Section - 4

Section 4 - 1
Section Four: LCM, Workflow and Provisioning
Fundamentals of IdentityIQ Implementation

Training for SailPoint IdentityIQ Version 7.1
11305 Four Points Drive

Bldg 2, Suite 100
Austin, TX 78726
www.sailpoint.com
Copyright © 2017 SailPoint Technologies – All Rights Reserved – VERSION 7.1b

Section 4 - 2
Contents
Section 4: LCM, Workflow and Provisioning ................................................................................................................ 4
Exercise #1: Enabling Lifecycle Manager ...................................................................................................................... 5
Objective:................................................................................................................................................................................ 5
Overview: ............................................................................................................................................................................... 5
Installation of Lifecycle Manager ................................................................................................................................. 5
Exercise #2: Create and Manage Identities in IdentityIQ ....................................................................................... 6
Objective:................................................................................................................................................................................ 6
Overview: ............................................................................................................................................................................... 6
Create an Identity using LCM......................................................................................................................................... 6
Define a Provisioning Policy for Creating Identities ............................................................................................ 9
Exercise #3: Account Management with Lifecycle Manager ............................................................................... 20
Objective ............................................................................................................................................................................... 20
Overview .............................................................................................................................................................................. 20
Configure a Quicklink Population and Applications to Support Account Requests .............................. 20
Test the Configuration: Request a New LDAP Account ..................................................................................... 22
Use and Investigate a JDBC Provisioning Rule: Request a New PRISM Account .................................... 26
Request a PRISM Role for a User Who has a PRISM Account ......................................................................... 28
Request Role for a User Without a PRISM Account ............................................................................................ 31
Enable/Disable and Delete PRISM Accounts......................................................................................................... 33
Unlock Account .................................................................................................................................................................. 34
Exercise #4: Configure Group Provisioning and Create New Group in LDAP .............................................. 35
Objective ............................................................................................................................................................................... 35
Overview .............................................................................................................................................................................. 35
Configure Group Provisioning Feature of IdentityIQ......................................................................................... 35
Verify the Existing LDAP Groups ................................................................................................................................ 37
Provision a New Group in LDAP called VPN .......................................................................................................... 38
Exercise #5: Provision VPN Access Using Lifecycle Manager ............................................................................. 41
Objective:.............................................................................................................................................................................. 41
Overview: ............................................................................................................................................................................. 41
Enable Business Process (Workflow) Tracing...................................................................................................... 42
Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

Section 4 - 3
Test Provisioning to the New VPN Group............................................................................................................... 43

Confirm VPN Entitlement Assignment and Complete the Access Request ............................................... 47
Disable Business Process (Workflow) Tracing .................................................................................................... 49
Exercise #6: Use Lifecycle Manager to Create a Lifecycle Event ....................................................................... 50
Objective:.............................................................................................................................................................................. 50
Overview: ............................................................................................................................................................................. 50
Design the Business Process ........................................................................................................................................ 50
Configure a new Business Process for use with our Lifecycle Event .......................................................... 51
Configure Lifecycle Event and Test ........................................................................................................................... 58
Extension Exercise (Optional) ..................................................................................................................................... 63

Section 4 - 4
Section 4: LCM, Workflow and Provisioning

In this section, we will explore using the Lifecycle Manager functionality and how it relates to
workflow and provisioning.
Using Lifecycle Manager, users can make requests via IdentityIQ. These requests can include the
following:
• Requesting new access (entitlement and roles)

• Creating, managing (enable/disable/unlock) and deleting accounts
• Creating and editing identities
These requests are initiated by a user clicking the appropriate Quicklink. Who has access to the
Quicklinks is controlled by Quicklink Populations. We can create our own populations of users or
use the default populations. The default Quicklink Populations used to determine who can make
different types of requests are:
• The user themselves (designated as Self Service)

• Manager (make requests for direct reports)
• Help Desk (users with help desk capability who can request items for populations)
• Everyone (control what can be done by all users not fitting into the above categories)
Often, as the result of these requests, we must provision the appropriate accounts and entitlements
to the target systems.
We will also explore the capabilities for Lifecycle Manager to react to changes in the identities and
take appropriate actions depending on what changes were detected. Collectively they are called
Lifecycle events:
• Cube creation (Joiner)

• Change in the inactive attribute (Leaver)
• Attribute change or change in manager (Mover)
• Custom detected change (Rule Based)
An integral part of Lifecycle Manager and Provisioning is our workflow engine. Workflows within
IdentityIQ are called Business Processes. All Lifecycle Manager provisioning requests and Lifecycle
Events initiate a workflow. In this section we will create a custom workflow.
Note that provisioning requests can occur for reasons other than Lifecycle Manager requests:
• Revocation of access during a certification access review

• Remediation of an SOD policy violation (role or entitlement)
• Assignment of a role that requires IT access

Section 4 - 5
Exercise #1: Enabling Lifecycle Manager

Objective:
In this exercise, we will enable Lifecycle Manager functionality.
Overview:
Lifecycle Manager is installable as a separate component of IdentityIQ. In order to install and set up
Lifecycle Manager, you must stop your application server, install Lifecycle Manager and restart your
application server.
Installation of Lifecycle Manager

1. Stop the Tomcat server using the Stop Tomcat shortcut
2. Launch the IIQ console using the IIQ Console shortcut

3. Install Lifecycle Manager by typing the following into the IIQ console:
> import init-lcm.xml
a. Notice the types of objects being imported into IdentityIQ
b. List two that you are familiar with:
____________________________________________ ____________________________________________
c. Quit the console
4. In a command window, navigate to the
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/bin directory and run the
following command:
./iiq patch 7.1p1
Note: If you receive the error Service Interrupted, you can safely ignore it.
5. Start the Tomcat server using the Start Tomcat shortcut
6. Log in to IdentityIQ as spadmin/admin and confirm that Lifecycle Manager is installed: On
your home page, look for the quick links Manage User Access and Track My Requests:
7. Track My Request is supported by Identity Request Objects. These need to be periodically

purged from the database.
a. Navigate to the Perform Identity Request Maintenance task
b. Set Max age (in days) for Identity Request Objects to 90 days. Save the task.

Section 4 - 6
Exercise #2: Create and Manage Identities in IdentityIQ

Objective:
Learn how to manage creating Identities and editing them using IdentityIQ, both with and without
Identity Provisioning Policies.
Note: You will also use the identities created in this exercise for testing access requests in following
exercises.
Overview:
You will often need to create Identities in IdentityIQ. One way to create them is by using Lifecycle
Manager (LCM). LCM allows you to create and edit Identities and manage the creation and updating
of the Identities using workflows to control the creation and editing processes. You can also define
provisioning policies, which can help define the choices that are made when creating Identities in
the system. In this exercise we will create identities two ways:
• Using the out of the box configuration
• Using a provisioning policy (created by you) to help drive a user’s choices when creating a
new identity.
Create an Identity using LCM

1. Log out and log in as Catherine.Simmons/xyzzy.
2. In the upper left corner, click the list to navigate to the quick link menu. Expand Manage
Identity and click Create Identity

Section 4 - 7
3. Create the Identity as shown here. Use xyzzy for the password.
Note that this is a default provisioning form that ships with IdentityIQ. The fields included
are the standard identity attributes and searchable extended attributes. As you enter the
data, think about modifications that would make entering data less error prone and easier.

Section 4 - 8
4. Verify that the Identity Name and the Display Name were entered with the correct format:
First.Last
5. Click Submit to submit the new Identity request.
6. From the Home page, select Track My Requests and check the status of the Create Identity
request operation.
a. List the execution status: ___________________________________________________________________

Since Catherine is the manager, no approval is generated. By default, the newly
created cube is a non-authoritative cube.
b. Open the Access Request. List the additional Item added automatically to the
identity cube:
_________________________________________________________________________________________________
This attribute specifies the length of time that this cube will be ignored by the Prune
Identity Cubes task. Remember, the purpose of the Prune Identity Cubes task is to
delete non-authoritative Identity Cubes that house no accounts. As long as the new
identity obtains access (the Identity Cube has correlated accounts) by this date, it
won’t be pruned; if access is not obtained by this date, it will be pruned. This value
can be set in the LCM configuration.
7. Log out and log in as spadmin/admin
8. Navigate to the identity: Fred.Smith and confirm that the user was created correctly in
IdentityIQ.

Section 4 - 9
Define a Provisioning Policy for Creating Identities

As you probably could see, the form presented by the default provisioning policy provided a tedious
(and potentially error-prone) approach to creating an identity. In this section, we will use the Form
Editor to create a provisioning policy that will allow us to present our own form to the user. We will
provide for entering the same information, but our provisioning policy will make creating an
identity easier and provide nice features like allowed value dropdown selections, and data
validation.
Note: If you are interested in seeing the form before you start, page to the end of this section for a
picture of the completed form.
1. Navigate to  Lifecycle Manager  Identity Provisioning Policies and next to

Create Identity, select Add Policy
2. Configure the provisioning policy header information.
a. Form Name: Identity Create Policy
b. Click Details
i. Title: Create New Identity
ii. Click Details
3. All forms must have at least one section. Ours will have two. The first section will provide
read only instructions, the second section will accept the attributes for the new user.
a. Click Add Section, in Edit Options, expand Settings

Note: We will leave the default section name, Section 1, as we do not want a name
displayed on the form.
i. Read Only: True

Section 4 - 10
ii. For the section, select Apply

Note: The screen will show no change
b. For Section 1, click the plus sign, and select Add Field
c. In Edit Options
i. Attribute: instructions
ii. Display Name: Instructions
iii. Expand Type Settings
1. Display Only: Checked
iv. Expand Value Settings
1. For Value, select Value
2. Enter: Input values to create new user.
v. For the field, click Apply
d. At the top, click Add Section, in Edit Options
i. Name: identityAttributes
ii. Label: Identity Attributes
iii. Click Apply

Section 4 - 11
e. For Identity Attributes section, click plus, select Add Row with Columns
i. In Edit Options, select 2 columns and Apply
f. For Field 2, click the pencil, in Edit Options
i. Attribute: firstname
ii. Display Name: First Name
1. Required: Checked
iv. Click Apply
g. For Field 3, click the pencil, in Edit Options
i. Attribute: lastname
ii. Display Name: Last Name
1. Required: Checked
iv. Click Apply
h. Click Preview Form and confirm that your form is as shown
i. Click Back to Edit

Section 4 - 12
j. Add another row to the Identity Attributes section to collect password information
as shown. Notice the asterisks next to the items – they indicate required fields. Use
the attribute drop-down button to select the correct attribute.
k. In the Identity Attributes section, add a third row with two columns. Configure
Field 6 and Field 7 so that your form preview matches the screenshot below.
Note: Field 6 should have attribute = “name” and display name = “User Name”
4. If the form layout is wrong, fields can easily be moved. We will reorder the rows to move
Last Name before First Name.
a. Click Back to Edit
b. Click and hold on the direction-plus to the left of Last Name, and drag Last Name
above First Name.
c. Confirm that Row 1 is now ordered as shown

Section 4 - 13
5. We have completed the minimum requirement to save an Identity Create Policy – our form
includes the name and password fields. Perform an interim save of the Identity Create
Policy.
a. At the top right of the Form Editor, click Save
b. On the Lifecycle Manager page, click Save

Note: This second save is very important. Without saving in both places, you will
lose your work.
c. At the top of the screen, you will see the message “Your changes have been saved
successfully”
6. Navigate to  Global Settings  Import from File and load the following files:
/home/spadmin/ImplementerTraining/config/Rule-AllowedValues-Location.xml
/home/spadmin/ImplementerTraining/config/Rule-AllowedValues-Region.xml
/home/spadmin/ImplementerTraining/config/Rule-Validation-EmailAddress.xml
These rules will be used for our provisioning policies. The first two generate lists of allowed
values we can use to populate drop-down lists. The last rule is used to validate that email
addresses are correctly formatted.
7. Add additional rows to the Create Identity provisioning policy.
a. Navigate back to  Lifecycle Manager  Identity Provisioning Policies
b. Select Identity Create Policy
c. Add a row with a single field to the Identity Attributes section
d. Configure Field 8, Edit Options
i. Attribute: email
ii. Display Name: Email
iii. Type Settings: Required: Checked
iv. Value Settings: Validation: Rule
1. Rule: Validation – Email Field
e. Add a row with two columns to the Identity Attributes section

Section 4 - 14
f. Configure Field 9, Edit Options
i. Attribute: status
ii. Display Name: Status
iii. Value Settings: Value: Contractor
iv. Value Settings: Allowed Values: Value
1. Value: Employee
2. Value: Contractor
g. Configure Field 10, Edit Options
i. Attribute: inactive
ii. Display name: Inactive
iii. Type: Boolean
iv. Value Settings: Value: Value
1. Value: False

Section 4 - 15
h. Preview the form and confirm that the Identity Attributes section is as shown
8. Complete the Create Identity provisioning policy.
a. Add the remaining fields to the provisioning policy. Place Region and Location on the
same row.
Attribute Display Name Required Value Settings Value Properties
empId Employee ID checked

region Region checked Allowed Values Rule: AllowedValues-Region
location Location checked Allowed Values Rule: AllowedValues-Location
manager Manager checked

Section 4 - 16
b. Confirm that the form looks as shown:
c. If your form differs, correct your form to match.
d. List the Field Edit Option you used to specify the explanatory text First.Last under
the Username field:
_________________________________________________________________________________________________
e. Save your identity provisioning policy (remember, there are two screens on which
you must save to completely save your work)

Section 4 - 17
9. Now let’s see our new Identity Creation form in action. In this step, you will test your form.
a. Log in as Catherine.Simmons/xyzzy
b. On the quick link sidebar, navigate to Manage Identity  Create Identity
c. Fill in the information as shown. Use xyzzy for the password. To test our email
validation rule, intentionally do not enter the correct format for an email address.
d. Click Submit to submit the new Identity request.

Section 4 - 18
e. Confirm that the email validation rule is working
f. Correct the email address: bob.smith@example.com

g. Click Submit
10. Logout and login as spadmin/admin and confirm that Bob.Smith has an Identity Cube.
Note that this Identity Cube has no entitlements or accounts. Currently it is just a shell cube.

Section 4 - 19
11. Note that you can further customize the creation of new Identities by the following
techniques:
a. Additional logic in your provisioning policies
i. Data validation - Detecting duplicate usernames or email addresses
ii. Precalculation of an Employee ID number
iii. Build fields from previously entered fields. For example, build Username and
Display Name from First Name and Last Name
b. Customize the out-of-the-box workflow LCM Create and Update that is responsible
for all create and edit operations that occur on Identities when using LCM

Section 4 - 20
Exercise #3: Account Management with Lifecycle Manager

Objective
The objective of this section is to manage account access using Lifecycle Manager.
Overview
We will explore the following Account functions in this exercise:
• Creating a new account (without associated entitlements)
• Requesting a role
• Requesting a role that will cause a new account request to occur
• Enabling and disabling accounts
• Unlocking accounts
Configure a Quicklink Population and Applications to Support Account Requests

1. Configure the Manager Quicklink population to allow account only requests.
a. Navigate to  Global Settings  Quicklink Populations and open the Manager

population
b. Click the Quicklinks tab and next to Manage Accounts, click Config…

Section 4 - 21
c. Turn on Allow requesting new accounts as shown here and Save the Manage
Accounts Options
d. Save the Quicklink Population
2. Configure the applications that allow account only requests.
a. Navigate to  Lifecycle Manager
b. Scroll down to Manage Accounts Options and in the drop down selection box that
says: Applications that support account only requests add LDAP and PRISM to the
list:
c. Click Save

Section 4 - 22
Test the Configuration: Request a New LDAP Account

1. If necessary, start LDAP. From a terminal window enter StartLDAP.
2. Log in as Catherine.Simmons/xyzzy.
3. On the upper left, click the list icon, , to open the Quicklink sidebar. Navigate to Manage
Access  Manage Accounts. You will be presented with a list that includes Catherine and
all of the users who report to Catherine.
Note: This is because out of the box, managers can only request items for themselves and
their reports. This is fully configurable through LCM.
a. Select Fred.Smith, and click Request Account.
b. If your configuration was completed successfully, under Request New Account, you
will see the two applications for which account only requests are allowed.
c. Request a new LDAP account for Fred.Smith and Submit the request.
d. Click Confirm, and verify the access that was requested.
e. Click Submit.
4. From the Home page, check the status of the Access Request under Track My Requests.
a. What is the Execution Status of the Manage Accounts request for Fred?
_________________________________________________________________________________________________

Section 4 - 23
b. Expand the access request, and notice that the Approval Status is pending.
c. View Pending Interactions, and notice that the description indicates that we’re
waiting on Owner Approval.
d. List the approver for this request
_________________________________________________________________________________________________
5. Log out and log back in as spadmin/admin. On the Home dashboard, notice the Approvals
Quicklink card.
a. Click Approvals, and approve the account request for Fred.
b. Click Complete.
6. Use the desktop shortcut to launch the LDAP Browser
a. Only double-click it once… it will take a few seconds to start.
b. In the Connections window, select Training and click Open Connection

Section 4 - 24
7. Check the LDAP repository and confirm that Fred.Smith has an account in the LDAP server.
Expand dc=training…ou=people[1…100], scroll until you find Fred.Smith
8. Click Fred’s account to display details. Notice that 5 values, DN, objectClass, cn, sn, and
userPassword were required to create the account.

Section 4 - 25
9. Compare the LDAP entry with the LDAP Provisioning Policy.
a. Navigate to Applications  Application Definition  LDAP  Configuration 

Provisioning Policies and open the account creation provisioning policy
b. How many fields are defined in the provisioning policy? ________________________________
c. Edit CN and View the Value Setting window. How is the value for CN being set?
(Circle one)
Value Rule Script Dependent
d. We are using a small amount of bean shell to provide the name of the identity as the
value for CN. If you’re interested, view how the other fields are set
e. Close the Provisioning Policy

Section 4 - 26
Use and Investigate a JDBC Provisioning Rule: Request a New PRISM Account
To provision with the JDBC connector, the implementer must provide a provisioning rule. In this
section, we will be relying on the rule PRISM - Provision to provision this access to the JDBC
resource.
Our new employee Fred.Smith needs an account on the PRISM application. In this exercise, we will
request a PRISM account for him.
1. Login as spadmin/admin and investigate the PRISM application provisioning rule.

a. Navigate to the PRISM application, select Rules, and view the JDBC Provision Rule:
PRISM - Provision
b. Scroll through the rule and list three (of five) provisioning operations handled by
this rule (the first provisioning operation is circled above):
_______________________________ _______________________________ ________________________________
2. Now you’ll request a PRISM account. Log in as Catherine.Simmons/xyzzy
a. Open the Quicklink sidebar. Navigate to Manage Access  Manage Accounts.
b. Request a new PRISM account for Fred.Smith and Submit the request, which will
send it to the PRISM Application Owners workgroup (of which
Walter.Henderson is a member).

Section 4 - 27
3. Log in as the approver, Walter.Henderson/xyzzy and approve the changes for the account
request on PRISM. At this time, the provisioning request for a new PRISM account uses the
PRISM - Provision rule to perform the request.
a. This Rule includes statements to print the provisioning plan, the request that was
passed in, and the final result. On your desktop, view the Tomcat Standard Out.
b. In the provisioning plan (the XML), what is the operation being requested (hint: look
for op=).
_________________________________________________________________________________________________
c. From where did IdentityIQ obtain the values for the AttributeRequest entries?
(circle one)
User entered PRISM Identity Policy PRISM Provisioning Policy
4. From a terminal window, login into MySQL and confirm that the account is there.
[spadmin@training ~]$ mysql -u root -p

Enter password: root
mysql> use prism
mysql> select * from users where login = 'Fred.Smith';
5. The default values that are created in the PRISM application are determined by the
Provisioning Policy attached to the PRISM application. Notice that the groups attribute is
empty. If desired, our default provisioning policy could be changed to grant basic User
access by provisioning the attribute groups to include User by default.
6. If you are interested in more on the Provisioning Policy and PRISM provisioning rule, as
spadmin/admin, look at the PRISM application. Investigate both the Provisioning Policy
and the PRISM - Provision rule. The provisioning policies provide the values to the plan,
and the rule executes what is specified in the plan. Understanding this basic behavior of our
provisioning capabilities is very important for understanding how the process works.

Section 4 - 28
Request a PRISM Role for a User Who has a PRISM Account

1. Log in as Catherine.Simmons/xyzzy, on the Home page, click Manage User Access.
2. In Select Users, click the check-oval to select Fred.Smith, and at the top, click Manage
Access.
3. Search for the PRISM User role.
4. View the details for the PRISM User role: on the right, click Details.
a. Notice that Entitlement Details lists the IT roles assigned (PRISM User-IT), and the
included entitlements to be provisioned, as a result of this business role.
b. What is the entitlement attribute and value for the PRISM User-IT role?
_________________________________________________________________________________________________
5. Select the PRISM User role and at the top, click Review, and then Submit.
6. After you submit the request, look at the top of the screen.
a. What warning is displayed? Why?
_________________________________________________________________________________________________
_________________________________________________________________________________________________
7. Once you submit the request, look at the Access Request.
a. Enter the Application for the request: _____________________________________________________

Section 4 - 29
b. This is because with business roles, provisioning is performed to IdentityIQ. Notice

also that the approver is The Administrator.
c. Enter the Current Step: _____________________________________________________________________
d. All LCM requests activate a workflow. This is the step in the workflow that is
currently being processed.
8. Log out and log back in as spadmin/admin and approve the role request for Fred.Smith
a. Click Complete.

Section 4 - 30
Understanding what happens:

When a role is requested, IdentityIQ will follow the path we discussed in the Provisioning section of
the training presentation. The flow is:
b. Add the requested business role to the Identity Cube.
c. Determine from the business role being requested what IT roles are required by this
role. In this case PRISM User – IT.
d. From the IT role, determine what entitlements are needed. In this case groups = User
within the PRISM application
e. Does the user have an application account for the application? If yes, we provision the
entitlement to grant the user the appropriate access that was requested. If no, we
expand the request to also request an account to be created on the PRISM application
(more on this in a few pages.)
f. The request is handed to the PRISM - Provision rule to handle the request.
g. In our case, Fred.Smith already has an account, so we will just be adding the
entitlement (groups = User) to his account on PRISM.
9. Once the role request has been approved, we can check the Access Request and see that the
role request was expanded into the actual entitlement.
a. On the Home page, click Track My Requests, open the new request, and click the
View Complete Details link. Notice that administrators have access to view all
requests.
b. Notice that the request includes the Requested role, which will be provisioned to
IdentityIQ, and the Expansion, which will be provisioned to PRISM.

Section 4 - 31
10. In Tomcat Standard Out, view the provisioning plan.

a. What is the operation specified for this plan?
op= ___________________________________________________________________________________________
11. In your terminal window, look at the database to see the changes to Fred’s account
specifically that User has been added to the groups attribute:

+------------+-------------+-------+-------+--------+--------+---
-----+-----------+
| login | description | first | last | groups | status |
locked | lastLogin |
+------------+-------------+-------+-------+--------+--------+---
-----+-----------+
| Fred.Smith | NULL | Fred | Smith | User | A | N
| NULL |
+------------+-------------+-------+-------+--------+--------+---
-----+-----------+
1 row in set (0.00 sec)
Request Role for a User Without a PRISM Account

In this next request, we will be requesting a role for a user who does not have a PRISM account.
This will cause the role to be expanded into an entitlement request AND an account request.
1. Log in as Catherine.Simmons and, on the Home page, select Manage User Access and
request the PRISM User role for Bob.Smith
2. After you submit the request, check the Access Request to see that the request was for a role
for Bob.Smith.
3. Log in as spadmin/admin and approve the role request

Section 4 - 32
4. After you approve the request, check the Access Request. You should see that our request
now includes all the account attributes and the User entitlement.
5. In Tomcat Standard Out, view the provisioning plan.

a. What is the operation specified for this pan?
op= ___________________________________________________________________________________________
6. In your terminal window, confirm that Bob.Smith was added to the PRISM application:
mysql> select * from users where login = 'Bob.Smith';

Section 4 - 33
Enable/Disable and Delete PRISM Accounts

1. Login as Catherine.Simmons and from the Quicklinks sidebar, select Manage Accounts.
2. Select Bob.Smith and disable the PRISM account:
3. Submit the request and then check the Access Request
Enter the Operation: _________________________________________________________________________________
4. Back at the Quicklinks sidebar, select Manage Accounts.
5. Select Fred.Smith and delete the PRISM account.
Submit the request and then check the Access Request.
Enter the Operation: _________________________________________________________________________________
6. Login as Walter.Henderson/xyzzy and approve both the disable and delete requests
7. In the terminal window, use MySQL to check the Bob.Smith and Fred.Smith accounts. Notice
that Bob.Smith’s status has been set to “I” (Inactive), which is how accounts are disabled in
PRISM. Notice that Fred.Smith no longer has an account at all.
mysql> select * from users where login = 'Bob.Smith';
Empty set (0.00 sec)

Section 4 - 34
Unlock Account
1. Walter.Henderson’s PRISM account is currently locked. Determine how to unlock it through
IdentityIQ.
a. There are multiple ways to do this.

Hint: Will it be self-service, manager or other user driven? Depending on how you
decide to do it, the Quicklink Populations may need to change in order to allow
different actions within LCM. However you perform this action, remember that the
Access Request lists the approver.
b. Confirm in the terminal window by using MySQL command:
mysql> select locked from users where login = 'whenderson';
c. You should see the following if you successfully unlock his account:
mysql> select locked from users where login = 'whenderson';
+--------+
| locked |
+--------+
| N |
+--------+
1 row in set (0.00 sec)

Section 4 - 35
Exercise #4: Configure Group Provisioning and Create New

Group in LDAP
Objective
Turn on the IdentityIQ Group Provisioning feature and use IdentityIQ to provision groups to LDAP.
Overview
Out of the box, IdentityIQ can support provisioning groups to target applications that support
groups. In this exercise, we will use IdentityIQ to provision a group into LDAP. Once this group is
created, we will be able to add additional users to it.
Note: You do not need to use group provisioning within your IdentityIQ implementation. It is also
perfectly normal to create, edit, and delete groups directly in the native target application.
Configure Group Provisioning Feature of IdentityIQ

In order to enable group provisioning, two items must be configured: a group provisioning policy
for the application and Lifecycle Manager. We will confirm that both are ready for us to create the
new LDAP group.
1. Log in as spadmin/admin and investigate the LDAP provisioning policy.
a. Open the LDAP application definition and navigate to Configuration 

Provisioning Policies. Scroll down and click on the group create provisioning
policy.
b. List the four fields required to create a new group in our instance of LDAP.
_______________________________________________ _______________________________________________
_______________________________________________ _______________________________________________
c. Edit the DN field. The definition of this field is displayed on the right. Based on the
definition, is this a required field? (circle one) Yes No
d. Expand the Value Settings. Notice that no values have been provided. This means
that later, when we create the new group, we will manually provide a value for this
field.
e. View the Value Settings for the uniqueMember field. List the value provided for the
uniqueMember field.
_________________________________________________________________________________________________
f. Close the provisioning policy.

Section 4 - 36
2. Navigate to  Lifecycle Manager Configure.
a. Confirm that Enable Account Group Management is selected
b. While you’re in Lifecycle Manager configuration, look at the next option
c. What is the default refresh interval for the full text search indexes? ___________________
With full text search enabled, your new group will be available when the index is
updated (hourly).
d. Disable full text search: uncheck the box next to Enable Full Text Search
Note: This allows us to use the database search rather than the full text search for
our development testing of access requests. With the database search, updated
entitlements and roles are immediately searchable. With the full text search, the
indexes must be updated prior to searching for updated entitlements and roles.
When development is complete, enable full text search for faster and more thorough
searching (unlike database search, full text search includes descriptions).
e. Your configuration should look as follows:
3. Click Save

Section 4 - 37
Verify the Existing LDAP Groups

1. View the existing LDAP groups.
a. If necessary, start LDAP (from a terminal window enter StartLDAP) and launch the
LDAP Browser (use the desktop shortcut to launch the LDAP Browser)
b. In the Connections window, select Training and click Open Connection
c. If necessary, expand dc=training,dc=sailpoint,dc=com, then expand the groups
d. List the existing groups:
____________________________________________ ____________________________________________

Section 4 - 38
Provision a New Group in LDAP called VPN

1. In IdentityIQ, navigate to the Applications  Entitlement Catalog
2. Click Add New Entitlement to create a new account group.
3. On the Standard Properties tab, configure the new group as:
a. Application: LDAP
b. Display Value: VPN
c. Requestable: checked
d. Description: This group controls access to the corporate VPN.
e. Owner: Randy.Knight
4. View the Object Properties tab.
a. These fields are required for defining our LDAP group. What is the name of the
application and provisioning policy that defines these fields?
_______________________________________________ _______________________________________________
5. On the Object Properties tab, configure the following:
a. DN: cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com
b. Description: This group controls access to the corporate VPN.

Section 4 - 39
c. CN: VPN
6. Click Save
7. If you configured everything successfully you should see the following:
a. A message that says a workflow was started to create the VPN group. This workflow
comes out of the box, but could be customized if so desired. The workflow is called
Entitlement Update.
b. Under Applications  Entitlement Catalog you should see the new entry for VPN.
Note that the new LDAP group has a Description, Owner and is Requestable

Section 4 - 40
c. Check LDAP to see that the group was created
i. Close and reopen the Training connection to force a reread of LDAP
ii. Drill down and confirm that your VPN group was created:

Section 4 - 41
Exercise #5: Provision VPN Access Using Lifecycle Manager

Objective:
The objective of this exercise is to allow managers to request VPN access for their users via
Lifecycle Manager.
Overview:
We just created a group in LDAP called VPN, and we made this account group requestable, meaning
that users can request it through LCM.
To test, we will login as a manager (Catherine.Simmons) and request VPN access for all of the direct
reports in her department.
This will trigger a workflow case for each user with appropriate approval steps and will eventually
(assuming all approvals are affirmative) result in a provisioning of the entitlement in LDAP.
The default workflow for entitlement requests is called LCM Provisioning. Each Lifecycle Manager
operation has a default workflow (Business Process) defined as seen here. Out of the box, the
default workflows are:
The LCM Provisioning workflow automatically checks for approval from the entitlement owner
before provisioning the user’s access. This out of the box behavior can be configured to support any
desired functionality including policy checks, approvals, notifications, etc.

Section 4 - 42
Enable Business Process (Workflow) Tracing

1. Log in as spadmin/admin
2. Navigate to Setup  Business Processes
3. Select the LCM Provisioning Business Process, and in the center of the screen, select the
Process Variables tab.
4. On the Process Variables tab, notice the Approval configuration.
a. Who is the default approver? ___________________________________________
b. List the other standard configuration options for approver:
_______________________________ _______________________________ _______________________________
5. Scroll down to the very bottom, and select Trace Execution. This will trace all workflow
steps into the logs so that we can observe detailed workflow flow information.

Section 4 - 43
6. Click Save.
7. Start the desktop shortcuts Tail Tomcat Standard Out and Tail Email Log.
During the request to add users to the VPN group in LDAP, we will view these logs to
observe the workflow trace and emails being sent.
Test Provisioning to the New VPN Group

To confirm that our VPN group was successfully created, we’ll login as a manager and request VPN
access for a set of employees
1. Log out of IdentityIQ and log in as Catherine.Simmons/xyzzy
2. Request the VPN access.
a. Select Manage User Access
b. In the Select Users list, you should see direct reports for Catherine.Simmons, and
Catherine herself. Select all of her direct reports, but not Catherine, and then select
Manage Access
c. On the Manage Access screen, search for and select VPN
d. View the VPN entry and notice that all of our configured items are showing up on
the VPN Entitlement such as Owner and Description

Section 4 - 44
e. Select Review and, if everything looks okay, click Submit
3. On the Home page, click on Track My Requests.
a. There should be seven requests in the queue, one for each subordinate employee
that had the VPN entitlement requested for them.
b. What is the status for the Tammy.Daniels request?
Execution Status: ____________________________________________________________________________
4. Observe the current status of the workflow in the log files.
a. Check the output of the Email log file you should see the emails that were generated:
To: Randy.Knight@demoexample.com
Message-ID: <f6540250a97a44fba132515f41f64de3@example.com>
Subject: Changes requested to Tammy.Daniels need approval
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_44_19584772.1396377798427"
X-Mailer: smptsend
------=_Part_44_19584772.1396377798427
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Catherine.Simmons is requesting the following changes for 'Tammy.Daniels'
Application: LDAP
Account : cn=Tammy.Daniels,ou=people,dc=training,dc=sailpoint,dc=com
Operation: Add
Attribute: groups
Value(s): cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com
Priority: Normal
b. Check the Standard Out log file and see that workflow tracing has occurred. The end
of the trace shows that an approval has been requested:

Section 4 - 45
Starting step Start

Ending step Start
Starting step Approval
Starting approval group in mode parallel
Starting approval group in mode parallelPoll
Starting approval for Randy.Knight
Opening work item: Owner Approval - Account Changes for
User: Tammy.Daniels
5. Log out and log in as Randy.Knight/xyzzy
a. On the Home page, in Approvals, click the approval for Tammy.Daniels.
b. Handle the approval by selecting Approve and then Complete.
c. Leave the remaining six approvals for completion at a later time.
6. Notice the Standard Out log file after the item is approved by Randy:
Ending step Complete Identity Request

Skipping conditional step Update Ticket On Complete
Starting step end
Ending step end
Ending workflow Identity Request Finalize
Ending step Finalize
Ending workflow LCM Provisioning

Section 4 - 46
7. Now that the approval is done, confirm in the LDAP Browser that Tammy.Daniels has
correctly been added to the VPN group as shown here:
8. Just to review what occurred:
a. Once the manager requested that all 7 of her employees needed access to the VPN
group, 7 workflow cases were started (each an instance of the LCM Provisioning
workflow that is the default in IdentityIQ for Access Requests)
b. Each workflow determined that the owner of the VPN group was Randy.Knight
from the settings in the Entitlement Catalog so the workflow routed the approval for
each user to Randy.Knight
c. Randy.Knight received an email notification and had 7 items in his inbox for his
approval.
d. Once Randy.Knight approved the request, the workflow continued and provisioned
access to the LDAP resource, which involved adding Tammy.Daniels to the specific
VPN group.
9. Login as Catherine.Simmons/xyzzy
10. Navigate to Track My Requests.
a. What is the status for the Tammy.Daniels request?
Execution Status: ____________________________________________________________________________

b. A status of Verifying indicates that we’re ready to check that all provisioning is
complete. That is, compare the originally requested access with the access now held
by the identity.

Section 4 - 47
Confirm VPN Entitlement Assignment and Complete the Access Request

We can move the status of requests from Verifying to Complete by running the task: Perform
Identity Request Maintenance. This task is responsible for checking access requests and
confirming that the changes have been made. If all of the changes from the request are not
represented on the Identity Cube for whom the request was made, the status will remain as
verifying.
1. Log out and back in as spadmin/admin

2. Navigate to Scheduled Tasks
a. When is the Perform Identity Request Maintenance task next scheduled to run in
your environment?
____________________________________________________________________________________________
b. This task comes pre-scheduled in IdentityIQ to run once a day by default. You could
run this more often as determined by your needs
3. Run the task, and then come back and check Track My Requests and confirm that the
request for Tammy.Daniels has been marked as Completed. This can be done from
spadmin’s account.

Section 4 - 48
4. Check Tammy.Daniel’s LDAP account to verify her VPN access.
5. View Entitlements to confirm that the VPN group is an entitlement on her cube and that
the source of the entitlement was Access Request (Note: Contrast this with earlier in the
training class, where Aggregation was the source.)
a. Click on the row (not the VPN link) to view the details

Section 4 - 49
Disable Business Process (Workflow) Tracing

Trace is very verbose and should be used selectively. It is a good practice to turn it off once you are
through using the output.
1. Navigate to Setup  Business Processes.
2. Select the LCM Provisioning Business Process.
3. Select the Process Variables tab. Scroll down and find the process variable called Trace
Execution and de-select to disable tracing.
4. Click Save.

Section 4 - 50
Exercise #6: Use Lifecycle Manager to Create a Lifecycle

Event
Objective:
The objective of this exercise is to use Lifecycle Manager to recognize and respond to data changes
on the Identity Cubes. You will learn to configure a Lifecycle Event to monitor for change and
trigger a business process, and you will use the Business Process Editor to create the business
process that the Lifecycle Event will trigger.
Overview:
A lifecycle event can be configured to run a business process based on identity changes. In this
exercise, we will configure a custom business process (workflow) to run whenever a user’s
department attribute changes. The business process should force a new certification for the identity
and, if the new department is the IT Department, an email should also be sent.
Note that if all we wanted to do upon department change was to trigger a certification, the simpler
choice is to use a Certification Event. However, because we want to perform additional actions
(conditionally send an email), we’re managing this event with a custom business process.
First, we will define the business process (workflow) including importing a custom email template
just for this business process. Second, we will create the lifecycle event that will monitor for the
department change and trigger the business process.
The Business Process will show how to perform the following:
• Print out some debug data from within a workflow
• Calculate some internal workflow variables that can be used in later steps to control
workflow behavior
• Send an email from within a workflow
• Generate a certification for the user whose department is changing
Design the Business Process

1. From the above Overview, what will initiate the workflow?
_________________________________________________________________________________________________________
2. From the following list, circle the actions that are needed. These are the workflow steps:
• Create a certification
• Send an email
• Calculate the time since the last login
• Print debug information

Section 4 - 51
3. What will determine if an email should be sent?
_________________________________________________________________________________________________________
Configure a new Business Process for use with our Lifecycle Event
1. Login as spadmin
2. Import an email template to be used with our new Business Process
a. Navigate to  Global Settings  Import from File and load the following file:
/home/spadmin/ImplementerTraining/config/WorkflowTrainingEmailTemplate.xml
3. Navigate to Setup  Business Processes
4. Click New and configure as follows:
a. Name: Department Attribute Value Change
b. Type: Identity Lifecycle
c. Description: Business process that will run when a department change occurs
d. Click Save and OK
5. Click the Process Variables tab to configure the workflow variables.
a. Click Add A New Variable and configure the first variable as follows:
i. Name: event
ii. Input: checked
b. Click Save and OK
Note: Because the event variable is referenced by other variables (defined next),
the save is required to ensure that the event variable is saved first in the list of
workflow variables.

Section 4 - 52
c. Add the remaining variables as shown:
Name Input Initial Value Value or Source

trigger Checked
trace Checked String true
identityDisplayName Checked Script event.getIdentityFullName();
attribute_cause Checked Script event.getCause();
d. Notice that we have turned on trace. Watch Standard Out for results.
e. Click Save to save changes to the Process Variables, and confirm that your variables
are as follows:

Section 4 - 53
6. Define the Business Process graphically. Click the Process Designer tab.
a. Add 5 steps by clicking on the Add a Step and clicking:
i. Start – one time
ii. Generic Step – three times

(these are the steps you identified when designing the business process)
iii. Stop – one time
b. Drag (click and drag) the five icons into a more user-friendly arrangement as
shown:

Section 4 - 54
c. Right click each Generic Step icon and Edit the names and Change Icons as shown:
d. Now, connect the steps to reflect the required transitions.
i. Double click the Start step and then double click the Debug Step
ii. You should now have a connection from the Start step to the Debug Step as
shown:
Note: If you double click a step and realize that you don’t want to connect it
to another step, double click on the grid to remove the arrow.
iii. Continue connecting the icons using the technique shown above
1. Debug Step to Send Email
2. Debug Step to Create Certification
3. Send Email to Create Certification
4. Create Certification to Stop

Section 4 - 55
e. Once done, you should have something that looks like this. Note that a split
transition is created automatically for you since we have two transitions configured
from the Debug Step.
7. Now, we will configure each workflow step to perform specific operations as necessary.
a. Right click the Debug Step step and select Edit Step and configure:
i. Details tab
1. Action: Script
2. Source: click Open Editor
3. Edit Script for Action: Copy and paste from:
/home/spadmin/ImplementerTraining/beanshell/Workflow_Debug Step Script.txt
ii. View the comments in the script for an understanding of what the Debug
Step does
iii. Select Save, and then Save again.
b. Right click the multiple transition (the diamond with the ‘X’) to the right of the
Debug Step and select Edit Transitions:

Section 4 - 56
i. Edit the transition logic as shown taking care to negate the 2nd transition.
Copy and paste the transition logic from:
/home/spadmin/ImplementerTraining/beanshell/Workflow_Transition Logic.txt
Note: The transition logic will send us to the Send Email step if the
department we are transferring to is the “IT Management” department.
Otherwise, we will move to the Create Certification step.
ii. Click Save

Section 4 - 57
c. Right click the Send Email step and select Edit Step and configure:
i. Details tab
1. Action: Call Method
2. Call Method: sendEmail
ii. Arguments tab
Create three variables using Add a New Argument
Argument Name Value Value/Source

template String Training Workflow Email Template
to Script getEmail(identityName)
cc Script getEmail(launcher)
Note: identityName and launcher are passed into the workflow by the
system and supply the name of the identity whose attribute was changed and
the name of the identity who made the change, respectively.
iii. Click Save

Section 4 - 58
d. Right click the Create Certification step and select Edit Step and configure:
i. Details tab
1. Action: Script
2. Open Editor:
Copy and paste from:
/home/spadmin/ImplementerTraining/beanshell/Workflow_GenerateCertificationScript.txt
3. View the script and find the line where the Certification Name is set.
4. What will the certification be named?
_______________________________________________________________________________
ii. Click Save twice (Saves this step)
8. At the bottom of the Business Process Editor, click Save to save all work on your Business
Process. (Saves the whole workflow.)
Configure Lifecycle Event and Test

1. Before we can configure a Lifecycle event, we need to configure the department attribute to
be editable so that we can change the department and kick off a workflow to process the
change.
a. Navigate to  Global Settings  Identity Mappings
b. Click the Department identity attribute and change the Edit Mode to Permanent.
This will make this field editable via the UI for testing purposes.
c. Additionally, check the Searchable checkbox as shown here:
d. Select Save to save the changes to the Identity Mapping configuration for the
department attribute

Section 4 - 59
2. Navigate to Setup  Lifecyle Events and click Add New Lifecycle Event and configure the
new event as shown here:
a. Name: Department Transfer
b. Description: This lifecycle event will trigger whenever the Department

attribute on the identity is changed.
c. Event Type: Attribute Change
d. Attribute: Department
e. Business Process: Department Attribute Value Change
f. Click Save to save your Lifecycle event configuration
3. Test the event, by editing the department for Aaron.Nichols and changing his department.
a. Navigate to Identities  Identity Warehouse and choose Aaron.Nichols
b. Select Edit

Section 4 - 60
c. Change the Department value from Executive Management to IT Management

and Save. This will trigger the department change workflow.
4. Confirm that a certification was created:
a. Navigate to Setup  Certifications
b. See if there is a department transfer certification created for Aaron.Nichols

Section 4 - 61
c. Click the certification and scroll down to confirm that the access review was
assigned to the appropriate party (Mary.Johnson)
5. Look at the email log. What are the subjects of the two emails that were sent by the
workflow?
_________________________________________________________________________________________________________
_________________________________________________________________________________________________________

Section 4 - 62
6. If you check the output of Standard Out (desktop shortcut: Tail Tomcat Standard Out) you
will see the following. You can see that the department was changed to “IT Management”
and we took the path to the “Send Email” step.
Starting step Start

Ending step Start
Starting step Debug Step
=======================
Debug Step - Start
Requester = spadmin
Step Name = Debug Step
event.getCause() = Attribute 'department' changed from Executive
Management to IT Management
event.getIdentityName() = Aaron.Nichols
trigger.getAttributeName() = department
Debug Step - End
=======================
Ending step Debug Step

Starting step Send Email
Ending step Send Email
Starting step Create Certification
Change requested by spadmin
Building certification for Aaron.Nichols
Certification will be done by Mary.Johnson
Ending step Create Certification
Starting step Stop
Ending step Stop
Ending workflow Department Attribute Value Change
7. Test moving Aaron.Nichols from IT Management to Executive Management and back and
observe the results.

Section 4 - 63
Extension Exercise (Optional)

1. You previously listed the subjects of the two emails sent by this workflow. Determine where
each of these values are being set and list the locations here:
Email subject: Changes to your Identity were processed
Location: ___________________________________________________________________________________________
Email subject: New access certification: Department Transfer for

Aaron.Nichols: assigned to Mary.Johnson
Location: ___________________________________________________________________________________________
This concludes Section 4.

Section - 4

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Section - 4

Uploaded by

Copyright:

Available Formats

Section 4 - 1

Section Four: LCM, Workflow and Provisioning

Fundamentals of IdentityIQ Implementation

11305 Four Points Drive

Copyright © 2017 SailPoint Technologies – All Rights Reserved – VERSION 7.1b

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

Test Provisioning to the New VPN Group............................................................................................................... 43

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

Section 4: LCM, Workflow and Provisioning

• Requesting new access (entitlement and roles)

• The user themselves (designated as Self Service)

• Cube creation (Joiner)

• Revocation of access during a certification access review

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

Exercise #1: Enabling Lifecycle Manager

Installation of Lifecycle Manager

2. Launch the IIQ console using the IIQ Console shortcut

./iiq patch 7.1p1

7. Track My Request is supported by Identity Request Objects. These need to be periodically

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

Exercise #2: Create and Manage Identities in IdentityIQ

• Using the out of the box configuration

Create an Identity using LCM

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

a. List the execution status: ___________________________________________________________________

7. Log out and log in as spadmin/admin

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

Define a Provisioning Policy for Creating Identities

1. Navigate to  Lifecycle Manager  Identity Provisioning Policies and next to

2. Configure the provisioning policy header information.

a. Form Name: Identity Create Policy

i. Title: Create New Identity

ii. Click Details

a. Click Add Section, in Edit Options, expand Settings

i. Read Only: True

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

ii. For the section, select Apply

ii. Display Name: Instructions

iii. Expand Type Settings

1. Display Only: Checked

iv. Expand Value Settings

1. For Value, select Value

2. Enter: Input values to create new user.

v. For the field, click Apply

d. At the top, click Add Section, in Edit Options

ii. Label: Identity Attributes

iii. Click Apply

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

i. In Edit Options, select 2 columns and Apply

f. For Field 2, click the pencil, in Edit Options

ii. Display Name: First Name

iii. Expand Type Settings

iv. Click Apply

g. For Field 3, click the pencil, in Edit Options

ii. Display Name: Last Name

iii. Expand Type Settings

iv. Click Apply

h. Click Preview Form and confirm that your form is as shown

i. Click Back to Edit

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

a. Click Back to Edit

c. Confirm that Row 1 is now ordered as shown

Copyright © 2017 SailPoint Technologies – All Rights Reserved –VERSION 7.1b

_______________ _ __________________