
Lifecycle Manager Access Requests Overview

Fundamentals of IdentityIQ Implementation


Overview
User Driven Access Changes
• Access requests overview
• Identity change lifecycle
• Access request process
• Access request demonstration
• Access request configuration process

Copyright © SailPoint Technologies, Inc. 2017. All rights reserved. 3


Access Requests
Overview



Identity Change Lifecycle

Sources of change:
• User Provisioning Requests: Manager, Help Desk, Self-Service, Other Users
• Governance/Compliance Processes: Certifications, Policy Remediations
• Data: Change Data Trigger Events

IdentityIQ applies each change to Identities, Entitlements, and Accounts under consistent, sustainable, business-level controls:
Policy Evaluation | Audit | Risk Assessment | Change Controls | Approvals | Workflow | Events & Actions


Key Considerations
User-driven Changes: Lifecycle Requests

Who can make what kinds of requests for whom?

What workflow should run to fulfill the request?



Access Request Process


Lifecycle Manager



Access Request Types
• Add or remove roles/entitlements
• Request, delete, modify accounts
• Create new Identity Cube
• Edit Identity Cube
• Change passwords on managed systems or IdentityIQ
• View identity attributes


Access Request Process
Process Flow
A request is made for others (Manager, Help Desk, Custom) or for self (Self-Service), then moves through the Plan, Workflow, and Target Resource stages:
• Initiate access request
• Filter options based on requestee/requester (Applications, Roles & Entitlements)
• Select access and submit
• Expand data & roles
• Evaluate policy
• Obtain approvals
• Activate Provisioning Broker


Tracking Requests
Track My Requests
• See all access requested by you and for you
• Identity Request Admin. and System Admin. capability sees all
• Cancel requests
• See complete breakdown of Access Request


Tracking Requests
Access Request Details
• Details entire request including
  • What was requested
  • Approvals complete/pending
  • Final status of request
  • Role expansions
  • Error messages


Access Request Demonstration

Request Configuration Process
Overview
• Install LCM
  • In the console: import init-lcm.xml
• Configure system wide controls (apply to all users)
  • LCM Options
  • Requestable Items
    • Entitlement Catalog
    • Roles
  • Provisioning Policies (Application/Identity Create)
  • Business Processes (Workflows)
• Configure Quicklink Populations
  • Who can request
  • For whom can they request
  • What can they request
• Configure Quicklinks per Quicklink population


Knowledge Check

Access Requests Configurations
Fundamentals of IdentityIQ Implementation
Overview
User Driven Access Changes
• Supporting configuration
• Configuring provisioning policies
• Associating workflows
• Configuring Quicklink populations



Provisioning Policies



Provisioning Policies
• Provide values to create, update, and delete accounts on connected applications
• Values can be provided manually by user
• Values can be provided by IdentityIQ (auto-calculated or static)

Example: Create an account on PRISM

PRISM Create Provisioning Policy

  Attribute   Value
  First       return identity.firstname;
  Last        return identity.lastname;
  Login       return identity.name;
  Status      A
  Locked      N

Resulting Plan sent to PRISM:

  First: John
  Last: Jones
  Login: John.Jones
  Status: A
  Locked: N
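The PRISM example above, worked as an added Python model (not SailPoint code and not IdentityIQ's API): each policy field is either a static value, a value calculated from the identity, or left for the requester to type in. The First/Last/Login/Status/Locked fields mirror the slide; the Department field and the Identity class are constructed here to show the "provided manually by user" case and what happens when such a value is missing.

```python
"""Constructed model of a Create provisioning policy producing a plan.

Added example, not SailPoint code. Field sources mirror the slide's PRISM
Create policy; "Department" is a hypothetical user-supplied field.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Union


@dataclass
class Identity:
    name: str        # IdentityIQ identity name, e.g. "John.Jones"
    firstname: str
    lastname: str


# A policy field value is one of:
#   - a str:      static value supplied by IdentityIQ ("A", "N")
#   - a callable: auto-calculated from the identity (like a field script)
#   - None:       must be entered by the requester on the form
FieldValue = Union[str, Callable[[Identity], str], None]

# Mirrors the slide's PRISM Create policy; "Department" is a constructed addition.
PRISM_CREATE_POLICY: Dict[str, FieldValue] = {
    "First": lambda identity: identity.firstname,
    "Last": lambda identity: identity.lastname,
    "Login": lambda identity: identity.name,
    "Status": "A",
    "Locked": "N",
    "Department": None,   # constructed: value comes from the requester
}


def build_create_plan(application: str, policy: Dict[str, FieldValue],
                      identity: Identity,
                      user_values: Optional[Dict[str, str]] = None) -> dict:
    """Resolve every policy field and return a plan for a Create account request.

    Raises ValueError when a field the policy leaves to the user was not
    supplied, so a request never reaches the target with a blank attribute.
    """
    user_values = user_values or {}
    attributes: Dict[str, str] = {}
    missing = []
    for attr, source in policy.items():
        if callable(source):
            attributes[attr] = source(identity)      # auto-calculated
        elif source is not None:
            attributes[attr] = source                # static
        elif attr in user_values:
            attributes[attr] = user_values[attr]     # entered by requester
        else:
            missing.append(attr)
    if missing:
        raise ValueError("missing user-supplied attribute(s): " + ", ".join(missing))
    return {"op": "Create", "application": application,
            "identity": identity.name, "attributes": attributes}


if __name__ == "__main__":
    john = Identity(name="John.Jones", firstname="John", lastname="Jones")
    plan = build_create_plan("PRISM", PRISM_CREATE_POLICY, john,
                             {"Department": "Finance"})
    for attr, value in plan["attributes"].items():
        print(f"{attr}: {value}")
```

Running the block prints the same five attribute/value pairs as the slide's plan plus the constructed Department value; calling build_create_plan without the Department value raises instead of sending a half-filled plan.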


Provisioning Policy Configuration
Application Provisioning Policies
• Used with Quicklinks that support application requests
  • Manage User Access
  • Manage Accounts
  • Manage Passwords
• Support
  • Account create
    • Most important policy
    • Often predefined with connector
  • Account update, delete, enable, disable, unlock, and password change
  • Group create and update (if groups are supported by connector)
    • Create often predefined
Provisioning Policy
Form Editor



Associated Business Processes


LCM Configuration
Associate Business Processes with Actions

Default Workflows



Knowledge Check

Quicklink Populations



Quicklink Populations
Definition
• Flexible method to control who has access to a Quicklink
• Provide for answering the three questions:

Who can request?

For whom can they request?

What can they request?

Access:
"gear" > Global Settings > Quicklink Populations


Quicklink Populations
Members and Requestees
• Default Quicklink Populations

  Population     Who can request?                            For whom can they request?
  Everyone*      All identities                              Not applicable
  Help Desk      Users with Help Desk Personnel capability   All identities
  Manager        Users with Manager Status = true            Direct and indirect reports
  Self-Service   All identities                              Themselves

  * My Tasks (Non-LCM) Quicklinks and Quicklink Cards

• Custom Quicklink Populations
  • Members based on attribute match, filter, script, rule, or population
  • Requestees are either everyone or specific users
  • Access is cumulative


Manager Population Example
Who can request?



Manager Population Example
For whom can they request?



Manager Population Example
What can they request?



Manager Population Example
Specifically, what can they request?
• Availability based on requestor and/or requestee
• Configured through rules
  • Multiple rule options provided
  • Can create own rules


What can members request?
Example: Controlling Access with Rules and Extended Attributes

CONFIGURATION

  Identity Cubes                 Access Options
  John    Security Level: 7      Spy Super User   Rec_Sec_Level: 10
  Susan   Security Level: 12     Spy Data Entry   Rec_Sec_Level: 5
  Ian     Security Level: 2      Spy Audit        Rec_Sec_Level: 10

ACCESS REQUESTS (what each identity can request)

  John    Spy Data Entry
  Susan   Spy Super User, Spy Data Entry, Spy Audit
  Ian     <No Spy Options>

Rule
  import sailpoint.object.Filter;
  // Show only access items whose rec_sec_lev is at or below the requestee's security_lev
  return Filter.le("rec_sec_lev", requestee.getAttribute("security_lev"));
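The three population questions, worked together as one added Python model (not SailPoint code and not IdentityIQ's API). It covers the default Quicklink Populations table from the "Members and Requestees" slide (who can request, for whom, access cumulative across populations) and the rule above (what can be requested, by comparing the item's Rec_Sec_Level with the requestee's Security Level). The directory of identities, their reporting chain, the "Help Desk Personnel" capability string, the managerStatus and security_lev attribute names, and the access catalog are all constructed for this example.

```python
"""Constructed model of the three Quicklink Population questions.

Added example, not SailPoint code. Identities, the reporting chain and the
access catalog are invented; the requestable-access check mirrors the slide's
rule  Filter.le("rec_sec_lev", requestee.getAttribute("security_lev")).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Identity:
    name: str
    manager: Optional[str] = None                      # name of the manager identity
    capabilities: Set[str] = field(default_factory=set)
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class AccessItem:
    name: str
    rec_sec_lev: int        # extended attribute on the role/entitlement (constructed)


Directory = Dict[str, Identity]


def reports_of(manager: str, directory: Directory) -> Set[str]:
    """Direct and indirect reports of a manager, walking the manager links."""
    found: Set[str] = set()
    frontier = [manager]
    while frontier:
        current = frontier.pop()
        for ident in directory.values():
            if ident.manager == current and ident.name not in found:
                found.add(ident.name)
                frontier.append(ident.name)
    return found


@dataclass
class QuicklinkPopulation:
    name: str
    is_member: Callable[[Identity], bool]                    # who can request?
    requestees: Callable[[Identity, Directory], Set[str]]    # for whom can they request?


# The four default populations from the slide. "Everyone" only covers
# non-LCM Quicklinks, so it contributes no requestees.
DEFAULT_POPULATIONS: List[QuicklinkPopulation] = [
    QuicklinkPopulation("Everyone", lambda i: True, lambda i, d: set()),
    QuicklinkPopulation("Help Desk",
                        lambda i: "Help Desk Personnel" in i.capabilities,
                        lambda i, d: set(d)),
    QuicklinkPopulation("Manager",
                        lambda i: i.attributes.get("managerStatus") is True,
                        lambda i, d: reports_of(i.name, d)),
    QuicklinkPopulation("Self-Service", lambda i: True, lambda i, d: {i.name}),
]


def memberships(requester: Identity,
                populations: List[QuicklinkPopulation] = DEFAULT_POPULATIONS) -> List[str]:
    """Who can request: the populations this identity belongs to."""
    return [p.name for p in populations if p.is_member(requester)]


def requestees_for(requester: Identity, directory: Directory,
                   populations: List[QuicklinkPopulation] = DEFAULT_POPULATIONS) -> Set[str]:
    """For whom: access is cumulative, so union the requestees of every matching population."""
    allowed: Set[str] = set()
    for pop in populations:
        if pop.is_member(requester):
            allowed |= pop.requestees(requester, directory)
    return allowed


def requestable_for(requestee: Identity, catalog: List[AccessItem]) -> List[str]:
    """What can be requested: items whose rec_sec_lev <= the requestee's
    security_lev, the same test the slide's Filter.le rule expresses."""
    level = int(requestee.attributes.get("security_lev", 0))
    return [item.name for item in catalog if item.rec_sec_lev <= level]


# Constructed directory: Alice manages Susan and John; Susan manages Ian;
# "hd" is a help-desk user with no reports.
DIRECTORY: Directory = {
    "alice": Identity("alice", attributes={"managerStatus": True, "security_lev": 9}),
    "susan": Identity("susan", manager="alice",
                      attributes={"managerStatus": True, "security_lev": 12}),
    "john": Identity("john", manager="alice", attributes={"security_lev": 7}),
    "ian": Identity("ian", manager="susan", attributes={"security_lev": 2}),
    "hd": Identity("hd", capabilities={"Help Desk Personnel"}, attributes={"security_lev": 1}),
}

# Constructed catalog matching the slide's access options.
CATALOG = [AccessItem("Spy Super User", 10),
           AccessItem("Spy Data Entry", 5),
           AccessItem("Spy Audit", 10)]

if __name__ == "__main__":
    for name, ident in DIRECTORY.items():
        print(name, memberships(ident), sorted(requestees_for(ident, DIRECTORY)),
              requestable_for(ident, CATALOG))
```

Note how the cumulative rule plays out: Susan is both a manager and a self-service user, so her requestee set is her reports plus herself, while the help-desk user can request for all identities without being anyone's manager. The requestable list for John, Susan, and Ian reproduces the slide's three rows.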
Knowledge Check

Configuring Quicklinks:
Manage User Access
Fundamentals of IdentityIQ Implementation
Configuration Overview
Manage User Access Quicklink
• Role requests
• Entitlement requests
• Request for self
• Request for others



Manager Quicklink Population Example
Manage User Access Quicklink Configuration



Manage User Access
Requesting for Others
• Card for each identity for which requestor can request or delete access
• Multiple cards can be selected



Entitlement Catalog
Which entitlements can be requested?
• Entitlement is requestable through LCM
  • Default = Requestable
• Displayed in LCM
• Access request approver


Requesting Access
Manage Access Options
• Add Access
  • Select from allowed roles and entitlements
  • Listed roles and entitlements controlled by configuration
• Remove Access
  • List user's current roles and entitlements
  • Delete role or entitlement


Searching Configuration
Searching by Keyword
• Full Text Search (default) includes name, attributes, and description
• Add Access Page UIConfig Entry Keys:
  • uiAccessItemsColumnsEntitlement
  • uiAccessItemsColumnsRole
• Remove Access Page UIConfig Entry Keys:
  • uiCurrentAccessItemsColumnsEntitlement
  • uiCurrentAccessItemsColumnsRole
Searching Configuration
Filtering Search Results
• Filter by role or entitlement information
• Searchable entitlement/role extended attributes automatically added to search parameters
Searching Configuration
Searching by Affinity
• Search by identity match or by population attribute matching
• Available only to those who can request access for others
• Results show access for requested identity or population
• UIConfig controls available search options
  • Entry Key: "lcmSearchIdentityAttributes"


Submitting a Request
Review and Submit
• Set access Sunrise/Sunset dates
  • Default = off
  • "gear" > Global Settings > IdentityIQ Configuration > Roles
• Clicking Submit starts Business Process
  • Business Process handles policy checks, approvals, gathering needed information, etc.
Knowledge Check

Configuring Quicklinks:
Remaining LCM Quicklinks
Fundamentals of IdentityIQ Implementation
Remaining LCM Quicklinks
• Act on connected applications
  • Manage Accounts
  • Manage Passwords
• Act on IdentityIQ
  • Edit Identity
  • View Identity
  • Create Identity
• All can act on only one requestee at a time


Submitting Single User Requests
Quicklink Populations: Manager, Help Desk, Custom
• Card for each identity for which requestor can perform action



Identity Details Menu
Quicklinks with Secondary Menu
Select Quicklink > Select single user > Perform selected or alternative action


Configuring Identity Details Menu
Each menu action is controlled by the corresponding Quicklink Population:
• Edit Identity: also add the SP right SetIdentityForwarding to a capability and assign that capability to the user
• View Identity
• Manage Accounts
• Manage Passwords: also assign the Password Administrator capability to the user
Configuring Manage Accounts Quicklink


Manage Accounts Quicklink
• Manage existing application accounts
  • Enable, Disable, Unlock, Delete
  • Configurable per application
• Request a new account
  • One account or additional account


Manager Quicklink Population Example
Manage Accounts Quicklink Configuration



LCM Configuration
Supporting Account Only Requests
• Quicklink option
  • Allow requesting new accounts


LCM Configuration
Supporting Requests for Additional Account
• Quicklink option
  • Allow requesting additional accounts


LCM Configuration
Supporting Account Operations



Configuring Manage Passwords Quicklink


Manage Passwords Quicklink
• Input synchronized password
• Generate synchronized or individual password
• Input new password
• All options enforce applicable set of password policy criteria
• Conflicting policies identified


Manager Quicklink Population Example
Manage Passwords Quicklink Configuration



Application Configuration
Password Policies (Best Practice)
• Enforce application's password policy
  • Set constraints to match application password constraints
• Zero to multiple policies per application
  • Apply to specific users or all
  • Applied in reverse order of definition
    • Define most generic first
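The ordering rule above, worked as an added Python model (not SailPoint code and not IdentityIQ's API). Modeling assumption: the application's policy list is walked in reverse order of definition and the first policy whose selector matches the user is the one enforced, which is why a generic catch-all policy belongs first and user-specific policies after it. The policy names, their constraints, the "PRISM Administrator" capability, and the sample users are all constructed.

```python
"""Constructed model of per-application password policy selection and checks.

Added example, not SailPoint code. Assumption: policies are evaluated in
reverse order of definition and the first matching selector wins.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class User:
    name: str
    capabilities: Set[str]


@dataclass
class PasswordPolicy:
    name: str
    min_length: int
    require_digit: bool = False
    require_upper: bool = False
    # Selector deciding which users the policy applies to; None means all users
    selector: Optional[Callable[[User], bool]] = None

    def applies_to(self, user: User) -> bool:
        return self.selector is None or self.selector(user)


def select_policy(policies: List[PasswordPolicy], user: User) -> Optional[PasswordPolicy]:
    """Walk the list in reverse definition order; the last-defined (most
    specific) policy whose selector matches is enforced. None if no policy applies."""
    for policy in reversed(policies):
        if policy.applies_to(user):
            return policy
    return None


def check_password(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the constraint violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"minimum length {policy.min_length}")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("at least one digit")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("at least one upper-case letter")
    return problems


# Constructed policies for one application, most generic first.
PRISM_POLICIES: List[PasswordPolicy] = [
    PasswordPolicy("PRISM Standard", min_length=8),
    PasswordPolicy("PRISM Admin", min_length=14, require_digit=True, require_upper=True,
                   selector=lambda u: "PRISM Administrator" in u.capabilities),
]

if __name__ == "__main__":
    for user in (User("john", set()), User("susan", {"PRISM Administrator"})):
        policy = select_policy(PRISM_POLICIES, user)
        print(user.name, "->", policy.name, check_password(policy, "Welcome1"))
```

Reversing the list order (specific policy first, generic second) would make the generic policy match every user before the admin policy is ever reached, which is the misconfiguration the "define most generic first" guidance prevents.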


Configuring Edit Identity Quicklink


Edit Identity Quicklink



Manager Population Example
Edit Identity Quicklink Configuration



Identity Mappings Configuration
Which attributes can be edited?
• Read Only (default)
• Temporary
• Permanent


Configuring Create Identity


Create Identity Options
Two Manual Methods
• Create Identity Quicklink
  • Requestor has IdentityIQ identity
  • Default or custom form presented to requester
• New User Registration link
  • Requestor has no IdentityIQ identity
  • Lifecycle Manager Create Identity option
    • Enable self-service registration
    • Default = disabled
  • Default or custom form presented to requester


Knowledge Check

Next Step?
Practice Exercises


Exercise Preview
Section 4, Exercises 1, 2, 3
• Exercise 1: Enabling Lifecycle Manager
• Exercise 2: Create and Manage Identities in IdentityIQ
• Exercise 3: Account Management with Lifecycle Manager

