Configuration Tab

The information displayed on the Configuration tab changes depending on the application type specified.

Note: The terms account group and application object are use interchangeably in this document but have the same meaning. Some application can have multiple application objects. An account group can be the name of one of those objects.

The Settings tab contains the information that IdentityIQ uses to connect and interact with the target system. Each application type requires different connection information and the fields on this tab are changed accordingly.

For more information on connection parameters, see Application Connection Parameters.

For more information about specific connectors, refer to the IdentityIQ Connectors documentation on SailPoint's documentation portal.

If your enterprise is going to use partitioning for account aggregations, identity refreshes, and manager certification, you must enable that function here. Each application type requires different partitioning information.

This is also where you enable an application for data merging and delta aggregation.

Enter the information on this tab as required by the application type being configured. Click Test Connection to verify the information is correct.

For most application types you see account and group object types. Certain application types, however, enable you to create multiple application object types, each with their own schema. These application object types are sometimes referred to as account groups and those term might be used interchangeably in discussion around this feature.

Click at the top of the page to add a new object type. This function is only available for if the application type is associate with a connector that is enable to handle multiple application object types, or multiple schema.

This button is also displayed if you recently upgraded your instance of IdentityIQ and the application type now supports multiple schemas. In that case you must add the supported application object type here and then run the Account Group Aggregation task to import the new information.

Multiple application object types can be directly correlated, for example an application object type is also an attribute in the schema of another, or they can be indirectly associated, for example they are both objects (schemas) in the same application. These objects and their associations are tracked throughout IdentityIQ and appear in place such as reports, policy violations, searches, and certifications.

A note is displayed at the top of this tab if the application is configured to use credential cycling. For those applications, the credentials are stored and maintained on a Privileged Access Management (PAM) module, and verification is performed using existing hook points that support the retrieval of passwords from application credential management solutions such as, CyberArk Application Identity Manager (AIM) or BeyondTrust PowerBroker Password Safe. See Privileged Account Management and Privileged Account Management Credential Cycling for more information.

Note: To enable credential cycling, BeyondTrust PowerBroker Password Safe application passwords must be configured in the JSON format:
{"bt_user":"MyUserName","bt_password":"MyPasswordValue"}

The Schema tab is used to define the attributes for each object type in the application being configured. Use the following fields to define attributes for use with the IdentityIQ application. The field content is dependent on the application being configured.

For more details on configuring schema information, see Application Schemas.

For more information about specific connectors, refer to the IdentityIQ Connectors documentation on SailPoint's documentation portal.

When initially configuring applications, click Add New Schema Attribute to define the attributes for each object. Most application types include a default set of schema attributes. For more dynamic application types (JBDC or DelimitedFile), schemas should be defined manually. Click Edit to display the Advanced Properties dialog.

Important: A schema attribute name must not duplicate any extended attribute names that have been defined in your IdentityIQ instance. If an schema attribute name matches an extended attribute name, there is a risk that attribute values will not be updated correctly during an aggregation.

The connectors for some application types enable the automatic discovery of the base schema attributes for those applications. For those application types, click Discover Schema Attributes to automatically populate your schema tables. After using the automatic discovery function you must designate the Identity Attribute and Display Attribute for the application.

Click Preview to test the respective schema configuration. A pop-up sample table displays to indicate a successful configuration. These tables automatically update when you make changes so that you can use this feature before committing your changes. Only one table can be open at one time. Failures result in an error message specifying the point of failure, for example, a file path and name.

Note: The Preview function does not apply to applications which do not support aggregation.

Fields

Descriptions

Native Object Type

LDAP default types are iNetOrgPerson and groupOfUniqeNames for groups.

This is a required field.

The type of object with which the attributes are associated. For example, User and Group for Active Directory LDAP or DBA_USER and DBA_ROLES for Oracle.

Identity Attribute

This is a required field.

Do not change the identity attribute on connectors with pre-defined schema.

The attribute that is used by the IdentityIQ application to identify the object.

Include Permissions

Select this function to automatically add directPermissions to the schema. This option is available for any application that has DIRECT_PERMISSIONS in the featureString, for example, Oracle, DelimitedFile, and sybase HR. With this option activated, IdentityIQ correctly pulls in permission data for identities.

Display Attribute

This is a required field.

The attribute that is used as the object name as it appears throughout the IdentityIQ application.

Instance Attribute

The attribute that uniquely identifies a specific instance of an application.

Instance Attributes are not supported for Managed Attributes.

Remediation Modifiable

Accounts that are remediation modifiable can have their values and permissions modified from the Certification Report page for the identity being certified.

Specify the method of modification for this attribute:

  • Select – display a select list of all possible values or permissions for this attribute.

  • Free text – display a text field in which a certifier can enter any value.

Additional Group Attributes:

Description Attribute

Used during group aggregation to indicate which of the group attributes is used to populate the corresponding ManagedAttribute description.

The value set here overwrites any set during the Account Group Aggregation task.

Group Membership Attribute

The attribute that is used by the IdentityIQ application to identify the group.

Attributes:

Name

Attribute names cannot begin with IIQ_. Attributes with names that begin with IIQ_ are considered internal, reserved attributes and are not displayed in the product.

The name of the attribute.

Description

A brief description of the attribute.

Type

The type of attribute being defined. For example, string or boolean. Select from the dropdown list.

Properties: Click Edit to open the Advanced Properties dialog to edit the attribute properties.

Managed

Specify attributes to promoted to a first-class object in the IdentityIQ database so that they can be associated with other objects with that value, for example a description or an owner. Any attribute can become managed: department, location, title, but the most common attribute to be managed is the one holding group memberships.

Managed attributes can be viewed and managed from the Entitlement Catalog page.

Entitlement

Specify attributes to be used as entitlements on this application.

Attributes specified as entitlements are used by IdentityIQ as follows:

  • As additional entitlements during certification.

  • When creating profiles based on exiting users on this application. Profiles are created on the IdentityIQ Modeler and are used to create roles.

  • In account group certifications.

  • In Lifecycle Manager.

Multi-Valued

Specify attributes for which multiple values might be returned during aggregation.

Attributes flagged as multi-valued are stored as a list. Even objects that have a single value for a multi-value attribute are stored as a single-item list.

Multi-valued attributes are used for queries throughout the product.

Before multi-valued attributes are available for use in searches, they must be mapped on the Edit Account Attribute page.

Refer to the IdentityIQ system configuration documentation for information on how to add or edit account attributes.

Correlation Key

Specify attributes that IdentityIQ can use to correlate activity discovered in the activity logs for this application with information stored in identity cubes.

For example, activity logs might contain the full name of users instead of unique account ids. Therefore, correlation between the activity discovered by an activity scan and the identity cube of the user that performed the action must key off of the user's full name.

Correlation Key is only used during activity aggregation. If activity aggregation is not being used, Correlation Key should not be selected.

Minable

Specify attributes for use during role and profile creation.
When creating roles and profiles it is possible to mine applications for attributes and permissions to use in those objects rather than manually entering the values. Only attributes designated as minable are returned by those searches.

Remediation Modifiable

Attributes that are remediation modifiable can have their values and permissions modified from the Certification Report page for the identity being certified.

Specify the method of modification for this attribute:

  • Select – display a select list of all possible values or permissions for this attribute.

  • Free text – display a text field in which a certifier can enter any value.

Provisioning Policies are used to define application object attributes that must be managed due to a Lifecycle Manager request. With a provisioning policy in place, when a role or entitlement is requested the user must input specified criteria into a generated form before the request can be completed. A policy can be attached to an IdentityIQ application object or role and is used as part of the provisioning process.

For more details on Provisioning Policies, see Provisioning Policies.

For applications that support multiple application objects, each object is displayed in a separate table containing the provisioning policies those objects support. Not all application objects support all of the provisioning policies listed below.

In order to be able to provision to a DN with a backslash (\) to an Active Directory application through the Cloud Gateway you will need to set the following properties in catalina.sh or catalina.bat on the Cloud Gateway instance:

Copy 
set CATALINA_OPTS=%CATALINA_OPTS%
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
set CATALINA_OPTS=%CATALINA_OPTS%
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

Setting the dependencies between applications and accounts implies ordering in provisioning.

IdentityIQ includes the following types of provisioning policies:

  • Create

  • Update

  • Delete

  • Enable Account

  • Disable Account

  • Unlock Account

  • Change Password

  • CreateGroup

  • UpdateGroup

Click an existing provisioning policy or click Add Policy to create a new one using the Provisioning Policy Editor or to reference an existing policy. Only one of each policy types is supported.

Use the Application Dependencies dropdown list to create the list of applications where this application is dependent for provisioning. If no account is detected on an application where this application is dependent, an account request is added to the provisioning plan and the provision policy for this application is processed as expected.

The Provisioning Policy Editor panel contains the following information:

Field Name

Description

Name

The name of your provisioning policy.

Description

A brief description of the provisioning policy.

Owner

The owner of the provisioning policy. This is determined by selecting from the following:

  • None – no owner is assigned to this provisioning policy.

  • Application Owner – identity assigned as owner of the application in which the provisioning policy resides.

  • Role Owner – identity assigned as owner of the role in which the provisioning policy resides.

  • Rule – use a rule to determine the owner of this provisioning policy.

  • Script – use a script to determine the owner of this provisioning policy

Edit Provisioning Policy Fields Panel

Use the Edit Provisioning Policy Fields panel to customize the look and function of the form fields generated from the provisioning policy.

Name

The name of the field.

Display Name

The name displayed for the field in the form generated by the provisioning policy.

Help Text

The text you wish to appear when hovering the mouse over the help icon.

Type

Select the type of field from the dropdown list. Choose from the following:

  • Boolean – true or false values field

  • Date – calendar date field

  • Integer – only numerical values field

  • Long – similar to integer but is used for large numerical values

  • Identity – specific identity in IdentityIQ field

  • Secret – hidden text field

  • String – text field

Multi Valued

Choose this to have more than one selectable value in this field of the generated form. Click the plus sign to add another value.

Read Only

Determine how the read only value is derived:

  • Value – value based on the selection from the drop-down list

  • Rule – value is based on a specified rule

  • Script – value is determined by the execution of a script

Hidden

Determine how the hidden value is derived:

  • Value – value based on the selection from the drop-down list

  • Rule – value is based on a specified rule

  • Script – value is determined by the execution of a script

Owner

The owner of this provisioning policy field. This is determined by selecting from the following:

  • None – no owner is assigned to this provisioning policy.

  • Application Owner – identity assigned as owner of the application in which the provisioning policy resides.

  • Role Owner – identity assigned as owner of the role in which the provisioning policy resides.

  • Rule – use a rule to determine the owner of this provisioning policy.

  • Script – use a script to determine the owner of this provisioning policy

Required

Choose whether or not to have the completion of this field a requirement for submitting the form.

Review Required

Choose whether or not to require the person who is approving the workflow item to approve this field.

Refresh Form on Change

Select this option to have the form associated with this policy refresh to reflex changes to this policy.

Display Only

Set this field as display only.

Authoritative

Boolean that specifies whether the field value should completely replace the current value rather than be merged with it; applicable only for multi-valued attributes

Value

Determine how the value is derived. Select from the following:

  • Literal – value is based on the information you provide

  • Rule – value is based on a specified rule

  • Script – value is determined by the execution of a script

Validation

Gives the ability to specify a script or rule for validating the user's value. For example, a script that validates that a password is 8 characters or longer.