01 IdentityIQ Preview

The document discusses IdentityIQ, software that provides access governance and provisioning capabilities. It allows businesses to confirm and enforce least access privileges across applications, model business and IT policies, audit user access, and automate provisioning while enforcing compliance. IdentityIQ integrates with SailPoint IdentityNow for single sign-on capabilities and a seamless user experience across devices and applications. It provides a three-step process for governance-based provisioning that establishes a compliance baseline, builds governance controls, and manages ongoing access changes. Key IdentityIQ components and concepts are also outlined, such as modeling entitlements, roles, and policies, and using tasks and workflows to act on objects and drive business processes.

Uploaded by Srinivas Seenu

IdentityIQ Preview

IdentityIQ Business Purpose

• Business Friendly Access Governance
  - Confirming and enforcing least access across all applications
  - Modeling and enforcing business and IT policies
  - Auditing users' access and the controls around that access
  - Enforcing compliance
• Business Friendly Access Provisioning
  - Provisioning within bounds of
    • Providing and enforcing least access
    • Business and IT policies
  - Automating provisioning
  - Providing control to the business
    • Managing passwords
    • Access change requests

IdentityIQ Components

• Business need
• Business model
• Business applications
• IT infrastructure

SailPoint IdentityNow
Providing Single Sign-On

• IdentityIQ integrates with IdentityNow for single sign-on
• Key capabilities
  - Provides seamless SSO to on-premises web, SaaS, and “bring your own apps” (BYOA)
  - Works on all devices that end users need to access applications: PCs, laptops, tablets, and smartphones
  - Enforces step-up authentication where needed
  - Captures auditable “terms of use” agreements for BYOA
  - Allows users to request access to new applications via a convenient app store
  - Identifies unused or unauthorized accounts and reports them

Three Steps to Governance-based Provisioning

Step 1: Get Compliant
Understand current state of access and establish a compliance baseline
• Build Entitlement Catalog
• Establish responsibility
• Perform critical remediations

Step 2: Build Foundation
Define and implement governance model and controls
• Define policy model
• Define risk model
• Implement roles
• Define approvals
• Establish oversight

Step 3: Manage Ongoing Changes
Configure business processes, provisioning channels and monitoring
• Deploy request services
• Integrate fulfillment procedures

IdentityIQ Technical Overview

IdentityIQ Process – Business Modeling

[Diagram. Labels: Source Applications, Aggregation, IdentityIQ, Entitlement Catalog (App1, App2), Roles (Role1, Role2), Identity, Modeling. Bulleted items: Policies, Risk, Roles; Identity Attributes, Application Accounts, Entitlements.]

IdentityIQ Governance Process

[Diagram. Labels: Source Applications, Aggregation, IdentityIQ, Refresh, Revoke, Entitlement Catalog (App1, App2), Roles (Role1, Role2), Identity, Detection, Modeling. Bulleted items: Certification, Policies, Risk, Roles; Identity Attributes, Application Accounts, Entitlements/Roles, Policy Violations, Risk Assessment.]

IdentityIQ Provisioning Process

[Diagram. Labels: User Requested Change, Data Change, Source Applications, Aggregation, IdentityIQ, Refresh, Provision, Entitlement Catalog (App1, App2), Roles (Role1, Role2), Identity, Modeling. Bulleted items: Policies, Risk, Roles; Identity Attributes, Application Accounts, Entitlements/Roles, Policy Violations, Risk Assessment.]

Functions Needed to Meet Biz Purpose

Function / Biz Purpose   Certification Only   Certification & Roles   Provisioning Only   Certification & Provisioning
Aggregation              Required             Required                Required            Required
Entitlements Catalog     Required             Required                Required            Required
Certification            Required             Required                -                   Required
Policy                   Optional             Optional                Optional            Optional
Risk                     Optional             Optional                Optional            Optional
Roles                    Optional             Required                Recommended         Recommended
LCM Request              -                    -                       Required            Required
LCM Events               -                    -                       Recommended         Recommended

IdentityIQ Common Concepts

IdentityIQ Objects and Actors
Tasks and Business Processes

• All data is stored in IdentityIQ as objects
• Users run or schedule tasks to act on objects
  - Tasks typically process data
• Business processes act on objects in response to events or user requests
  - Business processes typically interact with the user

[Diagram. Labels: Tasks, Business Processes, Certifications, Roles, Risk Model, Identities, Policies, Entitlement Catalog, Application Configurations.]

IdentityIQ Actors – Tasks and Workflows
Execution Components

Tasks
• Run now or scheduled by a user
• Provide a result
• Reports are a special type of task

Workflows
• Activated in response to
  - User decision
  - A task
  - LCM Event
  - API calls

[Diagram. Labels: TASKS, Reports, WORKFLOWS, API, IdentityIQ Repository.]

Example Task and Workflow

[Diagram. Labels: Tasks, Workflow, Identity, Refresh, Aggregation, Provisioning, IdentityIQ, Source Applications.]

IdentityIQ Maintenance Tasks
Required for IdentityIQ Functionality

Task                                   Purpose                                                         Default Schedule
Perform maintenance                    Keeps standard systems moving through their phases              Every 5 minutes
Check expired mitigations daily        Scans for policy & certification exceptions that have expired   Daily
Check expired work items daily         Scans for uncompleted workitems that have expired               Daily
Perform Identity Request Maintenance   Checks for provisioning completeness                            Daily

Incorporating Business Logic
Coded Rules

• Snippets of user code written to implement business logic
• IdentityIQ provides rule “hooks” throughout the product
• Common uses
  - Prepare data for aggregation
  - Customize data during aggregation
  - Define unique business policies
  - Control certification behavior
  - Provide values for drop-down menus
  - Provide application provisioning logic
  - …and many more!
• Creation
  - With IdentityIQ rule editor (user interface)
  - Import from XML file

Summary

• IdentityIQ purpose and components
  - Business friendly access governance and provisioning
  - Business problem is solved by IAM Solution modules
    • Compliance Manager
    • Lifecycle Manager
  - Business policy, roles, risk are modeled in the Governance Platform
  - Integration Modules leverage existing IT systems
• Basic training review
• 3-step getting started process
• Technical overview
  - IdentityIQ governance process
  - IdentityIQ provisioning process
• Common concepts
  - Tasks & workflows are the IdentityIQ actors
  - Rules are snippets of user written code inserted at pre-defined locations

Questions?
