Application Schemas
For every application, you must define the specific data you want to aggregate from the target system. The target system may have dozens or hundreds of attributes for each user. Not all of them are relevant to your identity governance program, and those that are not do not need to be brought into IdentityIQ. The schemas you define for the application specify which attributes to include when aggregating data from the target system.
Most connectors include predefined default schemas, which you can use as a starting point for defining the schemas you need. When a connector supports a predefined schema, you will see the attributes listed and defined for you on the Configuration > Schema tab. You can add or remove attributes from a predefined schema as needed.
Every configured application must include an account schema, which defines which data about accounts to read from the target application and identifies the accounts you want to manage.
The account schema must designate one of the attributes as the Identity Attribute, which is the unique identifier for the account on the source.
For many applications, account entitlements are memberships in groups. Many connectors also support the use of group schemas, allowing the application to aggregate additional details about the group structures from the target system.
Once a group schema is defined, you will need to connect the account schema to the group schema so IdentityIQ can recognize that the account entitlements identify group memberships. This is done by setting the Type for the entitlement attribute in the account schema to a value that matches the Native Object Type of the group schema. This value is often "group"; however, some connectors support multiple group schemas or offer more flexible options for schema definitions, so in some cases this may be a value other than "group."
Values for the entitlement attribute on accounts will be mapped to the Identity Attribute selected for the group schema to associate the groups with those users.
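The linkage described above can be checked mechanically. The following is an added example, not IdentityIQ code and not SailPoint's application definition format: it uses a constructed, simplified schema model (every dictionary key and sample record is an assumption) to verify that each group schema is referenced by an entitlement attribute's Type, and to list entitlement values that match no group's Identity Attribute.

```python
# Constructed, simplified schema model. The dictionary keys are assumptions
# for this example and are not IdentityIQ's application definition format.
SCHEMAS = [
    {"object_type": "account", "native_object_type": "account",
     "identity_attribute": "login",
     "attributes": {"login": "string", "email": "string", "groups": "group"},
     "entitlements": ["groups"]},
    {"object_type": "group", "native_object_type": "group",
     "identity_attribute": "group_id",
     "attributes": {"group_id": "string", "description": "string"}},
]
# Constructed aggregation results; groups are keyed by native object type.
ACCOUNTS = [{"login": "jdoe", "email": "jdoe@example.com", "groups": ["g-100", "g-999"]},
            {"login": "asmith", "email": "asmith@example.com", "groups": ["g-200"]}]
GROUPS = {"group": [{"group_id": "g-100", "description": "Finance"},
                    {"group_id": "g-200", "description": "Payroll admins"}]}


def check_schemas(schemas):
    """Return configuration problems; an empty list means the schemas are consistent."""
    account = next((s for s in schemas if s["object_type"] == "account"), None)
    if account is None:
        return ["no account schema defined"]
    problems = []
    for s in schemas:
        if s.get("identity_attribute") not in s["attributes"]:
            problems.append(f"{s['object_type']}: Identity Attribute missing from schema")
    # Types of the account's entitlement attributes; one must match each group schema.
    linked = {account["attributes"].get(a) for a in account.get("entitlements", [])}
    for s in schemas:
        if s is not account and s["native_object_type"] not in linked:
            problems.append(f"{s['object_type']}: no account entitlement attribute "
                            f"has Type '{s['native_object_type']}'")
    return problems


def unresolved_memberships(schemas, accounts, groups):
    """Return {account id: [entitlement values matching no group Identity Attribute]}."""
    account = next(s for s in schemas if s["object_type"] == "account")
    by_type = {s["native_object_type"]: s for s in schemas if s is not account}
    misses = {}
    for attr in account.get("entitlements", []):
        group_schema = by_type.get(account["attributes"][attr])
        if group_schema is None:
            continue  # entitlement is not typed as a group membership
        id_attr = group_schema["identity_attribute"]
        known = {g[id_attr] for g in groups.get(group_schema["native_object_type"], [])}
        for acct in accounts:
            bad = [v for v in acct.get(attr, []) if v not in known]
            if bad:
                misses.setdefault(acct[account["identity_attribute"]], []).extend(bad)
    return misses
```

Unresolved values are worth reviewing because they are entitlements an account holds that cannot be tied back to an aggregated group object.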
Some connectors support only a single group schema, and others support multiple group schemas. For more information about specific connectors, refer to the IdentityIQ Connectors documentation on SailPoint's documentation portal.