlement is configured for modification. One line is displayed for each entitlement contained in this revocation request.
  Application — application to which the entitlement is associated.
  Account ID — login ID of this identity on the application specified.
  Attribute — attribute name with which the attribute or permission is associated.
  Operation — select the operation to perform, Remove or Modify.
  Value — if you are modifying the entitlement, select or type the new value.
5. Click Save Changes at the bottom of the screen.

Access Review Revocation - Identity (List) View
Required Authorization
You must be the owner or delegated approver of a certification to take action. You might be able to view another user’s certifications, but they appear as read only.
Procedure
To request the removal of access for multiple items, do the following:
1. Select items using the check-boxes in the left-hand column. Use the multi-select box at the top of the column to select multiple items at one time.
2. Select Revoke from the Select Bulk Action drop-down list.
3. Enter the following information in the pop-up dialog and click Revoke. The revocation dialog is only displayed if a default revoker was not set during configuration, or if permissions editing is enabled for this entitlement.
• Recipient — enter the full name of the revoker to whom you are assigning this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. The recipient can be an identity or a workgroup. Or select a revoker from the drop-down list. The drop-down list might contain options such as assign to self or assign to manager. If no recipient is specified the revocation request is sent to the owner of the application to which the entitlements are associated, or to the person specified as the revoker for that application. Application owners and revokers are defined when the application is configured.
• Comment — (optional) any additional information needed for this revocation.
4. Click Save Changes at the bottom of the screen.
Additional Information
For additional information on certification see the following:
• My Access Reviews Page on page 9
• Certifications Tab on page 81
Access Review Revocation - Access Review Decisions Tab
The revocation dialog is only displayed if the proper revoker cannot be found using the revocation rules defined when IdentityIQ was configured.
Required Authorization
You must be the owner or delegated approver of a certification to take action. You might be able to view another user’s certifications, but they appear as read only.
Procedure
To request the removal of access, do the following:

1. Click on an item in the worksheet or list view to display the Certification Report detailed information sections. For identity-type certifications, these sections contain detailed information about the entitlements granted to the selected identity, the changes that have been made to the identity’s information since the last certification, and a list of the identity attributes. For role composition certifications, this section contains detailed information about the roles and entitlements that comprise the role. For account group certifications, these sections contain detailed information about permissions contained within an account group and the members of that group. For entitlement owner access reviews, these sections contain detailed information regarding identities who have the entitlement or permission. Click on highlighted information, such as a role or application name, to view details on that item.
2. Select the Revoke icon from the list of options for each item and click Save. Click the icon to the left of an item to see its certification history or add a comment.
3. If the revocation selection dialog is displayed, review the included roles that are part of this revocation request, deselect any that should not be revoked for this identity, and click Continue. The revocation selection dialog is only displayed if the role contains required or permitted roles that are not used by another role assigned to this user. If you are requesting the revocation of a role, entitlements that are shared by other roles assigned to this user are not revoked with the role.
4. If the revocation dialog is displayed, enter the following information in the pop-up dialog and click Revoke.
• Recipient — enter the full name of the revoker to whom you are assigning this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. The recipient can be an identity or a workgroup. If automatic remediation is enabled or a default revoker was specified for the application to which the entitlements are associated, the recipient specified here is overwritten.
— OR —
Assign the revocation request to yourself using the drop-down list.
• Comment — (optional) any additional information needed for this revocation.
5. Click Save Changes at the bottom of the screen. The Percentage Complete bar and status column are updated to reflect the changes.
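The role-revocation rules described in these revocation sections (included roles pre-selected only when no other assigned role uses them, bulk revocation skipping the selection dialog, the typed recipient overridden by automatic remediation or an application default revoker, and requests to the same recipient rolled up into one work item), modelled as an added Python example. This is illustrative code written for this guide's text, not IdentityIQ's own code; the identity, role, application and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Illustrative model of the revocation rules in this section.
# Constructed data; not IdentityIQ objects or API calls.

AUTOMATIC = "<automatic remediation>"  # marker: no work item is created


@dataclass
class Role:
    name: str
    required: Set[str] = field(default_factory=set)
    permitted: Set[str] = field(default_factory=set)

    def included(self) -> Set[str]:
        return self.required | self.permitted


@dataclass
class Application:
    name: str
    owner: str
    default_revoker: Optional[str] = None
    automatic_remediation: bool = False


@dataclass
class RevocationRequest:
    identity: str
    item: str  # role or entitlement being removed
    application: str
    recipient: str


def included_roles_to_revoke(role_name: str, assigned: Set[str],
                             catalog: Dict[str, Role]) -> Set[str]:
    """Included (required or permitted) roles of role_name that no other role
    assigned to this identity uses: the ones pre-selected in the dialog."""
    used_elsewhere: Set[str] = set()
    for other in assigned:
        if other != role_name:
            used_elsewhere |= catalog[other].included()
    return catalog[role_name].included() - used_elsewhere


def plan_role_revocation(role_name: str, assigned: Set[str], catalog: Dict[str, Role],
                         keep: FrozenSet[str] = frozenset(), bulk: bool = False) -> Set[str]:
    """Everything marked for removal when role_name is revoked. Individual
    revocation lets the reviewer deselect included roles (keep); bulk
    revocation shows no dialog and revokes every eligible included role."""
    candidates = included_roles_to_revoke(role_name, assigned, catalog)
    if bulk:
        return {role_name} | candidates
    return {role_name} | (candidates - set(keep))


def resolve_recipient(app: Application, specified: Optional[str] = None) -> str:
    """Automatic remediation or the application's default revoker overrides the
    recipient typed into the dialog; with nothing specified, the request goes
    to the application owner."""
    if app.automatic_remediation:
        return AUTOMATIC
    if app.default_revoker:
        return app.default_revoker
    return specified or app.owner


def roll_up(requests: List[RevocationRequest]) -> Dict[str, List[RevocationRequest]]:
    """Requests bound for the same user or workgroup become one work item."""
    work_items: Dict[str, List[RevocationRequest]] = {}
    for req in requests:
        if req.recipient == AUTOMATIC:
            continue  # handled by the provisioning provider or help desk, no work item
        work_items.setdefault(req.recipient, []).append(req)
    return work_items


# Constructed sample: identity "alice" holds two roles that share "Finance Base".
CATALOG = {
    "Accounts Payable": Role("Accounts Payable", {"Finance Base"}, {"ERP Reports"}),
    "Finance Analyst": Role("Finance Analyst", {"Finance Base"}),
    "Finance Base": Role("Finance Base"),
    "ERP Reports": Role("ERP Reports"),
}
ASSIGNED = {"Accounts Payable", "Finance Analyst"}
APPS = {
    "ERP": Application("ERP", owner="bob"),
    "HR": Application("HR", owner="bob", default_revoker="hr-helpdesk"),
    "LDAP": Application("LDAP", owner="dave", automatic_remediation=True),
}


def sample_work_items() -> Dict[str, List[RevocationRequest]]:
    """Revoke alice's Accounts Payable role and two entitlements, then roll up."""
    removed = plan_role_revocation("Accounts Payable", ASSIGNED, CATALOG)
    requests = [RevocationRequest("alice", r, "ERP", resolve_recipient(APPS["ERP"]))
                for r in sorted(removed)]
    requests.append(RevocationRequest("alice", "payroll-admin", "HR",
                                      resolve_recipient(APPS["HR"], "carol")))
    requests.append(RevocationRequest("alice", "cn=vpn-users", "LDAP",
                                      resolve_recipient(APPS["LDAP"], "carol")))
    return roll_up(requests)
```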

Additional Information
For additional information on certification see the following:
• My Access Reviews Page on page 9
• Certifications Tab on page 81
How to Revoke an Account
Use Revoke Account to request the removal of an entire account from an application instead of requesting the removal of one entitlement at a time. When you select Revoke Account for one entitlement, all other entitlements associated with the same account for the item being certified are marked for revocation. Revoke account is available from the worksheet and Certification Decisions tab.
Revocation is done automatically if your provisioning provider is configured for automatic revocation via help ticket generation or if your implementation is configured to work with a help desk solution. Without the automatic configurations, revocations are done manually using a work request assigned to an IdentityIQ user or workgroup. If a certification requires that multiple revocation requests be sent to the same IdentityIQ user or workgroup they are rolled up into one work item.
On periodic certifications, by default, no action is taken on a revocation request until the certification containing the account is signed off on or, if the challenge period is active, the challenge period expires. This is done to ensure that no account is removed until final confirmation has been received from the requestor. This default behavior can be overwritten when the certification schedule is created so that revocation requests are processed immediately. On continuous certifications the revocation request is sent when the decision is saved.
For identity-type certifications, the revocation process might also include the challenge and revocation periods. The challenge phase is the period during which all revocation requests can be challenged by the user from which the account is being removed. See How to Handle a Challenged Revocation on page 63. The revocation phase is entered when a certification is signed off on or when the active and challenge phases have ended. The revocation phase is the period during which all revocation work should be completed.
• Access Review Revocation - Worksheet View on page 58
• Access Review Revocation - Access Review Decisions Tab on page 60
Access Review Revoke Account - Worksheet View
Perform account revocation on complete accounts.
Required Authorization
You must be the owner or delegated approver of a certification to take action. You might be able to view another IdentityIQ user’s certifications, but they appear as read only.

Procedure
1. Access the worksheet from your Dashboard Inbox or My Access Reviews page.
2. Select the revoke account icon from the list of options.
— OR —
Click the Revoke All button at the top of the table.
The account revocation request is processed automatically or sent to the application owner or remediator in a work item. If no revocation information can be located, you might be asked to provide a revoker for this request.
3. Click Save Changes at the bottom of the screen.
Access Review Revoke Account - Access Review Decisions Tab
Required Authorization
You must be the owner or delegated approver of a certification to take action. You might be able to view another user’s certifications, but they appear as read only.
Procedure
To request the removal of an account, do the following:
1. Click an item in the worksheet or list view to display the Access Review Decisions tab page. For identity-type certifications, these sections contain detailed information about the entitlements granted to the selected identity, the changes that have been made to the identity’s information since the last certification, and a list of the identity attributes. Click on highlighted information, such as a role or application name, to view details on that item.
2. Select the revoke account icon from the list of options. Click the icon to the left of an item to see its certification history or add a comment. The account revocation request is processed automatically or sent to the application owner or remediator in a work item. If no revocation information can be located, you might be asked to provide a revoker for this request.
3. Click Save Changes at the bottom of the screen. The Percentage Complete bar and status column are updated to reflect the changes.
Additional Information
For additional information on certification see the following:
• My Access Reviews Page on page 9
• Certifications Tab on page 81
How to Handle a Challenged Revocation
For identity-type certifications, the revocation process might also include the challenge and revocation periods. The challenge phase is the period during which all revocation requests can be challenged by the user from whom the role, entitlements, or account is being removed.

64 IdentityIQ User’s Guide . 3. For example. you can allow them access to a role that creates a policy violation for the length of the vacation. click the word Click to display the Decision Challenged dialog. if one employee must temporarily assume the duties of another. From the Decisions tab. or entitlements for a specific period of time. Based on your decision one of the following occurs: . Click Save Changes at the bottom of the screen.How to Allow Policy Violations on an Access Review When a revocation request is challenged. On the line of the revoked item. All comments are kept with the certification item and can be viewed below the certification decision information for that item. 4. click the violation name to display detailed information about the policy in question. How to Allow Policy Violations on an Access Review Use Allow Violations to allow an identity to retain conflicting roles. Optional: Add comments to the item to track the history of the decision.Accept — the item is moved to the open status and you must make another certification decision. the status of the item associated with the revocation request is displayed as Challenged. Procedure To make a decision on a challenged revocation. 2. You might be able to view another IdentityIQ user’s certifications. accounts. Click comments to view the comments added by the challenger and accepted/rejected to view the comments associated with the decision. Required Authorization You must be the owner or delegated approver of a certification to take action. The Percentage Complete bar and status column are updated to reflect the changes. but they appear as read only. but they appear as read only. do the following: 1.Reject — the revocation process proceeds as normal when the certification is signed off on or the challenge period ends. You can allow violations from the Access Review Details page or the Access Review Decisions tab. From the Challenge Decision drop-down menu select either Accept or Reject. 
You might be able to view another IdentityIQ user’s certifications. . You must take action on all challenged revocations before a certification is complete. Required Authorization You must be the owner or delegated approver of a certification to take action. 5.

icon and select a date. or click the . The policy violation owner is one of the following: • A chosen identity. mm/dd/yyyy. From the Decisions tab click the violation name to display detailed information about the policy in question. Note: Selecting Correct Violation indicates that the actions necessary to correct the policy violation will be taken manually if they are not automated. Additional Information For additional information on certification see the following: • My Access Reviews Page on page 9 • Certifications Tab on page 81 How to Correct Policy Violations on an Access Review Correcting a violation indicates that you will take action to revoke or modify one or more of the items causing the violation. Required Authorization You must be the owner or delegated approver of a certification to take action.Expiration — manually enter an expiration date. Select the Allow Exception icon from the list of options. 3. you can view the violation with View Violation on the Policy Violations page. • An identity selected by a running a rule. You might be able to view another IdentityIQ user’s certifications. .. 2. IdentityIQ User’s Guide 65 . For example. A 4-digit year is required if you enter the date manually. The Dashboard displays only policy violations that you own. Procedure To allow a policy violation. Enter the following information in the Allow Violation pop-up dialog..Comment — (optional) any additional information needed for this exception. do the following: 1. Click Save Changes at the bottom of the screen. but they appear as read only. • The manager of the person who violated policy. . You can correct violations from the Access Review Details page or the Access Review Decisions tab.How to Correct Policy Violations on an Access Review You can assign an owner to a policy violation at the time you define the policy.

 The Advice field contains suggestions on how to correct this violation. and.How to Request Role Creation from Certifications You can assign an owner to a policy violation at the time you define the policy. 4. Use the Create Role button to define a role around that job function. in the future. This advice was entered when the policy was created. Required Authorization You must be the owner or delegated approver of a certification to take action. The recipient information is only displayed if an overwrite of the default remediator is enabled for your deployment. Additional Information For additional information on certification see the following: • My Access Reviews Page on page 9 • Certifications Tab on page 81 How to Request Role Creation from Certifications Use the create new role feature to request the creation of roles based on trends found during certifications. you can certify that single role instead of the five (5) additional entitlements.  — OR — Enter the remediation information in the pop-up dialog to request that corrective action be performed by the selected recipient. Procedure To take corrective action on a policy violation. • The manager of the person who violated policy. The Dashboard displays only policy violations that you own. if there are five (5) entitlements that appear in the Additional Entitlements list for every identity in a certification. Do one of the following: Verify that a message was returned stating that the selected correction occurred automatically. 3. 2. You can only request the creation of roles from the Certification Decisions tab for identity-type certifications. the combination of those entitlements might define a function of that population. For example. For role separation of duty policies. The Percentage Complete bar is updated to reflect the changes. Click Save Changes at the bottom of the screen. do the following: 1. • An identity selected by a running a rule. 
Select the Revoke icon from the list of options for the policy violation. you can view the violation with View Violation on the Policy Violations page. 66 IdentityIQ User’s Guide . The policy violation owner is one of the following: • A chosen identity. You might be able to view another IdentityIQ user’s certifications. but they appear as read only. select the items to be removed or modified on the pop-up dialog and click Continue.

Procedure
To request the creation of a new role from a certification, do the following:
1. Click Create Role from the action buttons on the bottom of the page to display the Create Role dialog.
2. Enter the following information on the Create Role dialog:
   Role Name — enter a name for the role being submitted for approval.
   Description — enter a brief description of the role.
   Approver — the approver for roles should be controlled by a rule configured during the implementation of IdentityIQ. If this field is not controlled by a rule, enter the full name of the approver to whom you are reassigning this work item. Entering the first few letters of a name displays a pop-up menu of IdentityIQ users with names containing that letter string.
   Entitlements — select the entitlements that should be included in this role. The dialog displays all of the additional entitlements to which the user has access, arranged by the applications with which they are associated. Roles can contain entitlements from multiple applications.
3. Click Create to create and assign the role creation work item to the designated approver.

Additional Information
For additional information on certification see the following:
• How to Create a Role From a Role Creation Request on page 273.

How to Complete Access Review Work Items
Access Review work items are those access review items that were originally assigned to a different approver, but now require you, or the other members of a workgroup to which you belong, to take action. Access Review work items are items that were delegated, forwarded, reassigned, require your approval, or require you to take revocation actions.

Use the following procedures to take action on access review work items:
• How to Complete Delegated Access Reviews on page 68
• How to Complete Revocation Work Items on page 69
• How to Complete Reassigned or Forwarded Access Reviews on page 70
• How to Perform Multi-Level Sign Off on Access Reviews on page 70
• How to Challenge a Revocation Request on page 70

How to Complete Delegated Access Reviews
Delegated access reviews are the items from access reviews that were originally assigned to a different certifier and were then delegated by that approver to you. For example, if an employee does work for you but reports to a different manager, that manager might not be familiar with all of the entitlements or roles listed in that employee’s identity cube.

Required Authorization
You must be the owner of a delegated work item to take action on that work item.
Note: A System Administrator or Certification Administrator can also take action on work items.

Procedure
1. Click the Dashboard tab to view your Inbox.
2. Click on a delegated work item in your Inbox to display the View Work Item page.
3. Review the work item information in the Summary section.
4. Review the Comments section for any information associated with this work item. Use the Add Comment button to add additional information to the work item if necessary.
5. Make an access review decision on each item listed for the identity. See Access Review Page - Decisions Tab on page 29 for detailed information on access review decisions.
   Note: If your deployment was configured to require a decision on each item in the work item before it is marked complete, you will receive an alert if you try to complete a work item without taking action on each item.
6. Click Complete to display the Completion Comments dialog and mark the work item as complete.

Optional - Delegation Review
If the access review was originally configured to require a delegation review, once the delegate has completed their portion of the access review, the person who delegated it receives a work item that requires further action.

Procedure
1. Click the work item which requires further action from the Inbox or Work Items page to bring up the Access Review Details page.
2. Click a line item which requires further action (indicated with a “star” icon) to bring up the Access Review Details Decisions page.
3. In the Decision column, click the word “Click” to view the comments of the delegated decision maker.
4. Click Accept to accept the delegated decision or Reject to override the delegated decision. If rejected, you can either delegate the line item again or make the decision yourself.
   Note: If a delegated decision is overridden by a decision made by the identity who originally delegated the work item, an audit would show the delegation of the work item had never been assigned.

How to Complete Revocation Work Items
Use this procedure to confirm that you have completed the requested revocation. The revocation of application privileges is not performed as part of IdentityIQ, but on the specific application from which the entitlements are to be removed. Refer to the documentation associated with the specific application for information on how to remove entitlements. By clicking Complete on this work item, you are stating that you have acted on the revocation request.

Revocation requests are not sent until after the access review for the item to which they apply is completed and signed off on, or until the access review has entered the challenge phase, if the challenge period feature is active. This is done to ensure that nothing is removed until the final decision is made on the access review.

Required Authorization
You must have authorization on the specified application to perform the required revocation.
Note: A System Administrator or Certification Administrator can also take action on work items.

Procedure
1. Click the Dashboard tab to view your Inbox.
2. Click on a revocation work item in your Inbox to display the View Work Item page.
3. Review the work item information in the Summary section. If this work item was assigned to a workgroup, use the Assign Selected Items button to assign specific revocation requests to members of that workgroup. The name of the workgroup member is displayed in the Assignee column. Any member of the workgroup can change the assignee status.
4. Review the Comments section for any information associated with this work item. Use the Add Comment button to add additional information to the work item if necessary.
5. Click on a line item to view the details of the revocation request for that item.
6. Review and perform the operations necessary to revoke the privileges specified.
   — OR —
   If there are multiple revocation requests contained in the work item, mark multiple revocations as complete by selecting them and using the Mark Revocation Complete button, or by clicking on each revocation item and completing them individually.
7. Click Complete to display the Completion Comments dialog and mark the work item as complete.

How to Complete Reassigned or Forwarded Access Reviews
Access Reviews that have been reassigned or forwarded to you for completion are handled exactly the same as access reviews that were assigned to you originally. Reassigned work items are designated as reassigned in the Description columns on your Access Review page and in your Inbox on the Dashboard. Forwarded work item descriptions maintain the name of the original owner or the name of the application to which the access review applies. See How to Perform Access Reviews on page 47.

How to Perform Multi-Level Sign Off on Access Reviews
Multi-level sign-off access reviews are access reviews that have been completed and signed off on by the assigned certifier but that require further review and sign-off by one or more additional users before they are considered complete. When an access review is assigned to you for additional sign off, you receive an email notification and the access review request is sent to your Inbox on the Dashboard. Access the access review request as you would any other, make changes or add comments as required, and click Sign Off when you are finished. After you sign off, the multi-level sign off rule runs again to determine if the access review is complete or if additional sign-offs are required. This process is repeated until the rule determines that no further sign-offs are required for the access review.

How to Challenge a Revocation Request
For identity-type access reviews, the revocation process might also include the challenge and revocation periods. The challenge phase is the period during which all revocation requests can be challenged by the user from whom the role or entitlement is being removed. If a role or entitlement is being removed from your identity cube, you are assigned a work item that enables you to either accept or challenge the revocation. To accept the revocation, do not respond to this challenge work item.

To challenge the revocation request, enter your reasons for the challenge in the Reason for Challenge field and click Challenge. Or click Cancel to close the work item without taking action.
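The revoke, challenge and sign-off behaviour described in this chapter (the challenge phase, the Accept and Reject outcomes of a challenged revocation, and the rule that revocation requests are held back until sign-off unless revokes are processed immediately) can be modelled as a small state machine. The following Python is an added example written for this guide, not code from IdentityIQ; the Phase, Decision, Item and Certification names, the function names, and the decisions walked through in demo() are all assumptions constructed for the illustration.

```python
"""Model of the certification lifecycle this guide describes (active phase, optional
challenge phase, then revocation or end phase).  Added illustration; names assumed."""
from dataclasses import dataclass, field
from enum import Enum

class Phase(Enum):
    ACTIVE = "active"
    CHALLENGE = "challenge"
    REVOCATION = "revocation"
    END = "end"

class Decision(Enum):
    OPEN = "open"
    APPROVED = "approved"
    REVOKED = "revoked"

@dataclass
class Item:                              # one role, entitlement or account line item
    name: str
    decision: Decision = Decision.OPEN
    challenged: bool = False             # affected user filed a challenge work item
    challenge_resolved: bool = False     # certifier accepted or rejected the challenge

@dataclass
class Certification:
    items: list
    challenge_period: bool               # "Enable Challenge Period"
    revocation_period: bool              # "Enable Revocation Period"
    process_revokes_immediately: bool = False
    phase: Phase = Phase.ACTIVE
    sent_revocations: list = field(default_factory=list)   # revocation requests released

def revoked_items(cert):
    return [i for i in cert.items if i.decision is Decision.REVOKED]

def _release(cert, item):
    if item.name not in cert.sent_revocations:
        cert.sent_revocations.append(item.name)

def save_decision(cert, item, decision):
    # Process Revokes Immediately releases on save unless a challenge period is enabled
    item.decision, item.challenged, item.challenge_resolved = decision, False, False
    if (decision is Decision.REVOKED and cert.process_revokes_immediately
            and not cert.challenge_period):
        _release(cert, item)

def can_sign_off(cert):
    # Sign-off preconditions from the Active Period and Challenge Period rows
    if cert.phase is Phase.ACTIVE:       # nothing revoked, or no challenge period
        return not revoked_items(cert) or not cert.challenge_period
    if cert.phase is Phase.CHALLENGE:    # every challenge decided, no open decisions
        return (not any(i.decision is Decision.OPEN for i in cert.items)
                and not any(i.challenged and not i.challenge_resolved for i in cert.items))
    return False

def end_active_period(cert):
    # Active period elapsed: open the challenge phase if enabled and something was revoked
    if cert.challenge_period and revoked_items(cert):
        cert.phase = Phase.CHALLENGE
        return cert.phase
    return _close(cert)

def challenge(cert, item):
    # The affected user challenges; the item shows as Challenged until decided
    if cert.phase is not Phase.CHALLENGE:
        raise ValueError("challenges are only possible during the challenge phase")
    item.challenged, item.challenge_resolved = True, False

def decide_challenge(item, accept):
    # Accept reopens the item (a new decision is required); Reject lets the revocation proceed
    item.challenge_resolved = True
    if accept:
        item.decision = Decision.OPEN

def sign_off(cert):
    if not can_sign_off(cert):
        raise ValueError(f"cannot sign off during the {cert.phase.value} phase")
    return _close(cert)

def _close(cert):
    # Revocation phase if enabled and a revocation decision exists, else end phase
    revoked = revoked_items(cert)
    cert.phase = Phase.REVOCATION if cert.revocation_period and revoked else Phase.END
    for item in revoked:
        _release(cert, item)              # requests are released at sign-off either way
    return cert.phase

def demo(accept_challenge):
    # Constructed walk-through; returns (final phase, item decision, requests sent)
    role, ent = Item("Finance-Admin"), Item("ldap:cn=staff")
    cert = Certification([role, ent], challenge_period=True, revocation_period=True)
    save_decision(cert, role, Decision.REVOKED)
    save_decision(cert, ent, Decision.APPROVED)
    assert not can_sign_off(cert)        # revoked item and challenge period enabled
    end_active_period(cert)              # the affected user receives a challenge work item
    challenge(cert, role)
    decide_challenge(role, accept_challenge)
    if accept_challenge:                 # item reopened, so it must be decided again
        save_decision(cert, role, Decision.APPROVED)
    sign_off(cert)
    return cert.phase, role.decision, list(cert.sent_revocations)
```

demo(False) ends in the revocation phase with one revocation request released; demo(True) ends in the end phase with nothing released, because accepting the challenge reopened the item and it was then approved. Trying to sign off while a challenge is still undecided raises, which matches the requirement that all challenged revocations be acted on before the certification is complete.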


Chapter 3: Certification Events
Certifications can be configured to run based on events that occur within IdentityIQ. Use the Certification Event tab to configure events within your enterprise to trigger the creation and assignment of certification requests. The events that trigger the certifications can be configured to meet the needs of your enterprise. For example, an event-based certification might be configured to run when a manager change is detected for an identity, and for that certification request to be sent to the newly assigned manager. Event-based certifications are launched when changes are detected during an identity refresh. When a Certification Event is set up, all certifications for that event appear under the same certification group on the Monitor->Certifications page.

To access the Certification Events panel, click or mouse-over the Monitor tab and select Certifications. On the Certifications page click the Certification Events tab.

The Certification Events tab contains the following information:

Table 24—Certifications Events Tab Column Descriptions
Name
    The name assigned when the certification event was created.
    Note: This name is used to identify the certification event. This name is not displayed in the certifications that are created when this event is triggered.
Type
    The event type associated with this certification event.
Attribute Name
    The attribute specified in attribute change type certification events.
Owner
    The user that created the event certification.
Disabled
    Indicates whether or not the certification event is enabled.

Click on an existing certification event to view the details defined when it was created.

Define a Certification Event
Click New Certification Event to display the certification event configuration panel. Scheduling a certification is broken down into a series of steps: Basic, Lifecycle, Notifications, and Advanced. The left-hand panel provides a summary of the steps and a brief description of each. You do not have to move through the steps sequentially. You can move through the steps by selecting them in the Summary panel or by clicking Next at the bottom of the page. See Table 25, “Certification Event field descriptions,” on page 74 for a list of the fields on the Event Certification panel and a description of each. You can also see a field description by placing your cursor on the question mark (?) icon displayed beside each field name.

Note: Event certifications are generated as Identity certifications and are displayed as such in the Dashboard Inbox and on the Access Certifications list page. To distinguish Event certifications from other Identity certifications, use the Custom Name and Custom Short Name options on the Advanced panel. To schedule a non-event certification, see Certifications Tab on page 81.

Table 25—Certification Event field descriptions

Basic: Specify what to certify, when and the frequency with which the certification should be created, and who is responsible for performing the certification.

Name
    Assign an intuitive name for the event certification.
    Note: This name is used to identify the event certification. This name is not displayed in the certification requests that are created when an event is triggered.
Description
    Brief description of the certification event.
Event Type
    Specify an event type or rule to associate with this certification.
    Create - launch a certification when a new identity is discovered.
    Manager Transfer - launch a certification when an identity’s manager changes.
    Attribute Change - launch a certification when a change is detected for the specified attribute.
    Rule - use a rule to determine when certifications are launched.
Previous Manager Filter
    For Manager Transfer event certification types only: Certifications are only launched if identities are transferred from the specified manager. If no manager is specified, all managers are included.
New Manager Filter
    For Manager Transfer event certification types only: Certifications are only launched if identities are transferred to the specified manager. If no manager is specified, all managers are included.
Attribute
    For Attribute Change event certification types only: Select the identity attribute with which to associate this event certification. The attribute drop-down list contains all of the standard and extended identity attributes configured in your deployment of IdentityIQ.
Previous Value Filter
    For Attribute Change event certification types only: Certifications are only launched if the attribute value specified has changed. If no value is specified, all values are included.
New Value Filter
    For Attribute Change event certification types only: Certifications are only launched if the attribute value specified has been newly assigned. If no value is specified, all values are included.
Rule
    For Rule event certification types only: Select the event certification rule used to launch certifications. Rules are created as part of the configuration process of IdentityIQ.
    Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Included Identities
    Specifies which identities to include when detecting this lifecycle event. Select one of the following filter types to narrow your selection:
    Match List — a list of attributes and permissions on selected applications.
    Filter — a custom database query for role creation.
    Script — a custom script for role creation.
    Rule — select an existing rule from the drop-down list.
    Population — select an existing population and assign this role to identities in that population.
Disabled
    Select to specify that a lifecycle event should not be processed.
Certification Name
    Name of the certification associated with the certification event.
Certification Owner
    Owner of the certification.
Certifiers
    The full name of the person or people to whom the certification is assigned.
    Assign to Manager(s) - assign to the managers of the identities for whom the certifications are created. You must enter a default certifier in case some of the identities do not have a manager assigned.
    Select Certifier(s) Manually - manually specify certifiers to whom these event certifications will be assigned. Typing the first few letters of the name displays a list of all valid certifiers in the system containing that letter combination. You can select from the displayed list.
Tags
    Specify one or more tags for the certifications. Tags can be used to classify certifications for searching and reporting.
Included Applications
    The applications from which roles and entitlements should be discovered when generating this certification. If no applications are specified, then all of the applications are included.
Include Policy Violations
    Include policy violations for each identity in the certification report. If this field is deactivated, no policy violations are included.
Include Roles
    Include roles assigned to the identity in the certification.
Include Additional Entitlements
    Include entitlements in the certification that are assigned to an identity but are not contained within a defined role.

Lifecycle: Define the lifecycle of the certification.

Active Period Enter Rule
    Select a rule to run when the certification enters its active period.
Active Period Duration
    The review period during which all decisions required within this certification should be made. During this phase changes can be made to decisions as frequently as required. You can sign off on a certification in the active stage only if no roles or entitlements were revoked or if the challenge period is not active. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist. Specify the length of this phase.
Enable Challenge Period
    The period during which all revocation requests can be challenged by the user from whom the role or entitlement is being removed. When the challenge phase begins, a work item and email is sent to each user in the certification affected by a revocation decision. The work items contain the details of the revocation request and any comments added by the requestor. The affected user has the duration of the challenge period to accept the loss of access or challenge that decision. You can sign off on a certification in the challenge phase only if all challenges have been completed and no open decisions remain on the certification. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist. Specify the length of this phase.
Enable Revocation Period
    The period during which all revocation work should be completed. The revocation phase is entered when a certification is signed off on or when the active and challenge phases have ended. When the revocation phase is entered, revocation is done either automatically, if your provisioning provider is configured for automatic revocation, or manually using a work request assigned to an IdentityIQ user with the proper authority on the specified application. Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation requests that are not acted upon during the revocation phase can be escalated as required. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. Click Details to view detailed revocation information. Specify the length of this phase.
End Period Enter Rule
    Select a rule to run when the certification enters its end period.
Require Subordinate Completion
    Select this option to require the completion of all subordinate access reviews before the parent report can be completed.
Require Reassignment Completion
    Select this option to require the completion of all reassignment access reviews before the parent report can be completed.
Return Reassignments to Original Access Review
    Select this option to cause the contents of reassignment access reviews to return to the original access review when the reassigned access review is signed.
Automatically Sign Off When All Items Are Reassigned
    Select this option to cause an access review to be signed off automatically when all items in the access review are reassigned.
Process Revokes Immediately
    Specifies that revocation requests should be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off on. If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.
Require delegation review
    Require that all delegated certification items be reviewed by the original certification owner.
Require Comments For Approval
    Require that certifiers add comments for all items approved within a certification.

Notifications: Specify options about when reminders and escalations should occur for certifications and revocations.

Send Email Reminder(s) Before Certification Expires
    This option is not available for continuous certifications. Send email reminders before the certification expires.
    Send the first reminder: The number of days before the certification expiration date that the first reminder is sent.
    Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.
    Reminder Email Template: The IdentityIQ notification template used for the reminders.
Escalate Before Certification Expires
    This option is not available for continuous certifications. Send an escalation notice and change the owner of the certification to the escalation recipient.
    Escalation Trigger: The number of days after a certification is assigned, or the number of email reminders sent to the certification owner, before the first escalation notice is sent.
    Escalation Rule: The escalation rule to apply when escalating a certification request.
Notify Users Of Revocations
    Send an email notification to identities from whom access has been revoked.
Send Revocation Reminder(s)
    Send email reminders before the revocation period expires.
    Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.
    Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.
    Reminder Email Template: The IdentityIQ notification template used for the reminders.
Escalate Revocation(s)
    Send an escalation notice and change the owner of the revocation request to the escalation recipient.
    Escalation Trigger: The number of days after a revocation request is assigned, or the number of email reminders sent to the revocation request owner, before the first escalation notice is sent.
    Escalation Rule: The escalation rule to apply when escalating a revocation request.

Advanced: Specify advanced options that can change the contents and behavior of the certification.

Custom Name
    The custom name template used to name certifications. This can contain parameterized content that is merged into the name when the certification is generated.
Custom Short Name
    The custom short name template used to give certifications the short names displayed on the dashboard. This can contain parameterized content that is merged into the short name when the certification is generated.
Exclusion Rule
    Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.
Save Exclusions
    Activate to save any entitlements that are discovered but excluded from the certification, so that they can be used in reports.
Pre-delegation Rule
    Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated to specific certifiers. If they are, the certification request is sent to that user’s inbox and they receive an email notification.
Sign Off Approver Rule
    The rule used to determine if additional review is needed on the sign off decision. After the initial sign off by the certifier, this rule is run to determine if the decisions need to be reviewed by another approver. This process is repeated until no more reviewers are discovered by the rule.
Scope
    The scope of this certification schedule and all certifications generated by this schedule. Only users that control the designated scope or that own the objects created (certification requests) can see this schedule and certifications. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.
Exclude Inactive Identities
    Exclude inactive identities from new certifications and remove identities that become inactive from existing certifications.
Filter Logical Application Entitlements
    Select to allow only logical entitlements defined on the logical application’s managed entitlement list to be included in the certification. Additionally, any logical application entitlements will be filtered from the tier application entitlements.
Exclude Logical Tier Entitlements
    Exclude entitlements on tier application accounts from the certification. This only applies to composite applications.
Include IdentityIQ Capabilities
    Include IdentityIQ capabilities of the identity for certification.
Include IdentityIQ Scopes
    Include all controlled scopes for the identity being certified.
Allow certifier to provision missing required roles
    Enable the certifier to provision missing role requirements from within a certification.
Additional Entitlement Granularity
    The granularity at which additional entitlements are listed in the certification. For example, if you select Attribute/Permission, each permission associated with each attribute is listed separately and must be acted upon.
Default Entitlement Display Mode
    Select your preference for the way in which entitlement names are displayed in the certifications created by this schedule.
    Entitlement Name: the base name of the entitlement.
    Entitlement Description: the more verbose or intuitive description of the entitlement.
    Note: This setting is overwritten by user preferences set by the certifiers.

Define a Certification Event 80 IdentityIQ User’s Guide .

Chapter 4: Certifications Page

Use the Certifications page to view and create the scheduled certifications required to maintain compliance in your enterprise. IdentityIQ automates and optimizes the review and approval of identity access privileges, account group permissions and membership, and role composition and membership. From this page, certifications can be created for your entire enterprise or for one approver or item. You can also use this page to create one-time certifications when required.

Note: Identity certifications are special cases and are scheduled from the Identities or Advanced Identity Search Results pages. Any IdentityIQ user with access to those pages can schedule an identity certification.

Certifications are comprised of multiple access reviews. When a certification schedule is created, the work item which appears in the recipient’s Inbox arrives labeled as an access review request. The terms “certification” and “access review” are interchangeable within IdentityIQ for the most part.

The Certification Page contains the following areas:
• Certifications Tab on page 81
• Certification Schedules Tab on page 84
• Certification Events on page 73
• Schedule New Certification on page 86

Certifications Tab

Use the Certifications tab to view certification requests that are complete or in the process of running. Click a certification to display the detailed results page for that certification, or right-click and select Forward Certification to assign a new owner for this certification. The detailed results page contains all of the information available for the certifications scheduled.

Table 26—Certifications Tab Column Descriptions

Name: The type of certification scheduled and the date and time at which it was first launched.
Create Date: The date and time at which the certification request was generated.
Owner: The user that started the certification request.
Status: Current status of the certification request.
Percentage Complete: Percentage of certification completion based on the number of access reviews within the certification.

See Table 27, “Certifications Results - Details Panel Descriptions,” on page 83 for a list of the fields on the certification results page and a description of each. You can also see a field description by placing your cursor on the question mark (?) icon displayed beside each field name.

Table 27—Certifications Results - Details Panel Descriptions

Certification Name: Appears at the top of the page. The name of the certification scheduled.
Access Reviews Description: The type of certification, and a modifier indicating to whom or what it applies.
Creation Date: Date and time when the certification was created.
Completed: The date and time at which the certification request was completed.
Owner: The owner of the certification.
Percentage Complete: The percentage of the certification completed.
Exclusions: Number of certification items not included in the certification. Click View Exclusions to see which items were left out of the certification.
Click View Certification Options to see all of the certification parameters.
Identities Completed: Status bar displaying the percentage of identities within the certification whose actions have been completed. For example, 46% (6 of 13) means you have certified 6 of the 13 users on the list, or 46% of the total number.
Access Reviews Completed: Status bar displaying the percentage of access reviews within the certification that have been completed.
Items Completed: Status bar displaying the percentage of access request items within the certification that have been completed.

Decision Statistics
Business Roles: Pie chart representing statistical data for open, approved and remediated business role items for the access reviews within the certification. Note: This pie chart is only visible if Include Roles was enabled in the Basic section of the certification schedule creation.
Additional Entitlements: Pie chart representing statistical data for open, approved and remediated entitlement items for the access reviews within the certification. Note: This pie chart is only visible if Include Additional Entitlements was enabled in the Basic section of the certification schedule creation.
Policy Violations: Pie chart representing statistical data for open, approved and remediated policy violations for the access reviews within the certification. Note: This pie chart is only visible if Include Policy Violations was enabled in the Basic section of the certification schedule creation.

Phase: The current phase of the certification process.
• Active — the time period in which the certifier should make all decisions required to complete the certification.
• Challenge — the time period in which decisions to revoke roles or entitlements can be challenged by the affected user.
• Revocation — the time period in which all revocation work should be completed for roles or entitlements that were revoked.
• End — the certification is complete.
Note: The challenge and revocation phases are only active if those functions were activated when the certification request was scheduled. The length of each phase is specified when the certification request is scheduled.
Phase End: The date and time at which the current phase ends and the next begins. For continuous certifications this field displays N/A.
Due: The date and time on which the access review decision is required.
Tags: Tags are used to classify certifications for searching and reporting. Tags are assigned when certifications are scheduled. If tags were not assigned at the time the certification was created, this column is empty. If tags were not assigned for any certification assigned to you, this column does not display in the table.
Certifiers: The name of the person responsible for acting on the access review.

The information displayed for each certification varies depending on the type of certification and the parameters specified at the time the schedule was created. For example, a manager certification results page might contain the number of access reviews generated by the schedule, the managers to whom the requests were assigned, and the active period duration and scale for this schedule.

Certification Schedules Tab

Use the Certification Schedules tab to view and edit information pertaining to pending, periodic and continuous certifications. Certifications that are only scheduled to run once are considered to be pending and are removed from the list of scheduled certifications after the scheduled run time.

Certifications can be scheduled to run continuously. Continuous certifications focus on the frequency with which individual items (roles, entitlements, violations) contained within the certification need to be certified, and not on the frequency with which the entire certification needs to be performed. For example, an identity might be assigned accounts on three different applications at different times during their employment within your enterprise. Each of those accounts might require an access review on a quarterly basis. Continuous certification tracks each of those accounts individually and generates a certification required notice for each item as its specific certification becomes due. This differs from periodic certifications in that periodic certifications focus on the frequency with which the entire certification must be performed, and not on the frequency with which the components from which it is comprised need to be certified.

Click an existing schedule to view the details defined for the schedule when it was created. For periodic certifications the fields on an existing schedule are read only. To modify an existing periodic schedule you have to delete the existing schedule and create a new one. For continuous certifications you can add additional applications to the certifications created by the schedule. The applications added are not included in the certification when the schedule is saved. To include the applications in certifications created after the applications are added, run the Refresh Continuous Certifications task, or, if the application has been aggregated, run either the application aggregation or the identity refresh task with the refresh certifications option activated.

The Certifications Schedule tab contains the following information:

Table 28—Certifications Schedule Tab Column Descriptions

Name: The type of certification scheduled and the date and time at which it was first launched.
Next Execution: The date and time at which the certification will next run. This field is empty for continuous certifications.
Last Execution: The date and time at which the certification ran last. This field is empty for continuous certifications.
Result: Result status of the last run of the certification, for example Success or Failed.
Owner: The user that started the certification request.
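The per-item clock described above can be made concrete with a short calculation. The following Python is an added illustration for this guide's readers, not IdentityIQ code or an IdentityIQ API; the class and function names are this example's own, and its two schedule parameters are named after the Certified Duration and Certification Required Duration settings of a continuous schedule. The three accounts for one identity are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

CERTIFIED = "Certified"
REQUIRED = "Certification Required"
OVERDUE = "Overdue"


@dataclass(frozen=True)
class ContinuousSchedule:
    """Hypothetical schedule parameters (assumed names, mirroring the two duration settings)."""
    certified_days: int   # how long an item stays Certified after a decision
    required_days: int    # how long it stays Certification Required before becoming Overdue


@dataclass(frozen=True)
class CertifiableItem:
    """One account (or role, entitlement, violation) tracked on its own clock."""
    identity: str
    application: str
    last_certified: date  # date of the most recent decision on this item


def item_state(item: CertifiableItem, schedule: ContinuousSchedule, today: date) -> str:
    """Return the item's state; each item is evaluated independently of the others."""
    required_from = item.last_certified + timedelta(days=schedule.certified_days)
    overdue_from = required_from + timedelta(days=schedule.required_days)
    if today < required_from:
        return CERTIFIED
    if today < overdue_from:
        return REQUIRED
    return OVERDUE


def notices_due(items: List[CertifiableItem], schedule: ContinuousSchedule,
                today: date) -> Dict[str, List[str]]:
    """Group items by state: the Certification Required bucket is what needs a notice now."""
    buckets: Dict[str, List[str]] = {CERTIFIED: [], REQUIRED: [], OVERDUE: []}
    for item in items:
        buckets[item_state(item, schedule, today)].append(f"{item.identity}/{item.application}")
    return buckets


# Constructed sample: roughly quarterly review, split into two months Certified plus one
# month Certification Required, as in the example given for those settings.
SAMPLE_SCHEDULE = ContinuousSchedule(certified_days=60, required_days=30)
AS_OF = date(2011, 6, 1)
SAMPLE_ITEMS = [
    CertifiableItem("jsmith", "HR_App", date(2011, 4, 20)),          # recently certified
    CertifiableItem("jsmith", "ActiveDirectory", date(2011, 3, 15)),  # due again now
    CertifiableItem("jsmith", "SAP", date(2011, 1, 10)),             # nobody acted; overdue
]


def sample_report() -> Dict[str, List[str]]:
    return notices_due(SAMPLE_ITEMS, SAMPLE_SCHEDULE, AS_OF)


if __name__ == "__main__":
    for state, labels in sample_report().items():
        print(f"{state:24} {labels}")
```

Running it on 1 June 2011 puts the three accounts in three different states, which is exactly the behaviour a single periodic schedule cannot express: a periodic certification would re-certify all three on the same day.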

Schedule New Certification

Use the Schedule New Certification drop-down list below the table to schedule certifications:
• Schedule a Manager Certification on page 86.
• Schedule an Application Owner Certification on page 94.
• Schedule an Entitlement Owner Certification on page 101.
• Schedule Advanced Certification field descriptions on page 108.
• Schedule a Role Certification on page 116.
• Schedule an Account Group Certification on page 122.
• Schedule an Identity Certification on page 127.

Identity Certifications are not scheduled from the Certifications page; they are requested individually from the Identity Risk Scores, Identity Search Results, or Policy Violations page. See Identity Risk Scores on page 521, Identity Search Results on page 459, and Policy Violations on page 453.

Schedule a Manager Certification

Manager certifications are used to certify that your direct reports have the entitlements they need to do their job, and only the entitlements they need to do their job. To schedule a Manager Certification, see How to Schedule a Manager Certification on page 94.

Scheduling a certification is broken down into a series of steps: Basic, Lifecycle, Notifications, Behavior, and Advanced. The left-hand panel provides a summary of the steps and a brief description of each. You can move through the steps by selecting them in the Summary panel or by clicking Next at the bottom of the page. You do not have to move through the steps sequentially.

See Table 29, “Schedule Manager Certification field descriptions,” on page 86 for a list of the fields on the Manager Certification panel and a description of each. You can also see a field description by placing your cursor on the question mark (?) icon displayed beside each field name.

Table 29—Schedule Manager Certification field descriptions

Basic: Specify what to certify, when and how frequently the certification should be created, and who is responsible for performing the certification.

Certification Name: Name of the certification. The field is populated by default but can be edited as needed.
Certification Owner: The identity assigned as owner of the certification. The creator of the certification schedule is the owner by default.

Recipient: The full name of a specific manager being assigned a certification. Typing the first few letters of the name displays a list of all of the manager names in the system containing that letter combination. You can select from the displayed list.
All Managers: Schedule a certification for all managers configured in the IdentityIQ application.
Included Applications: The applications from which roles and entitlements should be discovered when generating this certification. If no applications are specified, then all of the applications are included.
Included Access: Select Entitlements to include entitlement access in the certification. Select Accounts to include only accounts in the certification. You can also choose to include Additional Entitlements, Roles and Accounts With No Entitlements in the certification.
Include Policy Violations: Include policy violations for each identity in the certification report. If this field is deactivated, no policy violations are included.
Tags: Specify one or more tags for the certifications created by this schedule. Tags can be used to classify certifications for searching and reporting.
Execution Frequency: The frequency with which this certification is run: Once, Hourly, Daily, Weekly, Monthly, Quarterly, Annually, or Continuously. The default is Once.
Run Now: Launch the certification request as soon as it is scheduled.
Start: The date and time at which the certification reports are created. You can enter the date manually, or click the ... icon to select a date from the calendar. Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.

Lifecycle: Define the lifecycle of the certification.

Active Period Rule: Select the rule from the drop-down list to apply when the certification enters its active period.
Active Period Duration: This option is not available for continuous certifications. The review period during which all decisions required within this certification should be made. Specify the length of this phase. During this phase, changes can be made to decisions as frequently as required. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist. You can sign off on a certification in the active stage only if no roles or entitlements were revoked or if the challenge period is not active.

Certified Duration: This option is only available for continuous certifications. The period of time during which items remain in the certified state before requiring another certification. For example, items that must be certified quarterly might have a two month certification duration and a one month certification required duration.
Certification Required Duration: This option is only available for continuous certifications. The period of time during which items remain in the certification required state before moving to the overdue state if no action is taken by the certifier.
Enable Challenge Period: The period during which all revocation requests can be challenged by the user from whom the role or entitlement is being removed. Specify the length of this phase. When the challenge phase begins, a work item and an email are sent to each user in the certification affected by a revocation decision. The work items contain the details of the revocation request and any comments added by the requestor. The affected user has the duration of the challenge period to accept the loss of access or to challenge that decision. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist. You can sign off on a certification in the challenge phase only if all challenges have been completed and no open decisions remain on the certification.
Enable Revocation Period: The period during which all revocation work should be completed. Specify the length of this phase. The revocation phase is entered when a certification is signed off on, or when the active and challenge phases have ended. When the revocation phase is entered, revocation is done either automatically, if your provisioning provider is configured for automatic revocation, or manually using a work request assigned to an IdentityIQ user with the proper authority on the specified application. Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation requests that are not acted upon during the revocation phase can be escalated as required. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. Click Details to view detailed revocation information.
Process Revokes Immediately: Specifies that revocation requests should be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off on. If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.
End Period Enter Rule: Select the rule to run when the certification enters the end period.
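The sign-off and phase rules spread across the Active Period Duration, Enable Challenge Period, Enable Revocation Period and Process Revokes Immediately descriptions above fit in one small state machine, which makes it easier to see why a certification can get "stuck" in the active phase. The Python below is an added example for this guide, not IdentityIQ code; the Phase enumeration, the Certification snapshot and its field names are this example's own assumptions, and where the text leaves a transition open (entering the revocation phase when a period ends without a sign-off) the code states the reading it takes.

```python
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    ACTIVE = "Active"
    CHALLENGE = "Challenge"
    REVOCATION = "Revocation"
    END = "End"


@dataclass
class Certification:
    """Minimal snapshot of one certification (assumed field names, not IdentityIQ's object model)."""
    phase: Phase
    challenge_period_enabled: bool    # Enable Challenge Period was selected on the schedule
    revocation_period_enabled: bool   # Enable Revocation Period was selected on the schedule
    revocation_decisions: int = 0     # items whose decision is Revoke
    open_decisions: int = 0           # items with no decision yet
    open_challenges: int = 0          # challenges the certifier has not yet accepted or rejected


def can_sign_off(c: Certification) -> bool:
    """Sign-off rules as stated for the Active Period and Challenge Period settings."""
    if c.phase is Phase.ACTIVE:
        # Active: only if nothing was revoked, or no challenge period is configured.
        return c.revocation_decisions == 0 or not c.challenge_period_enabled
    if c.phase is Phase.CHALLENGE:
        # Challenge: only once every challenge is resolved and no decision is left open.
        return c.open_challenges == 0 and c.open_decisions == 0
    return False  # Revocation and End have nothing left to sign


def enters_revocation(c: Certification) -> bool:
    """The revocation phase needs an enabled revocation period and at least one revoke decision."""
    return c.revocation_period_enabled and c.revocation_decisions > 0


def phase_after_sign_off(c: Certification) -> Phase:
    if not can_sign_off(c):
        raise ValueError(f"sign-off is not permitted in the {c.phase.value} phase")
    return Phase.REVOCATION if enters_revocation(c) else Phase.END


def phase_after_period_end(c: Certification) -> Phase:
    """Phase reached when the current period's clock runs out without a sign-off.

    The same revocation condition is applied here as on sign-off; that reading of the
    text is an assumption of this example.
    """
    if c.phase is Phase.ACTIVE and c.challenge_period_enabled:
        return Phase.CHALLENGE
    if c.phase in (Phase.ACTIVE, Phase.CHALLENGE):
        return Phase.REVOCATION if enters_revocation(c) else Phase.END
    return Phase.END


def revocation_request_trigger(process_revokes_immediately: bool,
                               challenge_period_enabled: bool) -> str:
    """Event at which a revoke decision becomes a revocation request (Process Revokes Immediately)."""
    if not process_revokes_immediately:
        return "certification signed off"
    if challenge_period_enabled:
        return "challenge accepted or challenge period expired"
    return "revocation decision saved"


if __name__ == "__main__":
    cert = Certification(Phase.ACTIVE, challenge_period_enabled=True,
                         revocation_period_enabled=True, revocation_decisions=2)
    print("sign-off allowed in Active:", can_sign_off(cert))          # False: revokes + challenge period
    print("phase when active period ends:", phase_after_period_end(cert).value)
```

The combination worth noticing is a revoke decision plus an enabled challenge period: the certifier cannot sign off during the active phase at all, the certification moves to Challenge when the active period ends, and only after every challenge is resolved can it be signed off into Revocation.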

Enable Automatic Closing: Specifies that the remediation period should be enabled, during which IdentityIQ will periodically scan users to determine whether the requested remediations have been carried out. Use the following options to configure the details of this process.
• Time After Certification Expiration - Select the amount of time following this access review's expiration date that IdentityIQ should wait before attempting to automatically close it.
• Closing Rule - Select the rule that IdentityIQ runs at the beginning of the automatic closing process.
• Action Taken On Undecided Items - The action that IdentityIQ will assign to any undecided items when automatically closing this access review. Choose from Approve, Revoke, or Allow Exception.
• Comments - Input the comments that IdentityIQ will add to any undecided items when automatically closing this access review.
• Signer - Select the identity who signs off on automatically closed access reviews.

Notifications: Specify options about when reminders and escalations should occur for certifications and revocations.

Suppress Initial Notifications: Select this option to prevent the sending of initial certification notification emails.
Initial Notification Email Template: Choose the email template used for initial certification notifications.
Bulk Reassignment Modification Notices: Choose the email template used to send bulk reassignment notices.
Exception Expiration Notices: Choose the email template used to send mitigation expiration notices.
Challenge Period Start Notices To Challengers: Choose the email template used to send challenge period start notices to certifiers.
Challenge Period End Notices To Certifiers: Choose the email template used to send challenge period end notices to certifiers.
Challenge Creation Notices To Challengers: Choose the email template used to send challenge creation notices to challengers.
Challenge Expiration Notices To Challengers: Choose the email template used to send challenge expiration notices to challengers.
Challenged Decision Notices To Certifiers: Choose the email template used to send challenged decision notices to certifiers.

Challenge Decision Expiration Notices To Challengers And Certifiers: Choose the email template used to send challenge decision expiration notices to challengers and certifiers.
Challenge Accepted Notices To Challengers: Choose the template used to send challenge accepted notices to challengers.
Challenge Rejected Notices To Challengers: Choose the email template used to send challenge rejected notices to challengers.
Sign Off Approval Notices To Approvers: Choose the email template used to send notices to access review sign off approvers.
Send Email Reminder(s) Before Certification Expires: This option is not available for continuous certifications. Send email reminders before the certification expires.
• Send the first reminder: The number of days before the certification expiration date that the first reminder is sent.
• Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.
• Reminder Email Template: The IdentityIQ notification template used for the reminders.
Send Reminders During Certification Required Period: This option is only available for continuous certifications. Send email reminders before the certification enters the overdue state. If this option is active, the first reminder is sent when the certification request is generated.
• Reminder Frequency: The frequency with which email reminders are sent until the request is completed or enters the overdue state.
• Reminder Email Template: The IdentityIQ notification template used for the reminders.
Escalate Before Certification Expires: This option is not available for continuous certifications. Send an escalation notice and change the owner of the certification to the escalation recipient.
• Escalation Trigger: The number of days after a certification is assigned, or the number of email reminders sent to the certification owner, before the first escalation notice is sent.
• Escalation Rule: The escalation rule to apply when escalating a certification request.
• Escalation Email Template: The email template used for the escalation notification.
Escalate During Overdue Period: This option is only available for continuous certifications. Escalate the certification request when the certification enters the overdue period. Escalation is performed as specified by the rule selected. Select the email template used for the escalation notification.
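To see how the reminder and escalation settings above combine for one access review, here is an added Python example written for this guide (not IdentityIQ code, and not its scheduling engine). The NotificationPolicy names are this example's assumptions standing in for the Send the first reminder, Reminder Frequency, Escalation Trigger and Time After Certification Expiration settings; the dates are constructed sample values. It also folds in the automatic closing delay described earlier in this table, so the whole life of an unattended review is visible at once.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NotificationPolicy:
    """Assumed names for the reminder, escalation and automatic-closing settings described above."""
    first_reminder_days_before_expiry: int
    reminder_frequency_days: int
    escalation_after_days: Optional[int] = None         # Escalation Trigger expressed in days...
    escalation_after_reminders: Optional[int] = None    # ...or as a count of reminders already sent
    auto_close_days_after_expiry: Optional[int] = None  # Time After Certification Expiration


def reminder_dates(assigned: date, expires: date, p: NotificationPolicy) -> List[date]:
    """First reminder N days before expiry, then one every frequency interval until expiry."""
    dates: List[date] = []
    d = expires - timedelta(days=p.first_reminder_days_before_expiry)
    while d < expires:
        if d >= assigned:  # a reminder cannot precede the assignment itself
            dates.append(d)
        d += timedelta(days=p.reminder_frequency_days)
    return dates


def escalation_date(assigned: date, expires: date, p: NotificationPolicy) -> Optional[date]:
    """Date the owner changes to the escalation recipient, or None if escalation is not configured.

    With a reminder-count trigger this example escalates on the day the Nth reminder goes out;
    that interpretation is an assumption here.
    """
    if p.escalation_after_days is not None:
        return assigned + timedelta(days=p.escalation_after_days)
    if p.escalation_after_reminders is not None:
        sent = reminder_dates(assigned, expires, p)
        if len(sent) >= p.escalation_after_reminders:
            return sent[p.escalation_after_reminders - 1]
    return None


def auto_close_date(expires: date, p: NotificationPolicy) -> Optional[date]:
    if p.auto_close_days_after_expiry is None:
        return None
    return expires + timedelta(days=p.auto_close_days_after_expiry)


def timeline(assigned: date, expires: date, p: NotificationPolicy) -> List[Tuple[date, str]]:
    """Chronological list of (date, event) for one access review under this policy."""
    events = [(assigned, "access review assigned")]
    events += [(d, "reminder sent to certifier") for d in reminder_dates(assigned, expires, p)]
    esc = escalation_date(assigned, expires, p)
    if esc is not None:
        events.append((esc, "escalated: owner changed to escalation recipient"))
    events.append((expires, "access review expires"))
    close = auto_close_date(expires, p)
    if close is not None:
        events.append((close, "automatically closed; undecided items get the configured action"))
    return sorted(events, key=lambda e: e[0])


# Constructed sample: 30-day review, reminders from 10 days out every 3 days,
# escalate after the second reminder, auto-close a week after expiry.
SAMPLE_POLICY = NotificationPolicy(first_reminder_days_before_expiry=10, reminder_frequency_days=3,
                                   escalation_after_reminders=2, auto_close_days_after_expiry=7)
SAMPLE_ASSIGNED = date(2011, 3, 1)
SAMPLE_EXPIRES = date(2011, 3, 31)


def sample_timeline() -> List[Tuple[date, str]]:
    return timeline(SAMPLE_ASSIGNED, SAMPLE_EXPIRES, SAMPLE_POLICY)


if __name__ == "__main__":
    for when, what in sample_timeline():
        print(when.isoformat(), what)
```

With these values the certifier receives reminders on 21, 24, 27 and 30 March, ownership moves to the escalation recipient on 24 March, the review expires on 31 March, and on 7 April any item still undecided receives the Action Taken On Undecided Items you chose. Reviewing a timeline like this before saving a schedule is the quickest way to notice that an escalation fires before the owner has had a fair chance to act, or that automatic closing would approve access nobody looked at.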

Send Revocation Reminder(s): Send email reminders before the revocation period expires.
• Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.
• Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.
• Reminder Email Template: The IdentityIQ notification template used for the reminders.
Escalate Revocations: Send an escalation notice and change the owner of the revocation request to the escalation recipient.
• Escalation Trigger: The number of days after a revocation request is assigned, or the number of email reminders sent to the revocation request owner, before the first escalation notice is sent.
• Escalation Rule: The escalation rule to apply when escalating a revocation request.
• Escalation Email Template: The email template used for the escalation notification.
Notify Users Of Revocations: Send an email notification to identities from whom access has been revoked.

Behavior: Specify options that can change the presentation and behavior of the certification.

Initial Access Review View: Choose between the initial list view or the detailed view. The detailed view has an implied filter set (currently Status Open). Default is list view. Individual user preferences can override System configuration settings.
Default Access Review Grid View: Choose between the worksheet (line item) view or the identity view for the identity type Access Review Details page. Default is set to worksheet view. Individual user preferences can override System configuration settings.
Default Entitlement Display Mode: Choose between the entitlement value or the longer entitlement description display mode on the Access Review Details page.
Require Subordinate Completion: Enable this option to require the completion of all subordinate access reviews before the parent report can be completed.
Require Delegation Review: Enable this option to require a review to be performed on all delegated access reviews by the original access review owner.
Require Reassignment Completion: Enable this option to require the completion of all reassignment access reviews before the parent report can be completed.
Return Reassignments to Original Access Review: Enable this option to cause the contents of reassignment access reviews to be returned back into the original access review when the reassigned access review is signed.
Automatically Sign Off When All Items Are Reassigned: Enable this option to cause an access review to be automatically signed off when all items in the access review are reassigned. Note: The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.

Require Comments For Approval: Enable this option to require the certifier to include comments when an access review item is approved.
Require Bulk Certification Confirmation: Enable this option to require certifiers to confirm decisions when they are bulk certified within an access review.
Enable Line Item Delegation: Enable this option to allow certifiers to delegate individual items from an access review.
Enable Identity Delegation: Enable this option to allow certifiers to delegate entire identities in an access review.
Enable Allow Exceptions: Enable this option to allow certifiers to allow exceptions for entitlements that should be allowed for a time period.
Enable Default Exception Duration: Enable this option to set a default time period in which exceptions are allowed during the access review.
Enable Bulk Approval: Enable this option to allow users to bulk approve access review items.
Enable Bulk Revocation: Enable this option to allow users to bulk revoke access review items.
Enable Bulk Allow Exceptions: Enable this option to allow users to bulk allow exceptions.
Enable Bulk Reassignment: Enable this option to allow users to bulk reassign access review items.
Enable Account Approval: Enable this option to allow users to bulk approve all entitlements for a given account.
Enable Account Revocation: Enable this option to allow users to bulk revoke all entitlements for a given account.
Enable Bulk Account Revocation: Enable this option to allow users to bulk revoke all entitlements for a given account.
Enable Bulk Clear Decisions: Enable certifiers to cancel all decisions currently made on the access review.
Enable Provisioning Of Missing Role Requirements: Enable this option to allow users to request provisioning of missing required roles.

Advanced: Specify advanced options that can change the contents and behavior of the certification.

Custom Name: The custom name template used to name certifications. This can contain parameterized content that is merged into the name when the certification is generated.
Custom Short Name: The custom short name template used to give certifications short names displayed on the dashboard. This can contain parameterized content that is merged into the short name when the certification is generated.

Scope: The scope of this certification schedule and all certifications generated by this schedule. Only users that control the designated scope or that own the objects created (certification requests) can see this schedule and certifications. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.
Pre-delegation Rule: Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated or reassigned to specific certifiers.
Email Owner on Pre-Delegation Completion: Select this checkbox to have an email notification sent back to the original owner once the pre-delegation is finished.
Sign Off Approver Rule: The rule used to determine if additional review is needed on the sign off decision. After the initial sign off by the certifier, this rule is run to determine if the decisions need to be reviewed by another approver. If they do, the certification request is sent to that user’s inbox, they receive an email notification, and the request must be acted upon separately. This process is repeated until no more reviewers are discovered by the rule.
Exclusion Rule: Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.
Save Exclusions: Activate to save any entitlements that are discovered, but excluded from the certification, so that they can be used in reports.
Exclude Inactive Identities: Exclude inactive identities from new certifications and remove identities that become inactive from existing certifications.
Filter Logical Application Entitlements: Only logical entitlements defined on the logical application's managed entitlement list will be included in the certification.
Exclude Logical Tier Entitlements: Exclude entitlements on tier application accounts from the certification. Additionally, any logical application entitlements will be filtered from the tier application entitlements.
Include IdentityIQ Capabilities: Include IdentityIQ capabilities of the identity for certification.
Include IdentityIQ Scopes: Include all controlled scopes for the identity being certified.
Additional Entitlement Granularity: The granularity at which additional entitlements are listed in the certification. For example, if you select Attribute/Permission, each permission associated with each attribute is listed.
Generate certifications: Select whether to generate a certification request for the specified managers, or for the specified managers and all of their subordinate managers. If you select For the specified manager(s) only, the Flatten Hierarchy option is displayed. Select the Flatten Hierarchy option to include all of the employees that report directly to the selected managers and the employees that report to any subordinate managers on the certification request.
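The three ways the Generate certifications and Flatten Hierarchy options carve up a reporting tree are easiest to compare on a small constructed hierarchy, because the difference is not how many people are reviewed but who reviews them. The Python below is an added example, not IdentityIQ code; the REPORTS map, the access_reviews function and its parameter names are this example's assumptions.

```python
from typing import Dict, List

# Constructed reporting structure: manager -> identities that report directly to them.
# Identities with no entry are not managers.
REPORTS: Dict[str, List[str]] = {
    "alice": ["bob", "carol", "dave"],   # bob and carol manage people of their own
    "bob": ["erin", "frank"],
    "carol": ["grace"],
}


def direct_reports(manager: str, reports: Dict[str, List[str]]) -> List[str]:
    return list(reports.get(manager, []))


def subordinate_managers(manager: str, reports: Dict[str, List[str]]) -> List[str]:
    """Every manager anywhere below `manager`, in depth-first order."""
    found: List[str] = []
    for person in direct_reports(manager, reports):
        if direct_reports(person, reports):
            found.append(person)
            found.extend(subordinate_managers(person, reports))
    return found


def all_reports(manager: str, reports: Dict[str, List[str]]) -> List[str]:
    """Everyone in `manager`'s reporting tree, including the subordinate managers themselves."""
    found: List[str] = []
    for person in direct_reports(manager, reports):
        found.append(person)
        found.extend(all_reports(person, reports))
    return found


def access_reviews(managers: List[str], reports: Dict[str, List[str]],
                   include_subordinate_managers: bool = False,
                   flatten_hierarchy: bool = False) -> Dict[str, List[str]]:
    """Map each certifier to the identities on their access review.

    include_subordinate_managers: one review for each specified manager and for each manager
        beneath them, each covering only that manager's direct reports.
    flatten_hierarchy (offered only with the specified managers only choice): a single review
        per specified manager covering the whole tree beneath them.
    """
    if include_subordinate_managers and flatten_hierarchy:
        raise ValueError("Flatten Hierarchy applies only to 'For the specified manager(s) only'")
    certifiers: List[str] = []
    for m in managers:
        certifiers.append(m)
        if include_subordinate_managers:
            certifiers.extend(subordinate_managers(m, reports))
    reviews: Dict[str, List[str]] = {}
    for m in certifiers:
        if m in reviews:
            continue  # a manager reached twice still gets a single review
        reviews[m] = all_reports(m, reports) if flatten_hierarchy else direct_reports(m, reports)
    return reviews


if __name__ == "__main__":
    print("specified only:   ", access_reviews(["alice"], REPORTS))
    print("with subordinates:", access_reviews(["alice"], REPORTS, include_subordinate_managers=True))
    print("flattened:        ", access_reviews(["alice"], REPORTS, flatten_hierarchy=True))
```

For alice the first choice yields one review of three people, the second yields three reviews (alice, bob and carol each certifying their own direct reports), and the flattened choice yields one review in which alice certifies all six people below her, including access she has no first-hand knowledge of. That last point is the trade-off to weigh: flattening guarantees coverage with a single certifier, while delegating to subordinate managers keeps each decision with the person closest to the work.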

How to Schedule a Manager Certification

Use the following procedure to schedule manager certification requests. Certification schedules can be complex or simple, depending on the specific needs of your enterprise and the purpose of the certifications being scheduled. This procedure lists the basic steps required to launch a certification schedule. For a description of each option available on the page, see “Schedule a Manager Certification” on page 86.

Procedure
1. Click the Monitor tab, or scroll over the tab and select Certifications.
2. From the Certifications page, select Manager from the Schedule new certification drop-down list.
3. Select All Managers to schedule a certification for all managers.
   —OR—
   Type a specific manager name in the Recipient field.
4. Select the application(s) to include in the certification from the Included Applications drop-down list. If no applications are specified, then all of the applications are included.
5. Select the execution frequency for this certification from the drop-down list. Continuous certifications require additional information. For a description of each option available on the page, see “Schedule a Manager Certification” on page 86.
6. Specify the date and time at which this certification should first run, or select Run Now. Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
7. Specify the duration of the active period for this certification on the Lifecycle panel. This option is not displayed for continuous certifications.
8. Click Schedule Certification to schedule the certification.

Schedule an Application Owner Certification

Application Owner certifications are used to certify that all identities accessing applications for which you are responsible have the proper entitlements. To schedule an Application Owner Certification, see How to Schedule an Application Owner Certification on page 101.

Scheduling a certification is broken down into a series of steps: Basic, Lifecycle, Notifications, and Advanced. The left-hand panel provides a summary of the steps and a brief description of each. You can move through the steps by selecting them in the Summary panel or by clicking Next at the bottom of the page. You do not have to move through the steps sequentially.

See Table 30, “Schedule Application Owner Certification field descriptions,” on page 95 for a list of the fields on the Application Owner Certification panel and a description of each. You can also see a field description by placing your cursor on the question mark (?) icon displayed beside each field name.

Table 30—Schedule Application Owner Certification field descriptions

Basic: Specify what to certify, when and the frequency with which the certification should be created, and who is responsible for performing the certification.

Certification Name: Name of the certification. The field is populated by default but can be edited as needed.
Certification Owner: The identity assigned as owner of the certification. The creator of the certification schedule is the owner by default.
All Applications: Schedule an Application Certification request for the owners of all applications configured in IdentityIQ.
Application(s): Select the applications to certify. Use the Ctrl or Shift keys to select multiple applications. All of the applications in the list are included if All Applications is selected.
Included Access: Select Entitlements to include entitlement access in the certification. Select Accounts to include only accounts in the certification. You can also choose to include Additional Entitlements, Roles and Accounts With No Entitlements in the certification.
Include Policy Violations: Include policy violations for each identity in the certification report. If this field is deactivated no policy violations are included.
Tags: Specify one or more tags for the certifications created by this schedule. Tags can be used to classify certifications for searching and reporting.
Execution Frequency: The frequency with which this certification is run: Once, Hourly, Daily, Weekly, Monthly, Quarterly, Annually, or Continuously. The default is Once.
Start: The date and time at which the certification reports are created. You can enter the date manually, or click the calendar icon to select a date from the calendar. Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
Run Now: Launch the certification request as soon as it is saved.

Lifecycle: Define the lifecycle of the certification.

Active Period Enter Rule: Select a rule from the drop-down list to apply when the certification enters its active period.
Active Period Duration: The review period during which all decisions required within this certification should be made. During this phase changes can be made to decisions as frequently as required. You can sign off on a certification in the active stage only if no roles or entitlements were revoked or if the challenge period is not active. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist. Specify the duration of this phase.

Certification Duration: This option is only available for continuous certifications. The period of time during which items remain in the certified state before requiring another certification. Specify the duration of this phase. For example, items that must be certified quarterly might have a two month certification duration and a one month certification required duration.
Certification Required Duration: This option is only available for continuous certifications. The period of time during which items remain in the certification required state before moving to the overdue state if no action is taken by the certifier. Specify the duration of this phase.
Enable Challenge Period: The period during which all revocation requests can be challenged by the user from which the role or entitlement is being removed. When the challenge phase begins, a work item and email is sent to each user in the certification affected by a revocation decision. The work items contain the details of the revocation request and any comments added by the requestor. The affected user has the duration of the challenge period to accept the loss of access or challenge that decision. You can sign off on a certification in the challenge phase only if all challenges have been completed and no open decisions remain on the certification. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist. Specify the duration of this phase.
Enable Revocation Period: The period during which all revocation work should be completed. The revocation phase is entered when a certification is signed off on or when the active and challenge phases have ended. Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. When the revocation phase is entered, revocation is done either automatically, if your provisioning provider is configured for automatic revocation, or manually using a work request assigned to an IdentityIQ user with the proper authority on the specified application. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. Click Details to view detailed revocation information. Revocation requests that are not acted upon during the revocation phase can be escalated as required. Specify the duration of this phase.
Process Revokes Immediately: Specifies that revocation requests should be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off on. If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.
End Period Enter Rule: Select a rule to run when the certification enters the end period.

Notifications: Specify options about when reminders and escalations should occur for certification and revocations. Choose from Approve. Reminder Frequency: The frequency with which email reminders are sent until the certification is completed or expires. Escalation Rule: The escalation rules to apply when escalating a certification. Escalation Trigger: The number of days after which a certification is assigned. the first reminder is sent when the certification request is generated.Select the amount of time following this access review's expiration date that IdentityIQ should wait before attempting to automatically close it.  Escalation Email Template: The email template used for the escalation notification. Send the first reminder: The number of days before the certification expiration date that the first reminder is sent. Reminder Email Template: The IdentityIQ notification template used for the reminders. Reminder Frequency: The frequency with which email reminders are sent until the request is completed or enters the overdue state.  Closing Rule . Send Email Reminder(s) Before Certification Expires Send email reminders to the request owner before the certification expires.  Comments . during which IdentityIQ will periodically scan users to determine whether the requested remediations have been carried out. IdentityIQ User’s Guide 97 . or the number of email reminders that are sent to the certification owner. If this option is active.Select the identity who signs off on automatically closed access reviews.Input the comments that IdentityIQ will add to any undecided items when automatically closing this access review. Send email reminders before the certification enters the overdue state. 
Use the following options to configure the details of this process.Schedule an Application Owner Certification Table 30—Schedule Application Owner Certification field descriptions Field Name Description Enable Automatic Closing Specifies that the remediation period should be enabled. Send Reminders During Certification Required Period This option is only available for continuous certifications.  Time After Certification Expiration . or Allow Exception.The action that IdentityIQ will assign to any undecided items when automatically closing this access review.  Signer . before the first escalation notice is sent.Select the rule that IdentityIQ runs at the beginning of the automatic closing process.  Action Taken On Undecided Items . Reminder Email Template: The IdentityIQ notification template used for the reminders. Escalate Before Certification Expires Send an escalation notice up the chain of command on certification status. Revoke.

Escalate During Overdue Period: This option is only available for continuous certifications. Escalate the certification request when the certification enters the overdue period. Escalation is performed as specified by the rule selected. Specify the email template to use for escalation notifications.
Send Revocation Reminder(s): Send email reminders before the revocation period expires.
  Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.
  Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires, or the number of email reminders that are sent to the revocation request owner.
  Reminder Email Template: The IdentityIQ notification template used for the reminders.
Escalate Revocation(s): Send an escalation notice and change the owner of the revocation request to the escalation recipient.
  Escalation Trigger: The number of days after a revocation request is assigned before the first escalation notice is sent.
  Escalation Rule: The escalation rule to apply when escalating a revocation request.
  Escalation Email Template: The email template used for the escalation notification.
Notify Users Of Revocations: Send an email notification to identities from whom access has been revoked.

Behavior: Specify options that can change the presentation and behavior of the certification.

Initial Access Review View: Choose between the initial list view or the detailed view. The detailed view has an implied filter set (currently Status Open). Default is list view. Individual user preferences can override System configuration settings.
Default Access Review Grid View: Choose between the worksheet (line item) view or the identity view for the identity type Access Review Details page. Default is set to worksheet view. Individual user preferences can override System configuration settings.
Default Entitlement Display Mode: Choose between the entitlement value or the longer entitlement description display mode on the Access Review Details page.
Require Subordinate Completion: Enable this option to require the completion of all subordinate access reviews before the parent report can be completed.
Require Reassignment Completion: Enable this option to require the completion of all reassignment access reviews before the parent report can be completed.
Return Reassignments to Original Access Review: Enable this option to cause the contents of reassignment access reviews to be returned back into the original access review when the reassigned access review is signed.

Automatically Sign Off When All Items Are Reassigned: Enable this option to cause an access review to be automatically signed off when all items in the access review are reassigned. Note: The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.
Require Delegation Review: Enable this option to require a review to be performed on all delegated access reviews by the original access review owner.
Require Comments For Approval: Enable this option to require the certifier to include comments when an access review item is approved.
Require Bulk Certification Confirmation: Enable this option to require certifiers to confirm decisions when they are bulk certified within an access review.
Enable Line Item Delegation: Enable this option to allow certifiers to delegate individual items from an access review.
Enable Identity Delegation: Enable this option to allow certifiers to delegate entire identities in an access review.
Enable Account Approval: Enable this option to allow users to bulk approve all entitlements for a given account.
Enable Account Revocation: Enable this option to allow users to bulk revoke all entitlements for a given account.
Enable Allow Exceptions: Enable this option to allow certifiers to allow exceptions for entitlements that should be allowed for a time period.
Enable Default Exception Duration: Enable this option to set a default time period in which exceptions are allowed during the access review.
Enable Provisioning Of Missing Role Requirements: Enable this option to allow users to request provisioning of missing required roles.
Enable Bulk Approval: Enable this option to allow users to bulk approve access review items.
Enable Bulk Revocation: Enable this option to allow users to bulk revoke access review items.
Enable Bulk Account Revocation: Enable this option to allow users to bulk revoke all entitlements for a given account.
Enable Bulk Allow Exceptions: Enable this option to allow users to bulk allow exceptions.
Enable Bulk Reassignment: Enable this option to allow users to bulk reassign access review items.
Enable Bulk Clear Decisions: Enable certifiers to cancel all decisions currently made on the access review.

Advanced: Specify advanced options that can change the contents and behavior of the certification.

Custom Name: The custom name template used to name certifications. This can contain parameterized content that is merged into the name when the certification is generated.
Custom Short Name: The custom short name template used to give certifications short names displayed on the dashboard. This can contain parameterized content that is merged into the short name when the certification is generated.
Scope: The scope of this certification schedule and all certifications generated by this schedule. Only users that control the designated scope or that own the objects created (certification requests) can see this schedule and certifications. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.
Include IdentityIQ Capabilities: Include IdentityIQ capabilities of the identity for certification.
Include IdentityIQ Scopes: Include all controlled scopes for the identity being certified.
Filter Logical Application Entitlements: Only logical entitlements defined on the logical application's managed entitlement list will be included in the certification.
Exclude Logical Tier Entitlements: Exclude entitlements on tier application accounts from the certification. Additionally, any logical application entitlements will be filtered from the tier application entitlements.
Exclude Inactive Identities: Exclude inactive identities from new certifications and remove identities that become inactive from existing certifications.
Pre-delegation Rule: Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated or reassigned to specific certifiers.
Email Owner on Pre-Delegation Completion: Select this checkbox to have an email notification sent back to the original owner once the pre-delegation is finished.
Exclusion Rule: Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.
Save Exclusions: Activate to save any entitlements that are discovered, but excluded from the certification so that they can be used in reports.
Sign Off Approver Rule: The rule used to determine if additional review is needed on the sign off decision. After the initial sign off by the certifier, this rule is run to determine if the decisions need to be reviewed by another approver. If they do, the certification request is sent to that user's inbox, they receive an email notification, and the request must be acted upon. This process is repeated until no more reviewers are discovered by the rule.
Additional Entitlement Granularity: The granularity at which additional entitlements are listed in the certification. For example, if you select Attribute/Permission, each permission associated with each attribute is listed separately.

Allow certifier to provision missing required roles: Enable the certifier to provision missing role requirements from within a certification.
Default Entitlement Display Mode: Select your preference for the way in which entitlement names are displayed in the certifications created by this schedule.
  Entitlement Name: the base name of the entitlement.
  Entitlement Description: the more verbose or intuitive description of the entitlement.
  Note: This setting is overwritten by user preferences set by the certifiers.

How to Schedule an Application Owner Certification

Use the following procedure to schedule application certification requests. For a description of each option available on the page, see "Schedule an Application Owner Certification" on page 94. This procedure lists the basic steps required to launch a certification schedule. Certification schedules can be complex or simple, depending on the specific needs of your enterprise and the purpose of the certifications being scheduled.

Procedure
1. Click the Monitor tab, or scroll over the tab and select Certifications.
2. Select Application Owner from the Schedule New Certification drop-down list.
3. Select All Applications to schedule a certification request for the owners of all applications.
   —OR—
   Select specific applications from the Application(s) field.
4. Select the execution frequency for this certification from the drop-down list. Continuous certifications require additional information.
5. Specify the date and time at which this certification should first run or select Run Now. Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
6. Specify the duration of the active period for this certification on the Lifecycle panel.
7. Click Schedule Certification to schedule the certification.

Schedule an Entitlement Owner Certification

Entitlement Owner certifications are used to certify that all identities accessing managed entitlements within an application for which you are responsible have the proper access.

Scheduling a certification is broken down into a series of steps: Basic, Lifecycle, Notifications, and Advanced. You do not have to move through the steps sequentially. You can move through the steps by selecting them in the Summary panel or by clicking Next at the bottom of the page. The left-hand panel provides a summary of the steps and a brief description of each. You can also see a field description by placing your cursor on the question mark (?) icon displayed beside each field name.

See Table 31, "Schedule Entitlement Owner Certification field descriptions," on page 102 for a list of the fields on the Entitlement Owner Certification and a description of each. To schedule an Entitlement Owner Certification, see How to Schedule an Entitlement Owner Certification on page 107.

Table 31—Schedule Entitlement Owner Certification field descriptions

Basic: Specify what to certify, when and the frequency with which the certification should be created, and who is responsible for performing the certification.

Certification Name: Name of the certification. The field is populated by default but can be edited as needed.
Certification Owner: The identity assigned as owner of the certification. The creator of the certification schedule is the owner by default.
All Applications: Schedule an Application Certification request for the owners of all applications configured in IdentityIQ.
Application(s): Select the applications to certify. Use the Ctrl or Shift keys to select multiple applications. All of the applications in the list are included if All Applications is selected.
Include Unowned Data: Enabling this option will include managed entitlements and permissions which have no owner in the access review.
Unowned Data Owner: Enabling this option will assign ownership of unowned entitlements to either the application owner or an identity you select from the drop-down list.
Tags: Specify one or more tags for the certifications created by this schedule. Tags can be used to classify certifications for searching and reporting.
Execution Frequency: The frequency with which this certification is run: Once, Hourly, Daily, Weekly, Monthly, Quarterly, Annually, or Continuously. The default is Once.
Start: The date and time at which the certification reports are created. You can enter the date manually, or click the calendar icon to select a date from the calendar. Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
Run Now: Launch the certification request as soon as it is saved.

Lifecycle: Define the lifecycle of the certification.

Active Period Enter Rule: Select a rule from the drop-down list to apply when the certification enters its active period.
Active Period Duration: The review period during which all decisions required within this certification should be made. During this phase changes can be made to decisions as frequently as required. You can sign off on a certification in the active stage only if no roles or entitlements were revoked or if the challenge period is not active. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist. Specify the duration of this phase.
Enable Challenge Period: The period during which all revocation requests can be challenged by the user from which the role or entitlement is being removed. When the challenge phase begins, a work item and email is sent to each user in the certification affected by a revocation decision. The work items contain the details of the revocation request and any comments added by the requestor. The affected user has the duration of the challenge period to accept the loss of access or challenge that decision. You can sign off on a certification in the challenge phase only if all challenges have been completed and no open decisions remain on the certification. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist. Specify the duration of this phase.
Enable Revocation Period: The period during which all revocation work should be completed. The revocation phase is entered when a certification is signed off on or when the active and challenge phases have ended. Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. When the revocation phase is entered, revocation is done either automatically, if your provisioning provider is configured for automatic revocation, or manually using a work request assigned to an IdentityIQ user with the proper authority on the specified application. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. Click Details to view detailed revocation information. Revocation requests that are not acted upon during the revocation phase can be escalated as required. Specify the duration of this phase.
Process Revokes Immediately: Specifies that revocation requests should be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off on. If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.
End Period Enter Rule: Select a rule to run when the certification enters the end period.
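The Lifecycle rows above (and the matching rows of Table 30, including its continuous-certification durations) state the phase and sign-off rules in prose. The Python model below is an added illustration, not IdentityIQ code or part of this guide: it encodes those rules so a practitioner can check how a given combination of challenge period, revocation period and Process Revokes Immediately behaves. All class and function names are assumptions, as is treating an enabled challenge period as an active one.

```python
"""Model of the certification lifecycle rules stated in the Lifecycle rows.

Added illustration only (not IdentityIQ code): it encodes the sign-off
conditions for the active and challenge phases, the entry condition for the
revocation phase, the timing of revocation requests, and the continuous
certification item states (certified -> certification required -> overdue).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Phase(Enum):
    ACTIVE = "active"
    CHALLENGE = "challenge"
    REVOCATION = "revocation"
    END = "end"


class ItemState(Enum):
    CERTIFIED = "certified"
    CERTIFICATION_REQUIRED = "certification required"
    OVERDUE = "overdue"


@dataclass
class Decision:
    item: str
    action: str                       # "approve", "revoke" or "allow exception"
    challenged: bool = False          # affected user challenged the revocation
    challenge_resolved: bool = False  # challenge completed or period expired


@dataclass
class Certification:
    phase: Phase = Phase.ACTIVE
    challenge_period: bool = False    # Enable Challenge Period (assumed "active")
    revocation_period: bool = False   # Enable Revocation Period
    process_revokes_immediately: bool = False
    decisions: list = field(default_factory=list)
    undecided_items: list = field(default_factory=list)

    def has_revocation(self):
        return any(d.action == "revoke" for d in self.decisions)


def can_sign_off(cert):
    """Sign-off conditions the table states for the active and challenge phases."""
    if cert.phase is Phase.ACTIVE:
        # Only if nothing was revoked, or no challenge period is active.
        return not cert.has_revocation() or not cert.challenge_period
    if cert.phase is Phase.CHALLENGE:
        # Only once all challenges are completed and no open decisions remain.
        done = all(d.challenge_resolved for d in cert.decisions if d.challenged)
        return done and not cert.undecided_items
    return False


def phase_after_sign_off(cert):
    """Sign-off enters the revocation phase only if the revocation period is
    active and a revocation decision exists; otherwise the end phase."""
    if not can_sign_off(cert):
        raise ValueError(f"sign-off not permitted in the {cert.phase.value} phase")
    if cert.revocation_period and cert.has_revocation():
        return Phase.REVOCATION
    return Phase.END


def revocation_request_sent(cert, decision):
    """When a revocation request is sent (Process Revokes Immediately row);
    None for a decision that revokes nothing."""
    if decision.action != "revoke":
        return None
    if not cert.process_revokes_immediately:
        return "when the certification is signed off"
    if cert.challenge_period:
        return "when the revocation is accepted or the challenge period expires"
    return "when the revocation decision is saved"


def continuous_item_state(last_certified, today, certification_days, required_days):
    """Certified for certification_days after the last certification, then
    certification required for required_days, then overdue if nobody acts."""
    required_from = last_certified + timedelta(days=certification_days)
    overdue_from = required_from + timedelta(days=required_days)
    if today < required_from:
        return ItemState.CERTIFIED
    if today < overdue_from:
        return ItemState.CERTIFICATION_REQUIRED
    return ItemState.OVERDUE


if __name__ == "__main__":
    # Constructed example: the quarterly item from the table, with a two month
    # certification duration and a one month certification required duration.
    certified_on = date(2011, 1, 1)
    for offset in (30, 70, 95):
        state = continuous_item_state(certified_on, certified_on + timedelta(days=offset), 60, 30)
        print(f"day {offset}: {state.value}")
```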

Notifications: Specify options about when reminders and escalations should occur for certifications and revocations.

Enable Automatic Closing: Specifies that the remediation period should be enabled, during which IdentityIQ will periodically scan users to determine whether the requested remediations have been carried out. Use the following options to configure the details of this process.
  Time After Certification Expiration - Select the amount of time following this access review's expiration date that IdentityIQ should wait before attempting to automatically close it.
  Closing Rule - Select the rule that IdentityIQ runs at the beginning of the automatic closing process.
  Action Taken On Undecided Items - The action that IdentityIQ will assign to any undecided items when automatically closing this access review. Choose from Approve, Revoke, or Allow Exception.
  Comments - Input the comments that IdentityIQ will add to any undecided items when automatically closing this access review.
  Signer - Select the identity who signs off on automatically closed access reviews.
Send Email Reminder(s) Before Certification Expires: Send email reminders to the request owner before the certification expires.
  Send the first reminder: The number of days before the certification expiration date that the first reminder is sent.
  Reminder Frequency: The frequency with which email reminders are sent until the certification is completed or expires, or the number of email reminders that are sent to the certification owner.
  Reminder Email Template: The IdentityIQ notification template used for the reminders.
Escalate Before Certification Expires: Send an escalation notice up the chain of command on certification status.
  Escalation Trigger: The number of days after a certification is assigned before the first escalation notice is sent.
  Escalation Rule: The escalation rule to apply when escalating a certification.
  Escalation Email Template: The email template used for the escalation notification.
Escalate During Overdue Period: This option is only available for continuous certifications. Escalate the certification request when the certification enters the overdue period. Escalation is performed as specified by the rule selected. Specify the email template to use for escalation notifications.

Send Revocation Reminder(s): Send email reminders before the revocation period expires.
  Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.
  Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires, or the number of email reminders that are sent to the revocation request owner.
  Reminder Email Template: The IdentityIQ notification template used for the reminders.
Escalate Revocation(s): Send an escalation notice and change the owner of the revocation request to the escalation recipient.
  Escalation Trigger: The number of days after a revocation request is assigned before the first escalation notice is sent.
  Escalation Rule: The escalation rule to apply when escalating a revocation request.
  Escalation Email Template: The email template used for the escalation notification.

Behavior: Specify options that can change the presentation and behavior of the certification.

Initial Access Review View: Choose between the initial list view or the detailed view. The detailed view has an implied filter set (currently Status Open). Default is list view. Individual user preferences can override System configuration settings.
Default Access Review Grid View: Choose between the worksheet (line item) view or the identity view for the identity type Access Review Details page. Default is set to worksheet view. Individual user preferences can override System configuration settings.
Default Entitlement Display Mode: Choose between the entitlement value or the longer entitlement description display mode on the Access Review Details page.
Require Subordinate Completion: Enable this option to require the completion of all subordinate access reviews before the parent report can be completed.
Require Reassignment Completion: Enable this option to require the completion of all reassignment access reviews before the parent report can be completed.
Return Reassignments to Original Access Review: Enable this option to cause the contents of reassignment access reviews to be returned back into the original access review when the reassigned access review is signed.
Automatically Sign Off When All Items Are Reassigned: Enable this option to cause an access review to be automatically signed off when all items in the access review are reassigned. Note: The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.
Require Delegation Review: Enable this option to require a review to be performed on all delegated access reviews by the original access review owner.
Require Comments For Approval: Enable this option to require the certifier to include comments when an access review item is approved.

Require Bulk Certification Confirmation: Enable this option to require certifiers to confirm decisions when they are bulk certified within an access review.
Enable Line Item Delegation: Enable this option to allow certifiers to delegate individual items from an access review.
Enable Identity Delegation: Enable this option to allow certifiers to delegate entire identities in an access review.
Enable Account Approval: Enable this option to allow users to bulk approve all entitlements for a given account.
Enable Account Revocation: Enable this option to allow users to bulk revoke all entitlements for a given account.
Enable Allow Exceptions: Enable this option to allow certifiers to allow exceptions for entitlements that should be allowed for a time period.
Enable Default Exception Duration: Enable this option to set a default time period in which exceptions are allowed during the access review.
Enable Provisioning Of Missing Role Requirements: Enable this option to allow users to request provisioning of missing required roles.
Enable Bulk Approval: Enable this option to allow users to bulk approve access review items.
Enable Bulk Revocation: Enable this option to allow users to bulk revoke access review items.
Enable Bulk Account Revocation: Enable this option to allow users to bulk revoke all entitlements for a given account.
Enable Bulk Allow Exceptions: Enable this option to allow users to bulk allow exceptions.
Enable Bulk Reassignment: Enable this option to allow users to bulk reassign access review items.
Enable Bulk Clear Decisions: Enable certifiers to cancel all decisions currently made on the access review.

Advanced: Specify advanced options that can change the contents and behavior of the certification.

Custom Name: The custom name template used to name certifications. This can contain parameterized content that is merged into the name when the certification is generated.
Custom Short Name: The custom short name template used to give certifications short names displayed on the dashboard. This can contain parameterized content that is merged into the short name when the certification is generated.
Scope: The scope of this certification schedule and all certifications generated by this schedule. Only users that control the designated scope or that own the objects created (certification requests) can see this schedule and certifications. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.

Sign Off Approver Rule: The rule used to determine if additional review is needed on the sign off decision. After the initial sign off by the certifier, this rule is run to determine if the decisions need to be reviewed by another approver. If they do, the certification request is sent to that user’s inbox and they receive an email notification, and the request must be acted upon. This process is repeated until no more reviewers are discovered by the rule.

Exclusion Rule: Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.

Save Exclusions: Activate to save any entitlements that are discovered but excluded from the certification, so that they can be used in reports.

Additional Entitlement Granularity: The granularity at which additional entitlements are listed in the certification. For example, if you select Attribute/Permission, each permission associated with each attribute is listed separately.

Pre-delegation Rule: Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated or reassigned to specific certifiers.

Email Owner on Pre-Delegation Completion: Select this checkbox to have an email notification sent back to the original owner once the pre-delegation is finished.

Allow certifier to provision missing required roles: Enable the certifier to provision missing role requirements from within a certification.

Default Entitlement Display Mode: Select your preference for the way in which entitlement names are displayed in the certifications created by this schedule. Entitlement Name: the base name of the entitlement. Entitlement Description: the more verbose or intuitive description of the entitlement. Note: This setting is overwritten by user preferences set by the certifiers.

How to Schedule an Entitlement Owner Certification

Use the following procedure to schedule entitlement owner certification requests. This procedure lists the basic steps required to launch a certification schedule. Certification schedules can be complex or simple, depending on the specific needs of your enterprise and the purpose of the certifications being scheduled. For a description of each option available on the page, see “Schedule an Entitlement Owner Certification” on page 101.

Procedure
1. Click the Monitor tab, or scroll over the tab and select Certifications.
2. Select Entitlement Owner from the Schedule New Certification drop-down list.

3. Select All Applications to schedule a certification request for the data owners of all applications.
—OR—
Select specific applications from the Application(s) field.
4. Specify the date and time at which this certification should first run, or select Run Now. Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
5. Select the execution frequency for this certification from the drop-down list. Continuous certifications require additional information; see “Schedule an Entitlement Owner Certification” on page 101.
6. Specify the duration of the active period for this certification on the Lifecycle panel.
7. Click Schedule Certification to schedule the certification.

Schedule an Advanced Certification

Use the Advanced Certification panel to schedule certifications for populations created from criteria specified on the Identity Search page, or for groups generated from the group factory. When an advanced certification is requested, the criteria that define the selected populations or groups are used to populate the certification with the identities matching those criteria. The populated certifications are then sent to the certifiers associated with each population or group. Therefore, each time an advanced certification is requested for a population or a group, it might contain a completely different set of identities, depending on the search, or filtering, criteria that define the population or group. For example, if you have a population that is based on identities with a policy risk score greater than zero (0) and you schedule an advanced certification for that population once a month, you would probably hope to not see the same set of identities associated with policy violations repeatedly.

Scheduling a certification is broken down into a series of steps: Basic, Lifecycle, Notifications, and Advanced. The left-hand panel provides a summary of the steps and a brief description of each. You can move through the steps by selecting them in the Summary panel or by clicking Next at the bottom of the page. You do not have to move through the steps sequentially.

See Table 32, “Schedule Advanced Certification field descriptions,” on page 108 for a description of each field used to schedule a certification. You can also see a field description by placing your cursor on the question mark (?) icon displayed beside each field name.

To schedule an Advanced Certification, see How to Schedule an Advanced Certification on page 115.

Table 32—Schedule Advanced Certification field descriptions

Basic: Specify what to certify, when and the frequency with which the certification should be created, and who is responsible for performing the certification.

Certification Name: Name of the certification. The field is populated by default but can be edited as needed.

Certification Owner: The identity assigned as owner of the certification. The creator of the certification schedule is the owner by default.

Populations to Certify: Population — All available populations in IdentityIQ. This includes all public populations and populations you created. Certifier(s) — The identities to whom this request is being sent. Certifiers can be individual identities or workgroups. Entering the first letter, or letters, of an identity displays a selection list of valid certifier identities containing that letter string. Note: A separate certification request is sent for each population specified, even if the certifier of each is the same.

Group Factories to Certify: Group Factory — All available groups created by group factories. This includes all identity attributes designated as group factories. Certifier Rule — Select the rule used to designate certifiers for the groups selected.

Included Applications: The applications from which roles and entitlements should be discovered when generating this certification. If no applications are specified, all of the applications are included.

Included Access: Select Entitlements to include entitlement access in the certification. Select Accounts to include only accounts in the certification. You can also choose to include Additional Entitlements, Roles and Accounts With No Entitlements in the certification.

Include Policy Violations: Include policy violations for each identity in the certification report. If this field is deactivated, no policy violations are included.

Tags: Specify one or more tags for the certifications created by this schedule. Tags can be used to classify certifications for searching and reporting.

Execution Frequency: The frequency with which this certification is run: Once, Hourly, Daily, Weekly, Monthly, Quarterly, Annually, or Continuously. The default is Once.

Run Now: Launch the certification request as soon as it is saved.

Start: The date and time at which the certification reports are created. You can enter the date manually, or click the calendar icon to select a date from the calendar. Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.

Lifecycle: Define the lifecycle of the certification.

Active Period Enter Rule: Select a rule from the drop-down list to apply when the certification enters its active period.

Certification Duration: This option is only available for continuous certifications. The period of time during which items remain in the certified state before requiring another certification.

Certification Required Duration: This option is only available for continuous certifications. The period of time during which items remain in the certification required state before moving to the overdue state if no action is taken by the certifier. For example, items that must be certified quarterly might have a two month certification duration and a one month certification required duration.

Enable Challenge Period: The period during which all revocation requests can be challenged by the user from whom the role or entitlement is being removed. Specify the duration of this phase. When the challenge phase begins, a work item and an email are sent to each user in the certification affected by a revocation decision. The work items contain the details of the revocation request and any comments added by the requestor. The affected user has the duration of the challenge period to accept the loss of access or challenge that decision. You can sign off on a certification in the challenge phase only if all challenges have been completed and no open decisions remain on the certification.

Enable Revocation Period: The period during which all revocation work should be completed. Specify the duration of this phase. The revocation phase is entered when a certification is signed off on or when the active and challenge phases have ended. When the revocation phase is entered, revocation is done either automatically, if your provisioning provider is configured for automatic revocation, or manually using a work request assigned to an IdentityIQ user with the proper authority on the specified application. Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation requests that are not acted upon during the revocation phase can be escalated as required. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. Click Details to view detailed revocation information.

Process Revokes Immediately: Specifies that revocation requests should be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off on. If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.

End Period Enter Rule: Select the rule to run when the certification enters the end period. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.
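The phase sequence and the revocation timing in the Lifecycle rows above are easy to misread, so the following Python model walks through them. It is an added illustration written for this guide, not SailPoint code, and its class, method and event names are assumptions. It records the event that releases each revocation request (decision saved, sign-off, challenge accepted, challenge period expired) under the Process Revokes Immediately and Enable Challenge Period options, blocks sign-off while open decisions or unfinished challenges remain, and chooses between the revocation and end phases as the End Period Enter Rule row describes.

```python
"""Model of the certification lifecycle rows: active period, optional challenge
period, optional revocation period, end phase, and the point at which each
revocation request is released. Added illustration, not SailPoint code; the
class, method and event names are assumptions made for this example."""
from enum import Enum


class Phase(Enum):
    ACTIVE = "active"
    CHALLENGE = "challenge"
    REVOCATION = "revocation"
    END = "end"


class Certification:
    def __init__(self, items, *, challenge_period=False, revocation_period=True,
                 process_revokes_immediately=False):
        self.items = set(items)
        self.challenge_period = challenge_period
        self.revocation_period = revocation_period
        self.process_revokes_immediately = process_revokes_immediately
        self.phase = Phase.ACTIVE
        self.decisions = {}    # item -> "approve" | "revoke" | "exception"
        self.challenges = {}   # item -> pending | accepted | challenged | resolved | expired
        self.dispatched = {}   # item -> the event that released the revocation request
        self.signed_off = False

    def decide(self, item, action):
        """Certifier decision during the active period."""
        if self.phase is not Phase.ACTIVE:
            raise RuntimeError("decisions are made during the active period")
        if item not in self.items or action not in ("approve", "revoke", "exception"):
            raise ValueError((item, action))
        self.decisions[item] = action
        # Process Revokes Immediately releases the request as soon as the decision
        # is saved, unless a challenge period holds it until accepted or expired.
        if action == "revoke" and self.process_revokes_immediately and not self.challenge_period:
            self.dispatched[item] = "decision saved"

    def undecided(self):
        return self.items - set(self.decisions)

    def revoked(self):
        return {i for i, a in self.decisions.items() if a == "revoke"}

    def enter_challenge_phase(self):
        """Active period over: each affected user gets a work item (modelled as a
        pending challenge) for every revocation whose request is still held."""
        self.phase = Phase.CHALLENGE
        for item in self.revoked() - set(self.dispatched):
            self.challenges[item] = "pending"

    def respond(self, item, accept_loss):
        """Affected user accepts the loss of access or challenges the decision."""
        if self.challenges.get(item) != "pending":
            raise RuntimeError(f"no open challenge work item for {item}")
        self.challenges[item] = "accepted" if accept_loss else "challenged"
        if accept_loss:
            self.dispatched[item] = "challenge accepted"

    def resolve_challenge(self, item, revoke_stands):
        """Certifier rules on a filed challenge. The page does not describe this
        step; reverting an upheld challenge to 'approve' is the example's assumption."""
        if self.challenges.get(item) != "challenged":
            raise RuntimeError(f"{item} has no filed challenge")
        self.challenges[item] = "resolved"
        if revoke_stands:
            self.dispatched[item] = "challenge rejected"
        else:
            self.decisions[item] = "approve"

    def expire_challenge_period(self):
        """Challenge period ends: requests the user never answered are released."""
        for item, state in list(self.challenges.items()):
            if state == "pending":
                self.challenges[item] = "expired"
                self.dispatched[item] = "challenge period expired"

    def sign_off(self):
        """Sign off and return the phase entered (challenge, revocation or end)."""
        if self.undecided():
            raise RuntimeError("open decisions remain: %s" % sorted(self.undecided()))
        if self.phase is Phase.CHALLENGE and any(
                s in ("pending", "challenged") for s in self.challenges.values()):
            raise RuntimeError("all challenges must be completed before sign-off")
        if self.phase is Phase.ACTIVE and self.challenge_period and self.revoked() - set(self.dispatched):
            # Held requests wait for acceptance or expiry, so the challenge phase
            # runs before the sign-off completes (this ordering is an assumption).
            self.enter_challenge_phase()
            return self.phase
        self.signed_off = True
        for item in self.revoked() - set(self.dispatched):
            self.dispatched[item] = "sign-off"   # Process Revokes Immediately was off
        # Revocation phase needs an active revocation period and a revocation
        # decision; otherwise the certification goes straight to the end phase.
        self.phase = Phase.REVOCATION if self.revocation_period and self.revoked() else Phase.END
        return self.phase
```

Running the model with challenge_period=True and process_revokes_immediately=True shows the interaction the Process Revokes Immediately row warns about: the request is not released when the decision is saved, only when the affected user accepts the loss or the challenge period expires.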

Enable Automatic Closing: Specifies that the remediation period should be enabled, during which IdentityIQ will periodically scan users to determine whether the requested remediations have been carried out. Use the following options to configure the details of this process.
Time After Certification Expiration - Select the amount of time following this access review’s expiration date that IdentityIQ should wait before attempting to automatically close it.
Closing Rule - Select the rule that IdentityIQ runs at the beginning of the automatic closing process.
Action Taken On Undecided Items - The action that IdentityIQ will assign to any undecided items when automatically closing this access review. Choose from Approve, Revoke, or Allow Exception.
Comments - Input the comments that IdentityIQ will add to any undecided items when automatically closing this access review.
Signer - Select the identity who signs off on automatically closed access reviews.

Notifications: Specify options about when reminders and escalations should occur for certifications and revocations.

Send Email Reminder(s) Before Certification Expires: Send email reminders to the request owner before the certification expires.
Send the first reminder: The number of days before the certification expiration date that the first reminder is sent.
Reminder Frequency: The frequency with which email reminders are sent until the certification is completed or expires.
Reminder Email Template: The IdentityIQ notification template used for the reminders.

Send Reminders During Certification Required Period: This option is only available for continuous certifications. Send email reminders before the certification enters the overdue state. If this option is active, the first reminder is sent when the certification request is generated.
Reminder Frequency: The frequency with which email reminders are sent until the request is completed or enters the overdue state.
Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Before Certification Expires: Send an escalation notice up the chain of command on certification status.
Escalation Trigger: The number of days after the certification is assigned, or the number of email reminders sent to the certification owner, before the first escalation notice is sent.
Escalation Rule: The escalation rules to apply when escalating a certification.
Escalation Email Template: The email template used for the escalation notification.

Escalate During Overdue Period: This option is only available for continuous certifications. Escalate the certification request when the certification enters the overdue period. Escalation is performed as specified by the rule selected. Specify the email template to use for escalation notifications.

Send Revocation Reminder(s): Send email reminders before the revocation period expires.
Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.
Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.
Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Revocation(s): Send an escalation notice and change the owner of the revocation request to the escalation recipient.
Escalation Trigger: The number of days after the revocation request is assigned, or the number of email reminders sent to the revocation request owner, before the first escalation notice is sent.
Escalation Rule: The escalation rule to apply when escalating a revocation request.
Escalation Email Template: The email template used for the escalation notification.

Notify Users Of Revocations: Send an email notification to identities from whom access has been revoked.

Behavior: Specify options that can change the presentation and behavior of the certification.

Initial Access Review View: Choose between the initial list view or the detailed view. The detailed view has an implied filter set (currently Status Open). Default is list view. Individual user preferences can override System configuration settings.

Default Access Review Grid View: Choose between the worksheet (line item) view or the identity view for the identity type Access Review Details page. Default is set to worksheet view. Individual user preferences can override System configuration settings.

Default Entitlement Display Mode: Choose between the entitlement value or the longer entitlement description display mode on the Access Review Details page.

Require Subordinate Completion: Enable this option to require the completion of all subordinate access reviews before the parent report can be completed.

Require Reassignment Completion: Enable this option to require the completion of all reassignment access reviews before the parent report can be completed.

Return Reassignments to Original Access Review: Enable this option to cause the contents of reassignment access reviews to be returned to the original access review when the reassigned access review is signed.
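As an added worked example (not SailPoint code; the function names, the placement of the escalation after the Nth reminder, and the sample dates are assumptions), the following Python computes the notification schedule the Notifications rows above describe for one certification or revocation request: reminder dates counted back from the expiration date, the continuous-certification variant whose first reminder goes out when the request is generated, and the escalation date for either trigger kind.

```python
"""Notification schedule for the reminder and escalation rows. Added
illustration, not SailPoint code; function names, escalation placement and
sample dates are assumptions made for this example."""
from datetime import date, timedelta


def reminder_dates(expires, first_reminder_days, frequency_days):
    """Reminders: the first one first_reminder_days before expiration, then every
    frequency_days, stopping once the certification (or revocation) has expired."""
    if first_reminder_days < 0 or frequency_days <= 0:
        raise ValueError("first_reminder_days must be >= 0 and frequency_days > 0")
    dates = []
    d = expires - timedelta(days=first_reminder_days)
    while d < expires:
        dates.append(d)
        d += timedelta(days=frequency_days)
    return dates


def continuous_reminder_dates(generated, overdue_at, frequency_days):
    """Send Reminders During Certification Required Period: the first reminder is
    sent when the request is generated, then every frequency_days until overdue."""
    if frequency_days <= 0:
        raise ValueError("frequency_days must be > 0")
    dates = []
    d = generated
    while d < overdue_at:
        dates.append(d)
        d += timedelta(days=frequency_days)
    return dates


def escalation_date(assigned, expires, reminders, frequency_days, *,
                    trigger_days=None, trigger_reminders=None):
    """First escalation notice. Exactly one trigger is configured: trigger_days
    after assignment, or once trigger_reminders reminders have gone out, in which
    case the escalation takes the next reminder slot (an assumption of this
    example). Returns None when the trigger would fall on or after expiration."""
    if (trigger_days is None) == (trigger_reminders is None):
        raise ValueError("configure either trigger_days or trigger_reminders")
    if trigger_days is not None:
        d = assigned + timedelta(days=trigger_days)
    else:
        if trigger_reminders < 1 or trigger_reminders > len(reminders):
            return None
        d = reminders[trigger_reminders - 1] + timedelta(days=frequency_days)
    return d if d < expires else None


def notification_plan(assigned, active_period_days, first_reminder_days,
                      frequency_days, **trigger):
    """Everything the owner receives for one certification: expiry, reminders,
    and the escalation date (None if it never fires before expiry)."""
    expires = assigned + timedelta(days=active_period_days)
    reminders = reminder_dates(expires, first_reminder_days, frequency_days)
    return {
        "expires": expires,
        "reminders": reminders,
        "escalation": escalation_date(assigned, expires, reminders, frequency_days, **trigger),
    }


if __name__ == "__main__":
    # Constructed sample: a 30-day certification assigned 1 March 2011, first
    # reminder 7 days before expiry, every 2 days, escalate after 2 reminders.
    for key, value in notification_plan(date(2011, 3, 1), 30, 7, 2, trigger_reminders=2).items():
        print(key, value)
```

A trigger of 30 days on a 30-day active period yields no escalation at all, which is the configuration mistake worth checking for: the certification expires on the day the escalation would have fired.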

Automatically Sign Off When All Items Are Reassigned: Enable this option to cause an access review to be automatically signed off when all items in the access review are reassigned. Note: The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.

Require Delegation Review: Enable this option to require a review to be performed on all delegated access reviews by the original access review owner.

Require Comments For Approval: Enable this option to require the certifier to include comments when an access review item is approved.

Require Bulk Certification Confirmation: Enable this option to require certifiers to confirm decisions when they are bulk certified within an access review.

Enable Line Item Delegation: Enable this option to allow certifiers to delegate individual items from an access review.

Enable Identity Delegation: Enable this option to allow certifiers to delegate entire identities in an access review.

Enable Account Revocation: Enable this option to allow users to bulk revoke all entitlements for a given account.

Enable Account Approval: Enable this option to allow users to bulk approve all entitlements for a given account.

Enable Allow Exceptions: Enable this option to allow certifiers to allow exceptions for entitlements that should be allowed for a time period.

Enable Default Exception Duration: Enable this option to set a default time period in which exceptions are allowed during the access review.

Enable Bulk Approval: Enable this option to allow users to bulk approve access review items.

Enable Bulk Revocation: Enable this option to allow users to bulk revoke access review items.

Enable Bulk Account Revocation: Enable this option to allow users to bulk revoke all entitlements for a given account.

Enable Bulk Allow Exceptions: Enable this option to allow users to bulk allow exceptions.

Enable Bulk Reassignment: Enable this option to allow users to bulk reassign access review items.

Enable Bulk Clear Decisions: Enable certifiers to cancel all decisions currently made on the access review.

Enable Provisioning Of Missing Role Requirements: Enable this option to allow users to request provisioning of missing required roles.

Advanced: Specify advanced options that can change the contents and behavior of the certification.

Sign Off Approver Rule: The rule used to determine if additional review is needed on the sign off decision. After the initial sign off by the certifier, this rule is run to determine if the decisions need to be reviewed by another approver. If they do, the certification request is sent to that user’s inbox and they receive an email notification, and the request must be acted upon. This process is repeated until no more reviewers are discovered by the rule.

Custom Name: The custom name template used to name certifications. This can contain parameterized content that is merged into the name when the certification is generated.

Custom Short Name: The custom short name template used to give certifications short names displayed on the dashboard. This can contain parameterized content that is merged into the short name when the certification is generated.

Scope: The scope of this certification schedule and all certifications generated by this schedule. Only users that control the designated scope or that own the objects created (certification requests) can see this schedule and its certifications. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.

Exclusion Rule: Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.

Save Exclusions: Activate to save any entitlements that are discovered but excluded from the certification, so that they can be used in reports.

Include IdentityIQ Capabilities: Include IdentityIQ capabilities of the identity for certification.

Include IdentityIQ Scopes: Include all controlled scopes for the identity being certified.

Exclude Logical Tier Entitlements: Exclude entitlements on tier application accounts from the certification. Additionally, any logical application entitlements will be filtered from the tier application entitlements.

Filter Logical Application Entitlements: Only logical entitlements defined on the logical application’s managed entitlement list will be included in the certification.

Exclude Composite Tier Entitlements: Exclude entitlements on tier application accounts from the certification. This only applies to composite applications.

Additional Entitlement Granularity: The granularity at which additional entitlements are listed in the certification. For example, if you select Attribute/Permission, each permission associated with each attribute is listed separately.

Pre-delegation Rule: Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated or reassigned to specific certifiers.

Email Owner on Pre-Delegation Completion: Select this checkbox to have an email notification sent back to the original owner once the pre-delegation is finished.

Allow Certifier to Provision Missing Required Roles: Enable the certifier to provision missing role requirements from within a certification.
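The Exclusion Rule and Save Exclusions rows here and in Table 31 both use the entitlement that every identity holds as their example. The following Python shows that logic over constructed data: it is an added illustration, not SailPoint code and not the BeanShell rule interface IdentityIQ exposes, and its data shapes, names, sample identities and coverage threshold are assumptions made for this example.

```python
"""Exclusion Rule and Save Exclusions, worked over constructed data. Added
illustration, not SailPoint code and not IdentityIQ's rule interface; data
shapes, names, sample identities and the threshold are assumptions."""
from collections import Counter

# Constructed sample: identity -> entitlements as (application, attribute, value).
IDENTITIES = {
    "alice": [("AD", "memberOf", "Domain Users"), ("AD", "memberOf", "Finance-Admins"),
              ("SAP", "role", "FI_CLERK")],
    "bob":   [("AD", "memberOf", "Domain Users"), ("SAP", "role", "FI_CLERK")],
    "carol": [("AD", "memberOf", "Domain Users"), ("AD", "memberOf", "Domain Admins")],
    "dave":  [("AD", "memberOf", "Domain Users")],
}


def ubiquitous_entitlements(identities, threshold=1.0):
    """Entitlements held by at least `threshold` of all identities; 1.0 means
    held by everyone, the case the Exclusion Rule row uses as its example."""
    if not 0 < threshold <= 1:
        raise ValueError("threshold must be in (0, 1]")
    counts = Counter(e for ents in identities.values() for e in set(ents))
    population = len(identities)
    return {e for e, n in counts.items() if n / population >= threshold}


def exclusion_rule(items, identities, threshold=1.0, always_exclude=frozenset()):
    """Split certification items into (to_certify, excluded). `always_exclude`
    stands in for entitlements an administrator lists explicitly in the rule."""
    exclude = ubiquitous_entitlements(identities, threshold) | set(always_exclude)
    to_certify, excluded = [], []
    for item in items:
        (excluded if item["entitlement"] in exclude else to_certify).append(item)
    return to_certify, excluded


def build_certification(identities, save_exclusions, threshold=1.0, always_exclude=frozenset()):
    """Generate the items, apply the exclusion rule, and keep the excluded items
    only when Save Exclusions is enabled; the count is kept either way."""
    items = [{"identity": who, "entitlement": e}
             for who, ents in identities.items() for e in ents]
    to_certify, excluded = exclusion_rule(items, identities, threshold, always_exclude)
    return {
        "items": to_certify,
        "exclusions": excluded if save_exclusions else [],
        "excluded_count": len(excluded),
    }


def certifier_view(certification):
    """What the certifier sees: identity -> sorted entitlements to decide on.
    Identities left with nothing to certify do not appear at all."""
    view = {}
    for item in certification["items"]:
        app, attr, value = item["entitlement"]
        view.setdefault(item["identity"], []).append(f"{app}:{attr}={value}")
    return {who: sorted(vals) for who, vals in view.items()}


if __name__ == "__main__":
    cert = build_certification(IDENTITIES, save_exclusions=True)
    print("to certify:", certifier_view(cert))
    print("saved exclusions:", cert["excluded_count"])
```

With Save Exclusions off the certifier still never sees the excluded items, but no record of them is kept for reporting; that is the practical difference the row describes, and the example keeps only the count in that case.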

Default Entitlement Display Mode: Select your preference for the way in which entitlement names are displayed in the certifications created by this schedule. Entitlement Name: the base name of the entitlement. Entitlement Description: the more verbose or intuitive description of the entitlement. Note: This setting is overwritten by user preferences set by the certifiers.

How to Schedule an Advanced Certification

Use the following procedure to schedule advanced certification requests. This procedure lists the basic steps required to launch a certification schedule. Certification schedules can be complex or simple, depending on the specific needs of your enterprise and the purpose of the certifications being scheduled. For a description of each option available on the page, see “Schedule an Advanced Certification” on page 108.

Procedure
1. Click the Monitor tab, or scroll over the tab and select Certifications.
2. Select Advanced from the Schedule New Certification drop-down list.
3. Enter a description for the certification.
4. Specify the populations to include in the certification and assign certifiers to each. Note: You must add at least one certifier for a population before adding additional populations below it in the list.
a. Select a population from the Population drop-down list.
b. Click Add to include the selected population.
c. Click the plus (+) icon to open the Certifier(s) text field.
d. Enter the first letter, or letters, of an identity to display a selection list of valid certifier identities containing that letter string, and select a certifier.
e. Click Add to include the selected certifier. You can add multiple certifiers for each population using the plus (+) icon. You can remove certifiers using the minus (-) icon.
f. Repeat these steps until all required populations are included in the certification.
5. Specify the date and time at which this certification should first run, or select Run Now. Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
6. Select the execution frequency for this certification from the drop-down list. Continuous certifications require additional information; see “Schedule an Advanced Certification” on page 108.
7. Click Schedule Certification to schedule the certification.

Schedule a Role Certification

There are two types of role certifications, composition and membership. The role composition certification is used to certify the roles and entitlements that make up a role. The role membership certification is used to certify the users to whom the role is assigned. The pages used to schedule the different role certification types are similar. Information that is exclusive to one type is noted in this section.

Scheduling a certification is broken down into a series of steps: Basic, Lifecycle, Notifications, and Advanced. The left-hand panel provides a summary of the steps and a brief description of each. You can move through the steps by selecting them in the Summary panel or by clicking Next at the bottom of the page. You do not have to move through the steps sequentially.

See Table 33, “Schedule Role Certification Field Descriptions,” on page 116 for a list of the fields on the certification schedule page and a description of each. You can also see a field description by placing your cursor on the question mark (?) icon displayed beside each field name.

To schedule a role certification, see How to Schedule a Role Certification on page 121.

Table 33—Schedule Role Certification Field Descriptions

Basic: Specify what to certify, when and the frequency with which the certification should be created, and who is responsible for performing the certification.

Certification Name: Name of the certification. The field is populated by default but can be edited as needed.

Certification Owner: The identity assigned as owner of the certification. The creator of the certification schedule is the owner by default.

Certify All Roles: Schedule a certification on all roles defined in your enterprise.

Select Role(s): Specify roles to certify by selecting them on the list. Alternatively, you can select a role type to certify by clicking the Certify By Role Type radio button and selecting the role type from the list.

Include Role Hierarchy: Composition Only: Create certification items for each role that is included in the roles selected for certification.

Tags: Specify one or more tags for the certifications created by this schedule. Tags can be used to classify certifications for searching and reporting.

Execution Frequency: The frequency with which this certification is run: Once, Hourly, Daily, Weekly, Monthly, Quarterly or Annually. The default is Once.

Run Now: Launch the certification request as soon as it is saved.

Start: The date and time at which the certification reports are created. You can enter the date manually, or click the calendar icon to select a date from the calendar. Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.

Lifecycle: Define the lifecycle of the certification.

Active Period Enter Rule: Select a rule from the drop-down list to apply when the certification enters its active period.

Active Period Duration: The review period during which all decisions required within this certification should be made. During this phase changes can be made to decisions as frequently as required. You can sign off on a certification in the active stage only if no roles or entitlements were revoked.

Process Revokes Immediately: Specifies that revocation requests should be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off on. If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.

End Period Enter Rule: Select the rule to run when the certification enters the end period. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.

Enable Automatic Closing: Specifies that the remediation period should be enabled, during which IdentityIQ will periodically scan users to determine whether the requested remediations have been carried out. Use the following options to configure the details of this process.
Time After Certification Expiration - Select the amount of time following this access review’s expiration date that IdentityIQ should wait before attempting to automatically close it.
Closing Rule - Select the rule that IdentityIQ runs at the beginning of the automatic closing process.
Action Taken On Undecided Items - The action that IdentityIQ will assign to any undecided items when automatically closing this access review. Choose from Approve, Revoke, or Allow Exception.
Comments - Input the comments that IdentityIQ will add to any undecided items when automatically closing this access review.
Signer - Select the identity who signs off on automatically closed access reviews.

Notifications: Specify options about when reminders and escalations should occur for certifications and revocations.

Send Email Reminder(s) Before Certification Expires: Send email reminders to the request owner before the certification expires.
Send the first reminder: The number of days before the certification expiration date that the first reminder is sent.
Reminder Frequency: The frequency with which email reminders are sent until the certification is completed or expires.
Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Before Certification Expires: Send an escalation notice up the chain of command on certification status.
Escalation Trigger: The number of days after the certification is assigned, or the number of email reminders sent to the certification owner, before the first escalation notice is sent.
Escalation Rule: The escalation rules to apply when escalating a certification.
Escalation Email Template: The email template used for the escalation notification.

Send Revocation Reminder(s): Send email reminders before the revocation period expires.
Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.
Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.
Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Revocation(s): Send an escalation notice and change the owner of the revocation request to the escalation recipient.
Escalation Trigger: The number of days after the revocation request is assigned, or the number of email reminders sent to the revocation request owner, before the first escalation notice is sent.
Escalation Rule: The escalation rule to apply when escalating a revocation request.
Escalation Email Template: The email template used for the escalation notification.

Notify Users Of Revocations: Send an email notification to identities from whom access has been revoked.

Behavior: Specify options that can change the presentation and behavior of the certification.

Initial Access Review View: Choose between the initial list view or the detailed view. The detailed view has an implied filter set (currently Status Open). Default is list view. Individual user preferences can override System configuration settings.

Default Access Review Grid View: Choose between the worksheet (line item) view or the identity view for the identity type Access Review Details page. Default is set to worksheet view. Individual user preferences can override System configuration settings.

Default Entitlement Display Mode: Choose between the entitlement value or the longer entitlement description display mode on the Access Review Details page.

Require Subordinate Completion: Enable this option to require the completion of all subordinate access reviews before the parent report can be completed.

Require Reassignment Completion: Enable this option to require the completion of all reassignment access reviews before the parent report can be completed.

Return Reassignments to Original Access Review: Enable this option to cause the contents of reassignment access reviews to be returned to the original access review when the reassigned access review is signed.

Automatically Sign Off When All Items Are Reassigned
  Enable this option to cause an access review to be automatically signed off when all items in the access review are reassigned.
  Note: The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.

Require Delegation Review
  Enable this option to require a review to be performed on all delegated access reviews by the original access review owner.

Require Comments For Approval
  Enable this option to require the certifier to include comments when an access review item is approved.

Require Bulk Certification Confirmation
  Enable this option to require certifiers to confirm decisions when they are bulk certified within an access review.

Enable Allow Exceptions
  Enable this option to allow certifiers to allow exceptions for entitlements that should be allowed for a time period.

Enable Default Exception Duration
  Enable this option to set a default time period in which exceptions are allowed during the access review.

Enable Line Item Delegation
  Enable this option to allow certifiers to delegate individual items from an access review.

Enable Identity Delegation
  Enable this option to allow certifiers to delegate entire identities in an access review.

Enable Bulk Approval
  Enable this option to allow users to bulk approve access review items.

Enable Bulk Revocation
  Enable this option to allow users to bulk revoke access review items.

Enable Bulk Allow Exceptions
  Enable this option to allow users to bulk allow exceptions.

Enable Bulk Reassignment
  Enable this option to allow users to bulk reassign access review items.

Enable Account Approval
  Enable this option to allow users to bulk approve all entitlements for a given account.

Enable Account Revocation
  Enable this option to allow users to bulk revoke all entitlements for a given account.

Enable Provisioning Of Missing Role Requirements
  Enable this option to allow users to request provisioning of missing required roles.

Enable Bulk Account Revocation
  Enable this option to allow users to bulk revoke all entitlements for a given account.

Enable Bulk Clear Decisions
  Enable certifiers to cancel all decisions currently made on the access review.

Advanced: Specify advanced options that can change the contents and behavior of the certification.

Description
  Enter a description of this certification.

Scope
  The scope of this certification schedule and all certifications generated by this schedule. Only users that control the designated scope or that own the objects created (certification requests) can see this schedule and certifications. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.

Custom Name
  The custom name template used to name certifications. This can contain parameterized content that is merged into the name when the certification is generated.

Custom Short Name
  The custom short name template used to give certifications short names displayed on the dashboard. This can contain parameterized content that is merged into the short name when the certification is generated.

Certifier(s)
  Assign to Manager — assign the certification request to the role member’s manager. This option is only available when creating a Role Membership certification. If the role members do not share a common manager, a separate certification request will be created for each manager with at least one direct report in the role under certification. If a manager is not found for an identity, the certification is assigned to the role owner for that identity.
  Assign to Role Owner — assign the certification to the owner of the role under certification. If multiple roles have been selected, separate certifications will be created if the given roles do not share a common owner. If no role owner is discovered, a warning is attached to the task results with a list of the items that could not be assigned for certification.
  Select Certifier Manually — enter the full name of a specific certifier or certifiers being assigned this certification. Typing the first few letters of the name displays a list of all of the authorized certifier names in the system containing that letter combination. You can select from the displayed list. Certifiers can be individual identities or workgroups. A name entered here overrides the default certifier for the type of certification requested.

Exclusion Rule
  Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.

Save Exclusions
  Activate to save any entitlements that are discovered but excluded from the certification so that they can be used in reports.

Exclude Inactive Identities
  Exclude inactive identities from new certifications and remove identities that become inactive from existing certifications.

Pre-delegation Rule
  Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated or reassigned to specific certifiers.

Email Owner on Pre-Delegation Completion
  Select this checkbox to have an email notification sent back to the original owner once the pre-delegation is finished.

Sign Off Approver Rule
  This option is only available for role membership certifications. The rule used to determine if additional review is needed on the sign off decision. After the initial sign off by the certifier, this rule is run to determine if the decisions need to be reviewed by another approver. If they do, the certification request is sent to that user’s inbox and they receive an email notification. This process is repeated until no more reviewers are discovered by the rule.

Allow certifier to provision missing required roles
  Enable the certifier to provision missing role requirements from within a certification.

Default Entitlement Display Mode
  Select your preference for the way in which entitlement names are displayed in the certifications created by this schedule.
  Entitlement Name: the base name of the entitlement.
  Entitlement Description: the more verbose or intuitive description of the entitlement.
  Note: This setting is overwritten by user preferences set by the certifiers.

How to Schedule a Role Certification

Use the following procedure to schedule a role certification. This procedure lists the basic steps required to launch a certification schedule. Certification schedules can be complex or simple, depending on the specific needs of your enterprise and the purpose of the certifications being scheduled. For a description of each option available on the page, see “Schedule a Role Certification” on page 116.

Procedure
1. Click the Monitor tab, or scroll over the tab and select Certifications.
2. Select Role Membership or Role Composition from the Schedule new certification drop-down list.
3. Select Certify All Roles to schedule a certification for all roles.
   —OR—
   Select specific roles to limit the scope of the certification.
4. Select the execution frequency for this certification from the drop-down list. Continuous certifications for role membership require additional information.

5. Specify the date and time at which this certification should first run, or select Run Now. Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
6. Specify the duration of the active period for this certification on the Lifecycle panel.
7. Click Schedule Certification to schedule the certification.

Schedule an Account Group Certification

There are two types of account group certifications, permissions and membership. The account group permissions certification is used to certify the entitlements and permissions that make up an account group. The account group membership certification is used to certify the users to whom the account group is assigned. The pages used to schedule the different certification types are similar. Information that is exclusive to one type will be noted in this section.

Scheduling a certification is broken down into a series of steps: Basic, Lifecycle, Notifications, and Advanced. The left-hand panel provides a summary of the steps and a brief description of each. You can move through the steps by selecting them in the Summary panel or by clicking Next at the bottom of the page. You do not have to move through the steps sequentially. You can also see a field description by placing your cursor on the question mark (?) icon displayed beside each field name.

To schedule an Account Group Certification, see How to Schedule an Account Group Certification on page 127. See Table 34, “Schedule Account Group Certification Field Descriptions,” on page 122 for a list of the fields on the Account Group Certification and a description of each.

Table 34— Schedule Account Group Certification Field Descriptions

Basic: Specify what to certify, when and the frequency with which the certification should be created, and who is responsible for performing the certification.

All Applications
  Schedule a certification on all account groups configured in your enterprise.

Application(s)
  Specify specific applications on which to limit the certification.

Certification Name
  Name of the certification. The field is populated by default but can be edited as needed.

Certification Owner
  The identity assigned as owner of the certification. The creator of the certification schedule is the owner by default.

Execution Frequency
  The frequency with which this certification is run: Once, Hourly, Daily, Weekly, Monthly, Quarterly or Annually. The default is Once.

Run Now
  Launch the certification request as soon as it is saved.

Start
  The date and time at which the certification reports are created. You can enter the date manually, or click the icon to select a date from the calendar.
  Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.

Tags
  Specify one or more tags for the certifications created by this schedule. Tags can be used to classify certifications for searching and reporting.

Lifecycle: Define the lifecycle of the certification.

Active Period Enter Rule
  Select a rule from the drop-down list to apply when the certification enters its active period.

Active Period Duration
  The review period during which all decisions required within this certification should be made. During this phase changes can be made to decisions as frequently as required. When you sign off on a certification it enters either the end phase or the revocation phase. You can sign off on a certification in the active stage only if no roles or entitlements were revoked or if the challenge period is not active. To enter the revocation phase, the revocation period must be active and a revocation decision exist. Specify the duration of this phase.

End Period Enter Rule
  Select the rule to run when the certification enters the end period.

Enable Automatic Closing
  Specifies that the remediation period should be enabled, during which IdentityIQ will periodically scan users to determine whether the requested remediations have been carried out. Use the following options to configure the details of this process.
  Time After Certification Expiration - Select the amount of time following this access review's expiration date that IdentityIQ should wait before attempting to automatically close it.
  Closing Rule - Select the rule that IdentityIQ runs at the beginning of the automatic closing process.
  Action Taken On Undecided Items - The action that IdentityIQ will assign to any undecided items when automatically closing this access review. Choose from Approve, Revoke, or Allow Exception.
  Comments - Input the comments that IdentityIQ will add to any undecided items when automatically closing this access review.
  Signer - Select the identity who signs off on automatically closed access reviews.

Process Revokes Immediately
  Specifies that revocation requests should be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off on. If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.

Notifications: Specify options about when reminders and escalations should occur for certifications and revocations.

Send Email Reminder(s) Before Certification Expires
  Send email reminders to the request owner before the certification expires.
  Send the first reminder: The number of days before the certification expiration date that the first reminder is sent.
  Reminder Frequency: The frequency with which email reminders are sent until the certification is completed or expires, or the number of email reminders that are sent to the certification owner.
  Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Before Certification Expires
  Send an escalation notice up the chain of command on certification status.
  Escalation Trigger: The number of days after a certification is assigned before the first escalation notice is sent.
  Escalation Rule: The escalation rules to apply when escalating a certification.
  Escalation Email Template: The email template used for the escalation notification.

Send Revocation Reminder(s)
  Send email reminders before the revocation period expires.
  Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.
  Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires, or the number of email reminders that are sent to the revocation request owner.
  Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Revocation(s)
  Send an escalation notice and change the owner of the revocation request to the escalation recipient.
  Escalation Trigger: The number of days after a revocation request is assigned before the first escalation notice is sent.
  Escalation Rule: The escalation rule to apply when escalating a revocation request.
  Escalation Email Template: The email template used for the escalation notification.

Behavior: Specify options that can change the presentation and behavior of the certification.

Initial Access Review View
  Choose between the initial list view or the detailed view. The detailed view has an implied filter set (currently Status = Open). Default is list view. Individual user preferences can override System configuration settings.

Default Access Review Grid View
  Choose between the worksheet (line item) view or the identity view for the identity type Access Review Details page. Default is set to worksheet view. Individual user preferences can override System configuration settings.

Default Entitlement Display Mode
  Choose between the entitlement value or the longer entitlement description display mode on the Access Review Details page.

Require Subordinate Completion
  Enable this option to require the completion of all subordinate access reviews before the parent report can be completed.

Require Reassignment Completion
  Enable this option to require the completion of all reassignment access reviews before the parent report can be completed.
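The reminder and escalation settings above are easy to misconfigure so that nothing fires while the certification is still open. The following Python is an added example, not SailPoint code: it turns the "Send the first reminder", "Reminder Frequency" (taken here as a number of days) and "Escalation Trigger" values into concrete dates and reports the two checks a reviewer of a schedule would want. The dates and day counts are constructed sample values; the guide's alternative of expressing Reminder Frequency as a count of reminders is not modelled.

```python
"""Reminder and escalation timeline for the Notifications settings above.

Added example, not SailPoint code. All dates below are constructed samples.
"""
from datetime import date, timedelta
from typing import List, Optional


def reminder_dates(expiration: date, first_reminder_days: int, frequency_days: int,
                   completed: Optional[date] = None) -> List[date]:
    """Dates on which a reminder goes out: the first one first_reminder_days before
    the expiration date, then every frequency_days until the certification is
    completed or expires (no reminder is sent on or after either date)."""
    if first_reminder_days <= 0 or frequency_days <= 0:
        raise ValueError("reminder offsets must be positive day counts")
    dates = []
    day = expiration - timedelta(days=first_reminder_days)
    while day < expiration and (completed is None or day < completed):
        dates.append(day)
        day += timedelta(days=frequency_days)
    return dates


def escalation_date(assigned: date, trigger_days: int) -> date:
    """The escalation notice fires trigger_days after the certification (or the
    revocation request) is assigned."""
    if trigger_days <= 0:
        raise ValueError("escalation trigger must be a positive day count")
    return assigned + timedelta(days=trigger_days)


def check_schedule(assigned: date, expiration: date, first_reminder_days: int,
                   frequency_days: int, trigger_days: int) -> List[str]:
    """Problems with a schedule that the UI will accept but that never do what
    the administrator expects. Returns an empty list for a sound schedule."""
    issues = []
    first = reminder_dates(expiration, first_reminder_days, frequency_days)[0]
    if first < assigned:
        # The certification does not exist yet on that date, so reminders start
        # only from the assignment date and the lead time is shorter than configured.
        issues.append("first reminder is scheduled before the certification is assigned")
    if escalation_date(assigned, trigger_days) >= expiration:
        # An escalation after expiration changes the owner of an already expired item.
        issues.append("escalation would fire on or after the expiration date")
    return issues


if __name__ == "__main__":
    assigned, expires = date(2011, 3, 1), date(2011, 3, 31)   # constructed sample dates
    print(reminder_dates(expires, first_reminder_days=7, frequency_days=3))
    print(check_schedule(assigned, expires, 45, 3, 40))
```

A schedule with a 30-day active period, first reminder 7 days before expiry, a 3-day frequency and a 20-day escalation trigger produces reminders on the 24th, 27th and 30th and escalates on the 21st; the same schedule with a 45-day lead and a 40-day trigger is flagged on both counts.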

Return Reassignments to Original Access Review
  Enable this option to cause the contents of reassignment access reviews to be returned to the original access review when the reassigned access review is signed.

Automatically Sign Off When All Items Are Reassigned
  Enable this option to cause an access review to be automatically signed off when all items in the access review are reassigned.
  Note: The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.

Require Delegation Review
  Enable this option to require a review to be performed on all delegated access reviews by the original access review owner.

Require Comments For Approval
  Enable this option to require the certifier to include comments when an access review item is approved.

Require Bulk Certification Confirmation
  Enable this option to require certifiers to confirm decisions when they are bulk certified within an access review.

Enable Allow Exceptions
  Enable this option to allow certifiers to allow exceptions for entitlements that should be allowed for a time period.

Enable Default Exception Duration
  Enable this option to set a default time period in which exceptions are allowed during the access review.

Enable Line Item Delegation
  Enable this option to allow certifiers to delegate individual items from an access review.

Enable Identity Delegation
  Enable this option to allow certifiers to delegate entire identities in an access review.

Enable Bulk Approval
  Enable this option to allow users to bulk approve access review items.

Enable Bulk Revocation
  Enable this option to allow users to bulk revoke access review items.

Enable Bulk Allow Exceptions
  Enable this option to allow users to bulk allow exceptions.

Enable Account Approval
  Enable this option to allow users to bulk approve all entitlements for a given account.

Enable Account Revocation
  Enable this option to allow users to bulk revoke all entitlements for a given account.

Enable Provisioning Of Missing Role Requirements
  Enable this option to allow users to request provisioning of missing required roles.

Enable Bulk Reassignment
  Enable this option to allow users to bulk reassign access review items.

Enable Bulk Account Revocation
  Enable this option to allow users to bulk revoke all entitlements for a given account.

Enable Bulk Clear Decisions
  Enable certifiers to cancel all decisions currently made on the access review.

Advanced: Specify advanced options that can change the contents and behavior of the certification.

Scope
  The scope of this certification schedule and all certifications generated by this schedule. Only users that control the designated scope or that own the objects created (certification requests) can see this schedule and certifications. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.

Custom Name
  The custom name template used to name certifications. This can contain parameterized content that is merged into the name when the certification is generated.

Custom Short Name
  The custom short name template used to give certifications short names displayed on the dashboard. This can contain parameterized content that is merged into the short name when the certification is generated.

Certifier(s)
  The full name of a specific certifier or certifiers being assigned this certification. Typing the first few letters of the name displays a list of all of the authorized certifier names in the system containing that letter combination. You can select from the displayed list. Certifiers can be individual identities or workgroups. A name entered here overrides the account group owner as certifier for this certification request.

Additional Entitlement Granularity
  The granularity at which additional entitlements are listed in the certification. For example, if you select Attribute/Permission, each permission associated with each attribute is listed, and must be acted upon, separately.

Exclusion Rule
  Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.

Save Exclusions
  Activate to save any entitlements that are discovered but excluded from the certification so that they can be used in reports.

Pre-delegation Rule
  Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated or reassigned to specific certifiers.

Email Owner on Pre-Delegation Completion
  Select this checkbox to have an email notification sent back to the original owner once the pre-delegation is finished.

Default Entitlement Display Mode
  Select your preference for the way in which entitlement names are displayed in the certifications created by this schedule.
  Entitlement Name: the base name of the entitlement.
  Entitlement Description: the more verbose or intuitive description of the entitlement.
  Note: This setting is overwritten by user preferences set by the certifiers.

How to Schedule an Account Group Certification

Use the following procedure to schedule an Account Group Certification. This procedure lists the basic steps required to launch a certification schedule. Certification schedules can be complex or simple, depending on the specific needs of your enterprise and the purpose of the certifications being scheduled. For a description of each option available on the page, see “Schedule an Account Group Certification” on page 122.

Scheduling a certification is broken down into a series of steps: Basic, Lifecycle, Notifications, and Advanced. The left-hand panel provides a summary of the steps and a brief description of each. You can move through the steps by selecting them in the Summary panel or by clicking Next at the bottom of the page. You do not have to move through the steps sequentially.

Procedure
1. Click the Monitor tab, or scroll over the tab and select Certifications.
2. Select Account Group from the Schedule new certification drop-down list.
3. Select All Applications to schedule a certification for all account groups.
   —OR—
   Select specific applications to limit the scope of the certification.
4. Select the execution frequency for this certification from the drop-down list.
5. Specify the date and time at which this certification should first run or select Run Now. Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
6. Specify the duration of the active period for this certification on the Lifecycle panel.
7. Click Schedule Certification to schedule the certification.

Schedule an Identity Certification

Schedule Identity Certifications for any or all users from the Identity Risk Scores, Identity Search Results, or Policy Violations pages. Identity Certifications are certification requests for users with risk scores that warrant special attention or who are currently in violation of a policy. These do not replace the regularly scheduled certification requests, but are in addition to those certifications.

To schedule a Manager Certification, see How to Schedule an Identity Certification on page 134.

Table 35—Schedule Identity Certification Field Descriptions

Basic: Specify what to certify, when and the frequency with which the certification should be created, and who is responsible for performing the certification.

All Managers
  Schedule a certification for all managers configured in the IdentityIQ application.

Recipient
  The full name of a specific manager being assigned a certification. Typing the first few letters of the name displays a list of all of the manager names in the system containing that letter combination. You can select from the displayed list.

Certification Name
  Name of the certification. The field is populated by default but can be edited as needed.

Certification Owner
  The identity assigned as owner of the certification. The creator of the certification schedule is the owner by default.

Included Applications
  The applications from which roles and entitlements should be discovered when generating this certification. If no applications are specified then all of the applications are included.

Include Roles
  Include roles assigned to the identity in the certification.

Include Additional Entitlements
  Include entitlements that are assigned to an identity but are not contained within a defined role in the certification.

Include Policy Violations
  Include policy violations for each identity in the certification report. If this field is deactivated no policy violations are included.

Execution Frequency
  The frequency with which this certification is run: Once, Hourly, Daily, Weekly, Monthly, Quarterly, Annually, or Continuously. The default is Once.

Run Now
  Launch the certification request as soon as it is saved.

Start
  The date and time at which the certification reports are created. You can enter the date manually, or click the icon to select a date from the calendar.
  Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.

Tags
  Specify one or more tags for the certifications created by this schedule. Tags can be used to classify certifications for searching and reporting.

Lifecycle: Define the lifecycle of the certification.

Active Period Rule
  Select a rule from the drop-down list to apply when the certification enters its active period.

Active Period Duration
  This option is not available for continuous certifications. The review period during which all decisions required within this certification should be made. During this phase changes can be made to decisions as frequently as required. When you sign off on a certification it enters either the end phase or the revocation phase. You can sign off on a certification in the active stage only if no roles or entitlements were revoked or if the challenge period is not active. To enter the revocation phase, the revocation period must be active and a revocation decision exist. Specify the length of this phase.

Certification Duration
  This option is only available for continuous certifications. The period of time during which items remain in the certified state before requiring another certification. For example, items that must be certified quarterly might have a two month certification duration and a one month certification required duration.

Certification Required Duration
  This option is only available for continuous certifications. The period of time during which items remain in the certification required state before moving to the overdue state if no action is taken by the certifier.

End Period Enter Rule
  Select the rule to run when the certification enters the end period.

Enable Challenge Period
  The period during which all revocation requests can be challenged by the user from which the role or entitlement is being removed. When the challenge phase begins, a work item and email is sent to each user in the certification affected by a revocation decision. The work items contain the details of the revocation request and any comments added by the requestor. The affected user has the duration of the challenge period to accept the loss of access or challenge that decision. You can sign off on a certification in the challenge phase only if all challenges have been completed and no open decisions remain on the certification. When you sign off on a certification it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision exist. Specify the length of this phase.

Enable Revocation Period
  The period during which all revocation work should be completed. The revocation phase is entered when a certification is signed off on or when the active and challenge phases have ended. When the revocation phase is entered, revocation is done either automatically, if your provisioning provider is configured for automatic revocation, or manually using a work request assigned to an IdentityIQ user with the proper authority on the specified application. Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. Revocation requests that are not acted upon during the revocation phase can be escalated as required. Click Details to view detailed revocation information. Specify the length of this phase.

Process Revokes Immediately
  Specifies that revocation requests should be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off on. If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.

Enable Automatic Closing
  Specifies that the remediation period should be enabled, during which IdentityIQ will periodically scan users to determine whether the requested remediations have been carried out. Use the following options to configure the details of this process.
  Time After Certification Expiration - Select the amount of time following this access review's expiration date that IdentityIQ should wait before attempting to automatically close it.
  Closing Rule - Select the rule that IdentityIQ runs at the beginning of the automatic closing process.
  Action Taken On Undecided Items - The action that IdentityIQ will assign to any undecided items when automatically closing this access review. Choose from Approve, Revoke, or Allow Exception.
  Comments - Input the comments that IdentityIQ will add to any undecided items when automatically closing this access review.
  Signer - Select the identity who signs off on automatically closed access reviews.

Notifications: Specify options about when reminders and escalations should occur for certifications and revocations.

Send Email Reminder(s) Before Certification Expires
  This option is not available for continuous certifications. Send email reminders before the certification expires.
  Send the first reminder: The number of days before the certification expiration date that the first reminder is sent.
  Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires, or the number of email reminders that are sent to the certification owner.
  Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Before Certification Expires
  This option is not available for continuous certifications. Send an escalation notice and change the owner of the certification to the escalation recipient.
  Escalation Trigger: The number of days after a certification is assigned before the first escalation notice is sent.
  Escalation Rule: The escalation rule to apply when escalating a certification request.
  Escalation Email Template: The email template used for the escalation notification.

Send Reminders During Certification Required Period
This option is only available for continuous certifications. Send email reminders before the certification enters the overdue state. If this option is active, the first reminder is sent when the certification request is generated.
Reminder Frequency: The frequency with which email reminders are sent until the request is completed or enters the overdue state.
Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate During Overdue Period
This option is only available for continuous certifications. Escalate the certification request when the certification enters the overdue period. Escalation is performed as specified by the rule selected. Select the email template used for the escalation notification.

Notify Users Of Revocations
Send an email notification to identities from whom access has been revoked.

Send Revocation Reminder(s)
Send email reminders before the revocation period expires.
Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.
Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.
Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Revocation(s)
Send an escalation notice and change the owner of the revocation request to the escalation recipient.
Escalation Trigger: The number of days after which a revocation request is assigned, or the number of email reminders that are sent to the revocation request owner, before the first escalation notice is sent.
Escalation Rule: The escalation rule to apply when escalating a revocation request.
Escalation Email Template: The email template used for the escalation notification.

Behavior: Specify options that can change the presentation and behavior of the certification.

Default Entitlement Display Mode
Choose between the entitlement value or the longer entitlement description display mode on the Access Review Details page. Individual user preferences can override System configuration settings.

Default Access Review Grid View
Choose between the worksheet (line item) view or the identity view for the identity type Access Review Details page. Default is set to worksheet view. Individual user preferences can override System configuration settings.

Initial Access Review View
Choose between the initial list view or the detailed view. Default is list view. The detailed view has an implied filter set (currently Status Open).

Require Subordinate Completion
Enable this option to require the completion of all subordinate access reviews before the parent report can be completed.

Require Reassignment Completion
Enable this option to require the completion of all reassignment access reviews before the parent report can be completed.

Return Reassignments to Original Access Review
Enable this option to cause the contents of reassignment access reviews to be returned back into the original access review when the reassigned access review is signed.

Automatically Sign Off When All Items Are Reassigned
Enable this option to cause an access review to be automatically signed off when all items in the access review are reassigned.
Note: The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.

Require Delegation Review
Enable this option to require a review to be performed on all delegated access reviews by the original access review owner.

Require Bulk Certification Confirmation
Enable this option to require certifiers to confirm decisions when they are bulk certified within an access review.

Require Comments For Approval
Enable this option to require the certifier to include comments when an access review item is approved.

Enable Line Item Delegation
Enable this option to allow certifiers to delegate individual items from an access review.

Enable Identity Delegation
Enable this option to allow certifiers to delegate entire identities in an access review.

Enable Allow Exceptions
Enable this option to allow certifiers to allow exceptions for entitlements that should be allowed for a time period.

Enable Default Exception Duration
Enable this option to set a default time period in which exceptions are allowed during the access review.

Enable Provisioning Of Missing Role Requirements
Enable this option to allow users to request provisioning of missing required roles.

Enable Account Approval
Enable this option to allow users to bulk approve all entitlements for a given account.

Enable Account Revocation
Enable this option to allow users to bulk revoke all entitlements for a given account.

Enable Bulk Approval
Enable this option to allow users to bulk approve access review items.

Enable Bulk Revocation
Enable this option to allow users to bulk revoke access review items.

Enable Bulk Account Revocation
Enable this option to allow users to bulk revoke all entitlements for a given account.

Enable Bulk Allow Exceptions
Enable this option to allow users to bulk allow exceptions.

Enable Bulk Reassignment
Enable this option to allow users to bulk reassign access review items.

Enable Bulk Clear Decisions
Enable certifiers to cancel all decisions currently made on the access review.

Advanced: Specify advanced options that can change the contents and behavior of the certification.

Generate certifications
Select whether to generate a certification request for the specified managers, or for the specified managers and all of their subordinate managers. If you select For the specified manager(s) only, the Flatten Hierarchy option is displayed. Select the Flatten Hierarchy option to include all of the employees that report directly to the selected managers and the employees that report to any subordinate managers on the certification request.

Custom Name
The custom name template used to name certifications. This can contain parameterized content that is merged into the name when the certification is generated.

Custom Short Name
The custom short name template used to give certifications short names displayed on the dashboard. This can contain parameterized content that is merged into the short name when the certification is generated.

Exclude Inactive Identities
Exclude inactive identities from new certifications and remove identities that become inactive from existing certifications.

Include IdentityIQ Capabilities
Include IdentityIQ capabilities of the identity for certification.

Include IdentityIQ Scopes
Include all controlled scopes for the identity being certified.

Additional Entitlement Granularity
The granularity at which additional entitlements are listed in the certification. For example, if you select Attribute/Permission, each permission associated with each attribute is listed separately and must be acted upon.

Exclude Logical Tier Entitlements
Exclude entitlements on tier application accounts from the certification. Additionally, any logical application entitlements will be filtered from the tier application entitlements.

Filter Logical Application Entitlements
Only logical entitlements defined on the logical application's managed entitlement list will be included in the certification.

Exclusion Rule
Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.

Save Exclusions
Activate to save any entitlements that are discovered but excluded from the certification, so that they can be used in reports.

Pre-delegation Rule
Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated or reassigned to specific certifiers.

Scope
The scope of this certification schedule and all certifications generated by this schedule. Only users that control the designated scope or that own the objects created (certification requests) can see this schedule and certifications. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.

Email Owner on Pre-Delegation Completion
Select this checkbox to have an email notification sent back to the original owner once the pre-delegation is finished.

Sign Off Approver Rule
The rule used to determine if additional review is needed on the sign off decision. After the initial sign off by the certifier, this rule is run to determine if the decisions need to be reviewed by another approver. If they do, the certification request is sent to that user’s inbox and they receive an email notification. This process is repeated until no more reviewers are discovered by the rule.

Allow certifier to provision missing required roles
Enable the certifier to provision missing role requirements from within a certification.

Default Entitlement Display Mode
Select your preference for the way in which entitlement names are displayed in the certifications created by this schedule.
Entitlement Name: the base name of the entitlement.
Entitlement Description: the more verbose or intuitive description of the entitlement.
Note: This setting is overwritten by user preferences set by the certifiers.

How to Schedule an Identity Certification
Use the following procedure to schedule an Identity Certification. This procedure lists the basic steps required to launch an identity certification schedule. Certification schedules can be complex or simple, depending on the specific needs of your enterprise and the purpose of the certifications being scheduled. For a description of the other options available on the page, see “Schedule an Identity Certification” on page 127.

Procedure
1. From the Identity Risk Scores, Identity Search Results, or Policy Violations page, select users for which to schedule Identity Certifications using the check-boxes in the left-hand column. Use the selection options at the top of the column to assist in the selection process. The number of users selected is displayed at the bottom of the table.
2. Select Certify Identity from the Select Decision drop-down list at the top right-hand side of the page to launch the Schedule Certification page.
3. In the Certifiers field: Select Assign to Managers to assign certifications to the managers of the identities selected and specify a default certifier for those identities with no manager assigned.
— OR —
Select Select Certifier Manually, click the plus (+) icon, and select a certifier from the list. You can repeat this process as many times as needed.

4. Use the identities table to add or remove users to the certification request. Enter a letter, or letters, of an identity to display a selection list of IdentityIQ users.
5. Specify the duration of the active period for this certification on the Lifecycle panel. Continuous certifications require additional information, see “Schedule a Manager Certification” on page 86.
6. Select the execution frequency for this certification from the drop-down list.
7. Specify the date and time at which this certification should first run or select Run Now.
Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.
8. Click Save to schedule the certification.

Additional Information
Identity Certifications are created from the Identity Risk Scores, Identity Search Results, or Policy Violation page. See Identity Risk Scores on page 521, Identity Search Results on page 459, and Policy Violations on page 453.


Section II: Configuring IdentityIQ

Chapter 5: Configuring IdentityIQ

Overview
You must set up IdentityIQ to work within your enterprise before it can help you make more strategic decisions using systems that collect, store, access and analyze corporate data from sources all across the enterprise. These features, combined with information discovered from your application and user configuration, create the Identity Cubes that enable you to monitor and maintain compliance on multiple applications and data sources.
Refer to your SailPoint Technologies IdentityIQ Installation Guide for information on installing and deploying IdentityIQ.
Use the following IdentityIQ components to improve internal governance measures, optimize compliance efforts and more effectively manage risk.
• Configure Applications on page 139 — define the applications in your enterprise that will work with IdentityIQ. From this page you will specify the connection properties, relevant attributes, aggregation rules, and activity information for each application.
• Role Management on page 249 — create and maintain roles and profiles that define your enterprise.
• Group and Population Configuration on page 281 — work with groups and populations of identities. When these are enabled, activity can be tracked and monitored by membership and risk information, such as policy violations or risk scores, and displayed on the Dashboard. Groups and Populations and Account Groups can also be used in IdentityIQ searches.
• Activity Target Categories on page 291 — create categories of targets for use in IdentityIQ activity searching.
• Define Policies on page 293 — define policies for your enterprise. Policies are comprised of rules used to enforce your policies.
• Configure Risk Scoring on page 305 — define the risk scoring model for use by IdentityIQ. IdentityIQ uses a combination of base access risk and compensated scoring to determine the overall risk scores, or composite risk score, used throughout the IdentityIQ application.
• Business Process Management on page 311 — create and manage the workflows that are used throughout your enterprise. A workflow contains a sequence of steps or activities and each step can perform one or more actions.
• System Setup on page 321 — system setup options include login rules, identity mappings and system settings used throughout the IdentityIQ application.

Chapter 6: Configure Applications
You must define each application in your enterprise. Specify the connection properties, relevant attributes, targets and aggregation rules for each application. Use the Configure Application page to add or edit applications.

Application List Page
The Application List page displays all of the applications currently configured. Click on an existing application or click New Application to open the Application Configuration Page. The Application List contains the following information:

Table 36—Application List Column Descriptions

Name
The name of the application.

Host
Host on which the application resides.

Type
The application type, for example LDAP or JDBC.

Modified
The date on which the application was last modified.

Owner
The owner of the application.

Application Configuration Page
Use the Application Configuration page to define the applications in your enterprise. From this page you will specify the connection properties, relevant attributes, aggregation rules, and activity information for each application. For each application enter or edit the following information:

Table 37—Configure Application Page Field Descriptions

Name
The name of the application. This is the name used to identify the application throughout the IdentityIQ application.

Owner
The owner of the application. The owner specified here is responsible for certifications and account group certifications requested on this application if no revoker is specified. Application ownership can be assigned to an individual identity or a workgroup. If the application ownership is assigned to a workgroup, all members share certification responsibilities, are assigned certification requests associated with the application, and all can take action on those requests.

Revoker
The default IdentityIQ user or workgroup to be assigned revocation requests associated with entitlements on this application.
Note: If no user is specified in this field, all revocation requests are assigned to the application owner by default.

Scope
The scope for this application. If scope is assigned, only the owner of the application or users that control the designated scope can work with this application. Objects associated with this application, for example entitlements in a certification request, are visible to a user with any or no controlled scope, but if a new object is being created, for example a certification schedule, this application does not appear on the select list unless the creator controls the scope assigned. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.

Description
A brief description of the application.

Application Type
The application type, for example LDAP or JDBC. The Application Type drop-down list contains the types of application to which IdentityIQ can connect. This list will grow and change to meet the needs of SailPoint’s IdentityIQ users. The Tiers, Attributes, Schema, Correlation, Rules, Descriptions, Managed Entitlements, Activity Data Sources, Provisioning Policy, Risk, Password Policy, and Unstructured Targets tabs contain information specific to the application type selected. See Application Configuration Tabs on page 141.

Authoritative Application
Select if this application is an authoritative application. An authoritative application is a repository for employee information for your enterprise, for example a human resources application. These might not be at-risk applications, but they are the data source from which the majority of the IdentityIQ Identity Cubes are built. You can specify multiple authoritative applications.

Profile Class
An optional class used to associate this application with a larger set of applications for role modeling purposes. For example, you might set a profile class of XYZ on all of the applications on which any user that has read account privileges should be assigned the role XYZ Account Reader. During the correlation process any user with read account privileges on any of the applications with the profile class XYZ is assigned the role XYZ Account Reader. You can then create a single profile for that role instead of a separate profile for each instance of the applications.

Case Insensitive
Use to cause case insensitive comparisons of account attribute values when evaluating provisioning policy.

When you have finished adding the attribute information, click Save to save your changes and return to the Application List page.

Application Configuration Tabs
The information contained on the Tiers, Attributes, Schema, Correlation, Rules, Descriptions, Activity Data Sources, Risk, and Unstructured Targets tabs is determined by the type of application specified on the Application Type drop-down list. Use these tabs to define how each application will interact with IdentityIQ.
Note: The Tiers tab is only available with the Logical application type. See Logical Connector on page 165.
Note: The Unstructured Targets tab is only available with the Active Directory application type. See Unstructured Targets Tab on page 162.

Attributes Tab
The Attributes tab contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different connection information and the fields on this tab are changed accordingly. The field content is dependent on the application being configured. Enter the information on this tab as required by the application type being configured. This tab also contains any extended attributes that were configured for your deployment of IdentityIQ. The extended attributes are displayed at the bottom of the table. Click Test Connection to verify the information is correct. See Connector Attribute Configuration on page 156 for information on the required attributes for each connector type.

Schema Tab
The Schema tab is used to define the user and group attributes for the application being configured. Most application types include a default set of schema attributes. The connectors for some application types enable the automatic discovery of the base schema attributes for those applications. For application types that already exist in IdentityIQ, click Discover Schema Attributes to automatically populate your schema tables. After using the automatic discovery function you must designate the Identity Attribute and Display Attribute for the application. For more dynamic application types (i.e. JDBC or DelimitedFile), account and group schemas should be defined manually. For those application types, click Add Account Schema or Add Group Schema to specify the type of attribute you are defining. See Delimited File Connector on page 168 and JDBC Connector on page 189. When initially configuring applications, click New Schema Attribute to expand the attribute fields and add the attribute information. Use the following fields to define attributes for use with the IdentityIQ application. See Connector Attribute Configuration on page 156 for information on each connector type.

Table 38—Application Configuration - Schema Tab Field Descriptions

Native Object Type
The type of object with which the attributes are associated. For example, User and Group for Active Directory LDAP, or DBA_USER and DBA_ROLES for Oracle.
Note: LDAP's default types are iNetOrgPerson for users and groupOfUniqueNames for groups.
Note: This is a required field.

Identity Attribute
The attribute that is used by the IdentityIQ application to identify the object.
Note: This is a required field.

Display Attribute
The attribute that is used as the object name as it appears throughout the IdentityIQ application.
Note: This is a required field.

Instance Attribute
The attribute that uniquely identifies a specific instance of an application.

Include Permissions
Select this function to automatically add directPermissions to the schema. With this option activated, IdentityIQ correctly pulls in permission data for identities. This option is available for Oracle and DelimitedFile applications.

Attributes:

Name
The name of the attribute.

Description
A brief description of the attribute.

Type
The type of attribute being defined, for example string or boolean. Select from the drop-down list.

Remediation Modifiable
Attributes that are remediation modifiable can have their values and permissions modified from the Certification Report page for the identity being certified. Specify the method of modification for this attribute:
Select — display a select list of all possible values or permissions for this attribute.
Free text — display a text field in which a certifier can enter any value.

Entitlement
Specify attributes to be used as entitlements on this application. Attributes specified as entitlements are used by IdentityIQ as follows:
— as additional entitlements during certification. See Access Review Page - Decisions Tab on page 29.
— in account group certifications. See Access Review Page - Decisions Tab on page 29.
— when creating profiles based on existing users on this application. See Role Management on page 249.
— in Lifecycle Manager. See Request Entitlements on page 530.

Group
Mark an attribute as group if the value stored in the attribute is group membership and you are also aggregating the groups. This will enable group information to display each time you click on a group name or group icon on the product pages.

Multi-Valued
Specify attributes for which multiple values might be returned during aggregation. Attributes flagged as multi-valued are stored as a list. Even objects that have a single value for a multi-value attribute are stored as a single-item list. Multi-valued attributes are sometimes used to build account groups and can be used for queries throughout the product. Before multi-valued attributes are available for use in searches, they must be mapped on the Edit Account Attribute page. See Edit Account Attributes Page on page 335.

Minable
Specify attributes for use during role and profile creation. Profiles are created on the IdentityIQ Modeler and are used to create roles. When creating roles and profiles it is possible to mine applications for attributes and permissions to use in those objects rather than manually entering the values. Only attributes designated as minable are returned by those searches.

Correlation Key
Specify attributes that IdentityIQ can use to correlate activity discovered in the activity logs for this application with information stored in identity cubes. For example, activity logs might contain the full name of users instead of unique account ids. Therefore, correlation between the activity discovered by an activity scan and the identity cube of the user that performed the action must key off of the user’s full name.
Note: Correlation Key is only used during activity aggregation. If activity aggregation is not being used, Correlation Key should not be selected.

For example.  Specify the method of modification for this attribute: Select — display a select list of all possible values or permissions for this attribute. Correlation Tab Use the correlation tab to configure how application accounts are assigned to identities within IdentityIQ using account and identity information. • Identity Attribute — the name of the identity attribute to use when searching for managers. and you have an identity attribute email configured within IdentityIQ with the value set as the email address for every identity cube. Service and Administrator accounts might be handled using condition based correlation. Managed Entitlements can be specific to one application or shared among multiple applications of the same type. a direct mapping can be used. To configure Account Correlation you can select an existing correlation configuration from the list or create a new configuration using the correlation wizard. if the application has an attribute managerEmail with the value set as the email address of the manager of every user with an account on the application. you can correlate the application's account attribute “mail” with an identity's attribute “email”. In the manager correlation section. For example. configure how assigned managers should be resolved to identities using existing information. • Condition Based Correlation — assigns application accounts to existing identities by defining attribute conditions. • Application Attribute — the name of the applications account attribute that holds the reference to the manager. The correlation wizard will walk you through both attribute and condition based correlation. the Application Attribute and the Identity Attribute. This is how accounts are typically correlated to Identities. 
• Attribute Based Correlation — use attributes of the application's account to find identities based on attribute values stored on Identity objects. Free text — display a text field in which a certifier can enter any value. For example. the root account on Unix typically does not have any identifying attributes that can help when trying correlate it to an existing identity. you would correlate the application attribute managerEmail with the identity attribute email to perform manager correlation. 144 IdentityIQ User’s Guide .Application Configuration Page Table 38—Application Configuration . Managed Entitlements can also be defined in multiple languages. To configure Manager Correlation you must select two attributes. By default IdentityIQ supports up to three languages but that number can be increased during the configuration process. Managed Entitlements Tab Use the application Managed Entitlements tab to define and maintain entitlement properties associated with a specific application or application type. In cases where the account owner is known because they are the application owner.Schema Tab Field Descriptions Fields Remediation Modifiable Descriptions Attributes that are remediation modifiable can have their values and permissions modified from the Certification Report page for the identity being certified.
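The three correlation mechanisms described above (attribute based, condition based and manager correlation), as an added simplified illustration in Python; this is not IdentityIQ code, and the Identity, Account and Application classes, the sample identities and the unix-hosts application with its conditions are constructed for the example. Ambiguous matches (two identities sharing an email) are deliberately left uncorrelated rather than guessed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Identity:
    """A minimal Identity Cube: a name plus its identity attributes (hypothetical model)."""
    name: str
    attributes: Dict[str, str]


@dataclass
class Account:
    """An application account discovered by aggregation (hypothetical model)."""
    native_identity: str
    attributes: Dict[str, str]


@dataclass
class Application:
    name: str
    owner: str
    # Attribute based correlation: (account attribute, identity attribute), tried in order.
    attribute_mappings: List[Tuple[str, str]]
    # Condition based correlation: (predicate over the account, identity name to assign).
    conditions: List[Tuple[Callable[[Account], bool], str]] = field(default_factory=list)
    # Manager correlation: (Application Attribute, Identity Attribute).
    manager_correlation: Optional[Tuple[str, str]] = None


def _unique_match(identities: List[Identity], attr: str, value: str) -> Optional[Identity]:
    """Return the single identity whose attribute equals value, else None."""
    matches = [i for i in identities if i.attributes.get(attr) == value]
    return matches[0] if len(matches) == 1 else None


def correlate_account(app: Application, acct: Account,
                      identities: List[Identity]) -> Optional[str]:
    """Name of the identity the account belongs to, or None if it stays uncorrelated."""
    for acct_attr, id_attr in app.attribute_mappings:
        value = acct.attributes.get(acct_attr)
        if value:
            match = _unique_match(identities, id_attr, value)
            if match is not None:
                return match.name
        # Missing value, no match or an ambiguous match: never guess, try the next rule.
    for predicate, identity_name in app.conditions:
        if predicate(acct):
            return identity_name
    return None


def correlate_manager(app: Application, acct: Account,
                      identities: List[Identity]) -> Optional[str]:
    """Resolve the manager reference stored on the account to an identity name."""
    if app.manager_correlation is None:
        return None
    app_attr, id_attr = app.manager_correlation
    ref = acct.attributes.get(app_attr)
    if not ref:
        return None
    match = _unique_match(identities, id_attr, ref)
    return match.name if match is not None else None


def run_correlation(app: Application, accounts: List[Account], identities: List[Identity]):
    """Return ({native_identity: identity name or None}, {identity name: manager name})."""
    owners: Dict[str, Optional[str]] = {}
    managers: Dict[str, str] = {}
    for acct in accounts:
        owner = correlate_account(app, acct, identities)
        owners[acct.native_identity] = owner
        if owner is not None:
            manager = correlate_manager(app, acct, identities)
            if manager is not None:
                managers[owner] = manager
    return owners, managers


# Constructed sample data, not from the manual.
IDENTITIES = [
    Identity("alice", {"email": "alice@example.com"}),
    Identity("bob", {"email": "bob@example.com"}),
    Identity("carol", {"email": "carol@example.com"}),
]

UNIX_APP = Application(
    name="unix-hosts",
    owner="carol",
    attribute_mappings=[("mail", "email")],
    conditions=[
        # root has no identifying attributes: map it directly to the application owner.
        (lambda a: a.native_identity == "root", "carol"),
        # service accounts are handled by a naming condition.
        (lambda a: a.native_identity.startswith("svc-"), "carol"),
    ],
    manager_correlation=("managerEmail", "email"),
)

ACCOUNTS = [
    Account("alice", {"mail": "alice@example.com"}),
    Account("bob", {"mail": "bob@example.com", "managerEmail": "alice@example.com"}),
    Account("root", {}),
    Account("svc-backup", {}),
    Account("jdoe", {"mail": "jdoe@example.com"}),  # no matching identity: stays uncorrelated
]

if __name__ == "__main__":
    print(run_correlation(UNIX_APP, ACCOUNTS, IDENTITIES))
```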

Use the Find missing managed entitlements function to find any application entitlements that do not have descriptions, and use the import and export features to move descriptions to and from CSV files.
Note: Managed Entitlement description lengths in IdentityIQ are limited to 450 characters. Importing CSVs with longer descriptions will result in a truncated description appearing in the Managed Entitlement description field.
You can search the list of descriptions using any of the description fields for the application and language. Click on an existing description row to display the Edit Entitlement Description panel.

The Managed Entitlements tab contains the following information:

Table 39—Application Configuration - Managed Entitlements Tab Field Descriptions

Select Language
Specify the language in which the descriptions are displayed on this page. IdentityIQ supports up to three languages by default. That number can be increased during configuration.

Advanced Search
Click Advanced Search to expand the search panel.

New Managed Entitlement
Display the New Entitlement Description panel and enter the following information:
Type — select entitlement or permission from the drop-down list
Attribute — select the entitlement attribute from the drop-down list
Value — specify a value
Description — enter the descriptive text for the entitlement or permission
Owner — type the name of the entitlement owner
Requestable — use the check box to make the entitlement requestable in Lifecycle Manager (sold separately)
Use for all <type> applications — specify if the description should be used for this application or all applications of this type

Type
The type of description, entitlement or permission.

Attribute
The attribute name.

Value
The entitlement, permission or account group value.

Description
The full description.

Owner
The owner of the entitlement. This field is only available for entitlements.

Requestable
Indicates whether or not the entitlement is requestable in Lifecycle Manager (sold separately).

  Import Descriptions: Import descriptions from a CSV file. Specify if the imported descriptions are to be used for this specific application or all applications of this type. The import data file must be in the following CSV format and must be in UTF-8 format or plain ASCII:
    type,attribute,value,description text
  "Type" in the above format must be either Entitlement or Permission.
  Note: Existing entitlement descriptions with the same type/attribute/value will be overwritten by the import data.
  Export: Export all descriptions from this catalog. Specify if the export includes the descriptions for this application or for all applications of this type.
  Find missing managed entitlements: Launch a task to discover any entitlements that are not listed in the descriptions table. The task adds the entitlements to the table with empty description fields that can be edited later.
  View latest results: View the results of the latest missing entitlement task.

Risk Tab
The application Risk tab provides a current application risk score and a detailed view of the raw and compensated risk score for each category used to derive that score. These scores are based on the latest information discovered by IdentityIQ. This page also provides a list of the top composite score contributors, providing further information on how the score was derived and clues on the areas of highest risk.

IdentityIQ uses a combination of base access risk and compensated scoring to determine the overall application risk scores. All scores are calculated by first determining the percentage of accounts that have the qualities tested by the component score. For example, if 10 out of 100 accounts are flagged as service accounts, then the raw percentage is ten percent (.10). This number is then multiplied by a sensitivity value which can be used to increase or decrease the impact of the original percentage. The default sensitivity value is 5, making the adjusted percentage fifty percent (.50). This final percentage is then applied to the score range of 1000, resulting in a component score of 500. After the component score is calculated, a weight, or compensating factor, is applied to each component score to determine the amount each will contribute to the overall risk score, or composite risk score, for the application. For example, a few violator accounts might increase risk more than many inactive accounts.

The Service, Inactive, and Privileged component scores look for links that have a configured attribute, for example the component service with a configured value true. The Dormant Account score looks for a configured attribute that is expected to have a date value, for example lastLogin. This algorithm has an argument, daysTillDormant, that defaults to thirty (30). If the last login date is more than thirty (30) days prior to the current date, the account is considered dormant and is factored into the risk score.
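The import rules above (four-column CSV, Entitlement or Permission type, 450-character limit, overwrite on matching type/attribute/value) as an added example; this is not SailPoint's code, and the catalog dictionary, sample file and entitlement names are constructed for illustration.

```python
"""Added example (not SailPoint's code): simulate the Managed Entitlements
CSV import described above.  Rows have the form
    type,attribute,value,description text
where type must be Entitlement or Permission, descriptions are truncated
to 450 characters, and an existing description with the same
type/attribute/value is overwritten.  The catalog is a plain dict standing
in for the product's description table."""
import csv
import io

MAX_DESCRIPTION = 450            # limit stated in the guide
VALID_TYPES = {"Entitlement", "Permission"}


def parse_import(text):
    """Parse CSV text. Returns (rows, warnings): rows is a list of dicts keyed
    type/attribute/value/description; warnings lists rejected rows and
    truncated descriptions with their 1-based line numbers."""
    rows, warnings = [], []
    reader = csv.reader(io.StringIO(text))
    for lineno, record in enumerate(reader, start=1):
        if not record or all(not c.strip() for c in record):
            continue                                   # blank line
        if len(record) < 4:
            warnings.append(f"line {lineno}: expected 4 columns, got {len(record)}")
            continue
        etype, attribute, value = (c.strip() for c in record[:3])
        # A description containing commas must be quoted; if it was not,
        # re-join the spilled columns so nothing is silently dropped.
        description = ",".join(record[3:]).strip()
        if etype not in VALID_TYPES:
            warnings.append(f"line {lineno}: type must be Entitlement or Permission, got {etype!r}")
            continue
        if len(description) > MAX_DESCRIPTION:
            warnings.append(f"line {lineno}: description truncated to {MAX_DESCRIPTION} characters")
            description = description[:MAX_DESCRIPTION]
        rows.append({"type": etype, "attribute": attribute, "value": value,
                     "description": description})
    return rows, warnings


def merge_descriptions(catalog, rows):
    """Apply parsed rows to a catalog dict keyed by (type, attribute, value).
    Matching keys are overwritten, as the guide's note says; returns the
    number of entries that were overwritten."""
    overwritten = 0
    for row in rows:
        key = (row["type"], row["attribute"], row["value"])
        if key in catalog:
            overwritten += 1
        catalog[key] = row["description"]
    return overwritten


# Constructed sample import file (not product data).
SAMPLE_CSV = (
    "Entitlement,memberOf,CN=Payroll Admins,Can approve payroll runs\n"
    "Permission,Payroll DB,select,Read access to payroll tables\n"
    "Entitlement,memberOf,CN=Domain Admins,\"Full control of the domain, all objects\"\n"
    "Group,memberOf,CN=Bad Type,Rejected because the type is not allowed\n"
    "Entitlement,memberOf,CN=Long," + "x" * 500 + "\n"
)

if __name__ == "__main__":
    catalog = {("Entitlement", "memberOf", "CN=Payroll Admins"): "old text"}
    rows, warnings = parse_import(SAMPLE_CSV)
    n = merge_descriptions(catalog, rows)
    print(f"imported {len(rows)} rows, overwrote {n}, {len(warnings)} warnings")
    for w in warnings:
        print(" -", w)
```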

The Violator Account score looks for links whose owning identity has a number of policy violations greater than a configured threshold. The default threshold is ten (10). The Risky Account score looks for links whose owning identity has a composite risk score greater than a configured threshold. The default threshold is five hundred (500).

Activity Data Sources Tab
The Activity Data Source tab is used to configure the data sources from which activity information is collected. The information collected from these sources is normalized and then stored by IdentityIQ and used to monitor activity information for users and applications. Activity information is collected and correlated using the Activity Aggregation task. Activity information displayed on the Dashboard or returned by activity searches is based on the information stored by IdentityIQ since the last aggregation and correlation tasks were run.
Right-click on a data source and select Edit or click New Activity Data Source to access the Activity Data Source Configuration page. See Activity Data Source Configuration on page 151. Right-click on a data source and select Delete to remove an activity data source.
The Activity Data Sources table contains the following information:
Table 40—Application Configuration - Activity Data Source Tab Table Descriptions
  Name: A descriptive name for the activity data source from which the activity data is collected.
  Type: The activity data source type, for example JDBC Collector, Log File, or Windows Event Log Collector.
  Modified: The date on which the activity data source was last modified.

Rules Tab
These are the rules that can be customized to handle the complexity of the data being extracted. Rules are specific to connectors and are used throughout the product. The rules in this table apply to all applications and are called by the aggregation process. You can write more than one of each type and select the rule to use from drop-down lists. A file containing an example of each rule type is included in the IdentityIQ installation package. The examplerules.xml file is located in the identityiq_HOME/WEB-INF/config directory. The delimited file connector has rules that are specific to its implementation: buildMapRule, mergeMapsRule, and mapToResourceObject Rule. A correlation rule is only required if there is more than one application and a correlation configuration has not been defined. See Logical Connector - Connection Attributes on page 167.
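The scoring arithmetic described above (raw percentage, sensitivity, 1000-point range, per-component weight, and the dormant, violator and risky tests with their default thresholds) worked through as an added example; this is not SailPoint's code. The account records, the weights and the rule that weighted contributions are summed and capped at 1000 are this example's assumptions, since the guide gives no default weights.

```python
"""Added example (not SailPoint's code): reproduce the component and
composite application risk arithmetic described in the Risk Tab section.
Weights and account records are constructed; summing weighted component
scores and capping at 1000 is this example's assumption."""
from datetime import date, timedelta

SCORE_RANGE = 1000
DEFAULT_SENSITIVITY = 5.0


def component_score(flagged, total, sensitivity=DEFAULT_SENSITIVITY):
    """Percentage of flagged accounts times sensitivity, applied to the 1000
    range and capped at the top of the range (10/100 * 5 * 1000 = 500)."""
    if total == 0:
        return 0.0
    adjusted = (flagged / total) * sensitivity
    return min(adjusted, 1.0) * SCORE_RANGE


def is_dormant(last_login, today, days_till_dormant=30):
    """Dormant when the last login is more than daysTillDormant days old.
    An account with no recorded login is treated as dormant (assumption)."""
    if last_login is None:
        return True
    return (today - last_login).days > days_till_dormant


def application_risk(accounts, weights, today, sensitivity=DEFAULT_SENSITIVITY,
                     violation_threshold=10, risky_threshold=500,
                     days_till_dormant=30):
    """Return (composite, per_component) for a list of account dicts with the
    keys service/inactive/privileged (bool), last_login (date or None),
    violations (count on the owning identity) and identity_score."""
    total = len(accounts)
    tests = {
        "service":    lambda a: a.get("service", False),
        "inactive":   lambda a: a.get("inactive", False),
        "privileged": lambda a: a.get("privileged", False),
        "dormant":    lambda a: is_dormant(a.get("last_login"), today, days_till_dormant),
        "violator":   lambda a: a.get("violations", 0) > violation_threshold,
        "risky":      lambda a: a.get("identity_score", 0) > risky_threshold,
    }
    per_component = {}
    for name, test in tests.items():
        flagged = sum(1 for a in accounts if test(a))
        per_component[name] = component_score(flagged, total, sensitivity)
    # Weight (compensating factor) per component, then sum and cap.
    composite = sum(per_component[n] * weights.get(n, 0.0) for n in per_component)
    return round(min(composite, SCORE_RANGE), 2), per_component


TODAY = date(2011, 6, 1)   # constructed "current date"

# Constructed weights: violators count for more than inactive accounts, as the
# guide's example suggests.
SAMPLE_WEIGHTS = {"service": 0.2, "inactive": 0.1, "privileged": 0.3,
                  "dormant": 0.1, "violator": 0.5, "risky": 0.3}


def sample_accounts():
    """Constructed sample: 100 accounts, 10 service, 4 dormant, 2 violators."""
    accts = []
    for i in range(100):
        accts.append({
            "service": i < 10,
            "last_login": TODAY - timedelta(days=45 if i < 4 else 5),
            "violations": 12 if i < 2 else 0,
            "identity_score": 0,
        })
    return accts


if __name__ == "__main__":
    composite, parts = application_risk(sample_accounts(), SAMPLE_WEIGHTS, TODAY)
    for name, score in parts.items():
        print(f"{name:10s} {score:6.1f}")
    print("composite", composite)
```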

Provisioning Policy Tab
Provisioning Policies are used to define account attributes that must be set when creating an account due to a change in role assignments or due to a Lifecycle Manager request. A policy can be attached to an IdentityIQ application or role and is used as part of the provisioning process. With a provisioning policy in place, when a role is requested the user must input specified criteria into a generated form before the request can be completed. See How to Create or Edit a Provisioning Policy on page 258 for information on how to work with provisioning policies.
The Provisioning Policy Editor panel contains the following information:
Table 41—Application Configuration - Provisioning Policy Editor Field Descriptions
  Name: The name of your provisioning policy.
  Description: A brief description of the provisioning policy.
  Application: The application associated with the account attributes or permissions for this provisioning policy.
  Owner: The owner of the provisioning policy. This is determined by selecting from the following:
    None — no owner is assigned to this provisioning policy
    Application Owner — identity assigned as owner of the application in which the provisioning policy resides
    Role Owner — identity assigned as owner of the role in which the provisioning policy resides
    Rule — use a rule to determine the owner of this provisioning policy
    Script — use a script to determine the owner of this provisioning policy

Edit Provisioning Policy Fields Panel
Use the Edit Provisioning Policy Fields panel to customize the look and function of the form fields generated from the provisioning policy.
  Name: The name of the field.
  Display Name: The name displayed for the field in the form generated by the provisioning policy.
  Help Text: The text you wish to appear when hovering the mouse over the help icon.
  Type: Select the type of field from the drop-down list. Choose from the following:
    Boolean — true or false values field
    Date — calendar date field
    Integer — only numerical values field
    Long — similar to integer but is used for large numerical values
    Identity — specific identity in IdentityIQ field
    Secret — hidden text field
    String — text field
  Required: Choose whether or not to make the completion of this field a requirement for submitting the form.
  Review Required: Choose whether or not to require the person who is approving the workflow item to approve this field.

  Value: Determine how the value is derived. Choose from the following:
    None — the field is blank
    Literal — value is based on the information you provide
    Rule — value is based on a specified rule
    Script — value is determined by the execution of a script
  Multi Valued: Choose this to have more than one selectable value in this field of the generated form. Click the plus sign to add another value.
  Allowed Values: The value(s) which may be displayed in the field of the generated form. Choose from the following:
    None — the field is blank
    Literal — value is based on the information you provide
    Rule — value is based on a specified rule
    Script — value is determined by the execution of a script
  Default Value: The value displayed in the field of the generated form before editing. Select from the following:
    Literal — value is based on the information you provide
    Rule — value is based on a specified rule
    Script — value is determined by the execution of a script
  Validation: Gives the ability to specify a script or rule for validating the user's value. For example, a script that validates that a password is 8 characters or longer.
  Owner: The owner of this provisioning policy field. This is determined by selecting from the following:
    None — no owner is assigned to this provisioning policy
    Application Owner — identity assigned as owner of the application in which the provisioning policy resides
    Role Owner — identity assigned as owner of the role in which the provisioning policy resides
    Rule — use a rule to determine the owner of this provisioning policy
    Script — use a script to determine the owner of this provisioning policy

Password Policy Tab
Use the password policy tab to select and create password policies which apply to specified applications. Click an existing password policy to edit it or click Create New Policy to configure one from scratch.
The password policy panel contains the following:
Table 42—Application Configuration - Password Policy Field Descriptions
  Name: The name of your password policy.
  Description: A brief description of the password policy.

Table 43—Application Configuration - Password Policy Editor Field Descriptions
  Password Policy Name: The name of your password policy.
  Password Policy Description: A brief description of the password policy.
  Minimum number of characters: Input the minimum number of characters required for a valid password.
  Maximum number of characters: Input the maximum number of characters permitted for a valid password.
  Minimum number of letters: Input the minimum number of letters required for a valid password.
  Minimum number of digits: Input the minimum number of numerical digits required for a valid password.
  Minimum number of uppercase letters: Input the minimum number of uppercase letters required for a valid password.
  Minimum number of lowercase letters: Input the minimum number of lowercase letters required for a valid password.
  Minimum number of special characters: Input the minimum number of special characters required for a valid password.
  Password history length: The number of past passwords that cannot be used again.
  Validate passwords against the password dictionary: Select to disallow the use of any password defined in the password dictionary. The password dictionary is a configurable list of terms unavailable for use as passwords. The passwordDictionary.xml file is located in IdentityIQ/WEB-INF/config/.
  Validate passwords against the identity's list of attributes: Select to disallow the use of Identity attribute values as passwords.
  Validate passwords against the identity's account attributes: Select to disallow the use of Identity link attribute values as passwords.

  A character from each of the following selected categories: Select which character categories are required for a valid password. Choose one or more of the following character categories: English Uppercase, English Lowercase, Base 10 digits, Non-alphanumeric, Unicode. Ctrl + click to select more than one category.
  Configure Password Filter: Select a filter which will select the identities to which this password policy will apply. Select from the following filters:
    All — all identities have this password policy applied
    Match List — only identities whose criteria match that specified in the list. Add identity attributes, application attributes and application permissions. The criteria is configured using the tools provided. Customize further by creating attribute groups to which this password policy applies.
      Note: If the "Is Null" checkbox is selected, the associated value textbox is disabled. When the "is null" match is processed, the term matches users on the chosen application who have a null value for that attribute/permission.
    Filter — use an XML filter or compound filter to determine the identities to which this password policy applies
    Script — use a BeanShell script to determine the identities to which this password policy applies
    Rule — use a rule to determine the identities to which this password policy applies
    Population — select a population to which this password policy applies

Activity Data Source Configuration
Use the Activity Data Source Configuration page to add or edit activity data sources. Activity collectors access activity data sources such as event or audit logs, collect the activity information that is to be monitored, and transform that data into a format that can be read by IdentityIQ. These Activity Data Sources are used for all activity aggregation and reporting.
Changes made on this page are not committed until a save is performed on the application with which they are associated. For example, if you add or delete a data source on this page and click Save, you will not see that change reflected on the application until you click Save on the application page and commit the change.
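Before moving on to activity data sources, the Password Policy Editor fields above (length bounds, per-class minimums, required character categories, history length, and the dictionary, identity-attribute and account-attribute checks) as an added validator example; this is not SailPoint's code. The policy values, dictionary words and identity record are constructed, and the containment test with a three-character floor is this example's stricter reading of "disallow the use of ... values as passwords".

```python
"""Added example (not SailPoint's code): a validator modelled on the
Password Policy Editor fields.  Policy keys reuse the editor's field names;
the policy, dictionary and identity below are constructed sample data."""

# Category tests mirror the "A character from each of the following selected
# categories" choices in the editor.
CATEGORY_TESTS = {
    "English Uppercase": lambda c: "A" <= c <= "Z",
    "English Lowercase": lambda c: "a" <= c <= "z",
    "Base 10 digits":    lambda c: "0" <= c <= "9",
    "Non-alphanumeric":  lambda c: c.isascii() and not c.isalnum() and not c.isspace(),
    "Unicode":           lambda c: not c.isascii(),
}


def _contains_any(lowered_password, values):
    """True if any value (at least 3 chars, case-insensitive) appears in the
    password; the 3-char floor is this example's choice, not the guide's."""
    return any(len(str(v)) >= 3 and str(v).lower() in lowered_password
               for v in values if v)


def validate_password(password, policy, identity=None, history=()):
    """Return the list of violated rule names (empty list means it passes)."""
    failures = []
    n = len(password)
    counts = {
        "Minimum number of characters": n,
        "Minimum number of letters": sum(c.isalpha() for c in password),
        "Minimum number of digits": sum(c.isdigit() for c in password),
        "Minimum number of uppercase letters": sum(c.isupper() for c in password),
        "Minimum number of lowercase letters": sum(c.islower() for c in password),
        "Minimum number of special characters":
            sum((not c.isalnum()) and (not c.isspace()) for c in password),
    }
    for rule, count in counts.items():
        if count < policy.get(rule, 0):
            failures.append(rule)
    if n > policy.get("Maximum number of characters", n):
        failures.append("Maximum number of characters")

    for category in policy.get("Required character categories", []):
        if not any(CATEGORY_TESTS[category](c) for c in password):
            failures.append(f"Required category: {category}")

    # Password history length: the last N passwords may not be reused.
    hist_len = policy.get("Password history length", 0)
    if hist_len and password in list(history)[-hist_len:]:
        failures.append("Password history length")

    lowered = password.lower()
    if policy.get("Validate passwords against the password dictionary"):
        if _contains_any(lowered, policy.get("dictionary", [])):
            failures.append("Validate passwords against the password dictionary")

    if identity is not None:
        if policy.get("Validate passwords against the identity's list of attributes"):
            if _contains_any(lowered, identity.get("attributes", {}).values()):
                failures.append("Validate passwords against the identity's list of attributes")
        if policy.get("Validate passwords against the identity's account attributes"):
            link_values = [v for link in identity.get("links", []) for v in link.values()]
            if _contains_any(lowered, link_values):
                failures.append("Validate passwords against the identity's account attributes")
    return failures


# Constructed sample policy, identity and history (not product data).
SAMPLE_POLICY = {
    "Minimum number of characters": 8,
    "Maximum number of characters": 64,
    "Minimum number of digits": 1,
    "Minimum number of uppercase letters": 1,
    "Minimum number of special characters": 1,
    "Required character categories": ["English Uppercase", "Base 10 digits"],
    "Password history length": 3,
    "Validate passwords against the password dictionary": True,
    "dictionary": ["password", "sailpoint", "welcome"],
    "Validate passwords against the identity's list of attributes": True,
    "Validate passwords against the identity's account attributes": True,
}
SAMPLE_IDENTITY = {
    "attributes": {"firstname": "Ada", "lastname": "Lovelace", "email": "ada@example.com"},
    "links": [{"sAMAccountName": "alovelace", "employeeNumber": "44107"}],
}
SAMPLE_HISTORY = ["Winter#2010", "Spring#2011", "Summer#2011"]

if __name__ == "__main__":
    for candidate in ("Summer#2011", "Lovelace#44107", "password", "Tr0ub4dor&3x"):
        print(candidate, "->", validate_password(candidate, SAMPLE_POLICY,
                                                  SAMPLE_IDENTITY, SAMPLE_HISTORY))
```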

For each activity data source enter or edit the following:
• The general data source information in Table 44, “Configure Application Page Field Descriptions”
• Activity target information found on the Activity Target tab for each source type, see Activity Targets on page 152.
• The unique connection and query settings for each activity data source type:
  - JDBC Collector Settings on page 153
  - Windows Event Log Collector Settings on page 154
  - Log File Collector Settings on page 154
  - RACF Audit Log Collector on page 155

Table 44—Configure Application Page Field Descriptions
  Name: A short, descriptive name for the activity data source.
  Description: A brief description of the activity data source.
  Activity Data Source Type: The type of data source from which the activity is being collected. The Activity Data Source Type drop-down list contains the types of data source from which activity information can be collected. This list will grow and change to meet the needs of SailPoint’s IdentityIQ users.
  Transformation Rule: The transformation rule required to convert the data collected from the data source into a format that can be used by IdentityIQ. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 437.
  Correlation Rule: The correlation rule that should be used to correlate the activity data collected with identities. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 437.

Activity Targets
The Activity Targets tab is used to specify targets within this data source for use in activity searches. A target is a specific object within a data source that is acted upon. For example, a target might be a machine name for a login action, or a file name for a create action. The targets specified here are used to populate lists on the Activity Search page. These targets can be grouped with targets specified on other applications to create categories of targets. For example, if you have inventory applications at three different locations and a procurement database on each, you can set each procurement database as a target, create a Procurement category, and then collect activity for all three procurement databases using a single activity search.

On the Activity Targets tab you can add activity targets for the data source with which you are working. Type the name of the activity target in the field at the bottom of the list and click Add Activity Target. To remove activity targets, use the selection boxes on the left of the table and click Delete. See Activity Search on page 9.

JDBC Collector Settings
JDBC Connection Settings
IdentityIQ uses the connection settings to access the activity data source.
Table 45—Application Configuration - JDBC Collector Connection Settings
  Connection User: A valid JDBC user with access to the data source being accessed by this collector.
  Connection Password: The password associated with the Connection User if a password is required. The password is encrypted and is not displayed with the activity data source information.
  Database URL: The full url to the activity data source. For example, jdbc:mysql://localhost/db
  JDBC Driver: The driver class of the activity data source. For example, com.mysql.jdbc.Driver

Query Settings
The query settings are used to control the activity information that is collected when an Activity Aggregation task is run.
Table 46—Application Configuration - JDBC Collector Query Settings
  SQL Statement: The SQL statement used to query activity from the database.
  Position Builder: Rule that converts the last row in the result set returned by the query into a configuration map that is persisted into the IdentityIQ database. The data that is mapped in this rule is used by the condition builder to create a SQL statement used in future queries to determine the start location. This enables IdentityIQ to perform scheduled activity aggregations without having to scan entire data sets with each subsequent aggregation.
  Condition Builder: Transforms the data mapped in the rule selected as the Position Builder into a SQL statement used by subsequent queries to determine the start position.

Windows Event Log Collector Settings
Note: Before you can use the Windows Event Log Collector, the IQService must be installed and registered. Refer to the SailPoint Technologies, Implementation Guide for information on installing and registering the IQService.
Event Log Settings
IdentityIQ uses the connection settings to access the activity data source and the query settings to control the activity information that is collected when an Activity Aggregation task is run.
Table 47—Application Configuration - Windows Event Log Collector Settings
  User: Valid Windows user name with access to the event log containing the activity data.
  Password: The password associated with the user specified.
  Event Log Server: The server on which the activity data source resides.
  IQ Service Host: The host name on which the IQ service is running.
  IQ Service Port: The listening port of the IQ service.
  Query String: The MQL query used to specify the activity data to collect during the activity aggregation.
  Block Size: The number of events to retrieve with each activity aggregation performed on this activity data source.

Log File Collector Settings
Transport Settings
The transportation settings are used to access the server on which the log file containing the activity data resides.
Table 48—Application Configuration - Log File Collector Transportation Settings
  Transport Type — depending on the transport type selected you will see the following:
    local: If the log file containing the activity data is on the same server as IdentityIQ, no further connection-type information is required.
    ftp: FTP User — a valid user name with authentication access to the FTP host. FTP Password — the password associated with the FTP user. FTP Host — the host on which the log file resides.

    scp: SCP User — a valid user name with authentication access to the SCP host. SCP Password — the password associated with the SCP user. SCP Host — the host on which the log file resides. SCP Private Key — the private key that is used to encrypt the collected data.

Log File Settings
The log file settings are used to define the query used to collect the activity data.
Table 49—Application Configuration - Log File Collector Log File Settings
  File Name: The name of the log file containing the activity data.
  Lines to Skip: The number of lines to skip before starting the scan for activity information.
  Regular Expression: A regular expression with groups that can be used to tokenize each record in the file.
  Filter Nulls: Skip lines that don't conform to the defined format.
  Multi-lined Data: A single record in this file spans multiple rows.

Log Fields
The log field settings are used to create the log fields based on the column headings in the log file.
Table 50—Application Configuration - Log File Collector Log Fields
  Name: The name of the log field to create based on a column name from the log file.
  Trim Value: Remove white space around the column value before creating the log field.
  Drop Nulls: If the column by this name is null, ignore this record. For example, if the user field is null, then the record cannot be correlated to an IdentityIQ identity and, therefore, cannot be used by IdentityIQ.

RACF Audit Log Collector
Transport Settings
The transportation settings are used to access the server on which the log file containing the activity data resides.
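The Log File Settings and Log Fields above (Lines to Skip, a Regular Expression with groups, Filter Nulls, Trim Value and Drop Nulls) applied to constructed log lines, as an added example that is not SailPoint's collector code; the field names, the "-" placeholder treated as null, and the sample log are this example's assumptions, and Multi-lined Data is not handled.

```python
"""Added example (not SailPoint's code): a small reader that applies the Log
File Collector settings to sample lines.  Group names in the regular
expression double as the log field names; everything below is constructed."""
import re


def collect_log_fields(lines, regex, fields, lines_to_skip=0, filter_nulls=True):
    """Return (records, dropped): records is a list of dicts keyed by the
    configured log field names, dropped counts discarded lines.
    `fields` maps a field name to a dict of optional 'trim' / 'drop_nulls'."""
    pattern = re.compile(regex)
    records, dropped = [], 0
    for line in lines[lines_to_skip:]:             # Lines to Skip
        m = pattern.match(line)
        if m is None and filter_nulls:              # Filter Nulls: skip
            dropped += 1                            # non-conforming lines
            continue
        groups = m.groupdict() if m else {}
        record, discard = {}, False
        for name, opts in fields.items():
            value = groups.get(name)
            if value is not None and opts.get("trim", True):   # Trim Value
                value = value.strip()
            if value in (None, "", "-"):   # "-" as null is a constructed convention
                value = None
            if value is None and opts.get("drop_nulls"):       # Drop Nulls
                discard = True
                break
            record[name] = value
        if discard:
            dropped += 1
        else:
            records.append(record)
    return records, dropped


# Constructed sample log (two header lines, one record with no user, one
# line that does not match the format at all).
SAMPLE_LOG = [
    "# constructed sample: procurement DB access log",
    "timestamp            user       action  target          result",
    "2011-05-03 14:02:11  alovelace  login   PROC-DB-AUSTIN  success",
    "2011-05-03 14:05:40  -          login   PROC-DB-AUSTIN  failure",
    "2011-05-03 14:07:02  bsmith     select  PROC-DB-DALLAS  success",
    "garbage line that matches nothing",
]
LOG_REGEX = (r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
             r"(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<target>\S+)\s+(?P<result>\S+)")
LOG_FIELDS = {
    "timestamp": {"trim": True},
    "user": {"trim": True, "drop_nulls": True},   # uncorrelatable without a user
    "action": {},
    "target": {},
    "result": {},
}

if __name__ == "__main__":
    recs, dropped = collect_log_fields(SAMPLE_LOG, LOG_REGEX, LOG_FIELDS, lines_to_skip=2)
    print(f"{len(recs)} records kept, {dropped} dropped")
    for r in recs:
        print(r)
```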

Table 51—Application Configuration - RACF Audit Log Collector Transportation Settings
  Transport Type — depending on the transport type selected you will see the following:
    local: If the log file containing the activity data is on the same server as IdentityIQ, no further connection-type information is required.
    ftp: FTP User — a valid user name with authentication access to the FTP host. FTP Password — the password associated with the FTP user. FTP Host — the host on which the log file resides.
    scp: SCP User — a valid user name with authentication access to the SCP host. SCP Password — the password associated with the SCP user. SCP Host — the host on which the log file resides. SCP Private Key — the private key that is used to encrypt the collected data.

Log File Settings
The log file settings are used to define the query used to collect the activity data.
Table 52—Application Configuration - RACF Audit Log Collector Log File Settings
  File Name: The name of the log file containing the activity data.
  Lines to Skip: The number of lines to skip before starting the scan for activity information.
  Filter Nulls: Skip lines that don't conform to the defined format.

Connector Attribute Configuration
IdentityIQ uses connectors to extract data and transform it into a format it can read. Connectors provide the means by which IdentityIQ communicates with targeted platforms, applications and systems. A connector is a Java class that extends the IdentityIQ AbstractConnector class and implements the IdentityIQ Connector interface. Each application type requires different information to create and maintain a connection. This section describes the connectors delivered with IdentityIQ and their required host connection attributes.

Active Directory Connector
IdentityIQ uses the LDAP interface to Active Directory to communicate with and query Windows Domain Controllers. There are two types of group membership in Active Directory, a primary group concept and other group membership. In Active Directory you can only have one primary group, but any number of other groups. The other groups are listed as a property of the user object in Active Directory. When a user object is called it contains a list of groups in the member attribute. The primary group, however, is NOT listed as a group in the member attribute, so the connector must do a follow-up query to determine of which primary group the user is a member. The Active Directory connector uses the primaryGroupSearchDN attribute as the starting point when searching for a user’s primary group.

Active Directory Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The Active Directory connector uses the following connection attributes:
Table 53—Active Directory Connector - Connection Attributes
  useSSL: Specifies if the connection is over ssl.
  host: The host of the server.
  port: The port the server is listening through.
  user: The user to connect as. Typically a DN string such as Administrator.
  password: The password for the administrator account.
  searchDN: The search starting point. This is a DN string.
  primaryGroupSearchDN: Where to start in the tree when resolving a user's group membership. This is a DN string.
  searchScope: The depth to search the tree: ONELEVEL_SCOPE, OBJECT_SCOPE, or SUBTREE_SCOPE.
  authorizationType: Translates to the Context.SECURITY_AUTHENTICATION property in the api. The attribute value is one of the following strings: none, simple, strong.
  pageSize: The number of objects to get, per page, when iterating over large numbers of objects. The default is 100.
  iterateSearchFilter: An optional filter that can be added to the configuration to scope the objects returned when the iterateObjects method is called.
  groupHierarchyAttribute: The name of the attribute from the GROUP schema that represents the groups to which this account group belongs. Specifying an attribute here enables the native account group hierarchy model to be displayed through IdentityIQ. Clear this field if you choose not to use IdentityIQ’s database hierarchy model. The default value is memberOf.
  filterString: This setting can be used to filter objects as they are returned for an underlying application. Derived attributes can also be included in the filter.

Active Directory Connector - Schema Attributes
The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities' Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities.
Table 54—Active Directory Connector - Account Attributes
  businessCategory: The types of business performed by an organization. Examples: “engineering”, “finance”, and “sales”. Each string is one value of this multi-valued attribute.
  carLicense: This attribute type contains the license plate or vehicle registration number associated with the user.
  cn: This attribute type contains names of an object. If the object corresponds to a person, it is typically the person's full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”. Each name is one value of this multi-valued attribute.
  departmentNumber: This attribute contains a numerical designation for a department within your enterprise.
  description: This attribute type contains human-readable descriptive phrases about the object. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”. Each description is one value of this multi-valued attribute.
  destinationIndicator: This attribute type contains country and city strings associated with the object (the addressee) needed to provide the Public Telegram Service. The strings are composed in accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Examples: “AASD” as a destination indicator for Sydney, Australia; “GBLD” as a destination indicator for London, United Kingdom. Note: The directory will not ensure that values of this attribute conform to the F.1 and F.31 CCITT Recommendations. It is the application's responsibility to ensure destination indicators that it stores in this attribute are appropriately constructed. Each string is one value of this multi-valued attribute.
  displayName: This attribute contains the preferred name to be used for this person throughout the application.
  dn: This attribute contains the distinguished name by which the user is known.
  employeeNumber: This attribute contains the numerical identification key for this person within your enterprise.
  employeeType: This attribute contains a descriptive type for this user, for example, full time, contractor, or part time.
  facsimileTelephoneNumber: This attribute type contains telephone numbers and any required parameters for facsimile terminals. Each telephone number is one value of this multi-valued attribute.

  givenName: This attribute type contains name strings that are the part of a person's name that is not their surname. Examples: “John”, “Sue”, and “David”. Each name is one value of this multi-valued attribute.
  homePhone: This attribute contains the employee's home phone number.
  homePostalAddress: This attribute contains the employee's mailing address.
  initials: This attribute type contains strings of initials of some or all of an individual's names, except the surname(s). Examples: “J. A.” and “J”. Each string is one value of this multi-valued attribute.
  internationalISDNNumber: This attribute type contains Integrated Services Digital Network (ISDN) addresses, as defined in the International Telecommunication Union (ITU) Recommendation E.164 [E.164]. Each string is one value of this multi-valued attribute.
  l: This attribute type contains names of a locality or place, such as a city, county, or other geographic region. Examples: “Austin”, “Chicago”, and “Brisbane”. Each name is one value of this multi-valued attribute.
  mail: This attribute type contains the RFC822 mailbox for the user.
  manager: This attribute type contains the distinguished name of the manager to whom this person reports.
  mobile: This attribute type contains the mobile telephone number of this person.
  o: This attribute type contains the names of an organization. Examples: “SailPoint”, “SailPoint Technologies, Incorporated.”, and “SailPoint, Inc.”. Each name is one value of this multi-valued attribute.
  ou: This attribute type contains the names of an organizational unit. Examples: “Sales”, “Human Resources”, and “Information Technologies”. Each name is one value of this multi-valued attribute.
  pager: This attribute type contains the telephone number of this person's pager. Example: “0198 444 444”.
  physicalDeliveryOfficeName: This attribute type contains names that a Postal Service uses to identify a specific post office. Examples: “Austin, Downtown Austin” and “Chicago, Finance Station E”. Each name is one value of this multi-valued attribute.
  postOfficeBox: This attribute type contains postal box identifiers used by a postal service to locate a box on the premises of the Postal Service rather than a physical street address. Example: “Box 27”. Each postal box identifier is a single value of this multi-valued attribute.

postalAddress: This attribute type contains addresses used by a Postal Service to perform services for the object. Each address is one value of this multi-valued attribute. Example: “Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Austin$Texas$USA”.
postalCode: This attribute type contains codes used by a Postal Service to identify postal service zones. Each code is one value of this multi-valued attribute. Example: “78664” to identify Pflugerville, TX, in the USA.
preferredDeliveryMethod: This attribute type contains an indication of the preferred method of getting a message to the object. Example: If the mhs-delivery Delivery Method is preferred over telephone-delivery, which is preferred over all other methods, the value would be: “mhs $ telephone”.
preferredLanguage: This attribute type contains the preferred written or spoken language of this person.
registeredAddress: This attribute type contains postal addresses to be used for deliveries that must be signed for or require a physical recipient. Each address is one value of this multi-valued attribute. Example: “1111 Elm St.$Austin, TX$USA”.
roomNumber: This attribute type contains the room or office number of this person's normal work location.
secretary: This attribute type contains the distinguished name of this person's secretary.
seeAlso: This attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute. Example: The person object “cn=Elvis Presley,ou=employee,o=SailPoint\, Inc.” is related to the role objects “cn=Bowling Team Captain,ou=sponsored activities,o=SailPoint\, Inc.” and “cn=Dart Team,ou=sponsored activities,o=SailPoint\, Inc.”. Since the role objects are related to the person object, the 'seeAlso' attribute will contain the distinguished name of each role object as separate values.
sn: This attribute type contains name strings for surnames, or family names. Each name is one value of this multi-valued attribute. Example: “Smith”.
st: This attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute. Example: “Texas”.
street: This attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute. Example: “15 Main St.”.
telephoneNumber: This attribute type contains telephone numbers that comply with the ITU Recommendation E.123 [E.123]. Each number is one value of this multi-valued attribute.

teletexTerminalIdentifier: The withdrawal of Recommendation F.200 has resulted in the withdrawal of this attribute.
telexNumber: This attribute type contains sets of strings that are a telex number, country code, and answerback code of a telex terminal. Each set is one value of this multi-valued attribute.
title: This attribute type contains the person's job title. Each title is one value of this multi-valued attribute. Examples: “Vice President”, “Software Engineer”, and “CEO”.
uid: This attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute. Examples: “s9709015”, “admin”, and “Administrator”.
objectClass: The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either “top” or “alias”.
memberOf: This attribute type contains the account group membership for this person on the application.
objectSid: Windows Security Identifier.
sAMAccountName: This attribute type contains the sAMAccountName for this user.
primaryGroupDN: This attribute type contains the distinguished name of this user's primary group.
primaryGroupID: This attribute type contains the RID of this user's primary group.

Table 55—Active Directory Connector - Group Attributes

cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
dn: This attribute type contains the directory path to the object.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Incorporated.”, and “SailPoint, Inc.”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
owner: This attribute type contains the name of the owner of the object.

description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
member: This attribute type contains the distinguished names of objects that are on a list or in a group. Each name is one value of this multi-valued attribute. Examples: “cn=James Clarke,ou=Finance,o=SailPoint, Inc.” and “cn=John Xerri,ou=Finance,o=SailPoint, Inc.” may be two members of the financial team (group) at SailPoint, in which case both of these distinguished names would be listed as individual values of the member attribute.
memberOf: This attribute type contains the account group membership for this person on the application.
objectSid: This attribute type contains the Windows Security Identifier for this user.

Unstructured Targets Tab

Unstructured target information is used to define unstructured data sources from which the connector is to extract data. Unstructured data is any data that is stored in a format that is not easily readable by a machine. For example, information contained in an Excel spread sheet, a Microsoft Word document, the body of an email, or an HTML file is considered unstructured data. Unstructured targets pose a number of challenges for IdentityIQ connectors, because not only is the data stored in a format that is hard to extract from, the systems and directory structures in which the files reside are often difficult to access. The most common unstructured data type supported by IdentityIQ is an operating system's file system permissions. The unstructured targets defined on this tab are used by the Target Aggregation task to correlate targets with permissions assigned to identities and account groups for use in certifications.

This target collector requires the IdentityIQ Service to be installed on a machine that has visibility to the directory or share to include in the target scan. Refer to the SailPoint Technologies IdentityIQ Implementation Guide for information on installing and registering the IQService.

The Unstructured Targets tab contains the following information:

Table 56—Application Configuration - Unstructured Targets Tab Field Descriptions

Attributes: The required settings for connecting to the IdentityIQ Service.
IQService Host: The host on which the IdentityIQ Service resides.
IQService Port: The TCP/IP port where the IQService is listening for requests.
Number of targets per block: Number of targets (files) to include in each block of data returned.

Rules: Specify the rules used to transform and correlate the targets. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 437.
Creation Rule: The rule used to determine how the unstructured data extracted from the data source is transformed into data that can be read by IdentityIQ.
Correlation Rule: The rule used to determine how to correlate account information from the application with identity cubes in IdentityIQ.
File Shares: The required information for each share. You can target a specific file or a directory and its sub-directories containing multiple files from which to extract the required data. If you target a directory, use the Wildcard and Directory Depth fields to narrow the query if possible. The Directory Depth field enables you to extend your query up to ten (10) sub-directories below the one specified in the Path field.
Path: UNC style path to a share or local directory.
Wildcard: Use wild cards to target a particular file type or naming scheme. For example, to search only Excel spread sheets, use *.xls; to search only files with names beginning with finance_, use finance_*.*
Directory Depth: The sub-directory depth from which to extract data.
Directories Only: Use to instruct the collector to ignore files and just report back directory permission information.
Include Inherited Permissions: Use to instruct the collector to not report permissions unless they are directly assigned. Only directly assigned permissions will be returned.
Administrator: The administrator that has access to this share so you can collect permissions. This value should be the user's principal user@xyz.com name or a fully qualified domain user name in the domain\\user format. Note: The service will be running as System or can be configured to be run as any user, so the Administrator/Password fields may not be required in all cases.
Password: The password associated with the specified administrator.

ALES Connector

This connector is designed to communicate with BEA's Aqualogic Enterprise Security Server. The integration uses the remote ALES Entitlement Query API.

ALES Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.

The ALES connector uses the following connection attributes:

Table 57—ALES Connector - Required Attributes

filter: The accountfilter and groupfilter can be used to scope the iteration for accounts and groups.
javax.jdo.PersistenceManagerFactoryClass: The name of the concrete implementation of the javax.jdo.PersistenceManagerFactory that javax.jdo.JDOHelper.getPersistenceManagerFactory should create. For Kodo JDO, this should be kodo.jdbc.runtime.JDBCPersistenceManagerFactory or a custom extension of this type.
javax.jdo.option.ConnectionDriverName: The full class name of either the JDBC java.sql.Driver, or a javax.sql.DataSource implementation to use to connect to the database.
javax.jdo.option.ConnectionUserName: The user name to use when connecting to the database.
javax.jdo.option.ConnectionPassword: The password for the user specified in the ConnectionUserName property.
javax.jdo.option.ConnectionURL: The JDBC URL for the database.
kodo.jdbc.DBDictionary: A plugin string describing the kodo.jdbc.sql.DBDictionary to use for database interaction. Kodo typically auto-configures the dictionary based on the JDBC URL, but you may have to set this property explicitly if you are using an unrecognized driver, or to plug in your own dictionary for a database Kodo JPA/JDO does not support out-of-the-box.
kodo.Log: A plugin string describing a com.solarmetric.log.LogFactory to use for logging.
kodo.Sequence: A plugin string describing the kodo.kernel.Seq implementation to use for the system sequence.

ALES Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities Link objects. The group schema is used when building AccountGroup objects which are used to hold entitlements shared across identities.

Table 58—ALES Connector - Account Attributes

qualifiedName: Qualified UserName
groups: List of groups

Table 59—ALES Connector - Group Attributes

qualifiedName: Qualified Group name
directUsers: List of users

Logical Connector

The Logical connector was developed to create objects that function like applications in the IdentityIQ product, but that are actually formed based on the detection of accounts from other, or tier, applications in existing identity cubes. For example, you might have one logical application that represents three other accounts on tier applications: an Oracle database, an LDAP authorization application, and a custom application for internal authentication. The logical application scans identities and creates an account on the logical application each time it detects the three required accounts on a single identity. You can then use the single, representative account instead of the three separate accounts from which it is comprised for certification, reporting, and monitoring.

Logical Connector - Tiers Tab

This section contains the information that IdentityIQ uses to build the relationships between the tier applications that make up a logical application. For an identity to have an account on a logical application they must have the required, matching accounts on all tier applications. You must correlate those attributes, either manually or with a correlation rule, to create accounts on the logical application. For example, an identity, Lori Ferguson, might be represented by the attribute dbid on one tier and username on another.

Add Tiers to a Logical Application

You must define the tier applications that are contained within the logical application and identify the application to be used as the primary tier application. The primary tier application is the application containing all of the attributes to which the attributes on the other tiers will correlate. In some instances this might be a human resources application containing all of the identities in IdentityIQ. Every account on the logical application must have an account on the primary tier application. A logical application can only have one primary tier application.

To add a tier application, select the application from the Select an Application drop-down list and click Add Tier. Click the arrow to the right of the field to display all applications configured to work with IdentityIQ, or type the first few letters of an application name to display a list of applications with names containing that letter string. You can add as many applications as required. Specify the primary tier application by selecting it in the Primary Tier column. To remove tier applications, select the application using the selection boxes in the left-most column and click Remove Selected.

Correlate Tier Application Attributes

Use the logical application tier attribute mapping, or correlation, panel to either manually map attributes for correlation or assign an existing correlation rule. For an identity to have an account on a logical application they must have the required, matching accounts on all tier applications. If you select the primary tier application a note is displayed stating that no correlation is required on the primary tier.

To use an existing correlation rule, open the Use Correlation Rule panel and select a rule from the Correlation Rule drop-down list. The rule should contain all of the attribute mapping required for this logical application.

To manually map attributes on the tier applications do the following:
1. Select a non-primary tier application in the application list. The selected application is highlighted and any mapped correlation attributes are displayed in the attribute correlation panel.
2. Click Add Attribute to display a row in which to add the new attribute.
3. Click on the row to activate either the Tier Attribute or Primary Tier Attribute field.
4. Select an attribute from the drop-down list in both columns. Map the attributes on each application that should have matching values.
5. Click Save Changes or continue mapping attributes for the applications.

The Tiers tab contains the following information:

Table 60—Logical Connector - Tier Applications

Account Rule: Select an existing account rule from the drop-down list. The logical application rule defines the requirements that must be met before an identity is assigned an account on this logical application. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 437.
Provisioning Rule: Select an existing provisioning rule from the drop-down list. The logical provisioning rule defines how provisioning requests for the logical application account, or any of the accounts of which it is comprised, are handled. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 437.
Application: The tier applications that make up the logical application.

Primary Tier: Designate one tier application as the primary tier application. The primary tier application is the application containing all of the attributes to which the attributes on the other tiers will correlate. In some instances this might be a human resources application containing all of the identities in IdentityIQ. Every account on the logical application must have an account on the primary tier application. Note: A logical application can only have one primary tier application.
Tier Attribute: Attributes from the selected tier application whose values must match the values of the associated attributes from the primary tier application.
Primary Tier Attribute: Attributes on the primary tier application to which the attribute values from the tier applications must match.

Account Matching

Use account matching to select attributes and permissions from existing application tiers as the parameters for your logical application. This panel contains the following:
Application Items: Click Add Attribute to include application attributes in your account matching parameters. Click Add Permission to include application permissions in your account matching parameters.
Operation: choose the AND / OR operator to include multiple attributes / permissions.
Type: indicates either Attribute or Permission.
Application: indicates the application from which the attribute or permission is being matched.
Name: select an attribute from the drop-down list or input the permission name into the field.
Value: input the value of the attribute or permission.
Group/Ungroup/Delete Selected: use the check box to select line items on which to perform the respective action.

Logical Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Logical applications do not have connection attributes by default. If you have defined custom logical connectors there might be connection attributes on this tab. Use this tab to test your logical application connection.

Logical Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities Link objects. The group schema is used when building AccountGroup objects which are used to hold entitlements shared across identities.
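As an added illustration (not SailPoint code and not the Logical connector's own implementation), the following Python model shows what the Tiers tab configures: each identity's tier links are correlated to its primary tier link through the Tier Attribute / Primary Tier Attribute pairs, then checked against the Account Matching items joined by the AND / OR operation, and a logical account is built only when every required tier is present. The identities, application names, attributes and permissions are constructed.

```python
"""Model of how a Logical application detects accounts on its tier applications
(an added example, not SailPoint's connector code). Every identity, application,
attribute and permission below is constructed for illustration."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

@dataclass
class Link:
    """One account an identity holds on an application (an identity cube link)."""
    application: str
    attributes: Dict[str, object]
    permissions: Dict[str, List[str]] = field(default_factory=dict)  # target -> rights

@dataclass
class LogicalApplication:
    name: str
    primary_tier: str
    tiers: List[str]
    # tier application -> (Tier Attribute, Primary Tier Attribute) pairs from the
    # attribute correlation panel; the values must be equal for the links to correlate
    correlation: Dict[str, List[Tuple[str, str]]]
    # Account Matching items as (Type, Application, Name, Value), joined by operation
    matching: List[Tuple[str, str, str, object]] = field(default_factory=list)
    operation: str = "AND"

def links_on(links: List[Link], app: str) -> List[Link]:
    return [link for link in links if link.application == app]

def correlated_link(primary: Link, candidates: List[Link],
                    pairs: List[Tuple[str, str]]) -> Optional[Link]:
    """First candidate whose mapped attributes equal the primary tier link's values."""
    for cand in candidates:
        if pairs and all(cand.attributes.get(t) == primary.attributes.get(p) for t, p in pairs):
            return cand
    return None

def criterion_holds(item: Tuple[str, str, str, object], links: List[Link]) -> bool:
    """One Account Matching row: an Attribute value or a Permission right on a tier."""
    kind, app, name, value = item
    for link in links_on(links, app):
        if kind == "Attribute":
            actual = link.attributes.get(name)
            if actual == value or (isinstance(actual, list) and value in actual):
                return True
        elif kind == "Permission" and value in link.permissions.get(name, []):
            return True
    return False

def account_matches(logical: LogicalApplication, tier_links: List[Link]) -> bool:
    if not logical.matching:
        return True
    results = [criterion_holds(item, tier_links) for item in logical.matching]
    return all(results) if logical.operation == "AND" else any(results)

def detect_account(logical: LogicalApplication, links: List[Link]) -> Optional[dict]:
    """The logical account for one identity, or None when a required tier account is
    missing, does not correlate to the primary tier, or fails Account Matching."""
    for primary in links_on(links, logical.primary_tier):
        found = {logical.primary_tier: primary}
        for tier in logical.tiers:
            if tier == logical.primary_tier:
                continue
            link = correlated_link(primary, links_on(links, tier), logical.correlation.get(tier, []))
            if link is None:
                break
            found[tier] = link
        else:  # every tier correlated to this primary link
            if account_matches(logical, list(found.values())):
                return {"application": logical.name,
                        "tiers": {t: l.attributes for t, l in found.items()}}
    return None

def aggregate(logical: LogicalApplication, identities: Dict[str, List[Link]]) -> Dict[str, dict]:
    """Scan every identity cube, as aggregation on the logical application does."""
    accounts = {name: detect_account(logical, links) for name, links in identities.items()}
    return {name: acct for name, acct in accounts.items() if acct is not None}

def with_operation(logical: LogicalApplication, op: str) -> LogicalApplication:
    return replace(logical, operation=op)

FINANCE_ACCESS = LogicalApplication(  # constructed logical application
    name="Finance Access", primary_tier="HR", tiers=["HR", "OracleDB", "LDAP"],
    correlation={"OracleDB": [("dbid", "employeeId")], "LDAP": [("uid", "employeeId")]},
    matching=[("Attribute", "LDAP", "memberOf", "cn=finance,ou=groups"),
              ("Permission", "OracleDB", "INVOICES", "write")])

FIN = "cn=finance,ou=groups"
IDENTITIES = {  # constructed identity cubes
    "Lori Ferguson": [Link("HR", {"employeeId": "1042"}),
                      Link("OracleDB", {"dbid": "1042"}, {"INVOICES": ["read", "write"]}),
                      Link("LDAP", {"uid": "1042", "memberOf": [FIN]})],
    "Amit Patel": [Link("HR", {"employeeId": "2001"}),  # no LDAP account at all
                   Link("OracleDB", {"dbid": "2001"}, {"INVOICES": ["write"]})],
    "Dana Cole": [Link("HR", {"employeeId": "3003"}),
                  Link("OracleDB", {"dbid": "3030"}, {"INVOICES": ["write"]}),  # dbid does not correlate
                  Link("LDAP", {"uid": "3003", "memberOf": [FIN]})],
    "Sam Reyes": [Link("HR", {"employeeId": "4004"}),
                  Link("OracleDB", {"dbid": "4004"}, {"INVOICES": ["read"]}),  # lacks write: fails AND
                  Link("LDAP", {"uid": "4004", "memberOf": [FIN]})],
}
```

With the AND operation only Lori Ferguson receives a logical account; switching the operation to OR also admits Sam Reyes, whose LDAP membership satisfies one of the two items.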

Logical applications enable you to pull schema attribute information from the tier applications from which it is compiled. This connector can be configured to enable the automatic discovery of schema attributes. When you use this feature the schema attribute information is automatically added to the attributes table and you can edit it as needed. Click New Tier Attribute to display the Select Source Attribute dialog and select the tier application and attribute to pull into the logical application.

Logical Application Filtering

Logical applications use the Find missing entitlement scan on the Managed Entitlements tab as a filtering action using the Account Matching criteria provided on the Tiers tab. For example, a new logical application uses the “memberOf” attribute in Active Directory. There are likely thousands of values that are assigned in an enterprise. With specific criteria defined in Account Matching, only the values you are interested in appear for easier editing. This gives a more focused starting point instead of using all of the entitlement values from the selected application tiers.

How to Define Logical Connectors

Use the following procedure to define a logical connector.
1. Define all tier applications.
2. Perform the following tasks on each tiered application:
a. Run aggregation task.
b. Run entitlement correlation task.
c. Scan for missing entitlements or define new managed entitlements.
3. Define the logical application:
a. Define application tiers.
b. Discover schema attributes from selected tier applications for editing.
c. Scan for missing entitlements using the filters from the selected tiered applications for editing.
4. Run aggregation task on your newly defined logical application.

Delimited File Connector

The Delimited File connector is a rule driven connector. This connector has rules that can be customized to handle the complexity of the data that is being extracted. See Delimited File Connector - Schema Attributes on page 171.

Delimited File Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.

The Delimited File connector uses the following account and group connection attributes. The account and group attributes are divided onto two tabs for ease and clarity of use. The group attributes are optional and the settings default to the settings from the Account tab if they are not specifically defined.

Table 61—Delimited File Connector - Account Tab Descriptions

File:
Parsing Type: Enter which type of parsing technique should be used when parsing the contents of the data file. Note: The parsing type is only applicable for Account Attributes.
File Path: Enter the path and name of the data file that should be parsed.
Delimiter: Enter the character that should be used as a delimiter. If the delimiter is a unicode character use the \\u format. For example, \\u0009 is used to specify the tab character.
Columns: Enter the names of the columns that will be used while parsing the file. If you are using the Delimited Parsing Type, you only have to configure this field if there is not a header defined or you want to rename the columns that will be used in the buildMap rule. If you are using the Regular Expression Parsing Type, this field is required.
Regular Expression: Only available for Regular Expression Parsing Type. Enter the regular expression using regular expression groups that can be used to break the data into tokens.
File Encoding: Specify the encoding that was used when saving the data file. If this is left blank the application server's default encoding will be used when parsing the file.
File has column header on first line: Only available for Delimited Parsing Type. Select this option if the data file has a header defined on the first line of the file.
Fail on column length mismatch: Only available for Delimited Parsing Type. Select this option if you want the connector to fail if all of the columns are not part of each line. Sometimes the last token is left out of the data. If this is the case in your file, select this option.
Transport: Note: Transport attributes only apply to Accounts.
File Transport: Specify how the file will be transferred. If the file resides locally on the application server, select Local.
Host: Specify the hostname where the file is located.
User: Specify the username that will be used during the file transfer.
Password: Specify the password for the user that will be used during the file transfer.

Filtering:
Number of lines to skip: Enter the number of lines to skip from the top of the data file before parsing begins.
Comment Character: Enter a comment character used in the data file. Any line starting with this character will be skipped.
Filter Empty: Select this option if you want to filter out any objects that parse but have no attributes.
Filter String: Enter the string representation of a sailpoint.object.Filter object. Any object matching the filter will be filtered out of the dataset and will not be returned. For example, a filter that will filter out all objects from the Manufacturing department is written as follows: department == "Manufacturing"
Connector Rules: Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 437.
Build Map Rule: A rule that is called for each row in the data file. This rule is used to convert the string tokens from the data file into a java.util.Map object. If a rule is not specified the connector builds a map with the contents keyed by the column name.
Map To ResourceObject Rule: A rule that is called for each unique java.util.Map created from the data file. This rule's job is to convert a java.util.Map object, built from the data file, into a ResourceObject. If a rule is not specified the connector builds a ResourceObject using the schema.
PreIterate Rule: A rule that is called before the iteration process begins and provides a hook for things like checking the file or building an alternate feed.
PostIterate Rule: A rule that is called after the iteration process has completed.
Merging:
Data needs to be merged: Select this option if the data for a single object spans multiple lines.
Index Column: Enter the name of the index column that will be used when finding like objects in the dataset.
Data sorted by the indexColumn(s)?: Select this option if the data is sorted by the index columns. If the data is not sorted, an in-memory representation of the data is built and used.
Which Columns should be merged?: Enter the names of the columns from the file from which values should be merged.
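As an added illustration (not SailPoint's connector code), the following Python model applies the File, Filtering and Merging settings from Table 61 to a constructed delimited extract: it skips leading and comment lines, reads the header, pads a row whose last token is missing (or fails when Fail on column length mismatch is set), merges rows that share the Index Column into one object with multi-valued merge columns, and drops objects matching a department == "Manufacturing" Filter String. Only the simple attr == "value" filter form is modelled, and the sample file, column names and configuration values are constructed.

```python
"""Model of the Delimited File connector's File, Filtering and Merging settings
(an added example, not SailPoint's connector code; sample data is constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DelimitedConfig:
    delimiter: str = ","                 # Delimiter field; \u escapes such as \u0009 (tab) accepted
    has_header: bool = True              # File has column header on first line
    columns: List[str] = field(default_factory=list)  # Columns: supplies or renames the header
    lines_to_skip: int = 0               # Number of lines to skip
    comment_char: Optional[str] = None   # Comment Character
    fail_on_column_mismatch: bool = False
    filter_empty: bool = True
    filter_string: Optional[str] = None  # only the  attr == "value"  form is modelled here
    index_column: Optional[str] = None   # Index Column; set when "Data needs to be merged"
    merge_columns: List[str] = field(default_factory=list)  # Which Columns should be merged?

def resolve_delimiter(cfg: DelimitedConfig) -> str:
    """Turn a \\u0009-style Delimiter value into the actual character."""
    return cfg.delimiter.encode("ascii").decode("unicode_escape")

def build_map(tokens: List[str], columns: List[str], cfg: DelimitedConfig) -> Dict[str, object]:
    """Default Build Map behaviour: one map keyed by column name."""
    if len(tokens) != len(columns):
        if cfg.fail_on_column_mismatch:
            raise ValueError(f"expected {len(columns)} columns, got {len(tokens)}: {tokens}")
        tokens = (tokens + [None] * len(columns))[:len(columns)]  # missing last token -> None
    return dict(zip(columns, tokens))

def merge_maps(existing: Dict[str, object], incoming: Dict[str, object], cfg: DelimitedConfig):
    """Default MergeMaps behaviour: keep the existing map, accumulating the merge columns."""
    for col in cfg.merge_columns:
        current = existing.get(col)
        values = [] if current is None else (current if isinstance(current, list) else [current])
        if incoming.get(col) is not None:
            values.append(incoming[col])
        existing[col] = values
    return existing

def excluded_by_filter(obj: Dict[str, object], cfg: DelimitedConfig) -> bool:
    """Objects that MATCH the Filter String are dropped from the result."""
    if not cfg.filter_string:
        return False
    m = re.fullmatch(r'\s*(\w+)\s*==\s*"([^"]*)"\s*', cfg.filter_string)
    if not m:
        raise ValueError("filter syntax not supported by this model: " + cfg.filter_string)
    return obj.get(m.group(1)) == m.group(2)

def parse_delimited(text: str, cfg: DelimitedConfig) -> List[Dict[str, object]]:
    delim = resolve_delimiter(cfg)
    columns, header_done = list(cfg.columns), not cfg.has_header
    objects: List[Dict[str, object]] = []
    by_index: Dict[object, Dict[str, object]] = {}  # in-memory index for unsorted data
    for line in text.splitlines()[cfg.lines_to_skip:]:
        if not line.strip() or (cfg.comment_char and line.startswith(cfg.comment_char)):
            continue
        tokens = line.split(delim)
        if not header_done:
            header_done = True
            if not columns:
                columns = tokens
            continue
        if not columns:
            raise ValueError("no header line and no Columns configured")
        obj = build_map(tokens, columns, cfg)
        if cfg.filter_empty and not any(obj.values()):
            continue
        if cfg.index_column:
            key = obj[cfg.index_column]
            if key in by_index:
                merge_maps(by_index[key], obj, cfg)
                continue
            by_index[key] = obj
        objects.append(obj)
    for obj in objects:  # merge columns are always multi-valued in the result
        for col in cfg.merge_columns:
            value = obj.get(col)
            if not isinstance(value, list):
                obj[col] = [] if value is None else [value]
    return [obj for obj in objects if not excluded_by_filter(obj, cfg)]

def parse_fails(text: str, cfg: DelimitedConfig) -> bool:
    """True when the connector would fail on this file with the given settings."""
    try:
        parse_delimited(text, cfg)
        return False
    except ValueError:
        return True

SAMPLE_FILE = """HR extract (constructed sample data, skipped by lines_to_skip)
# comment line, skipped by comment_char
id,name,department,groups
1001,Lori Ferguson,Finance,Accounting
1001,Lori Ferguson,Finance,Auditors
1002,Amit Patel,Manufacturing,Shopfloor
1003,Dana Cole,Engineering
,,,
"""

CONFIG = DelimitedConfig(lines_to_skip=1, comment_char="#",
                         filter_string='department == "Manufacturing"',
                         index_column="id", merge_columns=["groups"])
```

Running parse_delimited(SAMPLE_FILE, CONFIG) yields two objects: Lori Ferguson with groups merged into a two-value list, and Dana Cole with an empty groups list from her short row; the Manufacturing row and the all-empty row are filtered out.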

MergeMaps Rule: A rule that is called during merging for each row that has a matching index column. The rule will receive the existing map along with the newly parsed map that has to be merged. If a rule is not specified the connector builds a combined java.util.Map using the original object and merges the attributes specified in the mergeColumns configuration option.

Delimited File Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities Link objects. The group schema is used when building AccountGroup objects which are used to hold entitlements shared across identities.

For delimited file connectors the schema is usually dictated by the data in the file. If there is a header in the file and the hasHeader option is enabled, the columns are pulled directly from the file and populate the schema. If this connector is configured to use the automatic discovery function and you've specified column names (columnNames, account.columnNames, group.columnNames), those names are used to populate the schema. All automatically generated schema attributes are marked as type String.

Google Apps Connector

Google Apps connector manages Google Apps users and groups. It supports read and write to Google Apps to Create, Retrieve, Update, Delete, Authenticate users, and Retrieve groups.

Prerequisites
• Administrator username and password for the Google Apps domain.
• Enable the Provisioning API for the Google Apps domain. To enable the API, perform the following steps:
1. Log in to your administrator account.
2. Click Domain settings => User settings and select the Provisioning API check box.
3. Save the changes.

Google Apps Connector Attributes

Table 62—Google Apps Connector Attributes

Domain: The name of the Google Apps registered domain that must be managed.
Administrator: The Google Apps user with administrative rights. All the requests are executed with this user's context.
Password: Password of the administrative user.

Google Apps - Schema Attributes

The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports the following types of objects:
• Account: objects used when building identities Link objects.
• Group: schema used when building AccountGroup objects that are used to hold entitlements shared across identities.

Google Apps - Account Attributes

The following table lists the account attributes:

Table 63—Google Apps Account Attributes

UserID: User ID of the specified user.
GivenName: Given name of the specified user.
FamilyName: Family name of the specified user.
Email: Email of the specified user.
Nickname: Nick name of the specified user.
Groups: Groups to which the specified user is connected.

Google Apps - Group Attributes

The following table lists the group attributes:

Table 64—Google Apps Group Attributes

GroupName: Name of the specified group.
GroupEmail: Email of the specified group.
GroupDescription: Description of the specified group.
GroupPermission: Permissions of the specified group.
GroupRole: Roles of the specified group.
GroupOwner: Owners of the specified group.

Google Apps - Provisioning Policy

The following table lists the provisioning policy attributes:

Table 65—Google Apps Provisioning Policy Attributes

UserID: User ID of the user to be created.
GivenName: Given name of the user to be created.
FamilyName: Family name of the user to be created.
Password: Password of the user to be created.
AdminPrivileges: Whether the user to be created should have administrative privileges.
quota (optional): Maximum email quota allowed for the user to be created.

IBM Lotus Domino Connector

The IBM Lotus Domino connector uses the rootDSE attribute as the starting point in the directory to start searching for users and group memberships. LDAP does not store a user's group references on the user, so the IBM Lotus Domino connector must always do a separate query to return a list of all of the user's groups.

IBM Lotus Domino Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection. The IBM Lotus Domino connector uses the following connection attributes:

Table 66—IBM Lotus Domino Connector - Connection Attributes (Attribute: Description)
useSSL: Specifies if the connection is over SSL.
host: The host of the LDAP server.
port: The port the server is listening on.
user: The user to connect as. Typically a DN string such as Administrator.
password: The password for the administrator account.
authorizationType: Translates to the Context.SECURITY_AUTHENTICATION property in the API. The attribute value is one of the following strings: none, simple, strong.
searchDN: The search starting point. This is a DN string.
searchScope: The depth to search the LDAP tree: OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE.
groupMemberSearchDN: Where to start in the tree when resolving a user’s group membership. This is a DN string.
groupMemberAttribute: The name of the attribute used on the LDAP server to store group members.
pageSize: The number of objects to get per page when iterating over large numbers of objects. The default is 500.
iterateSearchFilter: An optional filter that can be added to the configuration to scope the objects returned when the iterateObjects method is called. Derived attributes can also be included in the filter.
filterString: This setting can be used to filter objects as they are returned from the underlying application.

IBM Lotus Domino Connector - Schema Attributes
The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building an identity’s Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities.

Table 67—IBM Lotus Domino Connector - Account Attributes (Name: Description)
creatorsName: This attribute contains the name of the administrator that created the account.
C: This attribute contains the country in which the account is located.

Table 67—IBM Lotus Domino Connector - Account Attributes (continued; Name: Description)
businessCategory: The types of business performed by an organization. Each type is one value of this multi-valued attribute. Examples: “engineering”, “finance”, and “sales”.
carLicense: This attribute type contains the license plate or vehicle registration number associated with the user. Each string is one value of this multi-valued attribute.
cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person’s full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
Comment: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
departmentNumber: This attribute contains a numerical designation for a department within your enterprise. Example: “Sales” or “Engineering”.
destinationIndicator: This attribute type contains country and city strings associated with the object (the addressee) needed to provide the Public Telegram Service. The strings are composed in accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is one value of this multi-valued attribute. Examples: “AASD” as a destination indicator for Sydney, Australia; “GBLD” as a destination indicator for London, United Kingdom. Note: The directory will not ensure that values of this attribute conform to the F.1 and F.31 CCITT Recommendations. It is the application’s responsibility to ensure that the destination indicators it stores in this attribute are appropriately constructed.
displayName: This attribute contains the preferred name to be used for this person throughout the application.
dn: This attribute contains the distinguished name by which the user is known.
employeeNumber: This attribute contains the numerical identification key for this person within your enterprise.
employeeType: This attribute contains a descriptive type for this user, for example, full time, contractor, or part time.
facsimileTelephoneNumber: This attribute type contains telephone numbers and any required parameters for facsimile terminals. Each telephone number is one value of this multi-valued attribute.
firstName: This attribute type contains name strings that are the part of a person’s name that is not their surname. Each string is one value of this multi-valued attribute. Examples: “John”, “Sue”, and “David”.
groups: This attribute type contains a list of groups of which this person is a member.
homeFax: This attribute contains the home facsimile (fax) telephone number.

Table 67—IBM Lotus Domino Connector - Account Attributes (continued; Name: Description)
homePhone: This attribute contains the employee’s home phone number.
homePostalAddress: This attribute contains the employee’s mailing address.
initials: This attribute type contains strings of initials of some or all of an individual’s names, except the surname(s). Each string is one value of this multi-valued attribute. Examples: “J. A.” and “J”.
internationalISDNNumber: This attribute type contains Integrated Services Digital Network (ISDN) addresses, as defined in the International Telecommunication Union (ITU) Recommendation E.164 [E.164]. Each address is one value of this multi-valued attribute.
InternetAddress: This attribute type contains the RFC822 mailbox for the user.
l: This attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute. Examples: “Austin”, “Chicago”, and “Brisbane”.
manager: This attribute type contains the distinguished name of the manager to whom this person reports.
middleName: This attribute type contains the middle name of the user.
mobile: This attribute type contains the mobile telephone number of this person.
O: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Incorporated”, and “SailPoint, Inc.”.
OU: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
pager: This attribute type contains the telephone number of this person’s pager. Example: “0198 444 444”.
physicalDeliveryOfficeName: This attribute type contains names that a Postal Service uses to identify a specific post office. Each name is one value of this multi-valued attribute. Examples: “Austin, Downtown Austin” and “Chicago, Finance Station E”.
postalAddress: This attribute type contains addresses used by a Postal Service to perform services for the object. Each address is one value of this multi-valued attribute. Example: “1111 Elm St.$Austin$Texas$USA”.
postOfficeBox: This attribute type contains postal box identifiers used by a postal service to locate a box on the premises of the Postal Service rather than a physical street address. Each postal box identifier is a single value of this multi-valued attribute. Example: “Box 27”.

Table 67—IBM Lotus Domino Connector - Account Attributes (continued; Name: Description)
postalCode: This attribute type contains codes used by a Postal Service to identify postal service zones. Each code is one value of this multi-valued attribute. Example: “78664”, to identify Pflugerville, TX, in the USA.
preferredDeliveryMethod: This attribute type contains an indication of the preferred method of getting a message to the object. Example: If the mhs-delivery Delivery Method is preferred over telephone-delivery, which is preferred over all other methods, the value would be: “mhs $ telephone”.
preferredLanguage: This attribute type contains the preferred written or spoken language of this person.
registeredAddress: This attribute type contains postal addresses to be used for deliveries that must be signed for or require a physical recipient. Each address is one value of this multi-valued attribute. Example: “Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Austin, TX$USA”.
roomNumber: This attribute type contains the room or office number of this person’s normal work location.
Assistant: This attribute type contains the distinguished name of this person’s secretary.
seeAlso: This attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute. Example: The person object “cn=Elvis Presley,ou=employee,o=SailPoint\, Inc.” is related to the role objects “cn=Bowling Team Captain,ou=sponsored activities,o=SailPoint\, Inc.” and “cn=Dart Team,ou=sponsored activities,o=SailPoint\, Inc.”. Since the role objects are related to the person object, the 'seeAlso' attribute will contain the distinguished name of each role object as separate values.
sn: This attribute type contains name strings for surnames, or family names. Each string is one value of this multi-valued attribute. Example: “Smith”.
st: This attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute. Example: “Texas”.
street: This attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute. Example: “15 Main St.”.
telephoneNumber: This attribute type contains telephone numbers that comply with the ITU Recommendation E.123 [E.123]. Each number is one value of this multi-valued attribute.
teletexTerminalIdentifier: The withdrawal of Recommendation F.200 has resulted in the withdrawal of this attribute.

Table 67—IBM Lotus Domino Connector - Account Attributes (continued; Name: Description)
telexNumber: This attribute type contains sets of strings that are a telex number, country code, and answerback code of a telex terminal. Each set is one value of this multi-valued attribute.
title: This attribute type contains the person’s job title. Each title is one value of this multi-valued attribute. Examples: “Vice President”, “Software Engineer”, and “CEO”.
uid: This attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute. Examples: “s9709015”, “admin”, and “Administrator”.

Table 68—IBM Lotus Domino Connector - Group Attributes (Name: Description)
cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person’s full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
Comment: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
DisplayName: This attribute contains the display name of the object.
dn: This attribute type contains the directory path to the object.
ListOwner: This attribute type contains the distinguished names of objects that have ownership responsibility for the object that is owned. Each owner’s name is one value of this multi-valued attribute. Example: The mailing list object, whose DN is “cn=All Employees,ou=Mailing List,o=SailPoint, Inc.”, is owned by the Human Resources Director. Therefore, the value of the 'owner' attribute within the mailing list object would be the DN of the director (role): “cn=Human Resources Director,ou=employee,o=SailPoint, Inc.”.
member: This attribute type contains the groups to which this person is a unique member.
O: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Incorporated”, and “SailPoint, Inc.”.
objectClass: The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either “top” or “alias”.
OU: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.

Table 68—IBM Lotus Domino Connector - Group Attributes (continued; Name: Description)
GroupType: This attribute contains the type associated with the object.
LocalAdmin: This attribute contains the administrator of the object.
DocumentAccess: This attribute contains the access level of the object.

IBM Tivoli Directory Server Connector
The IBM Tivoli Directory Server connector uses the groupMemberSearchDN attribute as the starting point in the directory when searching for ALL group memberships. IBM Tivoli Directory Server does not store a user’s group references on the user, so this connector must always run a separate query to return the list of all of the user’s groups.

IBM Tivoli Directory Server Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect to and interact with the application. Each application type requires different information to create and maintain a connection. This connector uses the following connection attributes:

Table 69—IBM Tivoli Directory Server Connector - Connection Attributes (Attribute: Description)
useSSL: Specifies if the connection is over SSL.
host: The host of the server.
port: The port the server is listening on.
user: The user to connect as. Typically a DN string such as Administrator.
password: The password for the administrator account.
authorizationType: Translates to the Context.SECURITY_AUTHENTICATION property in the API. The attribute value is one of the following strings: none, simple, strong.
searchDN: The search starting point. This is a DN string.
searchScope: The depth to search the server tree: OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE.
groupMemberSearchDN: Where to start in the tree when resolving a user’s group membership. This is a DN string.
groupMemberAttribute: The name of the attribute used to store group members.
pageSize: The number of objects to get per page when iterating over large numbers of objects. The default is 500.
iterateSearchFilter: An optional filter that can be added to the configuration to scope the objects returned when the iterateObjects method is called. Derived attributes can also be included in the filter.
filterString: This setting can be used to filter objects as they are returned from the underlying application.

IBM Tivoli Directory Server Connector - Schema Attributes
The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building an identity’s Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities.

Table 70—IBM Tivoli Directory Server Connector - Account Attributes (Name: Description)
businessCategory: The types of business performed by an organization. Each type is one value of this multi-valued attribute. Examples: “engineering”, “finance”, and “sales”.
carLicense: This attribute type contains the license plate or vehicle registration number associated with the user. Each string is one value of this multi-valued attribute.
cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person’s full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
departmentNumber: This attribute contains a numerical designation for a department within your enterprise. Example: “Sales” or “Engineering”.
description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
destinationIndicator: This attribute type contains country and city strings associated with the object (the addressee) needed to provide the Public Telegram Service. The strings are composed in accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is one value of this multi-valued attribute. Examples: “AASD” as a destination indicator for Sydney, Australia; “GBLD” as a destination indicator for London, United Kingdom. Note: The directory will not ensure that values of this attribute conform to the F.1 and F.31 CCITT Recommendations. It is the application’s responsibility to ensure that the destination indicators it stores in this attribute are appropriately constructed.
displayName: This attribute contains the preferred name to be used for this person throughout the application.
dn: This attribute contains the distinguished name by which the user is known.

Table 70—IBM Tivoli Directory Server Connector - Account Attributes (continued; Name: Description)
employeeNumber: This attribute contains the numerical identification key for this person within your enterprise.
employeeType: This attribute contains a descriptive type for this user, for example, full time, contractor, or part time.
facsimileTelephoneNumber: This attribute type contains telephone numbers and any required parameters for facsimile terminals. Each telephone number is one value of this multi-valued attribute.
givenName: This attribute type contains name strings that are the part of a person’s name that is not their surname. Each string is one value of this multi-valued attribute. Examples: “John”, “Sue”, and “David”.
groups: This attribute type contains a list of groups of which this person is a member.
homePhone: This attribute contains the employee’s home phone number.
homePostalAddress: This attribute contains the employee’s mailing address.
initials: This attribute type contains strings of initials of some or all of an individual’s names, except the surname(s). Each string is one value of this multi-valued attribute. Examples: “J. A.” and “J”.
internationalISDNNumber: This attribute type contains Integrated Services Digital Network (ISDN) addresses, as defined in the International Telecommunication Union (ITU) Recommendation E.164 [E.164]. Each address is one value of this multi-valued attribute.
l: This attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute. Examples: “Austin”, “Chicago”, and “Brisbane”.
mail: This attribute type contains the RFC822 mailbox for the user.
manager: This attribute type contains the distinguished name of the manager to whom this person reports.
mobile: This attribute type contains the mobile telephone number of this person.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Incorporated”, and “SailPoint, Inc.”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
pager: This attribute type contains the telephone number of this person’s pager. Example: “0198 444 444”.

Table 70—IBM Tivoli Directory Server Connector - Account Attributes (continued; Name: Description)
physicalDeliveryOfficeName: This attribute type contains names that a Postal Service uses to identify a specific post office. Each name is one value of this multi-valued attribute. Examples: “Austin, Downtown Austin” and “Chicago, Finance Station E”.
postalAddress: This attribute type contains addresses used by a Postal Service to perform services for the object. Each address is one value of this multi-valued attribute. Example: “1111 Elm St.$Austin$Texas$USA”.
postalCode: This attribute type contains codes used by a Postal Service to identify postal service zones. Each code is one value of this multi-valued attribute. Example: “78664”, to identify Pflugerville, TX, in the USA.
postOfficeBox: This attribute type contains postal box identifiers used by a postal service to locate a box on the premises of the Postal Service rather than a physical street address. Each postal box identifier is a single value of this multi-valued attribute. Example: “Box 27”.
preferredDeliveryMethod: This attribute type contains an indication of the preferred method of getting a message to the object. Example: If the mhs-delivery Delivery Method is preferred over telephone-delivery, which is preferred over all other methods, the value would be: “mhs $ telephone”.
preferredLanguage: This attribute type contains the preferred written or spoken language of this person.
registeredAddress: This attribute type contains postal addresses to be used for deliveries that must be signed for or require a physical recipient. Each address is one value of this multi-valued attribute. Example: “Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Austin, TX$USA”.
roomNumber: This attribute type contains the room or office number of this person’s normal work location.
secretary: This attribute type contains the distinguished name of this person’s secretary.
seeAlso: This attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute. Example: The person object “cn=Elvis Presley,ou=employee,o=SailPoint\, Inc.” is related to the role objects “cn=Bowling Team Captain,ou=sponsored activities,o=SailPoint\, Inc.” and “cn=Dart Team,ou=sponsored activities,o=SailPoint\, Inc.”. Since the role objects are related to the person object, the 'seeAlso' attribute will contain the distinguished name of each role object as separate values.
sn: This attribute type contains name strings for surnames, or family names. Each string is one value of this multi-valued attribute. Example: “Smith”.

Table 70—IBM Tivoli Directory Server Connector - Account Attributes (continued; Name: Description)
st: This attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute. Example: “Texas”.
street: This attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute. Example: “15 Main St.”.
telephoneNumber: This attribute type contains telephone numbers that comply with the ITU Recommendation E.123 [E.123]. Each number is one value of this multi-valued attribute.
teletexTerminalIdentifier: The withdrawal of Recommendation F.200 has resulted in the withdrawal of this attribute.
telexNumber: This attribute type contains sets of strings that are a telex number, country code, and answerback code of a telex terminal. Each set is one value of this multi-valued attribute.
title: This attribute type contains the person’s job title. Each title is one value of this multi-valued attribute. Examples: “Vice President”, “Software Engineer”, and “CEO”.
uid: This attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute. Examples: “s9709015”, “admin”, and “Administrator”.

Table 71—IBM Tivoli Directory Server Connector - Group Attributes (Name: Description)
cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person’s full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
dn: This attribute type contains the directory path to the object.
member: This attribute type contains the groups to which this person is a unique member.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Incorporated”, and “SailPoint, Inc.”.
objectClass: The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either “top” or “alias”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.

Table 71—IBM Tivoli Directory Server Connector - Group Attributes (continued; Name: Description)
owner: This attribute type contains the distinguished names of objects that have ownership responsibility for the object that is owned. Each owner’s name is one value of this multi-valued attribute. Example: The mailing list object, whose DN is “cn=All Employees,ou=Mailing List,o=SailPoint, Inc.”, is owned by the Human Resources Director. Therefore, the value of the 'owner' attribute within the mailing list object would be the DN of the director (role): “cn=Human Resources Director,ou=employee,o=SailPoint, Inc.”.

IBM Tivoli Identity Manager Connector
The IBM Tivoli Identity Manager connector uses the groupMemberSearchDN attribute as the starting point in the directory when searching for ALL group memberships. IBM Tivoli Identity Manager does not store a user’s group references on the user, so this connector must always run a separate query to return the list of all of the user’s groups.

IBM Tivoli Identity Manager Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect to and interact with the application. Each application type requires different information to create and maintain a connection. This connector uses the following connection attributes:

Table 72—IBM Tivoli Identity Manager Connector - Connection Attributes (Attribute: Description)
useSSL: Specifies if the connection is over SSL.
host: The host of the LDAP server.
port: The port the server is listening on.
user: The user to connect as. Typically a DN string such as Administrator.
password: The password for the administrator account.
authorizationType: Translates to the Context.SECURITY_AUTHENTICATION property in the API. The attribute value is one of the following strings: none, simple, strong.
searchDN: The search starting point. This is a DN string.
searchScope: The depth to search the LDAP tree: OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE.
groupMemberSearchDN: Where to start in the tree when resolving a user’s group membership. This is a DN string.
groupMemberAttribute: The name of the attribute used to store group members.
pageSize: The number of objects to get per page when iterating over large numbers of objects. The default is 500.
iterateSearchFilter: An optional filter that can be added to the configuration to scope the objects returned when the iterateObjects method is called. Derived attributes can also be included in the filter.
filterString: This setting can be used to filter objects as they are returned from the underlying application.

IBM Tivoli Identity Manager Connector - Schema Attributes
The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building an identity’s Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities.

Table 73—IBM Tivoli Identity Manager Connector - Account Attributes (Name: Description)
businessCategory: The types of business performed by an organization. Each type is one value of this multi-valued attribute. Examples: “engineering”, “finance”, and “sales”.
carLicense: This attribute type contains the license plate or vehicle registration number associated with the user. Each string is one value of this multi-valued attribute.
cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person’s full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
departmentNumber: This attribute contains a numerical designation for a department within your enterprise. Example: “Sales” or “Engineering”.
description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
dn: This attribute contains the distinguished name by which the user is known.

Table 73—IBM Tivoli Identity Manager Connector - Account Attributes (continued; Name: Description)
destinationIndicator: This attribute type contains country and city strings associated with the object (the addressee) needed to provide the Public Telegram Service. The strings are composed in accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is one value of this multi-valued attribute. Examples: “AASD” as a destination indicator for Sydney, Australia; “GBLD” as a destination indicator for London, United Kingdom. Note: The directory will not ensure that values of this attribute conform to the F.1 and F.31 CCITT Recommendations. It is the application’s responsibility to ensure that the destination indicators it stores in this attribute are appropriately constructed.
displayName: This attribute contains the preferred name to be used for this person throughout the application.
employeeNumber: This attribute contains the numerical identification key for this person within your enterprise.
employeeType: This attribute contains a descriptive type for this user, for example, full time, contractor, or part time.
facsimileTelephoneNumber: This attribute type contains telephone numbers and any required parameters for facsimile terminals. Each telephone number is one value of this multi-valued attribute.
givenName: This attribute type contains name strings that are the part of a person’s name that is not their surname. Each string is one value of this multi-valued attribute. Examples: “John”, “Sue”, and “David”.
groups: This attribute type contains a list of groups of which this person is a member.
homePhone: This attribute contains the employee’s home phone number.
homePostalAddress: This attribute contains the employee’s mailing address.
initials: This attribute type contains strings of initials of some or all of an individual’s names, except the surname(s). Each string is one value of this multi-valued attribute. Examples: “J. A.” and “J”.
internationalISDNNumber: This attribute type contains Integrated Services Digital Network (ISDN) addresses, as defined in the International Telecommunication Union (ITU) Recommendation E.164 [E.164]. Each address is one value of this multi-valued attribute.
l: This attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute. Examples: “Austin”, “Chicago”, and “Brisbane”.
mail: This attribute type contains the RFC822 mailbox for the user.

Table 73—IBM Tivoli Identity Manager Connector - Account Attributes

manager: This attribute type contains the distinguished name of the manager to whom this person reports.
mobile: This attribute type contains the mobile telephone number of this person.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Inc.”, and “SailPoint, Incorporated”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
pager: This attribute type contains the telephone number of this person's pager.
physicalDeliveryOfficeName: This attribute type contains names that a Postal Service uses to identify a specific post office. Each name is one value of this multi-valued attribute. Examples: “Austin, TX, Downtown Austin” and “Chicago, Finance Station E”.
postalAddress: This attribute type contains addresses used by a Postal Service to perform services for the object. Each address is one value of this multi-valued attribute. Example: “Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Austin$Texas$USA”.
postalCode: This attribute type contains codes used by a Postal Service to identify postal service zones. Each code is one value of this multi-valued attribute. Example: “78664”, in the USA, to identify Pflugerville.
postOfficeBox: This attribute type contains postal box identifiers used by a postal service to locate a box on the premises of the Postal Service rather than a physical street address. Each postal box identifier is a single value of this multi-valued attribute. Example: “Box 27”.
preferredDeliveryMethod: This attribute type contains an indication of the preferred method of getting a message to the object. Example: If the mhs-delivery Delivery Method is preferred over telephone-delivery, which is preferred over all other methods, the value would be: “mhs $ telephone”.
preferredLanguage: This attribute type contains the preferred written or spoken language of this person.
registeredAddress: This attribute type contains postal addresses to be used for deliveries that must be signed for or require a physical recipient. Each address is one value of this multi-valued attribute. Example: “1111 Elm St.$Austin, TX$USA”.
roomNumber: This attribute type contains the room or office number of this person's normal work location.
secretary: This attribute type contains the distinguished name of this person's secretary.

Table 73—IBM Tivoli Identity Manager Connector - Account Attributes

seeAlso: This attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute. Example: The person object “cn=Elvis Presley,ou=employee,o=SailPoint\, Inc.” is related to the role objects “cn=Bowling Team Captain,ou=sponsored activities,o=SailPoint\, Inc.” and “cn=Dart Team,ou=sponsored activities,o=SailPoint\, Inc.”. Since the role objects are related to the person object, the 'seeAlso' attribute will contain the distinguished name of each role object as separate values.
sn: This attribute type contains name strings for surnames, or family names. Each string is one value of this multi-valued attribute. Example: “Smith”.
st: This attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute. Example: “Texas”.
street: This attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute. Example: “15 Main St.”.
telephoneNumber: This attribute type contains telephone numbers that comply with the ITU Recommendation E.123 [E.123]. Each number is one value of this multi-valued attribute.
teletexTerminalIdentifier: The withdrawal of Recommendation F.200 has resulted in the withdrawal of this attribute.
telexNumber: This attribute type contains sets of strings that are a telex number, country code, and answerback code of a telex terminal. Each set is one value of this multi-valued attribute.
title: This attribute type contains the person's job title. Each title is one value of this multi-valued attribute. Examples: “Vice President”, “Software Engineer”, and “CEO”.
uid: This attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute. Examples: “s9709015”, “admin”, and “Administrator”.
objectClass: The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either “top” or “alias”.

Table 74—IBM Tivoli Identity Manager Connector - Group Attributes

cn: This attribute type contains names of an object. If the object corresponds to a person, it is typically the person's full name. Each name is one value of this multi-valued attribute. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.

Table 74—IBM Tivoli Identity Manager Connector - Group Attributes

description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
dn: This attribute type contains the directory path to the object.
member: This attribute type contains the groups to which this person is a unique member.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Inc.”, and “SailPoint, Incorporated”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
owner: This attribute type contains the distinguished names of objects that have ownership responsibility for the object that is owned. Each owner's name is one value of this multi-valued attribute. Example: The mailing list object, whose DN is “cn=All Employees,ou=Mailing List,o=SailPoint, Inc.”, is owned by the Human Resources Director. Therefore, the value of the 'owner' attribute within the mailing list object would be the DN of the director (role): “cn=Human Resources Director,ou=employee,o=SailPoint, Inc.”.

JDBC Connector

The JDBC Connector is used to extract data from JDBC-enabled database engines. This connector supports flat table data. To handle complex, multi-table data, you need to define a rule and a more complex SQL statement. This connector can be configured to enable the automatic discovery of schema attributes.

IdentityIQ supports the following additional JDBC Connector features in version 5.2 and later:
• Ability to provide the SQL statement or stored procedure during application configuration for automatic discovery of account-group schema attributes from the same database used for the account schema or a different one. See JDBC Connector - Schema Attributes on page 190.
• Ability to define provisioning rule(s) called for each row in the data file to provision account attributes. Note: An example of a provisioning rule is located in the examplerules.xml file.
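The multi-table case, as an added example that is not from the IdentityIQ documentation or product code: a join that returns one row per account and entitlement is collapsed on the index column into one object per account (the merge column becomes multi-valued, the way the connector's mergeRows, indexColumns and mergeColumns settings describe), and a result set whose rows for one account are not contiguous is rejected rather than silently replacing the earlier group, which is why the ORDER BY clause is required. The table names, column names and sample rows are constructed for the illustration, and the merge logic is a stand-alone re-implementation, not the connector's own.

```python
import sqlite3

# Constructed sample data: one row per (account, entitlement), the shape a
# join between an account table and an entitlement table returns.
ACCOUNTS = [("jdoe", "John Doe"), ("asmith", "Ann Smith")]
ENTITLEMENTS = [("jdoe", "finance_ro"), ("asmith", "hr_admin"), ("jdoe", "payroll_rw")]

# The SQL attribute for a merged application. The ORDER BY on the index
# column keeps like rows adjacent, which is what the merge relies on.
ORDERED_SQL = """
SELECT a.user_id, a.display_name, e.entitlement
FROM accounts AS a
JOIN entitlements AS e ON e.user_id = a.user_id
ORDER BY a.user_id, e.entitlement
"""

INDEX_COLUMNS = ["user_id"]      # indexColumns: correlates the like rows
MERGE_COLUMNS = ["entitlement"]  # mergeColumns: collapsed into a list


def fetch_rows(sql):
    """Run sql against an in-memory copy of the sample tables and return the
    rows as dicts keyed by column name. The names come from the result
    metadata, the same information schema auto-discovery uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user_id TEXT, display_name TEXT)")
    conn.execute("CREATE TABLE entitlements (user_id TEXT, entitlement TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO entitlements VALUES (?, ?)", ENTITLEMENTS)
    cursor = conn.execute(sql)
    columns = [d[0] for d in cursor.description]
    rows = [dict(zip(columns, r)) for r in cursor.fetchall()]
    conn.close()
    return rows


class OutOfOrderError(Exception):
    """Raised when rows for an index key reappear after a different key."""


def merge_rows(rows, index_columns, merge_columns):
    """Collapse adjacent rows that share the index columns into one object.

    merge_columns become multi-valued lists; every other column keeps the
    value from the first row of the group. A key that shows up again after
    its group has been closed means the result set was not ordered, and the
    second group would otherwise overwrite the first (data loss)."""
    merged = {}
    current_key = None
    for row in rows:
        key = tuple(row[c] for c in index_columns)
        if key != current_key:
            if key in merged:
                raise OutOfOrderError(
                    f"rows for index {key} are not contiguous; add ORDER BY "
                    f"{', '.join(index_columns)} to the SQL")
            current_key = key
            obj = dict(row)
            for c in merge_columns:
                obj[c] = [] if row[c] is None else [row[c]]
            merged[key] = obj
            continue
        obj = merged[key]
        for c in merge_columns:
            if row[c] is not None and row[c] not in obj[c]:
                obj[c].append(row[c])
    return list(merged.values())


# Constructed result set as a query without ORDER BY could return it:
# jdoe's two rows are separated by asmith's row.
UNORDERED_ROWS = [
    {"user_id": "jdoe", "display_name": "John Doe", "entitlement": "finance_ro"},
    {"user_id": "asmith", "display_name": "Ann Smith", "entitlement": "hr_admin"},
    {"user_id": "jdoe", "display_name": "John Doe", "entitlement": "payroll_rw"},
]


def merged_ordered():
    """Merged account objects built from the ordered query."""
    return merge_rows(fetch_rows(ORDERED_SQL), INDEX_COLUMNS, MERGE_COLUMNS)


def unordered_is_rejected():
    """True when the unordered result set triggers the ordering check."""
    try:
        merge_rows(UNORDERED_ROWS, INDEX_COLUMNS, MERGE_COLUMNS)
    except OutOfOrderError:
        return True
    return False


if __name__ == "__main__":
    for account in merged_ordered():
        print(account)
    print("unordered result set rejected:", unordered_is_rejected())
```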

JDBC Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection. The JDBC connector uses the following connection attributes:

Table 75—JDBC Connector - Required Attributes

user: The user with which to connect to the host.
password: The password associated with the specified user.
url: The URL with which to connect to the database.
driverClass: The Java JDBC class to use for the connection.
SQL: The SQL attribute can be used to customize the select statement that is generated when iterating over objects. By default, if the SQL option is null, the query string is built using the schema attributes and nativeObjectType. You can specify the exact SQL that is executed if you want to filter out objects or only want to select a few objects from a table. Additionally, if you need to perform joins between more than one table, the query is impossible to describe with the schema alone.
buildMapRule: The rule called for each row returned by the database after the SQL has been executed. The rule uses the ResultSet and builds a Map out of it to be consumed by IIQ. This overrides the default implementation.
mapToResourceObjectRule: Rule that is called to override the transformation of the data from the Map<String,String> form into a ResourceObject.
mergeRows: true or false. Indicates if the connector needs to be aware of rows that are alike so they can be merged.
indexColumns: The column name that indicates how the like rows are correlated.
mergeColumns: The columns that are merged when the default merge implementation is used.
mergeMapsRule: A rule that can be called to merge objects.

JDBC Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identity Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities. When a connector is called, the schema is supplied to the methods on the connector interface. The JDBC connector's most important attribute is the SQL statement. In many cases this is a stored procedure, (call mystoredProcedure). In other cases it is a select from a table with any number of joins included. If this connector is configured to use the automatic discovery function, it connects to the
database and executes the statement provided, then uses the metadata returned from the result to build the column names.

JDBC Connector - Merging and Ordering

Starting in version 5.0, IdentityIQ checks the order of the data returned from the database when merging, to prevent data loss. When merging, it is very important to have an ORDER BY clause in your SQL statement to prevent out-of-order errors.

LDAP Connector

You must be able to access the data using an LDAP server to use the LDAP Connector. This connector was developed using the LDAP RFC. The LDAP connector should plug into almost any LDAP server with no customization. LDAP does not store a user's group references on the user, so the LDAP connector must always do a separate query to return a list of all of the user's groups. The LDAP connector uses the groupMemberSearchDN attribute as the starting point in the directory to start searching for ALL group memberships.

LDAP Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection. The LDAP connector uses the following connection attributes:

Table 76—LDAP Connector - Connection Attributes

useSSL: Specifies if the connection is over SSL.
host: The host of the LDAP server.
port: The port the server is listening on.
user: The user to connect as. Typically a DN string such as Administrator.
password: The password for the administrator account.
authorizationType: Translates to the Context.SECURITY_AUTHENTICATION property in the API. The attribute value is one of the following strings: none, simple, strong.
searchDN: The search starting point. This is a DN string.
searchScope: The depth to search the LDAP tree: OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE.

Table 76—LDAP Connector - Connection Attributes

groupMemberSearchDN: Where to start in the tree when resolving a user's group membership. This is a DN string.
groupMemberAttribute: The name of the attribute used on the LDAP server to store group members.
iterateSearchFilter: An optional filter that can be added to the configuration to scope the objects returned when the iterateObjects method is called. Derived attributes can also be included in the filter.
filterString: This setting can be used to filter objects as they are returned from the underlying application.
pageSize: The number of objects to get, per page, when iterating over large numbers of objects. The default is 500.

LDAP Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identity Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities. When a connector is called, the schema is supplied to the methods on the connector interface.

Table 77—LDAP Connector - Account Attributes

businessCategory: The types of business performed by an organization. Each type is one value of this multi-valued attribute. Examples: “engineering”, “finance”, and “sales”.
carLicense: This attribute type contains the license plate or vehicle registration number associated with the user.
cn: This attribute type contains names of an object. If the object corresponds to a person, it is typically the person's full name. Each name is one value of this multi-valued attribute. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
departmentNumber: This attribute contains a numerical designation for a department within your enterprise.
description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
dn: This attribute contains the distinguished name by which the user is known.

Table 77—LDAP Connector - Account Attributes

destinationIndicator: This attribute type contains country and city strings associated with the object (the addressee) needed to provide the Public Telegram Service. The strings are composed in accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is one value of this multi-valued attribute. Examples: “AASD” as a destination indicator for Sydney, Australia. “GBLD” as a destination indicator for London, United Kingdom. Note: The directory will not ensure that values of this attribute conform to the F.1 and F.31 CCITT Recommendations. It is the application's responsibility to ensure destination indicators that it stores in this attribute are appropriately constructed.
displayName: This attribute contains the preferred name to be used for this person throughout the application.
employeeNumber: This attribute contains the numerical identification key for this person within your enterprise.
employeeType: This attribute contains a descriptive type for this user, for example, contractor, full time, or part time.
facsimileTelephoneNumber: This attribute type contains telephone numbers and any required parameters for facsimile terminals. Each telephone number is one value of this multi-valued attribute.
givenName: This attribute type contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute. Examples: “John”, “Sue”, and “David”.
groups: This attribute type contains a list of groups of which this person is a member. Example: “Sales” or “Engineering”.
homePhone: This attribute contains the employee's home phone number.
homePostalAddress: This attribute contains the employee's mailing address.
initials: This attribute type contains strings of initials of some or all of an individual's names, except the surname(s). Each string is one value of this multi-valued attribute. Examples: “J. A.” and “J”.
internationalISDNNumber: This attribute type contains Integrated Services Digital Network (ISDN) addresses, as defined in the International Telecommunication Union (ITU) Recommendation E.164 [E.164]. Each address is one value of this multi-valued attribute. Example: “0198 444 444”.
l: This attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute. Examples: “Austin”, “Chicago”, and “Brisbane”.
mail: This attribute type contains the RFC822 mailbox for the user.

Table 77—LDAP Connector - Account Attributes

manager: This attribute type contains the distinguished name of the manager to whom this person reports.
mobile: This attribute type contains the mobile telephone number of this person.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Inc.”, and “SailPoint, Incorporated”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
pager: This attribute type contains the telephone number of this person's pager.
physicalDeliveryOfficeName: This attribute type contains names that a Postal Service uses to identify a specific post office. Each name is one value of this multi-valued attribute. Examples: “Austin, TX, Downtown Austin” and “Chicago, Finance Station E”.
postalAddress: This attribute type contains addresses used by a Postal Service to perform services for the object. Each address is one value of this multi-valued attribute. Example: “Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Austin$Texas$USA”.
postalCode: This attribute type contains codes used by a Postal Service to identify postal service zones. Each code is one value of this multi-valued attribute. Example: “78664”, in the USA, to identify Pflugerville.
postOfficeBox: This attribute type contains postal box identifiers used by a postal service to locate a box on the premises of the Postal Service rather than a physical street address. Each postal box identifier is a single value of this multi-valued attribute. Example: “Box 27”.
preferredDeliveryMethod: This attribute type contains an indication of the preferred method of getting a message to the object. Example: If the mhs-delivery Delivery Method is preferred over telephone-delivery, which is preferred over all other methods, the value would be: “mhs $ telephone”.
preferredLanguage: This attribute type contains the preferred written or spoken language of this person.
registeredAddress: This attribute type contains postal addresses to be used for deliveries that must be signed for or require a physical recipient. Each address is one value of this multi-valued attribute. Example: “1111 Elm St.$Austin, TX$USA”.
roomNumber: This attribute type contains the room or office number of this person's normal work location.
secretary: This attribute type contains the distinguished name of this person's secretary.

Table 77—LDAP Connector - Account Attributes

seeAlso: This attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute. Example: The person object “cn=Elvis Presley,ou=employee,o=SailPoint\, Inc.” is related to the role objects “cn=Bowling Team Captain,ou=sponsored activities,o=SailPoint\, Inc.” and “cn=Dart Team,ou=sponsored activities,o=SailPoint\, Inc.”. Since the role objects are related to the person object, the 'seeAlso' attribute will contain the distinguished name of each role object as separate values.
sn: This attribute type contains name strings for surnames, or family names. Each string is one value of this multi-valued attribute. Example: “Smith”.
st: This attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute. Example: “Texas”.
street: This attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute. Example: “15 Main St.”.
telephoneNumber: This attribute type contains telephone numbers that comply with the ITU Recommendation E.123 [E.123]. Each number is one value of this multi-valued attribute.
teletexTerminalIdentifier: The withdrawal of Recommendation F.200 has resulted in the withdrawal of this attribute.
telexNumber: This attribute type contains sets of strings that are a telex number, country code, and answerback code of a telex terminal. Each set is one value of this multi-valued attribute.
title: This attribute type contains the person's job title. Each title is one value of this multi-valued attribute. Examples: “Vice President”, “Software Engineer”, and “CEO”.
uid: This attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute. Examples: “s9709015”, “admin”, and “Administrator”.
objectClass: The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either “top” or “alias”.

Table 78—LDAP Connector - Group Attributes

cn: This attribute type contains names of an object. If the object corresponds to a person, it is typically the person's full name. Each name is one value of this multi-valued attribute. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.

Table 78—LDAP Connector - Group Attributes

description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
dn: This attribute type contains the directory path to the object.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Inc.”, and “SailPoint, Incorporated”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
owner: This attribute type contains the distinguished names of objects that have ownership responsibility for the object that is owned. Each owner's name is one value of this multi-valued attribute. Example: The mailing list object, whose DN is “cn=All Employees,ou=Mailing List,o=SailPoint, Inc.”, is owned by the Human Resources Director. Therefore, the value of the 'owner' attribute within the mailing list object would be the DN of the director (role): “cn=Human Resources Director,ou=employee,o=SailPoint, Inc.”.
uniqueMember: This attribute type contains the groups to which this person is a unique member.

LDIF Connector

The LDIF connector is used to extract data from LDIF files. To help when the membership is not part of the account data, there is an option that can be configured named “groupMembershipAttribute”. This configuration setting holds the name of the attribute from the group file which contains the list of its members. Add this attribute to the account schema and mark it multi-valued. During account iteration the connector will read in the groups file to get the group->user mapping and adorn each account with its assigned groups as the accounts are aggregated. The “groupMembershipAttribute” along with a group file must be configured for this feature to work.

LDIF Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection. The LDIF connector uses the following connection attributes:

Table 79—LDIF Connector - Connection Attributes

filetransport: local, ftp, scp
host: The host of the server to which you are connecting. Not valid with local.
transportUser: The user to use with ftp and scp. Not valid with local.
transportUserPassword: The password to use with ftp and scp.
file: The fully qualified path to the file.
fileEncoding: Specify the file encoding to be used by the connector. Valid values for this attribute can be found at: http://www.iana.org/assignments/character-sets If this field is empty, the default encoding (the value of file.encoding specified by the JVM) is used.
filterString: Filter lines that match this string.
filterEmptyRecords: If activated, records that have no data are filtered.
groupMembershipAttribute: Holds the name of the attribute from the group file which contains the list of its members.
mapToResourceObjectRule: Rule that is called to override the transformation of the data from the Map<String,String> form into a ResourceObject.
preIterativeRule: The pre-iterate rule will check for a specially named Configuration object that will hold the last run statistics that can be compared against the current values. This rule is called after the file has been transferred, but before iteration over the objects in the file is started. For validation this rule can use the existing statistics stored by the postIterationRule during the last aggregation. The rule can compare the stored values with the new values to check for problems.
postIterativeRule: The post-iterate rule can store away the configuration object and rename/delete the file if desired. This rule is called after aggregation has completed and ALL objects have been iterated.

LDIF Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identity Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities. When a connector is called, the schema is supplied to the methods on the connector interface.
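The group-file adornment that the groupMembershipAttribute setting describes, as an added example that is not part of the IdentityIQ documentation or product code: a minimal LDIF reader (folded lines, base64 “::” values, comments) builds the member-DN to group map from a constructed groups file, each constructed account then receives its groups as the multi-valued attribute named by the setting, and a second function lists member DNs that match no account. The DN matching rule here (case-insensitive, whitespace around unescaped commas removed) and the attribute name “member” are this example's assumptions, not documented connector behaviour.

```python
import base64
import re
from collections import defaultdict

# Constructed sample files (not real directory data). The payroll group lists
# jdoe's DN base64-encoded ("member::") and a DN that matches no account.
_JDOE_B64 = base64.b64encode(b"uid=jdoe,ou=people,o=example").decode("ascii")
GROUPS_LDIF = f"""\
dn: cn=finance,ou=groups,o=example
objectClass: groupOfNames
cn: finance
member: uid=jdoe,ou=people,o=example
member: uid=asmith,ou=people,
 o=example

dn: cn=payroll,ou=groups,o=example
objectClass: groupOfNames
cn: payroll
member:: {_JDOE_B64}
member: uid=ghost,ou=people,o=example
"""

ACCOUNTS_LDIF = """\
dn: uid=jdoe,ou=people,o=example
uid: jdoe
cn: John Doe

dn: UID=asmith, OU=people, o=example
uid: asmith
cn: Ann Smith

dn: uid=bnoone,ou=people,o=example
uid: bnoone
cn: Bob Noone
"""


def _unfold(lines):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Minimal LDIF reader: blank lines separate records, '#' lines are
    comments, 'attr:: value' is base64. Attribute names are lower-cased and
    map to lists of values; records without a dn (e.g. 'version: 1') drop."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        entry = {}
        for line in _unfold(block.splitlines()):
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        if "dn" in entry:
            records.append(entry)
    return records


def normalize_dn(dn):
    """Assumed matching rule: case-insensitive, whitespace around unescaped
    commas removed, escaped commas (\\,) kept inside their RDN value."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(part.strip() for part in parts).lower()


def group_membership(groups, membership_attribute):
    """Map normalized member DN -> list of group DNs (the group->user mapping)."""
    members = defaultdict(list)
    for group in groups:
        for member_dn in group.get(membership_attribute.lower(), []):
            members[normalize_dn(member_dn)].append(group["dn"][0])
    return members


def aggregate(accounts_ldif, groups_ldif, membership_attribute):
    """Adorn each account with its groups under the membership attribute name,
    the multi-valued attribute added to the account schema."""
    members = group_membership(parse_ldif(groups_ldif), membership_attribute)
    adorned = []
    for account in parse_ldif(accounts_ldif):
        account = dict(account)
        key = normalize_dn(account["dn"][0])
        account[membership_attribute] = list(members.get(key, []))
        adorned.append(account)
    return adorned


def dangling_members(accounts_ldif, groups_ldif, membership_attribute):
    """Member DNs a group references that match no account: membership the
    aggregation cannot attach to anyone and that a reviewer should question."""
    known = {normalize_dn(a["dn"][0]) for a in parse_ldif(accounts_ldif)}
    members = group_membership(parse_ldif(groups_ldif), membership_attribute)
    return sorted(dn for dn in members if dn not in known)
```

Running aggregate(ACCOUNTS_LDIF, GROUPS_LDIF, "member") gives jdoe both groups via the plain and the base64 member values, asmith the finance group despite the folded line and the differently cased account DN, and bnoone an empty list.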

Table 80—LDIF Connector - Account Attributes

businessCategory: The types of business performed by an organization. Each type is one value of this multi-valued attribute. Examples: “engineering”, “finance”, and “sales”.
carLicense: This attribute type contains the license plate or vehicle registration number associated with the user.
cn: This attribute type contains names of an object. If the object corresponds to a person, it is typically the person's full name. Each name is one value of this multi-valued attribute. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
departmentNumber: This attribute contains a numerical designation for a department within your enterprise.
description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
destinationIndicator: This attribute type contains country and city strings associated with the object (the addressee) needed to provide the Public Telegram Service. The strings are composed in accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is one value of this multi-valued attribute. Examples: “AASD” as a destination indicator for Sydney, Australia. “GBLD” as a destination indicator for London, United Kingdom. Note: The directory will not ensure that values of this attribute conform to the F.1 and F.31 CCITT Recommendations. It is the application's responsibility to ensure destination indicators that it stores in this attribute are appropriately constructed.
displayName: This attribute contains the preferred name to be used for this person throughout the application.
dn: This attribute contains the distinguished name by which the user is known.
employeeNumber: This attribute contains the numerical identification key for this person within your enterprise.
employeeType: This attribute contains a descriptive type for this user, for example, contractor, full time, or part time.
facsimileTelephoneNumber: This attribute type contains telephone numbers and any required parameters for facsimile terminals. Each telephone number is one value of this multi-valued attribute.
givenName: This attribute type contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute. Examples: “John”, “Sue”, and “David”.
groups: This attribute type contains a list of groups of which this person is a member. Example: “Sales” or “Engineering”.

Table 80—LDIF Connector - Account Attributes

homePhone: This attribute contains the employee's home phone number.
homePostalAddress: This attribute contains the employee's mailing address.
initials: This attribute type contains strings of initials of some or all of an individual's names, except the surname(s). Each string is one value of this multi-valued attribute. Examples: “J. A.” and “J”.
internationalISDNNumber: This attribute type contains Integrated Services Digital Network (ISDN) addresses, as defined in the International Telecommunication Union (ITU) Recommendation E.164 [E.164]. Each address is one value of this multi-valued attribute. Example: “0198 444 444”.
l: This attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute. Examples: “Austin”, “Chicago”, and “Brisbane”.
mail: This attribute type contains the RFC822 mailbox for the user.
manager: This attribute type contains the distinguished name of the manager to whom this person reports.
mobile: This attribute type contains the mobile telephone number of this person.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Inc.”, and “SailPoint, Incorporated”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
pager: This attribute type contains the telephone number of this person's pager.
physicalDeliveryOfficeName: This attribute type contains names that a Postal Service uses to identify a specific post office. Each name is one value of this multi-valued attribute. Examples: “Austin, TX, Downtown Austin” and “Chicago, Finance Station E”.
postalAddress: This attribute type contains addresses used by a Postal Service to perform services for the object. Each address is one value of this multi-valued attribute. Example: “Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Austin$Texas$USA”.
postalCode: This attribute type contains codes used by a Postal Service to identify postal service zones. Each code is one value of this multi-valued attribute. Example: “78664”, in the USA, to identify Pflugerville.
postOfficeBox: This attribute type contains postal box identifiers used by a postal service to locate a box on the premises of the Postal Service rather than a physical street address. Each postal box identifier is a single value of this multi-valued attribute. Example: “Box 27”.

Table 80—LDIF Connector - Account Attributes (continued)

preferredDeliveryMethod: This attribute type contains an indication of the preferred method of getting a message to the object. Example: If the mhs-delivery Delivery Method is preferred over telephone-delivery, which is preferred over all other methods, the value would be: “mhs $ telephone”.
preferredLanguage: This attribute type contains the preferred written or spoken language of this person.
registeredAddress: This attribute type contains postal addresses to be used for deliveries that must be signed for or require a physical recipient. Each address is one value of this multi-valued attribute. Example: “Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Austin, TX$USA”.
roomNumber: This attribute type contains the room or office number of this person's normal work location.
secretary: This attribute type contains the distinguished name of this person's secretary.
seeAlso: This attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute. Example: The person object “cn=Elvis Presley,ou=employee,o=SailPoint\, Inc.” is related to the role objects “cn=Bowling Team Captain,ou=sponsored activities,o=SailPoint\, Inc.” and “cn=Dart Team,ou=sponsored activities,o=SailPoint\, Inc.”. Since the role objects are related to the person object, the 'seeAlso' attribute will contain the distinguished name of each role object as separate values.
sn: This attribute type contains name strings for surnames, or family names. Each string is one value of this multi-valued attribute. Example: “Smith”.
st: This attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute. Example: “Texas”.
street: This attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute. Example: “15 Main St.”.
telephoneNumber: This attribute type contains telephone numbers that comply with the ITU Recommendation E.123 [E.123]. Each number is one value of this multi-valued attribute.
teletexTerminalIdentifier: The withdrawal of Recommendation F.200 has resulted in the withdrawal of this attribute.
telexNumber: This attribute type contains sets of strings that are a telex number, country code, and answerback code of a telex terminal. Each set is one value of this multi-valued attribute.

Table 80—LDIF Connector - Account Attributes (continued)

title: This attribute type contains the person's job title. Each title is one value of this multi-valued attribute. Examples: “Vice President”, “Software Engineer”, and “CEO”.
uid: This attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute. Examples: “s9709015”, “admin”, and “Administrator”.

Table 81—LDIF Connector - Group Attributes

cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
dn: This attribute type contains the directory path to the object.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Inc.”, and “SailPoint, Incorporated.”.
objectClass: The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either “top” or “alias”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
owner: This attribute type contains the distinguished names of objects that have ownership responsibility for the object that is owned. Each owner's name is one value of this multi-valued attribute. Example: The mailing list object, whose DN is “cn=All Employees,ou=Mailing List,o=SailPoint, Inc.”, is owned by the Human Resources Director. Therefore, the value of the 'owner' attribute within the mailing list object would be the DN of the director (role): “cn=Human Resources Director,ou=employee,o=SailPoint, Inc.”.
uniqueMember: This attribute type lists the members of the group. In LDAP, each value on a group entry is the distinguished name of one member entry (optionally followed by a uniqueIdentifier), so the group's membership is read from this attribute rather than from the person entries.
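The LDIF attribute tables above describe what the connector reads from an LDIF export. The following Python is added here as an illustration; it is not code from the IdentityIQ product or from this guide. It parses a constructed LDIF entry built from the example values of Tables 80 and 81 and shows the two details that matter when these values are later used for correlation or access decisions: a multi-valued attribute (seeAlso, objectClass, title) keeps every value, and a DN such as “o=SailPoint\, Inc.” may only be split on unescaped commas. The parser, the sample entry and the attribute subset are assumptions of the example.

```python
import base64
import re


def parse_ldif(text):
    """Parse LDIF (RFC 2849) into a list of entries.

    Each entry is a dict mapping a lower-cased attribute name (LDAP names
    are case-insensitive) to a list of values, so multi-valued attributes
    keep every value. Folded continuation lines (leading space) are joined
    and base64 values ("attr:: ...") are decoded.
    """
    entries, current = [], {}
    unfolded = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            raise ValueError("URL-valued attributes are not fetched here")
        else:
            value = value.lstrip(" ")
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def split_dn(dn):
    """Split a distinguished name into its RDN strings (RFC 4514).

    A backslash escapes the next character, so "o=SailPoint\\, Inc." is one
    RDN; a naive dn.split(",") would produce a bogus " Inc." component and
    break any correlation or access decision built on the DN.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def split_postal_address(value):
    """Split a Postal Address syntax value (RFC 4517) on its '$' line
    separators; an escaped dollar ('\\24') or backslash ('\\5C') is data."""
    return [p.replace("\\24", "$").replace("\\5C", "\\").replace("\\5c", "\\")
            for p in value.split("$")]


# Constructed sample (not from the SailPoint guide), reusing attribute names
# and example values of Tables 80 and 81. The description is base64-encoded
# and the registeredAddress value is folded across two lines.
_DESC_B64 = base64.b64encode(b"Updates are done every Saturday, at 1am.").decode("ascii")
SAMPLE_LDIF = (
    "dn: cn=Elvis Presley,ou=employee,o=SailPoint\\, Inc.\n"
    "objectClass: top\n"
    "objectClass: inetOrgPerson\n"
    "cn: Elvis Presley\n"
    "sn: Presley\n"
    "uid: epresley\n"
    "homePostalAddress: 1111 Elm St.$Austin$Texas$USA\n"
    "registeredAddress: Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Aus\n"
    " tin, TX$USA\n"
    "seeAlso: cn=Bowling Team Captain,ou=sponsored activities,o=SailPoint\\, Inc.\n"
    "seeAlso: cn=Dart Team,ou=sponsored activities,o=SailPoint\\, Inc.\n"
    "description:: " + _DESC_B64 + "\n"
    "title: Vice President\n"
    "\n"
)


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)[0]
    print(split_dn(entry["dn"][0]))
    print(entry["seealso"])
    print(split_postal_address(entry["registeredaddress"][0]))
```

Run it as a script to see the split DN, the two seeAlso values and the unfolded registeredAddress. The escape handling in split_dn is the part worth keeping: an attribute value containing a comma is legal in any DN, and a splitter that ignores the backslash will misfile the entry under a non-exist organization.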

Mainframe Connector

This connector uses a technique called screen scraping, and each deployment must write Rules to drive the login, logout and fetch-accounts interactions. The connector parses the screens and emulates the user during the interaction. On some legacy systems, screen scraping is the only way to get to the data needed by IdentityIQ.
The Mainframe connector is designed for TN3270 applications and is built on the IBM Host Access API libraries. You must have the IBM Host Access API libraries before working with this connector. You can purchase these libraries from IBM.
Each Mainframe connector requires a lot of hands-on configuration, because the Rules that drive this connector are very specific to the application on which the connector is running.

Mainframe Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection. The Mainframe connector uses the following connection attributes:

Table 82—Mainframe Connector - Required Attributes

host: The host of the server to which you are connecting.
port: The port the server is listening through.
user: The valid user name with which to connect to the server.
password: The password associated with the connection user.
defaultTimeout: The length of time scripts should wait for data to be returned during command execution.
defaultIdleTimeout: The length of time the screen should be idle before timing out.
morePrompt: The prompt scripts should expect to receive to indicate there is more data on the screen.
readyPrompt: The prompt scripts should expect to receive to indicate the mainframe is ready.
userIterateCommand: The command used to natively iterate over all users.
userIterateRegularExpression: The regular expression that should be used when fetching/iterating accounts. This expression breaks the screens into records that can be manipulated by the script.
userTransformRule: The rule called for each record delineated by the regular expression. This rule takes the text from the screens and converts it to a ResourceObject.
logonRule: The rule used to log on to the application.
logoffRule: The rule called to log off of the application.
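The iterate/transform cycle that these attributes configure, as an added Python example (not code from the IdentityIQ product or from this guide): a fake emulator stands in for the IBM Host Access session, the screen layout, the morePrompt/readyPrompt strings and the regular expression are constructed for the example, and the transform returns a plain dict where the real userTransformRule would build a ResourceObject. The point it adds is the failure handling a screen-scraping connector needs: a host that never reaches the ready prompt is a timeout, not an empty user list, and lines the expression does not match are reported instead of being silently dropped.

```python
import re


class FakeEmulator:
    """Stand-in for the IBM Host Access session the connector drives.

    Constructed for this example: each call to read_screen() returns the
    next 3270 screen as text, the way the emulator would after the
    userIterateCommand (and each subsequent Enter) has been sent.
    """

    def __init__(self, screens):
        self._screens = list(screens)

    def read_screen(self):
        if not self._screens:
            # Nothing arrives within defaultTimeout: the host never reached
            # the ready prompt, so the iteration cannot complete.
            raise TimeoutError("no screen received before defaultTimeout")
        return self._screens.pop(0)

    def send_enter(self):
        pass  # a real session would key Enter to page forward


def iterate_users(emulator, more_prompt, ready_prompt, max_screens=1000):
    """Collect screen text until the ready prompt appears.

    Whenever the 'more' prompt is shown, it is stripped, Enter is sent and
    the next screen is appended. max_screens bounds a host that pages forever.
    """
    chunks = []
    for _ in range(max_screens):
        screen = emulator.read_screen().rstrip()
        if screen.endswith(ready_prompt):
            chunks.append(screen[: -len(ready_prompt)].rstrip())
            return "\n".join(chunks)
        if screen.endswith(more_prompt):
            chunks.append(screen[: -len(more_prompt)].rstrip())
        else:
            chunks.append(screen)
        emulator.send_enter()
    raise RuntimeError("ready prompt not seen after %d screens" % max_screens)


# The userIterateRegularExpression for the constructed layout: one record per
# line, with named groups the transform rule maps onto the account schema.
USER_ITERATE_REGEX = re.compile(
    r"^USER=(?P<user>\S+)\s+NAME=(?P<name>.+?)\s+OWNER=(?P<owner>\S+)"
    r"\s+DFLTGRP=(?P<dfltgrp>\S+)\s*$"
)


def user_transform_rule(match):
    """What a userTransformRule does for one record: return the attribute
    map that becomes a ResourceObject, keyed by the schema attribute names."""
    g = match.groupdict()
    return {
        "USER": g["user"],
        "NAME": g["name"].strip(),
        "OWNER": g["owner"],
        "DEFAULT-GROUP": g["dfltgrp"],
    }


def aggregate(emulator, more_prompt="***", ready_prompt="READY"):
    """Run the iterate/transform cycle.

    Returns (records, unmatched). Lines the regular expression did not match
    are returned rather than dropped: after a layout change on the host they
    would otherwise look like users that no longer exist.
    """
    text = iterate_users(emulator, more_prompt, ready_prompt)
    records, unmatched = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = USER_ITERATE_REGEX.match(line)
        if m:
            records.append(user_transform_rule(m))
        else:
            unmatched.append(line)
    return records, unmatched


# Constructed screen captures (not real host output): the listing spans two
# screens; the first ends in the 'more' prompt, the last in the ready prompt.
SCREENS = [
    "USER=JSMITH   NAME=JOHN SMITH      OWNER=SYSADM   DFLTGRP=DEVTEAM\n"
    "USER=AJONES   NAME=ANNE JONES      OWNER=SYSADM   DFLTGRP=OPS\n"
    "***",
    "USER=BBROWN   NAME=BOB BROWN       OWNER=SECADM   DFLTGRP=AUDIT\n"
    "TOTAL USERS: 3\n"
    "READY",
]

if __name__ == "__main__":
    print(aggregate(FakeEmulator(SCREENS)))
```

The regular expression is anchored at both ends of the line on purpose: an unanchored pattern would happily match inside a summary or error line, and in an identity feed a mis-parsed record is an account that gets certified, provisioned or revoked for the wrong person.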

Mainframe Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities' Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities.

Table 83—Mainframe Connector - Account Attributes

USER: The user ID or login ID of the user.
NAME: The user's name.
OWNER: The owner of the profile.
GROUP: Group ID for the owner group.
DEFAULT-GROUP: The default group to which the owner of the attribute belongs.
ATTRIBUTES: The attributes assigned to the user.
SECURITY-LABEL: The security label assigned to the data being collected, as defined by the Open Systems Interconnection Security Architecture.

Microsoft SharePoint® Connector

Microsoft SharePoint provides tools that let users set up Web sites to share information with others, manage documents from start to finish, and publish reports to help everyone make better decisions. IdentityIQ offers the ability to aggregate existing SharePoint users from multiple SharePoint sites and show what access rights those SharePoint users have to SharePoint groups, folders and documents.
The Microsoft SharePoint connector is designed to aggregate accounts and groups from SharePoint 2007 and 2010 environments using the Microsoft Web Services that ship as part of the SharePoint software. For user aggregation, IdentityIQ gathers the synchronized UserProfile data as the basis of the user accounts. It also collects SharePoint groups and Domain groups during the group aggregation process.

Table 84—SharePoint Connector - Attributes

SharePoint Server URL: URL to the site collection from which you want to aggregate.
UserName: User name of an administrator that has access to read UserProfiles and group definitions. The UserName must be in fully qualified domain format.
password: The password associated with the UserName.

Table 84—SharePoint Connector - Attributes (continued)

Authentication Application: The name of the IdentityIQ application from which SharePoint user data is sourced, for example Active Directory.
Authenticated Application Correlation Attribute (OPTIONAL): The name of the attribute used when finding the account in the underlying source. By default IdentityIQ uses sAMAccountName.
User SQL (OPTIONAL): Microsoft query performed when iterating over users. If one is not defined, a default query is generated.
User Fetch SQL (OPTIONAL): Microsoft query performed when fetching a single object.

SharePoint Data

The accounts and SharePoint domain groups always come from another source. SharePoint synchronizes with the authorization store to build UserProfiles, which contain very sparse account data.
Note: The UserProfile does not contain the groups of which a user is a member.
The IdentityIQ connector uses information from both SharePoint and the application that stores the SharePoint source data. By default, SharePoint stores the sAMAccountName as the identifier for Active Directory users and groups. The IdentityIQ connector uses the sAMAccountName to correlate the user profiles to Active Directory accounts and the SharePoint Domain groups to Active Directory groups. The connector configuration must be populated with the underlying SharePoint source data to allow the correlation of the SharePoint profile accounts back to existing links.
To correlate the SharePoint objects to the IdentityIQ Authentication Application, the sAMAccountName in the account and group schema must be marked as “Correlation Key”. You can do this in the user interface by selecting the Correlation Key checkbox on the schema page.
Note: Marking sAMAccountName as “Correlation Key” in the account and group schema must be done prior to running aggregation on the authentication application, or a re-run of aggregation will be required.
For both UserProfile and DomainGroup aggregation, the data from SharePoint and the data from the Authentication Application are merged into a single account or group, which is used to represent the SharePoint account or group in IdentityIQ.
Note: The Authentication Application Links and groups remain unaffected.

SharePoint Target Collector

SharePoint uses a data structure that requires the configuration of the Unstructured Targets tab to collect targeted data. See Unstructured Targets Tab on page 162 for more information.
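The merge described above, as an added Python example that is not part of the IdentityIQ product or this guide. The profiles, Links and groups are constructed data; the account-name forms handled (“DOMAIN\user” and the SharePoint 2010 Windows-claims form “i:0#.w|domain\user”) and the attribute names are assumptions of the example. What it shows beyond the text is the two conditions a practitioner must check: a profile with no correlated Link is reported rather than created as an orphan account, and a duplicate correlation key is treated as an error, because correlating to the wrong Link would attach one person's entitlements to another's SharePoint account.

```python
import re

# Constructed data (not from a real SharePoint farm or directory).
# SharePoint UserProfiles are sparse: an account name, a display name, and
# little else. The Links come from the Authentication Application (Active
# Directory here) and already carry the attributes the profiles lack.
SHAREPOINT_PROFILES = [
    {"AccountName": "CORP\\jsmith", "PreferredName": "John Smith"},
    {"AccountName": "i:0#.w|corp\\ajones", "PreferredName": "Anne Jones"},
    {"AccountName": "CORP\\ghost", "PreferredName": "Departed User"},
]
AD_LINKS = [
    {"sAMAccountName": "jsmith", "distinguishedName": "CN=John Smith,OU=Staff,DC=corp,DC=example",
     "mail": "jsmith@corp.example", "memberOf": ["CN=SP-Owners,OU=Groups,DC=corp,DC=example"]},
    {"sAMAccountName": "AJones", "distinguishedName": "CN=Anne Jones,OU=Staff,DC=corp,DC=example",
     "mail": "ajones@corp.example", "memberOf": []},
]
SHAREPOINT_DOMAIN_GROUPS = [
    {"Name": "CORP\\SP-Owners"},
    {"Name": "CORP\\Orphan-Group"},
]
AD_GROUPS = [
    {"sAMAccountName": "SP-Owners", "distinguishedName": "CN=SP-Owners,OU=Groups,DC=corp,DC=example",
     "member": ["CN=John Smith,OU=Staff,DC=corp,DC=example"]},
]

# SharePoint 2010 Windows claims prefix (assumed form for this example).
_CLAIMS_PREFIX = re.compile(r"^i:0#\.w\|", re.IGNORECASE)


def to_correlation_value(account_name):
    """Reduce 'DOMAIN\\user' (or 'i:0#.w|domain\\user') to the bare
    sAMAccountName, lower-cased: sAMAccountName is case-insensitive."""
    name = _CLAIMS_PREFIX.sub("", account_name)
    return name.rsplit("\\", 1)[-1].lower()


def build_index(objects, correlation_attribute):
    """Index Authentication Application objects by their correlation key.

    A duplicate key is an error: correlating a profile to the wrong object
    would attach someone else's entitlements to this SharePoint account.
    """
    index = {}
    for obj in objects:
        key = obj[correlation_attribute].lower()
        if key in index:
            raise ValueError("duplicate correlation key %r" % key)
        index[key] = obj
    return index


def merge(sharepoint_objects, name_field, source_objects, correlation_attribute="sAMAccountName"):
    """Merge each SharePoint object with its correlated source object.

    Returns (merged, uncorrelated). An uncorrelated object is the case the
    text warns about: the key was not marked, or the authentication
    application has not been aggregated since, so SharePoint's sparse
    record cannot be tied back to an existing Link or group.
    """
    index = build_index(source_objects, correlation_attribute)
    merged, uncorrelated = [], []
    for obj in sharepoint_objects:
        key = to_correlation_value(obj[name_field])
        source = index.get(key)
        if source is None:
            uncorrelated.append(obj[name_field])
            continue
        record = dict(source)   # directory data first ...
        record.update(obj)      # ... SharePoint data layered on top
        record["correlationKey"] = key
        merged.append(record)
    return merged, uncorrelated


def aggregate_sharepoint():
    accounts, missing_accounts = merge(SHAREPOINT_PROFILES, "AccountName", AD_LINKS)
    groups, missing_groups = merge(SHAREPOINT_DOMAIN_GROUPS, "Name", AD_GROUPS)
    return accounts, missing_accounts, groups, missing_groups


if __name__ == "__main__":
    accts, miss_a, grps, miss_g = aggregate_sharepoint()
    print([a["correlationKey"] for a in accts], "uncorrelated:", miss_a)
    print([g["correlationKey"] for g in grps], "uncorrelated:", miss_g)
```

The uncorrelated lists are the ones to act on after an aggregation: a non-empty list usually means the Correlation Key was set after the Authentication Application was last aggregated, which the note above says requires re-running that aggregation.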

Microsoft SQL Server® 2005 & 2008 Connector

The Microsoft SQL Server connector initiates a JDBC connection to the instance specified in the URL field of the application configuration screen in IdentityIQ. The credentials used are those specified in the User and Password fields of the application configuration. The connection user's privileges must include view access to all definitions, so that it can query the catalog views and procedures needed to extract users, permissions, and roles. For the connector to have access to the server, the server must have mixed-mode authentication enabled, which allows both Windows (group) authentication and native SQL Server logins.

Table 85—Microsoft SQL Server Connector - Attributes

URL: The URL of the database.
Driver: The fully qualified name of the SQL Server driver class.
User: The valid user name with which to connect to the server.
Password: The password associated with the connection user.

Schema Attributes

The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities' Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities. SQL Server keeps server logins and database users as separate principals; IdentityIQ combines server logins and database users into this single account schema.

Table 86—Microsoft SQL Server Connector - Schema Account Attributes

native_identity: A fabricated unique identifier for the account, consisting of the user name and the database or server name to which the user/login is mapped, joined with an at sign (@). Examples: jsmith@SQLServerApp, jsmith@invDatabase.
name: The user name for this account on this database/server.
database_name: The name of the database on which the account exists.
database_id: The ID of the database on which the account exists.
server_login: The server login to which this account is mapped.

Table 86—Microsoft SQL Server Connector - Schema Account Attributes (continued)

description: This attribute type contains human-readable descriptive phrases about the object.
sid: Unique ID within the database that is dependent on its creation method. For example, if the user is created from a SQL Server login, it is given the SID of the login. If the user is created from a certificate or asymmetric key, the SID is derived from the SHA-1 hash of the public key.
principal_id: The SQL Server generated unique ID number of the user/login.
type: A character that describes the type of object on the database.
type_desc: A string that describes the type of object on the database.
default_schema_name: Specifies the first schema that is searched by the server when it resolves the names of objects.
owning_principal_id: The owner of this database account.
create_date: Time at which this account was created.
modify_date: Time at which this account was modified.
server_name: The name of the SQL Server application on which this account is located.
roles: A multivalued attribute that lists the roles of which this account is a member. The naming convention used is the role name and database name separated by an ampersand.

Table 87—Microsoft SQL Server Connector - Schema Group Attributes

native_identity: A fabricated unique identifier for the group, consisting of the group name and the database or server name to which it belongs, joined with an at sign (@). Examples: jsmith@SQLServerApp, jsmith@invDatabase.
name: The name of this group on this database/server.
database_name: The name of the database on which the group exists.
database_id: The ID of the database on which the group exists.
principal_id: The SQL Server generated unique ID number of the group.
is_fixed_role: If the value of this field is 1, this is one of the nine fixed database roles (db_owner, db_accessadmin, db_securityadmin, db_ddladmin, db_backupoperator, db_datareader, db_datawriter, db_denydatareader, db_denydatawriter).
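How the account and group schema above are assembled from the SQL Server catalog, as an added Python example; it is not the connector's code and the catalog queries are the ones I would run for this purpose, not queries taken from the product. The result rows are constructed. Two points the tables state but do not show: a database user is tied to its server login by SID, not by name, so a user whose SID matches no login is an orphaned user with no server_login; and is_fixed_role is decided by membership in the nine fixed database roles. The '@' join, the '&' role naming and the field names follow Tables 86 and 87.

```python
# Catalog queries for one server and one database (assumed for this example).
# Principal types: S = SQL login/user, U = Windows user, G = Windows group,
# C = certificate mapped, K = asymmetric-key mapped, R = role.
CATALOG_QUERIES = {
    "server_logins": (
        "SELECT name, sid, type, type_desc, create_date, modify_date "
        "FROM sys.server_principals WHERE type IN ('S','U','G','C','K')"),
    "server_role_members": (
        "SELECT r.name AS role_name, m.name AS member_name "
        "FROM sys.server_role_members rm "
        "JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id "
        "JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id"),
    "database_users": (
        "SELECT principal_id, name, sid, type, type_desc, default_schema_name, "
        "owning_principal_id, create_date, modify_date "
        "FROM sys.database_principals WHERE type IN ('S','U','G','C','K')"),
    "database_roles": (
        "SELECT principal_id, name, is_fixed_role "
        "FROM sys.database_principals WHERE type = 'R'"),
    "database_role_members": (
        "SELECT r.name AS role_name, m.name AS member_name "
        "FROM sys.database_role_members rm "
        "JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id "
        "JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id"),
}

FIXED_DATABASE_ROLES = frozenset({
    "db_owner", "db_accessadmin", "db_securityadmin", "db_ddladmin",
    "db_backupoperator", "db_datareader", "db_datawriter",
    "db_denydatareader", "db_denydatawriter",
})


def _roles_of(member_name, role_members, scope_name):
    # Role naming from Tables 86/87: "<role>&<database or server>".
    return ["%s&%s" % (role, scope_name) for role, member in role_members if member == member_name]


def build_server_accounts(server_name, logins, server_role_members):
    """One account per server login, native_identity 'login@server'."""
    return [{
        "native_identity": "%s@%s" % (login["name"], server_name),
        "name": login["name"],
        "server_name": server_name,
        "sid": login["sid"],
        "type_desc": login["type_desc"],
        "roles": _roles_of(login["name"], server_role_members, server_name),
    } for login in logins]


def build_database_accounts(server_name, db_name, logins, db_users, db_role_members):
    """One account per database user, native_identity 'user@database'.

    server_login is resolved by SID. A user whose SID matches no login is
    orphaned (server_login None): such users survive login deletion and
    database restores and must be reported, not listed as login-backed.
    """
    login_by_sid = {login["sid"]: login["name"] for login in logins}
    return [{
        "native_identity": "%s@%s" % (user["name"], db_name),
        "name": user["name"],
        "database_name": db_name,
        "server_name": server_name,
        "sid": user["sid"],
        "type_desc": user["type_desc"],
        "default_schema_name": user.get("default_schema_name"),
        "server_login": login_by_sid.get(user["sid"]),
        "roles": _roles_of(user["name"], db_role_members, db_name),
    } for user in db_users]


def build_database_groups(server_name, db_name, db_roles):
    """One group per database role; is_fixed_role is 1 for the nine fixed roles."""
    return [{
        "native_identity": "%s@%s" % (role["name"], db_name),
        "name": role["name"],
        "database_name": db_name,
        "server_name": server_name,
        "is_fixed_role": 1 if role["name"].lower() in FIXED_DATABASE_ROLES else 0,
    } for role in db_roles]


# Constructed catalog rows (not from a real instance), shaped like the
# result sets of the queries above.
LOGINS = [
    {"name": "jsmith", "sid": b"\x01\x05\xaa", "type_desc": "SQL_LOGIN"},
    {"name": "CORP\\dba-team", "sid": b"\x01\x05\xbb", "type_desc": "WINDOWS_GROUP"},
]
SERVER_ROLE_MEMBERS = [("sysadmin", "CORP\\dba-team")]
INV_USERS = [
    {"name": "jsmith", "sid": b"\x01\x05\xaa", "type_desc": "SQL_USER", "default_schema_name": "dbo"},
    {"name": "old_vendor", "sid": b"\x01\x05\xff", "type_desc": "SQL_USER", "default_schema_name": "dbo"},
]
INV_ROLES = [{"name": "db_datareader"}, {"name": "db_owner"}, {"name": "inventory_app"}]
INV_ROLE_MEMBERS = [("db_datareader", "jsmith"), ("inventory_app", "jsmith"), ("db_owner", "old_vendor")]


def aggregate_example():
    server = "SQLServerApp"
    accounts = build_server_accounts(server, LOGINS, SERVER_ROLE_MEMBERS)
    accounts += build_database_accounts(server, "invDatabase", LOGINS, INV_USERS, INV_ROLE_MEMBERS)
    groups = build_database_groups(server, "invDatabase", INV_ROLES)
    orphans = [a["native_identity"] for a in accounts
               if "database_name" in a and a["server_login"] is None]
    return accounts, groups, orphans
```

The “view access to all definitions” the text requires for the connection user is the server-level VIEW ANY DEFINITION permission, plus a user mapping in each database the connector iterates; that is enough for the catalog views above and does not need sysadmin. The orphan list is worth surfacing in its own report: old_vendor above is a db_owner with no login behind it, which is exactly the kind of access a certification would otherwise never show.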

Table 87—Microsoft SQL Server Connector - Schema Group Attributes (continued)

roles: A multivalued attribute that lists the roles of which this group is a member. The naming convention used is the role name and database name separated by an ampersand.
server_name: The name of the SQL Server application on which this group is located.

After the connector successfully connects to the database instance, it iterates through every database and accumulates server logins, database users, server roles, database roles, server permissions, and database permissions using SQL queries.

Novell Identity Manager Connector

The Novell Identity Manager connector uses the groupMemberSearchDN attribute as the starting point in the directory from which to search for ALL group memberships. Novell Identity Manager does not store a user's group references on the user, so this connector must always run a separate query to return the list of all of the user's groups.
The Novell IDM connector can be used as both a multiplexing and a non-multiplexing connector. In multiplexed mode, both aggregation and remediation happen through the IDM vault. In non-multiplexed mode, aggregation happens through the individual connectors, but the removal and disabling of the account happen through the vault.

Novell Identity Manager Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection. This connector uses the following connection attributes:

Table 88—Novell Identity Manager Connector - Connection Attributes

isMultiplexing: Specifies whether this connector is multiplexing.
host: The host of the server.
port: The port the server is listening through.
user: The user to connect as. Typically a DN string, such as that of the Administrator.
password: The password for the administrator account.
authorizationType: Translates to the Context.SECURITY_AUTHENTICATION property in the API. The attribute value is one of the following strings: none, simple, strong.
useSSL: Specifies whether the connection is over SSL.
searchScope: The depth to search the LDAP tree: OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE.
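The separate group-membership query the text describes, together with the scope and authentication settings of Table 88, as an added Python example that is not part of the IdentityIQ connector. It evaluates the query against a small in-memory directory (a dict of DN to attributes, constructed here) instead of a live server, and assumes a groupOfNames-style group with a member attribute; the mapping of the searchScope strings to the javax.naming.directory.SearchControls constants is the standard JNDI one. What it adds is the filter escaping: the user's DN comes from the directory and is placed inside the search filter, so it must be escaped per RFC 4515, and the check that flags a simple bind without SSL.

```python
import re

# searchScope strings and the javax.naming.directory.SearchControls values
# they correspond to (OBJECT_SCOPE = 0, ONELEVEL_SCOPE = 1, SUBTREE_SCOPE = 2).
SEARCH_SCOPES = {"OBJECT_SCOPE": 0, "ONELEVEL_SCOPE": 1, "SUBTREE_SCOPE": 2}
AUTHORIZATION_TYPES = ("none", "simple", "strong")


def check_connection_settings(authorization_type, use_ssl):
    """Validate authorizationType and flag the insecure combinations.

    'simple' sends the bind password in the clear, so it is only acceptable
    with useSSL; 'none' is an anonymous bind, which cannot be what a
    connector that also disables and removes accounts should run as.
    """
    if authorization_type not in AUTHORIZATION_TYPES:
        raise ValueError("authorizationType must be one of %s" % (AUTHORIZATION_TYPES,))
    warnings = []
    if authorization_type == "simple" and not use_ssl:
        warnings.append("simple bind without useSSL exposes the connection password")
    if authorization_type == "none":
        warnings.append("anonymous bind: aggregation will see only what anonymous users see")
    return warnings


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a DN such as 'cn=x)(objectClass=*' read from the directory
    would turn the membership query into a wildcard search.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def membership_filter(user_dn, group_member_attribute, iterate_search_filter=None):
    """Build the reverse lookup: groups whose member attribute holds this
    user's DN, ANDed with the optional iterateSearchFilter."""
    clause = "(%s=%s)" % (group_member_attribute, escape_filter_value(user_dn))
    if iterate_search_filter:
        return "(&%s%s)" % (iterate_search_filter, clause)
    return clause


def depth_below(entry_dn, base_dn):
    """RDN distance from base_dn down to entry_dn, or None if entry_dn is
    not under base_dn. Escaped commas ('\\,') inside a value do not count."""
    e, b = entry_dn.lower(), base_dn.lower()
    if e == b:
        return 0
    if not e.endswith("," + b):
        return None
    relative = e[: -len(b) - 1]
    return len(re.findall(r"(?<!\\),", relative)) + 1


def in_scope(entry_dn, base_dn, search_scope):
    depth = depth_below(entry_dn, base_dn)
    if depth is None:
        return False
    scope = SEARCH_SCOPES[search_scope]
    if scope == 0:
        return depth == 0
    if scope == 1:
        return depth == 1
    return True


def resolve_groups(directory, user_dn, group_member_search_dn, search_scope,
                   group_member_attribute="member"):
    """The separate membership query, evaluated against an in-memory
    directory (dict of DN -> attributes). Returns the DNs of the groups in
    scope that list the user; DN comparison is case-insensitive."""
    wanted = user_dn.lower()
    return sorted(
        dn for dn, attrs in directory.items()
        if in_scope(dn, group_member_search_dn, search_scope)
        and any(m.lower() == wanted for m in attrs.get(group_member_attribute, []))
    )


# Constructed directory content (not a real IDM vault).
USER_DN = "cn=jsmith,ou=users,o=acme"
DIRECTORY = {
    "cn=admins,ou=groups,o=acme": {"objectClass": ["groupOfNames"], "member": [USER_DN]},
    "cn=app-readers,ou=apps,ou=groups,o=acme": {"objectClass": ["groupOfNames"],
                                                "member": ["CN=JSMITH,ou=users,o=acme"]},
    "cn=legacy,ou=retired\\, archived,o=acme": {"objectClass": ["groupOfNames"], "member": [USER_DN]},
    USER_DN: {"objectClass": ["inetOrgPerson"]},
}

if __name__ == "__main__":
    print(membership_filter(USER_DN, "member", "(objectClass=groupOfNames)"))
    print(resolve_groups(DIRECTORY, USER_DN, "ou=groups,o=acme", "ONELEVEL_SCOPE"))
    print(resolve_groups(DIRECTORY, USER_DN, "ou=groups,o=acme", "SUBTREE_SCOPE"))
```

The scope rows show why groupMemberSearchDN and searchScope are a completeness setting and not just a performance one: with ONELEVEL_SCOPE the group under ou=apps is invisible, and the user's membership in it never reaches IdentityIQ, so SUBTREE_SCOPE from a base that covers every group container is the safe configuration unless the tree is known to be flat.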

Table 88—Novell Identity Manager Connector - Connection Attributes (continued)

searchDN: The search starting point. This is a DN string.
pageSize: The number of objects to get per page when iterating over large numbers of objects. The default is 500.
filterString: This setting can be used to filter objects as they are returned from the underlying application.
iterateSearchFilter: An optional filter that can be added to the configuration to scope the objects returned when the iterateObjects method is called. Derived attributes can also be included in the filter.
groupMemberAttribute: The name of the attribute used on the server to store group members.
groupMemberSearchDN: Where to start in the tree when resolving a user's group membership. This is a DN string.

Novell Identity Manager Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities' Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities.

Table 89—Novell Identity Manager Connector - Account Attributes

businessCategory: The types of business performed by an organization. Each type is one value of this multi-valued attribute.
carLicense: This attribute type contains the license plate or vehicle registration number associated with the user.
cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
departmentNumber: This attribute contains a numerical designation for a department within your enterprise. Examples: “engineering”, “finance”, and “sales”.
description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
dn: This attribute contains the distinguished name by which the user is known.

Table 89—Novell Identity Manager Connector - Account Attributes (continued)

destinationIndicator: This attribute type contains country and city strings associated with the object (the addressee) needed to provide the Public Telegram Service. The strings are composed in accordance with CCITT Recommendations F.1 [F.1] and F.31 [F.31]. Each string is one value of this multi-valued attribute. Examples: “AASD” as a destination indicator for Sydney, Australia; “GBLD” as a destination indicator for London, United Kingdom. Note: The directory will not ensure that values of this attribute conform to the F.1 and F.31 CCITT Recommendations. It is the application's responsibility to ensure that destination indicators it stores in this attribute are appropriately constructed.
displayName: This attribute contains the preferred name to be used for this person throughout the application.
employeeNumber: This attribute contains the numerical identification key for this person within your enterprise.
employeeType: This attribute contains a descriptive type for this user, for example contractor, full time, or part time.
facsimileTelephoneNumber: This attribute type contains telephone numbers and any required parameters for facsimile terminals. Each telephone number is one value of this multi-valued attribute.
givenName: This attribute type contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute. Examples: “John”, “Sue”, and “David”.
groups: This attribute type contains a list of groups of which this person is a member. Example: “Sales” or “Engineering”.
homePhone: This attribute contains the employee's home phone number. Example: “0198 444 444”.
homePostalAddress: This attribute contains the employee's mailing address. Example: “1111 Elm St.$Austin$Texas$USA”.
initials: This attribute type contains strings of initials of some or all of an individual's names, except the surname(s). Each string is one value of this multi-valued attribute. Examples: “J. A.” and “J”.
internationalISDNNumber: This attribute type contains Integrated Services Digital Network (ISDN) addresses, as defined in the International Telecommunication Union (ITU) Recommendation E.164 [E.164]. Each address is one value of this multi-valued attribute.
l: This attribute type contains names of a locality or place, such as a city, county, or other geographic region. Each name is one value of this multi-valued attribute. Examples: “Austin”, “Chicago”, and “Brisbane”.
mail: This attribute type contains the RFC822 mailbox for the user.

Table 89—Novell Identity Manager Connector - Account Attributes (continued)

manager: This attribute type contains the distinguished name of the manager to whom this person reports.
mobile: This attribute type contains the mobile telephone number of this person.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Inc.”, and “SailPoint, Incorporated.”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
pager: This attribute type contains the telephone number of this person's pager.
physicalDeliveryOfficeName: This attribute type contains names that a Postal Service uses to identify a specific post office. Each name is one value of this multi-valued attribute. Examples: “Austin, TX, Downtown Austin” and “Chicago, Finance Station E”.
postalAddress: This attribute type contains addresses used by a Postal Service to perform services for the object. Each address is one value of this multi-valued attribute.
postalCode: This attribute type contains codes used by a Postal Service to identify postal service zones. Each code is one value of this multi-valued attribute. Example: “78664”, to identify Pflugerville, TX, in the USA.
postOfficeBox: This attribute type contains postal box identifiers used by a postal service to locate a box on the premises of the Postal Service rather than a physical street address. Each postal box identifier is a single value of this multi-valued attribute. Example: “Box 27”.
preferredDeliveryMethod: This attribute type contains an indication of the preferred method of getting a message to the object. Example: If the mhs-delivery Delivery Method is preferred over telephone-delivery, which is preferred over all other methods, the value would be: “mhs $ telephone”.
preferredLanguage: This attribute type contains the preferred written or spoken language of this person.
registeredAddress: This attribute type contains postal addresses to be used for deliveries that must be signed for or require a physical recipient. Each address is one value of this multi-valued attribute. Example: “Receptionist$SailPoint Technologies$6034 Courtyard Dr.$Austin, TX$USA”.
roomNumber: This attribute type contains the room or office number of this person's normal work location.
secretary: This attribute type contains the distinguished name of this person's secretary.

Table 89—Novell Identity Manager Connector - Account Attributes (continued)

seeAlso: This attribute type contains the distinguished names of objects that are related to the subject object. Each related object name is one value of this multi-valued attribute. Example: The person object “cn=Elvis Presley,ou=employee,o=SailPoint\, Inc.” is related to the role objects “cn=Bowling Team Captain,ou=sponsored activities,o=SailPoint\, Inc.” and “cn=Dart Team,ou=sponsored activities,o=SailPoint\, Inc.”. Since the role objects are related to the person object, the 'seeAlso' attribute will contain the distinguished name of each role object as separate values.
sn: This attribute type contains name strings for surnames, or family names. Each string is one value of this multi-valued attribute. Example: “Smith”.
st: This attribute type contains the full names of states or provinces. Each name is one value of this multi-valued attribute. Example: “Texas”.
street: This attribute type contains site information from a postal address (i.e., the street name, place, avenue, and the house number). Each street is one value of this multi-valued attribute. Example: “15 Main St.”.
telephoneNumber: This attribute type contains telephone numbers that comply with the ITU Recommendation E.123 [E.123]. Each number is one value of this multi-valued attribute.
teletexTerminalIdentifier: The withdrawal of Recommendation F.200 has resulted in the withdrawal of this attribute.
telexNumber: This attribute type contains sets of strings that are a telex number, country code, and answerback code of a telex terminal. Each set is one value of this multi-valued attribute.
title: This attribute type contains the person's job title. Each title is one value of this multi-valued attribute. Examples: “Vice President”, “Software Engineer”, and “CEO”.
uid: This attribute type contains computer system login names associated with the object. Each name is one value of this multi-valued attribute. Examples: “s9709015”, “admin”, and “Administrator”.

Table 90—Novell Identity Manager Connector - Group Attributes

cn: This attribute type contains names of an object. Each name is one value of this multi-valued attribute. If the object corresponds to a person, it is typically the person's full name. Examples: “Martin K Smith”, “Marty Smith” and “printer12”.
objectClass: The values of the objectClass attribute describe the kind of object which an entry represents. The objectClass attribute is present in every entry, with at least two values. One of the values is either “top” or “alias”.

Table 90—Novell Identity Manager Connector - Group Attributes (continued)

description: This attribute type contains human-readable descriptive phrases about the object. Each description is one value of this multi-valued attribute. Examples: “Updates are done every Saturday, at 1am.” and “distribution list for sales”.
dn: This attribute type contains the directory path to the object.
o: This attribute type contains the names of an organization. Each name is one value of this multi-valued attribute. Examples: “SailPoint”, “SailPoint Technologies, Inc.”, and “SailPoint, Incorporated.”.
ou: This attribute type contains the names of an organizational unit. Each name is one value of this multi-valued attribute. Examples: “Sales”, “Human Resources”, and “Information Technologies”.
owner: This attribute type contains the distinguished names of objects that have ownership responsibility for the object that is owned. Each owner's name is one value of this multi-valued attribute. Example: The mailing list object, whose DN is “cn=All Employees,ou=Mailing List,o=SailPoint, Inc.”, is owned by the Human Resources Director. Therefore, the value of the 'owner' attribute within the mailing list object would be the DN of the director (role): “cn=Human Resources Director,ou=employee,o=SailPoint, Inc.”.
uniqueMember: This attribute type lists the members of the group. In LDAP, each value on a group entry is the distinguished name of one member entry (optionally followed by a uniqueIdentifier), so the group's membership is read from this attribute rather than from the person entries.

PeopleSoft Connector

The PeopleSoft connector communicates with the PeopleSoft server through component interfaces. To use this connector, you must first configure the component interfaces on PeopleSoft. This requires the following steps:
1. Create the Component Interfaces.
2. Create and copy the required jar files.
3. Configure Component Interface security.

Create the Component Interfaces

1. Unzip the tdi.zip file in integration/TDI to a temporary directory.
2. Log in to the PeopleTools Application Designer.
3. Select Tools -> Copy Project -> From File, and browse to the temporary directory from step 1.
4. Browse to config/applications/peoplesoft, highlight the IIQ_CONN directory, and select the IIQ_CONN project to open it.
5. Highlight Component Interfaces and click Copy to copy the project into PeopleSoft.

Create and Copy the Required jar Files

The following jars must be copied from the PeopleSoft server:
• iiqPeopleSoftCompInt.jar
• psjoa.jar

The iiqPeopleSoftCompInt.jar file contains the PeopleSoft Component Interface java classes. It must be generated from the respective PeopleSoft resource and then copied into the IdentityIQ classpath. Perform the following steps to create the iiqPeopleSoftCompInt.jar file from the Component Interface java files:
1. Log on to PeopleSoft Application Designer in two-tier mode.
2. Open the IIQ_CONN Component Interface project and open all the component interfaces by double-clicking each component interface.
3. From the menu, select Build -> PeopleSoft APIs.
4. In the Build PeopleSoft API Bindings window, select the JAVA Classes Build checkbox and clear the COM Type Library and C Header Files Build checkboxes. In the JAVA Classes frame, check Build and select the appropriate Component Interfaces from the drop-down menu. You must select the following options:
   • PeopleSoft.* (all Component Interfaces that begin with the prefix PeopleSoft)
   • CompIntfc.CompIntfcPropertyInfo
   • CompIntfc.CompIntfcPropertyInfoCollection
   • CompIntfc.IIQ_* (all Component Interfaces that begin with the prefix CompIntfc.IIQ_)
   Note: If you need to generate Component Interface Java files for the entire group of Component Interfaces, click ALL.
5. Specify the file path for the JAVA files, for example C:\CI. The Component Interface JAVA files are generated in the PeopleSoft\Generated\CompIntfc directory created under the specified location; for example, if you specify C:\CI as the file path, the Component Interface Java files are generated in C:\CI\PeopleSoft\Generated\CompIntfc.
6. Compile the JAVA files:
   a. Open the command prompt and change directories to the folder where the generated JAVA files are located.
   b. Navigate to the PeopleSoft\Generated\CompIntfc\ directory.
   c. Run the following command, where %PS_HOME% is the location in which PeopleSoft is installed:
      javac -classpath %PS_HOME%\class\psjoa.jar *.java
   Important: Ensure that the JAVA compiler used for compiling the generated JAVA files is compatible with the JAVA provided with the PeopleSoft installation that needs to be managed.

7. Perform the following steps to package the compiled files as the iiqPeopleSoftCompInt.jar file:
   a. Open the Command prompt and change directories to the folder where the generated JAVA files are located. For example cd C:\CI
   b. Run the command: jar -cvf iiqPeopleSoftCompInt.jar *
8. Copy the generated iiqPeopleSoftCompInt.jar file into the IdentityIQ classpath.
9. Copy psjoa.jar from %PS_HOME%\classes into the IdentityIQ classpath.
Optional: You can delete all the generated java files from the existing directory; however, do not delete the .class files.

Configure Component Interface Security
Before using the connector, you must allow the PeopleSoft user, for whom the connector is configured, to access the generated component interfaces. To set security for the PeopleTools project, perform the following:
1. Log into the PeopleSoft web interface.
2. Navigate to PeopleTools -> Security -> Permissions & Roles -> Permission Lists.
3. Click Add a New Value to create a new permission list. Type “IIQ_ALL” as the name of the permission list, then click Add.
4. Type “Allows access to the IIQ component interfaces” as the description.
5. Click the Component Interfaces tab and add the following to the list:
   .IIQ_CURCODE
   .IIQ_DEL_ROLE
   .IIQ_DEL_USER
   .IIQ_IDTYPE
   .IIQ_LANG
   .IIQ_PERMLIST
   .IIQ_PSOPRALIAS
   .IIQ_ROLES
   .IIQ_USERS
6. For each added component interface, click Edit -> Full Access (All), then click OK.
7. Click Save to save the new permission list.
8. Navigate to PeopleTools -> Security -> Permissions & Roles -> Roles.
9. Click Add a New Value to create a new role. Type “IIQ_ROLE” as the name, then click Add.
10. Click the Permission Lists tab and add the “IIQ_ALL” permission list. Click Save to save the role.

11. Navigate to PeopleTools -> Security -> User Profiles, and select the user that is being used in the connector.
12. Click the Roles tab and add the “IIQ_ROLE” role.
13. Click Save to add the role to the user.

PeopleSoft Connector Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The PeopleSoft connector uses the following connection attributes:

Table 91—PeopleSoft Connector - Required Attributes
Attribute                  Description
host                       The hostname of the PeopleSoft server.
port                       The port on which the PeopleSoft server is listening.
user                       The user name used to login to PeopleSoft.
password                   The password to use to login to PeopleSoft.
componentInterface         The name of the PeopleSoft component interface to use to read accounts.
group.componentInterface   The name of the PeopleSoft component interface to use to read groups.

Oracle Database Connector
The Oracle Connector is an extension of the JDBC Connector but built specifically to model Oracle's DBA_USERS and DBA_ROLES.

Oracle Database - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The Oracle Database connector uses the following connection attributes:

Table 92—Oracle Database Connector - Required Attributes
Attribute      Description
user           The user with which to connect to the host.
password       The password associated with the specified user.
driverClass    The Java JDBC class to use for the connection.
url            The URL with which to connect to the database.
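The PeopleSoft procedure above compiles the generated Component Interface sources and packages them, and its Important note warns that the compiler must match the Java shipped with PeopleSoft. The following Python helper is an added illustration of those steps, not code from SailPoint or the guide: it builds the javac and jar invocations the guide lists, pins the class-file level with javac's -source/-target flags, and refuses to package any .class file whose header reports a major version newer than the chosen release (the condition that produces UnsupportedClassVersionError at runtime). The release-to-major-version table is the standard one from the JVM specification; the target release you pass must be one your installed javac still accepts, which is an assumption of this example.

```python
import glob
import os
import struct
import subprocess
from typing import Dict, Iterable, List, Tuple

# Class-file major version emitted for each Java release (JVM specification, chapter 4).
# A .class file newer than the PeopleSoft JVM can load fails with UnsupportedClassVersionError.
JAVA_RELEASE_TO_CLASS_MAJOR: Dict[str, int] = {"1.4": 48, "5": 49, "6": 50, "7": 51, "8": 52}


def class_major_version(header: bytes) -> int:
    """Major version from the first 8 bytes of a class file: magic(4) minor(2) major(2)."""
    if len(header) < 8 or header[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file header")
    _minor, major = struct.unpack(">HH", header[4:8])
    return major


def incompatible_classes(entries: Iterable[Tuple[str, bytes]], target_release: str) -> List[str]:
    """Names of class files whose major version exceeds what target_release can load."""
    limit = JAVA_RELEASE_TO_CLASS_MAJOR[target_release]
    return sorted(name for name, header in entries if class_major_version(header) > limit)


def read_class_headers(class_dir: str) -> List[Tuple[str, bytes]]:
    """Collect (path, first 8 bytes) for every .class file below class_dir."""
    found = []
    for root, _dirs, files in os.walk(class_dir):
        for name in files:
            if name.endswith(".class"):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    found.append((path, fh.read(8)))
    return found


def build_commands(ps_home: str, ci_dir: str, target_release: str) -> List[Tuple[List[str], str]]:
    """The javac and jar invocations from the guide as (argv, working directory) pairs.
    -source/-target pin the emitted class-file level to the PeopleSoft JVM release."""
    psjoa = os.path.join(ps_home, "class", "psjoa.jar")
    src_dir = os.path.join(ci_dir, "PeopleSoft", "Generated", "CompIntfc")
    sources = sorted(glob.glob(os.path.join(src_dir, "*.java")))
    javac = ["javac", "-classpath", psjoa, "-source", target_release,
             "-target", target_release] + sources
    # Equivalent of "cd C:\CI" followed by "jar -cvf iiqPeopleSoftCompInt.jar *";
    # only the PeopleSoft subtree is archived so the jar never swallows itself.
    jar = ["jar", "cvf", "iiqPeopleSoftCompInt.jar", "-C", ci_dir, "PeopleSoft"]
    return [(javac, src_dir), (jar, ci_dir)]


def build_jar(ps_home: str, ci_dir: str, target_release: str) -> List[str]:
    """Compile, verify class-file versions, then package. Returns the incompatible
    class files found; the jar is only written when that list is empty."""
    (javac, javac_cwd), (jar, jar_cwd) = build_commands(ps_home, ci_dir, target_release)
    subprocess.run(javac, cwd=javac_cwd, check=True)
    bad = incompatible_classes(read_class_headers(ci_dir), target_release)
    if not bad:
        subprocess.run(jar, cwd=jar_cwd, check=True)
    return bad
```

Run it as build_jar(r"C:\PS_HOME", r"C:\CI", "6") from the machine that has the PeopleSoft JDK on its PATH; a non-empty return value lists the classes that would not load in the managed PeopleSoft installation.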

Oracle Database - Schema Attributes
The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities Link objects. The group schema is used when building AccountGroup objects which are used to hold entitlements shared across identities.

Table 93—Oracle Database Connector - Account Attributes
Name                 Description
USERNAME             The name used to connect to and access objects in the database.
USER_ID              The ID associated with the USERNAME.
ACCOUNT_STATUS       The status of the user’s account.
                     .OPEN
                     .EXPIRED
                     .EXPIRED(GRACE)
                     .LOCKED(TIMED)
                     .LOCKED
                     .EXPIRED & LOCKED(TIMED)
                     .EXPIRED(GRACE) & LOCKED(TIMED)
                     .EXPIRED & LOCKED
                     .EXPIRED(GRACE) & LOCKED
DEFAULT_TABLESPACE   The default tablespace associated with the user. The default tablespace provides Oracle Database with information to direct space use in situations where a schema object's location is not specified. When a user creates a table, index, or cluster and no tablespace is specified to physically contain the schema object, the user's default tablespace is used if the user has the privilege to create the schema object and a quota in the specified default tablespace.
PROFILE              The named set of specified resource limits assigned to the user name. Profiles provide for management of resource limits within Oracle.
ROLES                The named groups of related system and object privileges assigned to the users.

Table 94—Oracle Database Connector - Group Attributes
Name                 Description
ROLE                 The named groups of related system and object privileges assigned to the users.
PASSWORD_REQUIRED    The password required for the group and role.

RACF Connector
The RACF connector was developed to read the file produced by the RACF unload utility.
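The ACCOUNT_STATUS attribute in Table 93 carries up to two conditions in one string (an expiry state and a lock state joined by "&"), so anything that acts on it has to split the value before deciding whether an Oracle account is usable. The Python below is an added example, not IdentityIQ code: it decomposes each of the nine listed values into flags and sorts a constructed set of DBA_USERS rows into open, expired and locked buckets, which is the first pass a reviewer makes when hunting for dormant database accounts. The sample usernames and the bucket names are this example's own.

```python
from typing import Dict, Iterable, List, NamedTuple, Tuple


class OracleAccountState(NamedTuple):
    expired: bool       # password has expired (EXPIRED or EXPIRED(GRACE))
    in_grace: bool      # expired but still inside the profile's PASSWORD_GRACE_TIME
    locked: bool        # LOCKED or LOCKED(TIMED)
    locked_timed: bool  # locked by failed logins; Oracle clears it after PASSWORD_LOCK_TIME


# The nine ACCOUNT_STATUS values from Table 93.
ACCOUNT_STATUS_VALUES: Tuple[str, ...] = (
    "OPEN", "EXPIRED", "EXPIRED(GRACE)", "LOCKED(TIMED)", "LOCKED",
    "EXPIRED & LOCKED(TIMED)", "EXPIRED(GRACE) & LOCKED(TIMED)",
    "EXPIRED & LOCKED", "EXPIRED(GRACE) & LOCKED",
)


def parse_account_status(status: str) -> OracleAccountState:
    """Split a compound status such as 'EXPIRED(GRACE) & LOCKED(TIMED)' into flags."""
    expired = in_grace = locked = locked_timed = False
    value = status.strip().upper()
    if value != "OPEN":
        for part in (p.strip() for p in value.split("&")):
            if part == "EXPIRED":
                expired = True
            elif part == "EXPIRED(GRACE)":
                expired = in_grace = True
            elif part == "LOCKED":
                locked = True
            elif part == "LOCKED(TIMED)":
                locked = locked_timed = True
            else:
                raise ValueError(f"unknown ACCOUNT_STATUS component: {part!r}")
    return OracleAccountState(expired, in_grace, locked, locked_timed)


def classify(status: str) -> str:
    """One review bucket per account; an account that is both expired and locked
    is reported as locked, since the lock is what blocks authentication."""
    state = parse_account_status(status)
    if state.locked:
        return "locked"
    if state.expired:
        return "expired"
    return "open"


def bucket_accounts(rows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (USERNAME, ACCOUNT_STATUS) rows by classify()."""
    buckets: Dict[str, List[str]] = {"open": [], "expired": [], "locked": []}
    for username, status in rows:
        buckets[classify(status)].append(username)
    return buckets


# Constructed sample of DBA_USERS rows; not output from any real database.
SAMPLE_ROWS = [
    ("APP_OWNER", "OPEN"),
    ("OLD_DBA", "EXPIRED & LOCKED"),
    ("BATCH_USER", "EXPIRED(GRACE)"),
    ("TEMP_ACCT", "LOCKED(TIMED)"),
]
```

Feeding bucket_accounts() the rows of a real "SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS" query gives the same three lists; the locked_timed flag is worth keeping separately because such locks clear themselves and therefore do not indicate an administrator's decision.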

RACF Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The RACF connector uses the following connection attributes:

Table 95—RACF Connector - Required Attributes
Attribute                          Description
filetransport                      local, ftp, scp
host                               The host of the server to which you are connecting. Not valid with local.
file                               The fully qualified path to the file.
transportUser                      The user to use with ftp and scp. Not valid with local.
transportUserPassword              The password to use with ftp and scp.
filterString                       Filter lines that match this string.
filterEmptyRecords                 If activated, records that have no data are filtered.
fileEncoding                       Specify the file encoding to be used by the connector. Valid values for this attribute can be found at: http://www.iana.org/assignments/character-sets
                                   If this field is empty, the default encoding (the value of file.encoding specified by the jvm) is used.
mapToResourceObjectRule            Rule that is called to override the transformation of the data from the Map<String,String> form into a ResourceObject.
preIterativeRule                   The pre-iterate rule will check for a specially named Configuration object that will hold the last run statistics that can be compared against the current values. For validation this rule can use the existing statistics stored by the postIterationRule during the last aggregation. The rule can compare the stored values with the new values to check for problems.
                                   This rule is called after the file has been transferred, but before iteration over the objects in the file is started.
postIterativeRule                  The post-iterate rule can store away the configuration object and rename/delete the file if desired.
                                   This rule is called after aggregation has completed and ALL objects have been iterated.
RACF Attribute Customization Rule  The rule used to extend the parsing capabilities to customer records or redefine existing record configurations. The RACF attribute customization rule creates a map of LineRecord objects that hold the record ID and other field definitions.

RACF Connector - Schema Attributes
The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identities Link objects. The group schema is used when building AccountGroup objects which are used to hold entitlements shared across identities.

Table 96—RACF Connector - Account Attributes
Attribute              Description
NAME                   User ID as taken from the profile name.
CREATE_DATE            The date that the profile was created.
OWNER_ID               The user ID or group name that owns the profile.
ADSP                   Does the user have the ADSP attribute?
SPECIAL                Does the user have the SPECIAL attribute?
OPER                   Does the user have the OPERATIONS attribute?
REVOKE                 Is the user REVOKEd?
GRPACC                 Does the user have the GRPACC attribute?
PWD_INTERVAL           The number of days that the user’s password can be used.
PWD_DATE               The date that the password was last changed.
PROGRAMMER             The name associated with the user ID.
DEFGRP_ID              The default group associated with the user.
LASTJOB_TIME           The time that the user last entered the system.
LASTJOB_DATE           The date that the user last entered the system.
INSTALL_DATA           Installation-defined data.
CLASSES
CATEGORIES             Defines the categories associated with a general resource. There is one record per general resource/category combination.
KERB_NAME              RACF user name as taken from the profile.
KERB_MAXLIFE           Maximum ticket life.
KERB_KEY_VER           Current key version.
KERB_ENCRYPT_DES       Is key encryption using DES enabled?
KERB_ENCRYPT_DES3      Is key encryption using DES3 enabled?
KERB_ENCRYPT_DESD      Is key encryption using DES with derivation enabled?
KERB_ENCRYPT_A128      Is key encryption using AES128 enabled?
KERB_ENCRYPT_A256      Is key encryption using AES256 enabled?
KERB_KEY_FROM          Key source. Valid values are PASSWORD or PHRASE.

Table 96—RACF Connector - Account Attributes
Attribute              Description
UAUDIT                 Do all RACHECK and RACDEF SVCs cause logging?
AUDITOR                Specifies if the user has the auditor attribute.
NOPWD                  YES - indicates that this user ID can logon without a password using OID card.
                       NO - indicates that this user must specify a password.
                       PRO - indicates a protected user ID.
                       PHR - indicates that the user has a password phrase.
OIDCARD                Specifies if this user has the OIDCARD data.
PWD_GEN                The current password generation number.
REVOKE_CNT             The number of unsuccessful logon attempts.
MODEL                  The data set model profile name.
SECLEVEL               The user’s security level.
REVOKE_DATE            The date that the user will be revoked.
RESUME_DATE            The date that the user will be resumed.
ACCESS_SUN             Can the user access the system on Sunday?
ACCESS_MON             Can the user access the system on Monday?
ACCESS_TUE             Can the user access the system on Tuesday?
ACCESS_WED             Can the user access the system on Wednesday?
ACCESS_THU             Can the user access the system on Thursday?
ACCESS_FRI             Can the user access the system on Friday?
ACCESS_SAT             Can the user access the system on Saturday?
START_TIME             After what time can the user logon?
END_TIME               After what time can the user not logon?
SEC_LABELS             The user’s default security label.
ATTRIBS                Other user attributes (RSTD for users with RESTRICTED attribute).
PWDENV_EXISTS          Has a PKCS#7 envelope been created for the user’s current password?
PWD_ASIS               Should the password be evaluated in the case entered?
PHR_DATE               The date the password phrase was last changed.
PHR_GEN                The current password phrase generation number.
CERT_SEQN              Sequence number that is incremented whenever a certificate for the user is added, deleted, or altered.
PPHENV_EXISTS          Has the user's current password phrase been PKCS#7 enveloped for possible retrieval?

Table 96—RACF Connector - Account Attributes
Attribute              Description
ASSOCIATED_MAPPING     Defines the certificate name filter in the DIGTNMAP class associated with this user ID.
GROUPS
NETVIEW_IC             Command list processed at logon.
NETVIEW_CONSOLE_NAME   Default console name.
NETVIEW_CTL            CTL value: GENERAL, GLOBAL, or SPECIFIC.
NETVIEW_MSGRECVR       Eligible to receive unsolicited messages?
NETVIEW_NGMFADMN       Authorized to NetView graphic monitoring facility?
NETVIEW_NGMFVSPN       Value of view span options.
CICS_OPIDENT           The CICS operator identifier.
CICS_OPPRTY            The CICS operator priority.
CICS_OP_CLASSES        The class associated with the CICS operator.
CICS_NOFORCE           Is the extended recovery facility (XRF) NOFORCE option in effect?
CICS_TIMEOUT           The terminal time-out value. Expressed in hh:mm.
CICS_RSL_KEY           Defines the resource security level (RSL) keys associated with a CICS user. There is one record per combination of user and CICS RSL key.
CSDATA_CUSTOM          Record type of the User CICS Data record.
LNOTES_SHORTNAME       User ID as taken from the profile name.
LDAP_BIND_DN           LDAP BIND distinguished name.
LDAP_HOST              LDAP server URL.
DCE_UUID               DCE UUID associated with the user name from the profile.
DCE_NAME               DCE principal name associated with this user.
DCE_HOMECELL           Home cell name.
DCE_HOMEUUID           Home cell UUID.
DCE_AUTOLOGIN          Is this user eligible for an automatic DCE login?
NDS_UNAME              NDS user name associated with the user ID.
OVM_UID                User identifier (UID) associated with the user name from the profile.
OVM_HOME_PATH          Home path associated with the user identifier (UID).
OVM_PROGRAM            Default program associated with the user identifier (UID).
OVM_FSROOT             File system root for this user.
PRIMARY_LANGUAGE       The primary language for the user.
SECONDARY_LANGUAGE     The secondary language for the user.

Table 96—RACF Connector - Account Attributes
Attribute              Description
CERTIFICATE            Defines the names of the certificate profiles in the DIGTCERT class that are associated with this user ID.
CICS_TSL_KEY           Defines the transaction security level (TSL) keys for a CICS user. There is one record per combination of user and CICS TSL key.
DFP_DATA_RECORDS       Defines the information required by the System Managed Storage facility of the Data Facility Product (DFP).
TSO_ACCOUNT_NAME       User ID as taken from the profile name.
TSO_COMMAND            The command issued at LOGON.
TSO_DEST               The default destination identifier.
TSO_HOLD_CLASS         The default hold class.
TSO_JOB_CLASS          The default job class.
TSO_LOGIN_PROC         The default logon procedure.
TSO_LOGIN_SIZE         The default logon region size.
TSO_MSG_CLASS          The default message class.
TSO_LOGON_MAX          The maximum logon region size.
TSO_PERF_GROUP         The performance group associated with the user.
TSO_SYSOUT_CLASS       The default sysout class.
TSO_UNIT_NAME          The default SYSDA device.
TSO_USER_DATA          The TSO user data, in hexadecimal in the form X<cccc>.
TSO_SECLABEL           The default logon security label.
MVS_UID                z/OS UNIX user identifier (UID) associated with the user name from the profile.
MVS_HOME_PATH          HOME PATH associated with the z/OS UNIX user identifier (UID).
ACCOUNT_NUMBER         User account number for delivery.
ADDRESS1               Address line 1.
ADDRESS2               Address line 2.
ADDRESS3               Address line 3.
ADDRESS4               Address line 4.
AREA_NAME              Area for delivery for the user.
BUILDING               Building for delivery.
DEPARTMENT             Department for delivery.
ROOM                   Room for delivery.

Table 96—RACF Connector - Account Attributes
Attribute              Description
MVS_PROGRAM            Default Program associated with the z/OS UNIX user identifier (UID).
MVS_MAX_CPUTIME        Maximum CPU time associated with the UID.
MVS_MAX_ASSSIZE        Maximum address space size associated with the UID.
MVS_MAX_FILEPROC       Maximum active or open files associated with the UID.
MVS_MAX_PROC           Maximum number of processes associated with the UID.
MVS_MAX_THREADS        Maximum number of threads associated with the UID.
MVS_MAX_MAP_STORAGE    Maximum mappable storage amount associated with the UID.
MVS_MEM_LIMIT          Maximum size of non-shared memory.
MVS_SHMEM_LIMIT        Maximum size of shared memory.
NETVIEW_OPCLASS        OPCLASS value from 1 to 2040.
TME_ROLE               Role profile name.
EIM_LDAPPROFFILE       EIM LDAPBIND profile name.

Table 97—RACF Connector - Group Attributes
Attribute              Description
NAME                   Group name as taken from the profile name.
SUPERIOR_GROUP         Name of the superior group to this group.
CREATE_DATE            Date that the group was defined.
OWNER_ID               The user ID or group name which owns the profile.
UACC                   The default universal access. Valid values are NONE for all groups other than the IBM-defined VSAMDSET group which has CREATE.
NOTERMUACC             Indicates if the group must be specifically authorized to use a particular terminal through the use of the PERMIT command.
INSTALL_DATA           Installation-defined data.
GROUP_MODEL            Data set profile that is used as a model for this group.
UNIVERSAL              Indicates if the group has the UNIVERSAL attribute.
SUBGROUPNAME           The name of a subgroup within the group.
MEMBERS                A user ID within the group.
MVS_GID                OMVS z/OS UNIX group identifier (GID) associated with the group name from the profile.
OVM_GID                OMVS z/OS UNIX group identifier (GID) associated with the group name from the profile.
CSDATA_CUSTOM          Defines the custom fields associated with a group. There is one record per combination of group and CSDATA custom fields.

Rule Based Logical Connector
The Rule Based Logical connector was developed to create objects that function like applications in the IdentityIQ product, but that are actually formed based on the detection of accounts from other applications in existing identity cubes. For example, you might have one logical application that represents three other accounts on different applications: an LDAP authorization application, an Oracle database, and a custom application for internal authentication. The logical application rule scans identities and creates an account on the logical application each time it detects the three required accounts on a single identity. You can then use the single, representative account instead of the three separate accounts from which it is comprised for certification, reporting, and monitoring throughout the product.

Rule Based Logical Connector - Connection Attributes
The Rule Based Logical connector uses the following rules to assign accounts:

Table 98—Rule Based Logical Connector - Rules
Attribute                  Description
Logical Application Rule   Enter the name of a logical application rule. The logical application rule defines the requirements that must be met before an identity is assigned an account on this logical application.
Logical Remediation Rule   Enter the name of a logical remediation rule. The logical remediation rule defines how remediation requests for the logical application account, or any of the accounts with which it is comprised, are handled.

SAP Connector
The SAP connector was developed to return all of the users and roles of the SAP system. This connector uses JCO v 3.0.x. The jco libraries must be downloaded from SAP. Go to the customer service marketplace and download the Java Connector (under Tools and Services) JCO Release 3.0.x.

SAP Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The SAP connector uses the following connection attributes:

Table 99—SAP Connector - Required Attributes
Attribute                  Description
host                       Host on which the SAP Java Connector is running
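The two rules in Table 98 are the whole of the Rule Based Logical connector: one decides when an identity has earned the composite account, the other maps a revocation of that account back onto the real ones. The Python below is an added sketch of that logic, not IdentityIQ's own rule code (which is BeanShell run against sailpoint.object.Identity and Link objects); the identity cubes, application names and account names are constructed for the example, and it generalizes the guide's three-application case to any required set.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed identity cubes: identity name -> {application name: account name}.
IDENTITIES: Dict[str, Dict[str, str]] = {
    "jdoe":   {"LDAP": "uid=jdoe,ou=people", "OracleDB": "JDOE", "InternalAuth": "jdoe"},
    "asmith": {"LDAP": "uid=asmith,ou=people", "OracleDB": "ASMITH"},
    "svc01":  {"InternalAuth": "svc01"},
}

# The three applications from the guide's example; any set works.
REQUIRED_APPS: FrozenSet[str] = frozenset({"LDAP", "OracleDB", "InternalAuth"})


def logical_application_rule(links: Dict[str, str],
                             required: FrozenSet[str] = REQUIRED_APPS) -> Optional[Dict[str, str]]:
    """Assignment rule: the identity gets a logical account only when every required
    application appears among its links. Returns the account's component links,
    or None when the requirement is not met (a partial match assigns nothing)."""
    if not required.issubset(links):
        return None
    return {app: links[app] for app in sorted(required)}


def assign_logical_accounts(identities: Dict[str, Dict[str, str]],
                            required: FrozenSet[str] = REQUIRED_APPS) -> Dict[str, Dict[str, str]]:
    """The scan the guide describes: evaluate the rule for every identity cube."""
    accounts: Dict[str, Dict[str, str]] = {}
    for name, links in identities.items():
        account = logical_application_rule(links, required)
        if account is not None:
            accounts[name] = account
    return accounts


def logical_remediation_rule(logical_account: Dict[str, str],
                             apps_to_revoke: Optional[Iterable[str]] = None) -> List[Tuple[str, str]]:
    """Remediation rule: a revocation of the logical account fans out to the underlying
    (application, account) pairs, or to a chosen subset of them."""
    targets = list(apps_to_revoke) if apps_to_revoke else list(logical_account)
    return [(app, logical_account[app]) for app in sorted(targets) if app in logical_account]
```

Because the assignment rule is re-evaluated on every scan, removing any one of the component accounts makes the logical account disappear on the next run, which is why the remediation rule only has to act on the real accounts and never on the logical one.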

Table 99—SAP Connector - Required Attributes
Attribute                  Description
user                       SAP Administrator
password                   SAP Administrator password
clientNumber               001 in our install
systemID                   SAP system ID
clientLanguage             Language used by the client
router                     SAP client router. Router number
groupHeirarchyAttribute    Name of the group attribute that provides hierarchical information. Default value is Child Roles.

SAP Connector - SAPBuildMap
This rule is called by both the SAPHR and the base SAP connector when building objects from SAP. It is similar to the BuildMap rule from the DelimitedFileConnector. Two examples in examplerules.xml illustrate the usage of the rules:

Table 100—SAP Connector - SAPBuildMap
Name          Description
destination   A connected/ready to use com.sap.conn.jco.JCoDestination object that can call BAPI function modules and SAP tables. This is the main object for making BAPI calls with the JCo interface. This destination is shared with the base implementation so it controls this object's lifecycle.
application   The SAP application_object that connects to the SAP system
state         A map object that holds the attributes from the default connector implementation.
schema        Represents the object being built.
connector     The SAP connector that communicates with SAP.

SAP CUA - Central User Administration
Central User Administration (CUA) is a feature in SAP that helps to streamline multiple users account management on different clients in a multi SAP systems environment.

The following three new attributes are required in the IdentityIQ SAP application configuration when working in a CUA Environment.
• LocalProfiles - This is a returned value which requires the following syntax: $server\$profileName (e.g. AMDCLNT001\SAP_AL)
• LocalRoles - This is a returned value which requires the following syntax: $server\$roleName (e.g. ERDCLNT001\SAP_S_RFCACL)
• Systems (CUA Systems) - a list of CUA systems in a multi-valued string format.
Note: IdentityIQ does not support the “group” flag with local role assignments.

SAP HR/HCM Connector
The SAP HR/HCM connector was developed to return all of the user information from the SAP HR/HCM system.

SAP HR/HCM Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The SAP HR/HCM connector uses the following connection attributes:

Table 101—SAP HM/HCM Connector - Required Attributes
Attribute                  Description
host                       Host on which the SAP Java Connector is running
user                       SAP Administrator
password                   SAP Administrator password
clientNumber               001 in our install
systemID                   SAP system ID
clientLanguage             Language used by the client
router                     SAP client router. Router number
groupHeirarchyAttribute    Name of the group attribute that provides hierarchical information. Default value is Child Roles.

SAP HR/HCM Connector - Schema Attributes
The application schema is used to configure the objects returned from a connector. When a connector is called, the schema is supplied to the methods on the connector interface. Account objects are used when building identities Link objects.

Table 102—SAP HR/HCM Connector - Account Attributes
Name                     Description
Academic Grade           Academic grade attained by the person
Address                  Address
Address Type             Address type, home, work
Address Type Code        Address type code
Admin Group              Administrative group to which the person belongs
Aristrocratic Title      Aristocratic title that applies to this person
Birth Date               Date of birth
Birth Name               Name given at time of birth
Birth Place              Name or location of birth place
Business Area            Business area
Changed By               HR record last changed by
City                     City in which the person is located
Co Area                  Corporate area
Comp Code                Compensation code
Company Name             Name of the company by which they are employed
Contract                 Contract: yes, no
Cost Center              Cost center with which they are associated
Country                  Country in which they are located
Country Code             Country code
Country of Birth         Country in which they were born
Country of Birth Code    Country code for country in which they were born
District                 District in which they are located or report
E Group                  E-mail groups to which they belong
Email                    E-mail address
Employee Number          Employee number
FirstName                Given name
Form of Address          Form of address, Mrs., Miss, Sir
FullName                 Full, legal name
Fund
Funds Center
Gender                   Gender
Gender Code              Gender code

Table 102—SAP HR/HCM Connector - Account Attributes
Name                     Description
Id Number                Identification number
Initials                 Initials
Job Title
Job Description          Description of their function
Known As                 Nickname or preferred name
Language                 Primary language
Language Code            Language code
Language ISO             Primary language ISO code
Last Changed On          Date on which this record was last changed or updated
LastName                 Surname
LegPerson
Marital Status Code      Code associated with the marital status of this person
Marital Status Since     Time period since the last change in marital status
MaritalStatus            Marital status
MiddleName               Middle name
Name                     Full name
Name Format Indicator
Nationality              Nationality
Nationality Code         Nationality code
Number of Children       Number of children
Org Key                  Organizational key
Org Unit                 Organizational unit
Organization Description Organization description
P subArea
Payarea                  The area from which their pay is received
Payrole Admin            The payroll administrator associated with this person
Personal Admin           The personal administrator associated with this person
Personal Area            The personal area to which they report
Personal Number          Their personal number
Position Title
Position Description     Description of job function
Reason Code
Religion                 Religion

Table 102—SAP HR/HCM Connector - Account Attributes
Name                          Description
Religion Code                 Religion code
Second Academic Grade         Secondary academic grade associated with this person
Second Address Line           Second line of address
Second Name Prefix            Secondary name prefix
Second Nationality            Secondary nationality
Second Nationality Code       Secondary nationality code
SecondName                    Second name
State                         State in which they are located
State Abreviation             State abbreviation of the state in which they are located
State of Birth                State of birth
Sub E Group
Supervisor                    Supervisor's name
Surname Prefix                Last name prefix
System user name (SY-UNAME)   User ID
Telephone                     Telephone number and dialing code
Third Nationality             Third nationality
Time Admin
Title
Function
Valid End                     Valid end date for this record to terminate
Valid Start                   Valid start date for this record to begin
Zip Code                      Zip code for this person

SAP Portal - User Management Web Service
The SAP Portal UMWebService was developed to return all of the users and roles of the SAP User Management Engine (UME).

SAP Portal UMWebService Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The SAP Portal UMWebService connector uses the following connection attributes:

Table 103—SAP Portal UMWebservice Connector - Primary Attributes
Attribute          Description
UMWebService URL   The url for the UMWebService. For example:
                   http://HOST:PORT/irj/servlet/prt/soap/UMWebService?style=rpc_enc
                   This url can use either http or https.
                   Note: When using https, the portal server’s keystore and the application server’s keystore must be configured.
Username           The SAP Portal user name used when connecting to the web service.
password           Password for the user account specified in Username.
Account Filter     Enter the string representation of a sailpoint.object.Filter object. Any account object matching the filter is filtered out of the dataset. The following is an example of a filterString that filters out all objects where the uniqueId starts with USER.R3_DATASOURCE:
                   uniqueId.startsWith("USER.R3_DATASOURCE")
                   If this property is non-empty, filtering happens on the IdentityIQ server side and does not filter on the SAP portal side.
Group Filter       Enter the string representation of a sailpoint.object.Filter object. Any roles object matching the filter is filtered out of the dataset. The following is an example of a filterString that filters out all objects that have a displayName starting with com.sap:
                   displayName.startsWith("com.sap")
                   When this property is non-empty, filtering happens on the IdentityIQ server side and does not filter on the SAP portal side.

Salesforce Connector
The Salesforce connector was developed to return all of the users, profiles, roles, and public groups within a Salesforce environment.

Salesforce Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The Salesforce connector uses the following connection attributes:

Table 104—SAP Portal UMWebservice Connector - Primary Attributes
Attribute   Description
URL         Enter the fully qualified url to the root of the salesforce server, e.g. http://login.salesforce.com/services/Soap/c/20.0/[yoursitespecificid]
            Note: To figure out the url of your site, login to salesforce.com. Click Develop under the Application heading toward the bottom. Next, click API > Generate enterprise WSDL, then click Generate. The URL is located under the SforceService service name.
Username    The user account used when connecting to the web service.
Password    Password for the user account specified in Username.

Salesforce User Provisioning
IdentityIQ has a default Provisioning Policy defined which allows for the creation of accounts. The provisioning policy can be edited to fit a specific customer environment.

Sun IDM Connector
The Sun IDM connector was developed to return all of the user accounts and the capabilities defined in the Sun IDM system.
Note: The openspml.jar file is required to integrate Sun IdM with IdentityIQ. This file is located in the WEB-INF/lib folder of your IdentityIQ installation directory.

Sun IDM Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The Sun IDM connector uses the following connection attributes:

Table 105—Sun IDM Connector - Required Attributes
Attribute           Description
user                The administrative account for IDM.
password            The password associated with the administrative account.
rpcRouterURL        The URL of the IDM environment.
IncludeOnlyAdmins   Return only administrators (Users with capabilities) when iterating over account objects.
filterTermRule      If you need more complex filters you can generate them in a rule that gets called by the option named filterTermRule. That rule needs to return a list of one or more FilterTerms. The rule gets the application and the schema and is called before the iteration begins.

Top Secret Connector
The Top Secret connector was developed to read a TSSCFILE export.

Top Secret Connector - Connection Attributes
This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.
The Top Secret connector uses the following connection attributes:

Table 106—Top Secret Connector - Required Attributes
Attribute                 Description
filetransport             local, ftp, scp
host                      The host of the server to which you are connecting. Not valid with local.
file                      The fully qualified path to the file.
transportUser             The user to use with ftp and scp. Not valid with local.
transportUserPassword     The password to use with ftp and scp.
filterString              Filter lines that match this string.
filterEmptyRecords        If activated, records that have no data are filtered.
fileEncoding              Specify the file encoding to be used by the connector. Valid values for this attribute can be found at: http://www.iana.org/assignments/character-sets
                          If this field is empty, the default encoding (the value of file.encoding specified by the jvm) is used.
mapToResourceObjectRule   Rule that is called to override the transformation of the data from the Map<String,String> form into a ResourceObject.
preIterativeRule          The pre-iterate rule will check for a specially named Configuration object that will hold the last run statistics that can be compared against the current values. For validation this rule can use the existing statistics stored by the postIterationRule during the last aggregation. The rule can compare the stored values with the new values to check for problems.
                          This rule is called after the file has been transferred, but before iteration over the objects in the file is started.

Table 106—Top Secret Connector - Required Attributes (continued)

postIterativeRule: The post-iterate rule can store away the configuration object and rename/delete the file if desired. This rule is called after aggregation has completed and ALL objects have been iterated.
groupTypes: The group type of the connector. The default values are GROUP ACID and PROFILE ACID, but additional values can be specified.
accountTypes: The type of account used to connect to the server. The default value is USER.
Top Secret Attribute Customization Rule: The rule used to extend the parsing capabilities to customer records or redefine existing record configurations. Top Secret records hold a record identifier and all of the fields that are part of that record. This rule uses the TopSecretRecord and TopSecretField classes to work with that information.

Top Secret Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identity Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities. When a connector is called, the schema is supplied to the methods on the connector interface.

Table 107—Top Secret Connector - Account Attributes

Attribute: Description

NAME: Identifies the ACID name. Names can be up to 32 characters in length, must be surrounded by single quotes if embedded with blanks, and can use letters, numbers, and special characters.
XAUTH: The authorized level at which the user can access the resource.
ACTION: Specifies which action(s) CA-Top Secret will take when access to a resource is attempted.
LANGUAGE PREFERENCE: The language preference code of the user.
LOCK TIME(MINUTES): The time interval before unattended or inactive terminals are locked.
LOCK TIME FACILITY: The lock time for all terminals connected to the specified facility.
VMMDISK: The VM minidisks owned by the user.
VOLSER(OWNED): The volumes to which the user has access.
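The preIterativeRule and postIterativeRule described in Table 106 are BeanShell rules inside IdentityIQ; the following added Python example, not IdentityIQ's own code, models the same pattern so the check is concrete: the post-iterate step persists per-record-type counts, and the pre-iterate step refuses the next aggregation if the new export has shrunk sharply, which stops a truncated TSSCFILE transfer from de-linking most accounts. The Configuration object is stood in for by a dict (the key name TopSecretLastRun, the 20% threshold and the sample records are constructed for this example).

```python
"""Pre-/post-iterate statistics check for a file-based aggregation.

Added example, not IdentityIQ's own code. A plain dict stands in for the
specially named Configuration object the page describes (the key name
"TopSecretLastRun" is constructed), and the two exports below are
constructed sample records of the form "<record type>,<ACID name>", not a
real TSSCFILE export.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed export from the previous successful aggregation.
LAST_RUN_EXPORT = """USER,ALICE
USER,BOB
USER,CAROL
USER,DAVE
USER,ERIN
GROUP ACID,PAYROLL
PROFILE ACID,TSOUSERS

"""

# Constructed current export, truncated in transfer: two USER records lost.
CURRENT_EXPORT = """USER,ALICE
USER,BOB
USER,CAROL
GROUP ACID,PAYROLL
PROFILE ACID,TSOUSERS
"""

STATS_KEY = "TopSecretLastRun"  # constructed name for the Configuration object


def count_records(lines: Iterable[str]) -> Dict[str, int]:
    """Count non-empty records per record type (empty lines are skipped,
    mirroring filterEmptyRecords)."""
    counts: Counter = Counter()
    for line in lines:
        line = line.strip()
        if line:
            counts[line.split(",", 1)[0]] += 1
    return dict(counts)


def pre_iterate(stats_store: Dict[str, Dict[str, int]], current: Dict[str, int],
                max_drop: float = 0.2) -> List[str]:
    """Pre-iterate check: compare stored statistics with the new counts.

    Returns the list of problems found; an empty list means aggregation may
    proceed. A first run (no stored statistics yet) is allowed through.
    """
    last = stats_store.get(STATS_KEY)
    if last is None:
        return []
    problems = []
    for record_type, previous in sorted(last.items()):
        now = current.get(record_type, 0)
        if previous and (previous - now) / previous > max_drop:
            problems.append(f"{record_type}: {previous} -> {now} records "
                            f"(drop exceeds {max_drop:.0%})")
    return problems


def post_iterate(stats_store: Dict[str, Dict[str, int]], current: Dict[str, int]) -> None:
    """Post-iterate step: store this run's statistics for the next comparison."""
    stats_store[STATS_KEY] = dict(current)


def aggregate(stats_store: Dict[str, Dict[str, int]], export_text: str,
              max_drop: float = 0.2) -> Tuple[bool, List[str]]:
    """Run pre-iterate, iterate, post-iterate; returns (aborted, problems).

    When the pre-iterate check fails the run stops before any account is
    touched and the stored statistics are left unchanged, so a truncated
    export cannot silently de-link most of the accounts.
    """
    current = count_records(export_text.splitlines())
    problems = pre_iterate(stats_store, current, max_drop)
    if problems:
        return True, problems
    # Iteration over the records (building ResourceObjects) would happen here.
    post_iterate(stats_store, current)
    return False, []
```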

Table 107—Top Secret Connector - Account Attributes (continued)

SITRAN: Specifies which CICS transaction CA-Top Secret automatically executes after an ACID successfully signs on to a facility. Note: If a SITRAN is added to an ACID that already has a CICS transaction defined, the transaction is replaced.
HOME: Defines the initial directory pathname. This is the initial directory used when a user enters the OMVS command or enters the ISPF shell. The HOME keyword accepts from one to 1024 characters. Both uppercase and lowercase characters are allowed. HOME is optional. If HOME isn't defined, OpenEdition MVS sets the initial directory for the user to the root directory.
CONSOLE: Used to grant or remove an ACID's ability to modify control options. With VSE and OS/390, options are modified at the O/S console or via the TSS MODIFY command function. For VM, options are modified via the TSS MODIFY command only.
AUDIT: Used to allow an audit of ACID activity.
TRACE: Used to activate a diagnostic trace on all ACID activity (initiations, resource access, violations, user's security mode, etc.).
SUSPEND: Used to prevent ACIDs from accessing the system when a violation occurs.
NOADSP: Used to prevent data sets, created by an ACID, from being automatically secured by MVS by setting the RACF bit. NOADSP is used to define an ACID that will be used to create data sets that cannot be automatically protected by CA-Top Secret.
NOPWCHG: To prevent ACIDs from changing passwords at either signon or initiation, on a user-by-user basis.
MULTIPW: Used to assign or remove multiple password attributes, which means ACIDs need a different password to access each facility.
TSOMPW: Used to support multiple TSO UADS passwords.
OIDCARD: Used to support the physical identification of users through operator identification cards.
MRO: Used to support the use of the multi-region option.
DUFUPD: Used to add or remove the DUFUPD attribute to an ACID. DUFUPD is a component of the CA-Top Secret Dynamic Update Facility (DUF). DUFUPD enables an ACID to use the CA-Top Secret Application Interface to update the installation data (INSTDATA) or field data from a Security Record.
DUFXTR: Used to add or remove the DUFXTR attribute to an ACID. DUFXTR is a component of the CA-Top Secret Dynamic Update Facility (DUF). DUFXTR enables an ACID to use a RACROUTE REQUEST=AUTH (RACHECK) macro or the CA-Top Secret Application Interface to extract installation data (INSTDATA) or field data from a Security Record.
GAP: Used to specify that a profile will become, or will cease to be, globally administrable.
XA ACID
XAUTH Resource Class Name

Table 107—Top Secret Connector - Account Attributes (continued)

ASUSPEND: Used to remove the suspension of an ACID that was suspended for administrative reasons.
SUSPENDED: The date, in string format, that the suspension ends.
NOATS: Used to prevent an ACID in CICS and CA-IDMS from signing on via ATS (Automatic Terminal Signon).
OPIDENT: Used to assign or remove a CICS operator identification value that is equal to the ACID's OPIDENT entry in the CICS SNT (Signon Table). The OPIDENT value is placed into the ACID's TCT at signon.
OPPRTY: Used to assign or remove a CICS operator priority from the associated ACID. The OPPRTY value is placed into the ACID's TCT (Terminal Control Table) at signon.
PASSWORD: Used to assign a password, along with values that control its use, to a previously defined ACID.
PASSWORD EXPIRES DATE: The date, in string format, that the password expires.
PASSWORD INTERVAL: The interval in which the password must be changed.
PASSWORD FACILITY: The facility name applied to ACIDs with the MULTIPW attribute.
PROFILE ACID: Used to assign profiles to an ACID.
PROGRAM: Used to secure system programs and utilities.
TSOLPROC: Used to provide a default proc to be used for TSO logon. The one- to eight-character logon procedure name. Procedure names are also TSO-related resources and the user must be permitted to any procedure name with which he attempts to log on.
DIV ACID: Specifies the Division ACID to which the ACID is attached.
DIV NAME: The name assigned to the ACID within the zone.
WHOHAS XAUTH: A list of resources that may be accessed by the ACID shown in the command, the level at which the ACID may access the resource, and the owner of the resource.
WHOHAS ADMIN: Used to determine who has administrative authority on the application.
XA DATASET
WHO HAS RESOURCE
ACIDS2
SOURCES
ACEDEFAU

Table 107—Top Secret Connector - Account Attributes (continued)

TSOUNIT: The default unit name to be used for dynamic allocations under TSO. The one- to eight-character unit (device) name for dynamically allocated data sets. The name must be a defined generic unit class name at the installation. This field is not alterable by the user at logon and is not required for successful logon.
TSOOPT: The default options that a TSO user may specify at logon.
TSOCOMMAND: Default commands issued upon login of the ACID.
MISC2: Used to give, or to remove, a CA-Top Secret administrator's authority to list the contents of the RDT, FDT or STC or to use the ASUSPEND administrative function.
MISC8: Used to give, or to remove, a CA-Top Secret administrator's authority to perform one or more administrative functions.
SCOPE: Used to give CA-Top Secret administrators the authority, or to remove their authority, to assign the SCOPE of an LSCA.
ACID WITHIN DEPT/DIV/ZONE: Used to specify department, division, and zone to include.
DEPARTMENT: The Department ACID to which the ACID is attached.
DLFTGRP: The default group for the ACID.
WHO OWNS RESOURCE: The resources owned by the ACID.
XA SYSID: The SYSID (which is actually the SMFID) that the authorizations for the ACID apply to.
XA MINIDISK: The minidisk authorization information for the ACID.
DATE CREATED: The date on which the ACID was created.
DATE LAST MODIFIED: The date on which the ACID was last modified.
TIME LAST MODIFIED: The time at which the ACID was last modified.
DIGITAL CERT NAME: The name of the digital certification.
DIGITAL CERT STARTS: The date, in string format, that the digital certification starts.
PHYSKEY: PHYSKEY (physical security key) supports external authentication devices.
WANAME: The person to whom SYSOUT information should be delivered for this ACID.
ROOM NUMBER: The room number assigned to the ACID.
BUILDING: The building in which the ACID is located.
ACCESSLEVELS

Table 107—Top Secret Connector - Account Attributes (continued)

NORESCHK: Used to allow an ACID to bypass security checking, including auditing. Thus, for all owned resources except data sets and volumes, no auditing is done.
NODSNCHK: To specify that no data set name check will be performed. That is, CA-Top Secret will bypass all data set access security checks. All data set access will be audited.
NOVMDCHK: Used to allow an ACID to bypass all checking for minidisk links. NOVMDCHK is intended only to be applied to special products such as DASD space managers, which may link to many minidisks. All links will be audited.
NOSUBCHK: Used to allow an ACID to bypass alternate ACID usage as well as all job submission security checking. That is, associated ACIDs may submit all jobs regardless of the (derived) ACID on the job card being submitted.
NOLCFCHK: Used to allow an ACID to execute any command or transaction for all facilities, regardless of LCF (Limited Command Facility) restrictions.
NOSUSPEND: Used to allow an ACID to bypass suspension due to violations.
NOVOLCHECK
RESTRICT
FACILITIES: The facilities to which the user has access.
WHOHAS FACILITY: Returns facility information for the ACID.
XAUTH LIBRARY: The libraries for which the ACID has authority.
XAUTHDAYS: Days of the week the ACID is authorized on this application.
RESOURCE CLASS NAME: The resource class for which the ACID has authority.
ACID TYPE: The ACID type, for example zone, division, or department.
ACID SIZE: The size of the ACID.
ZONE ACID: The Zone ACID to which the ACID is attached.
ZONE NAME: The name assigned to the ACID within the zone.
DIGITAL CERT EXPIRES: The date, in string format, when the digital certification expires.
ADDRESS1: Physical address for the ACID.
ADDRESS4: Alternative physical address for the ACID.
TSODEFPRFG: The default TSO performance group.
TSODEST: The default destination identifier for TSO generated JCL for TSO users.
TSOHCLASS: The default hold class for TSO generated JCL for the TSO user.
FCT/PREFIX(OWNED)
XA VOLUMN

Table 107—Top Secret Connector - Account Attributes (continued)

COUNT SEGMENT: Used to allow TSS administrators to list data about fields in a specific segment.
MISC1: A CA-Top Secret administrator's authority to perform one or more administrative functions.
RESOURCE CLASS NAME2: An additional resource class for which the ACID has authority.
DEPT ACID: The Department ACID to which the ACID is attached.
DEPT NAME: The name assigned to the ACID within the department.
FAC: System facilities defined to CA-Top Secret: BATCH, CICS, IMS, TSO, STC, NCCF, WYLBUR, CA-Roscoe, or any installation-defined facility.
UID: The unique user ID for the ACID.
GID: IDs of the groups to which the ACID belongs.
OMVSPGM: The user's OpenEdition MVS shell program. This is the first program started when the OMVS command is entered, or when an OpenEdition MVS batch job is started using the BPXBATCH program.
EXPIRES: The date on which the ACID expires.
DATE LAST USED: Date the ACID was last used.
TIME LAST USED: Time the ACID was last used.
CPU: Name of the CPU on which the ACID was used.
SMSSTOR: The default storage keyword for the ACID.
TSOLACCT: The default account number used for TSO logon.
TSOLSIZE: The default region size (in kilobytes) for TSO.
TSOMSIZE: The maximum region size (in kilobytes) that the TSO user can specify at logon.
TSOJCLASS: The default job class for TSO generated job cards from TSO users.
TSOSCLASS: The default SYSOUT class for TSO generated JCL for the TSO users.
TSOUDATA: The site-defined data fields for a TSO user.
ADDRESS3: Alternative physical address for the ACID.
ADMIN BY
XAUTH MODE
XAUTH FAC
LISTDATA
RESOURCES
ACCESSLEVELS2
DSN/PREFIX(OWNED)

Table 107—Top Secret Connector - Account Attributes (continued)

XAUTH PRIVPGM: The program pathing, if privileged program is in use.
GROUP ACID: The Group ACID to which the ACID is attached.
TSOMCLASS: The default message class for TSO generated JCL for TSO users.
TIME ZONE: The time zone attached to the ACID.
ADDRESS2: Alternative physical address for the ACID.
INSTDATA: Used to record or remove information about an ACID. Up to 255 characters of information about an associated ACID may be used for convenient record keeping, or for interrogation by a user-written Installation Exit.
MISC9: To give, or to remove, a TSS administrator's authority to perform one or more high-level administrative functions.
MASTER FACILITY
LCF FACILITY
FACILITY NAME
FACILITY UNTIL DATE

Table 108—Top Secret Connector - Group Attributes

Attribute: Description

NAME: Identifies the ACID name. Names can be up to 32 characters in length, must be surrounded by single quotes if embedded with blanks, and can use letters, numbers, and special characters.
XAUTH: The authorized level at which the user can access the resource.
ACTION: Specifies which action(s) CA-Top Secret will take when access to a resource is attempted.
LANGUAGE PREFERENCE: The language preference code of the user.
LOCK TIME(MINUTES): The time interval before unattended or inactive terminals are locked.
LOCK TIME FACILITY: The lock time for all terminals connected to the specified facility.
VMMDISK: The VM minidisks owned by the user.
VOLSER(OWNED): The volumes to which the user has access.
SITRAN: Specifies which CICS transaction CA-Top Secret automatically executes after an ACID successfully signs on to a facility. Note: If a SITRAN is added to an ACID that already has a CICS transaction defined, the transaction is replaced.

Table 108—Top Secret Connector - Group Attributes (continued)

HOME: Defines the initial directory pathname. This is the initial directory used when a user enters the OMVS command or enters the ISPF shell. The HOME keyword accepts from one to 1024 characters. Both uppercase and lowercase characters are allowed. HOME is optional. If HOME isn't defined, OpenEdition MVS sets the initial directory for the user to the root directory.
CONSOLE: Used to grant or remove an ACID's ability to modify control options. With VSE and OS/390, options are modified at the O/S console or via the TSS MODIFY command function. For VM, options are modified via the TSS MODIFY command only.
AUDIT: Used to allow an audit of ACID activity.
TRACE: Used to activate a diagnostic trace on all ACID activity (initiations, resource access, violations, user's security mode, etc.).
SUSPEND: Used to prevent ACIDs from accessing the system when a violation occurs.
NOATS: Used to prevent an ACID in CICS and CA-IDMS from signing on via ATS (Automatic Terminal Signon).
NOADSP: Used to prevent data sets, created by an ACID, from being automatically secured by MVS by setting the RACF bit. NOADSP is used to define an ACID that will be used to create data sets that cannot be automatically protected by CA-Top Secret.
NOPWCHG: To prevent ACIDs from changing passwords at either signon or initiation, on a user-by-user basis.
MULTIPW: Used to assign or remove multiple password attributes, which means ACIDs need a different password to access each facility.
TSOMPW: Used to support multiple TSO UADS passwords.
OIDCARD: Used to support the physical identification of users through operator identification cards.
MRO: Used to support the use of the multi-region option.
DUFUPD: Used to add or remove the DUFUPD attribute to an ACID. DUFUPD is a component of the CA-Top Secret Dynamic Update Facility (DUF). DUFUPD enables an ACID to use the CA-Top Secret Application Interface to update the installation data (INSTDATA) or field data from a Security Record.
DUFXTR: Used to add or remove the DUFXTR attribute to an ACID. DUFXTR is a component of the CA-Top Secret Dynamic Update Facility (DUF). DUFXTR enables an ACID to use a RACROUTE REQUEST=AUTH (RACHECK) macro or the CA-Top Secret Application Interface to extract installation data (INSTDATA) or field data from a Security Record.
GAP: Used to specify that a profile will become, or will cease to be, globally administrable.
XA ACID
XAUTH Resource Class Name
ACEDEFAU

Table 108—Top Secret Connector - Group Attributes (continued)

ASUSPEND: Used to remove the suspension of an ACID that was suspended for administrative reasons.
SUSPENDED: The date, in string format, that the suspension ends.
OPIDENT: Used to assign or remove a CICS operator identification value that is equal to the ACID's OPIDENT entry in the CICS SNT (Signon Table). The OPIDENT value is placed into the ACID's TCT at signon.
OPPRTY: Used to assign or remove a CICS operator priority from the associated ACID. The OPPRTY value is placed into the ACID's TCT (Terminal Control Table) at signon.
PASSWORD: Used to assign a password, along with values that control its use, to a previously defined ACID.
PASSWORD EXPIRES DATE: The date, in string format, that the password expires.
PASSWORD INTERVAL: The interval in which the password must be changed.
PASSWORD FACILITY: The facility name applied to ACIDs with the MULTIPW attribute.
PHYSKEY: PHYSKEY (physical security key) supports external authentication devices.
PROFILE ACID: Used to assign profiles to an ACID.
PROGRAM: Used to secure system programs and utilities.
TSOLPROC: Used to provide a default proc to be used for TSO logon. The one- to eight-character logon procedure name. Procedure names are also TSO-related resources and the user must be permitted to any procedure name with which he attempts to log on.
TSOUNIT: The default unit name to be used for dynamic allocations under TSO. The one- to eight-character unit (device) name for dynamically allocated data sets. The name must be a defined generic unit class name at the installation. This field is not alterable by the user at logon and is not required for successful logon.
DIV ACID: Specifies the Division ACID to which the ACID is attached.
DIV NAME: The name assigned to the ACID within the zone.
WHOHAS XAUTH: A list of resources that may be accessed by the ACID shown in the command, the level at which the ACID may access the resource, and the owner of the resource.
WHOHAS ADMIN: Used to determine who has administrative authority on the application.
XA DATASET
WHO HAS RESOURCE
ACIDS2
SOURCES

Table 108—Top Secret Connector - Group Attributes (continued)

XA SYSID: The SYSID (which is actually the SMFID) that the authorizations for the ACID apply to.
XA MINIDISK: The minidisk authorization information for the ACID.
XAUTH LIBRARY: The libraries for which the ACID has authority.
RESOURCE CLASS NAME: The resource class for which the ACID has authority.
WHO OWNS RESOURCE: The resources owned by the ACID.
WHOHAS FACILITY: Returns facility information for the ACID.
MISC2: Used to give, or to remove, a CA-Top Secret administrator's authority to list the contents of the RDT, FDT or STC or to use the ASUSPEND administrative function.
MISC8: Used to give, or to remove, a CA-Top Secret administrator's authority to perform one or more administrative functions.
SCOPE: Used to give CA-Top Secret administrators the authority, or to remove their authority, to assign the SCOPE of an LSCA.
ACID WITHIN DEPT/DIV/ZONE: Used to specify department, division, and zone to include.
DEPARTMENT: The Department ACID to which the ACID is attached.
DLFTGRP: The default group for the ACID.
TSOOPT: The default options that a TSO user may specify at logon.
TSOCOMMAND: Default commands issued upon login of the ACID.
DATE CREATED: The date on which the ACID was created.
DATE LAST MODIFIED: The date on which the ACID was last modified.
TIME LAST MODIFIED: The time at which the ACID was last modified.
DIGITAL CERT NAME: The name of the digital certification.
DIGITAL CERT STARTS: The date, in string format, that the digital certification starts.
WANAME: The person to whom SYSOUT information should be delivered for this ACID.
ROOM NUMBER: The room number assigned to the ACID.
BUILDING: The building in which the ACID is located.
ACCESSLEVELS

Table 108—Top Secret Connector - Group Attributes (continued)

NORESCHK: Used to allow an ACID to bypass security checking, including auditing. Thus, for all owned resources except data sets and volumes, no auditing is done.
NODSNCHK: To specify that no data set name check will be performed. That is, CA-Top Secret will bypass all data set access security checks. All data set access will be audited.
NOVMDCHK: Used to allow an ACID to bypass all checking for minidisk links. NOVMDCHK is intended only to be applied to special products such as DASD space managers, which may link to many minidisks. All links will be audited.
NOSUBCHK: Used to allow an ACID to bypass alternate ACID usage as well as all job submission security checking. That is, associated ACIDs may submit all jobs regardless of the (derived) ACID on the job card being submitted.
NOLCFCHK: Used to allow an ACID to execute any command or transaction for all facilities, regardless of LCF (Limited Command Facility) restrictions.
NOSUSPEND: Used to allow an ACID to bypass suspension due to violations.
NOVOLCHECK
RESTRICT
FACILITIES: The facilities to which the user has access.
XAUTHDAYS: Days of the week the ACID is authorized on this application.
MISC1: A CA-Top Secret administrator's authority to perform one or more administrative functions.
RESOURCE CLASS NAME2: An additional resource class for which the ACID has authority.
ACID TYPE: The ACID type, for example zone, division, or department.
ACID SIZE: The size of the ACID.
ZONE ACID: The Zone ACID to which the ACID is attached.
ZONE NAME: The name assigned to the ACID within the zone.
DIGITAL CERT EXPIRES: The date, in string format, when the digital certification expires.
ADDRESS1: Physical address for the ACID.
ADDRESS4: Alternative physical address for the ACID.
TSODEFPRFG: The default TSO performance group.
TSODEST: The default destination identifier for TSO generated JCL for TSO users.
TSOHCLASS: The default hold class for TSO generated JCL for the TSO user.
FCT/PREFIX(OWNED)
XA VOLUMN

Table 108—Top Secret Connector - Group Attributes (continued)

XAUTH PRIVPGM: The program pathing, if privileged program is in use.
GID: IDs of the groups to which the ACID belongs.
UID: The unique user ID for the ACID.
FAC: System facilities defined to CA-Top Secret: BATCH, CICS, IMS, TSO, STC, NCCF, WYLBUR, CA-Roscoe, or any installation-defined facility.
DEPT ACID: The Department ACID to which the ACID is attached.
DEPT NAME: The name assigned to the ACID within the department.
COUNT SEGMENT: Used to allow TSS administrators to list data about fields in a specific segment.
OMVSPGM: The user's OpenEdition MVS shell program. This is the first program started when the OMVS command is entered, or when an OpenEdition MVS batch job is started using the BPXBATCH program.
EXPIRES: The date on which the ACID expires.
DATE LAST USED: Date the ACID was last used.
TIME LAST USED: Time the ACID was last used.
TIME ZONE: The time zone attached to the ACID.
CPU: Name of the CPU on which the ACID was used.
SMSSTOR: The default storage keyword for the ACID.
TSOLACCT: The default account number used for TSO logon.
TSOLSIZE: The default region size (in kilobytes) for TSO.
TSOMSIZE: The maximum region size (in kilobytes) that the TSO user can specify at logon.
TSOJCLASS: The default job class for TSO generated job cards from TSO users.
TSOSCLASS: The default SYSOUT class for TSO generated JCL for the TSO users.
TSOUDATA: The site-defined data fields for a TSO user.
ADDRESS3: Alternative physical address for the ACID.
ADMIN BY
XAUTH MODE
XAUTH FAC
LISTDATA
RESOURCES
ACCESSLEVELS2
DSN/PREFIX(OWNED)
MASTER FACILITY

Table 108—Top Secret Connector - Group Attributes (continued)

GROUP ACID: The Group ACID to which the ACID is attached.
TSOMCLASS: The default message class for TSO generated JCL for TSO users.
ADDRESS2: Alternative physical address for the ACID.
INSTDATA: Used to record or remove information about an ACID. Up to 255 characters of information about an associated ACID may be used for convenient record keeping, or for interrogation by a user-written Installation Exit.
MISC9: To give, or to remove, a TSS administrator's authority to perform one or more high-level administrative functions.
LCF FACILITY
FACILITY NAME
FACILITY UNTIL DATE

UNIX Connector

The UNIX connector was developed to read and parse the passwd and group files from UNIX servers to build identities and groups. Since this connector is file based, there is some synergy between the UNIX and Delimited File connectors.

Depending on your application configuration, IdentityIQ determines login success by authenticating using the ftp or scp service with the provided login credentials. Therefore, the passwdfile attribute of the UNIX application must be the same password file used by the system for authentication. This password file is typically /etc/passwd, but might be different in an environment where NIS is used.

UNIX Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.

The UNIX connector uses the following connection attributes:

Table 109—UNIX Connector - Required Attributes

Attribute: Description

host: The host of the server to which you are connecting.
filetransport: local, ftp, scp
transportUser: The user to use with ftp and scp. Not valid with local.
transportUserPassword: The password to use with ftp and scp. Not valid with local.
passwdfile: The fully qualified path to the passwd file.

Table 109—UNIX Connector - Required Attributes (continued)

groupfile: The fully qualified path to the group file.

UNIX Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identity Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities. When a connector is called, the schema is supplied to the methods on the connector interface.

Table 110—UNIX Connector - Account Attributes

Attribute: Description

homedir: The path to the user's home directory on the host system. The home directory is the directory in which the user keeps personal files such as initialization files and mail.
info: The information pertaining to the user.
shell: The shell, or program, preferred by the user for accessing the command line interface.
groups: The groups to which the user belongs.

Table 111—UNIX Connector - Group Attributes

Attribute: Description

groupname: A name associated with the group. The group names are listed in the first comma-delimited field of the groups text file.
groupid: A group id used to identify the group. The group ids are listed in the third comma-delimited field of the groups text file.
members: A comma-delimited list of users who are members of the group. Members are listed in the fourth comma-delimited field of the groups text file.

Windows Local Connector

The Windows Local connector was developed to connect to Windows through the WinNT ADSI service provider. This service provider not only connects to Windows NT Domains, but also to the local user/group registry for all Windows versions.

Windows Local Connector - Account Group Members

Before you can view account group members in the user interface using the Windows Local connector, Account Mapping must be configured in IdentityIQ.
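As an added illustration of the UNIX connector's account and group attributes (Tables 110 and 111 above), the following Python is not IdentityIQ's own code: it parses constructed passwd and group files into account objects (homedir, info, shell, groups) and group objects (groupname, groupid, members). Note that on a real system the fields of both files are separated by colons, and only the members list inside the fourth group-file field is comma-separated; counting the primary GID from passwd as a membership is an assumption of this example.

```python
"""UNIX connector style parsing of passwd and group files.

Added example, not IdentityIQ's own code; the two files below are
constructed samples. Both files use colon-separated fields; the members
list in the fourth field of the group file is comma-separated inside that
field. Counting the primary GID from passwd as a membership is an
assumption of this example.
"""
from typing import Dict, List, Tuple

PASSWD_FILE = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/zsh
svc_backup:x:1003:1003:Backup service:/var/backup:/usr/sbin/nologin
"""

GROUP_FILE = """root:x:0:
wheel:x:10:alice
alice:x:1001:
bob:x:1002:
svc_backup:x:1003:
backup-ops:x:2001:alice,bob
"""


def parse_group_file(text: str) -> Dict[str, dict]:
    """Group objects keyed by groupname: groupname, groupid, members."""
    groups: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed group entry: {line!r}")
        members = [m for m in fields[3].split(",") if m]  # empty field -> no members
        groups[fields[0]] = {"groupname": fields[0], "groupid": int(fields[2]),
                             "members": members}
    return groups


def parse_passwd_file(text: str, groups: Dict[str, dict]) -> Dict[str, dict]:
    """Account objects keyed by login name: homedir, info, shell, groups."""
    gid_to_name = {g["groupid"]: name for name, g in groups.items()}
    accounts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid, info, homedir, shell = fields
        # Supplementary groups come from the members field of the group file.
        memberships: List[str] = [g["groupname"] for g in groups.values()
                                  if name in g["members"]]
        # Assumption: the primary group (passwd GID field) is a membership too.
        primary = gid_to_name.get(int(gid))
        if primary is not None and primary not in memberships:
            memberships.insert(0, primary)
        accounts[name] = {"name": name, "uid": int(uid), "homedir": homedir,
                          "info": info, "shell": shell, "groups": memberships}
    return accounts


def build_objects(passwd_text: str = PASSWD_FILE,
                  group_text: str = GROUP_FILE) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Parse both files; groups first so account memberships can be resolved."""
    groups = parse_group_file(group_text)
    return parse_passwd_file(passwd_text, groups), groups
```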

For details, see Account Mappings on page 334.

Windows Local Connector - Connection Attributes

This section contains the information that IdentityIQ uses to connect and interact with the application. Each application type requires different information to create and maintain a connection.

The Windows Local connector uses the following connection attributes:

Table 112—Windows Local Connector - Required Attributes

Attribute: Description

IQServiceHost: Host where the IQService is installed.
IQServicePort: Port the IQService is listening on; defaults to 5050.
user: Administrator to use when connecting. This can be in the form DOMAIN\\USER (i.e. NTTRUST\Administrator) -OR- USER (Administrator) for a local user.
password: Password to use when connecting.
domain: The domain that should be aggregated if you are not targeting a specific server in a domain.
server: The server that should be aggregated if targeting a specific server in a domain.
pageSize: Number of objects to fetch in a single request. Defaults to 1000.

Windows Local Connector - Schema Attributes

The application schema is used to configure the objects returned from a connector. IdentityIQ currently supports two types of objects, account and group. Account objects are used when building identity Link objects. The group schema is used when building AccountGroup objects, which are used to hold entitlements shared across identities. When a connector is called, the schema is supplied to the methods on the connector interface.

Table 113—Windows Local Connector - Account Attributes

Attribute: Description

AutoUnlockInterval
Description: User's description
DirectoryPath: Fully qualified directory path WinNt://...
Disabled: Flag to indicate if the user is disabled.
FullName: User's full name
groups: List of groups assigned to a user

Table 113—Windows Local Connector - Account Attributes (continued)

HomeDirectory: Location of the user's home directory
Lockedout: Flag to indicate a user is locked out
MaxStorage: Maximum amount of disk space the user can use
MinPasswordLength: Minimum length of the user's password
Name: Name of the account, unqualified sAMAccountName
objectSid: Windows SID
PasswordAge: Time duration of the password in use. This property indicates the number of seconds that have elapsed since the password was last changed.
PasswordExpired: Indicates if the password is expired
PasswordNotRequired: Flag to indicate if the user requires a password.
PasswordUnchangeable: Flag to indicate if the user password can be changed.
Profile: User's Profile
PrimaryGroupID: Id of the user's primary group.
sAMAccountName: Fully qualified version of the sAMAccountName
UserFlags: User Flag defined in ADS_USER_FLAG_ENUM

Table 114—Windows Local Connector - Group Attributes

Attribute: Description

Description: User's description
DirectoryPath: Fully qualified directory path WinNt://...
GroupMembers: List of groups assigned to a group
GroupType: Windows SID
Members: List of users assigned to a group
objectSid: Windows SID
sAMAccountName: Fully qualified version of the sAMAccountName


For example. IdentityIQ searches for access patterns to determine logical groupings of entitlements. Role management also uses the concept of permissions to enable you to grant users permission to certain roles without assigning them the role or incorporating it in their role hierarchy. When you define roles based on entitlements from the applications being monitored by IdentityIQ. IdentityIQ also supports the creation of roles based on the mining of entitlements within the enterprise. B. type might be used to control inheritance or automatic assignment of roles. After the mining task is completed. Roles enable business managers to make more accurate decisions and to make an appropriate trade-off between business benefits and risks. or geographic location. and an identity is discovered that is assigned all of the entitlements that defined roles C. IT roles typically model how application entitlements (or permissions) are logically grouped for streamlined access. they are assign role A. These roles typically model the IT privileges required to perform a specific function within an application or other target system. and role B is a member of role C. matches them to the roles you defined. the aggregation and correlation process discovers the entitlements. Business role mining within IdentityIQ facilitates the creation of organizational groupings based on identity attributes – for example department. if role A is a member of role B. These roles. Assigning the lowest level role enables operations such as certifications to be performed on one role instead of on each entitlement assigned to the user. Roles enable better visibility into IT data so that results and metrics can be understood and approved by business managers and executives. Role mining enables you to create new roles within IdentityIQ by analyzing data within the system using pattern-matching algorithms. IdentityIQ supports role mining to create both business and IT roles. cost center or job title. 
The business role mining supports multiple configuration options to assist users in generating new roles. This function enables you to roll-back to previous versions of the role if necessary. Role type is used to configure roles to perform different functions within your business model. while a non-IT user with a business-type role might need access to the entitlements contained within an IT-type role. project teams.Chapter 7: Role Management Role management is used to create and maintain the roles that define your enterprise. For example. the new roles are added to the Role Viewer where they can be modified as necessary. and assigns those roles to the users that have those entitlements. including functional hierarchies. Roles make it easier to translate business process rules into technical IT controls. Roles are an important part of any identity control system. combined with information discovered from your application and user configuration. and A. they probably do not need to have that role assigned to them or included as part of their hierarchal role structure. For example. Using a configurable algorithm. create the Identity Cubes that enable you to monitor and maintain compliance. Business roles typically model how users are grouped by business function. users are assigned the lowest level role discovered during aggregation. Role archiving enables you to store versions of roles that have changed over time. If roll approval is required in your IdentityIQ User’s Guide 249 . If you create a hierarchical structure of roles using the inheritance function of the Role Viewer. Role types are configured on the System Setup page.
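The hierarchy rule described above (an identity whose entitlements match roles C, B and A is assigned only the lowest level role, A), together with the profile filters and the permitted and required roles discussed later in this chapter, modelled in Python as an added example. This is not SailPoint code; the role names, applications, attribute names and the two identities are constructed for illustration.

```python
"""Toy model of the role hierarchy and detection rules described above (added
example, not SailPoint code). Roles, attribute names and accounts are constructed."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Set

@dataclass
class Filter:          # one attribute filter of a profile (Edit Entitlement panel)
    attribute: str
    op: str            # equals, is in, contains all, is like, is null, is not null
    value: Any = None  # unused by the unary operators is null / is not null
    ignore_case: bool = False  # applied to string values

@dataclass
class Profile:         # a set of entitlements on one application
    application: str
    filters: List[Filter]
    operation: str = "AND"  # AND or OR across the filters

@dataclass
class Role:
    name: str
    profiles: List[Profile] = field(default_factory=list)
    inherits: Optional[str] = None  # the role this role is a member of
    permits: Set[str] = field(default_factory=set)
    requires: Set[str] = field(default_factory=set)

def match_filter(f: Filter, attrs: Dict[str, Any]) -> bool:
    """Evaluate one filter against one account's attribute map."""
    actual = attrs.get(f.attribute)
    if f.op in ("is null", "is not null"):  # unary: the value textbox is disabled
        return (actual is None) == (f.op == "is null")
    if actual is None:
        return False
    fold = f.ignore_case and isinstance(actual, str) and isinstance(f.value, str)
    a, v = (actual.lower(), f.value.lower()) if fold else (actual, f.value)
    ops = {
        "equals": lambda: a == v,
        "is in": lambda: a in v,                   # v lists the acceptable values
        "contains all": lambda: set(v) <= set(a),  # multi-valued attribute holds all
        "is like": lambda: str(v) in str(a),       # substring match
    }
    return ops[f.op]()

def match_profile(p: Profile, accounts: Dict[str, Dict[str, Any]]) -> bool:
    attrs = accounts.get(p.application)  # accounts: application -> attributes
    if attrs is None:
        return False
    hits = [match_filter(f, attrs) for f in p.filters]
    return all(hits) if p.operation == "AND" else any(hits)

def _ancestors(name: str, roles: Dict[str, Role]) -> List[str]:
    chain, cur = [], roles[name].inherits
    while cur is not None:
        chain.append(cur)
        cur = roles[cur].inherits
    return chain

def detect_roles(roles: Dict[str, Role], accounts: Dict[str, Dict[str, Any]]) -> Set[str]:
    """A role is detected when its own profiles and all inherited profiles match."""
    def profs(r):
        return [p for n in [r] + _ancestors(r, roles) for p in roles[n].profiles]
    return {r for r in roles if profs(r) and all(match_profile(p, accounts) for p in profs(r))}

def lowest_level_roles(detected: Set[str], roles: Dict[str, Role]) -> Set[str]:
    """Drop a detected role that another detected role is a member of (C, B, A -> A)."""
    covered = {anc for n in detected for anc in _ancestors(n, roles)}
    return detected - covered

def detected_exceptions(detected: Set[str], assigned: Set[str], roles: Dict[str, Role]) -> Set[str]:
    """Detected roles that no assigned role permits or requires."""
    allowed = set().union(*(roles[n].permits | roles[n].requires for n in assigned))
    return detected - allowed

# Constructed model: AP Clerk is a member of Finance Staff, which is a member of AD User.
ROLES = {r.name: r for r in [
    Role("AD User", [Profile("Active Directory", [
        Filter("memberOf", "contains all", ["Domain Users"]),
        Filter("accountExpires", "is null")])]),
    Role("Finance Staff", [Profile("Active Directory", [
        Filter("memberOf", "contains all", ["Finance"])])], inherits="AD User"),
    Role("AP Clerk", [Profile("ERP", [
        Filter("role", "equals", "AP_CLERK", ignore_case=True)])], inherits="Finance Staff"),
    Role("DB Admin", [Profile("Oracle", [Filter("privileges", "contains all", ["DBA"])])]),
    Role("Accounts Payable", permits={"AP Clerk"}, requires={"AD User"}),  # assigned business role
]}

# Constructed identities: (application -> account attributes, assigned roles).
IDENTITIES = {
    "alice": ({"Active Directory": {"memberOf": ["Domain Users", "Finance"]},
               "ERP": {"role": "ap_clerk"}}, {"Accounts Payable"}),
    "bob": ({"Active Directory": {"memberOf": ["Domain Users"]},
             "Oracle": {"privileges": ["DBA", "CONNECT"]}}, {"Accounts Payable"}),
}

def correlate(name: str) -> Dict[str, Set[str]]:
    """Lowest-level detected roles for one identity, and which of them are exceptions."""
    accounts, assigned = IDENTITIES[name]
    detected = lowest_level_roles(detect_roles(ROLES, accounts), ROLES)
    return {"detected": detected, "exceptions": detected_exceptions(detected, assigned, ROLES)}
```

For alice, all three hierarchy levels match but only AP Clerk is kept; for bob, the detected DB Admin role is reported as an exception because his only assigned role neither permits nor requires it, which is what the Identities Detected to be Exceptions statistic counts.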

Role archiving is controlled through business processes and is enabled during the configuration of the IdentityIQ product.

Granted IdentityIQ user rights enables you to associate specific IdentityIQ capabilities and scopes to roles. Those capabilities and scopes are then granted to identities when they are assigned the role and the Identity Cube Refresh task is run with the Provision assigned roles option selected.

Role activation events enable you to use business processes to automatically activate or deactivate roles based on dates specified in the role modeler. Role activation business processes can be configured to automatically refresh identities to include or exclude the affected roles.

Role analysis and role approval are an important part of the overall role life-cycle management. Role analytics and approval for new, modified, or rolled-back roles are controlled through business processes configured for your implementation of IdentityIQ. By default this function is disabled in IdentityIQ and must be turned on during the deployment and configuration process.

The Role Management page includes the following:
• Role Viewer Tab on page 250
• Role Search Tab on page 259
• Entitlement Analysis on page 262
• IT Role Mining on page 264
• Business Role Mining on page 266
• Working with the Role Manager on page 271

Role Viewer Tab

The Role Navigation panel of the Role Viewer tab displays your existing roles. The list of roles can be organized in a top down, bottom up, or grid format. If you expand a role in the Top Down view you see the roles that are members of the expanded role. If you expand a role in the Bottom Up view you see the roles in which the expanded role is a member. The grid shows a simple list of roles in alphabetic order. Use filtering to locate specific roles in the Top Down and Bottom Up views. Click on a role to display detailed information in the Role Information panel of the Role Viewer. Click the arrow icon on the top, right side to contract or expand the Role Navigation panel. Contracting the panel provides more screen space to view role details in the Role Information panel.

If approval and impact analysis are active, roles and profiles that have changes pending approval or are undergoing impact analysis are displayed with a red square surrounding their icon. Inactive roles that are not pending approval or analysis are displayed with a gray icon.

Click Add to display the Role Editor page and define a new role. See Role Editor Page. Right-click on an existing role and select Clone to create a new role based on the existing one. To delete a role, right-click on the role and select Delete. You must then confirm the deletion request.

The Role Information panel contains all of the information associated with the selected role. Some of the sections listed in the table might not be available for all role types. If there is information associated with a role that is not supported by the assigned role type, the information is displayed with a warning message.

Role type definitions are customizable and created as part of the configuration process. Roles in which activation rules are enabled display a notice in the upper right-hand corner of the information panel containing activation or deactivation information.

Table 115—Role Viewer - Information Panel Descriptions

Name: The name of the role.

Description: A short description of the role.

Type: The type of role being displayed.

Owner: The owner assigned to the role.

Scope: The scope of this role. Scope is used to determine the objects to which a user has access. If scoping is active, identities can only see objects that they created or that are within the scopes they control.

Enablement Status: Specifies if the role is enabled and if activity monitoring is turned on for this role.

Extended Attributes: Any extended role attributes configured for your enterprise and marked as searchable are displayed with the role information.

Role Statistics: The Role Statistics panel displays detailed statistical information on the users and entitlements of a given role. Click each applicable category to view a window containing item-specific statistical information.
Note: The "Refresh role metadata" option must be selected in the Refresh Identity Cubes task in order for the Role Statistics panel to display any information. Click the Refresh button at the bottom of the panel of each role for which you wish to view the statistics, or run the Refresh Role Scorecard task to populate and display the statistical data by default on all roles.
Available IdentityIQ categories include the following:
• Members: Number of Identities assigned the role. Click to view a grid displaying those identities. This applies to Business Roles provided by IdentityIQ, not to custom roles.
• Members with Additional Entitlements: Number of Identities that have entitlements which are not permitted or required by this role or any other role they have been assigned. Click to view a grid displaying those identities. This applies to Business Roles provided by IdentityIQ, not to custom roles.
• Members with Missing Required Roles: Number of Identities that are missing roles which are required by this one. Click to view a grid displaying those identities. This applies to Business Roles provided by IdentityIQ, not to custom roles.
• Identities Detected: Number of Identities whose entitlements indicate that they have this role. Click to view a grid displaying those identities. This applies to IT and Entitlement Roles provided by IdentityIQ, not to custom roles.
• Identities Detected to be Exceptions: Number of Identities whose entitlements indicate that they have this role, even though they have not been assigned any roles that permit or require this one. This applies to IT and Entitlement Roles provided by IdentityIQ, not to custom roles.
• Provisioned Entitlements: Number of Entitlements that would be provisioned if this role were to be assigned to and/or required by a new Identity. This applies to Business, IT, and Entitlement Roles provided by IdentityIQ, not to custom roles.
• Permitted Entitlements: Number of Entitlements that would be provisioned in order for an Identity to match all roles permitted by this one. This applies to Business Roles provided by IdentityIQ, not to custom roles.

Scheduled Events: The events scheduled for this role.
Activate — the date on which the role will become active.
Deactivate — the date on which the role will be deactivated.

Archived Roles: Previous, or different, versions of this role. If archiving is active, each time a change is made to a role definition a version of the role is stored. This enables you to roll back to previous versions if required.

Assignment Rule: The rule used to automatically assign roles to identities during a correlation process. Roles assigned either manually on the identities pages or through an assignment rule are considered Assigned Roles throughout IdentityIQ.

Permitted Roles: Roles to which users have access if they are assigned this role.

Required Roles: The roles to which the user must have access if they are to be assigned this role.

Inherited Roles: The roles in which this role is a member.

Entitlements: The rules and permissions (targets and rights) that define the profiles contained within the role. The entitlements are grouped by application.

Inherited Entitlements: The entitlement details for the entitlements that define the roles in which this role is a member. The included entitlements are grouped by application.

Granted IdentityIQ User Rights: The IdentityIQ capabilities and scopes associated with the role. These rights are granted to the identities to whom this role is assigned. Note: These capabilities and scopes are not assigned until an Identity Cube Refresh task is run with the Provision assigned roles option selected.

The Role Viewer tab enables you to work with the following IdentityIQ components:
• Roles — See Role Editor Page on page 253.
• Profiles — See Role Editor - Edit Entitlement Panel on page 256.
• Archived Roles — See Role Editor - Archived Role Panel on page 255.

Role Editor Page

Use the Role Editor to define the roles that make up your enterprise. A role is a collection of roles or profiles that enable an identity to perform certain operations. For example, one role might enable an identity to request a purchase order and another might enable an identity to approve purchase requests. Use roles to monitor identities' entitlements, identify policy violations, and compile identity risk scores to enable you to maintain compliance.

Click Submit to save the changes made on this page. If the approval business process is active, an approval work item is sent to the role owner and the role changes are inactive until the approval is complete. Click Submit with Impact Analysis to save the changes and create an impact analysis report that provides details on the impact these changes will have on the rest of your product implementation and statistics on the amount of overlap between the new role and existing roles. See How to Approve Role Changes on page 278 and How to Perform Impact Analysis on page 278.

Note: When adding new roles, if the role type changes, the list of attributes changes to reflect the currently selected role type. When editing a role, any attributes from the original role are preserved and the user is prompted with the warning message "This attribute does not apply to the current role type".

Roles that are awaiting approval are displayed with a red square around the role icon. A role with changes pending approval displays the original, unchanged, role information on the Role Information panel, but the latest, changed, information on the Role Editor page. This enables you to view the role as it currently exists in the Role Information panel, but ensures that you do not duplicate changes on the Role Edit page. You can further edit roles with approval or analysis pending, but you will see a notice that says "An approval or impact analysis work item is pending on this role" at the top of this page. If you change and submit a role with changes pending, the original work item is deleted and replaced with a work item containing the latest changes.

The Role Editor panel contains all of the information associated with the selected role. Some of the sections listed in the table might not be available for all role types. If there is information associated with a role that is not supported by the assigned role type, the information is displayed with a warning message. See How to Create or Edit a Role From the Role Management Page on page 271 for information on how to work with roles.

Table 116—Role Management - Role Editor Field Descriptions

Name: The name of the role.

Description: A brief description of the role. Note: This description is displayed with the role throughout IdentityIQ and should be as intuitive as possible.

Type: The type of role, for example business, organizational, or IT. Role type definitions are customizable and created as part of the configuration process.

Owner: Enter a valid user or workgroup. Typing the first few letters of a name displays a list of all of the user and workgroup names in the system containing that letter combination. You can select from the displayed list.

Scope: Select a scope from the drop-down list. Scope is used to determine the objects to which a user has access. If scoping is active, identities can only see objects that they created or that are within the scopes they control. Only scopes that you control are displayed in the list.

Disable: Disable the role so that it is no longer available in your application. Disabled role names appear gray in the Role Navigation panel.

Enable Activity Monitoring: Activate this feature to track activity for any user that is assigned this role. If activity monitoring is not available on the selected application, the Activity Monitoring Enabled check-box is replaced by the following note: This application does not currently have activity monitoring configured.

Custom or Extended Role Attributes: Any extended role attributes configured for your enterprise and marked as searchable are displayed with the role information.

Scheduled Events: The activation events scheduled for the role. Activation events use business processes to automatically activate or deactivate roles based on the dates specified in the Add New Event dialog.

Assignment Rule: A rule used to automatically assign roles to identities during a correlation process. Assignment rules can be created using:
Match List — only identities whose criteria match that specified in the list. Add identity attributes, application attributes and application permissions. Customize further by creating attribute groups to which this assignment rule applies. The criteria is configured using the tools provided. Note: If the "Is Null" checkbox is selected, the associated value textbox is disabled. When the "is null" match is processed, the term matches users on the chosen application who have a null value for that attribute/permission.
Filter — a custom database query for role creation.
Script — a custom script for role creation.
Rule — select an existing rule from the drop-down list. Note: Click the "..." icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Population — select an existing population and assign this role to identities in that population.

Permitted Roles: Roles to which users have access if they are assigned this role.

Required Roles: The roles to which an identity must have access before this role can operate properly.

Inherited Roles: The roles in which this role is a member.

Profiles: Detailed information about the profiles that are contained in the role. Use this panel to create new profiles or edit or delete existing profiles. Mouse over the information icon to display the description of a profile.

Granted IdentityIQ User Rights: Use this panel to specify the IdentityIQ capabilities and scopes associated with the role. These rights are granted to the identities to whom this role is assigned. Note: These capabilities and scopes are not assigned until an Identity Cube Refresh task is run with the Provision assigned roles option selected.

Role Editor - Archived Role Panel

Click on an archived role to display the Archived Role panel, view the details of the archived role, and determine the proper version for this roll-back. Use the action buttons on the bottom of the page to complete the procedure. Click Roll Back to Archive Role to return to the Role Editor page. If approval is required on role changes, it is also required when a role is rolled back to a previous version.

Role Editor - Edit Entitlement Panel

Use the Edit Entitlement panel to define the profiles that are included in the role. A profile is a set of entitlements on an application. An entitlement is either a specific value for an account attribute, most commonly group membership, or a permission. Profiles are not shared between roles. During identity correlation, the entitlements defined in profiles are compared with entitlements assigned to users to determine roles and additional entitlements for certifications. See How to Create or Edit a Profile on page 274 for information on how to work with profiles.

The Profile panel contains the following information:

Table 117—Role Editor - Edit Entitlement Panel Field Descriptions

Description: A brief description of the profile. Note: This description is displayed with the role throughout the product and should be as intuitive as possible.

Application: The application associated with the account attributes or permissions for this profile. Applications are configured on the Configure Application page. See Configure Applications on page 139.

Attribute Rules: Attribute rules are made up of filters that can be grouped and controlled using AND\OR operations. The attribute rules associated with a profile can be as simple or complex as needed. The Add a Filter box is used to create the individual filters; the Filter(s) box is used to view and manipulate the existing filters.

Field: The attribute associated with the attribute filter. The drop-down list contains all attributes configured for the selected application.

Search Type: The qualifier associated with the attribute value. The operations available depend on the type of the attribute:
Multi Valued attributes — contains all, equals, is not equal, is in, is null, is not null
Boolean — equals, is not equal, is null, is not null
Long, Int, Date — All except contains all and is like: equals, is not equal, is greater than, is less than, is greater than or equal to, is less than or equal to, is in, is null, is not null
Everything else — All operations except contains all: is like, equals, is not equal, is greater than, is less than, is greater than or equal to, is less than or equal to, is in, is null, is not null
Permission — equals, is not equal, is in

Value: The value of the attribute. This field is not available for unary operations.

Ignore Case: Specifies if case should be a factor when comparing entitlements defined for profiles with those assigned to users. This field is not available for unary operations.

Operation: The operation used to control the interaction between the filters.

Permissions:

Target: The target attribute for this permission.

Rights: The rights associated with this profile on the target attribute, for example create, read, update, delete, execute. Use the Shift and Ctrl keys to select multiple rights from the list.

Click Save to save changes or add the profile to the role. See How to Create or Edit a Profile on page 274.

Role Editor - Provisioning Policy Editor Panel

Provisioning Policies are used to define account attributes that must be set when creating an account due to a change in role assignments or due to a Lifecycle Manager request. A policy can be attached to an IdentityIQ application or role and is used as part of the provisioning process. With a provisioning policy in place, when a role is requested the user must input specified criteria into a generated form before the request can be completed. See How to Create or Edit a Provisioning Policy on page 258 for information on how to work with provisioning policies.

The Provisioning Policy Editor panel contains the following information:

Table 118—Role Editor - Provisioning Policy Editor Field Descriptions

Name: The name of your provisioning policy.

Description: A brief description of the provisioning policy.

Application: The application associated with the account attributes or permissions for this provisioning policy.

Owner: The owner of the provisioning policy. This is determined by selecting from the following:
None — no owner is assigned to this provisioning policy.
Application Owner — identity assigned as owner of the application in which the provisioning policy resides.
Role Owner — identity assigned as owner of the role in which the provisioning policy resides.
Rule — use a rule to determine the owner of this provisioning policy.
Script — use a script to determine the owner of this provisioning policy.

Edit Provisioning Policy Fields Panel

Use the Edit Provisioning Policy Fields panel to customize the look and function of the form fields generated from the provisioning policy.

Name: The name of the field.

Display Name: The name displayed for the field in the form generated by the provisioning policy.

Help Text: The text you wish to appear when hovering the mouse over the help icon.

Type: Select the type of field from the drop-down list. Choose from the following:
Boolean — true or false values field
Date — calendar date field
Integer — only numerical values field
Long — similar to integer but is used for large numerical values
Identity — specific identity in IdentityIQ field
Secret — hidden text field
String — text field

Value: Determine how the value is derived. Choose from the following:
None — the field is blank
Literal — value is based on the information you provide
Rule — value is based on a specified rule
Script — value is determined by the execution of a script

Allowed Values: The value(s) which may be displayed in the field of the generated form. Click the plus sign to add another value. Select from the following:
Literal — value is based on the information you provide
Rule — value is based on a specified rule
Script — value is determined by the execution of a script

Default Value: The value displayed in the field of the generated form before editing. Choose from the following:
None — the field is blank
Literal — value is based on the information you provide
Rule — value is based on a specified rule
Script — value is determined by the execution of a script

Owner: The owner of this provisioning policy field. This is determined by selecting from the following:
None — no owner is assigned to this provisioning policy.
Application Owner — identity assigned as owner of the application in which the provisioning policy resides.
Role Owner — identity assigned as owner of the role in which the provisioning policy resides.
Rule — use a rule to determine the owner of this provisioning policy.
Script — use a script to determine the owner of this provisioning policy.

Multi Valued: Choose this to have more than one selectable value in this field of the generated form.

Required: Choose whether or not to make the completion of this field a requirement for submitting the form.

Review Required: Choose whether or not to require the person who is approving the workflow item to approve this field.

Validation: Gives the ability to specify a script or rule for validating the user's value. For example, a script that validates that a password is 8 characters or longer.

How to Create or Edit a Provisioning Policy

To Create or Edit a Provisioning Policy:
1. Access the Provisioning Policy panel from the Role Editor page.
2. Click on an existing provisioning policy to edit it, or click Add Provisioning Policy to create a new one.
3. Edit the provisioning policy information. See Role Management - Role Editor Field Descriptions on page 254 for descriptions of the fields in each section.
4. Optional: Add or delete provisioning policy fields.
5. Select fields to include in the form.
6. Click Save to return to the Role Editor.

Role Search Tab

Use the Role Search tab to generate searches on the roles. These searches can be used to locate roles by name, owner, type, or status. You can also search for roles by the number of users to whom they are assigned, either manually or through role assignment rules, the number of entitlements they contain, their risk score weight, the last time they were assigned or certified, their association to other roles, or any combination of that criteria. For example, you can identify roles that were created but are not being used by setting Detected Total and Assigned Total to less than one (1).

Searches yielding helpful results can be saved for your reuse, or saved as reports. Saving a search as a report enables scheduling of the search on an on-going basis for monitoring and tracking purposes. See Reports on page 17.

Note: The Refresh Role Indexes task must have run at least once before a roles search will yield results.

Search criteria is used to narrow the result set for a search. Not entering information or making a selection in a search criteria field implies that all possible choices should be included. For example, if you do not enter a type in the Type field, events with any action type are included. The search fields are inclusive: only actions matching values specified in all fields are returned with the results.

The Role Search tab contains the following information:

Table 119—Role Management - Role Search Criteria

Saved Searches:

Search Name: The names of past searches that you have saved for reuse. Note: These Saved Searches are only available for your use.

Loaded Saved Search: The name and description of the saved query with which you are working.

Run Search: Run the search with the criteria displayed on the current page. Note: If you have modified the criteria of the Loaded Saved Search, the modified criteria is used for the search.

Clear Search: Unload the Loaded Saved Search and clear all query options.

Delete Search: Delete the specified Loaded Saved Query.

Role Attributes:

Name: Enter a role name on which to search. Entering a string of characters returns all roles with that string in their name that your controlled scopes enable you to view. For example, if you enter admin the search returns information for the roles System Administrator, SysAdmin, and Administrative Assistant.

Owner: Enter the role owner on which to search. Click the arrow to the right of the suggestion field to display a list of all role owners, or enter a few letters in the field to display a list of role owners whose names start with that letter string.

Type: Select the role type on which to search, for example IT, Organizational, or Business. Role types are defined for your enterprise during the role modeling process.

Status: Select the status of the roles to include in the search, Enabled or Disabled.

Assigned Total: Specify an upper or lower limit for the number of identities to whom this role can be assigned and still be included in the search results. Assigned roles are roles that were manually assigned to an identity by someone with role assignment authority or through a role assignment rule. For example, to search for roles that were not assigned to any identity, select Less Than from the drop-down list and type 1 in the empty field. This search returns all roles that were not manually assigned to at least one identity.

Detected Total: Specify an upper or lower limit for the number of identities by whom this role can be detected and still be included in the search results. Detected roles are roles that are automatically assigned to identities based on the entitlements to which they have access. For example, to search for roles that were not detected by any identity during correlation, select Less Than from the drop-down list and type 1 in the empty field. This search returns all roles that were not automatically assigned to at least one identity.

Entitlement Total: Specify an upper or lower limit for the number of entitlements a role can contain and still be included in the search results. For example, if you select Less Than and type 3, the search returns roles that contain two (2), one (1), or zero (0) entitlements.

Risk Score Weight: Specify an upper or lower limit for the risk score weight that can be assigned to a role for it to be included in the search results. For example, you can specify a Greater Than value to search for high-risk roles, or you can specify a Less Than value to search for roles that were created with a risk score weight that is too low for their type. In the second example, if your enterprise has a policy that requires that all IT-type roles have a risk score weight of 100, you can select IT from the Type drop-down list, select Less Than from the Risk Score Weight drop-down list, and type 100 in the empty field to return all IT-type roles with a risk score weight less than 100.

Associated To Another Role: Include only roles that are associated with at least one other role, or only roles that are not associated with any other role.
True — include only roles that are associated with at least one other role.
False — include only roles that are not associated with any other roles.

Filter By: Date

Date Type: Select a state with which to relate the dates specified:
Last Membership Certification — the date the last role membership certification was performed.
Last Composition Certification — the date the last role composition certification was performed.
Last Assigned — the date the role was last assigned to an identity.

Start Date: Specify a beginning date for this search. The search returns information pertaining to any action performed on or after the date specified.

End Date: Specify an end date for this search. The search returns information pertaining to any action performed on or before the date specified.

Fields to Display:

Fields to Display: Specify the information displayed on the Role Search Results page associated with this search. Each field defines a column on the results table. See Role Search Results on page 3. Note: You must select at least one field to display on the results page.

Role Search Results

The Role Search Results panel displays all of the roles that match the criteria specified in your search. The results are dependent on the Fields to Display list on the Role Search tab. From the Role Search Results panel you can export your search results to file and save the search criteria for use in the future.

Use the drop-down list above the Role Search Results panel to save search criteria for use in future searches:
• Save Search — save the search for your own use. A list of saved searches is displayed at the top of the search tab each time you log in.
• Save Search as Report — searches saved as reports are added to your list of reports and can be scheduled to run on an on-going basis. See Reports on page 17.
Export Searches: Use the buttons on the top right of the Role Search Results dialog to export the search results to a file for archiving and auditing purposes. The search results can be exported to Adobe PDF or Microsoft Excel format.

Entitlement Analysis
IdentityIQ supports the creation of roles based on the mining of entitlements within the enterprise. Using a configurable algorithm, IdentityIQ searches for access patterns to determine logical groupings of entitlements. These roles typically model the IT privileges required to perform a specific function within an application or other target system.
Entitlement analysis enables you to search for entitlements based on specific application and identity information, or by populations defined within your deployment of IdentityIQ. This feature enables you to create meaningful roles without having to remember every entitlement on every application or be familiar with the access assigned to each employee in your enterprise. Entitlement Analysis also enables you to analyze the entitlement information collected to further refine the roles you are creating before saving them.
Access the Entitlement Analysis tab from the Role Management page.
Performing Entitlement Analysis involves three distinct phases:
• Searching for entitlements
• Analyzing the search results
• Creating roles
Search for Entitlements:
1. Select the applications on which to search for entitlements. Enter the first letters of an application name to display a suggestion list, or click the arrow to the right of the field to display a list of all the applications to which you have access.
2. Optional: Narrow your entitlement search using the Identity Attribute fields or a list of populations. Use the Search by Attribute or Search by Populations radio buttons to switch between the options. The Identity Attribute fields displayed are dependent on the identity attributes defined during configuration. Populations are defined from the Advanced Analytics Identity Search Results page.

3. Click Search to begin the entitlement mining based on the specified criteria.
Analyze the Search Results:
The search returns the following information:
Note: The search only returns those entitlements based on account or group attributes, not those based on permissions.
Table 120—Role Management - IT Role Analysis Search Results Descriptions
Search Parameters:
Attribute: The criteria used to define this search. For example, Last Name, Application, or Manager.
Value: The value entered in the search field.
Filter Type: The type of filter applied to the search criteria. For example, Equal or Like.
Entitlement Information:
Name: The name of the attribute from which this entitlement was derived. Attributes used to define entitlements are specified during configuration.
Value: The value assigned to the attribute. Click on a value to display a list of all identities to whom that entitlement is assigned.
Percent of Population: The number of identities assigned to that value of that attribute on this application, expressed as a percentage of all identities that have an account on the application.
Only show percentages above: Use the slider to limit the results displayed in the table based on the percentage of the population to which the results apply. For example, if you are only interested in entitlements that apply to at least forty percent (40%) of the population searched, click on the slider and move it to that percentage, or type the percentage in the field to the right.
4. Use the results to analyze the entitlements that exist within your enterprise. Click on a value to expand a list of users to whom the entitlement is assigned. The Group and Analyze feature enables you to group entitlements within an application and generate results based on that group. This enables you to see how assigning multiple entitlements to a role will affect access within the application. To group and analyze, select multiple entitlements and click Group and Analyze. The results are displayed below the entitlements table. Click a group to see the details for the entitlements within. You can perform analysis multiple times on entitlements or on the groups created.
Create the Role:
When you are satisfied with the information you have mined and analyzed, click Create Role. You must enter a name for the new role, and optionally a type and description, then click Save to return to the Role Viewer.
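The following Python script is an added illustration and is not part of IdentityIQ or of this guide. It models the Percent of Population column, the Only show percentages above slider, clicking a value to list its holders, and Group and Analyze, over a small constructed set of accounts on one application. The account data, the function names and the choice of denominator (every identity with an account on the application, as the table above states) are assumptions made for the example; IdentityIQ's own algorithm is configurable and is not reproduced here.

```python
from collections import Counter

# Constructed sample data (not IdentityIQ data): application -> identity ->
# {entitlement attribute: set of values held on that account}.
ACCOUNTS = {
    "Finance": {
        "alice": {"memberOf": {"AP_Clerks", "GL_Readers"}},
        "bob":   {"memberOf": {"AP_Clerks", "GL_Readers", "AP_Approvers"}},
        "carol": {"memberOf": {"GL_Readers"}},
        "dave":  {"memberOf": {"AP_Clerks", "GL_Readers"}},
        "erin":  {"memberOf": {"AP_Approvers"}},
    }
}


def percent_of_population(application, accounts=ACCOUNTS, population=None):
    """Return {(attribute, value): percent} for one application.

    The denominator is every identity holding an account on the application,
    optionally narrowed to a population (the Search by Populations option)."""
    app = accounts[application]
    identities = [i for i in app if population is None or i in population]
    if not identities:
        return {}
    counts = Counter()
    for ident in identities:
        for attr, values in app[ident].items():
            for value in values:
                counts[(attr, value)] += 1
    return {k: round(100.0 * n / len(identities), 1) for k, n in counts.items()}


def above_threshold(percents, minimum_percent):
    """Apply the "Only show percentages above" slider to a result set."""
    return {k: p for k, p in percents.items() if p >= minimum_percent}


def holders(application, attr, value, accounts=ACCOUNTS):
    """Identities to whom one entitlement is assigned (click on a value)."""
    return sorted(i for i, a in accounts[application].items()
                  if value in a.get(attr, ()))


def group_and_analyze(application, entitlements, accounts=ACCOUNTS):
    """Group and Analyze: identities holding every entitlement in the group,
    and the share of the application's population a role built from that
    whole group would cover."""
    app = accounts[application]
    members = sorted(
        i for i, a in app.items()
        if all(value in a.get(attr, ()) for attr, value in entitlements)
    )
    return {"members": members,
            "percent": round(100.0 * len(members) / len(app), 1)}


if __name__ == "__main__":
    pct = percent_of_population("Finance")
    for (attr, value), p in sorted(pct.items(), key=lambda kv: -kv[1]):
        print(f"{attr}={value}: {p}%")
    print("at least 40%:", above_threshold(pct, 40))
    print(group_and_analyze("Finance", [("memberOf", "AP_Clerks"),
                                        ("memberOf", "GL_Readers")]))
```

Running the script shows why the slider matters: GL_Readers is held by 80% of the Finance accounts and is a strong role candidate, while AP_Approvers sits at exactly 40% and drops out as soon as the threshold moves above it. The group result also shows that combining AP_Clerks with GL_Readers covers only the three identities that hold both, which is the question Group and Analyze answers before you commit the group to a role.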

Additional Information
From the Role Editor you can add additional profiles, edit the role, or save the role and return to the Role Viewer. See Role Editor Page on page 253.

Role Mining
Role Mining is used to create roles based on specified criteria in an existing enterprise. Select IT Role Mining or Business Role Mining from the Create New drop-down list to create and launch a new role mining task. Alternatively, you can select an existing template from the Role Mining Template panel and use the predefined criteria in your role mining task. When you edit an existing template, you are given the choice to either change the existing template or create a new template. If you create a new template you are required to give it a new name.
Note: Names are required when creating role mining templates.
IdentityIQ separates role mining into the following categories:
• IT Role Mining on page 264
• Business Role Mining on page 266

IT Role Mining
IT Role Mining creates roles based on the mining of entitlements within the enterprise. Using a configurable algorithm, IdentityIQ searches for access patterns to determine logical groupings of entitlements. These roles typically model the IT privileges required to perform a specific function within an application or other target system. The IT Role Mining panel generates roles in bulk.
The entitlements from which roles are generated are defined on a by-application basis. When an application is added to the mining analysis, all of its entitlements are added to a box to the right. Users can prevent the entitlements from being considered in the analysis by clicking the "x" next to them.
The population of identities from which to mine can be restricted by IPOP or by String, boolean, or integer attributes (multi-valued attributes are not supported at this time). The population size is restricted by the defined identity population as well as the applications under consideration. The current population size is presented along with a warning that mining details are not available for large populations.
You can restrict the roles that are generated by specifying a minimum number of identities and entitlements per role. A threshold percentage limits the entitlements that are added to those held by a percentage of the population that exceeds the threshold. The mining task itself generates or updates a single IT role with entitlements that are mined from a user population specified by groups, applications, or an identity filter.

Create New IT Role Using Role Mining
Use the Create New drop-down list at the top-right corner of the page and select IT Role Mining. Input your mining criteria in the IT Role Mining panel. See Table 121—Role Management - IT Role Mining Field Descriptions on page 265 for details about the IT Role Mining panel.
Once you have entered your criteria, click Save to save your selections as an IT Role Mining template. Enter the name of your role mining template, then click OK. Click Save and Execute to save the template and run the role mining task.

Use An Existing IT Role Mining Template
Use or edit an existing IT Role Mining template to generate a role based on previous criteria by clicking a template name in the Role Mining Templates panel on the Role Mining tab.

Table 121—Role Management - IT Role Mining Field Descriptions
Owner: Enter a valid user or workgroup. Typing the first few letters of a name displays a list of all of the user and workgroup names in the system containing that letter combination. You can select from the displayed list.
Identities to Mine: Search By Attributes – Input the attribute data to target specific identity criteria used in the role mining task. Search By Population – Select a population on which the role mining task is run. Note: Selecting a population automatically filters the applications to those included in the selected population.
Applications to Mine: Specify the application(s) on which to focus the mining task.
Entitlements to Exclude: Select any entitlements that are associated with the application to exclude from the role mining task. All other entitlements are used as part of the role mining criteria.
The size of the population that will be mined is currently X identities: The variable value of the total number of identities used in the role mining task based on the current mining criteria.
Minimum Identities per Role: Specify the minimum number of identities, who meet the role mining criteria, that are required to create this role.
Minimum Entitlements per Role: Specify the minimum number of entitlements, which meet the role mining criteria, that are required to create this role.
Maximum Groups to Mine: Specify the maximum number of groups (candidate roles) which can be generated using this role mining criteria. Note: The role mining task will fail if the number of candidate roles discovered exceeds the number specified in this field.
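The following Python function is an added example, not IdentityIQ code, showing how the fields in Table 121 shape the result of an IT role mining task over a constructed six-identity population. It treats each distinct set of surviving entitlements as one candidate group, applies the Entitlements to Exclude list, the threshold percentage described above (only entitlements held by at least that share of the mined population are considered), Minimum Identities per Role, Minimum Entitlements per Role, and the Maximum Groups to Mine failure rule. The grouping method, the sample identities and the names used here are assumptions for the example; IdentityIQ's configurable algorithm may group entitlements differently.

```python
from collections import defaultdict


class TooManyCandidateRoles(Exception):
    """Raised when candidate roles exceed Maximum Groups to Mine (the task fails)."""


# Constructed sample population (not IdentityIQ data):
# identity -> {application: set of entitlement values held on that application}.
IDENTITIES = {
    "alice": {"AD": {"VPN_Users", "Finance_Share"}, "SAP": {"FI_DISPLAY"}},
    "bob":   {"AD": {"VPN_Users", "Finance_Share"}, "SAP": {"FI_DISPLAY"}},
    "carol": {"AD": {"VPN_Users", "Finance_Share"}, "SAP": {"FI_DISPLAY", "FI_POST"}},
    "dave":  {"AD": {"VPN_Users", "HR_Share"},      "SAP": {"HR_DISPLAY"}},
    "erin":  {"AD": {"VPN_Users", "HR_Share"},      "SAP": {"HR_DISPLAY"}},
    "frank": {"AD": {"Domain_Admins"}},
}


def mine_it_roles(identities, applications, *, population=None,
                  exclude=frozenset(), threshold_percent=0,
                  min_identities=1, min_entitlements=1, max_groups=None):
    """Return candidate IT roles as (entitlement tuple, sorted members) pairs.

    Entitlements are (application, value) pairs drawn from `applications`
    only (Applications to Mine), minus `exclude` (Entitlements to Exclude).
    An entitlement survives only if at least `threshold_percent` of the
    mined population holds it; identities with identical surviving sets
    form one candidate group. Groups are then filtered by the minimum
    identities/entitlements settings and capped by `max_groups`."""
    pop = [i for i in identities if population is None or i in population]
    held = {}
    for ident in pop:
        held[ident] = {(app, v) for app in applications
                       for v in identities[ident].get(app, ())
                       if (app, v) not in exclude}
    # Threshold: keep only entitlements common to enough of the population.
    counts = defaultdict(int)
    for ents in held.values():
        for e in ents:
            counts[e] += 1
    keep = {e for e, n in counts.items()
            if 100.0 * n / max(len(pop), 1) >= threshold_percent}
    groups = defaultdict(list)
    for ident, ents in held.items():
        key = tuple(sorted(ents & keep))
        if key:                      # identities with nothing left form no group
            groups[key].append(ident)
    candidates = [(ents, sorted(m)) for ents, m in groups.items()
                  if len(m) >= min_identities and len(ents) >= min_entitlements]
    if max_groups is not None and len(candidates) > max_groups:
        raise TooManyCandidateRoles(
            f"{len(candidates)} candidate roles exceed maximum {max_groups}")
    # Largest groups first, then by entitlement tuple for a stable order.
    return sorted(candidates, key=lambda c: (-len(c[1]), c[0]))


if __name__ == "__main__":
    for ents, members in mine_it_roles(IDENTITIES, ["AD", "SAP"],
                                       min_identities=2, min_entitlements=2):
        print(members, "->", [f"{app}:{v}" for app, v in ents])
```

With the threshold at 0 the sample yields two candidates (the two Finance clerks and the two HR users); raising the threshold to 40% removes HR_Share and HR_DISPLAY, so carol joins the Finance group and the HR identities collapse to a single VPN_Users entitlement that Minimum Entitlements per Role then drops. A Maximum Groups setting smaller than the number of candidates raises the exception, matching the failure note in the table.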

When you edit an existing template, you are given the choice to either change the existing template or create a new template. Any changes to the template are saved for this template unless the template name is changed. If you create a new template you are required to give it a new name.
Note: Names are required when creating role mining templates.
Once you have entered your criteria, click Save to save your selections. Click Save and Execute to save the template and run the role mining task. When the task is launched a success message dialog is displayed.
To review the results of the mining task, click View Latest Mining Results, which shows the results of the most recent mining task for this template. Executed mining tasks appear on the Role Mining Results tab. See Role Mining Results on page 269. The roles generated by the mining task are displayed on the Role Viewer tab.
To clear the role mining form, click Reset Mining Form.

Business Role Mining
Business role mining within IdentityIQ facilitates the creation of organizational groupings based on identity attributes – for example department, cost center or job title. The Business Role Mining panel generates roles from identity attributes and entitlements. Business role mining supports multiple configuration options to assist users in generating new roles.
The generated roles are either organized into a hierarchy based on identity attributes of the users from which the roles are mined, or they are generated in a flattened manner. Entitlement mining is optionally performed on the generated business roles. These entitlements are either directly attached to those business roles or placed in newly created IT roles that are then added to the business roles' Permits or Requires lists.
After the mining task is completed, the new roles are added to the Role Viewer where they can be modified as necessary. From there they are moved into either an existing container role or one that was newly created. Once the roles are created and active they can be used just like any other roles.
Note: Roles created through business role mining are disabled by default.
The criteria used to generate the business roles can be saved as a template for future use.
Once you have entered your criteria, click Save to save your selections as a Business Role Mining template. Enter the name of your role mining template, then click OK. Click Save and Execute to save the template and run the role mining task.

Table 122—Role Management - Business Role Mining Field Descriptions
General Settings:
Name: The name of the business role mining routine. The name created here is used to identify the settings used in the event the same role mining routine is reused in the future.

Owner: Enter a valid user. Typing the first few letters of a name displays a list of all of the user names in the system containing that letter combination. You can select from the displayed list.
Compute Population Statistics: Compute statistics for the mined roles and display them in the task result. See the results of the task on the Task Results tab of the Tasks page.
Perform Analysis Only (no roles are generated): Perform the role mining for analysis purposes only. No roles are generated when this mining is complete.
Role Settings:
Type of Business Roles to Generate: Type of role generated by the task. Note: This option is hidden when "Perform Analysis Only" is selected on the business role mining page.
Naming Algorithm: The filter-based naming algorithm concatenates all the attributes, separated by periods, to generate role names. The generic UID naming algorithm generates random role names.
Minimum Number of Users per Role: Minimum number of users that must meet the mining criteria before a role is generated.
Hierarchical Settings:
Generate a New Root Container Role: Generate a container role into which all generated roles should be placed. Note: This option is hidden when "Perform Analysis Only" is selected on the business role mining page.
Specify an Existing Root Container Role: Select an existing role into which all the newly generated roles should be placed. Note: This option is hidden when "Perform Analysis Only" is selected on the business role mining page.
Generate a Role Hierarchy from the Identity Mining Attributes: Each attribute will generate its own level in the hierarchy, and that level will contain the roles whose names match the values for that given attribute.
Ordered Identity Mining Attributes: Arrange the list of attributes used to order the hierarchy of the generated roles. Users are assigned the role based on this list's ordering. For example, if the list order is 1. Region, 2. Location, 3. Department, then all users in the same department for a given location in a given region are assigned that role.

Prefix to Apply to Generated Role Names: Prefix to add to the generated role names.
Disable Generated Roles: Disable all newly generated roles upon creation. This enables you to review and modify the roles if necessary before they are available for use.
IT Settings:
Mine for Entitlements on Generated Business Roles: Mine for entitlements as part of this task. Note: This option is hidden when "Perform Analysis Only" is selected on the business role mining page.
Entitlement Source Applications: Applications to mine for entitlements.
Percentage Threshold for Inclusion of an Entitlement: Specify the minimum inclusion threshold that an entitlement must meet before it is included in the role.
Attach Mined Profiles directly to Business Functional Roles: Attach mined profiles directly to the generated roles. If this option is not selected, new IT roles are created to hold the entitlements and these IT roles are added to the generated roles' Permits or Requires list based on the selection below.
Type of IT Roles to Generate: Type of role that is generated to hold the entitlements.
Business Roles' Relationship to Mined IT Roles: Determines if the newly created IT roles are added to the generated roles' Permits or Requires list.

Once you have entered your criteria, click Save to save your selections. Click Save and Execute to save the template and run the role mining task. Click View Latest Mining Results to view the results of the most recent mining task for this template. Executed mining tasks appear on the Role Mining Results tab.

Use An Existing Business Role Mining Template
Use or edit an existing Business Role Mining template to generate a role based on previous criteria by clicking a template name in the Role Mining Templates panel on the Role Mining tab. When you edit an existing template, you are given the choice to either change the existing template or create a new template. Any changes to the template are saved for this template unless the template name is changed. If you create a new template you are required to give it a new name.
Note: Names are required when creating role mining templates.
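The following Python function is an added example, not IdentityIQ code, that walks through the Business Role Mining settings in Table 122 on a constructed set of six identities: the Ordered Identity Mining Attributes produce one hierarchy level per attribute, the filter-based naming algorithm joins the attribute values with periods (with an optional prefix), Minimum Number of Users per Role prunes small groupings, generated roles are disabled by default, and entitlement mining either attaches entitlements directly or creates an IT role linked through Permits or Requires. The sample identities, the ".IT" suffix for generated IT roles and the dictionary layout of a role are assumptions for the example; the product's hierarchy and naming details may differ.

```python
from collections import defaultdict

# Constructed sample identities (not IdentityIQ data): identity attributes
# plus the entitlements held on a single source application.
IDENTITIES = {
    "alice": {"Region": "EMEA", "Location": "London", "Department": "Finance",
              "ents": {"FI_DISPLAY", "VPN"}},
    "bob":   {"Region": "EMEA", "Location": "London", "Department": "Finance",
              "ents": {"FI_DISPLAY", "VPN", "FI_POST"}},
    "carol": {"Region": "EMEA", "Location": "London", "Department": "Finance",
              "ents": {"FI_DISPLAY", "VPN"}},
    "dave":  {"Region": "EMEA", "Location": "London", "Department": "HR",
              "ents": {"HR_DISPLAY", "VPN"}},
    "erin":  {"Region": "AMER", "Location": "Austin", "Department": "Finance",
              "ents": {"FI_DISPLAY"}},
    "frank": {"Region": "AMER", "Location": "Austin", "Department": "Finance",
              "ents": {"FI_DISPLAY", "VPN"}},
}


def mine_business_roles(identities, attributes, *, prefix="", min_users=1,
                        mine_entitlements=False, threshold_percent=50,
                        attach_directly=True, relationship="Requires",
                        disabled=True):
    """Generate a role hierarchy: one level per attribute in `attributes`.

    Role names follow the filter-based naming algorithm (attribute values
    joined by periods, behind `prefix`). A role at depth n inherits from the
    depth n-1 role with the same leading values when that role exists.
    With `mine_entitlements`, an entitlement is included when at least
    `threshold_percent` of the role's members hold it; it is attached
    directly or placed in a generated IT role listed under Permits/Requires."""
    roles = {}
    for depth in range(1, len(attributes) + 1):
        buckets = defaultdict(list)
        for ident, attrs in identities.items():
            buckets[tuple(attrs[a] for a in attributes[:depth])].append(ident)
        for key, members in buckets.items():
            if len(members) < min_users:       # Minimum Number of Users per Role
                continue
            name = prefix + ".".join(key)
            parent = prefix + ".".join(key[:-1]) if depth > 1 else None
            role = {"type": "business", "members": sorted(members),
                    "disabled": disabled,      # Disable Generated Roles
                    "inherits": parent if parent in roles else None,
                    "entitlements": set(), "permits": [], "requires": []}
            if mine_entitlements:
                counts = defaultdict(int)
                for m in members:
                    for e in identities[m]["ents"]:
                        counts[e] += 1
                mined = {e for e, n in counts.items()
                         if 100.0 * n / len(members) >= threshold_percent}
                if attach_directly:
                    role["entitlements"] = mined
                elif mined:                    # hold them in a new IT role instead
                    it_name = name + ".IT"
                    roles[it_name] = {"type": "it", "entitlements": mined,
                                      "disabled": disabled}
                    role[relationship.lower()].append(it_name)
            roles[name] = role
    return roles


if __name__ == "__main__":
    result = mine_business_roles(IDENTITIES, ["Region", "Location", "Department"],
                                 min_users=2, mine_entitlements=True,
                                 threshold_percent=100)
    for name, role in result.items():
        print(name, "<-", role["inherits"], role["members"], sorted(role["entitlements"]))
```

On the sample data EMEA.London.HR never appears because only dave is in it, which is the pruning Minimum Number of Users per Role performs. With the inclusion threshold at 100%, EMEA.London.Finance receives FI_DISPLAY and VPN but not FI_POST (held by one member of three), while the region-level EMEA role receives only VPN; lowering the threshold to 50% would pull FI_DISPLAY up to the region role as well, which is the trade-off the threshold setting controls.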

Role Mining Results
The Role Mining Results tab displays a table containing information about the role mining tasks run in IdentityIQ. Use the filtering tools to narrow down the viewable results by name, start / end date and result. Click a line item to highlight that row. Right-click a line item to open a submenu with different options depending on the role mining type. IT Role Mining submenu options include View Results, Create Role, and Delete. Business Role Mining submenu options include View Results and Delete. Right-click the task and select Delete to remove it from the Role Mining Results tab.
Click a line item in the table to view the details of the mining result. The information and actions available on the role mining result details vary depending on the role mining type.

Table 123—Role Management - Role Mining Results Field Descriptions
Name: The name of the role mining template used for the task.
Type: The type of role mining task.
Owner: The identity named as owner of the role mining template.
Date Complete: The date the role mining task completed.
Result: The result of the role mining task. Note: Click the refresh button at the bottom of the panel if the task status is "Pending".

• IT Role Mining Results Details on page 269
• Business Role Mining Results Details on page 270

IT Role Mining Results Details
The IT Role Mining Results Details page displays a table containing a visual representation of the available unique roles generated based on the criteria used in the role mining task. Right-click a row to bring up a submenu from which you can select View Group Summary, Create Role, Export to CSV, or View Population. Click View List of Mining Results to return to the previous page.
Group Summary: The Group Summary window displays a quick view of the application and entitlements which make up that group.
Create Role: The Create Role window displays information about the role and its entitlements which were generated by the role mining task. Additional changes can be made here prior to committing to the role creation. At least one entitlement must be included to successfully create a role. Click Save to complete the role creation or Cancel to close the window. The new role is available on the Role Viewer tab.

Table 124—IT Role Mining Results - Create Role Field Descriptions
Name: Input the name of the role being created.
Owner: The owner of the role being created.
Scope: Select a scope from the drop-down list. Only scopes that you control are displayed in the list. Scope is used to determine the objects to which a user has access. If scoping is active, identities can only see objects that they created or that are within the scopes they control.
Description: Enter a brief description of the role.
Container Role: Select a container role from the drop-down list in which to have the created role placed.
Inherited Roles: Select from the drop-down list the roles, if any, of which this role is a member.
Entitlements from Inherited Roles: Displays the entitlements included in the inherited roles. Click the "X" icon to remove any entitlements.
Direct Entitlements: Displays the entitlements that were mined as a result of the role mining criteria entered. Click the "X" icon to remove any entitlements. Note: No entitlements may be added. Entitlements can only be removed from the list.

View Population: The View Population window displays information about the identities in IdentityIQ which match the criteria used by the role mining task. Use the drop-down list at the top of the window to filter the results to display identities that match the criteria exclusively or those that match but have additional entitlements. By default the table displays Name, First Name, Last Name and Manager. The information displayed in this table is defined when IdentityIQ is configured for your enterprise.

Business Role Mining Results Details
Click a Business Role Mining type line item to open the Latest Mining Results window for that mining task. The window displays detailed information on the roles generated based on the criteria used in the role mining task.

Table 125—Business Role Mining Results - Latest Mining Results Window Field Descriptions
Details:
Name: The name of the role which was created.
Type: The type of the role which was created.
Description: A brief description of the role which was created.
Status: Current status of the role mining task.
Started By: Displays the name of the person that launched the role mining task.
Started: Displays the date and time on which the mining task was started.
Completed: Displays the date and time on which the mining task was completed.
Business Role Mining Attributes:
Attribute: Displays information regarding the following topics: Identity Mining attributes - attributes selected in the mining criteria. Roles mined - total number of roles mined based on the provided mining criteria. Roles updated - number of roles updated as a result of the latest mining task. Coverage of mined roles - displays the percentage of comparative roles used in the mining task based off of the mining criteria.

Working with the Role Manager
Use the following sections to work with roles in the Role Manager. These sections enable you to create and edit roles and profiles, perform role analysis, and approve new or modified roles. Roles can also be created from certifications and role mining.
Use the approval function to open approval work items for role owners. See How to Approve Role Changes on page 278. Use the impact analysis function to create a report that provides details on the impact these changes will have on the rest of your product implementation. See How to Perform Impact Analysis on page 278.
• How to Create or Edit a Role From the Role Management Page on page 271
• How to Create a Role From a Role Creation Request on page 273
• How to Create or Edit a Profile on page 274
• How to Approve Role Changes on page 278
• How to Perform Impact Analysis on page 278

How to Create or Edit a Role From the Role Management Page
Use the following procedure to edit existing roles or create new roles.

Procedure
1. Access Role Management. Click or mouse over the Define tab and select Roles.
2. Click on a role to edit.
— OR —
Select Add to create a new role.
3. Enter the role information. This information is used throughout the product.
Name — A descriptive name of this role.
Type — The type of role being created. For example, business, organizational, or IT. Role type definitions are customizable and created as part of the configuration process.
Owner — The name of the owner for this role. Entering the first few letters of a name displays a select list of valid users and workgroups with names starting with those letters. Select a name from the list.
Description — A detailed description of the role.
4. Optional: Define an assignment rule for the role being created.
- Match List — define a list of entitlements to determine role assignment. For attributes, select an attribute from the drop-down list and type a value. For permissions, type the name (target) and value (right). Note: If the "Is Null" checkbox is selected, the associated value textbox is disabled. When the "is null" match is processed, the term matches users on the chosen application who have a null value for that attribute/permission.
- Filter — enter a custom XML database query to define the users for this role.
- Script — enter a custom script for role assignment. Scripts are similar to rules, but the source is stored with the role and can be edited from this page.
- Rule — select an existing rule from the drop-down list.
- Population — select a population from the list. Members of that population are assigned the role. Populations are generated as the results of identity searches.
5. Optional: Define activation events for the role being created.
Note: Only one activation or deactivation event can be defined at a time.
a. Click Add Event to display the Add New Event dialog.
b. Select Activate or Deactivate from the Action drop-down list.
c. Manually enter a date or click the calendar icon to select a date.
d. Click Save to return to the Role Editor page.
Select an event and click Delete to remove the event.
6. Optional: Click Modify Permitted Roles in the Permitted Roles panel and modify the list of roles permitted by this role.
a. Enter the first few letters of a role name in the Select a role field and select a role from the selection list.
b. Click Add to add the role to the membership list.
c. Add as many roles as required, and click Save.

7. Optional: Click Modify Required Roles in the Required Roles panel and modify the list of roles required by this role.
a. Enter the first few letters of a role name in the Select a role field and select a role from the selection list.
b. Click Add to add the role to the membership list.
c. Add as many roles as required, and click Save.
8. Optional: Click Modify Inheritance in the Inherited Roles panel and modify the list of roles of which this role is a member. This role inherits entitlements from any role of which it is a member.
a. Enter the first few letters of a role name in the Select a role field and select a role from the selection list.
b. Click Add to add the role to the inheritance list.
c. Add as many roles as required, and click Save.
9. Create new profiles or edit existing profiles from the Profiles panel. Profiles created for this role are inherited by any role that is a member of this role. See How to Create or Edit a Profile on page 274.
10. Optional: Click Add Provisioning Policy in the Provisioning Policy panel. See How to Create or Edit a Provisioning Policy on page 258.
11. Take one of the following actions:
- Click Submit to save the role or, if the approval work flow is active, open an approval work item for the specified role owner. The approval feature is only available if the work flow was activated during configuration.
- Click Submit with Impact Analysis to create a report that provides details on the impact these changes will have on the rest of your product implementation, and open an approval work item if the approval work flow is active.
- Click Check Policy Conflicts to display any policy violations created by changes made on this page. Policy checking is only available if impact analysis has been run.
Additional Information
To work with profiles associated with a role see:
• How to Create or Edit a Profile on page 274
• How to Approve Role Changes on page 278

How to Create a Role From a Role Creation Request
Use the following procedure to create roles from role creation request work items. Role creation request work items can be generated through the certification process.

Note: Approval is only required if the approval work flow is active. If approval is not required, roles are added directly from the Create Role dialog.
Procedure
To create a new role from a role creation request, do the following:
1. Click on the work item requesting the role in your Dashboard inbox.
2. Review the information in the work item and do one of the following:
- Approve — continue with step 3 to proceed with the approval process.
- Reject — reject the proposed role. Optionally add comments on the Rejection Comments dialog.
- Forward — forward the work item to another authorized user to make the decision on the role. Optionally add comments on the Forward Comments dialog.
3. Optional: Edit the name of the role.
4. Optional: Edit the owner of the role. Entering the first few letters of a name or workgroup displays a select list of valid IdentityIQ users and workgroups with names starting with those letters. Select a name from the list.
5. Optional: Edit or enter a description of the role being created.
6. Click Approve to display the Approval Comments dialog.
7. Add comments if they are required and click Approve to create this role.
Additional Information
• My Access Reviews Page on page 9

How to Create or Edit a Profile
A profile is a set of entitlements on a specific application. An entitlement is either a specific value for an account attribute, most commonly group membership, or a permission. Profiles are specific to one role.
To Edit a Profile:
1. Access the Profile panel from the Role Editor page.
2. Edit the profile information. See Role Editor - Edit Entitlement Panel on page 256 for descriptions of the fields in each section.
Note: If you change the application with which this profile is associated, all entitlements that you have created are removed.
3. Add or delete attribute rules and permissions.
4. Click Save to return to the Role Editor.

To Create a Profile:
• Create a new profile — See How to Create a New Profile on page 277.
• Create a profile using entitlement mining — See How to Create a Profile Using Entitlement Analysis on page 275.
Profiles can only be added within a role. See How to Create or Edit a Role From the Role Management Page on page 271.

How to Create a Profile Using Entitlement Analysis
IdentityIQ supports the creation of roles based on the mining of entitlements within the enterprise. Using a configurable algorithm, IdentityIQ searches for access patterns to determine logical groupings of entitlements. These roles typically model the IT privileges required to perform a specific function within an application or other target system.
Entitlement analysis enables you to search for entitlements based on specific application and identity information. This feature enables you to create meaningful profiles without having to remember every entitlement on every application, or be familiar with the access assigned to each employee in your enterprise. Entitlement mining also enables you to analyze the entitlement information collected to further refine the profiles you are creating before saving them.
Procedure
Creating a profile using entitlement analysis involves three distinct phases:
• Searching for entitlements
• Analyzing the search results
• Saving the profile
Search for Entitlements:
1. Access the Create Profile from Entitlement Analysis panel: click Create in the Profiles panel of the Role Editor and select New Profile From Entitlement.
2. Select the application on which to search for entitlements.
3. Optional: Narrow your entitlement search using the Identity Attribute fields. The Identity Attribute fields displayed are dependent on the identity attributes defined during configuration.
4. Click Search to begin the role analysis based on the specified criteria.
Analyze the Search Results:
The search returns the following information:
Note: The entitlement analysis search only returns those entitlements based on account or group attributes, not those based on permissions.

Table 126—Entitlement Mining Search Results Descriptions
Search Parameters:
Attribute: The criteria used to define this search. For example, Last Name, Application, or Manager.
Value: The value entered in the search field.
Filter Type: The type of filter applied to the search criteria. For example, Equal or Like.
Entitlement Information:
Name: The name of the attribute from which this entitlement was derived. Attributes used to define entitlements are specified during configuration.
Value: The value assigned to the attribute. Click on a value to display a list of all identities to whom that entitlement is assigned.
Percent of Population: The number of identities assigned to that value of that attribute on this application, expressed as a percentage of all identities that have an account on the application.
Only show percentages above: Use the slider to limit the results displayed in the table based on the percentage of the population to which the results apply. For example, if you are only interested in entitlements that apply to at least forty percent (40%) of the population searched, click on the slider and move it to that percentage, or type the percentage in the field to the right.

Use these results to analyze the entitlements that exist within your enterprise. Click on a value to expand a list of users to whom the entitlement is assigned. The Group and Analyze feature enables you to group entitlements within an application and generate results based on that group. This enables you to see how assigning multiple entitlements to a profile will affect access within the application. To group and analyze, select multiple entitlements and click Group and Analyze. The results are displayed below the entitlements table. Click a group to see the details for the entitlements within. You can perform analysis multiple times on entitlements or on the groups created.
Save the Profile:
When you are satisfied with the information you have mined and analyzed, click Create Profile. You must enter a name for the new profile, and optionally a description, then click Save to return to the Role Editor.
Additional Information
From the Role Editor you can add additional profiles, edit the role, or save the role and return to the Role Viewer. See Role Editor Page on page 253.

How to Create a New Profile
Use the following procedure to create a new profile. Profiles can only be added within a role. See How to Create or Edit a Role From the Role Management Page on page 271.

Procedure
1. Click Create in the Profiles panel of the Role Editor and select New Profile.
2. Select the application on which to apply this profile from the Application suggestion list. Enter the first few letters of an application name and select the application from the suggest list.
3. Enter a description for the profile.
4. Add Attribute Rules and Permissions to the profile. For an explanation of the filter options, see Creating Attribute Rules on page 277. For an explanation of the permission options, see Creating Attribute Permissions on page 278.
5. Click Save to return to the Role Editor.

Additional Information
From the Role Editor you can add additional profiles, edit the role, or save the role and return to the Role Modeler page.
Role Editor Page on page 253

Creating Attribute Rules
Use the Attribute Rules function to add and combine filters to define your profiles. Apply qualifiers to attributes within filters to limit the values returned and then use grouping and AND/OR operations to create the rules that make up the profile. For example, you can create an attribute rule that returns all users that are in payroll OR human resource AND located in Chicago. You can use multiple layers of filter grouping containing AND/OR operations to create complex attribute rules.

Add a Filter: Create the filters that make up the attribute rules. To use the filter, specify the following:
• Field — select an attribute value from the drop-down list. This list contains all of the attributes mapped from the selected application.
• Search Type — the qualifier to associate with the value, for example equals or like.
• Value — the value of the attribute.
• Ignore Case — specifies if case should be factored into the query.

Filter(s): The Operations drop-down list enables you to specify AND/OR relationships between the filters in the list.

Creating Attribute Permissions
Use the permissions panel to add permissions to the profile. Permissions define rights on targets on the application, for example create, read, update, delete, execute. Select rights from the rights lists and specify the target attribute in the Target field. Use the Shift and Ctrl keys to select multiple rights.

How to Approve Role Changes
When roles are created or edited, they might require approval from the designated owner before they become active. Role analysis and role approval are an important part of the overall role life-cycle management. Role analytics and approval, both for new or modified roles, are controlled through business processes configured for your implementation of IdentityIQ. Work items are created and sent to the owners when approval is necessary. Use this procedure to review and approve or reject role changes.

Procedure
1. Click on an approval work item in your inbox on the Dashboard to display the Approval page.
2. Review the summary information of the work item. Some of the information is read only.
3. Review the comments associated with the work item and, optionally, add comments.
4. Review the details sections.
Creation approvals — review the information in the New Role or New Profile panel, make the necessary modifications, and make a decision.
Modification approvals — review the changes in the Modified Role or Modified Profile table and make a decision.
5. Click Review Pending Changes to display the Role Editor and review the changes proposed for the role.
6. Make a decision.
Approve — approve the creation or modification. Add comments if needed and confirm the approval on the Approval Comments dialog.
Reject — reject the request for approval on the creation or modification. Add comments if needed and confirm the rejection on the Rejection Comments dialog.
Forward — forward the approval work item to another user. Entering the first few letters of a name displays a select list of valid users with names starting with those letters. Select a name from the list. Add comments if needed.
Cancel — cancel the work you have done on the work item and return to the Dashboard.

How to Perform Impact Analysis
Use the impact analysis function to create a report that provides details on the impact these changes will have on the rest of your product implementation.

When you click Submit with Impact Analysis from the Role Editor, an analysis task is launched, the changes are rolled into a work item that is assigned to you, and a link is created inside the work item that points to the task results. You can navigate from the work item to the task result to check on the status of the task as it is running. See View Work Item Page on page 368. Impact analysis can also be performed from the Task page using the Role Overlap Analysis tasks.

Overlap analysis returns information on the following overlap facets:
• Attributes — overlap between extended attributes and some system attributes
• Local Assignment — overlap between assignment rules and profiles defined directly on the role (not inherited)
• Hierarchical Assignment — overlap between both local and inherited assignment rules and profiles
• Local Provisioning — overlap between provisioning side effects defined directly on the role
• Hierarchical Provisioning — overlap between both local and inherited provisioning side effects
Note: The Assignment and Provisioning numbers are the same for simple roles, but will be different if there are manually written provisioning plans, or if the profiles use OR terms, since provisioning will only pick the first terms using OR.

Procedure
1. Click on an impact analysis work item in your inbox on the Dashboard to display the Role Approval page.
2. Review the summary information of the work item.
3. Review the comments associated with the work item and, optionally, add comments.
4. Review the details of the changes being analyzed by the impact analysis task associated with the work item.
5. Click "Click to view analysis task results" to display the task results page containing the actual impact information obtained by the task.
6. Review the impact information and click Return to Work Item to return to the work item and make a decision on the request.
7. Make a decision.
Approve — apply the creation or modification based on the content of the impact analysis task results.
Reject — discard any changes made to the role based on the impact analysis results.
Forward — forward the impact analysis work item to another user. Entering the first few letters of a name displays a select list of valid users with names starting with those letters. Select a name from the list. Add comments if needed.
Cancel — cancel the work you have done on the work item and return to the Dashboard.
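The attribute rule structure described under Creating Attribute Rules (Field, Search Type equals or like, Value, Ignore Case, nested AND/OR groups) and the note above that provisioning only picks the first term of an OR group, worked through as an added example; this is illustrative code, not IdentityIQ's own, and the sample accounts, the substring meaning of "like" and the way the OR note is modelled are assumptions.

```python
"""Evaluator for profile attribute rules (added illustration, not IdentityIQ code).

Models a filter (attribute, search type, value, ignore-case flag) and
AND/OR groups of filters, then compares which accounts a rule assigns
with what provisioning would see if each OR group were reduced to its
first term, as the impact analysis note describes.
"""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Filter:
    """One filter line: an application attribute, a qualifier and a value."""
    attribute: str
    search_type: str        # "equals" or "like"
    value: str
    ignore_case: bool = True

    def matches(self, account: dict) -> bool:
        actual = account.get(self.attribute)
        if actual is None:          # attribute absent on this account
            return False
        actual, wanted = str(actual), self.value
        if self.ignore_case:
            actual, wanted = actual.lower(), wanted.lower()
        if self.search_type == "equals":
            return actual == wanted
        if self.search_type == "like":
            return wanted in actual  # substring match (assumption)
        raise ValueError(f"unknown search type: {self.search_type}")


@dataclass
class Group:
    """A set of filters or nested groups joined by one AND/OR operation."""
    operation: str          # "AND" or "OR"
    terms: List[Union[Filter, "Group"]] = field(default_factory=list)

    def matches(self, account: dict) -> bool:
        if self.operation == "AND":
            return all(t.matches(account) for t in self.terms)
        if self.operation == "OR":
            return any(t.matches(account) for t in self.terms)
        raise ValueError(f"unknown operation: {self.operation}")


def provisioning_view(rule):
    """Collapse every OR group to its first term (assumed reading of the
    note that provisioning only picks the first terms using OR)."""
    if isinstance(rule, Filter):
        return rule
    if rule.operation == "OR":
        return provisioning_view(rule.terms[0])
    return Group("AND", [provisioning_view(t) for t in rule.terms])


def matching_accounts(rule, accounts) -> List[str]:
    """Account IDs the rule matches, in input order."""
    return [a["accountId"] for a in accounts if rule.matches(a)]


# The rule from the text: users in payroll OR human resources AND located
# in Chicago, grouped so the OR is evaluated before the AND.
PAYROLL_OR_HR_IN_CHICAGO = Group("AND", [
    Group("OR", [
        Filter("department", "equals", "Payroll"),
        Filter("department", "like", "Human Resource"),
    ]),
    Filter("location", "equals", "Chicago"),
])

# Constructed sample accounts for one application (not real data).
SAMPLE_ACCOUNTS = [
    {"accountId": "alice", "department": "Payroll", "location": "chicago"},
    {"accountId": "bob", "department": "Human Resources", "location": "Chicago"},
    {"accountId": "carol", "department": "Payroll", "location": "Austin"},
    {"accountId": "dave", "department": "Engineering", "location": "Chicago"},
    {"accountId": "erin", "department": "payroll"},   # no location attribute
]


if __name__ == "__main__":
    rule = PAYROLL_OR_HR_IN_CHICAGO
    print("assignment:  ", matching_accounts(rule, SAMPLE_ACCOUNTS))
    print("provisioning:", matching_accounts(provisioning_view(rule), SAMPLE_ACCOUNTS))
```

The two printed lists differ only because the profile uses an OR group, which is the situation the note above says makes the Assignment and Provisioning overlap numbers diverge.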


Chapter 8: Group and Population Configuration
Use the Group Configuration page to work with groups and populations within your enterprise. The tabs are empty until groups are defined and enabled. When these are enabled, activity can be tracked and monitored by membership and risk information, such as policy violations or risk scores, and displayed on the Dashboard.

Groups are defined automatically by values assigned to identity attributes such as Department, Location, Manager and Organization, or are based on common entitlements within an application. Groups associated with identity attribute values are defined by the values assigned to those attributes, one for each value of the attribute. For example, the Location identity attribute might have a value for each city in which your enterprise has an office, such as Austin, New_York, and London. In that case, there are three groups created, Austin, New_York, and London, each containing the identities that have the corresponding value assigned to Department.

Groups based on common entitlements within an application are defined by shared access, not common qualities as defined within IdentityIQ, and are listed under role. A role is a collection of entitlements that enable an identity to perform certain operations within your enterprise. When the role group attribute is created and enabled, each role becomes a group consisting of all identities that share the entitlements that make up that role. Identities assigned entitlements that do not combine to match the criteria of a role are assigned to the group No role. The Global group contains all identities. See Group Tab on page 282.

Populations are query based groups created from the results of searches run from the Identity Search page. Searches that result in interesting populations of identities can be saved as populations for reuse. Population membership is based entirely on identity search parameters. Members of a population might not share any of the same identity attributes or account group membership. See Populations Tab on page 283.

Account groups are defined by the values assigned to the group attribute on the applications configured within your enterprise. An entitlement is either a specific value for an account attribute or a permission. For example, in your enterprise you might have three levels of account managers that all work off of the information on a single customer database, but that do not have the same levels of access and permissions. The highest level might be able to create, delete, and update information, while the lowest level might just have read access. Each of the account manager levels would constitute an account group containing its own members and permissions. See Account Groups Tab on page 285.

Workgroups enable the assignment of object ownership, certification, revocations and work items to pre-defined lists of identities. In addition to grouping identities you are also able to assign capabilities and scope to these groups of identities so that you do not have to assign the same scopes and capabilities to each individual member of the group. See Workgroups Tab on page 287.

Group Tab
Select Groups from the Define tab to access the Group Configuration page.

The Groups table contains a list of the high-level containers, or group factories, that contain the actual groups used within IdentityIQ. These group factories are not groups themselves, but are used to define, maintain, and enable groups. Each group factory is associated with either an identity attribute or an entitlement within an application.

Creating multiple group factories of the same type produces identical results when a task is run that updates group information. For example, if you create three (3) group factories, X, Y, and Z, and specify the Department attribute for each, you receive identical results for all three group factories when you run a task that updates group information.

To create a new group, click Create New Group to open the Edit Group page. To delete a group factory, right-click and select Delete. Click on a group factory or right-click and select edit to display the Edit Group page. See Edit Group Page on page 282.

The Group tab contains the following information:

Table 127—Groups Tab Column Descriptions
Name: The name assigned to the group factory when it was created.
Description: Description of the group factory or the groups contained within.
Attribute: The attribute used to define the groups within the group factory.
Status: The status of the groups within the group factory, enabled (check mark) or disabled (exclamation mark). This status controls all of the groups contained within this group factory.

Edit Group Page
This page is used to enable or disable all of the groups contained within a group factory, recreate a group factory that has been deleted, and view the groups that make up a group factory. The Edit Group page contains the group factory information from the table and a list of the groups associated with the group factory. For example, for a Manager group factory the table will contain a row for every value assigned to the manager attribute in IdentityIQ.

The Edit Group page contains the following information:

Table 128—Edit Groups Column Descriptions
Group Information:
Name: The name assigned to the group factory when it was created.
Description: Description of the group factory or the groups contained within.
Group Attribute: The attribute used to define the groups within the group factory.
Scope: The scope for this group factory. If scope is assigned, only the users that control the designated scope will see this group factory in select lists on pages such as the Certification Schedule or Search pages. The sub-groups associated with this application are visible to a user with any or no controlled scope. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.
Enabled/Disabled: The status of the groups within the group factory, Enabled or Disabled. This status controls all of the groups contained within this group factory. Enabled — the groups are active and available for use on the Dashboard and activity searching. Disabled — the groups exist, but are not included in statistical tracking or available on the search pages.
Sub-Group Information:
Note: This information is not displayed until group aggregation is performed by a task. See Tasks on page 397.
Name: The name of the group, or the value assigned to the specified attribute.
Member Count: The number of identities matching the group criteria.
Policy Violations: The total number of policy violations for members of the group.
Composite Score: The average composite risk score of the members of the group.
Last Updated: The last time a task was run that updated the group’s information.

Populations Tab
The Populations tab contains a list of populations that either you created from identity searches or that were created by other users and defined as public. Populations are query based groups created from the results of searches run from the Identity Search page. Searches that result in interesting populations of identities can be saved as populations for reuse. Population membership is based entirely on identity search parameters. Members of a population might not share any of the same identity attributes or account group membership.

The Populations tab contains the following information:

Table 129—Populations Tab Column Descriptions
Name: The name assigned to the population when it was created.
Description: Description of the population.
Status: The status of the population, enabled (check mark) or disabled (exclamation mark). Enabled — the populations are active and available for use on the Dashboard and activity searching. Disabled — the populations exist, but are not included in statistical tracking or available on the search pages.
Visibility: If the population is Private or Public. Private — only visible to the user that created it from the search results page. Public — available to any user with access to pages on which they are used and control of the correct scope, if scoping is active.

Note: Any user that has access to a public population can make changes on that population.
Note: If you mark a public population as private, and you are not the creator of that population, you will no longer be able to see that population.

To delete a population, right-click and select Delete. Click on a population or right-click and select edit to display the Edit Population page. See Edit Population Page on page 284.

Edit Population Page
This page is used to edit population information, enable or disable populations, mark populations as private or public, set the scope for the population, and view the identities that make up a population. The Edit Population page contains the population information and a list of associated identities. Click on an identity to display the View Identity page for that user.

The Edit Population page contains the following information:

Table 130—Edit Populations Column Descriptions
Group Information:
Name: The name assigned to the population when it was created.
Description: Description of the population.
Private: Select or clear the check-box to specify if the population is private or not private. Private — only visible to the user that created them. Not Private — available to any user with access to pages on which they are used and control of the correct scope, if scoping is active.

Table 130—Edit Populations Column Descriptions (continued)
Enabled/Disabled: Select or clear the check-box to specify if the population is enabled or not enabled. Enabled — the populations are active and available for use on the Dashboard and activity searching. Not Enabled — the populations exist, but are not included in statistical tracking or available on the search pages.
Scope: The scope for this population. If scope is assigned, only the users that control the designated scope will see this population in select lists on pages such as the Certification Schedule or Search pages. This scope only applies to the population, not the identities contained within.
Population Information:
Population Count: The number of identities in IdentityIQ matching the population’s search criteria.
Name: The value of the accountId attribute for the identity.
First Name: The value of the firstname attribute for the identity.
Last Name: The value of the lastname attribute for the identity.
Manager: The value of the manager attribute for the identity.
Last Refresh: The date on which the identity was last refreshed.

Account Groups Tab
The Account Groups tab contains a list of account groups that were discovered on the applications connected to IdentityIQ. Account groups are defined by the values assigned to attributes on the applications configured within your enterprise.

The Account Groups tab contains the following information:

Table 131—Account Groups Tab Column Descriptions
Name: The name assigned to the account groups on the application.
Native Identity: The value assigned to the group attribute on the application.
Application: The application on which the account group was discovered.
Owner: The owner assigned to this account group. If no owner is assigned, work items and certifications associated with this account group are assigned to the application owner.
Last Refresh: The date on which the account group was last refreshed.

Click on an account group or right-click and select edit to display the Edit Account Group page. See Edit Account Groups Page on page 286. To delete an account group from the list, right-click and select Delete. When you delete an account group you temporarily delete the link between the account group and IdentityIQ. The group is recreated the next time an account group aggregation task runs.

Edit Account Groups Page
This page is used to edit account group information and view the attributes, members, and permissions that make up that account group. The Edit Account Groups page contains the group information and a list of associated attributes, members, and permissions.

The Edit Account Group page contains the following information:

Table 132—Edit Account Groups Column Descriptions
Group Information:
Name: The name assigned to the account groups on the application.
Native Identity: The value assigned to the group attribute on the application.
Application: The application on which the account group was discovered.
Reference Attribute: The attribute from which this account group was generated.
Member Attribute: The attribute that contains a list of this group’s identifiers.
Owner: The owner assigned to this account group. If no owner is assigned, work items and certifications associated with this account group are assigned to the application owner.
Scope: The scope for this account group. If scope is assigned, only the users that control the designated scope will see this account group in select lists on pages such as the Certification Schedule or Search pages. This scope only applies to the account group, not the entitlements or identities contained within.
Description: Description of the account group. Note: This description is read only. Account group descriptions are defined on the Description tab of the Application Configuration page.
Inherited Groups: The account groups in which this group is a member. Click on an inherited account group to view that group’s details.
Inheriting Groups: The account groups that are a member of this group. Click on an inheriting account group to view that group’s details.
Attributes: A list of attributes associated with the account group.
Members: A list of the members of the account group.

Table 132—Edit Account Groups Column Descriptions (continued)
Permissions: All of the permissions assigned to this account group.

Workgroups Tab
The Workgroups tab contains a list of workgroups. Workgroups enable the assignment of object ownership, certification, revocations and work items to pre-defined lists of identities. In addition to grouping identities you are also able to assign capabilities and scope to these groups of identities so that you do not have to assign the same scopes and capabilities to each individual member of the group.

To create a new workgroup, click Create Workgroup to open the Edit Workgroup page. Click on a workgroup or right-click and select edit to display the Edit Workgroup page. To delete a workgroup from the list, right-click and select Delete. See Edit Workgroups Page on page 287.

The Workgroups tab contains the following information:

Table 133—Workgroups Tab Column Descriptions
Name: The name assigned to the workgroup.
Description: A short description of the workgroup.
Modified: The date and time the workgroup was last modified.

Edit Workgroups Page
This page is used to edit workgroup information and view the capabilities, scope and members that make up a group. The Edit Workgroup page contains the group information and a list of capabilities and members.

The Edit Workgroup page contains the following information:

Table 134—Edit Workgroups Column Descriptions
Group Information:
Name: The name assigned to the workgroup.
Owner: The owner assigned to this group.
Description: Description of the group.

Table 134—Edit Workgroups Column Descriptions (continued)
Scope: The scope for this workgroup. If scope is assigned, only the users that control the designated scope will see this workgroup in select lists on pages such as the Certification Schedule or Search pages. This scope only applies to the workgroup, not the capabilities or identities contained within. Depending on configuration, objects with no scope assigned might be visible to all users with the correct capabilities.
Authorized Scope: The scopes controlled by this workgroup. Control determines access. If scoping is active, the workgroup members can only see objects that are within the scopes controlled by the group. Scope is used to determine the objects to which the members of this group have access. This restriction only applies to items assigned to the workgroup. Assign scopes to the workgroup using the suggestion field at the top of the Authorized Scopes list box. Enter a few letters in the suggestion field to display a list of all scopes that start with that letter string. Click the arrow to the right of the suggestion field to display a list of all scopes defined. See “Scopes” on page 345.
Rights:
Capabilities: The SailPoint capabilities available. The capabilities currently assigned to the workgroup are highlighted on the list. Use the Ctrl and Shift keys to select multiple capabilities. Note: Each member of the group assumes the capabilities of the group, even if different capabilities were assigned to them individually.
Notification Setting: Specify to whom notifications should be delivered. Disable notifications — send no notifications to this group. Notify members only — send notifications to each group member, but not the group email address. Notify group email only — send notifications to the group email address but not the individual group members. Notify members and group email — send notifications to each group member and the group email address. Note: If you select Notify members and group email and the group email is a distribution list, the members will receive the notification twice.
Group Email: Specify the email address assigned to this workgroup. If no address is specified here, notifications are sent to each member of the group. Note: A workgroup email account needs to be created in your email system. A workgroup email address should be a distribution list.

Table 134—Edit Workgroups Column Descriptions (continued)
Group Controls Assigned Scope: Select this option to enable the workgroup members to control the scope to which they are assigned. Control determines access. If scoping is active, identities can only see objects that are within the scopes they control. If this option is cleared, the users will not have access to objects within the scope to which the workgroup is assigned.
Members: The list of members of the workgroup. Use the drop-down list at the bottom of the table to select identities and then click Add Member to add members to the workgroup. Use the select boxes to select members and click Remove Members to remove members from the workgroup.


Chapter 9: Configure Activity Settings
Configure the activity settings to focus activity tracking and monitoring within your enterprise. By properly configuring your activity settings you can narrow the focus of activity searches and obtain more specific and meaningful information to use when identifying and managing risk.

Activity Target Categories
The Activity Target Categories page displays a list of all of the categories that have been defined for use with the Activity Search page. Activity Target Categories are groups of targets from one or more applications. The categories defined here are used as search criteria on the Activity Search page. For example, if you have inventory applications at three different locations and a procurement database on each, you can set each procurement database as a target, create a Procurement category, and then collect activity for all three procurement databases using a single activity search.

Note: Activity Data Sources and Activity Targets are defined when applications are configured to work with IdentityIQ. If no activity data sources and targets were defined, you cannot create Activity Target Categories.

Use the Activity Target Categories page to add or edit activity target categories. Click on an existing category or click New Category to open the Add Targets to Activity Category page and create or edit a category. See Add Targets to Activity Category on page 291. To delete an activity target category from the list, right-click on the category and select Delete.

Add Targets to Activity Category
The Add Targets to Activity Category page contains a list of the targets included in the selected category and a selection box from which you can choose any target defined within IdentityIQ. Use this page to add or remove targets from the selected activity target category. To remove targets from the category, use the selection boxes on the left side of the list and click Remove Targets. Click Cancel at any time to return to the Activity Target Categories page without saving your changes.

Note: Activity Data Sources and Activity Targets are defined when applications are configured to work with IdentityIQ. If no activity data sources and targets were defined, you cannot create Activity Target Categories.

Add Targets to an Activity Category
To add targets to a category, do the following:
1. If you are creating a new category, type a name in the Category Name field.
2. Select the application associated with the targets being added from the Application drop-down list. The Application drop-down list contains all of the applications that have at least one activity data source defined.
3. Select the activity data source containing the targets being added from the Activity Data Source drop-down list. The Activity Data Source drop-down list is displayed after an application is selected.
4. Select targets from the Targets list. The Targets list is displayed after an activity data source is selected. Use the Ctrl and Shift keys to select multiple targets.
5. Click Add Targets to add the selected targets to the Targets For ... Category list. You can add targets from multiple applications or data sources by repeating steps 2, or 3, through 5.
6. Click Save to save your changes and return to the Activity Target Categories page.

Chapter 10: Define Policies
Use the Policies page to define policies for your enterprise. Policies are defined and used to monitor for identities that are in violation of those policies. For example, a separation of duties policy might disallow one identity from requesting and approving purchase orders, or an activity policy might disallow an identity with the Human Resource role from updating the payroll application even though they do have view access to that application.

Violations on each of a policy’s rules, when detected, are stored in the identity cube. Policy violations can be dealt with either through certifications or through the policy violations page. See Certification / Access Review Overview on page 3 and Policy Violations on page 453. These violations also appear on identity score cards and enable you to identify high-risk employees and act accordingly. Violations can also be configured to trigger a business process used to send email notifications and generate work items so that policy violations can be handled immediately upon detection.

Use the filtering options to limit the number of policies displayed in the table. You can filter by both policy name and policy type. Entering a letter, or partial name, in the Policy Names field displays any policies with names beginning with that letter pattern.

Use the Create new policy drop-down menu to create a new policy. Select a type from the drop-down menu to display the Edit Policy page. See Edit Policy Page on page 294.
• SOD — separation of duties policies ensure that identities are not assigned conflicting roles.
• EntitlementSOD — separation of duties policies ensure that identities are not assigned conflicting entitlements.
• Activity — ensure that users are not accessing sensitive applications if they should not or when they should not.
• Account — ensure that an identity does not have multiple accounts on an application.
• Risk — ensure that users are not exceeding the maximum risk threshold set for your enterprise.
• Advanced — custom policies created using match lists, filters, scripts, rules, or populations.

To work with an existing policy, click on that policy row in the table or right-click on the policy and select Edit from the drop-down menu. To remove a policy, right-click on the policy and select Delete from the drop-down menu.

Table 135—Policies Page Column Definitions
Name: The name of the policy assigned when it was defined.
Description: A brief description of the policy as entered when it was defined.
Type: The type of policy.

Table 135—Policies Page Column Definitions (continued)

State: The status of the policy. Active — the policy is currently being used. Inactive — the policy is not being used.
Owner: The owner of the policy. Entering the first letter, or letters, of a name or workgroup displays a selection list of valid users and workgroups with names containing that letter string.

Use the SailPoint provided account policy to ensure that no identities have multiple accounts on any of the applications within your enterprise. Use the Edit Policy page to activate the account policy and add information such as a name and owner.

Use the SailPoint provided risk policy to set a maximum risk threshold for identities before they are considered in violation of your compliance standards. Click on the risk policy in the Policies table to display the Edit Policy page and enter the Composite score threshold. You can create additional risk policies, but only one is operational within IdentityIQ at any time.

Custom policies are any policies that were created outside of IdentityIQ to meet special needs of your enterprise. You cannot create a custom policy from inside the product. Use the Edit Policy page to view information about a custom policy, but changes made here will not affect the performance of the policy.

Edit Policy Page

Use the Edit Policy page to create new policies and to edit existing policies. Policies are comprised of rules used to enforce the policies.

Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.

The Edit Policy page contains the following information:

Table 136—Edit Policy Page Field Description

Name: A descriptive name of this policy. This is the name that displays on the Policies page.
Violation Owner: Use to assign an owner to the violation. If the notification option is enabled as part of policy and identity refresh tasks, the policy owner receives an email notification for each violation of the policy by default. If the notification option is enabled, only the owner receives a work item; the observers only receive email notifications. You can also assign owners to each individual rule that makes up the policy, not just to the policy itself. If you assign an owner at the rule level it overrides the policy-level violation owner.

Table 136—Edit Policy Page Field Description (continued)

Scope: The scope for this policy. If scope is assigned, only the owner of the policy and users that control the designated scope will see this policy on the Policies page. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities. The scope assigned to the policy does not affect the way violations are displayed, reported, or monitored.
Description: A brief description of the policy and its use in your organization.
State: The state of the policy. Active — use the policy to monitor roles or activity. Inactive — do not use the policy to monitor roles or activity at this time.
Violation business process: Select a business process from the drop-down list. Business processes can be used to define how violation work items are assigned or how to handle the violation based on decisions made on the work item. A business process specified for the entire policy is overwritten by any business process specified as part of a policy rule on the Edit Rule pages.
Violation formatting rule: Select a violation rule from the drop-down list. Violation formatting rules are defined when your system is configured. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Send Alerts: Activate to display the Alert Properties section. You can set alerts to be sent by email and a work item opened each time a violation is detected.
Alert Properties: Not all of the alert property options are visible initially. This section expands as options are activated.
Open Work Item: Select to automatically generate a work item for this violation.
Escalation: Specify a level of escalation for this policy.
  None — after the initial alert no further messages are sent and the work item is never escalated.
  Send Reminders — email reminders are sent periodically until the work item is complete.
  Reminders then Escalation — email reminders are sent periodically until the work item is complete or, if the work item is not completed in a timely manner, the work item is escalated.
  Escalation only — the work item is escalated after a specified time period with no notifications or warning being sent.
Initial Notification Email: The email template used for the initial notification of the policy violation and work item assignment.

Table 136—Edit Policy Page Field Description (continued)

Days Before First Reminder: The number of days after which the first email reminder is sent.
Reminder Frequency: The number of days, or interval, between email reminders being sent.
Reminders Before Escalation: Maximum number of reminders to send before escalation begins. If this field is set to zero, no reminders are sent and escalation begins immediately.
Reminder Email Template: Template used to format the reminder email. If none is selected, a system default is used.
Escalation Email Template: Template used to format the escalation email.
Escalation Owner Rule: The rule used to determine the new owner of the escalated work item.
Observers: Identities to whom the email notifications and work items are sent. Enter the first letter, or letters, of an identity name to display the suggest list, or click the arrow to the right of the field to display all identities and select from the list. Select as many observers as required.
Rule Table: A list of the rules contained in this policy and a description of each. Click on a rule to access the edit rule pages. Account and Risk policies do not have a separate rule page.

To work with the rules for each policy type, see:
• Edit SOD Rule Page on page 296
• Edit Activity Rule Page on page 298
• Edit Advanced Policy Rule Page on page 299

Edit SOD Rule Page

Use the Edit SOD Rule page to define new rules for separation of duty policies or edit existing rules. Rules are used to monitor roles or entitlements for conflicts of interest. This enables you to identify high-risk employees and take the appropriate action as needed. To create or edit a policy, see How to Create or Edit a Separation of Duty Policy on page 300.

The following information is displayed on an Edit SOD Rule page:

Table 137—Edit SOD Rule Page Field Descriptions

Summary: A brief summary of this rule. This information is displayed in the Rules column of the Rules table on the Edit Policy page.
Description: A brief description of the rule.
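The alert timeline that the Escalation, Days Before First Reminder, Reminder Frequency and Reminders Before Escalation settings produce, as an added example (not part of the IdentityIQ guide or product). It follows the four escalation levels as the table describes them; one point the table leaves open is assumed and marked: in "Escalation only" mode the "specified time period" is taken to be Days Before First Reminder.

```python
"""Added example (not SailPoint's code): the alert timeline produced by the
Escalation settings on the Edit Policy page for a work item opened on day 0."""
from dataclasses import dataclass


@dataclass
class AlertProperties:
    # One of: "None", "Send Reminders", "Reminders then Escalation", "Escalation only"
    escalation: str
    days_before_first_reminder: int = 7
    reminder_frequency: int = 7          # days between reminders
    reminders_before_escalation: int = 3


def alert_timeline(props, completed_on=None, horizon=90):
    """Return [(day, event)] from the initial notification on day 0 until the
    work item is completed (`completed_on`; None = still open) or `horizon`
    days have passed (so an open item with "Send Reminders" does not loop forever)."""
    events = [(0, "initial notification")]

    def still_open(day):
        return (completed_on is None or day < completed_on) and day <= horizon

    mode = props.escalation
    if mode == "None":
        return events                      # no further messages, never escalated
    if mode == "Escalation only":
        # Assumed: the "specified time period" is Days Before First Reminder.
        day = props.days_before_first_reminder
        if still_open(day):
            events.append((day, "escalation"))
        return events
    if mode not in ("Send Reminders", "Reminders then Escalation"):
        raise ValueError(f"unknown escalation level: {mode!r}")
    if mode == "Reminders then Escalation" and props.reminders_before_escalation == 0:
        events.append((0, "escalation"))   # zero reminders: escalate immediately
        return events

    day, sent = props.days_before_first_reminder, 0
    while still_open(day):
        if mode == "Reminders then Escalation" and sent == props.reminders_before_escalation:
            events.append((day, "escalation"))
            break
        events.append((day, "reminder"))
        sent += 1
        day += props.reminder_frequency
    return events


if __name__ == "__main__":
    for level in ("None", "Send Reminders", "Reminders then Escalation", "Escalation only"):
        print(level, alert_timeline(AlertProperties(level), completed_on=30))
```

Running the block prints, for each level, what an open violation work item generates over its first 30 days; tuning the three numeric settings and re-running shows how quickly an unattended violation reaches the escalation owner.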

Table 137—Edit SOD Rule Page Field Descriptions (continued)

Violation Owner: Use to assign an owner to the violation. If the notification option is enabled, only the owner receives a work item; the observers only receive email notifications. You can also assign owners to each individual rule that makes up the policy, not just to the policy itself. If you assign an owner at the rule level it overrides the policy-level violation owner.
Violation business process: Select a business process from the drop-down list. A business process specified for the entire policy is overwritten by any business process specified as part of a policy rule on the Edit Rule pages.
Violation formatting rule: Select a violation rule from the drop-down list. Violation formatting rules are defined when your system is configured. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Disabled: Enable or disable the policy.
Compensating Control: A textual description of exceptions or compensating factors that apply to this rule. For example, certain policies or rules might not apply to users at the executive level in your organization. Note: This field is for documentation purposes only. Information entered here does not affect risk scoring associated with this rule or the reporting of policy violations.
Correction Advice: Text entered in this field is displayed if a violation of this policy appears on a certification request and is selected for revocation. Use this field to enter information that can be used by a certifier to make the correct revocation decision.
Role SOD Rules:
  Any of these roles/entitlements and conflict with any of these roles/entitlements: The lists of conflicting roles that define this rule. Each table might contain multiple items, but if a user has even one role in each list it is a violation of the policy. If an identity is assigned ANY of the roles from the Any of these table and ANY of the roles from the conflict with any of these table, they are in violation of this rule and their risk score card will reflect that violation.
Entitlement SOD Rule:
  First Entitlement Set and Second Entitlement Set: The lists of conflicting entitlements that define this rule. Add identity attributes or account attributes and permissions to create lists of conflicting entitlements. Use the Match all attributes or Match any attributes drop-down list to determine if an identity has to match all of the items in the list or just one to be in violation of this policy.
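How a Role SOD rule (any role from the first table together with any role from the conflicting table) and an Entitlement SOD rule (two entitlement sets, matched with "Match all attributes" or "Match any attributes") decide a violation, as an added example that is not SailPoint's code; the rules, identities, application name ERP and entitlement values are constructed for the example and follow the purchase-order case the chapter uses.

```python
"""Added example (not SailPoint's code): evaluate Role SOD and Entitlement SOD
rules the way the Edit SOD Rule page describes them, over constructed data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entitlement:
    """One entry of an entitlement set: an account attribute/value pair or a
    permission target/right on an application (constructed model)."""
    application: str
    name: str    # attribute name, or permission target
    value: str   # attribute value, or permission right


@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


@dataclass
class RoleSodRule:
    """Violation when the identity holds ANY role from 'Any of these roles' AND
    ANY role from 'conflict with any of these roles'."""
    summary: str
    any_of: set
    conflicts_with_any_of: set

    def violated_by(self, identity):
        return bool(identity.roles & self.any_of) and bool(identity.roles & self.conflicts_with_any_of)


@dataclass
class EntitlementSodRule:
    """Violation when the identity matches both entitlement sets. 'Match all
    attributes' needs every item of a set; 'Match any attributes' needs one."""
    summary: str
    first_set: set
    second_set: set
    match_all: bool = False

    def _matches(self, identity, ent_set):
        held = identity.entitlements & ent_set
        return held == ent_set if self.match_all else bool(held)

    def violated_by(self, identity):
        return self._matches(identity, self.first_set) and self._matches(identity, self.second_set)


def detect_violations(identity, rules):
    """Summaries of every rule the identity violates (what would be recorded
    on the identity's score card and in the violation work item)."""
    return [rule.summary for rule in rules if rule.violated_by(identity)]


# --- constructed rules, following the purchase-order example in the chapter ---
PO_RULE = RoleSodRule(
    "Request and approve purchase orders",
    any_of={"Purchase Requester"},
    conflicts_with_any_of={"Purchase Approver", "Procurement Manager"},
)
VENDOR_RULE = EntitlementSodRule(
    "Maintain vendors and release payments",
    first_set={Entitlement("ERP", "group", "VendorMaintenance")},
    second_set={Entitlement("ERP", "Payments", "approve"),
                Entitlement("ERP", "Payments", "release")},
    match_all=True,   # both payment rights are needed for a violation
)
RULES = [PO_RULE, VENDOR_RULE]

# --- constructed identities ---
ALICE = Identity("alice", roles={"Purchase Requester", "Purchase Approver"})
BOB = Identity("bob", roles={"Purchase Requester", "Reporting"})
CAROL = Identity("carol", entitlements={
    Entitlement("ERP", "group", "VendorMaintenance"),
    Entitlement("ERP", "Payments", "approve"),
    Entitlement("ERP", "Payments", "release"),
})
DAVE = Identity("dave", entitlements={
    Entitlement("ERP", "group", "VendorMaintenance"),
    Entitlement("ERP", "Payments", "approve"),   # only one of the two rights
})


def scan(identities=(ALICE, BOB, CAROL, DAVE), rules=RULES):
    """Policy scan: identity name -> list of violated rule summaries."""
    return {i.name: detect_violations(i, rules) for i in identities}


if __name__ == "__main__":
    for name, violations in scan().items():
        print(f"{name}: {violations or 'no violations'}")
```

Dave holds only one of the two payment rights, so with "Match all attributes" the second set is not matched and no violation is raised; switching the same rule to "Match any attributes" makes that single right enough, which is why the choice of match mode deserves the same review as the entitlement lists themselves.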

Edit Activity Rule Page

Use the Edit Activity Policy Rule page to define new rules for activity policies or edit existing rules. Rules are used to monitor the activities performed by users within your enterprise. To create or edit a policy, see How to Create or Edit an Activity Policy on page 301.

The following information is displayed on the Edit Activity Policy Rule page:

Table 138—Edit Activity Policy Rule Page Field Descriptions

Activity Rule:
Summary: A brief summary of this rule. This information is displayed in the Rules column of the Rules table on the Edit Policy page.
Description: A brief description of the rule.
Violation Owner: Use to assign an owner to the violation. If the notification option is enabled, only the owner receives a work item; the observers only receive email notifications. You can also assign owners to each individual rule that makes up the policy, not just to the policy itself. If you assign an owner at the rule level it overrides the policy-level violation owner.
Violation business process: Select a business process from the drop-down list. A business process specified for the entire policy is overwritten by any business process specified as part of a policy rule on the Edit Rule pages.
Violation formatting rule: Select a violation rule from the drop-down list. Violation formatting rules are defined when your system is configured. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Disable: Enable or disable the policy.
Compensating Control: A textual description of exceptions or compensating factors that apply to this rule. For example, certain policies or rules might not apply to users at the executive level in your organization. Note: This field is for documentation purposes only. Information entered here does not affect risk scoring associated with this rule or the reporting of policy violations.
Corrective Advice: Text entered in this field is displayed if a violation of this policy appears on a certification request and is selected for revocation. Use this field to enter information that can be used by a certifier to make the correct revocation decision.

Table 138—Edit Activity Policy Rule Page Field Descriptions (continued)

Identity Filters: Enable you to identify which types of identities should be considered when scanning activities for violations of this policy. The Add a Filter box is used to create the individual filters; the Filter(s) box is used to view and manipulate the existing filters. These filters can be grouped and controlled using AND\OR operations and be as simple or complex as needed.
  Field: A distinguishing characteristic associated with the identity type for which you are searching. The drop-down list contains all of the categories by which identities can be differentiated.
  Search Type: The qualifier associated with the field value, for example, equals or is like. The choices in this drop-down list are dependent on the Field specified.
  Value: The value of the attribute.
  Ignore Case: Specifies if case should be a factor when scanning for the value specified.
  Operation: The operation used to control the interaction between the filters.
Activity Filters: Enable you to select which types of activities should be considered violations of this policy. You can also choose Time Periods in order to define when this activity is considered a violation of this policy.
  Field: A distinguishing characteristic associated with the action for which you are searching, for example, start or end date, or the data source on which the action occurred.
  Search Type: The qualifier associated with the attribute value, for example, equals or is like. The choices in this drop-down list are dependent on the Field specified.
  Value: The value of the attribute.
  Ignore Case: Specifies if case should be a factor when scanning for the value specified.
  Operation: The operation used to control the interaction between the filters.
Time Periods: The time periods during which the activity is in violation of the policy. For example, if someone is logging into a sensitive application on the weekends or during non-office hours it might be a violation. The time periods are configured during the deployment of IdentityIQ.

Edit Advanced Policy Rule Page

Use the Edit Advanced Rule page to define new rules for advanced policies or edit existing rules. Advanced rules are used to create advanced, custom violation monitoring based on a variety of entitlements, filters, rules, scripts, and populations. To create or edit a policy, see How to Create or Edit an Advanced Policy on page 302.

The following information is displayed on the Edit Advanced Rule page:

Table 139—Edit Advanced Policy Rule Page Field Descriptions

Advanced Rule:
Summary: A brief summary of this rule. This information is displayed in the Rules column of the Rules table on the Edit Policy page.
Description: A brief description of the rule and its use in your organization.
Violation business process: Select a business process from the drop-down list. A business process specified for the entire policy is overwritten by any business process specified as part of a policy rule on the Edit Rule pages.
Violation formatting rule: Select a violation rule from the drop-down list. Violation formatting rules are defined when your system is configured.
Disable: Enable or disable the policy.
Compensating Control: A textual description of exceptions or compensating factors that apply to this rule. For example, certain policies or rules might not apply to users at the executive level in your organization. Note: This field is for documentation purposes only. Information entered here does not affect risk scoring associated with this rule or the reporting of policy violations.
Corrective Advice: Text entered in this field is displayed if a violation of this policy appears on a certification request and is selected for revocation. Use this field to enter information that can be used by a certifier to make the correct revocation decision.
Selection Method: The selection method used when scanning for and assigning policy violations.
  Match List: A list of entitlements that define a policy violation. An identity that is assigned the entitlements in this list is in violation of this policy.
  Filter: A custom filter used to define a rule for this policy.
  Script: A custom script used to define a rule for this policy.
  Rule: The rule selected from the rules list.
  Population: The population used to define this rule. Any identity that matches the criteria defined for the population displayed is in violation of this policy.

How to Create or Edit a Separation of Duty Policy

Policies are created using the Edit Policy and Edit SOD Rule pages. Use this procedure to create new policies.

Procedure
1. Click or mouse over the Define tab and select Policies.

2. Optional: Use the filtering options to limit the number of policies displayed in the table. You can filter by both policy name and policy type.
3. Select either Role SOD or Entitlement SOD from the Create new policy drop-down list, or click on an existing policy to display the Edit Policy page.
4. Enter the policy information. See Edit Policy Page on page 294 for a detailed description of the Edit Policy page.
5. Right-click on a rule or select Create New Rule to display the Edit SOD Rule page.
6. Enter the SOD Rule information in the top portion of the page. See Edit SOD Rule Page on page 296 for detailed descriptions of those fields.
7. Do one of the following:
   a. Select a role from the Add Role drop-down list below the Any of these roles table. The drop-down list contains all of the roles defined for your organization. You can enter as many roles as are needed to build this rule.
   b. Select a role from the Add Role drop-down list below the conflict with any of these roles table.
   — OR —
   a. Select an application and use the Add Attribute or Add Permission buttons to build the First Entitlement Set. For attributes, select an attribute from the drop-down list and type a value. For permissions, type the name (target) and value (right). You can enter as many attributes and permissions as needed to build this rule.
   b. Select an application and use the Add Attribute or Add Permission buttons to build the Second Entitlement Set.
8. Click Done to return to the Edit Policy page.
9. Repeat steps 5 through 8 until all of the rules needed for this policy have been added or modified.
10. Click Save to save the policy and return to the Policies page.

How to Create or Edit an Activity Policy

Policies are created using the Edit Policy and Edit Activity Policy Rule pages. Use this procedure to create new policies.

Procedure
1. Click or mouse over the Define tab and select Policies.
2. Optional: Use the filtering options to limit the number of policies displayed in the table. You can filter by both policy name and policy type.
3. Select Activity Policy from the Create new policy drop-down list, or click on an existing policy to display the Edit Policy page.
4. Enter the policy information.

See Edit Policy Page on page 294 for a detailed description of the Edit Policy page.
5. Click on a rule or Create New Rule to display the Edit Activity Policy Rule page.
6. Enter the Activity Policy Rule information in the top portion of the page. See Edit Activity Rule Page on page 298 for detailed descriptions of those fields.
7. Create the filters necessary to identify the identity and activity types that should be considered when performing the policy scans for this violation. Use the Identity Filters and Activity Filters panels to add and combine filters for use in the policy. Apply qualifiers to filters to limit the values returned, and then use grouping, AND\OR operations, and time periods to create the rules that make up the policy. See Advanced Identity Search on page 458 for details on using the advanced filtering functions.
   Add a Filter: Create the filters that make up the rules.
   . Field — select an attribute value from the drop-down list.
   . Search Type — the qualifier to associate with the value, for example equals or like.
   . Value — the value of the field selected.
   . Ignore Case — specifies if case should be factored into the query.
   Filter(s): The Operations drop-down list enables you to specify AND/OR relationships between the filters in the list. Select multiple filters and group them to create sub-filters, and use multiple layers of filter grouping to create complex rules. Click view/edit filter source to display an editable text version of the filter.
8. Click Done to save the new policy and return to the Edit Policies page.

How to Create or Edit an Advanced Policy

Policies are created using the Edit Policy and Edit Advanced Rule pages. Use this procedure to create new policies.

Procedure
1. Click or mouse over the Define tab and select Policies.
2. Optional: Use the filtering options to limit the number of policies displayed in the table. You can filter by both policy name and policy type.
3. Select Advanced Policy from the Create new policy drop-down list, or click on an existing policy to display the Edit Policy page.
4. Enter the policy information. See Edit Policy Page on page 294 for a detailed description of the Edit Policy page.
5. Click Create New Rule or right-click on an existing rule to display the Edit Advanced Rule page.

6. Enter the Advanced Rule information in the top portion of the page. See Edit Advanced Policy Rule Page on page 299 for detailed descriptions of those fields.
7. Select a method by which to generate this rule:
   . Match List — define a list of entitlements to determine the rule. For attributes, select an attribute from the drop-down list and type a value. For permissions, type the name (target) and value (right).
   . Filter — enter a custom XML database query to define the users for this rule.
   . Script — enter a custom script to define the rule. Scripts are similar to rules, but the source is stored with the policy and can be edited from this page.
   . Rule — select an existing rule from the drop-down list.
   . Population — select a population from the list. Any identity that matches the criteria defined for the population displayed is in violation of this policy.
8. Click Done to save the new policy and return to the Edit Policies page.


Chapter 11: Configure Risk Scoring

Use the risk scoring configuration pages to define the algorithms used by IdentityIQ to determine risk scores for identities and applications within your organization. Risk scores are used throughout the product to highlight high risk users and accounts and trigger notices when configured to do so.

To configure risk scoring for identities and applications refer to the following:
• Identity Risk Score Configuration on page 305
• Application Risk Score Configuration on page 309

Identity Risk Score Configuration

IdentityIQ uses a combination of base access risk and compensated scoring to determine the overall Identity Risk Scores, or Composite Risk Scores, used throughout the product. Base access risk is a measure of inherent user access risk. Base risk scores are set on each role, entitlement, and policy defined. Base risk scores are also affected by the account weight assigned to any additional entitlements assigned to an identity. IdentityIQ applies a series of compensating factors to each base risk score to calculate compensated scores. These compensated scores are then weighted using a maximum contribution percentage and combined to form an overall Composite Risk Score for each user. The compensating factors and weighted values enable IdentityIQ to accurately identify high risk users based on more than just the roles they are assigned within your enterprise. For example, a user assigned only low risk roles might be considered high risk if they have never been included in a certification process or the roles they do have are in violation of separation of duty policies.

Scoring Definitions

There are a number of scores, or types of scores, that contribute to the overall Identity Risk Score, or Composite Risk Score, for each IdentityIQ user. The basic scores that are used to determine the overall score are:

Table 140—Access Risk Scoring Definitions

Base Risk Score: The score assigned to each role, entitlement, or policy violation. This type of score ranges from 0 (lowest risk) to 1000 (highest risk). Account weights are factored in to the entitlement baseline access risk scores.

Table 140—Access Risk Scoring Definitions (continued)

Total Base Risk Score: The total score of all base risk scores of the same component type on a per user basis. For example, add the base risk scores for all roles assigned to a specific user together to determine the role total base risk score.
Compensated Risk Score: The value of the base risk score for a component multiplied by the compensating factor for that component type.
Total Compensated Risk Score: The Total Base Risk Score for a specific component type multiplied by the Compensated Risk Score for that component type.
Composite Risk Score or Identity Risk Score: The overall risk score for a user after the composite weighing, or maximum contribution to total score factor, is applied to the total compensated risk scores for each component. The time since the last certification was performed on the user is also figured into this score with the total compensated scores for role, entitlement, and policy violation. This type of score ranges from 0 (lowest risk) to 1000 (highest risk).

Use the following tabs to create risk score factors for your enterprise:
• Baseline Access Risk Tab — apply base risk scores to roles, entitlements and policy violations. See Baseline Access Risk Tab on page 306.
• Composite Scoring Tab — apply compensating factors to base risk scores. See Composite Scoring Tab on page 308.

Baseline Access Risk Tab

The Baseline Access Risk score is a measure of inherent risk. Each role, entitlement, and policy violation is assigned a score that falls into a band. The number of bands is configured on the Advanced Configuration page and applies to the entire IdentityIQ application. Use the sliding bars or manually enter a value to define scoring on each panel.

Select one of the following options to define how IdentityIQ calculates base access risks.

Role Baseline Access Risk

Role Baseline Access Risk score is calculated based on the roles correlated to the identity. A user's Baseline Access Risk score is expected to change rarely because it is primarily defined by their role within the enterprise. This list contains every role defined in IdentityIQ. Filter the list by role name and type to limit the number of items displayed in the list.

Table 141—Role Baseline Access Risk Configuration Column Descriptions

Name: The name of the role.
Type: The role type as defined when the role was modeled.

Table 141—Role Baseline Access Risk Configuration Column Descriptions (continued)

Description: The description of the role as defined when the role was modeled.
Risk Level: The current risk level assigned to the role. Click on a role to display the configuration panel to see the role details and set or modify the risk level. Use the slider control to set the risk level or enter a value in the field on the right.

Entitlement Baseline Access Risk

Entitlement Baseline Access Risk score is calculated based on the additional entitlements correlated to an identity. Additional entitlements are entitlements that are assigned to a user, but are not part of any of the roles assigned to that user. Entitlements fall into one of two categories: Permissions and Attributes. A Permission is a privilege, for example, create, read, update, delete, and execute. Attributes are customized user characteristics made up of an attribute/value pair, for example group/Administrators. A risk score is configured for each Permission and Attribute/Value pair in the system. A user's Entitlement BAR score is determined by summing the risks associated with each of the additional entitlements that they hold.

Use this page to add applications to the list and to work with the entitlements on each. Select an application from the drop-down list on the bottom of the page to add an application to the list. The list contains all of the applications configured to work with IdentityIQ that are not currently on the list. Use the Permissions and Attributes columns to add entitlements to applications for risk tracking.

The Entitlement Baseline Access Risk Configuration page contains the following information:

Table 142—Entitlement Baseline Access Risk Configuration Column Descriptions

Application: The name of the application with which the entitlements are associated.
Account Weight: The default score assigned to any identity that is assigned entitlements on this application. This score is not applied to the identity risk score if the entitlements assigned to the user are either all used as part of roles assigned to the user, or if the risk scores for all of the entitlements assigned to the user are zero based on certification rules. Account Weight scores are not compensated.
Permissions: Click in this column to modify the weight assigned to the permissions for the associated application. Modify permission weight by using the sliding bar or entering a value in the field to the right.
Attributes: Click in this column to add, delete or modify the weight assigned to the attributes for the associated application. Select an attribute from the drop-down list, type an attribute name, and click Add to assign a weight to a new attribute or modify an existing attribute in the list. Select an attribute using the check-boxes on the left and click Delete to remove an attribute from the list.

Policy Violation Baseline Access Risk

Policy Violation Baseline Access Risk score is calculated using policy violations that are detected for a user based on defined policy rules. A risk score is configured for every rule in each policy, or for the policy itself if no rules apply. This score is calculated by taking the sum of the risks associated with every policy or rule that is violated by the user.

Use the Policy Violation Baseline Access Risk page to view and modify the risk level associated with each policy or policy rule defined. The page is divided into tables based on policy type. If the policy does not contain rules, set the risk level for the entire policy. Use the slider or type a value in the field to the right.

Composite Scoring Tab

The Composite Scoring tab is used to assign values to the compensating factors for each base component used to calculate the composite risk scores for users, as well as to define the maximum contribution of each component to the total score. Use the Composite Scoring tab to define the maximum impact of a total compensated score on a user's Composite Risk Score. Use the Maximum Contribution to Total Score value to control the impact of compensated scores on composite scores. The maximum composite risk score is 1000. For example, if the time since the last certification on an identity is considered low risk, you might set the Certification Age to a low value such as 20% so that even at its maximum value that component will only contribute 200 points of the total 1000. If, however, policy violations are considered high risk, you might set the Separation of Duty Violation Compensated Score to 100% so that policy violations move users into the high risk category quickly.

Role Compensated Score

Role Compensated Score is calculated based on applying the following compensating factors to each role base score.
• The user's role has never been certified before
• The user's role is approved
• The user's role was allowed as an exception
• An allowed exception on the user's role has expired
• Revocation of the user's role is pending
• Activity monitoring is enabled on one or more applications associated with the user's role

Entitlement Compensated Score

Entitlement Compensated Score is calculated based on applying the following compensating factors to each entitlement base score.
• The user's entitlement has never been certified before
• The user's entitlement is approved
• The user's entitlement was allowed as an exception
• An allowed exception on the user's entitlement has expired
• Revocation of the user's entitlement is pending
• Activity monitoring is enabled on one or more applications to which the user's entitlement applies

Policy Violation Compensated Score

Policy Violation Compensated Score is calculated based on applying the following compensating factors to the policy base score.
• The user's violation has never been certified before
• The user's violation was allowed
• An allowed exception on the user's policy violation has expired
• The user's policy violation remains uncorrected
• Activity monitoring is enabled on the applications on which the user's violation occurred

Certification Age Score

Expired Certification Score is calculated based on applying the following compensating factors to an expired certification.
• The risk score starts increasing this many days after the latest certification:
• The risk score reaches its maximum value this many days later:

Inactive User Score

The Inactive User Score looks for inactive users. When this score is enabled, any identity that is found to be inactive is assigned a default risk score of 500 for this score component.

Application Risk Score Configuration

IdentityIQ uses a combination of component risk and compensated scoring to determine the overall application risk scores, or composite risk score, used throughout the application. All scores are calculated by first determining the percentage of accounts that have the qualities tested by the component score. For example, if 10 out of 100 accounts are flagged as service accounts, then the raw percentage is ten percent (.10). This number is then multiplied by a sensitivity value which can be used to increase or decrease the impact of the original percentage. The default sensitivity value is 5, making the adjusted percentage fifty percent (.50). This final percentage is then applied to the score range of 1000, resulting in a component score of 500.

After the component score is calculated, a weight, or compensating factor, is applied to each component score to determine the amount each will contribute to the overall risk score for the application. For example, a few violator accounts might increase risk more than many inactive accounts. Use the Component Scores tab to define the values for each component score and the Composite Scores tab to apply a weight, or compensating factor, to each component score.

Service, Inactive, and Privileged component scores look for links that have a configured attribute, for example the component service with a configured value true. The Dormant Account score looks for a configured attribute that is expected to have a date value, for example lastLogin. This algorithm has an argument, daysTillDormant, that defaults to thirty (30). If the last login date is more than thirty (30) days prior to the current date, the account is considered dormant and is factored into the risk score. The Risky Account score looks for links whose owning identity has a composite risk score greater than a configured threshold. The default threshold is five hundred (500). The Violator Account score looks for links whose owning identity has a number of policy violations greater than a configured threshold. The default threshold is ten (10).
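The application scoring walk-through above (percentage of accounts, times sensitivity, applied to the 1000-point range, then weighted) and the identity Composite Scoring tab's Maximum Contribution setting, worked through as an added example that is not part of the guide or of IdentityIQ's own code. The sample accounts, the owner* field names, the clamp of the adjusted percentage at 1.0 and the weighted-sum composite are this example's assumptions.

```python
from datetime import date, timedelta

SCORE_RANGE = 1000               # every component score is applied to a 0-1000 range
DEFAULT_SENSITIVITY = 5          # the guide's default sensitivity value
DEFAULT_DAYS_TILL_DORMANT = 30   # daysTillDormant argument of the Dormant Account score
DEFAULT_RISKY_THRESHOLD = 500    # Risky Account: owner composite score above this
DEFAULT_VIOLATOR_THRESHOLD = 10  # Violator Account: owner policy violations above this
TODAY = date(2011, 6, 1)         # constructed "current date" so the run is reproducible


def make_sample_links(total=100):
    """Constructed sample accounts (links) on one application; not real data.
    ownerCompositeScore / ownerViolationCount stand in for the owning identity's
    composite risk score and violation count (assumed names)."""
    links = []
    for i in range(total):
        links.append({
            "name": "acct%03d" % i,
            "service": i < 10,          # 10 service accounts, as in the guide's example
            "inactive": i % 20 == 0,    # 5 inactive accounts
            "privileged": i % 25 == 0,  # 4 privileged accounts
            "lastLogin": TODAY - timedelta(days=i % 40),  # 18 logins older than 30 days
            "ownerCompositeScore": 600 if i % 50 == 7 else 300,  # 2 risky owners
            "ownerViolationCount": 11 if i % 40 == 5 else 1,     # 3 violator owners
        })
    return links


def component_score(links, is_flagged, sensitivity=DEFAULT_SENSITIVITY):
    """Raw percentage of flagged links, times sensitivity, applied to the range.
    Clamping the adjusted percentage at 1.0 is an assumption: the guide only says
    the range is 1000, and 25% of accounts at sensitivity 5 would otherwise exceed it."""
    if not links:
        return 0
    raw_pct = sum(1 for link in links if is_flagged(link)) / len(links)
    adjusted_pct = min(raw_pct * sensitivity, 1.0)
    return int(round(adjusted_pct * SCORE_RANGE))


def attribute_flag(attr):
    """Service, Inactive and Privileged: the link has the attribute set to true."""
    return lambda link: link.get(attr) is True


def dormant_flag(today=TODAY, days_till_dormant=DEFAULT_DAYS_TILL_DORMANT):
    """Dormant Account: lastLogin is more than daysTillDormant days before today."""
    return lambda link: (today - link["lastLogin"]).days > days_till_dormant


def threshold_flag(field, threshold):
    """Risky / Violator Account: the owning identity's value exceeds the threshold."""
    return lambda link: link[field] > threshold


COMPONENTS = {
    "service": attribute_flag("service"),
    "inactive": attribute_flag("inactive"),
    "privileged": attribute_flag("privileged"),
    "dormant": dormant_flag(),
    "risky": threshold_flag("ownerCompositeScore", DEFAULT_RISKY_THRESHOLD),
    "violator": threshold_flag("ownerViolationCount", DEFAULT_VIOLATOR_THRESHOLD),
}


def application_component_scores(links):
    """Component Scores tab: one 0-1000 score per component for the application."""
    return {name: component_score(links, flag) for name, flag in COMPONENTS.items()}


def application_composite_score(component_scores, weights):
    """Composite Scores tab: each weight (compensating factor) decides how much its
    component contributes. Summing weight * score and capping at the range is this
    example's reading of the guide, not IdentityIQ's own arithmetic."""
    total = sum(weights.get(name, 0.0) * score for name, score in component_scores.items())
    return int(round(min(total, SCORE_RANGE)))


def identity_composite_score(compensated_scores, max_contribution):
    """Identity Composite Scoring tab: Maximum Contribution to Total Score caps what
    each compensated component (0-1000) can add, so Certification Age at 20% adds at
    most 200 of the 1000-point total, as in the guide's example."""
    total = 0.0
    for name, score in compensated_scores.items():
        total += max(0, min(score, SCORE_RANGE)) * max_contribution.get(name, 0.0)
    return int(round(min(total, SCORE_RANGE)))


if __name__ == "__main__":
    links = make_sample_links()
    scores = application_component_scores(links)
    weights = {"service": 0.3, "inactive": 0.2, "privileged": 0.5,
               "dormant": 0.2, "risky": 0.5, "violator": 0.8}  # assumed weights
    for name, score in scores.items():
        print("%-10s %4d" % (name, score))
    print("application composite:", application_composite_score(scores, weights))
    print("identity composite:", identity_composite_score(
        {"sodViolation": 800, "certificationAge": 1000},
        {"sodViolation": 1.0, "certificationAge": 0.2}))
```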

Chapter 12: Business Process Management

A business process contains a sequence of steps or activities and each step can perform one or more actions. Moving from one step to another is called a transition and transitions can be conditional based on the results of prior actions. The business process maintains a set of variables that can change as the steps execute. Variables can be copied into work items to convey information to an approver and copied from work items to assimilate responses from the approver.

Business processes are not normally launched directly like tasks or reports. Instead they are launched as a side effect of some IdentityIQ operation such as editing a role, updating an identity, or the discovery of a policy violation. You cannot schedule a business process through the task or report scheduler, though you can schedule a custom task that launches a business process.

Immediately after launching, the business process engine begins interpreting or executing the business process. The starting step is located and its action is performed. When a step completes, the transitions are evaluated and the next step is located. This process continues until a step is found with an approval action. When the business process advances to a step containing an approval, work items are created and the business process enters a suspended state. Usually an email notification is sent to the work item owner, and, if configured, the work item can enter the escalation process. The business process remains suspended until one of the work item owners completes a work item. Completing a work item is normally done by editing it in the IdentityIQ user interface and clicking one of the default completion buttons. When a work item is completed, the business process uses the information from the work item to influence the transitions between steps.

When a business process is running it can open work items to handle human interaction. The work item also contains a State value which can be Finished, Rejected, Returned, or Expired. This state is used by the business process engine to decide whether to continue advancing through the approval process or to stop and go on to the next step. Each work item can also control how its information is presented, and can include forms to solicit additional information from the user beyond just an approval or rejection decision.

An approval action can define a sequence of user interactions that are managed automatically by the business process engine. An approval action results in the generation of one or more work items. The work related to notifications, reminders, escalation, and sequencing from one approver to another is all handled by the business process engine rather than being modeled as steps in the business process. This provides a concise way to define one of the most common parts of a business process. If the approval process continues, more work items might be generated and the business process will again enter a suspended state. It might be found that work items previously sent to users are no longer required and they are automatically deleted. Once the approval process terminates, the transitions in the step containing the approval are evaluated and a new step is chosen. The evaluation of steps and transitions continues until another approval is reached or until all of the steps are evaluated and the business process terminates.

One unique aspect of this business process system is that the process can be modified during execution. This is done to adapt to variability in the approval process, such as an unknowable number of approvers, or an unknowable number of phases in an approval sequence. Self-modification can also be used in custom actions to replicate a sequence of steps for an unknowable number of objects. Since a copy of the original business process definition is maintained, the original business process definition can be modified at any time without disrupting business processes that are already executing. Similarly, modifying it during execution does not affect the persistent definition used when launching it again.

To work with an existing business process, click Edit a business process in the left-hand panel of the business processes page and click on a business process in the list. The business process Editor contains the following tabs:
• Process Details: the name and description of the business process. See Process Details Tab on page 312.
• Process Variables: the variables contained in the business process. See Process Variables Tab on page 312.
• Process Designer: a graphical representation of the business process. See Process Designer Tab on page 313.
• Process Metrics: See Process Metrics Tab on page 318.

Process Details Tab

The business process Details tab contains the business process name and as detailed a description as you can provide.

Table 143—business process Details - Panel Descriptions

Name: Name of the business process. You must enter a name when creating a new business process.
Type: Type of the business process. You must select a type when creating a new business process.
Description: Detailed description of the business process and its intended purpose.

Process Variables Tab

The Variable element is used to declare the name of a business process variable, how it is used, and give it a default value. Variables can change as the business process executes and be used to select transitions. Variables can also be copied into work items to convey information to an approver and copied from work items to assimilate responses from the approver. Use the business process Variables tab to view, create, and edit business process variables.

To add a variable, click Add a New Variable at the top of the panel. To delete a variable, click Remove directly underneath the variable that you would like to remove.

Table 144—business process Variables - Panel Descriptions

Name: The name of the variable.
Initializer: The initializer is the script used to calculate the default value of the variable.
Input: Determines if the variable can accept input.
Required: This is a required input variable. The business process will not launch if an initial value for this variable is not supplied by the calling application or calculated through one of the initialization methods.
Editable: This variable can be edited during business process execution.
Output: This is an output variable and the final value is copied into the task results.
Description: A detailed description of the variable.

Process Designer Tab

The business process Designer provides a graphical representation of a business process. From this tab you can add or remove steps from a business process, create the transitions between steps, and insert approvals when required.

IdentityIQ provides a number of step-templates to get you started. These templates provide representational icons to make it easier to visualize the steps as the business process progresses. When you add them to your business process, drag-and-drop the steps into a logical pattern. To view the step-templates, click Add a Step in the left-hand panel of the business processes page.

IdentityIQ also provides business process templates. These templates are essentially buckets of steps, so you could define a bucket of steps such as approvals, messages or rollbacks that all come preconfigured in the XML; they have all of the necessary fields and variables configured. Click Load Steps from Template in the left-hand panel of the business process page.

To work with a step, right-click on the step and select an action from the pop-up menu. Select Change Icon to select a different iconic representation for the step selected. To work with a transition, right-click on a transition icon and select an action from the pop-up menu.

Refer to the following sections for detailed information:
• Business Process Management - Add or Edit a Step on page 314
• Business Process Management - Add or Edit an Approval on page 315
• Business Process Management - Add or Edit a Transition on page 317

Add or Edit a Step

To add a step, click Add a Step in the left-hand panel and select one of the step-templates provided. The new step is displayed in the top-left corner of the business process Designer tab. Drag-and-drop the new step to its location in the business process. Right-click on a step and select Edit Step to display the step dialog.

Table 145—Edit Step - Dialog Descriptions

Details Tab: The Details tab defines the main step action.
Name: The name of the step.
Description: The detailed description of the step.
Enable Monitoring: Choose whether or not to track the metrics of this business process step.
Result Variable: Input a string value associated with this business process step variable.
Action: Defines how arguments are made available to the step action.
• String - values are passed as global variables to embedded scriptlets
• Script - values are passed as global variables
• Rule - values are passed as global variables
• Call - values are collected into a Map that is accessed through the sailpoint.api.WorkflowContext object and passed to every handler method
• Reference - values defined previously can be referenced
• Source - the source of the rule or script action

Arguments Tab: The Arguments tab is used to create sub-arguments that are referenced by other arguments. Sub-arguments can be used as temporary variables to hold the results of expensive computations you might need several times during the evaluation of other arguments.
Name: Name of the argument.
Value: Defines how arguments are made available to the step action. The same String, Script, Rule, Call, Reference and Source options apply as for Action.

Add or Edit an Approval

Use the edit approval dialog to define an approval process. The business process engine handles most of the details involved in typical approval processes such as notification and escalation. Approval processes can be dynamically modified at runtime to adapt to such things as an arbitrary number of approvers that cannot be known at the time the business process is written.

The Approval element always appears within a Step and becomes the action of the step. You cannot combine approval actions within a single step. If a step requires multiple approvers you can build a hierarchy of approvers and the business process, upon the successful completion of a parent approval, will launch the child. Click Add Child Approval to add multiple, hierarchical approvers to a business process. A tree view showing the parent/child hierarchy is displayed in the Approval Children panel on the left side of the dialog. All approvals in a hierarchy use the work item defined in the highest level approval unless you manually override that work item definition. Child approvals use the work item defined by the parent unless they define their own work item.

An important part of the approval process is creation and handling of the approval work item created by the approval element. There are two ways to create the approval work item: using the approval attributes on the Details tab, or using the description scriptlet from the Description panel. If you use the approval attributes, the name of the approval becomes the work item description used throughout IdentityIQ.

To add or edit an approval, right-click on a step and select Add Approval or Edit Approval from the pop-up menu. To remove an approval, right-click on a step and select Remove Approval.

Table 146—Edit Approval - Dialog Descriptions

Details: The Details tab defines the attributes that make up the approval.
Name: The name of the approval and default work item description.
Send: CSV list of variable names to include in the work items.

Return: CSV of variable names to copy from completed work items back into the business process.
Renderer: JSF include to render the work item details.
Mode: A scriptlet used to define the mode of evaluation.
• String - values are passed as global variables to embedded scriptlets
• Script - values are passed as global variables
• Rule - values are passed as global variables
• Call - values are collected into a Map that is accessed through the sailpoint.api.WorkflowContext object and passed to every handler method
• Reference - values defined previously can be referenced
• Source - the source of the rule or script action
Owner: A scriptlet to define one or more approvers. The same String, Script, Rule, Call, Reference and Source options apply as for Mode.
Description: Scriptlet that defines the work item description. The same String, Script, Rule, Call, Reference and Source options apply as for Mode. When Approval elements are nested, the work item defined by the parent approval is used by any child approvals unless the child approvals define their own work item.

Arguments: The Arguments tab is used to create sub-arguments that are referenced by other arguments in the approval. Sub-arguments can be used as temporary variables to hold the results of expensive computations you might need several times during the evaluation of other arguments.
Name: Name of the argument.
Value: Defines how arguments are made available to the approval action. The same String, Script, Rule, Call, Reference and Source options apply as for Mode.

Work Item Configuration: The Work Item Configuration tab is used by child approvals to override the work item defined by the parent approval.
Override Work Item Configuration: Override the work item defined by the parent approval.
Open Work Item: Create a work item for this action.
Owner: Assign an owner for this work item.
Initial Notification Email: Select the initial email notification sent by this approval action. Email templates are created when IdentityIQ is configured.
Escalation: Defines the escalation policy for this work item.
• None - No escalation will occur for this work item.
• Send Reminders - Specify the days before the first reminder is sent, the frequency in days between reminders, and the reminder email template to use.
• Reminders then Escalation - In addition to the reminders, set the number of reminders to send before the work item is escalated, the escalation owner rule to use for the escalation, and select the escalation notification email to send.
• Escalation Only - Specify the days before the expiration date of the work item to perform escalation, select an escalation owner rule to use for the escalation, and select the escalation notification email to send.

Add or Edit a Transition

A Transition is used to specify the next step in the business process after the current step completes. Transitions can either be conditional or unconditional. An unconditional transition is an implied transition and no condition must be met for the business process to move to the next step. A conditional transition has a script or scriptlet that must return a value that is considered logically true in order for the transition to be taken. Unconditional transitions are displayed with an arrow icon and conditional transitions are displayed with a question mark icon.

To create a transition, right-click the step that should start the transition and select Start Transition, then right-click the step that should end the transition and select End Transition. Alternatively, double-clicking on a step starts the creation of a transition. Double clicking on another step after that ends the transition and creates a line between the two. Edit the new transition as needed for your business process. To edit an existing transition, right click the transition icon and select Edit Transition. To remove a transition, right-click a transition icon and select Remove Transition.

For unconditional transitions leave the fields on the Edit Transition dialog blank. For conditional transitions define the source of the action and method used to make the value of the arguments available to the action:
• String - values are passed as global variables to embedded scriptlets
• Script - values are passed as global variables
• Rule - values are passed as global variables
• Call - values are collected into a Map that is accessed through the sailpoint.api.WorkflowContext object and passed to every handler method.
• Reference - values defined previously can be referenced.
• Negate - values are collected into a Map that is accessed through the sailpoint.api.WorkflowContext object and passed to every handler method.

To remove a transition, right-click a transition icon and select Remove Transition.

Process Metrics Tab

Use the Process Metrics tab to view business process metrics. You can measure the number of execution attempts, the amount of time for execution, and the last time the execution took place for any defined business process.

Table 147—Business Process Variables - Panel Descriptions

Show Time In: Select Minutes, Hours, or Days from the drop-down list.
Executions: Displays total number of execution attempts.
Successful Executions: Displays total number of successful execution attempts.
Failed Executions: Displays total number of failed execution attempts.
Active Executions: Displays total number of current executions in process.
Average Execution Time: Displays the average amount of time, from Start to Stop, the process takes.
Maximum Execution Time: Displays the longest amount of time, from Start to Stop, the process has taken.
Date of Last Execution: Displays the date the process was last executed.
Monitor Process: Use Monitor Process to track the metrics of business processes or specific business process steps. You can monitor all steps in a business process by clicking Monitor Entire Process. Business processes that are monitored are denoted by an “eyeball” icon next to the process name in the Edit an Existing Process panel. You can select which steps of a process to monitor in the Process Designer tab. Right-click a step in the flow chart and choose Enable/Disable Monitoring from the submenu accordingly. Click Save Process once you have completed making your selections.


Chapter 13: System Setup

Use System Setup to configure the different options for the following:
• See “IdentityIQ” on page 321
• See “Lifecycle Manager Setup” on page 549
• See “Compliance Manager” on page 349

IdentityIQ

Select an item from the IdentityIQ panel on the System Setup page to launch the respective configuration page. Table 128 displays the available options.

Table 148—System Setup IdentityIQ Page Descriptions

IdentityIQ Configuration: Use this page to set default values for use with notifications, work item policy, object expiration, user interface preferences, and identity history. See IdentityIQ Configuration on page 322. You must be a System Administrator to access this page.
Login Configuration: Set an application other than IdentityIQ for authentication verification and select the automatic identity creation rule. See Login Configuration on page 329. You must be a System Administrator to access this page.
Identity Mappings: Specify the applications, and application attributes, from which the identity data is derived. See Identity Mappings on page 331. You must be a System Administrator to access this page.
Account Mappings: Specify the account attributes to be used in filters and searches throughout the application. See Account Mappings on page 334. You must be a System Administrator to access this page.
Application Attributes: Define application attributes in addition to those provided by the connectors. See Application Attributes on page 340. You must be a System Administrator to access this page.

Role Configuration: Define custom extended role attributes and role types. See Role Configuration on page 341. You must be a System Administrator to access this page.
Scopes: Define scopes for use throughout your enterprise. See Scopes on page 345. You must be a System Administrator to access this page.
Time Periods: Define the time periods for use in activity searches. See Time Periods on page 347.
Audit Configuration: Specify the actions that are audited and stored in the audit logs. See Audit Configuration on page 348.
Import from File: Import files into IdentityIQ. See Import From File on page 348. You must be a System Administrator to access this page.

IdentityIQ Configuration

Use this page to set default values for use with notifications, work item policy, object expiration, user interface preferences, and identity history. You must be a System Administrator to access this page. This page is broken up into the following sections:
• See “Miscellaneous” on page 322
• See “Risk” on page 326
• See “Rules” on page 326
• See “Business Processes” on page 327
• See “Password Policy” on page 328

Miscellaneous

Table 149— System Setup - IdentityIQ - Miscellaneous Settings

Email Settings:
Default SMTP Host: Specify a default mail host.

Default SMTP Port: Specify a default SMTP port.
Default From Address: Specify the address to be used as the From address for all notices automatically generated by IdentityIQ.
Maximum Email Retries: Specify the maximum number of times to retry sending emails if the SMTP server returns a temporary error. Set this to 0 to disable retries.
Email Notification Type: Specify whether to send email using SMTP or to use a redirection email address or file name.
Redirection Email Address: Specify the email address to which email is redirected if Redirecting is selected as the Email Notification Type. Note: This setting is ignored if a Redirection File Name is set.
Redirection File Name: Specify the name of the file to which email is redirected if Redirecting is selected as the Email Notification Type. Note: This setting overrides the Redirection Email Address.
Suppress Duplicate Emails: Prevent multiple emails of the same type from being sent to the same recipient at one time. For example, if five work item reminders are sent to the same person at one time, they will only receive an email for the first. This option is enabled by default.

Email Templates:
For reminder notices: Specify the email template to be used when reminder notices are sent for certification requests or work items. Reminder notices are sent to the owner of a certification or work item.
For escalation notices: Specify the email template to be used when escalation notices are sent for certification requests or work items. Escalation notices are sent to the manager of the owner of a certification or work item.
For approval notices for model changes: Specify the email template to be used when notices are sent regarding changes made in the role modeler.
For work item comment notices: Specify the email template to be used when notices are sent about comments being added to work items.
For task and report signoff notices: Specify the email template to be used when notices are sent regarding task and report signoff requests.
For policy violation notices: Specify the email template to be used when notices are sent regarding the discovery of policy violations.
For work item forwarding notices: Specify the email template to be used when notices are sent about forwarded work items. Notices are sent to the owner and requestor of the work item.

Work Item Policy:

Days before expiration: Specify the number of days after which a work item should expire.
Days before expiration to send first notice: Specify the number of days, before a work item expires, that IdentityIQ should begin sending the owner of that work item reminder notices.
Frequency of expiration notices: Specify the frequency with which reminder notices should be sent to the owners of certifications and work items.
Number of notices before escalation: Specify the number of reminder notices that should be sent before the first escalation notice is sent to the manager of the owner of the access certification or work item.
Minutes before object locks are released: Specify the number of minutes to elapse before releasing an object lock. Leaving the settings at zero (0) means that there is no time delay once objects are released. It is recommended that you do not change the default setting at this time.

Other Object Expirations:
Days before snapshot deletion: Specify the number of days to keep an identity snapshot in the system before it is deleted. Identity snapshots are used to build history.
Days before task result deletion: Specify the number of days to keep task results on the Task Results page before removing them from the system.
Days before certifications are archived: Specify the number of days after which to archive certifications. Leaving the settings at zero (0) means that certifications are never archived. Note: Certification archives are not visible from the IdentityIQ GUI.
Days before certification archive deletion: Specify the number of days to maintain the certification archive before deleting certification records. Leaving the settings at zero (0) means that certification archives are never deleted. Note: Certification archives are not visible from the IdentityIQ GUI.

UI Preferences:
Enable Role Mining Pages: Enable role mining pages.
Maximum Managers Selectbox: The maximum number of managers to display in a select box before switching the select box to a suggest component with paging.
Maximum Applications Selectbox: The maximum number of applications to display in a select box before switching the select box to a suggest component with paging.
Maximum Roles Selectbox: The maximum number of roles to display in a select box before switching the select box to a suggest component with paging.

Identity Snapshots:

Snapshot frequency in days (2 equals every second day): Specify the frequency with which identity snapshots should be taken. Identity snapshots are used to build the risk score card history that can be used to track trends and patterns for individual users, groups, departments, and your entire organization.
Index History Granularity:
Identity history, Group history: The increments at which to store history. For example, if the Identity history is set to week, snapshots are preserved on a weekly basis. This means that when a snapshot is taken it overwrites any snapshots taken within the previous week (7 days). Any snapshot that is older than 7 days is saved.
Identity Attributes:
Number of searchable attributes: Specify the number of attributes that can be configured for use as searchable attributes on the Identity Attributes page. This can be any number between 1 and 20. The default is 10. If no customization was performed during the installation and deployment process, the maximum number you can enter is 10. Note: This number should match the number configured during the installation and deployment process.
Account Attributes:
Number of searchable account attributes: Specify the number of attributes that can be configured for use as searchable attributes. This can be any number between 1 and 20. The default is 5. If no customization was performed during the installation and deployment process, the maximum number you can enter is 5. Note: This number should match the number configured during the installation and deployment process.
Role Sunrise/Sunset Dates:
Enable Sunrise/Sunset Dates on Role Assignment: Enable the ability to set activation and deactivation dates on roles when they are assigned. Activation and deactivation dates can be used to grant temporary access to sensitive roles.
Enable Sunrise/Sunset Dates on Role Activation: Enable the ability to insert activation and deactivation events into roles from the role modeler. Activation events are used to automatically activate or deactivate roles using business processes.
System Help Settings:
Help Contact Email Address: An email address of a user responsible for supporting IdentityIQ in your enterprise. The email account is accessible from an Email Help button displayed at the bottom of some pages.
File Preferences:
Temporary Directory: The path to a default temporary directory for use by IdentityIQ. This is the directory in which IdentityIQ will store temporary files, such as log files, during processing.

Risk
Use this tab to set the number and value of bands used to display and report risk scores throughout IdentityIQ. The number of bands and their associated values determine the way risk score information displays throughout IdentityIQ, including the Dashboard panels and Identity Risk Scores page. Risk scores are determined by multiple contributing factors defined on the risk scoring pages. See “Configure Risk Scoring” on page 305.
Table 150— System Setup - Risk Settings
Field: Description
Number of Bands: Use the slider to specify the number of colored bands, from 2 to 6, to display on all score card charts, graphs, and tables. These bands are used to indicate various levels of risk associated with ranges of Identity risk scores. Specify a number that best meets the needs of your enterprise.
Label: The text label associated with the colored risk band. You can use the default labels or create your own.
Range: The numeric risk score associated with each risk band.
Indicator: The indicator color associated with the risk level.
Rules
Use this tab to select the rules that are used to determine the path for the assignment of work items relating to the approval of roles and profiles and handling orphaned work items.
Table 151— System Setup - Rules Settings
Field: Description
Role and profile change approver: This rule is called to determine assignment of the related approval request work item when approval is needed on a new or changed role or profile from the role modeler, or a request is made to create a new role through a certification or role m
ining.
Inactive user work item forwarding rule: This rule is used specifically to determine the escalation path for work items assigned to inactive users. If necessary this rule reassigns work items each time the Perform Maintenance task is run.
General work item forwarding rule: This rule is used to set the reassignment path for any work item. This rule is run every time a work item is assigned.
Rule Editor

The Rule Editor page allows you to edit any existing rule to the specifications of your enterprise. The rule editor is accessible by clicking the “...” icon next to a rule drop-down list throughout IdentityIQ. You can edit code from an existing rule or create a new one from scratch. IdentityIQ recognizes the BeanShell programming language.
The Rule Editor panel consists of the following:
Table 152—Rule Editor Panel Field Descriptions
Option: Description
Copy from an existing rule: Use the drop-down list to select an existing rule. You can choose to edit a rule from scratch or based upon an existing rule structure. This option is available if you did not select a rule from the drop-down list on the previous page.
Rule Name: Enter the name of your rule.
Description: Enter the description of your new rule.
Rule Type: Non-editable field which displays the type of rule (i.e. Violation).
Return Type: Non-editable field which displays the type of return (i.e. PolicyViolation).
Returns: Non-editable field which displays the type of return the rule executes (i.e. Violation).
Arguments: Non-editable field which displays the arguments used in the rule (i.e. context, log, state, etc.).
Code input area: Field where code is input.
Once you have completed your rule edits, click Save. You will return to the previous page where you can now use the drop-down list to select your new rule.
Business Processes
Use this tab to select the business processes that are used to determine the steps involved in the approval of role creation or modification, and modification of identity information. These business processes are used to control a sequence of steps required to perform defined procedures within your enterprise.
Table 153—System Setup - Business Process Settings
Option: Description
Role create, update, and delete: Select which business process is executed when roles are created, modified, or deleted in the role modeler.
Identity update: Select which business process is executed when an identity is edited in IdentityIQ. This may perform role assignment approvals and send provisioning requests.
Identity refresh: Select which business process is executed when an identity is refreshed in a background task. This may perform role assignment approvals and send provisioning requests.
Identity Correlation: Select which business process is executed when a manual correlation of accounts is performed.

Table 153—System Setup - Business Process Settings (continued)
Option: Description
Deferred role assignment: Select which business process is executed when a scheduled role assignment becomes due. This will assign the role and may perform provisioning.
Deferred role deassignment: Select which business process is executed when a scheduled role deassignment becomes due. This will deassign the role and may perform provisioning.
Deferred role activation: Select which business process is executed when a scheduled role activation becomes due. This will activate the role and may refresh all identities.
Deferred role deactivation: Select which business process is executed when a scheduled role deactivation becomes due. This will deactivate the role and may refresh all identities.
Click Save once all selections have been made.
Password Policy
Use this tab to define the password policy for IdentityIQ. All of the users with access to the application must set up their passwords according to the policy created on this tab.
Table 154— System Setup - Password Policy Settings
Field: Description
Minimum number of characters: The minimum number of characters, letters or digits, required for a valid password.
Maximum number of characters: The maximum number of characters, letters or digits, allowed in a valid password.
Minimum number of letters: The minimum number of letters required for a valid password.
Minimum number of digits: The minimum number of digits required for a valid password.
Minimum uppercase letters: The minimum number of uppercase letters required for a valid password.
Minimum lowercase letters: The minimum number of lowercase letters required for a valid password.
Minimum special characters: Minimum number of special characters required.
Password history length: The number of previous passwords stored by IdentityIQ. This number includes the current password, so if the length is two, the history is the current password and one other. If the length is set to zero there is no history.

Table 154— System Setup - Password Policy Settings (continued)
Field: Description
Days until expiration for manually set passwords: The number of days until a password set manually expires. If the days are zero, passwords do not expire.
Days until expiration for generated passwords: The number of days until a password set by the identity create rule during aggregation expires. If the days are zero, passwords do not expire.
Minimum Hours between password changes: The minimum number of hours that must pass before a user’s password can be changed again.
Validate passwords against the identity's list of attributes: Check the new password for validity against the attributes assigned to the identity.
Validate passwords against the password dictionary: Ensure that the password being created is unique.
Require users to enter their current password when setting a new password: Require users to enter their current password before creating a new password.
Login Configuration
Use the Login Configuration page to set an application for authentication verification. Before a user can access IdentityIQ and the work items assigned to them, they must be validated by some authentication verification server. For example, if all of the users in your organization are set up with roles and authorization in an LDAP server, use that server to verify users logging into IdentityIQ.
Use Auto create user rules when adding users to the application. The first time a user logs into the application, and is verified by the pass-through server, the Auto create user rule creates an IdentityIQ user according to specifications defined in this rule. Those rules are applied each time the user accesses the product.
Note: Any user discovered by an aggregation task will appear in the identities lists and can be assigned work items; however, that user must still be validated by the authentication verification server before they can access IdentityIQ.
Login Configuration is comprised of the following tabs:
• See “Login Settings” on page 329
• See “Authentication Questions” on page 330
Login Settings
Use the Login Settings tab to configure general settings for login criteria.
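The password policy settings of Table 154 above, applied to a candidate password in an added Python example. This is not IdentityIQ's own validator: the field names follow the table, the class and function names are this example's own, and the sample identity, dictionary and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class PasswordPolicy:
    """The Table 154 settings. A count or day value of 0 means the rule is not
    enforced, matching the table's zero-means-off wording for history and expiry."""
    min_chars: int = 0
    max_chars: int = 0
    min_letters: int = 0
    min_digits: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_special: int = 0
    history_length: int = 0          # counts the current password as entry one
    expiry_days_manual: int = 0      # 0 = manually set passwords never expire
    min_hours_between_changes: int = 0
    check_identity_attributes: bool = False
    check_dictionary: bool = False
    require_current_password: bool = False

@dataclass
class IdentityState:
    """Constructed per-user state; history[0] is the current password. Clear text
    is used only to keep the example self-contained (a real store compares hashes)."""
    history: List[str] = field(default_factory=list)
    last_changed: Optional[datetime] = None
    attributes: List[str] = field(default_factory=list)

def validate_password(candidate, policy, identity, dictionary=(), now=None, current=None):
    """Return the names of the violated rules; an empty list means the password is accepted."""
    now = now or datetime.now()
    problems = []
    if policy.require_current_password and current != (identity.history or [None])[0]:
        problems.append("current_password")
    n = len(candidate)
    if policy.min_chars and n < policy.min_chars:
        problems.append("min_chars")
    if policy.max_chars and n > policy.max_chars:
        problems.append("max_chars")
    counts = {
        "min_letters": sum(c.isalpha() for c in candidate),
        "min_digits": sum(c.isdigit() for c in candidate),
        "min_upper": sum(c.isupper() for c in candidate),
        "min_lower": sum(c.islower() for c in candidate),
        "min_special": sum(not c.isalnum() for c in candidate),
    }
    for rule, have in counts.items():
        if getattr(policy, rule) and have < getattr(policy, rule):
            problems.append(rule)
    # History length includes the current password: length two rejects the current
    # password and the one before it; length zero keeps no history at all.
    if policy.history_length and candidate in identity.history[:policy.history_length]:
        problems.append("history")
    if (policy.min_hours_between_changes and identity.last_changed is not None
            and now - identity.last_changed < timedelta(hours=policy.min_hours_between_changes)):
        problems.append("min_hours_between_changes")
    if policy.check_identity_attributes:
        lowered = candidate.lower()
        if any(a and a.lower() in lowered for a in identity.attributes):
            problems.append("identity_attribute")
    if policy.check_dictionary and candidate.lower() in {w.lower() for w in dictionary}:
        problems.append("dictionary")
    return problems

def password_expired(identity, policy, now):
    """Expiry of a manually set password; zero days means it never expires."""
    if not policy.expiry_days_manual or identity.last_changed is None:
        return False
    return now - identity.last_changed >= timedelta(days=policy.expiry_days_manual)

# Constructed sample data: a policy, one identity and a tiny dictionary.
SAMPLE_POLICY = PasswordPolicy(min_chars=10, min_digits=1, min_upper=1, min_special=1,
                               history_length=2, expiry_days_manual=90,
                               min_hours_between_changes=24, check_identity_attributes=True,
                               check_dictionary=True, require_current_password=True)
SAMPLE_IDENTITY = IdentityState(history=["Curr3nt!Pass", "0lder!Pass1", "Anc1ent!Pass"],
                                last_changed=datetime(2011, 6, 1, 9, 0),
                                attributes=["jsmith", "Smith"])
SAMPLE_DICTIONARY = ["password", "welcome1"]
ONE_HOUR_LATER = datetime(2011, 6, 1, 10, 0)
TWO_DAYS_LATER = datetime(2011, 6, 3, 9, 0)
NINETY_DAYS_LATER = datetime(2011, 8, 30, 9, 0)

def check(candidate, now=TWO_DAYS_LATER, current="Curr3nt!Pass"):
    return validate_password(candidate, SAMPLE_POLICY, SAMPLE_IDENTITY, SAMPLE_DICTIONARY, now, current)

if __name__ == "__main__":
    for pw in ["N3w!Password", "0lder!Pass1", "Anc1ent!Pass", "Smith!Rocks99", "password"]:
        print(pw, "->", check(pw) or "accepted")
```

Note that "Anc1ent!Pass" is accepted: it is the third entry in the history, and a history length of two covers only the current password and the one before it.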

Table 155— System Setup - Login Configuration - Login Settings
Field: Description
Pass through application: Specify an application to use as the authentication verification server for all users logging into IdentityIQ.
Auto create user rule: Specify an auto create user rule to use when creating IdentityIQ identities based on account attributes discovered during aggregations. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Single Sign-On Rule: Specify the rule to use when authorizing users through a single sign-on system, such as SiteMinder. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Login after timeout returns to dashboard: Specify how navigation is handled after a session times out and you log back in to that session. If checked, the dashboard will be displayed. If not, the session will return to the page being viewed at the time of the timeout.
Login error style: Select a login error message style. Simple — shows an error with no information about what is incorrect. Detailed — provides information about the incorrect part of the login, for example, Invalid password for user admin.
Enable Forgot Password: Select to enable a “Forgot Password” link on the login page that allows users to have their password reset. Note: This feature is only available with Lifecycle Manager.
Authentication Questions
Authentication questions are used to confirm a user's identity if they have forgotten their IdentityIQ password and your environment is configured to enable the question authentication feature. These questions are displayed when the user clicks the Forgot Password link off of the Login page during the authentication process. Question authentication is enabled using the Enable Forgot Password select box on the Login Settings tab.
Questions
The Questions list can contain tags from the properties file configured when your IdentityIQ instance was deployed, text entered directly on this tab, or a combination of both. Mapping tags from a properties file is generally used for internationalization purposes.

Click the plus (+) icon to add a new question and the minus (-) icon to remove a question. You can enter as many questions as you deem necessary. A user that forgets their password might not have to answer all of the questions in the list. The number of questions a user must answer for authentication is defined in the Settings section below.
Settings
Use the Settings section to configure behaviors for password attempts.
Table 156— System Setup - Login Configuration - Authentication Questions
Field: Description
Number of correct answers required to reset a forgotten password: Specify the number of authentication questions that must be answered correctly in order to reset the password.
Number of authentication answers a user must have defined in IdentityIQ: Specify the number of authentication answers a user must have defined in IdentityIQ.
Prompt users for answers to unanswered authentication questions upon successful login: Adds an extra layer of security to the logon screen. Select to have users prompted for answers until they define the required number, as defined in Edit Preferences on the Dashboard, or if questions are added or changed. When enabled, users are automatically redirected to the Answer Authentication Questions page upon successfully entering user name and password.
Maximum number of unsuccessful authentication attempts before IdentityIQ lockout: Specify the number of failed authentication question answer attempts before the user is locked out of IdentityIQ.
Number of minutes a user will remain locked out due to unsuccessful authentication: Specify how long a user is locked out after the specified number of failed authentication question answer attempts has been exceeded. The lockout period can be overridden by a user with the proper capability.
Identity Mappings
Use the Identity Attributes page to view and edit the identity attributes information for your configuration. These attributes are used throughout the product for certifications, searches, and to collect and correlate identity data across applications.

The Identity Attributes page contains the following information:
Table 157— System Setup - Identity Mapping - Identity Attributes Descriptions
Column: Description
Attribute: The display name of an identity attribute derived from the attribute and its associated application in the Primary Source Mapping column.
Advanced Options: The advanced options that are enabled for this attribute. Searchable — the attributes that are available for filtering in identity searches. The maximum number of searchable attributes you can create is defined during the application installation and configuration process and controlled from the System Setup pages. The default number is ten (10). Editable — the attribute can be edited. Group Factory — the attribute can be used to create groups that are used for analytical purposes throughout IdentityIQ.
Primary Source Mapping: The first of the list of application/attribute pairs from which employee attributes are derived. If the required data is unavailable on this primary source, the collection process continues down the list of configured sources until the information is found. Set up the list of sources on the Edit Identity Attributes page.
The following attributes are required by IdentityIQ to perform correctly: accountId, manager, email, firstname, lastname.
Manager and role are system attributes configured for grouping, but any identity attribute can be used for grouping by defining it as a group factory in the Advanced Options.
To work with the attributes and sources, see Edit Identity Attributes Page on page 332. To delete identity attributes, right-click on the attribute and select Delete.
Note: Deleting an identity attribute will also delete any group factories that reference it. Review the group factory information in the Confirm Deletion of Attribute dialog before clicking Yes.
See also Account Attributes on page 337 and Application Attributes on page 340.
Edit Identity Attributes Page
Use the Edit Identity Attribute page to create and edit identity attributes including the display name, advanced options and source mapping.

The Edit Identity Attribute page contains the following information:
Table 158— Edit Identity Attributes Page Field Descriptions
Field: Description
Identity Attribute:
Attribute Name: The name of the attribute as it appears in the application. Note: Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.
Display Name: The IdentityIQ user assigned name.
Advanced Options:
Attribute Type: Select from the following attribute types: String — creates a text-editable field. Identity — creates a drop-down list from which you choose an existing identity.
Edit Mode: Enable editing of this attribute from the Identity pages. Read Only — this attribute cannot be edited from the Identities pages. Permanent — changes made on the identities pages are not overwritten by refresh tasks. Temporary — changes made on the identities pages are overwritten by the refresh task.
Searchable: Enable this attribute for use in searches and filtering through IdentityIQ.
Group Factory: Enable this attribute for use in creating groups used for analytical purposes throughout IdentityIQ.
Multi-Valued: Specify attributes for which multiple values might be returned during aggregation. Attributes flagged as multi-valued are stored as a list. Even objects that have a single value for a multi-value attribute are stored as a single-item list. Multi-valued attributes are used for queries throughout the product.
Value Change Rule: Specify a rule to run every time a change is detected on this attribute during the aggregation process. For example, a rule can be written to send change notifications, request change approval or launch a certification. Note: Click the “...” icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Value Change Business Process: Specify a business process to run every time a change is detected on this attribute during the aggregation process. For example, a business process can be written to send change notifications, request change approval or launch a certification.
Source Mappings: The list of application/attribute pairs from which employee attributes are derived. If the required data is unavailable on the primary source, the collection process continues down the list of configured sources until the information is found.

How to Add or Edit Identity Attributes
1. Click Add New Attribute or click on an existing attribute to display the Edit Identity Attribute page.
2. Enter or change the attribute name and an intuitive display name.
Note: Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.
3. Optional: Enable or change the Advanced Options.
4. Click Add Source Mapping to display the Add a source dialog.
5. Specify a source for the new attribute.
Map directly to an attribute on an application:
a. Select Application attribute.
b. Select an application from the Application drop-down list.
c. Select an attribute from the Attribute drop-down list.
Map to an application rule. This rule only applies to the application specified.
a. Select Application rule.
b. Select an application from the Application drop-down list.
c. Select a rule from the Rule drop-down list.
Map to a global rule. This rule applies to all applications that contain this attribute.
a. Select Global rule (all apps).
b. Select a rule from the Rule drop-down list.
6. Click Add to add the new source.
7. Use the arrows to the right of the sources list to rearrange the search order for the attribute sources. When aggregation tasks are run they search the source at the top of the list, or the primary source, first and then work down the list.
8. Click Save to create the new attribute and return to the Identity Attribute page.
Account Mappings
Use the Account Mapping page to set up and map specialized accounts. Use the Account Attributes page to view the extended account attribute information for your configuration. Any attribute extended on this page is available for searching on the Identity Search page.
Use this page to set up specialized account attributes such as Privileged and Service, and any other extended attributes for use in certifications and searches. Specialized accounts can be any accounts that justify special handling throughout your enterprise, for example privileged accounts such as Root, Administrator, or Super User, and service accounts that access a specific service or function on an application. Specialized account attributes can be modeled to handle any concept using simple one-to-one mapping and rules. This section describes two of the most common scenarios.
You can assign icons to extended attributes to highlight these accounts in certifications and the detailed identity pages. See Create Icons to Represent Specialized Account Attributes on page 339.
The Account Attributes page contains the following information:

Table 159— System Setup - Account Mapping - Account Attributes Descriptions
Column: Description
Attribute: The display name of an account attribute derived from the attribute and its associated application in the Primary Source Mapping column.
Display Name: The IdentityIQ user assigned name for use throughout IdentityIQ.
Primary Source Mapping: The first of the list of attribute/application pairs or rules from which account attributes are derived. If the required data is unavailable on this primary source, the collection process continues down the list of configured sources until the information is found. Set up the list of sources on the Edit Account Attribute page.
The maximum number of searchable attributes you can create is defined during the installation and configuration process. By default you can set five (5) searchable account attributes. See System Setup on page 321.
You can also use this page to create specialized account attributes. See Account Attributes on page 337.
To work with the attributes and sources, see Edit Account Attributes Page on page 335. To edit account attributes, right-click on the attribute and select Edit. To delete account attributes, right-click on the attribute and select Delete.
Edit Account Attributes Page
Use the Edit Account Attribute page to create and edit account attributes including the display name, attribute type and source mapping.
The Edit Account Attribute page contains the following information:
Table 160— Edit Account Attributes Page Field Descriptions
Field: Description
Account Attribute:
Attribute Name: The name of the attribute as it appears in the application. Note: Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.
Display Name: The IdentityIQ user assigned name for use throughout IdentityIQ.
Advanced Options:

Table 160— Edit Account Attributes Page Field Descriptions (continued)
Field: Description
Edit Mode: Enable editing of this attribute. Read Only — this attribute cannot be edited. Permanent — changes made to this attribute manually are not overwritten by refresh tasks. Temporary — changes made to this attribute manually are overwritten by the first refresh task that detects a value different than the original value. For example, if the original value is A and it is manually changed to B, the value is not overwritten by a refresh task until the newly aggregated value is not A. When an aggregation detects a value that is not A, it will refresh the manually changed value and the value will be updated with each subsequent refresh. Note: This feature is unlikely to be used for Account Attribute mapping.
Attribute Type: The attribute type being linked, for example string, boolean or date.
Searchable: Account attributes are existing link values and are always searchable. This field is displayed as selected and read only so that identity and account attribute configuration pages are consistent in appearance.
Multi-Valued: Specify attributes for which multiple values might be returned during aggregation. Attributes flagged as multi-valued are stored as a list. Even objects that have a single value for a multi-value attribute are stored as a single-item list. Multi-valued attributes are used to build account groups and for queries throughout the product.
Source Mappings: The list of attribute/application pairs or rules from which account attributes are derived. If the required data is unavailable on this primary source, the collection process continues down the list of configured sources until the information is found.
How to Add or Edit Account Attributes
1. Click Add New Attribute or click on an existing attribute to display the Edit Account Attribute page.
2. Enter or change the attribute name and an intuitive display name.
Note: Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.
3. Edit the Advanced Options as required.
4. Click Add Source Mapping to display the Add a source dialog.
5. Specify a source for the new attribute.
Map directly to an attribute on an application:
a. Select Application attribute.
b. Select an application from the Application drop-down list.
c. Select an attribute from the Attribute drop-down list.
Map to an application rule. This rule only applies to the application specified.
a. Select Application rule.
b. Select an application from the Application drop-down list.

c. Select a rule from the Rule drop-down list.
Map to a global rule. This rule applies to all applications that contain this attribute.
a. Select Global rule (all apps).
b. Select a rule from the Rule drop-down list.
6. Click Add to add the new source.
7. Use the arrows to the right of the sources list to rearrange the search order for the attribute sources. When aggregation tasks are run they search the source at the top of the list, or the primary source, first and then work down the list.
8. Click Save to create the new attribute and return to the Account Attribute page.
Account Attributes
Create a Service Account Using Simple Mapping
In this example, if IdentityIQ finds an attribute named Service that has a value of true on the application DB Application, it is marked as a service account. For this case the database connector has already provided an attribute value to reflect the service state, so a simple mapping is all that is required.
To configure the mapping:
1. Access the Account Attributes page. Click the System Setup tab and select Account Mappings from the table.
2. Click Add New Attribute to display the Edit Account Attribute page.
3. Specify the following values:
Attribute Name — service
Display Name — Service Account
Edit Mode — Read Only
Attribute Type — boolean
Searchable — Read Only
Multi-Valued — this is not a multi-valued attribute so do not select this field.
4. Click Add Source Mapping to display the Add a source to the attribute dialog.
5. Map the attribute:
a. Select Application Attribute.
b. Select DB Application from the Application drop-down list.
c. Select Service from the Attribute drop-down list.
6. Click Add.
Note: After configuring these attributes you must re-aggregate or refresh the identity cubes to set the values.
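The top-down source lookup described in the How to Add or Edit Account Attributes procedure, the Read Only, Permanent and Temporary edit modes of Table 160, and the service account mapping just configured, modelled in an added Python example. This is not IdentityIQ code: the class names, the HR application with its site attribute, and the sample accounts are this example's own constructions, and it also carries a Python rendering of the Domain Admins rule from the next section so both scenarios run through the same lookup.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

@dataclass
class Link:
    """One account (a 'link' in IdentityIQ terms) on an application."""
    application: str
    native_identity: str
    attributes: Dict[str, Any] = field(default_factory=dict)

    @property
    def key(self) -> Tuple[str, str]:
        return (self.application, self.native_identity)

@dataclass
class Source:
    """One Source Mappings row: kind is 'attribute' (an application attribute),
    'app_rule' (a rule scoped to one application) or 'global_rule'."""
    kind: str
    application: Optional[str] = None
    attribute: Optional[str] = None
    rule: Optional[Callable[[Link], Any]] = None

    def evaluate(self, link: Link) -> Any:
        if self.kind != "global_rule" and link.application != self.application:
            return None                      # scoped to a different application
        if self.kind == "attribute":
            return link.attributes.get(self.attribute)
        return self.rule(link)               # application rule or global rule

class ExtendedAttribute:
    def __init__(self, name: str, edit_mode: str, sources: List[Source]):
        self.name = name
        self.edit_mode = edit_mode           # "Read Only", "Permanent" or "Temporary"
        self.sources = sources
        self.values: Dict[Tuple[str, str], Any] = {}
        # Temporary mode: the aggregated value current at the manual change (Table 160's "A").
        self.manual_baseline: Dict[Tuple[str, str], Any] = {}

    def resolve(self, link: Link) -> Any:
        """Walk the sources from the top of the list; the first value found wins."""
        for source in self.sources:
            value = source.evaluate(link)
            if value is not None:
                return value
        return None

    def edit(self, link: Link, value: Any) -> bool:
        """Manual change from the UI; False when the attribute is Read Only."""
        if self.edit_mode == "Read Only":
            return False
        self.manual_baseline.setdefault(link.key, self.values.get(link.key))
        self.values[link.key] = value
        return True

    def refresh(self, link: Link) -> Any:
        """The value a refresh or aggregation task leaves on the account."""
        aggregated = self.resolve(link)
        if link.key in self.manual_baseline:
            if self.edit_mode == "Permanent":
                return self.values[link.key]         # never overwritten
            if aggregated == self.manual_baseline[link.key]:
                return self.values[link.key]         # source still says A: keep B
            del self.manual_baseline[link.key]       # source changed: refresh takes over
        self.values[link.key] = aggregated
        return aggregated

def domain_admin_rule(link: Link) -> Optional[bool]:
    """Python rendering of the page's privileged promotion rule: True/False on
    AD applications, no value (None) anywhere else."""
    if "AD" not in link.application:
        return None
    groups = link.attributes.get("memberOf") or []
    return any(g and g.startswith("cn=Domain Admins") for g in groups)

def service_attribute() -> ExtendedAttribute:
    # "Create a Service Account Using Simple Mapping": one application attribute source.
    return ExtendedAttribute("service", "Read Only",
                             [Source("attribute", application="DB Application", attribute="Service")])

def privileged_attribute() -> ExtendedAttribute:
    # "Create a Privileged Account Using a Rule": one global rule source.
    return ExtendedAttribute("privileged", "Read Only",
                             [Source("global_rule", rule=domain_admin_rule)])

def location_attribute() -> ExtendedAttribute:
    # Hypothetical Temporary-mode attribute fed by an HR "site" attribute (A/B behaviour).
    return ExtendedAttribute("location", "Temporary",
                             [Source("attribute", application="HR", attribute="site")])

def sample_links() -> Dict[str, Link]:
    # Constructed accounts; application names, identities and DNs are made up.
    return {
        "db_service": Link("DB Application", "svc_backup", {"Service": True}),
        "db_user": Link("DB Application", "jsmith", {"Service": False}),
        "ad_admin": Link("Corporate AD", "jsmith", {"memberOf": ["cn=Domain Admins,ou=Groups,dc=example,dc=com"]}),
        "ad_user": Link("Corporate AD", "mjones", {"memberOf": ["cn=Users,ou=Groups,dc=example,dc=com"]}),
        "hr": Link("HR", "1001", {"site": "Austin"}),
    }
```

A source that does not apply to an account yields no value, so a Read Only service or privileged flag stays unset on applications the mapping never mentions rather than defaulting to false.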

Create a Privileged Account Using a Rule
In this example, if IdentityIQ finds an account that is a member of the group Domain Admins on any AD application, that account should be marked as a privileged account. This rule will check each account on every AD application and look for the Domain Admins group. If the Domain Admins group is found, the rule returns true, and the account is considered privileged.
1. Write the rule to define the logic. Example rule:
    <Rule language="beanshell" name="Example privileged promotion rule" type="LinkAttribute">
      <Source>
        <![CDATA[
          import java.util.List;

          // Only accounts on AD applications are evaluated; other applications get no value.
          Boolean privileged = null;
          if ( link.getApplication().getName().contains("AD") ) {
            privileged = new Boolean(false);
            // memberOf is multi-valued, so the connector returns it as a List of group DNs.
            List groups = (List) link.getAttribute("memberOf");
            if ( groups != null ) {
              for ( String group : groups ) {
                if ( ( group != null ) && ( group.startsWith("cn=Domain Admins") ) ) {
                  privileged = new Boolean(true);
                }
              }
            }
          }
          return privileged;
        ]]>
      </Source>
    </Rule>

2. Access the Account Attributes page. Click the System Setup tab and select Account Mappings from the table.
3. Click Add New Attribute to display the Edit Account Attribute page.
4. Specify the following values:
Attribute Name — privileged
Display Name — Privileged Account
Edit Mode — Read Only
Attribute Type — boolean
Multi-Valued — this is not a multi-valued attribute so do not select this field.
5. Click Add Source Mapping to display the Add a source to the attribute dialog.
6. Map the attribute:
a. Select Global Rule (all applications).
b. Select Example privileged promotion rule from the Application drop-down list.
7. Click Save.
Create Icons to Represent Specialized Account Attributes
Assign icons to extended attributes to highlight these accounts in certifications and the detailed identity pages. To assign icons you must modify the UIConfig file and add AccountIconConfig entries for any value that should be recognized. The following example references the attributes defined in this section.
    <ImportAction name='merge'>
      <UIConfig name='UIConfig'>
        <Attributes>
          <Map>
            <entry key='accountIconConfig'>
              <value>
                <List>
                  <!-- This indicates that when we are displaying accounts and we see
                       the value "true" for the extended account attribute named
                       privileged we should display the icon listed in the "source"
                       attribute. The title will be used in hover-over help. -->
                  <AccountIconConfig attribute="privileged" value="true" source="/images/icons/privilege_16.png" title="This is a privileged account"/>
                  <!-- This indicates that when we are displaying accounts and we see
                       the value "true" for the extended account attribute named
                       service we should display the icon listed in the "source"
                       attribute. The title will be used in hover-over help. -->
                  <AccountIconConfig attribute="service" value="true" source="/images/icons/service.png" title="This is a service account"/>
                </List>
              </value>
            </entry>
          </Map>
        </Attributes>
      </UIConfig>
    </ImportAction>
Use the IdentityIQ console to import the modifications.

Application Attributes

Use the Edit Application Configuration page to define extended application attributes not provided by the application connectors during aggregation. These extended attributes are displayed on the Attributes tab of the Application Configuration page below the connection attributes provided by the connector. You can use these extended attributes inside rules and custom reports and queries.

Since the additional attributes are stored with those provided by the connector, if you define an extended attribute with a name that matches any connector attribute, the values of the extended attribute overwrite the values of the connector attribute.

Note: Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.

Click New Attribute to add additional attributes to the applications. To edit or delete an existing attribute from the list, right-click on the attribute and select the corresponding option from the menu. If you are deleting an attribute you must confirm the deletion in the pop-up dialog. See "Edit Application Attributes" on page 340.

The Edit Application Configuration page contains the following information:

Table 161— System Setup - Configure Account Mapping Descriptions
Name — The display name of the application attribute assigned when it was added.
Category — The category defined when the attribute was created. If no category was defined this column is blank.
Type — The attribute type being linked, for example string, boolean, date, rule, or identity.
Description — A short description of the extended application attribute.

Edit Application Attributes

Use the Edit Extended Attribute page to create and edit additional application attributes including the display name, attribute type and description.

Note: The fields displayed on the Edit Extended Attribute page are dependent on the attribute type selected.

The Edit Extended Attribute page contains the following information:

Table 162— Edit Extended Attribute Page Field Descriptions
Attribute Name — The name of the attribute as it appears in the application.
Display Name — The IdentityIQ user assigned name for use throughout IdentityIQ.

Description — A brief description of the application attribute.
Category — An optional category used to separate the attributes into categories on the Application Configuration page.
Required — For String type attributes only. Required attributes must have a value before you can save an application.
Allowed Values — For String type attributes only. Enter the values that are allowed for this attribute. The values entered in this list are used to populate the drop-down value list on the Application Configuration page.
Default Value — Enter a default value for the attribute or select a value from the drop-down list.
Editable — Enable editing of this attribute from other pages in the product.
Searchable — Enable this application attribute for use in searches throughout the product.

How to Add or Edit Extended Attributes

1. Click New Attribute or click on an existing attribute to display the Edit Extended Attribute page.
2. Enter or change the attribute name and an intuitive display name.
   Note: If you define an extended attribute with the same name as an application attribute, the value of the extended attribute overwrites the value of the connector attribute.
3. Select the attribute type from the drop-down list: String, Integer, Boolean, Date, Rule, or Identity.
4. Optional: Enter a description of the additional attribute.
5. Optional: Specify a category for the attribute. Enter a category name or select an existing one from the drop-down list.
6. Optional: Mark the attribute as required. For string type attributes only.
7. Optional: Enter allowed values for the attribute. For string type attributes only.
8. Optional: Specify a default value, depending on the attribute type you are working with.
9. Optional: Activate the Editable check-box to enable this attribute for editing from other pages within the product.
10. Optional: Activate the Searchable check-box to enable this attribute for searching throughout the product.
11. Click Save to save your changes and return to the Edit Application Configuration page.

Role Configuration

Use the Edit Role Configuration page to define custom extended role attributes and role types. The extended attributes are displayed with the rest of the role information throughout the product. An example of an extended role attribute might be role status. Role type is used to configure roles to perform different functions within your business model. For example, type might be used to control inheritance or automatic assignment of roles.

Click New Attribute to add additional role attributes. See How to Add or Edit Extended Attributes on page 343. Click New Type to add or edit a role type. See Edit Role Types on page 343. To edit or delete an existing attribute or type from the list, right-click on the item and select the corresponding option from the menu. If you are deleting, you must confirm the deletion in the pop-up dialog.

The Edit Role Configuration page contains the following information:

Table 163—System Setup - Configure Role Attribute Column Descriptions
Role Attributes:
Name — The display name of the role attribute assigned when it was added.
Category — The category defined when the attribute was created. If no category was defined this column is blank.
Type — The attribute type being linked, for example string, boolean, date, rule, or identity.
Description — A short description of the role attribute.
Role Types:
Name — The display name of the role type.
Description — A short description of the role type.

Edit Extended Role Attributes

Use the Edit Extended Attribute page to create and edit additional role attributes including the display name, attribute type and description.

Note: Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.

The Edit Extended Attribute page contains the following information:

Table 164— Edit Extended Role Attribute Page Field Descriptions
Attribute Name — The name of the attribute as it appears in the application.
Display Name — The name for use throughout the product.
Description — A brief description of the role attribute.
Category — An optional category used to separate the attributes into categories on the Application Configuration page.

Searchable — Enable this role attribute for use in queries.
Required — For String type attributes only. Required attributes must have a value before you can save a role.
Allowed Values — For String type attributes only. Enter the values that are allowed for this attribute. The values entered in this list are used to populate the drop-down value list on the Roles page.
Default Value — Enter a default value for the attribute or select a value from the drop-down list.
Editable — Enable editing of this attribute from other pages in the product.

How to Add or Edit Extended Attributes

1. Click New Attribute or click on an existing attribute to display the Edit Extended Attribute page.
2. Enter or change the attribute name and an intuitive display name.
   Note: You cannot define an extended attribute with the same name as any application attribute that is provided by a connector.
3. Select the attribute type from the drop-down list: String, Integer, Boolean, Date, Rule, or Identity.
4. Optional: Enter a description of the additional attribute.
5. Optional: Specify a category for the attribute. Enter a category name or select an existing one from the drop-down list.
6. Optional: Mark the attribute as required. For string type attributes only.
7. Optional: Enter allowed values for the attribute. For string type attributes only.
8. Optional: Specify a default value, depending on the attribute type you are working with.
9. Optional: Activate the Editable check-box to enable this attribute for editing from other pages within the product.
10. Optional: Activate the Searchable check-box to enable this attribute for searching throughout the product.
11. Click Save to save your changes and return to the Edit Role Configuration page.

Edit Role Types

Use the Edit Role Type Definition page to create and edit types to use with roles. Role type is used to configure roles to perform different functions within your business model. For example, type might be used to control inheritance or automatic assignment of roles.

Role modeling also uses the concept of permission to enable you to grant users permission to certain roles without assigning them the role or incorporating it in their role hierarchy. For example, while a non-IT user with a business-type role might need access to the entitlements contained within an IT-type role, they probably do not need to have that role assigned to them or included as part of their hierarchical role structure.

The Edit Role Type Definition page contains the following information:

Table 165— Edit Role Type Definition Page Field Descriptions
Type Name — The name of the role type.
Display Name — The display name of the role type used throughout the product.
Description — A brief description of the role type.
Icon Path — The path to the iconic representation of this role type. See How to Add or Edit Role Types on page 345.
Disallow inheritance of other roles — Do not allow roles of this type to inherit other defined roles.
Disallow other roles from inheriting this role — Do not allow roles of this type to be inherited.
No automatic detection with profiles — Do not automatically detect and assign this role to identities during aggregation and correlation.
No automatic assignment with rule — Do not allow a rule to automatically assign roles of this type to identities.
No manual assignment — Do not allow roles of this type to be assigned manually from the Identities User Rights tab.
No entitlement profiles — Do not enable the direct assignment of profiles to this role type. For example, a role used to create hierarchy in your business model might only gain access to entitlement profiles through permitted IT roles.
No permitted roles list — Do not display the Permitted Roles panel in the Role Modeler for roles of this type.
No required roles list — Do not display the Required Roles panel in the Role Modeler for roles of this type.
Disallow this role from being on a permitted roles list — Do not display roles of this type on the select list of the Permitted Roles panel of any other role.
Disallow this role from being on a required roles list — Do not display roles of this type on the select list of the Required Roles panel of any other role.
No assignment rule — Do not display the Assignment Rule panel in the Role Modeler for roles of this type.
Disallow Granting of IdentityIQ User Rights — Do not allow the granting of IdentityIQ capabilities or scopes based on role assignment. If this option is selected, the Granted IdentityIQ User Rights table is not displayed on the Role Editor page.

How to Add or Edit Role Types

1. Click New Type or click on an existing type to display the Edit Role Type Definition page.
2. Enter or change the name and display name.
3. Enter an icon path to link to the iconic image associated with roles of this type in the Role Modeler.
4. Optional: Select configuration options for the role type.
5. Click Save to save your changes and return to the Edit Role Configuration page.

To assign an icon to a role type, do the following:

a. Add two icon images to the iiq_home/images/icons folder of your IdentityIQ installation, one for the role and one for the role as it is undergoing analysis or approval.
b. Reference the images from the iip-custom.css file in the iiq_home/css directory. For example:

   .itIcon {
     background-image: url("../images/icons/modeler_application_16.png") !important;
     background-repeat: no-repeat;
   }
   .itIconPending {
     background-image: url("../images/icons/modeler_application_approval_16.png") !important;
     background-repeat: no-repeat;
   }

Scopes

Scope is used to determine the objects to which a user has access. IdentityIQ capabilities control the components within the product to which a user has access. Scope controls access to the individual objects within those components. For example, a user might be able to access the Identity Search page, but the Application and Role drop-down lists will only display applications and roles that are contained within a scope they control. If scoping is active, identities can only see objects that they created or that are within the scopes they control, or possibly that have no scope assigned.

Scope is referred to in two ways, Controlled Scope and Assigned Scope. Controlled scopes refer to the scopes to which an identity has access. You can only see objects that are within your controlled scopes, or that you created. Controlled scope is hierarchical. If you control a parent scope you control any child scopes contained within. Assigned scope is the scope assigned to an identity or object manually, automatically, or through aggregation and correlation.

Use the Scopes page to create new scopes, edit existing scopes, and configure scoping for your enterprise.

Note: If you manually create scopes they should be associated with existing identity attributes or be defined in a scope correlation rule.

Create and Edit Scopes

To create a new scope, right-click and select New to display the Create Scope page. Enter the scope name and click Create to return to the Scope page. To edit an existing scope, right-click on the scope and select Edit to display the Edit Scope page. You can only edit the display name. Drag and drop existing scopes to create a scope hierarchy.

Delete Scopes

To delete a scope, right-click on the scope and select Delete to display the Delete Scope page. The Delete Scope page contains the following:

Table 166—Scope Configuration - Delete Scope Page Field Descriptions
Assigned Scope Replacement — Reassign objects to a different scope upon deletion.
Controlled Scope Replacement — Assign a controlled scope to replace the one being deleted.
Delete Child Scopes — Delete all child scopes in the scope hierarchy.

Configure Scoping

Use the Configure Scoping page to configure scope assignment and correlation. Use the Scope Correlation Rule to correlate identities with the correct scopes.

Note: You must run an identity refresh task with the refresh scope option enabled before scope configuration changes are visible.

The Configure Scoping page contains the following:

Table 167—Scope Configuration - Configure Scoping Page Field Descriptions
Enable Scoping — When checked, scoping mechanisms are enabled. Scopes do not take effect until this is enabled, even if the scopes are already defined and assigned. Note: Deselecting this is useful in troubleshooting performance issues.
Scope Identity Attribute — Select an identity attribute from the drop-down list to use for scoping. This attribute is used to correlate identities to assigned scope. A scope is created for each value of the selected attribute aggregated during the identity refresh task.

Scope Correlation Rule — Select a rule to use to correlate scopes and identities during the aggregation and refresh task. Scope correlation rules enable more flexibility in scope assignment than specifying a single identity attribute. If a scope is not found that correlates to the value returned by an attribute, one is created. Note: Click the "..." icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Scope Selection Rule — Select a selection rule to use if the identity attribute or scope correlation rule return more than one value for the assigned scope of an identity. For example, if department is specified as the scope identity attribute and the identity aggregation task returns more than one value for department for an identity, this rule determines which value to use as the assigned scope. Note: Click the "..." icon to launch the Rule Editor to make changes to your rules if needed. See Rule Editor on page 326.
Unscoped Objects Globally Accessible — When selected, all objects that do not have an assigned scope are available to all users. When cleared, all objects that do not have an assigned scope are only available to system administrators.
Identity Controls Assigned Scope — When selected, identities automatically control the scope to which they are assigned.

Time Periods

Use the Configure Time Periods page to specify the time periods used for activity searching. Setting time periods for your enterprise enables you to track not only who is accessing your sensitive applications, but when they are doing it. Access at unusual times might indicate a security issue that requires investigation. Time periods include things such as office hours, holidays, and weekends. Each time period is set individually so that you can customize the setting to meet the needs of your enterprise.

There are four types of time periods:
• Date ranges — a range of specific dates that define things such as fiscal quarters.
• Date lists — a list of dates that define enterprise holidays.
• Day lists — a list of days that define week days and weekends.
• Time ranges — a range of hours, or times, that define office hours and non-office hours.

To edit a time period, click on a time period in the Time Periods column to access the Configure Time Period page and make the required changes. See Configure Time Period.

Configure Time Period

The appearance of the Configure Time Period page is dependent on the type of time period being edited.

Date Ranges: For date ranges, specify the Begins on and Ends on dates for the time period being defined. For these date ranges you can enter dates manually or click the ... icon and select a date from the calendar.

Date Lists: Use the date list to specify a list of holidays, or regularly scheduled dates on which your enterprise would not normally conduct business. This list does not include weekends. Weekends are defined separately from a day list. You can enter dates manually or click the ... icon and select a date from the calendar. Use the Add and Delete buttons to add or remove dates from the list.

Day Lists: Use the day lists to specify week days from weekend days. Select the correct days using the selection boxes on the right of the table and deselect, or de-activate, the days that should not be included.

Time Ranges: For time ranges, specify the starting at and ending at times. Time ranges are used to define working and non-working hours.

Audit Configuration

Use the Audit Configuration page to specify the actions that are collected for audit logs. Before any data is collected by the audit logs for use in an audit search, IdentityIQ must be configured for auditing. Since collecting event information and storing it in the audit logs affects performance, a system administrator must specify the actions that are audited.

The Audit Configuration page contains the following types of actions:
• General Actions — typical actions performed while using IdentityIQ. For example, running a task and signing off on a certification are general actions.
• Class Actions — actions taken on the underlying classes used to configure the way in which IdentityIQ operates. For example, editing a role, creating a policy, and specifying the default email template are class actions.
• Identity Attribute Changes — changes to assigned roles, capabilities, authorized scopes, controlled scopes, and changes to the password. This list might also include extended identity attributes.

Import From File

Use the Import from file page to import files into IdentityIQ. For example, use this page to import custom rules or scoring pages.

Note: Imported files might not be immediately available. Some file contents might require an application restart.

Note: Any include directives in the import file will include files from the application server file system and not that of the client browser.

Use the Browse button to navigate to a file or enter the path manually and click Import to begin the download process. When the import is complete the results are displayed on the Import from File Results page. Click Import Another File to go back to the Import from File page, or Done to return to the System Setup page.

Compliance Manager

Click Certification Configuration from the System Setup page. Use the Certification Configuration page to configure control and default settings for certifications. The Certification Configuration page includes the following:

Table 168—Compliance Manager - Certification Configuration Descriptions

Presentation
Initial Access Review View — Select the view displayed when access review reports are initially accessed. List: open the grid view, either the worksheet or list view. Detailed: open the Access Review Decisions tab associated with the first item in the access review. Individual user preferences can override this setting.
Default Access Review Grid View — Select the grid view to display for all identity-type access review report list pages. Worksheet: the individual line items that are assigned to the identities within identity-type access reviews. Identity: the top-level items that make up an access review, such as identities, account groups, or roles. Individual user preferences can override this setting.
Default Entitlement Display Mode — Select the default display mode for entitlements. Entitlement Value: display only the assigned value of the entitlement. Entitlement Description: display the longer description of the entitlement.
Certification item page limit — Input the number of items of each type to show per page on the certification entity page before paging. If set to zero, paging is disabled.
Subordinate Access Review page size — Input the number of subordinate access reviews to show per page on the certification page before paging. If set to zero, paging is disabled.

Lifecycle
Notify users of revocations — Select to enable email notifications to users that have items revoked.
Certification escalation rule — Select a rule from the drop-down list as the default rule used by the system when an access review is escalated. This is a default and can be overridden when certifications are scheduled.

When exceptions expire — Select the action performed on a mitigation when it expires.
Active Period Duration — Input the number of units and unit type (hours, days, weeks or months) to use as the default active period duration. This decision can be overwritten on the Schedule Certification page.
Enable Challenge Period — Select to enable the default challenge period and its default duration. The challenge period enables users to challenge requests from certifiers to remove access privileges. This decision can be overwritten on the Schedule Certification page.
Enable Revocation Period — Select to enable the default revocation period and its default duration. Input the number of units and unit type (hours, days, weeks or months) to use as the revocation period. The revocation period places a limit on the amount of time a revoker has to act on a revocation request before that request work item is escalated. This decision can be overwritten on the Schedule Certification page.
Enable Automatic Closing — Select to enable the configuration of automatic certification closing for access reviews.
Default Revoker — Select the user to whom all bulk remediation requests will be sent. Bulk revocation requests are made during the certification process, either from the Select Bulk Action drop-down list on the Certification Report worksheet view or by clicking Revoke All on the Certifications Decision tab. If this field is left blank, the remediator is specified as part of the request process.

Behavior
Require Bulk Certification Confirmation — Select to prompt the user for confirmation on bulk access reviews.
Prompt for Sign Off — Select to display a pop-up window when an access review is complete and ready for sign off.
Require Subordinate Completion — Select to require that, by default, all subordinate access reviews be completed before the parent access review can be completed.
Require Reassignment Completion — Require that, by default, all reassigned access review items be completed before the parent access review can be completed.
Return Reassignments to Original Access Review — Specify that, by default, the content of reassigned access reviews be returned to the parent access review upon sign off. Use this option to ensure that the original content of an access review request is preserved for tracking and reporting purposes.
Automatically Sign Off When All Items Are Reassigned — Specify that an access review be automatically signed off on when all items in that access review are reassigned. Note: This item is not available if the Required Reassignment Completion or the Return Reassignments to Original Access Review options are selected.
Require Comments for Approval — Require that all certifiers enter comments for each item they approve in an access review request.

Require Comments When Allowing Exceptions — Require the certifier to include comments when a certification decision is made.
Require a review on delegated certification items — Select to require that all access review approvers review the decision made on any user, role, entitlement, or policy violation that they delegated to another approver before they can complete the access review containing that delegation.
Require delegated certification items to be completed — Select to require that all items in a delegation work item have a decision associated with them before the work item can be marked as complete.
Enable Self Certification — Select to enable an identity to forward, reassign, or delegate access review items to the item owner. For example, if self-certification is not enabled and an attempt is made to forward an access review to an identity contained within that access review, the forwarding request is denied.
Enable Line Item Delegation — Enables certifiers to delegate individual access review items, such as a single role or entitlement, rather than the entire identity being reviewed.
Enable Identity Delegation — Enable certifiers to delegate entire identities from a certification request.
Enable Account Approval — Enable certifiers to bulk approve all accounts for a given entitlement.
Enable Account Revocation — Allow users to bulk revoke all entitlements for a given account.
Enable Overriding Violation Remediator — Enable certifiers to specify a remediator from the policy violation pop-up dialog even if there is a default remediator specified.
Enable Role Creation Requests from Certifications — Activate this field to enable certifiers to request that new roles be created from the certification pages. Roles requested from the certification pages must be approved before they are available for use by the system. The assignment of role approval requests is controlled by a rule specified on the Configure System Settings Rules tab.
Enable Certifiers to Allow Exceptions — Enables certifiers to set an expiration date on the length of time for which a user should have access to a specific role or entitlement.
Enable Allow Exception Popup — Enables certifiers to view the Allow Exception pop-up and manually set expiration dates and add comments.

Decisions
Enable Provisioning Missing Role Requirements — Enable the certifier to provision missing role requirements from within an access review.

Default Exception Duration — Set the time period for which exceptions should be allowed. Input the number of units and unit type (hours, days, weeks or months) to use as the exception duration. This decision can be overwritten on the Schedule Certification page.
Additional Entitlement Granularity — The default granularity at which additional entitlements are listed in the access review. For example, if you select Attribute/Permission, each permission associated with each attribute is listed separately, and must be acted upon.
Exclude Logical Tier Entitlements — Exclude entitlements on tier application accounts from the access review. This only applies to logical applications. Tier applications are those applications that make up a logical application.

Bulk Actions
Select the actions to enable from the Grid and Details view. The actions include the following:
• Enable Bulk Approve
• Enable Bulk Revoke
• Enable Bulk Allow Exceptions
• Enable Bulk Reassigning
• Enable Bulk Account Revocation
• Enable Bulk Clear Decisions

Certification Contents
Generate Certification(s) — Specify whether, by default, access review requests should generate an access review request for the specified managers, or for the specified managers and all of their subordinate managers. If you select For the specified manager(s) only, the Flatten Hierarchy option is displayed. Select the Flatten Hierarchy option to include all of the employees that report directly to the selected managers and the employees that report to their subordinate managers on the access review request.

Email Templates
Much of the communication performed during the access review process is done through email notifications sent automatically by IdentityIQ as an access review proceeds through its life cycle. Use this section to specify the template to use for each certification-related notice.

Section III: Using IdentityIQ .

Chapter 14: Using IdentityIQ

Use the following components to improve internal governance measures, optimize compliance efforts and more effectively manage risk.

• IdentityIQ Dashboard on page 355 — a web-based console that enables business and IT users to review and act on compliance-related data and activities across the enterprise. The Dashboard enables you to display the charts, graphs, detailed reports, and task status required to do your job, with drag-and-drop formatting.
• IdentityIQ Identity Cube Management on page 383 — monitor and access individual identity cube risk information. Identity Cubes are multi-dimensional data models of identity information that offer a single, logical representation of each managed user. Each Cube contains information about user entitlements, associated business context and historical records of user access configurations and activity.
• Tasks on page 397 — automate the process of discovering users, assigning those users to contextual roles, and correlating these with user activity from log files to form Identity Cubes.
• Reports on page 17 — locate stored reports, define parameters to run new reports, or submit ad hoc queries against the normalized data.
• Advanced Analytics on page 453 — create very specific queries on users, application, role, activity, and audit logging within your enterprise to find answers to precise certification, policy, user, or activity questions. These searches can be used to isolate specific areas of risk and create interesting populations of users from multiple organizations, departments and locations.
• Policy Violations on page 453 — manage policy violations outside of access certifications. This page enables you to identify policy violations within your organization as soon as they are detected and take action to rectify those violations immediately. Your system can be configured to notify policy owners or their delegates through email or work items each time a policy violation is detected by a regularly scheduled scan. Use this page to manage those violations instead of creating and running interim certifications manually.
• Managing Application and Identity Risk Scores on page 521 — Use the Identity Risk Score and Application Risk Score pages to view individual risk scores and the risk scores associated with each application.

Chapter 15: IdentityIQ Dashboard

The IdentityIQ Dashboard is a web-based console that enables business and IT users to review and act on compliance-related data and activities across the enterprise. The Dashboard enables you to display the charts, graphs, detailed reports, and task status required to do your job, with drag-and-drop formatting. Customize the layout of the components to optimize the space on the page and prioritize the information as it appears on your screen. Panel order becomes important if you select one of the formats with columns of different width, as some panels lend themselves to narrow columns and others do not.

The Dashboard is tailored to individual roles and authority. For example, compliance officers might have a complete view of all audit and compliance data company-wide, while a department manager might only see access and activity data for the users they manage. This also applies to the dashboards themselves. For example, roles which do not include any compliance related duties will not have the Compliance Dashboard.

The number of score bands displayed in score related components of the Dashboard is configurable based on your requirements. See System Setup on page 321.

Note: The first time you log into the IdentityIQ application, your Dashboard displays the Inbox and Outbox. To select the components that display on your Dashboard, see How to Edit the Dashboard on page 366.

The IdentityIQ Dashboard has three separate views:
• My Dashboard Components on page 356.
• Compliance Dashboard Components on page 356.
• Lifecycle Manager Components on page 527.

Note: Lifecycle Manager must be installed in order to access the Lifecycle Dashboard. Contact your SailPoint representative for more information.

Depending on which dashboard view you are in, you can define your IdentityIQ Dashboard by choosing from the available components. See How to Edit the Dashboard on page 366 for information on setting up your Dashboard to meet your needs.

Note: If your particular role lacks the necessary privileges, some or all of the components will not be available.

My Dashboard Components

• Inbox on page 356 — all work items that are assigned to you.
• Outbox on page 358 — all work items that you created and assigned to others.
• My Access Reviews on page 363 — graphic representation of the state of your currently active certification requests.
• Online Tutorials on page 364 — mini-tutorials that walk through the steps involved in some of the most common operations in IdentityIQ.
• Policy Violation Status on page 365 — a list of the employees who directly report to you and have a violation.
• Signoff Status on page 366 — list view of the sign off status for tasks and reports on which sign off is required.

Compliance Dashboard Components

• Application Access Review Status on page 359 — graphic view of the Application Certification completion status for every application in your organization.
• Application Risk Score Chart on page 359 — graphic view of the risk score for every application to which you have access.
• Application Status on page 360 — list view of every application in your enterprise to which you have access.
• Access Review Completion Chart on page 360 — graphical view of the number of certifications that were completed for a given month.
• Access Review Completion Status on page 361 — list view of certifications to which you have access and the completion status of each.
• Access Review Owner Status on page 362 — graphic view of the certification completion status of a user and all of the users that report directly to them.
• Certification Decision Chart on page 362 — graphical view of the certification decisions (Delegations, Mitigations, and Revocations) that were made in certifications that were completed for a given month.
• Group Access Review Status on page 363 — graphic view of the certification completion status for every group in your organization.
• Access Review Owner Status on page 362 — graphic view of the completion status of certifications owned by members of specific groups or populations.
• Policy Violations Chart on page 364 — historical look at policy violations over time.
• Risk Score Chart on page 365 — historical look at identity risk scores over time.

Inbox

Use your Inbox to view all work items that are assigned to you or to a workgroup of which you are a member. A work item is anything that requires a user to take an action before it is completed.

Work items can be entire processes, such as certifications, or any piece of a process, such as the approval of one entitlement for one user on one application. Use the drop-down list to specify whether your Inbox displays all work items assigned to you and any groups to which you belong, only your own personal work items, or only the work items assigned to a selected workgroup.

If a work item is created for a user that is no longer active in IdentityIQ, it is forwarded to that user's manager or supervisor. If no manager is listed, the work item is assigned to the IdentityIQ administrator. Orphaned work items are discovered and identified during the Perform Maintenance task. Use escalation rules to determine the proper escalation path for orphaned work items. Escalation rules are created and set during the configuration and implementation of the product.

Click on a work item in the table to open the View Work Item or Access Review Details page.

The inbox contains the following information:

Table 169—Inbox Column Descriptions

ID: Identification number assigned to the work item.
Access Request ID: Identification number designated for the Lifecycle Manager access request.
Name: The name of the work item.
Type: The type of work item.
Requestor: The name of the user that assigned this work item to you.
Assignee: The name of the identity to whom you assigned the work item.
Workgroup: Displays the workgroup to which this work item is assigned, if applicable.
Created: The date the work item was assigned.
Priority: Specifies the priority level to which the work item was designated. Use the drop-down list to edit the priority level. This edit is visible in the Work Items Manager and Inbox of the identity to whom the work item is assigned, as well as in the Outbox of the person that assigned the work item.

Your inbox might contain the following types of work item:

• Certification — certifications that are assigned to you. These work item types are linked directly to the Access Review Details page. See Certification / Access Review Overview on page 3 and Access Review Details on page 11.
• Approval — changes to a role or profile are pending your approval. For example, a candidate role requires your approval before it can become active in the modeler. Or, the creation or modification of a role, or a change to an identity's access, might require approval. Or an access change request has been generated by the Access Request Manager. View the details and approve or reject the changes. See How to Approve Role Changes on page 278.
• Delegation — work items that have been delegated to you from another user's certification requests or policy violations. See How to Complete Delegated Access Reviews on page 68.
• Impact Analysis — impact analysis has been performed on a change to a role or profile. Review the report and apply or discard the pending changes. See How to Perform Impact Analysis on page 278.
• Reassigned or Forwarded — work items that have been forwarded or reassigned to you by another user. Reassigned work items are labeled reassigned; forwarded work items contain the forwarding user's name in the description. See How to Complete Reassigned or Forwarded Access Reviews on page 70.
• Revocation — requests to remove specific user access to applications on which you have the authority to grant or remove privileges. See How to Complete Revocation Work Items on page 69.

Outbox

Use your Outbox to view all work items that you created and assigned to others. Click on a work item in your outbox to view details about the work item. Your Outbox contains the following information:

Table 170—Outbox Column Descriptions

ID: Identification number assigned to the work item.
Name: The name of the work item.
Type: The type of work item:
• Approval — work items that require your review and approval.
• Access Review — access review requests you have scheduled for other approvers.
• Delegation — work items that you have delegated to another approver from your certification requests.
• Reassigned — work items that you reassigned to another user.
• Revocation — requests to remove specific user access to applications on which you do not have the authority to grant or remove privileges.
Owner: The login name of the user or workgroup to whom you assigned the work item.

Table 170—Outbox Column Descriptions (continued)

Created: The date the work item was assigned.
Expiration: The date by which the work item must be completed.
Priority: Specifies the priority level to which the work item was designated. Use the drop-down list to edit the priority level. This edit is visible in the Work Items Manager and Inbox of the identity to whom the work item is assigned, as well as in the Outbox of the person that assigned the work item.
Access Request ID: Identification number designated for the Lifecycle Manager access request.

Application Access Review Status

A list view of the Application Access Review completion status for every application to which you have access. The percentage displayed is calculated by dividing the number of entitlements that have been certified by the number of entitlements that require access review, and rounding to the nearest whole number. For example, if an access review request contains 30 entitlements that must be acted upon before it is complete and only 24 of those entitlements have been acted upon, then the access review is 80% complete.

Click on an application in the list to display detailed information on all access review requests that apply to the application. Click on an access review request in the details list to display the Access Review Details page. See Access Review Details on page 11. Click on the mail icon next to a name to send an access review reminder notice to that user or workgroup.

Application Risk Score Chart

A graphic view of the risk score for every application to which you have access. The chart displays as many risk levels as are configured for your enterprise. Click on the chart to display the Application Risk Scores page. See Application Risk Scores on page 522.

The algorithms used by the Refresh Application Scoring task to update this page are defined on the Application Risk page. See Application Risk Score Configuration on page 309.

All scores are calculated by first determining the percentage of accounts that have the qualities tested by the component score. For example, if 10 out of 100 accounts are flagged as service accounts, then the raw percentage is ten percent (.10). This number is then multiplied by a sensitivity value, which can be used to increase or decrease the impact of the original percentage. The default sensitivity value is 5, making the adjusted percentage fifty percent (.50). This final percentage is then applied to the score range of 1000, resulting in a component score of 500.
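To make the arithmetic concrete, the following is an added worked example in Python, constructed for this guide and not SailPoint code. It applies the percentage, sensitivity and 1000-point scaling described above to a set of accounts, and then adds the weighting and the dormant, risky and violator checks that this section goes on to describe. The attribute names follow the text (service, inactive, privileged, lastLogin, daysTillDormant) and the default thresholds are the ones the text gives; the weights, the sample accounts, the cap at 1000 for adjusted percentages above 100%, and the identity_score and violation_count fields standing in for the owning identity's composite score and violation count are assumptions.

```python
"""Added example (not SailPoint code): application risk component scores
computed the way the Application Risk Score Chart section describes."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

SCORE_RANGE = 1000  # component scores are applied to a range of 1000


@dataclass
class Link:
    """One account (link) on the application. The attribute names follow
    the text; identity_score and violation_count stand in for the owning
    identity's composite risk score and policy violation count (assumed)."""
    attributes: Dict[str, object] = field(default_factory=dict)
    identity_score: int = 0
    violation_count: int = 0


def has_flag(link: Link, attribute: str) -> bool:
    """Service, Inactive and Privileged: a configured attribute holds true."""
    return link.attributes.get(attribute) is True


def is_dormant(link: Link, today: date, attribute: str = "lastLogin",
               days_till_dormant: int = 30) -> bool:
    """Dormant: the date attribute is more than daysTillDormant days old.
    Accounts without a usable date are not counted (assumption)."""
    last = link.attributes.get(attribute)
    if not isinstance(last, date):
        return False
    return (today - last).days > days_till_dormant


def is_risky(link: Link, threshold: int = 500) -> bool:
    """Risky: the owning identity's composite score exceeds the threshold."""
    return link.identity_score > threshold


def is_violator(link: Link, threshold: int = 10) -> bool:
    """Violator: the owning identity's violation count exceeds the threshold."""
    return link.violation_count > threshold


def component_score(matching: int, total: int, sensitivity: float = 5.0) -> int:
    """Raw percentage, times sensitivity, applied to the 1000-point range:
    10 of 100 accounts -> 0.10 * 5 = 0.50 -> 500. Adjusted percentages
    above 100% are capped at the top of the range (assumption)."""
    if total == 0:
        return 0
    adjusted = min((matching / total) * sensitivity, 1.0)
    return int(round(adjusted * SCORE_RANGE))


# Assumed compensating factors; they sum to 1.0 so the overall score stays in range.
SAMPLE_WEIGHTS = {"service": 0.10, "inactive": 0.10, "privileged": 0.20,
                  "dormant": 0.15, "risky": 0.20, "violator": 0.25}


def application_risk(links: List[Link], today: date, weights: Dict[str, float],
                     sensitivity: float = 5.0) -> Tuple[Dict[str, int], Dict[str, int], int]:
    """Returns (account counts, component scores, weighted overall score)."""
    total = len(links)
    counts = {
        "service": sum(has_flag(l, "service") for l in links),
        "inactive": sum(has_flag(l, "inactive") for l in links),
        "privileged": sum(has_flag(l, "privileged") for l in links),
        "dormant": sum(is_dormant(l, today) for l in links),
        "risky": sum(is_risky(l) for l in links),
        "violator": sum(is_violator(l) for l in links),
    }
    components = {name: component_score(n, total, sensitivity) for name, n in counts.items()}
    overall = int(round(sum(components[name] * weights[name] for name in components)))
    return counts, components, overall


TODAY = date(2011, 6, 1)  # constructed "current date" for the dormancy check


def sample_links(today: date) -> List[Link]:
    """Constructed sample: 100 accounts, 10 of them service accounts, as in the text."""
    links = []
    for i in range(100):
        attrs = {
            "service": i < 10,
            "inactive": 10 <= i < 30,
            "privileged": i < 5,
            "lastLogin": today - timedelta(days=45 if i < 15 else 5),
        }
        links.append(Link(attrs,
                          identity_score=700 if i in (50, 51) else 200,
                          violation_count=12 if i == 99 else 0))
    return links


def demo() -> Tuple[Dict[str, int], Dict[str, int], int]:
    return application_risk(sample_links(TODAY), TODAY, SAMPLE_WEIGHTS)


if __name__ == "__main__":
    counts, components, overall = demo()
    for name in counts:
        print(f"{name:10s} {counts[name]:3d} accounts -> component score {components[name]}")
    print("overall application risk score:", overall)
```

With the sample accounts the service component comes out at 500 exactly as in the text, while the 20 inactive accounts (0.20 times 5 = 1.0) saturate at 1000; this is why the sensitivity and the weights need to be tuned together, since a large but low-risk population can otherwise dominate the overall score.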

After the component score is calculated, a weight, or compensating factor, is applied to each component score to determine the amount each will contribute to the overall risk score for the application. For example, a few violator accounts might increase risk more than many inactive accounts.

The Service, Inactive, and Privileged component scores look for links that have a configured attribute with a configured value, for example the attribute service with the value true. The Dormant Account score looks for a configured attribute that is expected to have a date value, for example lastLogin. This algorithm has an argument, daysTillDormant, that defaults to thirty (30). If the last login date is more than thirty (30) days prior to the current date, the account is considered dormant and is factored into the risk score. The Risky Account score looks for links whose owning identity has a composite risk score greater than a configured threshold. The default threshold is five hundred (500). The Violator Account score looks for links whose owning identity has a number of policy violations greater than a configured threshold. The default threshold is ten (10).

Application Status

A list view of every application in your enterprise to which you have access. Click a listed application to view the detailed status information. Use the search options to limit the number of applications displayed in the list.

The status information contains the following information:
• Statistics Updated - (visible in the primary application table) date the application risk score was calculated
• Total Links - number of links to other applications / accounts this application uses
• Total Entitlements - number of entitlements within this application
• Service Account - number of accounts classified as service accounts
• Inactive Account - number of accounts no longer active
• Privileged Account - number of accounts that are classified as privileged
• Dormant Account - number of accounts classified as dormant
• Risky Account - number of accounts identified as at risk
• Violator Account - number of accounts in violation

Access Review Completion Chart

A graphical view of the number of access reviews that were completed for a given month. Access Review statistics for a given month include only those access reviews that were due within that month. For example, if you are viewing statistics for more than one month, an access review request that is set to expire in August, but that is completed in July, is added to the number of completed access reviews for August. Similarly, an access review that is set to expire in July, but that is not completed until August, is added to the completed access reviews for July.

Note: For the current month, only those access reviews that were scheduled to expire on or before the current date are included in the access review count.

The statistics for each month are broken into two categories on the charts:
• On Time Certifications — the number of certifications that were scheduled to expire in the specified month and were completed on time.
• Total Certifications Due — all certifications that were scheduled to expire in the specified month regardless of their current status.

Click Expand Chart to view a full page version of this chart. The full page view displays the current chart options and enables you to change them as needed. Click Back to Dashboard to return to the dashboard view.

Use the configuration options at the top of the panel to modify the display. To display the configuration options, click configure. Click configure again to hide the selection boxes. Click Refresh to view the reconfigured information.

To obtain the latest certification completion data you must run a refresh groups task for the groups included in the chart. See Tasks on page 397.

Access Review Completion Status

A list view of the access reviews to which you have access and the completion status of each. The table contains the name, access review type, current phase, percentage complete, and due date for each access review. Click on an access review to display the Access Review Details page. See Access Review Details on page 11.

Use the search features to limit the number of access reviews displayed.

Table 171—Dashboard - Access Review Completion Status Search Options

Name: Filter the access reviews by name. Enter a text string to filter by only access reviews with that string in their name.
Type: Filter by access review type: Manager, Application Owner, Advanced, Identity, Role Membership, Role Composition, Account Group Permissions, Account Group Membership.
Phase: Filter by access review phase: Active, Challenge, Revocation, End.
Advanced Search:
Completed: Filter by completion state.
Signed: Filter by signed status. Continuous access reviews are never signed.
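The month bucketing that the Access Review Completion Chart section above describes, as an added worked example in Python rather than anything taken from the product: reviews are counted in the month they were due, not the month they were completed; the current month includes only reviews due on or before today; and On Time is taken to mean completed no later than the due date, which is an assumption since the text does not define it. The sample reviews and the dates are constructed.

```python
"""Added example (not SailPoint code): the month bucketing behind the
Access Review Completion Chart, run over constructed sample reviews."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessReview:
    name: str
    due: date                  # the date the review is set to expire
    completed: Optional[date]  # None while the review is still open


MonthKey = Tuple[int, int]  # (year, month)


def month_key(d: date) -> MonthKey:
    return (d.year, d.month)


def completion_stats(reviews: List[AccessReview], today: date) -> Dict[MonthKey, Dict[str, int]]:
    """Per-month counts for the chart.

    total_due: every review scheduled to expire in that month, whatever its state.
    completed: reviews due in that month that have been completed, whenever that
               happened (the August-due review finished in July counts for August).
    on_time:   completed no later than the due date (assumption: the text says
               "completed on time" without defining it).
    For the current month only reviews due on or before today are counted.
    """
    stats: Dict[MonthKey, Dict[str, int]] = {}
    current = month_key(today)
    for review in reviews:
        key = month_key(review.due)
        if key == current and review.due > today:
            continue  # not yet due this month, so not part of the count
        bucket = stats.setdefault(key, {"on_time": 0, "completed": 0, "total_due": 0})
        bucket["total_due"] += 1
        if review.completed is not None:
            bucket["completed"] += 1
            if review.completed <= review.due:
                bucket["on_time"] += 1
    return stats


# Constructed sample; TODAY is 10 September 2011 so July and August are past months.
TODAY = date(2011, 9, 10)


def sample_reviews() -> List[AccessReview]:
    return [
        AccessReview("Due Aug, finished Jul", date(2011, 8, 20), date(2011, 7, 28)),
        AccessReview("Due Jul, finished Aug", date(2011, 7, 31), date(2011, 8, 5)),
        AccessReview("Due Jul, finished Jul", date(2011, 7, 15), date(2011, 7, 10)),
        AccessReview("Due Aug, still open", date(2011, 8, 31), None),
        AccessReview("Due Sep 5, finished", date(2011, 9, 5), date(2011, 9, 4)),
        AccessReview("Due Sep 25, not yet due", date(2011, 9, 25), None),
    ]


def demo() -> Dict[MonthKey, Dict[str, int]]:
    return completion_stats(sample_reviews(), TODAY)


if __name__ == "__main__":
    for key, counts in sorted(demo().items()):
        print(f"{key[0]}-{key[1]:02d}: {counts}")
```

Running the sample shows the two cases from the text side by side: the review due in August but finished in July is counted, on time, for August, and the review due in July but finished in August is counted for July but not as on time. The review due on 25 September is left out entirely because it is not yet due in the current month.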

Certification Decision Chart

A graphical view of the certification decisions (Delegations, Mitigations, and Revocations) that were made in certifications that were completed for a given month. This includes all access review types. Certifications appear in the chart for the month in which they were completed.

Note: For the current month, only those certifications that were completed on or before the current date are included.

The statistics for each month are broken into four categories on the charts:
• Delegations — identities, roles, or entitlements that were delegated to other approvers for certification. The delegation of an identity counts as one delegation in these statistics, no matter how many entitlements that identity was assigned. The delegated information does not have to be acted upon to be included in this count.
• Mitigations — policy violations discovered, but approved for a certification.
• Revocations — roles or entitlements for which automatic revocation was performed or for which a revocation request was submitted.
• Total — the total number of certification decisions made. This number includes the delegations, mitigations, revocations and approvals.

Click Expand Chart to view a full page version of this chart. The full page view displays the current chart options and enables you to change them as needed. Click Back to Dashboard to return to the dashboard view.

Use the configuration options at the top of the panel to modify the display. To display the configuration options, click configure. Click configure again to hide the selection boxes. Click Refresh to view the reconfigured information.

To obtain the latest certification decision data you must run a refresh identities task and then a refresh groups task for the identities included in the chart. See Tasks on page 397.

Access Review Owner Status

A graphic view of the access review completion status of a user and all of the users that report directly to them. Enter the first few letters of a user or workgroup name in the Certifier field, select the correct name from the selection box, and click Show Certifications to update the list. Click the plus icon (+) to display the access review status of all users that report to the user currently displayed.

The percentage displayed represents the total number of certifiable items that must be acted on in all of the access reviews open against the associated user. For example, if a user has 10 access reviews with 1 entitlement each and 5 of those access reviews are complete, the Percentage Complete column shows 50%.

Click one of the access reviews listed to open a read only version of the Access Review Details page for that access review. See Access Review Details on page 11.

Click on the mail icon next to a name to send a certification reminder notice to that user or workgroup.

Access Review Owner Status By Group

A graphic view of the completion status of certifications owned by members of specific groups or populations. This dashboard component enables you to progressively filter down a list of certification owners based on their group or population membership. For example, if your organization has departments A through Z and locations 1 through 10, you can use the filters to display only the certifications owned by members of departments A, C, F, and Q and locations 2, 4, and 6.

Select a group from the Group drop-down list to filter by group, or select Population to filter by populations saved within your environment. Use the Value drop-down list to select specific groups and populations. Click the plus (+) icon to add additional filters. Continue adding filters as needed to return the information you are interested in viewing. Click Reset to clear your list of filters. Click Show Access Reviews to update the list.

Click on a user name in the list to view the Details panel, or click the notification icon to send an email notification to the access review owner. Click on the identity name a second time to close the detailed information view. The percentage displayed represents the total number of certifiable items that must be acted on in all of the certifications open against the associated user. In the Details panel, click an access review name to go to the Access Review Details page, or use the arrow icon to forward the access review to a different identity.

Group Access Review Status

A graphic view of the access review completion status for every group in your organization. Select a group from the Group drop-down list and click Show Access Reviews to update the list. Click on a group within the list to view the access review details. Click on the group name a second time to close the detailed information view. The percentage displayed represents the total number of certifiable items that must be acted on in all of the access reviews open against the associated user.

Click on the detailed view of the access review to open the Access Review Details page. From the access review details, you can forward the access review request to a different certifier or send an access review notification to the current owner.

My Access Reviews

The state of your currently active access review requests.

Click on the Identity bar at the bottom of the panel to expand a full list of access reviews assigned to you. Clicking on any of the access reviews listed displays the Access Review Details page. See Access Review Details on page 11. Click the arrow to the right of an access review to display the Forward Access Review dialog and forward the access review to a different certifier.

Online Tutorials

Online mini-tutorials that walk through the steps involved in some of the most common operations in IdentityIQ.

Policy Violations Chart

A historical look at the number/count of policy violations for the specified group over time. A snapshot of your organization's identity information is taken periodically based on a time interval set when IdentityIQ is configured. Each snapshot is represented by a date on the Policy Violations chart.

Click Expand Chart to view a full page version of this chart. The full page view displays the current chart options and enables you to change them as needed. Click Back to Dashboard to return to the dashboard view.

Use the configuration options at the top of the panel to modify the display. To display the configuration options, click configure. Click configure again to hide the selection boxes. Click Refresh to view the reconfigured information.

The Policy Violations dashboard panel configuration options are:

Table 172—Dashboard Policy Violation Options

Type: The type of chart to display in the panel: Line, Bar, Stackedbar, Area, or Stackedarea. Each chart type displays the same information, just in a different format.
Date Range: The date range from which the snapshot information should be pulled: Current, 3 Months, 6 Months, or 1 Year. Note: Current displays information from the most current snapshot of your enterprise.
Group: The group from which to draw snapshot information. Groups are defined by values assigned to the following identity attributes: Department, Location, Manager and Organization. The Global group contains all users in IdentityIQ.
Value: The list of values assigned to the attributes that define groups. For example, the Location attribute might be assigned a value for every city in which your enterprise has an office.

Policy Violation Status

A searchable table of the identities who directly report to you and have a violation.

Note: The person who owns the violation can also view it.

Click on an identity to launch the Policy Violations page. See "Policy Violations" on page 453. Use the refresh button to update the table.

The table is presented in a paged format with navigation tools located at the bottom of the table. Move forward or backward one page at a time, or skip to the beginning or end of the table, using the arrow buttons. You can also type the desired page in the page number field. Use the drop-down list to select the number of line items to display per page.

The Policy Violation Status panel contains the following information:

Table 173—Policy Violation Status Panel Field Descriptions

Identity: Name of the person in violation.
Policy: Name of the policy being violated.
Rule: The specific rule that is being broken to cause the violation of the policy.
Last Detected: The most recent date and time the policy violation was detected.

Risk Score Chart

A historical look at the number/count of risk scores for the specified group, broken into score bands, over time. A snapshot of your organization's identity risk information is taken periodically based on a time interval set when IdentityIQ is configured. Each snapshot is represented by a date on the Risk Score chart.

Click Expand Chart to view a full page version of this chart. The full page view displays the current chart options and enables you to change them as needed. Click Back to Dashboard to return to the dashboard view.

Use the configuration options at the top of the panel to modify the display. To display the configuration options, click configure. Click configure again to hide the selection boxes. Click Refresh to view the reconfigured information.

The Risk Score dashboard panel configuration options are:

Table 174—Dashboard Risk Score Options

Type: The type of chart to display in the panel: Line, Bar, Stackedbar, Area, or Stackedarea. Each chart type displays the same information, just in a different format.

Table 174—Dashboard Risk Score Options (continued)

Date Range: The date range from which the snapshot information should be pulled: Current, 3 Months, 6 Months, or 1 Year. Note: Current displays information from the most current snapshot of your enterprise.
Group: The group from which to draw snapshot information. Groups are defined by values assigned to the following identity attributes: Department, Location, Manager and Organization. The Global group contains all users in IdentityIQ.
Value: The list of values assigned to the attributes that define groups. For example, the Location attribute might be assigned a value for every city in which your enterprise has an office.

Signoff Status

A list view of the sign off status for tasks and reports on which sign off is required. Click on a sign off item to display the work item with which it is associated. Use the search options to limit the number of items displayed in the list.

How to Edit the Dashboard

The appearance of your SailPoint IdentityIQ Dashboard is completely configurable. You choose the layout of the page and decide what information is displayed. You can alter the appearance of your Dashboard as often as you need. The information displayed refreshes automatically and you do not need to restart the application.

Customize the layout of the components to optimize the space on the page and prioritize the information as it appears on your screen. Panel order becomes important if you select one of the formats with columns of different width, as some panels lend themselves to narrow columns and others do not.

Use the following procedure to edit your Dashboard:

Procedure

1. Click the Dashboard tab to display your IdentityIQ dashboard.

2. Click Edit Dashboard to display the Add Dashboard Content page.

3. Click on a page layout at the top of the page. The selected page layout is highlighted. You can arrange the layout of your Dashboard after you save your changes. See Step 6 below.

4. Add content to your Dashboard. Select and drag dashboard components from the Available Content list to the Your Content list.
Note: The Available Content list is populated based on the authorization level associated with your IdentityIQ user ID.

Hold your cursor over the question mark icon on each component for a brief description.

5. Click Save to save your changes and return to the Dashboard view.

6. Optionally: Select and drag the components of your Dashboard up or down, left or right, to customize the layout.

Additional Information: IdentityIQ Dashboard on page 355

How to Edit Your User Preferences

Use the Edit Preferences page to change the password you use to log in to IdentityIQ, set up a user to whom all work items assigned to you are forwarded, and set the default view of identity-type certification requests. For example, if you are a manager you might have a designated Compliance or Security Officer that handles all certification issues.

Note: The password options are displayed by clicking Change Password.

The Edit Preferences page contains the following information:

Table 175—Edit Preferences Field Descriptions

Forwarding User: Enter the name of another IdentityIQ user to whom all work items assigned to you will be forwarded. Enter the first letter or letters of a name to display a selection list of all valid IdentityIQ users and select a name from the list. Individual user preferences can override configuration settings.
Start Forwarding: The date on which forwarding work items should begin. If no date is specified, work item forwarding begins when a Forwarding User is specified.
End Forwarding: The date on which forwarding work items should end. If no date is defined and a forwarding user is specified, work items will continue to be forwarded to that identity indefinitely. Individual user preferences can override configuration settings.
Default Access Review Grid View: Select the grid view to display for all identity-type certification report list pages, either the worksheet or list view.
• Worksheet — the individual line items that are assigned to the identities within identity-type certifications.
• Identity — the top-level items that make up a certification: identities, account groups, or roles.
Initial Access Review View: Select the view displayed when access review reports are initially accessed.
• List — open the grid view.
• Detailed — open the Access Review Decisions tab associated with the first item in the access review.

Table 175—Edit Preferences Field Descriptions (continued)

Show Helpful Pop Up Windows: In certifications, there are popup windows that provide helpful information. These are enabled by default, but can be hidden. This button re-enables all of these helpful pop up windows.
Default Entitlement Display Mode: Select your preference for the way in which entitlement names are displayed throughout IdentityIQ. Entitlement Name: the base name of the entitlement. Entitlement Description: the more verbose or intuitive description of the entitlement.
New Password: Enter a password for IdentityIQ. This password must adhere to any password policy in place at your enterprise.
Confirm Password: Re-enter the password to confirm.
Edit Authentication Questions: Displayed when "Enable Forgot Password" is enabled in the Login Configuration section of System Setup. Use the drop-down lists to select authentication questions and fill in the fields with the corresponding answers.

View Work Item Page

Use the View Work Item page to complete all work items other than full certifications. When you click a certification from the Work Items Inbox, the Certification Report page for that certification opens. For all other work items, you are taken to the View Work Item page. After a work item is completed or rejected you are returned to the previous page and the work item is removed from your work item list. Completion and rejection comments are saved in reports.

If a work item is created for a user that is no longer active in IdentityIQ, it is forwarded to that user's manager or supervisor. If no manager is listed, the work item is assigned to the IdentityIQ administrator. Orphaned work items are discovered and identified during the Perform Maintenance task. Use escalation rules to determine the proper escalation path for orphaned work items. Escalation rules are created and set during the configuration and implementation of the product.

The View Work Item page contains the following sections:
• Summary — administrative information about the work item. See Summary on page 369.
• Details — detailed information about the action required to close this work item. See Details on page 369.
• Comments — any comments associated with the work item beyond the summary information. View or add comments in this section. See Comments on page 369.
• Action Buttons — the buttons that commit any action taken on the work item. See Action Buttons on page 370.

The Work Item page might contain any of the following work item types:

Delegation — work items that have been delegated to you from another user's certification requests or policy violations. See How to Complete Delegated Access Reviews on page 68.

Revocation — requests to remove specific user access to applications on which you have the authority to grant or remove privileges.

or entitlement requiring certification or revocation. View the details and approve or reject the changes. Summary The summary section contains the following: Field Name Description Requestor The name of the IdentityIQ user that assigned this work item to you. Reassigned or Forwarded — work items that have been forwarded or reassigned to you by another user. The information displayed is dependent on the type of work item being viewed. including previous owner history. Reassigned work items are labeled reassigned. Impact Analysis — impact analysis has been performed on a change to a role or profile. Description A brief description of the work item.View Work Item Page to grant or remove privileges. forwarded work items contain the forwarding user’s name in the description. Date The date the work item was assigned. See How to Approve Role Changes on page 278. for example. See How to Complete Reassigned or Forwarded Access Reviews on page 70. role. Expiration The date by which the work item must be completed. These comments can be viewed by the creator of the work item. if applicable. History The history of this work item. Severity Severity of the work item. Sign off — there are report or task results that are pending your sign off. The Comments section can also be used to retain a work history for the work item. See How to Complete Revocation Work Items on page 69. either by the requestor. View the results of the report or task and sign off. Details The Details section contains detailed information about the work item. reject or Forward the sign off request. Or. the identity. When comments are added to a work item. Comments The Comments section contains comments added to the work item. the owner. See. an email notification is sent to both the requestor and the owner of the work item and can be used to communicate back and forth. See How to Perform Impact Analysis on page 278. Or an access change request was generated from the Access Request Manager. 
Click the Add Comment button to add additional comments to this work item. How to Create a Role From a Role Creation Request on page 273. a candidate role requires your approval before it can become active in the modeler. or by you. Review the report and apply or discard the pending changes. IdentityIQ User’s Guide 369 .  Approval — changes to a role or profile are pending your approval.

enter them on this dialog and click Approve to complete the work item. Changes made to the work item while it was delegated are removed when a work item is rejected. If comments are required. enter them on this dialog and click Complete to mark the work item as completed.View Work Item Page Action Buttons Use the following buttons to take action on the work item displayed on the View Work Item page.The work item is removed from your inbox and the status of the report or task results is updated. These buttons vary according to the work item type: • Complete — Click Complete to display the Completion Comments dialog. • Cancel — Click Cancel to cancel any work done on this work item and return to the previous page. If comments are required. • Forward — Click Forward to display the Forward Work Item dialog. Owner history is maintained in the work item history. • Reject — Click Reject to display the Rejection Comments dialog. • Apply — Click Apply to apply the changes covered by this work item. 370 IdentityIQ User’s Guide . Enter comments as required and click Reject to return this work item to the requestor. • Approve — Click Approve to display the Approval Comments dialog. Enter comments as required and click Signoff to complete the work item. • Sign off — Click Signoff to display the Signoff Approval Comments dialog. • Discard — Click Discard to close this work item and discard any changes to which it applies. Enter comments as required and click Forward to forward this work item to another IdentityIQ user.
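The routing rules above (an inactive owner's item goes to the manager, or to the administrator when no manager is listed; a forwarding user with an optional Start/End Forwarding window; owner history kept on the item) are small enough to model in a few lines. The following Python is an added example for this guide, not IdentityIQ code or its rule API: the administrator login "spadmin", the identities and the work item are constructed sample data, escalation rules are not modelled, and the guard that parks a looping forward chain with the administrator is this example's own choice rather than documented product behaviour.

```python
"""Work item routing model (added example, not IdentityIQ code).

Models the routing described for the View Work Item page: a work item created
for a user who is no longer active goes to that user's manager, or to the
administrator when no manager is listed; a user's forwarding preference is
followed hop by hop while its Start/End Forwarding window applies; and the
chain of previous owners is kept as history. ADMIN, the identities and the
work item below are constructed sample data. Escalation rules are not modelled.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

ADMIN = "spadmin"  # assumed administrator login (sample data, not a product constant)


@dataclass
class Identity:
    name: str
    active: bool = True
    manager: Optional[str] = None
    forward_to: Optional[str] = None
    forward_start: Optional[date] = None  # Start Forwarding (optional)
    forward_end: Optional[date] = None    # End Forwarding (optional)


@dataclass
class WorkItem:
    description: str
    owner: str
    requestor: str
    assigned: date
    history: list = field(default_factory=list)  # previous owners, oldest first


def forwarding_active(ident: Identity, today: date) -> bool:
    """True when `ident` forwards work items on `today`, honouring the Start/End window."""
    if not ident.forward_to:
        return False
    if ident.forward_start and today < ident.forward_start:
        return False
    if ident.forward_end and today > ident.forward_end:
        return False
    return True


def resolve_owner(start: str, identities: dict, today: date, max_hops: int = 10):
    """Follow inactive-user and forwarding hops from `start`; return (final owner, trail)."""
    owner, trail = start, [start]
    for _ in range(max_hops):
        if owner == ADMIN:  # the administrator is terminal
            return owner, trail
        ident = identities.get(owner)
        if ident is None or not ident.active:
            # Orphaned item: manager if one is listed, otherwise the administrator.
            nxt = ident.manager if (ident and ident.manager) else ADMIN
        elif forwarding_active(ident, today):
            nxt = ident.forward_to
        else:
            return owner, trail
        if nxt in trail:
            # Forwarding loop (example's own guard): park with the administrator rather than lose it.
            trail.append(ADMIN)
            return ADMIN, trail
        trail.append(nxt)
        owner = nxt
    trail.append(ADMIN)  # too many hops: same fallback
    return ADMIN, trail


def create_work_item(description, requested_owner, requestor, identities, today):
    """Create a work item, routing it as described above and recording owner history."""
    owner, trail = resolve_owner(requested_owner, identities, today)
    if len(trail) > 1:
        # Forwarded items carry the forwarding user's name in the description.
        description = f"{description} (forwarded from {trail[-2]})"
    return WorkItem(description, owner, requestor, today, history=trail[:-1])


# Constructed sample identities.
IDENTITIES = {i.name: i for i in [
    Identity("spadmin"),
    Identity("carol", manager="spadmin"),
    Identity("alice", manager="carol", forward_to="bob",
             forward_start=date(2011, 6, 1), forward_end=date(2011, 6, 30)),
    Identity("bob", manager="carol"),
    Identity("dave", active=False, manager="carol"),   # inactive, has a manager
    Identity("erin", active=False),                    # inactive, no manager listed
    Identity("frank", forward_to="gina"),              # frank and gina forward to each other
    Identity("gina", forward_to="frank"),
]}

if __name__ == "__main__":
    item = create_work_item("Revocation: remove SAP_FI from jsmith", "dave", "hr-bot",
                            IDENTITIES, date(2011, 6, 15))
    print(item.owner, item.history, item.description)
```

The forwarding window is checked on the date the item is routed, so an item created for alice on 2011-06-15 lands with bob, while one created on 2011-07-01 stays with alice; the inactive user dave's item goes to carol, and erin, who has no manager, hands hers to the administrator.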

Chapter 16: IdentityIQ Identity Cube Management

Use the Identity pages to create, view and edit individual identity cube risk information. Identity Cubes are multi-dimensional data models of identity information that offer a single, logical representation of each managed user. Each Cube contains information about user entitlements, associated business context and historical records of user access configurations and activity.

IdentityIQ provides the following Identity Cube components:
• Identities Page on page 385 — basic user information for every user in your organization as discovered by IdentityIQ.
• View Identity Page on page 387 — displays detailed information for one individual identity.
• Identity Risk Scores on page 61 — displays one tab for each risk level defined in IdentityIQ. Click on a tab to display a list of all of the users that fall into that risk level.
• Manual Correlation of Identity Cubes on page 419 — correlate the IdentityIQ identity cubes created when identity aggregation was performed on your identity authoritative source with any user accounts discovered while performing aggregations on other applications.
• Schedule an Identity Certification on page 127 — schedule identity access certifications for any or all users.
• Identity Search on page 455 — generate searches on specific attributes of the users in your enterprise.

Access to components is controlled by IdentityIQ Capabilities and scope. Talk to your system administrator if you need access to additional components.

Identities Page

The Identities table contains basic user information for every user discovered during the latest aggregation process. Select Identities from the Define tab to access the Identities page.

Use filtering to limit the number of identities displayed. Enter a letter, or combination of letters, and click Filter to display users that have that letter combination in their name.

Note: Click any of the column titles to sort the table alphabetically by the entries in that column. Click the title again to sort the table reverse-alphabetically.

The Identities table contains the following information:

Table 176—Identities Column Descriptions

Name: The user's account ID or login name.
First Name: Full first name of the user.
Last Name: Full last name of the user.
Manager: The manager to whom the user reports directly.
Role: A complete list of all roles assigned to the user.
Composite Score: The composite risk score for the user. Risk score is determined by numerous factors defined during configuration.
Last Refresh: The date of the last identity refresh.

Click on a user to display the View Identity page. See View Identity Page on page 387.

View Identity Page

Access to components within IdentityIQ is controlled by IdentityIQ Capabilities. If you need access to additional components talk to your system administrator.

Use the View Identity page to drill down to detailed information about each component of the Identity Cube for a selected user. The View Identity page contains the following tabs:
• View Identity Attributes Tab on page 389
• View Identity Entitlements Tab on page 391
• View Identity Application Accounts Tab on page 393
• View Identity Policy Tab on page 395
• View Identity History Tab on page 397
• View Identity Risk Tab on page 399
• View Identity Activity Tab on page 401
• View Identity User Rights Tab on page 403
• View Identity Events Tab on page 417

View Identity Attributes Tab

The Attributes tab provides the basic user identity information such as manager and email, as well as enabling you to update the user password. The information displayed on this tab depends on your IdentityIQ capabilities.

Identity attributes are defined during configuration. The identity attributes displayed on the tab you are viewing might not match those listed in the table. Attributes might also be configured so that they can be modified from this tab. Click Edit at the top of the identity attribute list and modify the attributes as necessary.

Note: Changes made on this tab are not saved until you click the Save button at the bottom of the page. If you click to a different tab or page, any changes you have made are lost.

Table 177—Identity Attributes tab Field Descriptions

Username: The user's account ID or login name.
First Name: Full first name of the user.
Last Name: Full last name of the user.
Email: The user's email address.
Manager: The manager to whom the user reports directly. Click the manager name to display the View Identity page for that user.
Change Password: Set or update a password for the user. You must confirm any password changes in the Confirm Password field. Select the check-box below the password confirmation field to require the user to change their password the next time they log in to IdentityIQ.
Change Forwarding User: Change the user to whom work items assigned to this identity should be forwarded. Optionally use the Start Forwarding and End Forwarding options to set a specific time period in which forwarding should occur.

View Identity Entitlements Tab

The Entitlements tab lists all of the user's roles and additional entitlements and enables you to assign roles and delete assigned roles. Only assigned roles can be deleted from this page.

To assign a role, click the Add Role button and select a role from the Add New Role dialog. If enabled, use the Activate and Deactivate fields to specify a time period during which this user will have access to the role being added. If the role you added contains required roles that were not detected for this identity, a red x is displayed to the right of that role name on the Permitted and Required Roles tab in the role detail information. The required access can be requested, or automatically provisioned, during the next certification of this identity or through the Synchronize Roles or Identity Refresh tasks. Provisioning can be set to occur immediately from this page during the deployment and configuration of IdentityIQ, but by default that function is disabled and typically handled using the tasks.

The View Identity Entitlements tab contains the following information:

Table 178—Identity Entitlements tab Field Descriptions

Assigned Roles: A list of roles that were assigned to the user manually or through role assignment rules. Assigned roles are typically business-type roles that model how users are grouped by business function, including functional hierarchies, project teams, or geographic location. Click the name to view detailed information about the role. If an activation or deactivation date is defined for the role it is displayed in a message box below the role name.
  Name — name of the role.
  Description — brief description of the role.
  Assigned By — the user that assigned this role to the identity being viewed.
  Permits — the detected roles for this user that are permitted by this assigned role but that are not directly assigned to this user.
Detected Roles: A list of roles that were detected through the aggregation and correlation processes. Detected roles typically model the IT privileges required to perform a specific function within an application or other target system. Click the name to view detailed information on the entitlements that make up the role.
  Name — name of the role.
  Description — brief description of the role.
  Permitted By — the assigned roles that permit this role, either directly or indirectly. A direct permission is one in which the assigned role is a member of the permitted role. An indirect permission is one in which the permitted role is on the permitted list for the assigned role.
Additional Entitlements: A list of the applications that have entitlements to which the identity has access but that do not combine to form a role. Click on an application name to view the entitlement details.

View Identity Application Accounts Tab

The Application Accounts tab lists account information for all of the applications to which the user has some level of access. Click on an application name to view detailed information.

Select an account in the table and click Delete to remove the link between the identity and the application in IdentityIQ. This does not affect the user's account or entitlements on the application.

Select an account and click Move to transfer the account to a different identity. On the Select Account Owner dialog, either select an existing identity from the list or create a new identity. To select an existing identity, enter the first few letters of the identity name to display a suggestion list, or click the arrow to the right of the field to display a list of all identities to which you have access.

The View Identity Application Accounts tab contains the following information:

Table 179—Identity Application Accounts tab Column Descriptions

Application: The name of the applications to which the user has some level of access. Click on an application name to view detailed information.
Account Name: The simple name used to identify the user on the application.
Last Refresh: Date on which the user identity information was last refreshed.

View Identity Policy Tab

The Policy tab lists policy violations for the user. Policies are comprised of rules used to enforce your organization's policies. For example, a separation of duty rule might be defined that disallows a single user from having roles that enable them to both request and approve purchase orders. The table contains the policy and rules being violated.

Table 180—Identity Policy tab Column Descriptions

Detected: The date on which this policy violation was detected.
Policy: The policy that is being violated.
Rule: The specific rule that is being broken to cause the violation in the policy. Click on a rule to display the following rule information:
  Description — brief description of the rule from the rule definition page.
  Policy — the policy in which the rule is contained.
  Compensating Control — any compensating controls associated with this rule.
  Correction Advice — advice on how to correct the violation as entered when the rule was created.
  Score Weight — the risk score weight assigned to this rule and used to calculate identity risk scores in IdentityIQ.
Summary: The reason for the violation.

View Identity History Tab

The History tab provides a history of user data. A snapshot of identity information is taken at the interval set on the Configure System Settings page. See System Setup on page 321. Tracking identity scores over time enables you to spot patterns or trends in a user's activity.

Click on a snapshot date from the table to display the View Identity History page. See View Identity History Page on page 376.
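The Entitlements tab (required roles not detected for the identity, and the detected roles an assigned role permits) and the Policy tab (a separation-of-duty rule such as the purchase-order example, each rule carrying a score weight) both describe checks that can be stated precisely. The Python below is an added example written for this guide, not IdentityIQ code or its rule API: the role model, the rules, the identities and the 2011-06-15 detection date are constructed sample data, and adding rule weights up to a cap is this example's own simplification of how a policy score is formed, not the product's scoring formula.

```python
"""Role requirement and separation-of-duty check (added example, not IdentityIQ code).

Models two things described on the View Identity page: on the Entitlements
tab, an assigned role whose required roles were not detected for the identity
is flagged (the red x) and the detected roles an assigned role permits are
listed under Permits; on the Policy tab, a separation-of-duty rule fires when
one identity holds roles from both sides of the rule and contributes its score
weight. Role model, rules and identities are constructed sample data; summing
weights with a cap is a simplifying assumption, not the product's formula.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample role model: role -> roles it requires and roles it permits.
ROLE_MODEL = {
    "PO Requester":      {"requires": {"SAP PO Create"},   "permits": {"SAP PO Reporting"}},
    "PO Approver":       {"requires": {"SAP PO Release"},  "permits": {"SAP PO Reporting"}},
    "Vendor Maintainer": {"requires": {"SAP Vendor Edit"}, "permits": set()},
    "Vendor Payer":      {"requires": {"SAP Vendor Pay"},  "permits": set()},
    "SAP PO Create":     {"requires": {"SAP Login"},       "permits": set()},
    "SAP PO Release":    {"requires": {"SAP Login"},       "permits": set()},
}


def required_closure(role, model, seen=None):
    """Every role transitively required by `role` (excluding `role` itself)."""
    seen = set() if seen is None else seen
    for req in model.get(role, {}).get("requires", set()):
        if req not in seen:
            seen.add(req)
            required_closure(req, model, seen)
    return seen


def evaluate_roles(assigned, detected, model):
    """Per assigned role: required roles not detected (the red x) and permitted detected roles."""
    out = {}
    for role in assigned:
        permits = model.get(role, {}).get("permits", set())
        out[role] = {
            "missing_required": required_closure(role, model) - detected,
            "permits": (permits & detected) - assigned,  # permitted, not directly assigned
        }
    return out


@dataclass(frozen=True)
class SodRule:
    name: str
    policy: str
    left: frozenset
    right: frozenset
    score_weight: int
    correction_advice: str


@dataclass(frozen=True)
class Violation:
    detected: date
    policy: str
    rule: str
    summary: str
    score_weight: int


RULES = [  # constructed sample rules
    SodRule("Request and approve purchase orders", "Purchasing SoD",
            frozenset({"PO Requester"}), frozenset({"PO Approver"}), 500,
            "Remove one of the two roles or document a compensating control"),
    SodRule("Maintain and pay vendors", "Purchasing SoD",
            frozenset({"Vendor Maintainer"}), frozenset({"Vendor Payer"}), 300,
            "Move vendor payment to a separate identity"),
]


def check_policies(roles, rules, today):
    """One Violation per rule whose left and right sides are both held in `roles`."""
    found = []
    for r in rules:
        left, right = r.left & roles, r.right & roles
        if left and right:
            found.append(Violation(today, r.policy, r.name,
                                   f"holds {sorted(left)} and {sorted(right)}", r.score_weight))
    return found


def policy_score(violations, cap=1000):
    """Simplifying assumption: rule weights add up, capped at `cap`."""
    return min(cap, sum(v.score_weight for v in violations))


# Constructed sample identities: assigned (business) roles and detected (IT) roles.
ALICE = {"assigned": {"PO Requester"}, "detected": {"SAP Login", "SAP PO Reporting"}}
CAROL = {"assigned": {"PO Requester", "PO Approver", "Vendor Maintainer", "Vendor Payer"},
         "detected": {"SAP Login", "SAP PO Create", "SAP PO Release",
                      "SAP Vendor Edit", "SAP Vendor Pay"}}


def review(identity, model=ROLE_MODEL, rules=RULES, today=date(2011, 6, 15)):
    """What the Entitlements and Policy tabs would show for one identity."""
    violations = check_policies(identity["assigned"] | identity["detected"], rules, today)
    return {"roles": evaluate_roles(identity["assigned"], identity["detected"], model),
            "violations": violations, "policy_score": policy_score(violations)}
```

For ALICE the check reports "SAP PO Create" as a required role that was not detected (the red x) and "SAP PO Reporting" under Permits, with no violations; CAROL has every required role but holds both sides of both rules, so two violations are raised and their weights combine into her policy score. Requirements are followed transitively, so a business role that requires an IT role that in turn requires a login role is only satisfied when the whole chain was detected.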

View Identity History Page

The View Identity History page contains user information from the specific date and time listed on the top of the page.

to someone else with certification authority. for this identity. those items are not revoked. Application Th