Selecting Profile Users
For each EAM profile, you can define the users who will serve as the Profile Owners, Requesters, Approvers, and Reviewers for elevated access requests associated with the profile.
Note
Any Access Risk Management users that have been deleted from your tenant will automatically be removed from the profile since they are no longer valid to be assigned to a profile. You can view these deletions in the profile change logs, along with any other changes that have been made.
Profile Owners
Profile Owners maintain and update profiles by managing entitlements and request participants. Profile Owners can also submit requests for Requestors, perform troubleshooting actions to restart processes, and export change logs of profiles they own.
- Select + Add Users.
- Select the + icon next to a user to add the user as an owner. Select Add All + to add all users.
Notes
- You must include at least one Profile Owner for each profile.
- While a Profile Owner can submit requests for Requesters, they cannot submit a request for their own User ID.
Requestors
Requestors are users who require temporarily elevated access. Requestors can only submit requests for themselves. If Requestors finish their tasks before their access ends, they can terminate their access early.
Note
A Requester's Access Risk Management ERP User ID field must be populated with their ERP User ID, so the system knows which user should get the access. Refer to Adding Users for more information.
- Select + Add Users.
- Select the users who can request elevated access within the application. You can add users individually by selecting the + icon or add all users by selecting Add All +.
Notes
- You must include at least one Requestor for each profile.
- A Requestor cannot be added to another role within the same profile. This prevents users from bypassing the process to obtain elevated access. If you select Add All +, you'll receive a list of users who could not be added due to such conflicts.
- (Optional) Select the Pre-Approved checkbox to skip the approval stage for giving access to those requesters. The review step will still be required to ensure those privileges are not abused.
Note
If a requestor is added to an EAM profile and an EAM request is created prior to a new security extract being completed, the requestor's utilization report will show all actions as Elevated on the Reviewer report dashboard. This is because the system does not yet know the updated actions available to that user as part of their standard assigned entitlements.
You can select Schedule Jobs > Security Extract > Submit to trigger a security extract job to populate the user's standard permissions.
Approvers
Approvers approve or reject individual requests by email or within the EAM Dashboard. Approvers can also restart provisioning or deprovisioning if the initial attempt fails.
- Select + Add Users.
- Select the users who can approve elevated access requests within the application. You can add users individually by selecting the + icon or add all users by selecting Add All +.
Notes
- You must select at least one Approver for each profile.
- If multiple Approvers are assigned, all approvers will receive an email notification when a request is submitted. However, the decision will be based on the first Approver who responds.
  To prevent inappropriate access, Approvers can reject a request, even after approval and up until the elevated entitlements have been provisioned. They can also immediately revoke a Requestor's access to elevated entitlements.
Reviewers
Reviewers examine the appropriateness of an approved Requestor's activity. They will receive an email notification to approve or contest the user's activity using the EAM Reviewer Dashboard. During the review process, Reviewers can leave comments asking the Requestor to clarify why they took specific actions while they had elevated access.
- Select + Add Users.
- Select users who will review the user's activity. You can add users individually by selecting the + icon or add all users by selecting Add All +.
If multiple Reviewers are assigned, all Reviewers will receive an email notification when an activity report has been generated for an EAM Request. However, the decision will be based on the first Reviewer to perform the review.
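The role rules on this page can be checked against a planned assignment list before it is entered, for example to predict which users Add All + will reject. The following is an added example, not SailPoint code: the dictionary layout, finding names, user names and ERP IDs are constructed assumptions and do not correspond to any product export format or API.

```python
# Added example: pre-flight check of a planned EAM profile against the rules above.
# The dict layout and user names are constructed; this is not a SailPoint format or API.

REQUIRED_ROLES = ("owners", "requestors", "approvers")  # "at least one" per the notes


def check_profile(profile, erp_ids):
    """Return (finding, role, user) tuples for one planned profile."""
    findings = []
    for role in REQUIRED_ROLES:
        if not profile.get(role):
            findings.append(("missing_role", role, None))
    requestors = set(profile.get("requestors", ()))
    # A Requestor may not hold another role in the same profile.
    for role in ("owners", "approvers", "reviewers"):
        for user in sorted(requestors & set(profile.get(role, ()))):
            findings.append(("requestor_conflict", role, user))
    # Each Requestor needs a populated ERP User ID to receive access.
    for user in sorted(requestors):
        if not (erp_ids.get(user) or "").strip():
            findings.append(("no_erp_user_id", "requestors", user))
    # Pre-Approved requestors skip approval; the review is the remaining check.
    for user in sorted(set(profile.get("pre_approved", ())) & requestors):
        findings.append(("approval_skipped", "pre_approved", user))
    return findings


# Constructed sample plan: dana is both owner and requestor, sam both
# requestor and reviewer, and dana has no ERP User ID.
SAMPLE_PROFILE = {
    "owners": {"dana"},
    "requestors": {"alex", "dana", "sam"},
    "approvers": {"priya"},
    "reviewers": {"sam", "lee"},
    "pre_approved": {"alex"},
}
SAMPLE_ERP_IDS = {"alex": "AHILL01", "dana": "", "sam": "SKIM02"}

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE, SAMPLE_ERP_IDS):
        print(finding)
```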