Professional Documents
Culture Documents
Contents
Section 4: LCM, Workflow and Provisioning ................................................................................................................ 4
Exercise #1: Enabling Lifecycle Manager ...................................................................................................................... 5
Objective:................................................................................................................................................................................ 5
Overview: ............................................................................................................................................................................... 5
Installation of Lifecycle Manager ................................................................................................................................. 5
Exercise #2: Create and Manage Identities in IdentityIQ ....................................................................................... 6
Objective:................................................................................................................................................................................ 6
Overview: ............................................................................................................................................................................... 6
Create an Identity using LCM......................................................................................................................................... 6
Define a Provisioning Policy for Creating Identities ............................................................................................ 9
Exercise #3: Account Management with Lifecycle Manager ............................................................................... 20
Objective ............................................................................................................................................................................... 20
Overview .............................................................................................................................................................................. 20
Configure a Quicklink Population and Applications to Support Account Requests .............................. 20
Test the Configuration: Request a New LDAP Account ..................................................................................... 22
Use and Investigate a JDBC Provisioning Rule: Request a New PRISM Account .................................... 26
Request a PRISM Role for a User Who has a PRISM Account ......................................................................... 28
Request Role for a User Without a PRISM Account ............................................................................................ 31
Enable/Disable and Delete PRISM Accounts......................................................................................................... 33
Unlock Account .................................................................................................................................................................. 34
Exercise #4: Configure Group Provisioning and Create New Group in LDAP .............................................. 35
Objective ............................................................................................................................................................................... 35
Overview .............................................................................................................................................................................. 35
Configure Group Provisioning Feature of IdentityIQ......................................................................................... 35
Verify the Existing LDAP Groups ................................................................................................................................ 37
Provision a New Group in LDAP called VPN .......................................................................................................... 38
Exercise #5: Provision VPN Access Using Lifecycle Manager ............................................................................. 41
Objective:.............................................................................................................................................................................. 41
Overview: ............................................................................................................................................................................. 41
Enable Business Process (Workflow) Tracing...................................................................................................... 42
Using Lifecycle Manager, users can make requests via IdentityIQ. These requests can include the
following:
We will also explore the capabilities for Lifecycle Manager to react to changes in the identities and
take appropriate actions depending on what changes were detected. Collectively they are called
Lifecycle events:
Note that provisioning requests can occur for reasons other than Lifecycle Manager requests:
Overview:
Lifecycle Manager is installable as a separate component of IdentityIQ. In order to install and set up
Lifecycle Manager, you must stop your application server, install Lifecycle Manager and restart your
application server.
____________________________________________ ____________________________________________
c. Quit the console
4. In a command window, navigate to the
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/bin directory and run the
following command:
Note: If you receive the error Service Interrupted, you can safely ignore it.
5. Start the Tomcat server using the Start Tomcat shortcut
6. Log in to IdentityIQ as spadmin/admin and confirm that Lifecycle Manager is installed: On
your home page, look for the quick links Manage User Access and Track My Requests:
Note: You will also use the identities created in this exercise for testing access requests in following
exercises.
Overview:
You will often need to create Identities in IdentityIQ. One way to create them is by using Lifecycle
Manager (LCM). LCM allows you to create and edit Identities and manage the creation and updating
of the Identities using workflows to control the creation and editing processes. You can also define
provisioning policies, which can help define the choices that are made when creating Identities in
the system. In this exercise we will create identities two ways:
• Using a provisioning policy (created by you) to help drive a user’s choices when creating a
new identity.
2. In the upper left corner, click the list to navigate to the quick link menu. Expand Manage
Identity and click Create Identity
3. Create the Identity as shown here. Use xyzzy for the password.
Note that this is a default provisioning form that ships with IdentityIQ. The fields included
are the standard identity attributes and searchable extended attributes. As you enter the
data, think about modifications that would make entering data less error prone and easier.
4. Verify that the Identity Name and the Display Name were entered with the correct format:
First.Last
5. Click Submit to submit the new Identity request.
6. From the Home page, select Track My Requests and check the status of the Create Identity
request operation.
b. Open the Access Request. List the additional Item added automatically to the
identity cube:
_________________________________________________________________________________________________
This attribute specifies the length of time that this cube will be ignored by the Prune
Identity Cubes task. Remember, the purpose of the Prune Identity Cubes task is to
delete non-authoritative Identity Cubes that house no accounts. As long as the new
identity obtains access (the Identity Cube has correlated accounts) by this date, it
won’t be pruned; if access is not obtained by this date, it will be pruned. This value
can be set in the LCM configuration.
8. Navigate to the identity: Fred.Smith and confirm that the user was created correctly in
IdentityIQ.
Note: If you are interested in seeing the form before you start, page to the end of this section for a
picture of the completed form.
b. Click Details
3. All forms must have at least one section. Ours will have two. The first section will provide
read only instructions, the second section will accept the attributes for the new user.
b. For Section 1, click the plus sign, and select Add Field
c. In Edit Options
i. Attribute: instructions
i. Name: identityAttributes
e. For Identity Attributes section, click plus, select Add Row with Columns
i. Attribute: firstname
1. Required: Checked
i. Attribute: lastname
1. Required: Checked
j. Add another row to the Identity Attributes section to collect password information
as shown. Notice the asterisks next to the items – they indicate required fields. Use
the attribute drop-down button to select the correct attribute.
k. In the Identity Attributes section, add a third row with two columns. Configure
Field 6 and Field 7 so that your form preview matches the screenshot below.
Note: Field 6 should have attribute = “name” and display name = “User Name”
4. If the form layout is wrong, fields can easily be moved. We will reorder the rows to move
Last Name before First Name.
b. Click and hold on the direction-plus to the left of Last Name, and drag Last Name
above First Name.
5. We have completed the minimum requirement to save an Identity Create Policy – our form
includes the name and password fields. Perform an interim save of the Identity Create
Policy.
c. At the top of the screen, you will see the message “Your changes have been saved
successfully”
6. Navigate to Global Settings Import from File and load the following files:
/home/spadmin/ImplementerTraining/config/Rule-AllowedValues-Location.xml
/home/spadmin/ImplementerTraining/config/Rule-AllowedValues-Region.xml
/home/spadmin/ImplementerTraining/config/Rule-Validation-EmailAddress.xml
These rules will be used for our provisioning policies. The first two generate lists of allowed
values we can use to populate drop-down lists. The last rule is used to validate that email
addresses are correctly formatted.
i. Attribute: email
i. Attribute: status
1. Value: Employee
2. Value: Contractor
i. Attribute: inactive
1. Value: False
h. Preview the form and confirm that the Identity Attributes section is as shown
a. Add the remaining fields to the provisioning policy. Place Region and Location on the
same row.
d. List the Field Edit Option you used to specify the explanatory text First.Last under
the Username field:
_________________________________________________________________________________________________
e. Save your identity provisioning policy (remember, there are two screens on which
you must save to completely save your work)
9. Now let’s see our new Identity Creation form in action. In this step, you will test your form.
a. Log in as Catherine.Simmons/xyzzy
c. Fill in the information as shown. Use xyzzy for the password. To test our email
validation rule, intentionally do not enter the correct format for an email address.
11. Note that you can further customize the creation of new Identities by the following
techniques:
a. Additional logic in your provisioning policies
i. Data validation - Detecting duplicate usernames or email addresses
ii. Precalculation of an Employee ID number
iii. Build fields from previously entered fields. For example, build Username and
Display Name from First Name and Last Name
b. Customize the out-of-the-box workflow LCM Create and Update that is responsible
for all create and edit operations that occur on Identities when using LCM
Overview
We will explore the following Account functions in this exercise:
• Requesting a role
• Unlocking accounts
b. Click the Quicklinks tab and next to Manage Accounts, click Config…
c. Turn on Allow requesting new accounts as shown here and Save the Manage
Accounts Options
b. Scroll down to Manage Accounts Options and in the drop down selection box that
says: Applications that support account only requests add LDAP and PRISM to the
list:
c. Click Save
2. Log in as Catherine.Simmons/xyzzy.
3. On the upper left, click the list icon, , to open the Quicklink sidebar. Navigate to Manage
Access Manage Accounts. You will be presented with a list that includes Catherine and
all of the users who report to Catherine.
Note: This is because out of the box, managers can only request items for themselves and
their reports. This is fully configurable through LCM.
b. If your configuration was completed successfully, under Request New Account, you
will see the two applications for which account only requests are allowed.
c. Request a new LDAP account for Fred.Smith and Submit the request.
e. Click Submit.
4. From the Home page, check the status of the Access Request under Track My Requests.
a. What is the Execution Status of the Manage Accounts request for Fred?
_________________________________________________________________________________________________
b. Expand the access request, and notice that the Approval Status is pending.
c. View Pending Interactions, and notice that the description indicates that we’re
waiting on Owner Approval.
_________________________________________________________________________________________________
5. Log out and log back in as spadmin/admin. On the Home dashboard, notice the Approvals
Quicklink card.
a. Click Approvals, and approve the account request for Fred.
b. Click Complete.
7. Check the LDAP repository and confirm that Fred.Smith has an account in the LDAP server.
Expand dc=training…ou=people[1…100], scroll until you find Fred.Smith
8. Click Fred’s account to display details. Notice that 5 values, DN, objectClass, cn, sn, and
userPassword were required to create the account.
c. Edit CN and View the Value Setting window. How is the value for CN being set?
(Circle one)
d. We are using a small amount of bean shell to provide the name of the identity as the
value for CN. If you’re interested, view how the other fields are set
Use and Investigate a JDBC Provisioning Rule: Request a New PRISM Account
To provision with the JDBC connector, the implementer must provide a provisioning rule. In this
section, we will be relying on the rule PRISM - Provision to provision this access to the JDBC
resource.
Our new employee Fred.Smith needs an account on the PRISM application. In this exercise, we will
request a PRISM account for him.
b. Scroll through the rule and list three (of five) provisioning operations handled by
this rule (the first provisioning operation is circled above):
b. Request a new PRISM account for Fred.Smith and Submit the request, which will
send it to the PRISM Application Owners workgroup (of which
Walter.Henderson is a member).
3. Log in as the approver, Walter.Henderson/xyzzy and approve the changes for the account
request on PRISM. At this time, the provisioning request for a new PRISM account uses the
PRISM - Provision rule to perform the request.
a. This Rule includes statements to print the provisioning plan, the request that was
passed in, and the final result. On your desktop, view the Tomcat Standard Out.
b. In the provisioning plan (the XML), what is the operation being requested (hint: look
for op=).
_________________________________________________________________________________________________
c. From where did IdentityIQ obtain the values for the AttributeRequest entries?
(circle one)
4. From a terminal window, login into MySQL and confirm that the account is there.
5. The default values that are created in the PRISM application are determined by the
Provisioning Policy attached to the PRISM application. Notice that the groups attribute is
empty. If desired, our default provisioning policy could be changed to grant basic User
access by provisioning the attribute groups to include User by default.
6. If you are interested in more on the Provisioning Policy and PRISM provisioning rule, as
spadmin/admin, look at the PRISM application. Investigate both the Provisioning Policy
and the PRISM - Provision rule. The provisioning policies provide the values to the plan,
and the rule executes what is specified in the plan. Understanding this basic behavior of our
provisioning capabilities is very important for understanding how the process works.
2. In Select Users, click the check-oval to select Fred.Smith, and at the top, click Manage
Access.
4. View the details for the PRISM User role: on the right, click Details.
a. Notice that Entitlement Details lists the IT roles assigned (PRISM User-IT), and the
included entitlements to be provisioned, as a result of this business role.
b. What is the entitlement attribute and value for the PRISM User-IT role?
_________________________________________________________________________________________________
5. Select the PRISM User role and at the top, click Review, and then Submit.
6. After you submit the request, look at the top of the screen.
_________________________________________________________________________________________________
_________________________________________________________________________________________________
d. All LCM requests activate a workflow. This is the step in the workflow that is
currently being processed.
8. Log out and log back in as spadmin/admin and approve the role request for Fred.Smith
a. Click Complete.
op= ___________________________________________________________________________________________
11. In your terminal window, look at the database to see the changes to Fred’s account
specifically that User has been added to the groups attribute:
1. Log in as Catherine.Simmons and, on the Home page, select Manage User Access and
request the PRISM User role for Bob.Smith
2. After you submit the request, check the Access Request to see that the request was for a role
for Bob.Smith.
4. After you approve the request, check the Access Request. You should see that our request
now includes all the account attributes and the User entitlement.
op= ___________________________________________________________________________________________
6. In your terminal window, confirm that Bob.Smith was added to the PRISM application:
6. Login as Walter.Henderson/xyzzy and approve both the disable and delete requests
7. In the terminal window, use MySQL to check the Bob.Smith and Fred.Smith accounts. Notice
that Bob.Smith’s status has been set to “I” (Inactive), which is how accounts are disabled in
PRISM. Notice that Fred.Smith no longer has an account at all.
Unlock Account
1. Walter.Henderson’s PRISM account is currently locked. Determine how to unlock it through
IdentityIQ.
c. You should see the following if you successfully unlock his account:
mysql> select locked from users where login = 'whenderson';
+--------+
| locked |
+--------+
| N |
+--------+
1 row in set (0.00 sec)
Overview
Out of the box, IdentityIQ can support provisioning groups to target applications that support
groups. In this exercise, we will use IdentityIQ to provision a group into LDAP. Once this group is
created, we will be able to add additional users to it.
Note: You do not need to use group provisioning within your IdentityIQ implementation. It is also
perfectly normal to create, edit, and delete groups directly in the native target application.
b. List the four fields required to create a new group in our instance of LDAP.
_______________________________________________ _______________________________________________
_______________________________________________ _______________________________________________
c. Edit the DN field. The definition of this field is displayed on the right. Based on the
definition, is this a required field? (circle one) Yes No
d. Expand the Value Settings. Notice that no values have been provided. This means
that later, when we create the new group, we will manually provide a value for this
field.
e. View the Value Settings for the uniqueMember field. List the value provided for the
uniqueMember field.
_________________________________________________________________________________________________
c. What is the default refresh interval for the full text search indexes? ___________________
With full text search enabled, your new group will be available when the index is
updated (hourly).
d. Disable full text search: uncheck the box next to Enable Full Text Search
Note: This allows us to use the database search rather than the full text search for
our development testing of access requests. With the database search, updated
entitlements and roles are immediately searchable. With the full text search, the
indexes must be updated prior to searching for updated entitlements and roles.
When development is complete, enable full text search for faster and more thorough
searching (unlike database search, full text search includes descriptions).
3. Click Save
a. If necessary, start LDAP (from a terminal window enter StartLDAP) and launch the
LDAP Browser (use the desktop shortcut to launch the LDAP Browser)
____________________________________________ ____________________________________________
a. Application: LDAP
c. Requestable: checked
e. Owner: Randy.Knight
a. These fields are required for defining our LDAP group. What is the name of the
application and provisioning policy that defines these fields?
_______________________________________________ _______________________________________________
a. DN: cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com
c. CN: VPN
6. Click Save
a. A message that says a workflow was started to create the VPN group. This workflow
comes out of the box, but could be customized if so desired. The workflow is called
Entitlement Update.
b. Under Applications Entitlement Catalog you should see the new entry for VPN.
Note that the new LDAP group has a Description, Owner and is Requestable
ii. Drill down and confirm that your VPN group was created:
Overview:
We just created a group in LDAP called VPN, and we made this account group requestable, meaning
that users can request it through LCM.
To test, we will login as a manager (Catherine.Simmons) and request VPN access for all of the direct
reports in her department.
This will trigger a workflow case for each user with appropriate approval steps and will eventually
(assuming all approvals are affirmative) result in a provisioning of the entitlement in LDAP.
The default workflow for entitlement requests is called LCM Provisioning. Each Lifecycle Manager
operation has a default workflow (Business Process) defined as seen here. Out of the box, the
default workflows are:
The LCM Provisioning workflow automatically checks for approval from the entitlement owner
before provisioning the user’s access. This out of the box behavior can be configured to support any
desired functionality including policy checks, approvals, notifications, etc.
3. Select the LCM Provisioning Business Process, and in the center of the screen, select the
Process Variables tab.
5. Scroll down to the very bottom, and select Trace Execution. This will trace all workflow
steps into the logs so that we can observe detailed workflow flow information.
6. Click Save.
7. Start the desktop shortcuts Tail Tomcat Standard Out and Tail Email Log.
During the request to add users to the VPN group in LDAP, we will view these logs to
observe the workflow trace and emails being sent.
b. In the Select Users list, you should see direct reports for Catherine.Simmons, and
Catherine herself. Select all of her direct reports, but not Catherine, and then select
Manage Access
d. View the VPN entry and notice that all of our configured items are showing up on
the VPN Entitlement such as Owner and Description
a. There should be seven requests in the queue, one for each subordinate employee
that had the VPN entitlement requested for them.
a. Check the output of the Email log file you should see the emails that were generated:
To: Randy.Knight@demoexample.com
Message-ID: <f6540250a97a44fba132515f41f64de3@example.com>
Subject: Changes requested to Tammy.Daniels need approval
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_44_19584772.1396377798427"
X-Mailer: smptsend
------=_Part_44_19584772.1396377798427
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Application: LDAP
Account : cn=Tammy.Daniels,ou=people,dc=training,dc=sailpoint,dc=com
Operation: Add
Attribute: groups
Value(s): cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com
Priority: Normal
b. Check the Standard Out log file and see that workflow tracing has occurred. The end
of the trace shows that an approval has been requested:
6. Notice the Standard Out log file after the item is approved by Randy:
7. Now that the approval is done, confirm in the LDAP Browser that Tammy.Daniels has
correctly been added to the VPN group as shown here:
a. Once the manager requested that all 7 of her employees needed access to the VPN
group, 7 workflow cases were started (each an instance of the LCM Provisioning
workflow that is the default in IdentityIQ for Access Requests)
b. Each workflow determined that the owner of the VPN group was Randy.Knight
from the settings in the Entitlement Catalog so the workflow routed the approval for
each user to Randy.Knight
c. Randy.Knight received an email notification and had 7 items in his inbox for his
approval.
d. Once Randy.Knight approved the request, the workflow continued and provisioned
access to the LDAP resource, which involved adding Tammy.Daniels to the specific
VPN group.
9. Login as Catherine.Simmons/xyzzy
10. Navigate to Track My Requests.
a. What is the status for the Tammy.Daniels request?
____________________________________________________________________________________________
b. This task comes pre-scheduled in IdentityIQ to run once a day by default. You could
run this more often as determined by your needs
3. Run the task, and then come back and check Track My Requests and confirm that the
request for Tammy.Daniels has been marked as Completed. This can be done from
spadmin’s account.
5. View Entitlements to confirm that the VPN group is an entitlement on her cube and that
the source of the entitlement was Access Request (Note: Contrast this with earlier in the
training class, where Aggregation was the source.)
a. Click on the row (not the VPN link) to view the details
3. Select the Process Variables tab. Scroll down and find the process variable called Trace
Execution and de-select to disable tracing.
4. Click Save.
Overview:
A lifecycle event can be configured to run a business process based on identity changes. In this
exercise, we will configure a custom business process (workflow) to run whenever a user’s
department attribute changes. The business process should force a new certification for the identity
and, if the new department is the IT Department, an email should also be sent.
Note that if all we wanted to do upon department change was to trigger a certification, the simpler
choice is to use a Certification Event. However, because we want to perform additional actions
(conditionally send an email), we’re managing this event with a custom business process.
First, we will define the business process (workflow) including importing a custom email template
just for this business process. Second, we will create the lifecycle event that will monitor for the
department change and trigger the business process.
• Calculate some internal workflow variables that can be used in later steps to control
workflow behavior
_________________________________________________________________________________________________________
2. From the following list, circle the actions that are needed. These are the workflow steps:
• Create a certification
• Send an email
• Calculate the time since the last login
• Print debug information
_________________________________________________________________________________________________________
Configure a new Business Process for use with our Lifecycle Event
1. Login as spadmin
a. Navigate to Global Settings Import from File and load the following file:
/home/spadmin/ImplementerTraining/config/WorkflowTrainingEmailTemplate.xml
c. Description: Business process that will run when a department change occurs
a. Click Add A New Variable and configure the first variable as follows:
i. Name: event
Note: Because the event variable is referenced by other variables (defined next),
the save is required to ensure that the event variable is saved first in the list of
workflow variables.
d. Notice that we have turned on trace. Watch Standard Out for results.
e. Click Save to save changes to the Process Variables, and confirm that your variables
are as follows:
6. Define the Business Process graphically. Click the Process Designer tab.
b. Drag (click and drag) the five icons into a more user-friendly arrangement as
shown:
c. Right click each Generic Step icon and Edit the names and Change Icons as shown:
i. Double click the Start step and then double click the Debug Step
ii. You should now have a connection from the Start step to the Debug Step as
shown:
Note: If you double click a step and realize that you don’t want to connect it
to another step, double click on the grid to remove the arrow.
iii. Continue connecting the icons using the technique shown above
e. Once done, you should have something that looks like this. Note that a split
transition is created automatically for you since we have two transitions configured
from the Debug Step.
7. Now, we will configure each workflow step to perform specific operations as necessary.
a. Right click the Debug Step step and select Edit Step and configure:
i. Details tab
1. Action: Script
ii. View the comments in the script for an understanding of what the Debug
Step does
b. Right click the multiple transition (the diamond with the ‘X’) to the right of the
Debug Step and select Edit Transitions:
i. Edit the transition logic as shown taking care to negate the 2nd transition.
/home/spadmin/ImplementerTraining/beanshell/Workflow_Transition Logic.txt
Note: The transition logic will send us to the Send Email step if the
department we are transferring to is the “IT Management” department.
Otherwise, we will move to the Create Certification step.
c. Right click the Send Email step and select Edit Step and configure:
i. Details tab
Note: identityName and launcher are passed into the workflow by the
system and supply the name of the identity whose attribute was changed and
the name of the identity who made the change, respectively.
d. Right click the Create Certification step and select Edit Step and configure:
i. Details tab
1. Action: Script
2. Open Editor:
Copy and paste from:
/home/spadmin/ImplementerTraining/beanshell/Workflow_GenerateCertificationScript.txt
3. View the script and find the line where the Certification Name is set.
_______________________________________________________________________________
8. At the bottom of the Business Process Editor, click Save to save all work on your Business
Process. (Saves the whole workflow.)
b. Click the Department identity attribute and change the Edit Mode to Permanent.
This will make this field editable via the UI for testing purposes.
d. Select Save to save the changes to the Identity Mapping configuration for the
department attribute
2. Navigate to Setup Lifecyle Events and click Add New Lifecycle Event and configure the
new event as shown here:
d. Attribute: Department
3. Test the event, by editing the department for Aaron.Nichols and changing his department.
b. Select Edit
c. Click the certification and scroll down to confirm that the access review was
assigned to the appropriate party (Mary.Johnson)
5. Look at the email log. What are the subjects of the two emails that were sent by the
workflow?
_________________________________________________________________________________________________________
_________________________________________________________________________________________________________
6. If you check the output of Standard Out (desktop shortcut: Tail Tomcat Standard Out) you
will see the following. You can see that the department was changed to “IT Management”
and we took the path to the “Send Email” step.
=======================
Debug Step - Start
Requester = spadmin
Step Name = Debug Step
event.getCause() = Attribute 'department' changed from Executive
Management to IT Management
event.getIdentityName() = Aaron.Nichols
trigger.getAttributeName() = department
Debug Step - End
=======================
7. Test moving Aaron.Nichols from IT Management to Executive Management and back and
observe the results.
Location: ___________________________________________________________________________________________
Location: ___________________________________________________________________________________________