
Configuration Tab

The information displayed on the Configuration tab changes depending on the application type specified.

Note

The terms account group and application object are used interchangeably in this document and have the same meaning. Some applications can have multiple application objects; an account group can be the name of one of those objects.

Settings Tab

The Settings tab contains the information that IdentityIQ uses to connect to and interact with the target system. Each application type requires different connection information, and the fields on this tab change accordingly.

For more information on connection parameters, see Application Connection Parameters.

For more information about specific connectors, refer to the IdentityIQ Connectors documentation on SailPoint's documentation portal.

If your enterprise is going to use partitioning for account aggregations, identity refreshes, and manager certification, you must enable that function here. Each application type requires different partitioning information.

This is also where you enable an application for data merging and delta aggregation.

Enter the information on this tab as required by the application type being configured. Click Test Connection to verify the information is correct.

Adding Object Types

For most application types you see account and group object types. Certain application types, however, enable you to create multiple application object types, each with its own schema. These application object types are sometimes referred to as account groups, and those terms might be used interchangeably in discussions of this feature.

Click the add button at the top of the page to add a new object type. This function is only available if the application type is associated with a connector that can handle multiple application object types, or multiple schemas.

This button is also displayed if you recently upgraded your instance of IdentityIQ and the application type now supports multiple schemas. In that case you must add the supported application object type here and then run the Account Group Aggregation task to import the new information.

Multiple application object types can be directly correlated, for example when one application object type is also an attribute in the schema of another, or indirectly associated, for example when both are objects (schemas) in the same application. These objects and their associations are tracked throughout IdentityIQ and appear in places such as reports, policy violations, searches, and certifications.

Credential Cycling

A note is displayed at the top of this tab if the application is configured to use credential cycling. For those applications, the credentials are stored and maintained in a Privileged Access Management (PAM) module, and verification is performed using existing hook points that support retrieving passwords from application credential management solutions such as CyberArk Application Identity Manager (AIM) or BeyondTrust PowerBroker Password Safe. See Privileged Account Management and Privileged Account Management Credential Cycling for more information.

Note

To enable credential cycling, BeyondTrust PowerBroker Password Safe application passwords must be configured in the JSON format: {"bt_user":"MyUserName","bt_password":"MyPasswordValue"}

Schema Tab

The Schema tab is used to define the attributes for each object type in the application being configured. Use the following fields to define attributes for use with the IdentityIQ application. The field content is dependent on the application being configured.

For more details on configuring schema information, see Application Schemas.

For more information about specific connectors, refer to the IdentityIQ Connectors documentation on SailPoint's documentation portal.

When initially configuring applications, click Add New Schema Attribute to define the attributes for each object. Most application types include a default set of schema attributes. For more dynamic application types (JDBC or DelimitedFile), schemas should be defined manually. Click Edit to display the Advanced Properties dialog.

Important

A schema attribute name must not duplicate any extended attribute name that has been defined in your IdentityIQ instance. If a schema attribute name matches an extended attribute name, there is a risk that attribute values will not be updated correctly during an aggregation.

The connectors for some application types enable the automatic discovery of the base schema attributes for those applications. For those application types, click Discover Schema Attributes to automatically populate your schema tables. After using the automatic discovery function you must designate the Identity Attribute and Display Attribute for the application.

Click Preview to test the respective schema configuration. A pop-up sample table displays to indicate a successful configuration. These tables automatically update when you make changes so that you can use this feature before committing your changes. Only one table can be open at one time. Failures result in an error message specifying the point of failure, for example, a file path and name.

Note

The Preview function does not apply to applications which do not support aggregation.

Field Descriptions

Native Object Type -- This is a required field. The type of object with which the attributes are associated. For example, User and Group for Active Directory LDAP, or DBA_USER and DBA_ROLES for Oracle. The LDAP default types are inetOrgPerson for accounts and groupOfUniqueNames for groups.
Identity Attribute -- This is a required field. The attribute that IdentityIQ uses to identify the object. Do not change the identity attribute on connectors with a pre-defined schema.
Include Permissions -- Select this option to automatically add directPermissions to the schema. The option is available for any application that has DIRECT_PERMISSIONS in its featureString, for example Oracle, DelimitedFile, and Sybase HR. With this option activated, IdentityIQ correctly pulls in permission data for identities.
Display Attribute -- This is a required field. The attribute that is used as the object name as it appears throughout IdentityIQ.
Instance Attribute -- The attribute that uniquely identifies a specific instance of an application. Instance attributes are not supported for managed attributes.
Remediation Modifiable -- Accounts that are remediation modifiable can have their values and permissions modified from the Certification Report page for the identity being certified. Specify the method of modification for this attribute: Select displays a select list of all possible values or permissions for this attribute; Free text displays a text field in which a certifier can enter any value.

Additional Group Attributes:
Description Attribute -- Used during group aggregation to indicate which of the group attributes populates the corresponding ManagedAttribute description. The value set here overwrites any value set during the Account Group Aggregation task.
Group Membership Attribute -- The attribute that IdentityIQ uses to identify the group.

Attributes:
Name -- The name of the attribute. Attribute names cannot begin with IIQ_. Attributes with names that begin with IIQ_ are considered internal, reserved attributes and are not displayed in the product.
Description -- A brief description of the attribute.
Type -- The type of attribute being defined, for example string or boolean. Select from the dropdown list.

Properties: Click Edit to open the Advanced Properties dialog and edit the attribute properties.
Managed -- Specify attributes to be promoted to first-class objects in the IdentityIQ database so that they can be associated with other objects carrying that value, for example a description or an owner. Any attribute can become managed (department, location, title), but the most common managed attribute is the one holding group memberships. Managed attributes can be viewed and managed from the Entitlement Catalog page.
Entitlement -- Specify attributes to be used as entitlements on this application. Attributes specified as entitlements are used by IdentityIQ as additional entitlements during certification, in account group certifications, in Lifecycle Manager, and when creating profiles based on existing users of this application. Profiles are created in the IdentityIQ Modeler and are used to create roles.
Multi-Valued -- Specify attributes for which multiple values might be returned during aggregation. Attributes flagged as multi-valued are stored as a list; even objects that have a single value for a multi-valued attribute store it as a single-item list. Multi-valued attributes are used for queries throughout the product. Before multi-valued attributes are available for use in searches, they must be mapped on the Edit Account Attribute page. Refer to the IdentityIQ system configuration documentation for information on how to add or edit account attributes.
Correlation Key -- Specify attributes that IdentityIQ can use to correlate activity discovered in the activity logs for this application with information stored in identity cubes. For example, activity logs might contain the full name of users instead of unique account IDs, so correlation between the activity discovered by an activity scan and the identity cube of the user who performed the action must key off the user's full name. Correlation Key is only used during activity aggregation; if activity aggregation is not being used, do not select Correlation Key.
Minable -- Specify attributes for use during role and profile creation. When creating roles and profiles it is possible to mine applications for attributes and permissions to use in those objects rather than entering the values manually. Only attributes designated as minable are returned by those searches.
Remediation Modifiable -- Attributes that are remediation modifiable can have their values and permissions modified from the Certification Report page for the identity being certified. Specify the method of modification for this attribute: Select displays a select list of all possible values or permissions for this attribute; Free text displays a text field in which a certifier can enter any value.
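The rules above (no IIQ_ prefix, no collision with extended attribute names, required Identity and Display attributes, multi-valued attributes always stored as lists) can be checked before a schema is saved. The following is an added illustration, not IdentityIQ code; the dict layout, the sample schema and the extended attribute names are constructed stand-ins for the Schema tab form:

```python
# Added illustration, not IdentityIQ code: checks a schema definition against the
# rules stated above before it is saved, and applies the multi-valued storage rule.
RESERVED_PREFIX = "IIQ_"  # names with this prefix are internal and hidden in the product


def validate_schema(schema, extended_attribute_names):
    """Return the problems found (empty list = schema satisfies the page's rules).

    schema is a constructed stand-in for the Schema tab form: a dict with
    identityAttribute, displayAttribute and a list of {"name", "multiValued"} attributes.
    """
    problems = []
    names = [attr["name"] for attr in schema.get("attributes", [])]
    for name in names:
        if name.startswith(RESERVED_PREFIX):
            problems.append(f"attribute '{name}' uses the reserved prefix {RESERVED_PREFIX}")
        if name in extended_attribute_names:
            problems.append(f"attribute '{name}' duplicates an extended attribute name; "
                            "its values may not update correctly during aggregation")
    # Identity and Display attributes are required and must name a defined attribute.
    for field in ("identityAttribute", "displayAttribute"):
        value = schema.get(field)
        if not value:
            problems.append(f"{field} is required")
        elif value not in names:
            problems.append(f"{field} '{value}' is not a defined schema attribute")
    return problems


def normalize_values(schema, raw_object):
    """Store multi-valued attributes as lists, wrapping a lone value in a one-item list."""
    multi = {a["name"] for a in schema["attributes"] if a.get("multiValued")}
    return {k: ([v] if k in multi and not isinstance(v, list) else v)
            for k, v in raw_object.items()}


# Constructed sample: an AD-style account schema with three deliberate mistakes.
SAMPLE_SCHEMA = {
    "identityAttribute": "sAMAccountName",
    "displayAttribute": "distinguishedName",  # not defined in the attribute list
    "attributes": [
        {"name": "sAMAccountName", "multiValued": False},
        {"name": "memberOf", "multiValued": True},
        {"name": "location", "multiValued": False},  # clashes with an extended attribute
        {"name": "IIQ_marker", "multiValued": False},  # reserved prefix
    ],
}
EXTENDED_ATTRIBUTES = {"location", "costCenter"}  # constructed extended attribute names
```

Running validate_schema on the sample reports the reserved prefix, the extended-attribute collision and the undefined Display Attribute; normalize_values wraps a single memberOf value in a list as the Multi-Valued rule requires.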

Provisioning Policies Tab

Provisioning Policies are used to define application object attributes that must be managed due to a Lifecycle Manager request. With a provisioning policy in place, when a role or entitlement is requested the user must input specified criteria into a generated form before the request can be completed. A policy can be attached to an IdentityIQ application object or role and is used as part of the provisioning process.

For applications that support multiple application objects, each object is displayed in a separate table containing the provisioning policies those objects support. Not all application objects support all of the provisioning policies listed below.

To provision to a DN containing a backslash (\) on an Active Directory application through the Cloud Gateway, you must set the following properties in catalina.sh or catalina.bat on the Cloud Gateway instance. Both properties relax Tomcat's default rejection of encoded slashes and backslashes in request paths, so set them only on the Cloud Gateway instance that needs them:

set CATALINA_OPTS=%CATALINA_OPTS% -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
set CATALINA_OPTS=%CATALINA_OPTS% -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

Setting dependencies between applications and accounts imposes an ordering on provisioning.

IdentityIQ includes the following types of provisioning policies:

  • Create

  • Update

  • Delete

  • Enable Account

  • Disable Account

  • Unlock Account

  • Change Password

  • CreateGroup

  • UpdateGroup

Click an existing provisioning policy, or click Add Policy to create a new one using the Provisioning Policy Editor or to reference an existing policy. Only one policy of each type is supported.

Use the Application Dependencies dropdown list to build the list of applications on which this application depends for provisioning. If no account is detected on an application that this application depends on, an account request for that application is added to the provisioning plan, and the provisioning policy for this application is then processed as expected.
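The ordering that application dependencies impose on a provisioning plan, as an added illustration that is not IdentityIQ code: dependencies are visited first, a dependency without an account yields a Create request ahead of the dependent application's own request, and a dependency loop is reported instead of looping forever. The application names and the dependency map are constructed for the example.

```python
# Added illustration, not IdentityIQ code: a constructed model of how application
# dependencies order the account requests in a provisioning plan.
class DependencyCycle(Exception):
    """Raised when applications depend on each other in a loop; no valid order exists."""


def build_plan(target_app, dependencies, existing_accounts):
    """Return the ordered (application, operation) entries needed to provision target_app.

    dependencies: {app: [apps it depends on]} as set on the Application Dependencies list.
    existing_accounts: applications on which the identity already holds an account.
    Applications are visited depth-first, so every dependency precedes the application
    that depends on it; a missing account on a dependency becomes a Create request.
    """
    plan, visiting, done = [], set(), set()

    def visit(app):
        if app in done:
            return  # already ordered via another path (diamond dependencies)
        if app in visiting:
            raise DependencyCycle(f"dependency cycle through '{app}'")
        visiting.add(app)
        for dep in dependencies.get(app, []):
            visit(dep)
        visiting.discard(app)
        done.add(app)
        if app == target_app:
            plan.append((app, "Modify" if app in existing_accounts else "Create"))
        elif app not in existing_accounts:
            plan.append((app, "Create"))  # dependency lacked an account: add one first

    visit(target_app)
    return plan


def is_acyclic(dependencies):
    """True when build_plan can order every application without hitting a cycle."""
    try:
        for app in dependencies:
            build_plan(app, dependencies, set())
    except DependencyCycle:
        return False
    return True


# Constructed sample: SAP needs an Active Directory account, which in turn needs an HR record.
SAMPLE_DEPENDENCIES = {"SAP": ["ActiveDirectory"], "ActiveDirectory": ["HR"]}
```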

The Provisioning Policy Editor panel contains the following information:

Field Name -- Description
Name -- The name of your provisioning policy.
Description -- A brief description of the provisioning policy.
Owner -- The owner of the provisioning policy. This is determined by selecting from the following:
  • None -- no owner is assigned to this provisioning policy.
  • Application Owner -- identity assigned as owner of the application in which the provisioning policy resides.
  • Role Owner -- identity assigned as owner of the role in which the provisioning policy resides.
  • Rule -- use a rule to determine the owner of this provisioning policy.
  • Script -- use a script to determine the owner of this provisioning policy.

Edit Provisioning Policy Fields Panel

Use the Edit Provisioning Policy Fields panel to customize the look and function of the form fields generated from the provisioning policy.

Name -- The name of the field.
Display Name -- The name displayed for the field in the form generated by the provisioning policy.
Help Text -- The text you want to appear when the mouse hovers over the help icon.
Type -- Select the type of field from the dropdown list. Choose from the following:
  • Boolean -- true or false values field
  • Date -- calendar date field
  • Integer -- only numerical values field
  • Long -- similar to integer but used for large numerical values
  • Identity -- specific identity in IdentityIQ field
  • Secret -- hidden text field
  • String -- text field
Multi Valued -- Choose this to have more than one selectable value in this field of the generated form. Click the plus sign to add another value.
Read Only -- Determine how the read only value is derived:
  • Value -- value based on the selection from the drop-down list
  • Rule -- value is based on a specified rule
  • Script -- value is determined by the execution of a script
Hidden -- Determine how the hidden value is derived:
  • Value -- value based on the selection from the drop-down list
  • Rule -- value is based on a specified rule
  • Script -- value is determined by the execution of a script
Owner -- The owner of this provisioning policy field. This is determined by selecting from the following:
  • None -- no owner is assigned to this provisioning policy field.
  • Application Owner -- identity assigned as owner of the application in which the provisioning policy resides.
  • Role Owner -- identity assigned as owner of the role in which the provisioning policy resides.
  • Rule -- use a rule to determine the owner of this provisioning policy field.
  • Script -- use a script to determine the owner of this provisioning policy field.
Required -- Choose whether or not completing this field is required before the form can be submitted.
Review Required -- Choose whether or not the person approving the workflow item must approve this field.
Refresh Form on Change -- Select this option to have the form associated with this policy refresh to reflect changes to this policy.
Display Only -- Set this field as display only.
Authoritative -- Boolean that specifies whether the field value should completely replace the current value rather than be merged with it; applicable only to multi-valued attributes.
Value -- Determine how the value is derived. Select from the following:
  • Literal -- value is based on the information you provide
  • Rule -- value is based on a specified rule
  • Script -- value is determined by the execution of a script
Validation -- Specify a script or rule for validating the user's value, for example a script that validates that a password is 8 characters or longer.