Application Onboarding Introduction

Identity Cubes, Authoritative Applications, and Aggregation

Fundamentals of IdentityIQ Implementation


Overview
Identity Cubes, Authoritative Applications, and Aggregation
• Identity Cube Overview
• Authoritative Application Configuration
• Identity Mappings
• Aggregation and Refresh
• IdentityIQ User Access Management

Copyright © SailPoint Technologies, Inc. 2017. All rights reserved. 2


Identity Cubes



Identity Cube
• Term to refer to each unique identity stored in IdentityIQ repository
• Stores all information known about an identity
Examples:
• Identity Attributes
• Application Accounts
• Entitlements/Roles
• History
• Risk Score
• Policy Violations
• User Rights (Capabilities/Scoping)
• Information on the cube is
• Discovered
• Requested
• Assigned
• Calculated



Identity Cube – User Interface
• Tabs divide identity data into logical groupings
• Identity Attributes are sourced from authoritative sources or by rules



How are Identity Cubes Created?
• Automatically through account aggregation
• Mark “system of record” application as authoritative
• Process creates authoritative Identity Cube for each account
• Identity Attributes populated from authoritative applications

• Manually using Lifecycle Manager
• Form presented to user to enter Identity Attributes



Initial Configuration
Overview
• Configure authoritative application(s)
• Configure identity attributes
• Define custom identity attributes
• For custom and standard, define how they are populated
• Define and run aggregation task(s)
• Read authoritative accounts
• Create authoritative cubes
• Run default refresh task
• Populate identity attributes
• Mark managers
• Add capabilities to appropriate users (i.e. System Administrator)
• Reset spadmin password



Knowledge Check

Configuring Authoritative Applications



Applications/Connectors
• Application
• Representation of a business resource
• Configuration includes
• Meta Information: name, description,
owner, revoker
• Account Schema and optional Group Schema
• Application Type (Connector)
• Application Rules
• Connector
• Software component to connect to a target resource and read/write data
• Configuration includes
• Connection Specifics (i.e. Hostname, Port, Authentication)
• Connector Rules (for data manipulation)
• Provides normalized resource object



Application/Connector Configuration
Screenshot callouts:
• Application Meta Information
• Authoritative Indicator
• Application Type = Connector


Account Schema
• Represents a target resource account
• Defines what data to read
• Defines how to interpret data
• Required for each application

[Diagram: the Application Definition's Account Schema lists the attributes read from each Account on the target resource: User Name, Email Address, First Name, Last Name, Location]



Account Schema
Account Attribute Data
• Define which account attributes to collect
• Pre-defined for certain connectors
• Define how to interpret the data
• What data type (string, long, int, boolean, group reference)?



Account Schema
Schema Header
• Identify key data to IdentityIQ
• Native Object Type
• Identity Attribute
• Identifies which attribute holds the unique identity id for the account
• Display Attribute
• Identifies which attribute holds the display attribute
• Used for friendly display name



Manager Correlation
Authoritative Applications
• Define which application attribute defines a user’s manager
• Map the application attribute to the manager’s Identity Attribute



Application Rules

Authoritative Applications
• Manager Correlation Rule (when simple matching is not enough)
• Build and maintain manager hierarchy
• Creation Rule
• Perform customizations at cube creation time
Example: Set default IdentityIQ password
• Can be shared between applications



Knowledge Check

Identity Attributes and Mappings



Identity Attributes
• Standard Attributes
• Used to support basic system functionality
• DisplayName
• First Name
• Last Name
• Inactive
• Manager
• Email
• Searchable by default
• Extended Attributes
• Identity Attributes defined specifically for an installation
• Add as many as required to support your needs
• Searchable attributes can be specified
• Limited by number of searchable extended attributes defined in DB



Defining Identity Attributes
Identity Mappings
• Identity Mappings used to add new Identity Attributes
Example: Cost Center, Employment Status, Job Title
• Identity Mappings define source for Identity Attributes
Example: Application Attribute "HR-System employeeId" maps to Identity Cube Attribute "Identity Attribute empId"
• Source for all attributes (standard and extended) must be specified
• Typically sourced from authoritative sources
• Can be sourced/modified with a rule
Example: Parse Job Code value to determine if employee is full-time or part-time



Identity Mappings Configuration
Screenshot callouts:
• Property name for the attribute
• Value to display – can be a message key for localization support
• String or Identity
• Read only or editable attribute
• Source of Attribute: Application Attribute or Rule


Identity Attribute Mappings
Utilizing the Data

• Searchable
• Correlation
• Analytics, Reporting, etc.
• Multi-valued
Example: User may belong to more than one cost center
• Group factory
• Support dynamically generated groupings of identities based on the attribute
Example: All users in each region become a group
• Groups used to filter cubes included in actions
Example: Refresh only identities from a particular region



Knowledge Check

Aggregation and Refresh Tasks



Account Aggregation Tasks
• Purpose
• Read data from applications to account attributes
• Many configuration options
• Which Applications to Aggregate (required)
• Detect Deleted Accounts (best practice)
• And many more…
• Use Application/Connector/Schema information
• Schedule frequency dependent upon
• Use case
• Compliance – prior to certification campaign (i.e. quarterly)
• Provisioning – often daily
• Importance of source application (i.e. authoritative, sensitive/risky)

[Diagram: the Aggregation task reads application data into account attributes]



Identity Refresh Tasks
• Purpose
• Update identity attributes from the application account attributes, and through calculations
• Many configuration options
• Promote account attributes to identity attributes (per identity mappings)
• Mark manager status for each identity
• Update role assignments/detections
• Promote entitlements to a certifiable state
• Look for policy violations
• And many more…
• Run against all identities (default)
• Run after aggregations are complete or when cube data needs re-calculation
• Schedule frequency dependent upon
• Aggregation schedules
• Data calculation needs

[Diagram: the Refresh task updates identity attributes from account attributes and calculations]



Identity Cube Creation Process

[Diagram: Authoritative Resources are read by the Connector (Configuration, Rules) as defined by the Application (Schema, Rules, Creation Rule); the Aggregation Task drives the read and produces an Identity Cube whose Account carries User Name, Email Address, First Name, Last Name and Location]

1. Authoritative resource contains accounts
2. Application/Connector defines schema and how to connect to resource
3. Aggregation task runs
4. Connector reads accounts
5. IdentityIQ creates authoritative cubes
6. Identity Mappings define the creation of Identity Attributes
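As an added illustration (not SailPoint code and not part of the original deck) of the six steps above together with the Identity Mappings and Manager Correlation slides, the following Python models how aggregation creates one cube per account keyed by the schema's identity attribute, how mappings promote account attributes directly or through a rule (the Job Code full-time/part-time example), how the manager attribute is correlated, and how a refresh marks managers and detects deleted accounts. The account data, attribute names and function names are constructed assumptions.

```python
"""Constructed model (not SailPoint code) of the cube creation flow: aggregation
creates one cube per authoritative account, identity mappings promote account
attributes directly or via a rule, manager correlation links cubes, refresh marks managers."""
# Constructed HR-System accounts; the schema's identity attribute is employeeId
HR_ACCOUNTS = [
    {"employeeId": "E100", "fullName": "Ann Ruiz", "jobCode": "FT-ENG", "managerId": ""},
    {"employeeId": "E101", "fullName": "Bob Lee", "jobCode": "PT-OPS", "managerId": "E100"},
    {"employeeId": "E102", "fullName": "Cy Das", "jobCode": "FT-FIN", "managerId": "E100"},
]
def employment_status_rule(account):
    """Rule-sourced attribute: parse the Job Code prefix (FT-/PT-) into a status."""
    return "Full-Time" if account.get("jobCode", "").startswith("FT-") else "Part-Time"
# Identity mappings: identity attribute -> source application attribute, or a rule
IDENTITY_MAPPINGS = {"empId": "employeeId", "displayName": "fullName",
                     "employmentStatus": employment_status_rule}
# Manager correlation: application attribute managerId matched to identity attribute empId
MANAGER_CORRELATION = ("managerId", "empId")

def aggregate(accounts, cubes=None, app="HR-System", key="employeeId"):
    """Read accounts into cubes keyed by the schema identity attribute; accounts the
    source no longer returns are detected (Detect Deleted Accounts) and removed."""
    cubes = dict(cubes or {})
    seen = set()
    for acct in accounts:
        cube = cubes.setdefault(acct[key], {"accounts": {}, "attributes": {}})
        cube["accounts"][app] = dict(acct)
        seen.add(acct[key])
    for cid in [c for c in cubes if c not in seen]:
        cubes[cid]["accounts"].pop(app, None)  # account deleted at the source
        if not cubes[cid]["accounts"]:
            del cubes[cid]                     # no accounts left: drop the cube
    return cubes

def refresh(cubes, app="HR-System"):
    """Promote account attributes per the mappings, then correlate and mark managers."""
    for cube in cubes.values():
        acct = cube["accounts"][app]
        for attr, src in IDENTITY_MAPPINGS.items():
            cube["attributes"][attr] = src(acct) if callable(src) else acct.get(src)
    app_attr, ident_attr = MANAGER_CORRELATION
    by_ident = {c["attributes"].get(ident_attr): cid for cid, c in cubes.items()}
    for cube in cubes.values():
        cube["attributes"]["manager"] = by_ident.get(cube["accounts"][app].get(app_attr))
    managers = {c["attributes"]["manager"] for c in cubes.values()}
    for cid, cube in cubes.items():
        cube["attributes"]["isManager"] = cid in managers
    return cubes

def build_cubes(accounts, existing=None):
    """Aggregation followed by refresh, the order the default tasks run in."""
    return refresh(aggregate(accounts, existing))
```

Running build_cubes a second time with a shorter account list shows the deleted-account path: the cube whose only account disappeared is dropped.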



Knowledge Check

Managing IdentityIQ User Access



Access Rights for Identities
• Identities can possess Capabilities and Scope (if configured)
• Together, these define what a user can do in the system



Capabilities – Definition
• Default User Rights include
• Home page
• Quicklinks
• My Work
• Capabilities
• Define what additional rights a user has within IdentityIQ
• Control which menu options are available
• See the Capabilities Matrix for details



Scoping – Definition
• Scoping
• The act of subdividing data into logical groups and granting access based on those subdivisions
• Scopes control the objects a user can see and act upon

[Diagram: identities Bob, Bill and John; an Americas Scope containing App 1 and App 2 and a Europe Scope containing App 3; authorized-scope links between identities and scopes]


Workgroups – Definition
• Workgroup
• Set of identities treated as a single IdentityIQ identity
Example:
Group: Active Directory Application Owners
Members: John Smith, Sue Jones
• Workgroups are used for
• Sharing of IdentityIQ responsibilities
• Team based work via work items
• Ownership of objects (best practice)
• Applications, Certifications, Roles, Entitlements, Policies, etc.
• Assigning access to IdentityIQ
• Assignment of capabilities
• Assignment of scope



Workgroups – Configuration
• Setup Groups  Workgroups Tab



Workgroups – Configuration
Screenshot callouts:
• Name, Owner and Description
• Assigned Scope for the Workgroup
• Notification Parameters: Email Address and Settings
• Capabilities for the Workgroup
• Authorized Scopes for the Workgroup
• Add/Remove Identities



Assigning Capabilities, Scopes, & Workgroups
• Manual (user interface)
• Tedious
• Slow
• Error-prone
• Automatically (rules)
• Creation Rule (runs only during Identity Cube creation)
• Customization Rule (runs with each aggregation)
Example: A user’s AD group membership defines the workgroup (or capabilities or scope)
Example: A user’s department defines the workgroup (or capabilities or scope)
Summary
• Identity Cubes
• Represent users within IdentityIQ
• Store all information regarding a user
• Created by loading data from Authoritative sources or from the UI
• Applications define target resources
• Applications specify how to connect to the resource by defining a Connector
• Schemas define the data to be read from the resource
• Aggregation Tasks control how and when data is read from the target resource
• Identity Mappings control how Identity Attributes are “sourced”
• Capabilities/Scoping and Workgroups control an Identity’s access to IdentityIQ



Knowledge Check

Next Step?

Practice Exercises



Exercise Preview

Section 1, Exercise 4
• Installed and configured IdentityIQ
• Populating Identity Cubes
• Loading authoritative data
• Define Identity Mappings

[Diagram: Systems of Record – Employee File (HR) and Contractor File (Contractor Maintenance) feeding IdentityIQ]
