
Creating Emergency Access Profiles

In order for users to request temporary emergency access, Emergency Access Profile Administrators must create and maintain EAM profiles.

These profiles define what elevated access users can be granted and assign users to the EAM request participant roles (Profile Owners, Approvers, Requestors, and Reviewers). These roles determine who can select the profile when creating an access request, who will approve requests, and who will review a user's activity after they complete their tasks. EAM profile request participant roles also determine what actions are available to users on their EAM Dashboard as the request progresses.

To get started, you must enter the name and details for your new EAM profile.

Setting Profile Details

To configure the available permissions and request participants:

  1. Select the Menu icon and choose EAM PROFILES NEW.

  2. Select + New to create a new profile.

  3. Enter a meaningful profile name and description to differentiate the profile from others.

  4. Select the rulebook associated with this emergency access. You may want to create more granular, profile-specific rulebooks to help reviewers determine which transactions should be considered sensitive. For more information, refer to Managing Rulebooks.

  5. Set the maximum amount of time the Requestor can request emergency access for. You can set the maximum duration for up to 7 days.

  6. Select the Profile is enabled checkbox to enable the profile. You must enable a profile before it can become available to Requestors.

After you've entered the profile's details, you can set the attestors for the new profile.

Setting Attestors

You can define which users will serve as attestors for each profile.

Attestors are generally security administrators or compliance personnel who can attest if access was deprovisioned correctly in the event of automated deprovisioning failure, or whether a Requestor used permissions when a utilization extract is blank.

Under the Who can attest? section, select the checkboxes next to Owner, Approver, or Reviewer to enable those roles to attest. You can enable multiple roles to attest, and all users in the assigned roles will become attestors.

Note

You must select at least one role to become an attestor.

You can now select the entitlements for the profile.

Selecting Profile Entitlements

You can use profile entitlements to control the elevated access that users temporarily receive from approved requests.

Warning

Entitlements that are included as part of a profile cannot be assigned to users as part of their standard access. The system will automatically deprovision from the user any entitlements that are part of a profile.

To add profile entitlements:

  1. Select + Add Entitlements.

  2. Add entitlements individually by selecting the + icon next to an entitlement. Select Add All + to add all entitlements to the profile.

    You can also add entitlements by entering entitlement names separated by commas or lines and selecting + Add.

    To remove an entitlement from the profile, select the Delete icon next to the entitlement on the Emergency Access Profile Details page.

Important

If an entitlement is updated, these changes will only apply to future requests. Existing requests must be retracted or rejected to reflect the updated entitlements.

Selecting Profile Users

For each EAM profile, you can define the users who will serve as the Profile Owners, Requestors, Approvers, and Reviewers for elevated access requests associated with the profile.

Profile Owners

Profile Owners maintain and update profiles by managing entitlements and request participants. Profile Owners can also submit requests for Requestors, perform troubleshooting actions to restart processes, and export change logs of profiles they own.

  1. Select + Add Users.

  2. Select the + icon next to a user to add the user as an owner. Select Add All + to add all users.

    Notes

    • You must include at least one Profile Owner for each profile.

    • While a Profile Owner can submit requests for Requestors, they cannot submit a request for their own User ID.

Requestors

Requestors are users who require temporarily elevated access. Requestors can only submit requests for themselves. If Requestors finish their tasks before their access ends, they can terminate their access early.

Note

A Requestor's Access Risk Management ERP User ID field must be populated with their ERP User ID, so the system knows which user should get the access. Refer to Adding Users for more information.

  1. Select + Add Users.

  2. Select the users who can request elevated access within the application. You can add users individually by selecting the + icon or add all users by selecting Add All +.

    Notes

    • You must include at least one Requestor for each profile.

    • A Requestor cannot be added to another role within the same profile. This prevents users from bypassing the process to obtain elevated access. If you select Add All +, you'll receive a list of users who could not be added due to such conflicts.

  3. (Optional) Select the Pre-Approved checkbox to skip the approval stage for giving access to those Requestors. The review step will still be required to ensure those privileges are not abused.

Note

If a requestor is added to an EAM profile and an EAM request is created prior to a new security extract being completed, the requestor's utilization report will show all actions as Elevated on the Reviewer report dashboard. This is because the system does not yet know the updated actions available to that user as part of their standard assigned entitlements.

You can select Schedule Jobs > Security Extract > Submit to trigger a security extract job to populate the user's standard permissions.

Approvers

Approvers approve or reject individual requests by email or within the EAM Dashboard. Approvers can also restart provisioning or deprovisioning if the initial attempt fails.

  1. Select + Add Users.

  2. Select the users who can approve elevated access requests within the application. You can add users individually by selecting the + icon or add all users by selecting Add All +.

    Notes

    • You must select at least one Approver for each profile.

    • If multiple Approvers are assigned, all approvers will receive an email notification when a request is submitted. However, the decision will be based on the first Approver who responds.

    To prevent inappropriate access, Approvers can reject a request, even after approval and up until the elevated entitlements have been provisioned. They can also immediately revoke a Requestor's access to elevated entitlements.

Reviewers

Reviewers examine the appropriateness of an approved Requestor's activity. They will receive an email notification to approve or contest the user's activity using the EAM Reviewer Dashboard. During the review process, Reviewers can leave comments asking the Requestor to clarify why they took specific actions while they had elevated access.

  1. Select + Add Users.

  2. Select users who will review the user's activity. You can add users individually by selecting the + icon or add all users by selecting Add All +.

    If multiple Reviewers are assigned, all Reviewers will receive an email notification when an activity report has been generated for an EAM Request. However, the decision will be based on the first Reviewer to perform the review.

Submitting Profiles

After you've finished selecting the appropriate users for each category, select Submit to create the EAM profile.

Note

You'll receive an error message if a user has conflicting access. For example, a user cannot be set as both a Requestor and Profile Owner within the same profile. You must fix any conflicting access before you can create the EAM profile.
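To make the profile rules from the sections above concrete, here is an added Python model written for this page (it is not SailPoint's code and uses no SailPoint API). It checks the required roles, the 7-day maximum duration, the attestor selection, the rule that a Requestor cannot hold another role in the same profile, the rejection list returned by Add All +, who may submit a request for whom, and the removal of profile entitlements from a user's standard access. The profile, user, and entitlement names are constructed sample values.

```python
"""Illustrative model of EAM profile constraints (added example, not SailPoint code)."""
from dataclasses import dataclass, field
from datetime import timedelta

MAX_DURATION = timedelta(days=7)                     # page: maximum request duration is 7 days
ATTESTOR_ROLES = {"Owner", "Approver", "Reviewer"}   # roles that may be enabled as attestors


@dataclass
class EamProfile:
    name: str
    max_duration: timedelta
    attest_roles: set = field(default_factory=set)   # subset of ATTESTOR_ROLES
    entitlements: set = field(default_factory=set)
    owners: set = field(default_factory=set)
    requestors: set = field(default_factory=set)
    approvers: set = field(default_factory=set)
    reviewers: set = field(default_factory=set)
    enabled: bool = False

    def roles_of(self, user):
        """Every participant role the user holds in this profile."""
        held = set()
        for role, members in (("Owner", self.owners), ("Requestor", self.requestors),
                              ("Approver", self.approvers), ("Reviewer", self.reviewers)):
            if user in members:
                held.add(role)
        return held


def requestor_conflicts(profile, user):
    """Roles that block `user` from being a Requestor: any other role in the same profile."""
    return profile.roles_of(user) - {"Requestor"}


def validate_profile(profile):
    """Return the problems that would stop Submit from creating the profile (empty list = OK)."""
    errors = []
    if not profile.name.strip():
        errors.append("profile name is required")
    if not timedelta(0) < profile.max_duration <= MAX_DURATION:
        errors.append(f"max duration must be between 0 and {MAX_DURATION.days} days")
    if not profile.attest_roles & ATTESTOR_ROLES:
        errors.append("at least one of Owner/Approver/Reviewer must be enabled to attest")
    if profile.attest_roles - ATTESTOR_ROLES:
        errors.append(f"unknown attestor roles: {sorted(profile.attest_roles - ATTESTOR_ROLES)}")
    for role, members in (("Profile Owner", profile.owners), ("Requestor", profile.requestors),
                          ("Approver", profile.approvers)):
        if not members:
            errors.append(f"at least one {role} is required")
    for user in sorted(profile.requestors):
        clash = requestor_conflicts(profile, user)
        if clash:
            errors.append(f"{user} is a Requestor and also {', '.join(sorted(clash))}")
    return errors


def add_all_requestors(profile, candidates):
    """Model 'Add All +' for Requestors: add conflict-free users, return the rejected ones."""
    rejected = {}
    for user in sorted(candidates):
        clash = requestor_conflicts(profile, user)
        if clash:
            rejected[user] = sorted(clash)
        else:
            profile.requestors.add(user)
    return rejected


def can_submit_request(profile, submitter, target):
    """Requestors may submit only for themselves; Profile Owners may submit for any
    Requestor except their own User ID."""
    if target not in profile.requestors:
        return False
    if submitter == target:
        return True
    return submitter in profile.owners


def standard_access_after_profile(profile, standard_entitlements):
    """Profile entitlements cannot remain standard access; the system deprovisions them."""
    return set(standard_entitlements) - profile.entitlements


def build_sample_profile():
    """Constructed sample data (not from the page) with one deliberate role conflict."""
    profile = EamProfile(name="Period-Close-Emergency", max_duration=timedelta(days=2),
                         attest_roles={"Approver"},
                         entitlements={"ERP_POST_JOURNAL", "ERP_REVERSE_JOURNAL"},
                         owners={"alice"}, approvers={"bob"}, reviewers={"carol"})
    profile.requestors.update({"dave", "bob"})   # bob is already an Approver: conflict
    return profile


if __name__ == "__main__":
    sample = build_sample_profile()
    for problem in validate_profile(sample):
        print("error:", problem)
```

The conflict rule is the part worth keeping in mind: a user who could both request and approve (or own, or review) the same profile would be able to grant and sign off on their own elevated access, which is exactly what the separate roles are there to prevent.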

After you've configured your EAM Profiles, your assigned Requestors, Approvers, Reviewers, Owners, and Attestors will be able to view the request as it moves through each stage on their EAM Dashboard. To access your EAM Dashboard, select EMERGENCY ACCESS NEW from the navigation menu.

Managing Profiles

After you have created an EAM profile, you can complete the following actions from the Emergency Access Profiles page:

  • Add another profile by selecting the + New button.

  • Edit an existing profile by selecting the Edit icon.

  • Delete an existing profile by selecting the Delete icon.

    Warning

    You cannot retrieve a deleted profile. SailPoint recommends deactivating the profile instead, which will prevent new requests for the profile. To deactivate a profile, clear the Enabled checkbox on the EAM profile page.

  • Export profile Change Logs.

  • Create or manage Reason Codes.

Creating and Maintaining Reason Codes

Emergency Access Profile Administrators can create a predefined list of Reason Codes. Reason Codes serve as the rationale or purpose for why a specific EAM Profile needs to be used. You can use reason codes to quickly filter requests on your EAM Dashboard or to classify requests for later reporting purposes.

  1. Select Manage Reason Codes > New Reason + to create a new reason code.

  2. Enter a meaningful name and description for the reason code to differentiate it from others.

  3. Select Submit to create the reason code.

Requestors will now use this reason code when they submit requests. If Requestors need to include more information for why they need elevated access, they can add additional text to the Intention box of new requests. After a request is submitted, they can include additional explanation by selecting the Comment icon on the Reviewer Dashboard or within each tab on the EAM Dashboard next to each request on the page.

You can also manage or edit this reason code by selecting the Manage Reason Codes button on the Emergency Access Profile page. Select the Edit icon next to the appropriate reason code in the Manage Reason Codes window.