8.2 Lifecycle Manager
Version: 8.2
This document and the information contained herein is SailPoint Confidential Information
Copyright and Trademark Notices
Copyright © 2021 SailPoint Technologies, Inc. All Rights Reserved.
All logos, text, content, including underlying HTML code, designs, and graphics used and/or depicted on these written materials or in this Internet website are protected under United States and international copyright and trademark laws and treaties, and may not be used or reproduced without the prior express written permission of SailPoint Technologies, Inc.
"SailPoint," "SailPoint & Design," "SailPoint Technologies & Design," "Identity Cube," "Identity IQ," "IdentityAI," "IdentityNow," "SailPoint Predictive Identity" and "SecurityIQ" are registered trademarks of SailPoint Technologies, Inc. None of the foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc.
All other trademarks shown herein are owned by the respective companies or persons indicated.
SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual or the information included therein, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced, publicly displayed, used to create derivative works, or translated to another language, without the prior written consent of SailPoint Technologies. The information contained in this document is subject to change without notice.
Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c)(1) and (c)(2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.
Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws and regulations as they relate to software and related documentation. Licensee will not export or re-export outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism; a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Department of Commerce's Entity List in Supplement No. 4 to 15 C.F.R. § 744; a party prohibited from participation in export or re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software and related documentation.
Contents
Configure Tab
Special Considerations
Manage Accounts
Account Passwords
Track My Requests
Create Identity
Edit Identity
View Identity
Request Access
Remove Access
View Details
Add Attachments
Request Violations
Approval Tasks
Complete an Approval
Forward an Approval
View Details
View Attachments
Lifecycle Events
Batch Requests
IdentityIQ System Administrators can make any request regardless of the Lifecycle Manager Configuration
settings.
Configure Tab
Use the Configure tab to customize your Lifecycle Manager configuration. The Configure tab includes the following.
General Options
Use this option to enable requesters to set the priority level of their request. If this option is not selected, all
requests have a default “Normal” priority level.
Use this option to enable provisioning of account groups through Lifecycle Manager requests.
Use this option to enable full text searching on the Lifecycle Manager request pages. Enabling full text searching might have some effect on the performance of those pages. For detailed information, see Configuring Full Text Searching.
You must run the Full Text Index Refresh task before full-text search is available. Refer to the system administration documentation for more information.
The directory on the server in which full text index searches are stored.
Enables the automatic refreshing of the full text index at the interval specified.
Use this option to display information such as request numbers and IDs from external ticketing systems throughout IdentityIQ.
Limit the number of items returned by an access request. Large lists are hard to scan and the search should
be narrowed or refined.
Limit the number of selectable users returned by an access request. Large lists are hard to scan and the
search should be narrowed or refined.
Use the drop-down list to specify the applications on which multiple accounts can exist or be created.
Select the role types that are available for role requests. Any options not selected are unavailable to any user
attempting to make that type of request.
When searching for roles based on population, only return roles contained by at least the following percentage of the population
Specify the minimum percentage of a population whose roles must match any given search criteria.
When searching for entitlements based on population, only return entitlements contained by at least the following percentage of the population
Specify the minimum percentage of a population whose entitlements must match any given search criteria.
Entitlement Search Results must return less than this number of identities when searching by identity
Indicate the maximum number of identities an entitlement search result can yield.
Enables new user self-registration and creates a link for registration on the IdentityIQ login page.
3. Click the Process Variables tab. You can use the Advanced View option to view or configure all
available variables.
5. To delete the Security Officer setting, click the x icon next to it.
6. To add another setting, click the down-arrow next to the Approvers field and select another entry.
7. The default entry for the Fallback Approver is the IdentityIQ system administrator. If desired, you
can change the Fallback Approver.
8. When you are satisfied with all of the entries, click Save at the bottom of the screen.
Enter a URL to redirect the browser to the specified page after successful user registration. If this field is blank,
the user is redirected to the login page.
Select the number of days that must pass after the creation of an identity before it can be pruned. Default is 30
days.
Show Enable/Unlock decision buttons regardless of whether the account is disabled or unlocked.
Display the decision buttons on account management page for disabled or unlocked accounts.
Choose which actions are enabled for Manage Accounts requests for yourself and subordinates. Options
include the following:
• Delete
• Disable
• Enable
• Unlock
Deselected options are unavailable to a user attempting to make that type of request.
Select one or more applications from the Applications that support account only requests to specify which
applications allow Account Only requests. Select All Applications to enable this feature for all applications.
The status is automatically refreshed only for accounts from applications that are not listed in the Disable auto refresh account status list AND accounts that support the Enable or Unlock feature AND accounts without the NO_RANDOM_ACCESS feature.
Select applications from the drop-down list that support requests for accounts that are not associated with a role or entitlement.
Select All Applications if unassociated accounts can be requested for all applications.
Choose Enable password auto-generation when requesting for others to enable passwords to be auto-generated when requests are made on behalf of another user by an authorized user.
Select a rule from the drop-down list to use when validating password creations.
AI Services
The AI Services section appears only if the AI Services feature has been integrated and configured in IdentityIQ.
Show AI Services recommendations in access requests, to see access items that are recommended for you. This option is available only when the user is requesting access for themselves, and does not appear when the user is requesting access for others.
This option determines whether classification data is shown with access items, roles or entitlements, in access
requests. This option is provided so that you can choose whether or not to alert requesters to the fact that certain roles
or entitlements may allow access to sensitive or protected data. Classification data always appears in access
approvals, regardless of this setting.
• Create Identity
• Update Identity
• Self-service Registration
If an Update provisioning policy is defined, that policy overwrites the Create policy.
You must include the criteria required by the provisioning policy in the generated form before the request can be completed. Use the Provisioning Policy Editor to customize the look and function of the form fields generated from the provisioning policy.
Name
Description
Use the Edit Provisioning Policy Fields panel to customize the look and function of the form fields generated from the
provisioning policy.
Attribute
Select the attribute field from the drop-down list to display on the form generated from the provisioning policy.
Display Name
The name displayed for the field in the form generated by the provisioning policy.
Help Text
The text you wish to appear when hovering the mouse over the help icon.
Type
Select the type of field from the drop-down list. Choose from the following:
Boolean — true or false values field
Date — calendar date field
Integer — only numerical values field
Long — similar to integer but is used for large numerical values
Identity — specific identity in IdentityIQ field
Secret — hidden text field
String — text field
Choose this to have more than one selectable value in this field of the generated form. Click the plus sign to
add another value.
Read Only
Hidden
Owner
The owner of the provisioning policy. This is determined by selecting from the following:
None — no owner is assigned to this provisioning policy.
Application Owner — identity assigned as owner of the application in which the provisioning policy resides.
Role Owner — identity assigned as owner of the role in which the provisioning policy resides.
Rule — use a rule to determine the owner of this provisioning policy.
Script — use a script to determine the owner of this provisioning policy.
Required
Choose whether completing this field is required before the form can be submitted.
Select this option to have the form associated with this policy refresh to reflect changes to this policy.
Display Only
Authoritative
Boolean that specifies whether the field value should completely replace the current value rather than be merged with it; applicable only for multi-valued attributes.
Value
Allowed Values
The value(s) which can be displayed in the field of the generated form. Choose from the following:
None — the field is blank
Literal — value is based on the information you provide
Validation
Gives the ability to specify a script or rule for validating the user's value. For example, a script that validates
that a password is 8 characters or longer.
• Keyword search — Users can search based on keywords that relate to roles, entitlements and descriptions.
• Affinity search — Users can search for access based on what other users who are similar to them currently have.
Feature/Enhancement: Affinity Search
Description: Guides users to the right access to request by enabling them to find roles or entitlements assigned to specific users or a population of users.
Benefit: Enables users to locate roles and entitlements by reviewing access that others in the organization have. The affinity search provides a controlled, governance-based approach that enables you to compare similar access and view any areas of risk, such as high identity risk scores or open policy violations.
1. From the navigation menu bar, go to the gear icon -> Lifecycle Manager Configuration page. Select the Enable Full Text Search option on the Additional Options tab.
3. Run the Full Text Index Refresh task. Refer to the system administration documentation for more information.
The Full Text Index Refresh must run every time you make a change to roles, managed attributes, or the
FullTextIndex objects in your enterprise. The index files are only updated when this task is run. If you do not
select this option, you will have to schedule the Full Text Index Refresh to run periodically or you will have to
remember to run it manually.
When you run the Full Text Index Refresh task the first time, files for each FullTextIndex object in your IdentityIQ configuration are created.
By default, after completing both steps above, you can do full text searches on the following fields:
The following example illustrates how to add a new full text searchable field (division) and indicate a location for the
index files (/tmp/indexlocation). This example is for the roles index file.
Field options:
• Analyzed – used to index the field and for full text searching. Add analyzed fields to include custom attributes in full text search.
• Indexed – enables the field to be used in the advanced filters on the access request pages.
• Stored – enables the field to return in the search results and display on the access request pages, if the user interface is designed to support this use.
• Ignored – sets the field to not be used in full text searching or filtering. The field still appears in the filter passed down from the user interface.
Special Considerations
When FullTextSearch is enabled, Bundle / Role references within filter objects in Request Object Authority rules should include only the following indexed attributes:
• name
• displayableName
• id
• description
• owner.name
• owner.id
The only attributes that are indexed in the FullTextSearch index are listed above. If you use attributes that are not in this list, extra Bundles are returned during search, which can result in errors in the log.
Manage Accounts
https://<hostname>/identityiq/ui/rest/redirect?rp1=/identities/identities.jsf&rp2=quickLinks/Manage+Account
Manage Password
https://<hostname>/identityiq/ui/rest/redirect?rp1=/identities/identities.jsf&rp2=quickLinks/Manage%20Passwords/identities
Create Identity
https://<hostname>/identityiq/ui/rest/redirect?rp1=/identities/identities.jsf&rp2=quickLinks/Create+Identity/createIdentity
Edit Identity
https://<hostname>/identityiq/ui/rest/redirect?rp1=/identities/identities.jsf&rp2=quickLinks/Edit+Identity
View Identity
https://<hostname>/identityiq/ui/rest/redirect?rp1=/identities/identities.jsf&rp2=quickLinks/View%20Identity/identities
Track My Requests
https://<hostname>/identityiq/identityRequest/identityRequest.jsf
Manage Certifications
https://<hostname>/identityiq/certification/certifications.jsf#/certifications
https://<hostname>/identityiq/ui/index.jsf#/certifications
Your browser may require special characters in the parameter values to be URL encoded. For example, spaces must be replaced with %20, & must be replaced with %26, and ? must be replaced with %3F.
https://<hostname>/identityiq/ui/rest/redirect?rp1=/accessRequest/accessRequest.jsf&rp2=accessRequest/manageAccess/add?identityName=<identity1>&filterRoleType=<roleType1>&filterRoleStringAttr=<roleAttrib1>
The following parameters allow you to create direct links to the page with a variety of filters already selected:
Identity
Role Filters
filterRoleType
filterRole<attribute>
Only role type and extended attributes are supported. Attributes from the bundle object are not supported.
Entitlement Filters
filterEntitlementApplication (multi)
filterEntitlementAttribute (multi)
filterEntitlementEntitlement (multi)
filterEntitlementOwner
filterEntitlement<attribute>
The (multi) params can be specified multiple times in a single URL. However, filterEntitlementOwner is NOT
multi.
If an entitlement application has only one attribute defined, the direct link can omit the entitlement attribute on
the URL and the defined attribute is used by default.
With the exception of Application, Attribute, and Value, only extended attributes are supported.
Keyword Filters
filterKeyword
If full text search indexing is enabled, the description is also searched for the keyword.
https://<hostname>/identityiq/ui/rest/redirect?rp1=/accessRequest/accessRequest.jsf&rp2=accessRequest/manageAccess/add?identityName=<identity1>&filterRoleType=<roleType1>
Access Request for Single User Pre-Selected — Filtering on Role Type and Role Extended Attribute
Specific access request review pages can be accessed through direct links using parameters. Query parameters can
be appended to the Access Request Review tab URL:
Your browser may require special characters in the parameter values to be URL encoded. For example, spaces must be replaced with %20, & must be replaced with %26, and ? must be replaced with %3F.
https://<hostname>:<port>/ui/rest/redirect?rp1=/ui/index.jsf&rp2=certification/<id>
The following parameters allow you to create direct links to the page with a variety of filters already selected:
Identity
Role
Entitlements
If only one attribute is defined for an application, entitlementAttribute can be omitted and it is filled in automatically. In all other cases, the attribute is required. In all cases, entitlementApplication and entitlementValue are required for each entitlement combination.
<entAttrib1> and <entAttrib2> are the entitlement attributes (such as memberOf or groupmbr)
https://<hostname>/identityiq/ui/rest/redirect?rp1=/ui/index.jsf&rp2=accessRequest/manageAccess/add&identityName=<identity1>&filterEntitlementApplication=<entApp1>&filterEntitlementAttribute=<entAttrib1>&filterEntitlementEntitlement=<entValue1>&filterEntitlementApplication=<entApp2>&filterEntitlementAttribute=<entAttrib2>&filterEntitlementEntitlement=<entValue2>
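The encoding note and the repeating (multi) entitlement parameters above are easy to get wrong by hand, so here is an added Python example (written for this page, not SailPoint's code) that builds the Manage Access direct link from filter values and decodes it again for checking. It assumes the redirect endpoint decodes rp2 once and then forwards the inner query to the page named in rp1, which is why the inner query is percent-encoded twice; it joins the inner query with "?" as in the first link on this page. The hostname, identity name, application and entitlement values are constructed placeholders; the parameter names are the ones listed on this page.

```python
"""Build and check IdentityIQ Lifecycle Manager direct links (added example)."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Redirect endpoint path as shown in the links on this page.
REDIRECT_PATH = "/identityiq/ui/rest/redirect"
# Assumed rp1 target: the new-UI page the redirect forwards to.
RP1_TARGET = "/ui/index.jsf"


def quote_value(value):
    """Percent-encode one parameter value as the page describes:
    space -> %20, & -> %26, ? -> %3F (and every other reserved character)."""
    return quote(value, safe="")


def build_access_request_link(hostname, identity_name, role_type=None,
                              role_attrs=None, entitlements=(), keyword=None):
    """Return a direct link to Manage Access > Add Access with filters pre-selected.

    role_attrs:   {extended_attribute_name: value} -> filterRole<attribute>
    entitlements: sequence of (application, attribute_or_None, value); each tuple
                  emits one filterEntitlementApplication/Attribute/Entitlement
                  group, which is how the "(multi)" parameters repeat in one URL.
                  attribute may be None when the application defines only one
                  attribute (the page says it is then filled in automatically).
    """
    inner = [("identityName", identity_name)]
    if role_type:
        inner.append(("filterRoleType", role_type))
    for attr, value in (role_attrs or {}).items():
        inner.append((f"filterRole{attr}", value))
    for app, attr, value in entitlements:
        inner.append(("filterEntitlementApplication", app))
        if attr is not None:
            inner.append(("filterEntitlementAttribute", attr))
        inner.append(("filterEntitlementEntitlement", value))
    if keyword:
        inner.append(("filterKeyword", keyword))
    # First layer: encode the target page's own query (values only; names stay literal).
    rp2 = "accessRequest/manageAccess/add?" + urlencode(inner, safe="/", quote_via=quote)
    # Second layer: encode the whole thing as the single rp2 value, so its inner
    # '?', '&' and '=' become %3F, %26 and %3D and cannot be mistaken for
    # parameters of the redirect endpoint (assumption: rp2 is decoded once there).
    outer = urlencode([("rp1", RP1_TARGET), ("rp2", rp2)], safe="/", quote_via=quote)
    return f"https://{hostname}{REDIRECT_PATH}?{outer}"


def decode_rp2(url):
    """Undo both encoding layers and return the inner filter parameters as
    {name: [values]}; repeated (multi) parameters keep their order."""
    outer = parse_qs(urlsplit(url).query)  # decodes rp2 once
    rp2 = outer["rp2"][0]
    _, _, inner_query = rp2.partition("?")
    return parse_qs(inner_query)  # decodes the inner values


if __name__ == "__main__":
    # Constructed sample values; the hostname and identity are placeholders.
    link = build_access_request_link(
        "iiq.example.internal", "Jane Doe", role_type="business",
        entitlements=[("Active Directory", "memberOf", "CN=Admins,DC=example,DC=com"),
                      ("Payroll", None, "AP Clerk")])
    print(link)
    print(decode_rp2(link))
```

Because rp2 is one parameter of the redirect endpoint, only a single literal "&" (between rp1 and rp2) should survive in the finished link; every "&", "?" and "=" that belongs to the inner query must arrive as %26, %3F and %3D. The decode step is a cheap way to confirm that an identity name containing a space, or an entitlement value containing "=" and ",", round-trips unchanged before the link is pasted into an email template.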
Direct Link to Pending Work Items (Mobile)
You can link directly to any open work item such as a form or a violation. To access a direct link, a user must be logged in, have visibility to the work item and have authorization to access the item.
Some work items, such as manager access reviews, are not supported as direct links. If a direct link contains a work item id that is not supported, a warning message displays that indicates the work item does not exist.
For all other types of work items, go to the desktop version of IdentityIQ and access the page associated with the work item.
When you send an email with a direct link to a pending work item to a user, the email system variable must be configured to match the server name and path of the currently deployed instance of IdentityIQ. Click the Gear icon in the navigation menu bar and go to Global Settings -> Mail tab -> Email Templates -> Server Root Path. For example, the default is set to https://localhost:8080/IdentityIQ. However, if you deploy from /spt on port 80, you should change the setting to https://localhost/spt.
The $spTools.formatURL() is a velocity template function that formats the URL correctly in the actual email sent to the user.
$spTools.formatURL('/ui/index.jsf#/commonWorkItem')/$item.id
IdentityIQ Lifecycle Manager manages changes to user access and automates provisioning activities in your enterprise environment. The Lifecycle Manager maps directly to the lifecycle of a user in an organization and the core identity business processes associated with the user lifecycle activities.
The Lifecycle Manager can be configured to enable users to make requests through IdentityIQ and control which requests they can make.
Users
• Other users — controls requests by all users not a part of the standard groups
User Requests
• Account Management — create, manage, and delete accounts including enable, disable, and unlock, change and reset passwords, and track current requests
Lifecycle Manager provides automated change management based on configurable identity lifecycle event triggers. These triggers are mapped to different identity-related events in an authoritative source, typically a human resources system. When a tracked event is detected, provisioning requests are generated. For example, when the status of an employee changes from active to terminated, this lifecycle event can be configured to trigger a de-provisioning request for all of the access associated with the employee. If an employee's job title changes, a trigger can launch the assignment of a new business role to replace the employee's current business role.
Lifecycle Manager leverages the IdentityIQ Governance Platform to enhance compliance performance, improve security, and reduce risk.
SailPoint uses a combination of roles, policy, and risk to provide a framework for evaluating all requests for changes to
access against predefined business policies.
• IdentityIQ Role Model — simplifies administration of user access by providing a predefined and planned structure for requesting and validating user access based on business or IT roles.
• IdentityIQ Policy Model — evaluates your corporate access policies during the access request and provisioning processes.
• IdentityIQ Risk Model — reduces operational risk by using a risk-based approach to identity governance and provisioning by enabling organizations to modify change management processes.
Lifecycle Manager uses the IdentityIQ Provisioning Broker to manage the final change management activities that result from self-service access requests or automated lifecycle event triggers. The IdentityIQ Provisioning Broker is a key piece of the IdentityIQ architecture that enables organizations to coordinate changes to user access across different provisioning processes. When a provisioning change is triggered, the provisioning broker separates each request into its component parts and determines the appropriate provisioning implementation process. Provisioning options include:
New User Registration — a self-service feature that enables new users to request initial access to IdentityIQ. When
access is granted, a new identity cube is created for the user.
Quicklink Cards — convenient links to request and track user access from your Home page.
• Request Violations
• Manage Accounts
• Account Passwords
• Track My Requests
Requests are processed based on the business process defined when IdentityIQ is configured for your organization. If approval is not required, the roles are added or removed from the entitlements list and are available after the associated access is granted on the required applications. If approval is required, the request must first pass the approval process before being assigned.
• Manually
• By generating a help ticket, if your implementation is configured to work with a help desk solution
Manage Accounts
The status of the accounts listed on the Manage Accounts page is refreshed automatically based on the conditions set during configuration.
You can use the Manage Accounts link to take action on any of the accounts assigned to a user. Based on how your system is configured, you can:
• Disable/Enable an account
• Request an account
• Search for a user — Enter a letter or combination of letters and click the Search icon.
The Accounts section lists information about accounts associated with the selected user. Information can include:
Application
Account ID
Status
Application
Last Refresh
The status of the last provisioning operation performed through IdentityIQ. This state is not updated by actions performed outside of IdentityIQ, so it might not reflect the current state of the account.
The available actions are represented by icons defined in the legend on the page. Click an icon to perform the specified action.
If the application does not support the action, the icon is not visible. These options are only available if
configured by an administrator.
Account Passwords
If you click the Home button, exit the IdentityIQ application, or navigate away from the manage access pages
before you complete all tasks, your entries are cleared and the access request is NOT submitted.
• Change — change a specific password or generate a new password for one or more accounts.
• Generate — generate a single password for all selected accounts or generate a unique password for each selected account.
If there are any errors associated with the manually submitted password the text fields are highlighted in red.
Information is displayed below the text field that describes why the submitted password failed and the
password policy.
3. From the application list, navigate to the row for the application with the password you want to change and click
Change.
• Manually enter a new password, re-enter the password to confirm, and click Submit.
• Or you can click Generate to generate a new password for the account.
You cannot synchronize passwords for accounts with incompatible password policies. The Synchronize Password option is not available for self service accounts. To set up a single password for a group of applications:
• Sync Password for All to generate a new single password for all the selected accounts.
• Or Generate Password for All to generate a new password for all the selected accounts.
Track My Requests
To track the progress of access requests you created, click Manage Access -> Track My Access Requests, use the
Track My Access Requests link on your Home page, or My Work -> Access Requests to display the Access
Request page.
Click an item in the list to display detailed information about the requested items and any pending actions that still need to be taken on that request.
From the detailed history panel you can navigate further into the request to expand the details view, review the actual
access request, and send messages to owners of the request reminding them that their action is required.
Access Request ID
Priority
Specifies the priority level to which the access request was designated.
Type
Description
Requester
The name of the user who assigned this work item to you.
Requestee
The name of the user to whom this access request was assigned.
Request Date
Current Step
Completion Date
Execution Status
Executing — The request is going through the business process and has not completed.
Verifying — The request has finished the business process and is waiting for the Provisioning Scanner to
verify it.
• Create Identity
• Edit Identity
• View Identity
Create Identity
To create new identity cubes in IdentityIQ, use the Create Identity page. The data fields are based on the fields defined
as standard and/or searchable attributes in the IdentityIQ configuration.
Edit Identity
Select an identity from the Available Identities list to display the Edit Identity Attributes page.
Use the search and filter features to limit the number of identities displayed.
Click Submit after all selections are completed to display the Review and Submit page.
View Identity
Use the View Identity page to view detailed information about an identity in IdentityIQ. This page can be accessed from
the Define -> Identities page.
Select an identity from the Available Identities list to display the View Identity page.
Use the search and filter features to limit the number of identities displayed.
• Attributes — lists the basic user identity information such as first name, last name, and email, as well as enabling you to update the user password and the forwarding user.
• Accounts — lists account information for all of the applications to which the user has some level of access.
• Account Passwords — enables you to manage account passwords for one or more applications.
• Manage Recycle Bin — provides support for deleted users, groups with all their attributes, and group memberships.
• Update My RSA Token PIN — provides support for updating your RSA Token PIN. See
If you are logged in and have an RSA link associated with your identity, the Update My RSA Token PIN option is available.
To reset a PIN, click the Update My RSA Token PIN link on the Lifecycle Manager. The form displays the serial num-
bers of the tokens assigned to you. Select one of the multiple tokens (serial numbers) and type in a new PIN. The PIN
• Access for Others — Users request and manage access for one or more identities. This option can also be set up to enable you to request access for yourself.
• Access for Yourself — Users request and manage access for themselves.
When removing access, only the roles and entitlements the user currently has assigned are available for removal.
• Select Users — Displays a list of available identities. You can choose one or more identities from the list.
• Manage Access — Use Search or Filter to find available roles and entitlements, or click Browse all access to display all available roles and entitlements. You can select Add Access to add new access. Select Remove Access to remove access for a single user.
• Review and Submit — Displays access request information. You can verify and submit your access requests.
• Manage My Access — Use Search or Filter to find available roles and entitlements, or click Browse all access to display all available roles and entitlements. Click the check icon for each access item you want to add. You can also click Remove Access to see the access you currently have and select access you want to remove.
• Recommended For You — If AI Services has been configured for your organization, the Search field includes an option in the drop-down list to show access items that AI Services recommends for you, based on peer group analysis. You can also click the Yes, show my recommendations button to see recommended access. Recommendations are available only for your own access; if you are able to request access for other users (such as your direct reports), you will not be offered recommendations for those users. See the AI Services documentation for more information.
• Review and Submit — Displays your access request information. You can verify and submit your access requests.
• Request Access
• Remove Access
• View Details
Request Access
Based on how your system is configured, you can:
1. On the Select User tab, click the check icon on the card for one or more identities.
To search for an identity, enter the name or first few letters of an identity in the search box and click the search icon. To limit the number of listings, click Filters, select specific filter criteria, and then click Apply.
2. Navigate to the Manage Access tab and select the Add Access tab.
To search, enter a term in the search box and click the search icon. Click the menu icon next to the search field to change between search types: Keyword, User Access, or Populations. To limit the number of listings, click Filters, select specific filter criteria, and then click Apply.
Click Browse all access items to display the full list of access options available.
3. If a role or entitlement requires an account the identity does not have, the Select Account dialog displays. To
create the new account, select the account and click Apply.
4. After IdentityIQ validates that the user does not currently have the requested access, the number of items you
selected displays on the Add Access tab.
5. Navigate to the Review and Submit tab and review the access request information for each identity.
• Remove an access request entry — Click the X icon next to the access item.
After you click Submit, forms are issued if further information is needed before your request can be
completed.
If you are requesting access for multiple identities, the forms are sent directly to your Home page and no
popup is displayed.
7. When you have completed all your review tasks, click Submit to complete the access request.
If your system is set up to allow you to request access for yourself, a card with your identity details is the first card displayed on the Select User tab. This option must be configured in IdentityIQ.
To search, enter a term in the search box and click the search icon. To limit the number of listings, click Filters,
select specific filter criteria, then click Apply.
Click Browse all access items to display the full list of access options available.
2. Some roles allow related roles to be added. To add the additional roles, select the role or roles and click
Continue.
3. Navigate to the Review and Submit tab and review the access request information.
• Remove an access request entry — Click the X icon next to the access item.
5. When you have completed all your review tasks, click Submit to complete the access request.
A permitted role is generally a requested or assigned role and is not automatically granted to a user. Permitted roles
are enabled by default. When permitted roles are available, they are displayed on the following tabs:
• Add Access — When you select a role that has permits, the associated permitted roles are displayed as cards after you complete the account selection setup.
• Review — Permitted roles are displayed below the associated assigned role.
Remove Access
The remove access feature is only available for an individual user.
1. On the Select User tab, click the arrow on the card for an identity.
2. Navigate to the Manage Access tab and select the Remove Access tab. The current access for the selected
user is displayed.
To search, enter a term in the search box and click the search icon. To limit the number of listings, click Filters,
select specific filter criteria, then click Apply. Search in the Remove Access area includes a Status filter that
allows you to filter results for Active or Requested access.
4. Click the check icon next to the access items you want to remove. The number of items you selected to be
deleted is displayed in a circle on the Remove Access tab.
5. Navigate to the Review and Submit tab and review the information about the access you want to remove for
the individual user.
• Remove an access request entry — Click the X icon next to the access item.
7. When you have completed all your review tasks, click Submit.
View Details
You can view the following information about a user:
Based on how your system is configured, you can view items such as User Name, Last Name, First, email, Location
Owner, Region, and more.
2. On the Select User tab, click the user icon on any user card.
To view user details from the Review tab, click the user name next to the user icon to return to the Select User tab and then click the user icon on the user card.
For any role, you can view information such as the application associated with the role, the Attribute, the Name of the
role and how the role was assigned.
2. On the Manage Access tab, click Details for any role listing.
IdentityIQ does not perform file content validation or verification on attachments. It is your responsibility to
ensure that only files that do not violate security policies within your environment are included as
attachments.
Attachments are only available for single user access requests. If attachments are enabled, you will see the
attachment icon on all request items, but it will only be active on requests that support attachments.
You can add attachments to access request items using the attachments button (paper clip icon). The number next to the icon indicates the number of files attached to that access request item. Based on how your system is configured, you might be able to add attachments, for example a training certificate or a notarized document of authorization, or you might be required to add an attachment for specific items.
There might be an attachment size limit set during the configuration of IdentityIQ. If you run into issues, contact your administrator. For information about how file attachment options are configured, see the System Configuration documentation.
If attachments are required, it will be indicated in the icon and you will receive a warning if you try to submit the request without an attachment.
If attachments are required for an item and you include that item in a request for multiple users, a message is
displayed instructing you to amend the request as required.
Adding any attachment will fulfill the required attachment rules. IdentityIQ does not validate to ensure the
correct item was attached.
1. On the Review and Submit tab, select the attachments icon for the request item.
2. In the attachments overlay, add attachments by dragging and dropping or uploading files.
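Because IdentityIQ performs no content validation on attachments, the check that keeps a renamed executable or an oversized file out of a request has to happen on your side. The following is an added example, not IdentityIQ code: a small pre-upload check that identifies a file by its leading bytes rather than its name, enforces a size limit, and rejects files whose extension disagrees with their content. The size limit, the allowed types and the sample files are constructed for the illustration; an installation's real limit is whatever was set in system configuration.

```python
"""Pre-upload attachment check (added example, not IdentityIQ code).

IdentityIQ does not validate attachment content, so this is the kind of
local check a requester or an upload integration can run first. The limit
and the allowed types below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024                       # assumed local limit
ALLOWED_TYPES: FrozenSet[str] = frozenset({"pdf", "png", "jpeg"})

# Leading bytes that identify the accepted file types.
_MAGIC = (
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
)


@dataclass
class CheckResult:
    ok: bool
    detected_type: Optional[str]
    reason: str


def detect_type(data: bytes) -> Optional[str]:
    """Classify a file by its content rather than by its name."""
    for magic, kind in _MAGIC:
        if data.startswith(magic):
            return kind
    return None


def _extension(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpeg" if ext == "jpg" else ext


def check_attachment(filename: str, data: bytes,
                     max_bytes: int = MAX_ATTACHMENT_BYTES,
                     allowed: FrozenSet[str] = ALLOWED_TYPES) -> CheckResult:
    """Reject empty, oversized, unrecognised, disallowed or mislabelled files."""
    if not data:
        return CheckResult(False, None, "empty file")
    if len(data) > max_bytes:
        return CheckResult(False, None, f"{len(data)} bytes exceeds the {max_bytes}-byte limit")
    kind = detect_type(data)
    if kind is None:
        return CheckResult(False, None, "content does not match any accepted type")
    if kind not in allowed:
        return CheckResult(False, kind, f"{kind} is not an allowed type")
    if _extension(filename) != kind:
        # A renamed file: the name an approver sees would not describe the bytes.
        return CheckResult(False, kind, f"extension does not match content ({kind})")
    return CheckResult(True, kind, "ok")


# Constructed sample inputs.
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("training-cert.pdf", SAMPLE_PDF), ("training-cert.pdf", SAMPLE_EXE)):
        print(name, check_attachment(name, blob))
```

The check deliberately ignores the extension when classifying and only uses it afterwards for a consistency test, since a file name is the one thing a user controls freely.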
Attachment Overlay
The information displayed on the attachment overlay is controlled using AttachmentConfig rules. Every time a user
accesses the Review and Submit tab of an access request, every AttachmentConfig rule is reviewed and the attach-
ment overlay is constructed based on that input, possibly with the names of required or suggested attachments dis-
played in a list.
Required attachment names are displayed with a red asterisk. All required attachments should be included in the access request, but any attachment will satisfy the requirement rules. IdentityIQ does not validate the attached files.
Drag and drop or upload the attachments to add them to the Attached to This Item list.
The Attached to This Item list contains any files already attached to this request item. From this list you can:
• Add or edit comments — click the pencil icon to add or edit comments
Assignment notes can only be added to assigned roles. You cannot add assignment notes to permitted roles.
You can view or post comments and assignment notes to an access request using the comments button, talk bubble
icon. The number next to the icon indicates the number of comments and notes for the access request. If comments
are required for this item, the comment icon is flagged with a red asterisk. Comments can be made at the overall
request level and at the individual request item level; when comments are required, a comment at the request satisfies
the requirement for comments at the individual request item level.
When you add a comment or assignment note to an access request line item, the note icon turns green.
Before you complete an access request, you can view or post a comment to line items for entitlements and roles.
If an Assignment note is not permitted for the item, the title of the dialog is Comment.
1. On the Review and Submit tab, select the comments icon for the request item.
3. To post a new comment, type your comments in the text box and click Save.
Before you complete an access request, you can post an assignment note to line items for roles.
If an assignment note is not permitted for the item, the Assignment Notes tab is not displayed.
1. On the Review and Submit tab, select the comments icon for the request item.
2. In the Comments and Notes dialog, select the Assignment Notes tab.
Change Priority
For this feature to be available to users, the Administrator must enable the option to Allow requesters to set
request priorities.
If your system is set up to allow priorities for access requests, you can change the priority for an access request. The
default setting is Normal Priority. When you create an access request, you can change the priority to High Priority or Low Priority.
Before you complete an access request, you can change the priority for an access request:
Sunrise and sunset dates support the temporary assignment of roles and entitlements by letting you set a
beginning (sunrise) and an end (sunset) date for access. Access is deprovisioned when the sunset date
arrives.
For this feature to be available to users, the administrator must enable the option to allow Sunrise/Sunset
dates on role assignment.
If you specify a global Sunrise/Sunset date on an entire access request, and then change the global setting, the new global setting overrides any individual line item date settings you made.
Before you complete an access request, you can set a beginning and ending date for an:
If all the dates in an access request are the same, the global date icon is green. If the dates for one or more line items in the access request are different, the date icon is gray.
To set the global sunrise/sunset dates for a line item in an access request:
1. On the Review tab, click the date icon for the line item in the access request.
2. In the Set Sunrise/Sunset dates dialog, type a new date in the field in the mm/dd/yyyy format or click the calendar to select a date.
1. On the Review tab, click the date icon for the access request.
2. In the Set Sunrise/Sunset dates dialog, type a new date in the field in the mm/dd/yyyy format or click the calendar to select a date.
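The rules above (line-item dates, a global date that overrides them, the green/gray icon, and deprovisioning when the sunset date arrives) are small enough to model exactly. The following is an added example, not IdentityIQ code: a model of a request with two line items, the mm/dd/yyyy input format of the dialog, and a check of whether a line item's access is live on a given day. The role names are constructed.

```python
"""Sunrise/sunset dates on an access request (added example, not IdentityIQ code)."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional


@dataclass
class LineItem:
    name: str
    sunrise: Optional[date] = None
    sunset: Optional[date] = None


@dataclass
class AccessRequest:
    items: List[LineItem] = field(default_factory=list)


def parse_ui_date(text: str) -> date:
    """The Set Sunrise/Sunset dates dialog takes mm/dd/yyyy."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def _dates(sunrise: Optional[str], sunset: Optional[str]):
    return (parse_ui_date(sunrise) if sunrise else None,
            parse_ui_date(sunset) if sunset else None)


def set_item_dates(req: AccessRequest, name: str,
                   sunrise: Optional[str], sunset: Optional[str]) -> None:
    """Date icon on a single line item."""
    for item in req.items:
        if item.name == name:
            item.sunrise, item.sunset = _dates(sunrise, sunset)
            return
    raise KeyError(name)


def set_global_dates(req: AccessRequest,
                     sunrise: Optional[str], sunset: Optional[str]) -> None:
    """Date icon on the whole request: overrides every line item's own dates."""
    for item in req.items:
        item.sunrise, item.sunset = _dates(sunrise, sunset)


def global_date_icon(req: AccessRequest) -> str:
    """green when every line item carries the same dates, gray otherwise."""
    distinct = {(item.sunrise, item.sunset) for item in req.items}
    return "green" if len(distinct) <= 1 else "gray"


def access_active(item: LineItem, today: date) -> bool:
    """Access starts at sunrise and is deprovisioned once the sunset date arrives."""
    if item.sunrise is not None and today < item.sunrise:
        return False
    if item.sunset is not None and today >= item.sunset:
        return False
    return True


def build_sample_request() -> AccessRequest:
    # Constructed sample: two roles requested for a contractor.
    return AccessRequest([LineItem("Finance Reader"), LineItem("Ledger Approver")])


if __name__ == "__main__":
    req = build_sample_request()
    set_item_dates(req, "Finance Reader", "01/01/2024", "03/31/2024")
    print(global_date_icon(req))            # gray: one item has dates, the other does not
    set_global_dates(req, "01/01/2024", "06/30/2024")
    print(global_date_icon(req))            # green: the global setting replaced both
```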
Request Violations
This section only applies to single identity access requests. If a request for multiple users contains violations, the request goes through and notifications are sent.
When you submit an access request that results in a policy violation and IdentityIQ is configured to have interactive
violation handling, a warning message appears at the top of the page with a list of the violations. Click a violation to
view details about the violation, including compensating controls and correction advice if they were included.
If you submit an access request that results in a policy violation and IdentityIQ is configured to reject any requests with
policy violations, the request fails. If you are notified that the request failed because of a policy violation, and you are
still on the Manage User Access page, you can:
If you submit an access request that results in a policy violation and IdentityIQ is configured to allow any requests with
policy violations, the request goes through and you are not notified.
When you continue with an access request with a violation, IdentityIQ can be configured to allow the violation
with no user interaction or require users to add a comment or sunset date.
If you submit an access request that results in a policy violation and IdentityIQ is configured to allow requests with
policy violations, and notify the requester, the request continues. When you are notified of the violation, you can:
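The paragraphs above describe four ways an installation can be configured to treat a request that raises a policy violation, plus the multi-user exception. The following is an added example, not IdentityIQ code: a model of those outcomes in one function, so the differences (does the request go through, is the requester told, what blocks it) can be read side by side. The ViolationPolicy names, the option of requiring a comment or sunset date for interactive handling, and the sample violation are constructed for the illustration.

```python
"""Policy violation handling on an access request (added example, not IdentityIQ code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class ViolationPolicy(Enum):
    REJECT = "reject any request with violations"
    ALLOW = "allow, no notification"
    ALLOW_AND_NOTIFY = "allow and notify the requester"
    INTERACTIVE = "interactive violation handling"


@dataclass
class Violation:
    policy_name: str
    compensating_controls: str = ""
    correction_advice: str = ""


@dataclass
class Outcome:
    submitted: bool
    notified: bool
    blocking_reason: Optional[str] = None


def submit_request(violations: List[Violation], mode: ViolationPolicy,
                   target_count: int, require_comment: bool = False,
                   require_sunset: bool = False, comment: Optional[str] = None,
                   sunset: Optional[str] = None) -> Outcome:
    """Decide whether the request goes through and whether the requester is told."""
    if not violations:
        return Outcome(submitted=True, notified=False)
    if target_count > 1:
        # Multi-user requests go through and notifications are sent.
        return Outcome(submitted=True, notified=True)
    if mode is ViolationPolicy.REJECT:
        return Outcome(False, True, "request failed: policy violation")
    if mode is ViolationPolicy.ALLOW:
        return Outcome(submitted=True, notified=False)
    if mode is ViolationPolicy.ALLOW_AND_NOTIFY:
        return Outcome(submitted=True, notified=True)
    # Interactive: the warning is shown and the request continues only once the
    # configured justification (a comment and/or a sunset date) is present.
    if require_comment and not comment:
        return Outcome(False, True, "comment required")
    if require_sunset and not sunset:
        return Outcome(False, True, "sunset date required")
    return Outcome(submitted=True, notified=True)


def violation_summary(v: Violation) -> str:
    """Text shown when the user clicks a violation in the warning banner."""
    parts = [v.policy_name]
    if v.compensating_controls:
        parts.append("Compensating controls: " + v.compensating_controls)
    if v.correction_advice:
        parts.append("Correction advice: " + v.correction_advice)
    return "\n".join(parts)


# Constructed sample violation.
SAMPLE_VIOLATION = Violation("SoD: Accounts Payable clerk vs Accounts Receivable approver",
                             compensating_controls="Quarterly transaction review",
                             correction_advice="Remove one of the two roles")
```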
Click the Approve Access Requests Quicklink card or select Approve Access Requests in the Quicklink menu to
access the Approvals page, which shows the access request approvals that are assigned to you. Use this page to view
and manage your approval requests. Approval items include the following types of Lifecycle Manager access
requests:
• Role Requests
• Entitlement Requests
• Account Requests
Approval items are shown in an expanded view by default, showing full details for all items in the request. Click Collapse All to switch to a more compact display showing only the approval-level details, without item details. Click Expand All to expand the listing to the detailed view.
To sort the list, click the arrow next to Sort By and select a sort type, Newest, Oldest, or Priority.
Use the Filter icon to filter the items that are displayed on the page. You can filter by Owner, Requester, or
Assignee. When you have selected your filtering criteria, click Apply. When filtering is applied, the Filter icon turns
green to alert you that you are seeing a filtered subset of your items. To clear filtering criteria and return to viewing all
items, click Filter again, and click Clear to remove your filter criteria.
Use Collapse All or Expand All to control how the items are displayed.
Use the Search field to search for approval items by Work Item ID or Requestee Name.
Click Recommendations to display the Decision Recommendation popup. The recommendations icon is only displayed if SailPoint AI Services was purchased and activated for your installation of IdentityIQ. See the AI Services documentation for more information.
Approval Tasks
You can perform the following tasks:
• Complete an Approval
• Forward an Approval
• View Details
• View Attachments
Complete an Approval
A Policy Violation alert is displayed at the top of any approval that causes a violation if the request is
approved.
You can take approval actions both at the overall approval request level, or at the individual request item level.
• Make a decision on each individual approval item to Approve or Deny the request.
• Use an electronic signature to sign an approval if your installation is configured to use this feature.
If the approval request was set up to use electronic signature, the Electronic Signature dialog displays
automatically. Use the same credentials you use to sign in to the product.
The Complete Approval dialog displays when you click Approve All or Deny All for an approval, or after you click the
Approve or Deny button for the last individual item in an approval. To complete the approval, click Complete. To
change your approval decisions, click Cancel.
Forward an Approval
You can forward an approval to another identity or workgroup, to pass the responsibility for approval decisions to them. Forwarded approvals cannot be recalled, and once you forward an approval, you can no longer view information about it. To forward an approval:
1. Click the Forward icon in the Actions (three-line) menu for an approval.
2. Enter the name or a few letters of the name of the new owner of the approval. Alternatively, you can click the
down icon and select a name from the list.
View Details
You can view detailed information about an approval, its forwarding history, and information about any approval line
item.
For small form factors such as mobile phones, the Details button is displayed in the Actions menu.
Click the Info button for the overall approval to open the Details dialog. It shows the following items.
• Work Item Details tab — displays the work item and Access Request ID number, who made the request, who owns the approval, when the approval was created and the priority.
• Identity Details tab — displays the attributes that the Administrator configures for the Identity Mappings and can include attributes such as user name, first and last name for the identity, the email for the identity and the owner of the location and region for the identity.
• Forwarding History tab — displays the name of the person who forwarded the approval, the date the approval
Click the Info button for an individual approval item to see these Details.
For Roles:
If the requestor includes an Assignment Note when an approval request for a role and an account selection is
required, the Assignment Note is displayed at the bottom of the Details tab.
• Details — displays the requested action and the name of the role. For Entitlement and account requests, information about the account and application is displayed.
• Account Details — displays the specific role name, the account name and the application for roles requests.
• Entitlements — displays the associated applications, attributes, entitlement name, and how it was assigned.
For Entitlements:
• A single panel listing the Action, Attribute, Value, Account Name, Application, and Entitlement Owner.
View Attachments
The attachments icon, paper clip, indicates if there are attachments included with this requested item and their number. Click the icon to display the attachment overlay containing the attachment list. Download to view the attachments from the list.
For small form factors such as mobile phones, the Comments button is displayed in the Actions menu.
Click Comments for the overall approval or an approval item to view the comments. The Comments dialog lists the comments from the oldest to the newest with the oldest comments at the top. For each comment, the following information is displayed:
• Posted comment
• Type your comment in the text box at the bottom of the Comments dialog.
• Click Post.
IdentityIQ can be configured to require comments for any approval and, separately, for any denial of access. This setting is defined in the provisioning business process that manages approvals. The default business process for this is the LCM Provisioning business process.
To require comments on approvals and denials, click Setup > Business Processes, and choose the
LCM Provisioning business process (or your custom provisioning business process if you have implemented one).
On the Process Variables tab, use the checkboxes to determine when comments are required: Require comments
for approval and Require comments for denial.
In the approvals UI, if comments are required for the item, the comment icon is flagged with a red asterisk. Comments
can be made at the overall approval level and at the individual approval item level; when comments are required, a
comment at the overall request level satisfies the requirement for comments at the individual approval item level. If
bulk decisions are enabled in your system, a pop-up dialog will open for the required comments when approvals or
denials are made in bulk.
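The two process variables and the rule that an overall comment satisfies every item-level requirement interact with bulk decisions in a way that is easy to get wrong when building or testing a custom provisioning process. The following is an added example, not IdentityIQ code: a model of those rules, including what the bulk pop-up would still have to ask for after Approve All or Deny All. The item names are constructed.

```python
"""Required comments on approvals and denials (added example, not IdentityIQ code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CommentPolicy:
    """The two Process Variables: Require comments for approval / for denial."""
    for_approval: bool = False
    for_denial: bool = False


@dataclass
class ApprovalItem:
    name: str
    decision: Optional[str] = None   # "Approve", "Deny", or None while undecided
    comment: Optional[str] = None


@dataclass
class Approval:
    items: List[ApprovalItem] = field(default_factory=list)
    overall_comment: Optional[str] = None


def comment_required(policy: CommentPolicy, decision: Optional[str]) -> bool:
    if decision == "Approve":
        return policy.for_approval
    if decision == "Deny":
        return policy.for_denial
    return False


def items_missing_comment(approval: Approval, policy: CommentPolicy) -> List[str]:
    """Items flagged with the red asterisk that still lack a comment."""
    if approval.overall_comment:
        return []              # a comment at the overall level covers every item
    return [item.name for item in approval.items
            if comment_required(policy, item.decision) and not item.comment]


def can_complete(approval: Approval, policy: CommentPolicy) -> bool:
    """Complete is possible only when every item is decided and commented as required."""
    return (all(item.decision for item in approval.items)
            and not items_missing_comment(approval, policy))


def bulk_decide(approval: Approval, decision: str, policy: CommentPolicy,
                comment: Optional[str] = None) -> List[str]:
    """Approve All / Deny All; returns the items the pop-up would still ask a comment for."""
    for item in approval.items:
        item.decision = decision
    if comment:
        approval.overall_comment = comment
    return items_missing_comment(approval, policy)


def build_sample_approval() -> Approval:
    # Constructed sample: one role item and one entitlement item in the same approval.
    return Approval([ApprovalItem("Role: Finance Reader"),
                     ApprovalItem("Entitlement: ERP AP_VIEW")])
```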
You must have IdentityIQ administrative capabilities to set up this function. For information about setting up
administrative capabilities, contact your IdentityIQ administrator.
Use the Lifecycle Events page to create new events or to configure existing events in your enterprise to trigger business processes. When changes are detected during an identity refresh, IdentityIQ can be set up to launch event-based business processes.
To access the Lifecycle Events page, navigate to Setup -> Lifecycle Events.
Name
This name is used to identify the certification event. This name is not displayed in the certifications that are created when this event is triggered.
Type
Attribute Name
The specified attribute when the Event type is set as Attribute Change.
Owner
Disabled
Use the Lifecycle Events page to edit or create a lifecycle event and the associated event behavior.
• Lifecycle Events
• Lifecycle Events Page
Assign an intuitive name for the event. This name is used to identify the event. This name is not displayed in
the requests that are created when an event is triggered.
Description
Event Type
The fields displayed above Disabled are dependent on the Event Type specified here.
Specify an event-type:
• Manager Transfer - launch a business process when the manager changes for an identity.
• Attribute Change - launch a business process when a change is detected for the specified attribute.
• Rule - use a rule to determine when to launch a business process. To make changes to your rules, click the “...” icon to launch the Rule Editor.
• Native Change - launch a business process when a change is detected on a native application that was configured to pass this information to IdentityIQ.
• Rapid Setup - launch a rapid setup business process when the selected RapidSetup Process is detected.
Attribute
Select the identity attribute from the list to associate with this event. The attribute drop-down list contains all of
the standard and extended identity attributes configured in your deployment of IdentityIQ.
IdentityIQ launches business processes only when identities are transferred from the specified manager.
IdentityIQ launches business processes only when the attribute value specified has changed.
RapidSetup Process
The RapidSetup business process context in which this lifecycle event should be evaluated.
Disabled
Rule
Include Identities
None — only the identities specified in the Included Identities list are in the population.
Match List — only identities whose attributes match the criteria specified in the list are in the population. Add identity attributes, application attributes and application permissions. Customize further by creating attribute groups to which this assignment rule applies.
If the “Is Null” check box is selected, the associated value text box is disabled. When the “is null” match is processed, the term matches users on the chosen application who have a null value for that attribute/permission.
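The event-type descriptions and the Include Identities options above together decide, for each identity in a refresh, which business processes launch. The following is an added example, not IdentityIQ code: a model of the Manager Transfer (including the "only from the specified manager" restriction), Attribute Change and Rule types, evaluated over a before/after pair of identity snapshots against a population defined either by an Included Identities list or by a Match List whose terms may use Is Null. Native Change and Rapid Setup are left out because they depend on data this model does not carry. The attribute names, identities and business process names are constructed.

```python
"""Evaluating lifecycle events during an identity refresh (added example, not IdentityIQ code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Identity:
    name: str
    manager: Optional[str]
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


# One Match List term: attribute name, expected value, whether "Is Null" is checked.
MatchTerm = Tuple[str, Optional[str], bool]


@dataclass
class LifecycleEvent:
    name: str
    event_type: str                     # "Manager Transfer", "Attribute Change" or "Rule"
    business_process: str
    attribute: Optional[str] = None     # Attribute Change: the watched attribute
    from_manager: Optional[str] = None  # Manager Transfer: fire only for transfers from this manager
    include: str = "None"               # Include Identities: "None" or "Match List"
    included_identities: Set[str] = field(default_factory=set)
    match_list: List[MatchTerm] = field(default_factory=list)
    rule: Optional[Callable[[Identity, Identity], bool]] = None
    disabled: bool = False


def in_population(event: LifecycleEvent, identity: Identity) -> bool:
    """None: only the listed identities. Match List: every term must match."""
    if event.include == "None":
        return identity.name in event.included_identities
    for attr, value, is_null in event.match_list:
        actual = identity.attrs.get(attr)
        if is_null:
            if actual not in (None, ""):   # Is Null matches a missing or empty value
                return False
        elif actual != value:
            return False
    return True


def triggers(event: LifecycleEvent, before: Identity, after: Identity) -> bool:
    """True when the change between two refresh snapshots launches the event."""
    if event.disabled or not in_population(event, after):
        return False
    if event.event_type == "Manager Transfer":
        if before.manager == after.manager:
            return False
        return event.from_manager is None or before.manager == event.from_manager
    if event.event_type == "Attribute Change":
        return before.attrs.get(event.attribute) != after.attrs.get(event.attribute)
    if event.event_type == "Rule":
        return event.rule is not None and bool(event.rule(before, after))
    return False   # Native Change and Rapid Setup are not modelled here


def processes_to_launch(events: List[LifecycleEvent],
                        before: Identity, after: Identity) -> List[str]:
    """Business processes launched by this refresh, in event order."""
    return [e.business_process for e in events if triggers(e, before, after)]
```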
Threshold Type
Business Process
The following reports provide information that is specific to the functions of Lifecycle Manager:
An identity must have IdentityIQ administrative capabilities to use this option. For information about setting
up administrative capabilities, contact your IdentityIQ administrator.
To access these report templates, navigate to Intelligence -> Reports and select a report from the list.
All reports use a set of standard properties to handle basic information, such as naming and descriptions,
and controls settings. Controls include items such as scope and required sign off. You must enter the name
before you run a report.
• Parameters — see the individual report descriptions for their unique parameters.
The report information in the detailed results format can be exported to a .csv file and used in spreadsheets.
Use the following criteria to determine the information to use in this report. You can use any combination of options to build a report. You can use the Shift and Ctrl keys to select multiple items from lists.
If you select no options from a list, all options in the list are included in the report.
Applications
Type or use the drop-down list to select the applications to include in the report.
Approvers
Type or use the drop-down list to select the approvers to include in the report.
Requesters
Type or use the drop-down list to select the requesters to include in the report.
Type or use the drop-down list to select the entitlements to include in the report.
Roles
Type or use the drop-down list to select the roles to include in the report.
Target Identities
Type or use the drop-down list to select the identities whose account is being modified to include in the report.
Status
Type or use the drop-down list to select Completed, Approved, Rejected, Pending, and Cancelled.
Specify a requested date range manually or click the calendar icon and select a date from the calendar.
Specify a finished date range manually or click the calendar icon and select a date from the calendar.
Use the following criteria to determine the information to use in this report. You can use any combination of options to build a report. If you do not select options from a list, all options in the list are included in the report. You can use the Shift and Ctrl keys to select multiple items from lists.
Approvers
Select the approvers to include in the report. If no approvers are specified, all approvers are included.
Click the arrow to the right of the suggestion field to display a list of all approvers, or enter a few letters in the
field to display a list of approvers that start with those letters.
Requestors
Select the requestors to include in the report. If no requestors are specified, all requestors are included.
Click the arrow to the right of the suggestion field to display a list of all requestors, or enter a few letters in the
field to display a list of requestors that start with those letters.
Applications
Select the applications to include in the report. If no applications are specified, all applications are included.
Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the
field to display a list of applications that start with those letters.
Target Identities
Select the target identities to include in the report. If no target identities are specified, all target identities are included.
Click the arrow to the right of the suggestion field to display a list of all target identities, or enter a few letters in
the field to display a list of target identities that start with those letters.
The account approval date range. The report provides all approvals created on or after the start date and on or
before the end date.
You can enter the date manually, or click the ... icon to select a date from the calendar.
Status
Select the status to include in the report. If none are specified, all status levels are included.
Use the following criteria to determine what information to use in this report. You can use any combination of options to build a report. If you do not select any options from a list, all options in the list are included in the report. You can use the Shift and Ctrl keys to select multiple items from lists.
Approvers
Select the approvers to include in the report. If no approvers are specified, all approvers are included.
Click the arrow to the right of the suggestion field to display a list of all approvers, or enter a few letters in the
field to display a list of approvers that start with those letters.
Requestors
Select the requestors to include in the report. If no requestors are specified, all requestors are included.
Click the arrow to the right of the suggestion field to display a list of all requestors, or enter a few letters in the
field to display a list of requestors that start with those letters.
Target Identity
Select the target identities to include in the report. If no target identities are specified, all target identities are included.
Click the arrow to the right of the suggestion field to display a list of all target identities, or enter a few letters in
the field to display a list of target identities that start with those letters.
Status
Select the status to include in the report. If none are specified, all status levels are included.
The identity creation request date range. The report provides all requests created on or after the start date and
on or before the end date.
You can enter the date manually, or click the calendar icon to select a date from the calendar.
The identity creation finished date range. The report provides all requests that finished on or after the start date and on or before the end date.
You can enter the date manually, or click the calendar icon to select a date from the calendar.
Use the following criteria to determine what information is used in this report. You can use any combination of options
to build a report.
If you do not select any options from a list, all options in the list are included in the report.
Applications
Select the applications to include in the report. If no applications are specified, all applications are included.
Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the
field to display a list of applications that start with those letters.
Requestors
Select the requestors to include in the report. If no requestors are specified, all requestors are included.
Click the arrow to the right of the suggestion field to display a list of all requestors, or enter a few letters in the
field to display a list of requestors that start with those letters.
Roles
Type or use the drop-down list to select the roles to include in the report. If no roles are specified, all roles are
included.
Target Identity
Select the target identities to include in the report. If no target identities are specified, all target identities are included.
Click the arrow to the right of the suggestion field to display a list of all target identities, or enter a few letters in
the field to display a list of target identities that start with those letters.
Cause
Select the cause type to include in the report. If no cause types are specified, all types are included.
Choose from the following types:
• Expired Password
• Forgotten Password
• Change Request
Status
Select the status to include in the report. If none are specified, all status levels are included.
The edit identity request date range. The report provides all requests created on or after the start date and on
or before the end date.
You can enter the date manually, or click the ... icon to select a date from the calendar.
The following criteria are used to determine what information is used in this report. You can use any combination of options to build a report.
Approvers
Select the approvers to include in the report. If no approvers are specified, all approvers are included.
Click the arrow to the right of the suggestion field to display a list of all approvers, or enter a few letters in the
field to display a list of approvers that start with those letters.
Target Identities
Select the target identities to include in the report. If no target identities are specified, all target identities are included.
Click the arrow to the right of the suggestion field to display a list of all target identities, or enter a few letters in
the field to display a list of target identities that start with those letters.
The edit identity request date range. The report provides all requests created on or after the start date and on
or before the end date.
You can enter the date manually, or click the ... icon to select a date from the calendar.
The edit identity request completion date range. The report provides all requests that were completed on or
after the start date and on or before the end date.
You can enter the date manually, or click the ... icon to select a date from the calendar.
Status
Select the status to include in the report. If none are specified, all status levels are included.
If the order of operations is important, create a separate file for each request type and run them sequentially.
Batch Requests enable you to generate specific types of access requests for more than one user at a time. The
required data is gathered from a prepared comma-delimited file for each request type. The batch files require comma-delimited data that represents the individual requests. In most cases the native identity or identity name can be used to specify the request target.
There might be a batch size limit set during the configuration of IdentityIQ. If you run into issues, contact your administrator.
To access the Batch Request option, navigate to Setup -> Batch Requests.
An identity must have IdentityIQ administrative capabilities to use this option. For information about setting
up administrative capabilities, contact your IdentityIQ administrator.
• Batch Requests Page — provides information on how to view, create, stop, or delete batch requests
• Batch Request Types and Examples — provides descriptions and examples of the types of batch requests
• Batch Request Details Page — provides information on how to view specific information about a batch request
• Create Batch Request Page — provides information on how to import prepared comma-delimited files and set the parameters of the batch request.
• View all batch requests that are assigned to you or to one of your workgroups
• View details about a batch request — Double-click on a batch request entry in the table. See Batch Request Details Page.
• Create a new batch request — Click New Batch Request at the top of the table. See Create Batch Request Page.
• Stop or delete a batch request — Right-click the batch request entry in the table.
Use the search field at the top of the table to filter the results of the Batch File Name column. Double-click a batch
request line item to view the Batch Request Details page. Right-click a line item to Terminate or Delete the batch
request.
Batch File Name
The name and location of the file from which the batch request was created.
Batch Request Types and Examples
The following batch request types are available:
• Create Identity
• Modify Identity
• Create Account
• Delete Account
• Enable/Disable Account
• Unlock Account
• Add Role
• Add Entitlement
• Remove Entitlement
• Change Password
Batch request types with similar data and columns can be mixed in the same file. The following batch request types must each be in a separate file:
• Create Identity
• Modify Identity
• Change Password
To specify multiple entitlements or roles in the same request, use the pipe (|) delimiter to separate each role or entitlement.
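Because a batch file drives access changes for many identities at once, it is worth checking it before it is uploaded. The following pre-flight validator is an added example written for this page; it is not SailPoint code and does not reproduce the product's actual file format. It assumes a layout the page does not spell out: a header row whose first column is named operation and carries the request type for each record, request type names spelled without spaces (Enable/Disable Account split into EnableAccount and DisableAccount), and multi-value columns named roles and entitlements. The rules it enforces are the ones stated above: types with similar columns may share a file, Create Identity, Modify Identity and Change Password must each have their own file, multiple roles or entitlements are pipe-delimited, and an administrator may have configured a batch size limit. A second function splits a mixed file into one file per request type so they can be run sequentially when order matters.

```python
import csv
import io
from collections import Counter

# Added example, not SailPoint code. ASSUMED file layout: a header row whose
# first column is "operation", carrying the request type for each data row.
OPERATION_COLUMN = "operation"

# Request types listed on the page, spelled without spaces (assumed spelling).
KNOWN_TYPES = {
    "CreateIdentity", "ModifyIdentity", "CreateAccount", "DeleteAccount",
    "EnableAccount", "DisableAccount", "UnlockAccount", "AddRole",
    "AddEntitlement", "RemoveEntitlement", "ChangePassword",
}
# Types that must not share a file with any other type.
SEPARATE_FILE_TYPES = {"CreateIdentity", "ModifyIdentity", "ChangePassword"}
# Columns that may carry several pipe-delimited values (assumed column names).
MULTI_VALUE_COLUMNS = {"roles", "entitlements"}


def validate_batch_file(text, batch_size_limit=None):
    """Return a list of problems; an empty list means the file passes every check."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames or reader.fieldnames[0] != OPERATION_COLUMN:
        return [f"first header column must be '{OPERATION_COLUMN}'"]
    rows = list(reader)
    if not rows:
        return ["file contains no request records"]
    if batch_size_limit is not None and len(rows) > batch_size_limit:
        problems.append(f"{len(rows)} records exceed the batch size limit of {batch_size_limit}")

    types = Counter(row[OPERATION_COLUMN] for row in rows)
    for name in types:
        if name not in KNOWN_TYPES:
            problems.append(f"unknown request type '{name}'")
    exclusive = SEPARATE_FILE_TYPES & set(types)
    if exclusive and len(types) > 1:
        problems.append(f"{sorted(exclusive)} must be in a separate file; found {sorted(types)}")

    for lineno, row in enumerate(rows, start=2):  # header is line 1
        if None in row:  # DictReader files surplus fields under the key None
            problems.append(f"line {lineno}: more fields than header columns")
        for col in MULTI_VALUE_COLUMNS & set(reader.fieldnames):
            raw = row.get(col) or ""
            if raw and any(v.strip() == "" for v in raw.split("|")):
                problems.append(f"line {lineno}: empty value in pipe-delimited column '{col}'")
    return problems


def split_by_type(text):
    """Split a validated file into one CSV string per request type, to be run one after another."""
    reader = csv.DictReader(io.StringIO(text))
    groups = {}
    for row in reader:
        groups.setdefault(row[OPERATION_COLUMN], []).append(row)
    parts = {}
    for name, rows in groups.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        parts[name] = buf.getvalue()
    return parts


# Constructed sample: Add Role and Add Entitlement have similar columns, so they may share a file.
GOOD_FILE = """operation,identityName,application,roles,entitlements
AddRole,Amanda.Ross,,Finance Analyst|Expense Approver,
AddEntitlement,Amanda.Ross,Active_Directory,,"CN=Finance,OU=Groups,DC=example,DC=com"
"""

# Constructed sample that breaks two rules: Change Password mixed with another
# type, and a trailing pipe that leaves an empty role name.
BAD_FILE = """operation,identityName,application,roles,entitlements
ChangePassword,Amanda.Ross,Active_Directory,,
AddRole,Amanda.Ross,,Finance Analyst|,
"""

if __name__ == "__main__":
    print(validate_batch_file(GOOD_FILE))  # []
    for problem in validate_batch_file(BAD_FILE):
        print("BAD_FILE:", problem)
    for name, part in split_by_type(GOOD_FILE).items():
        print(f"--- {name}.csv ---\n{part}", end="")
```

Run split_by_type only on a file that validate_batch_file has already passed: a record with more fields than the header has no column name to write under, and the writer rejects it. Pass the administrator's configured limit as batch_size_limit so an oversized file is caught locally instead of failing after upload.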
Batch Request Details Page
The upper section of the page displays the following information about the batch request:
• File Name
• Date Requested
• Date Launched
• Date Completed
• Status
• Total Records
• Total Completed
• Total Errors
• Total Invalid
The lower section includes the Batch Request Items table, which displays information for each record in the batch request.
Request Data
The request record as read from the batch file.
Status
Running: the requested item is still processing. This could indicate that an approval or manual work item completion is needed.
Finished: the request process completed.
Result
You must select Identity Request ID when you create the batch request.
Create Batch Request Page
Error handling
Determines the batch request process behavior in the event of an error. If a request item generates errors, you can continue processing or stop the task after a specified number of errors.
Policy Option
Determines the batch request process behavior for policy violations. You can include policy checking or fail the request on any policy violation. Because a batch can change access for many identities at once, failing on any policy violation is the safer choice.
Schedule to run
Choose to run the batch request immediately or select a later date and time at which the request runs.
Manual input
Determines the batch request process behavior when a request needs manual interaction. You can skip batch requests that require additional manual input or create any necessary provisioning forms.
Work items
Determines the batch request process behavior when a request results in the generation of a work item. You can skip the request or create any necessary work items.
The page also includes a check box that, when selected, creates an identity request that can be viewed in Manage -> Access Request.