Application Connection Parameters
Connection parameters define how the application will connect to and communicate with the target system. For example, for a delimited file application, you will need to specify the name and location of the delimited file, as well as what the delimiter is, and any file encoding. For a JDBC application, your connection parameters will include the database URL, the JDBC driver, and a username and password for the connection.
The required configuration parameters vary by connector, based on the specific requirements of the target system.
For more information about specific connectors, refer to the IdentityIQ Connectors documentation on SailPoint's documentation portal.
Application Schemas
For every application, you must define the specific data you want to aggregate from the target system. The target system may have dozens or hundreds of attributes for each user, not all of which may be relevant for your identity governance program, and which therefore do not need to be brought into IdentityIQ. The schemas you define for the application specify which attributes to include when aggregating data from the target system.
Most connectors include predefined default schemas, which you can use as a starting point for defining the schemas you need. When a connector supports a predefined schema, you will see the attributes listed and defined for you on the Configuration > Schema tab. You can add or remove attributes from a predefined schema as needed.
Account Schemas
Every configured application must include an account schema, which defines which data about accounts to read from the target application and identifies the accounts you want to manage.
The account schema must designate one of the attributes as the Identity Attribute, which is the unique identifier for the account on the source.
Group Schemas
For many applications, account entitlements are memberships in groups. Many connectors also support the use of group schemas, allowing the application to aggregate additional details about the group structures from the target system.
Once a group schema is defined, you will need to connect the account schema to the group schema so IdentityIQ can recognize that the account entitlements identify group memberships. This is done by setting the Type for the entitlement attribute in the account schema to a value that matches the Native Object Type of the group schema. This value is often "group"; however, some connectors support multiple group schemas or offer more flexible options for schema definitions, so in some cases this may be a value other than "group."
Values for the entitlement attribute on accounts will be mapped to the Identity Attribute selected for the group schema to associate the groups with those users.
Some connectors support only a single group schema, and others support multiple group schemas. For more information about specific connectors, refer to the IdentityIQ Connectors documentation on SailPoint's documentation portal.
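The linkage described above (the entitlement attribute's Type must equal a group schema's Native Object Type, and entitlement values are matched against the group schema's Identity Attribute) is easy to get wrong silently. The following is an added example, not IdentityIQ code: it models the two schemas with small Python dataclasses, refuses an entitlement attribute whose Type matches no group schema, and reports any entitlement value on an account that names no aggregated group. All class names, the sample LDAP-style schema and the sample account and group data are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the schema concepts on this page; not IdentityIQ's own classes.


@dataclass
class AttributeDefinition:
    name: str
    type: str = "string"        # for an entitlement attribute: a group schema's Native Object Type
    entitlement: bool = False
    multi: bool = False


@dataclass
class Schema:
    native_object_type: str     # e.g. "account" or "group"
    identity_attribute: str     # the attribute that uniquely identifies the object on the source
    attributes: list = field(default_factory=list)


def link_entitlements_to_group_schemas(account_schema, group_schemas):
    """Pair every entitlement attribute in the account schema with the group schema
    whose Native Object Type equals the attribute's Type. Raises when no group schema
    matches, because an unlinked entitlement attribute is never recognized as
    group membership."""
    by_native_type = {g.native_object_type: g for g in group_schemas}
    links = {}
    for attr in account_schema.attributes:
        if not attr.entitlement:
            continue
        group_schema = by_native_type.get(attr.type)
        if group_schema is None:
            raise ValueError(
                f"entitlement attribute {attr.name!r} has type {attr.type!r}, which matches "
                f"no group schema's native object type ({sorted(by_native_type)})"
            )
        links[attr.name] = group_schema
    return links


def resolve_group_memberships(account, links, aggregated_groups):
    """Map each entitlement value on an account to the aggregated group whose identity
    attribute equals that value. Returns (resolved, unresolved); unresolved holds
    values that name no known group (stale membership or a mis-typed value)."""
    resolved, unresolved = {}, {}
    for attr_name, group_schema in links.items():
        values = account.get(attr_name, [])
        if not isinstance(values, list):
            values = [values]                 # a single value is still handled as a list
        index = {
            g[group_schema.identity_attribute]: g
            for g in aggregated_groups.get(group_schema.native_object_type, [])
        }
        resolved[attr_name] = [index[v] for v in values if v in index]
        unresolved[attr_name] = [v for v in values if v not in index]
    return resolved, unresolved


# Constructed sample: an LDAP-style account schema with a multi-valued "memberOf"
# entitlement typed "group", and one group schema keyed on distinguishedName.
ACCOUNT_SCHEMA = Schema(
    native_object_type="account",
    identity_attribute="sAMAccountName",
    attributes=[
        AttributeDefinition("sAMAccountName"),
        AttributeDefinition("memberOf", type="group", entitlement=True, multi=True),
    ],
)
GROUP_SCHEMA = Schema(
    native_object_type="group",
    identity_attribute="distinguishedName",
    attributes=[AttributeDefinition("distinguishedName"), AttributeDefinition("cn")],
)
AGGREGATED_GROUPS = {
    "group": [
        {"distinguishedName": "CN=Admins,OU=Groups,DC=example,DC=com", "cn": "Admins"},
        {"distinguishedName": "CN=Finance,OU=Groups,DC=example,DC=com", "cn": "Finance"},
    ]
}
SAMPLE_ACCOUNT = {
    "sAMAccountName": "jdoe",
    "memberOf": [
        "CN=Admins,OU=Groups,DC=example,DC=com",
        "CN=Retired,OU=Groups,DC=example,DC=com",   # constructed: no such group was aggregated
    ],
}


def run_sample():
    links = link_entitlements_to_group_schemas(ACCOUNT_SCHEMA, [GROUP_SCHEMA])
    return resolve_group_memberships(SAMPLE_ACCOUNT, links, AGGREGATED_GROUPS)


if __name__ == "__main__":
    resolved, unresolved = run_sample()
    for attr, groups in resolved.items():
        print(attr, "->", [g["cn"] for g in groups])
    print("unresolved:", unresolved)
```

The unresolved list is the part worth keeping an eye on after a real aggregation: a value that resolves to no group is an entitlement IdentityIQ cannot enrich with the group's owner, description or display name, so it tends to surface as an opaque string in certifications.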
Properties of Attributes in Account and Group Schemas
Attribute properties determine how attributes are used and managed in IdentityIQ. For example, you may want some attributes to support multiple values, or to be included in the Entitlement Catalog. Select Edit to open the Advanced Properties dialog to edit the attribute properties for accounts and groups.
Entitlement
Marking an attribute as an entitlement indicates that this is an access right you want to track for your identities (for example, to use in certifications). If you want this attribute to be requestable, to have an owner, and to have a description and display name, you must also mark it as Managed.
Managed
Attributes designated as Managed can be viewed and managed from the Entitlement Catalog page. Managed attributes can be made requestable, can be assigned an owner (for approvals or entitlement certifications), and can have display names and descriptions that will help users identify and understand them. They can also be used in policies and risk calculations.
When you do a group aggregation, all groups read from the aggregation are automatically included in the entitlement catalog as managed attributes.
Multi-valued
For some attributes, multiple values might be returned during aggregation (for example, an attribute indicating group membership). These should be marked as Multi-valued. Values for attributes flagged as multi-valued are stored as a list. Even objects that have a single value for a multi-value attribute are stored as a single-item list.
Correlation Key
The Correlation Key flag is only used for activity and unstructured data aggregation. If activity aggregation is not being used, Correlation Key should not be selected. This flag specifies attributes that IdentityIQ can use to correlate activity discovered in the activity logs for this application with information stored in Identity Cubes. For information about correlating aggregated accounts to existing identities, see Correlation in Application Concepts.
For example, activity logs might contain the full name of users instead of unique account ids. Therefore, correlation of the activity discovered by an activity scan and the Identity Cube of the user that performed the action must key off of the user's full name.
Minable
Attributes that you want to use for role and profile creation should be marked as minable. This allows the Role Mining feature to mine applications for attributes and permissions when creating roles and profiles, rather than requiring manual entry of the values. Only attributes designated as minable are returned by those searches.
Remediation Modifiable
Attributes that are remediation modifiable can have their values and permissions modified as part of a certification, for the identity being certified. Options are:
Select – in the certification, display a select list of all possible values or permissions for this attribute.
Free text – in the certification, display a text field in which a certifier can enter any value.
Readonly – the value cannot be modified.
Discovering Schemas
Some connectors support the discovery of schemas. For those application types, you can select Discover Schema Attributes to automatically populate your schema information in the Schema page.
Previewing Data for a Schema
Each defined schema offers a Preview button; this is useful for checking the schema against a small sampling of the source system's data before aggregating.
Avoiding Conflicts Between Schema Attributes and Extended Attributes
If your IdentityIQ instance makes use of extended attributes, ensure that the names of your extended attributes do not duplicate any attribute names in your application's schema(s). If an extended attribute name matches a schema attribute name, there is a risk that attribute values will not be updated correctly during an aggregation.
For more information on extended attributes, see Extended Attributes.
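The attribute properties described under Properties of Attributes in Account and Group Schemas, and the naming conflict described just above, are the kind of thing worth checking mechanically before an application goes live. The following is an added example, not IdentityIQ code: a small lint over a constructed list of attribute properties that flags an Entitlement attribute that is not Managed, a Correlation Key set where activity aggregation is not in use, a Remediation Modifiable value outside the three documented options, and a schema attribute name that collides with an extended attribute name; it also shows the multi-valued storage rule (a single value is still stored as a one-item list). The class and field names, the lowercase remediation tokens, and the sample schema and extended attribute names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the attribute properties described on this page; not IdentityIQ's classes.
# The page names the Remediation Modifiable options Select, Free text and Readonly;
# these lowercase tokens are constructed for the example.
REMEDIATION_OPTIONS = {"select", "free text", "readonly"}


@dataclass
class AttributeProperties:
    name: str
    entitlement: bool = False
    managed: bool = False
    multi: bool = False
    correlation_key: bool = False
    minable: bool = False
    remediation_modifiable: Optional[str] = None   # one of REMEDIATION_OPTIONS, or None


def lint_schema_attributes(attributes, extended_attribute_names, activity_aggregation_enabled):
    """Return (attribute, code, message) findings for the property combinations
    this page warns about. Findings are advisory; none of them blocks aggregation."""
    findings = []
    for a in attributes:
        if a.entitlement and not a.managed:
            findings.append((a.name, "entitlement-not-managed",
                             "cannot be requested, owned or described until marked Managed"))
        if a.correlation_key and not activity_aggregation_enabled:
            findings.append((a.name, "correlation-key-unused",
                             "Correlation Key applies only to activity and unstructured data aggregation"))
        if a.remediation_modifiable is not None and a.remediation_modifiable not in REMEDIATION_OPTIONS:
            findings.append((a.name, "bad-remediation-option",
                             f"expected one of {sorted(REMEDIATION_OPTIONS)}"))
        if a.name in extended_attribute_names:
            findings.append((a.name, "extended-attribute-conflict",
                             "same name as an extended attribute; values may not update correctly on aggregation"))
    return findings


def normalize_multi_valued(record, attributes):
    """Store every multi-valued attribute as a list: a single value becomes a one-item
    list and a missing value an empty list. Single-valued attributes are left alone."""
    out = dict(record)
    for a in attributes:
        if not a.multi:
            continue
        value = out.get(a.name)
        if value is None:
            out[a.name] = []
        elif isinstance(value, list):
            out[a.name] = list(value)
        else:
            out[a.name] = [value]
    return out


# Constructed sample schema, deliberately carrying one of each problem.
SAMPLE_ATTRIBUTES = [
    AttributeProperties("sAMAccountName"),
    AttributeProperties("memberOf", entitlement=True, managed=True, multi=True,
                        remediation_modifiable="select"),
    AttributeProperties("roles", entitlement=True, multi=True),        # entitlement but not Managed
    AttributeProperties("displayName", correlation_key=True),          # activity aggregation not in use
    AttributeProperties("department", minable=True,
                        remediation_modifiable="dropdown"),             # not a documented option
    AttributeProperties("costCenter"),                                  # collides with an extended attribute
]
EXTENDED_ATTRIBUTE_NAMES = {"costCenter", "location"}   # constructed extended attribute names


def run_sample():
    findings = lint_schema_attributes(SAMPLE_ATTRIBUTES, EXTENDED_ATTRIBUTE_NAMES,
                                      activity_aggregation_enabled=False)
    normalized = normalize_multi_valued(
        {"sAMAccountName": "jdoe", "memberOf": "CN=Admins,OU=Groups,DC=example,DC=com"},
        SAMPLE_ATTRIBUTES,
    )
    return findings, normalized


if __name__ == "__main__":
    findings, normalized = run_sample()
    for name, code, message in findings:
        print(f"{name}: {code}: {message}")
    print(normalized)
```

Run it before the first aggregation of a new application and again whenever an extended attribute is added, since a later extended attribute is the usual way a name collision creeps into a schema that was clean when it was built.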