View Identity Page
Select an identity from Identities > Identity Warehouse, then use the View Identity page to view detailed information about each component of the identity for a selected user.
The View Identity page contains the following options:
- Attributes Tab
- Entitlements Tab
- Application Accounts Tab
- Policy Tab
- History Tab
- Risk Tab
- Activity Tab
- User Rights Tab
- Events Tab
Attributes Tab
The View Identity > Attributes tab provides the basic user identity information such as first name, last name, email, manager, and type, along with information about their role in the organization, such as job title, department, location, region, cost center, etc.
You can also update information about the user from this tab, using these options:
- Edit - Select to modify attribute values as needed. This option is restricted based on user capabilities and is not available to every user.
- Manager - The manager to whom the user reports directly. Select the manager's name to display the View Identity page for that user.
- Location Owner - The owner of the location where the user reports. Select the location owner's name to display the View Identity page for that user.
- Region Owner - The owner of the region where the user reports. Select the region owner's name to display the View Identity page for that user.
- Change Password - Set or update a password for the user. If you want to require the user to change their password the next time they log in to IdentityIQ, select the checkbox below the password confirmation field.
- Change Forwarding User - The forwarding user is a user or workgroup to whom work items assigned to this identity can be forwarded. You can use the Start Forwarding and End Forwarding options to set a specific time period when forwarding should occur, for example, if the user is on leave.
Entitlements Tab
The View Identity > Entitlements tab lists all of the roles and entitlements for the selected user.
By default, the identity's direct access is shown. You can select the Effective Access button at the top right to see the identity's effective access. Effective Access is any indirect access that is granted through another object, such as group membership, another role, or an unstructured target.
You can use Advanced Search for both roles and entitlements, to find access based on a variety of criteria, such as how it was assigned, whether it has been requested or is pending approval, and whether it has been certified.
The entitlements tab includes two sections: Roles and Entitlements.
Roles
A list of roles that were detected or assigned to the user manually or through role assignment rules. The Acquired column indicates whether the role was assigned or detected. Assigned roles are typically business-type roles that model how users are grouped by business function, including functional hierarchies, project teams, or geographic location. Detected roles are roles that are detected by IdentityIQ during the aggregation and correlation processes based on the entitlements assigned to an identity.
If an activation or deactivation date is defined for the role it is displayed in a message box below the role name.
Column Name | Description |
---|---|
Name | Name of the role. Select the name to view detailed information about the role |
Description | Brief description of the role. |
Classifications | If the role has a classification that categorizes it as potentially allowing access to sensitive, protected, or otherwise significant data, an icon is shown to flag the classification. |
Assigned By | The user that assigned this role to the identity. |
Allowed By | The assigned roles that permit a user to have this role, either directly or indirectly. A direct permission is one in which the assigned role is a member of the permitted role. An indirect permission is one in which the assigned role is on the permitted list for the assigned role. |
Acquired | How the role was acquired: assigned or detected. |
Application | The application associated with the role. |
Account Name | The application account the role is mapped to. |
Entitlements
A list of the applications that have entitlements to which the identity has access. Select the entitlement or application name to view the entitlement details, if available.
When an information icon is displayed, you can hover over it to view more details.
If the entitlement has a classification that categorizes it as potentially allowing access to sensitive, protected, or otherwise significant data, an icon is shown to flag the classification.
Select Show only additional entitlements to limit the list to entitlements that are not included in a role that has been assigned to or detected for the user.
Note
If any of the displayed roles or entitlements has elevated access, they will have the Elevated Access icon next to the name or entitlement. Refer to Elevated Access for more information.
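The distinction this tab draws between direct access, effective access, detected roles, and additional entitlements can be made concrete with a small model. The following is an added example, not IdentityIQ code; the role, group, and entitlement names, and the dictionary layout, are constructed assumptions.

```python
# Constructed model of the Entitlements tab's views: direct access, effective
# access (indirect, via an included role or group membership), roles detected
# from entitlements, and the "Show only additional entitlements" filter.
# Names and structure are assumptions, not IdentityIQ's data model.

# Entitlements each role grants directly, and roles a role includes (hierarchy).
ROLES = {
    "AP Clerk":   {"entitlements": {"erp:ap_entry"}, "includes": set()},
    "AP Manager": {"entitlements": {"erp:ap_approve"}, "includes": {"AP Clerk"}},
}
# Entitlements that group membership grants indirectly.
GROUPS = {"finance-admins": {"erp:admin", "erp:ap_entry"}}

IDENTITY = {
    "assigned_roles": {"AP Manager"},
    "groups": {"finance-admins"},
    # Entitlements aggregated directly from the identity's accounts (constructed).
    "direct": {"erp:ap_approve", "erp:ap_entry", "ad:vpn"},
}

def role_closure(role_names):
    # Walk the role hierarchy so included roles' entitlements count as well.
    seen, stack, ents = set(), list(role_names), set()
    while stack:
        r = stack.pop()
        if r in seen or r not in ROLES:
            continue
        seen.add(r)
        ents |= ROLES[r]["entitlements"]
        stack.extend(ROLES[r]["includes"])
    return ents

def detected_roles(identity):
    # A role is "detected" when every entitlement it implies is present in the
    # identity's direct access (the Acquired = detected case in the Roles table).
    return {r for r in ROLES if role_closure({r}) <= identity["direct"]}

def effective_access(identity):
    # Direct access plus anything granted through assigned roles or groups.
    via_groups = set().union(*(GROUPS.get(g, set()) for g in identity["groups"]))
    return identity["direct"] | role_closure(identity["assigned_roles"]) | via_groups

def additional_entitlements(identity):
    # Direct entitlements not covered by any assigned or detected role: the set
    # a reviewer sees with "Show only additional entitlements" selected.
    covered = role_closure(identity["assigned_roles"] | detected_roles(identity))
    return identity["direct"] - covered
```

Entitlements that appear only in the additional set have no role justifying them, which makes that filter the natural starting point for an access review.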
Application Accounts Tab
The View Identity > Application Accounts tab lists account information for all the applications to which the user has some level of access.
Column Name | Description |
---|---|
Application | The name of the applications to which the user has some level of access. Select an application name to view detailed information. |
Account Name | The simple name used to identify the user on the application. |
Status | Values can include: Disabled - the account has been disabled by an admin at some point. |
Last Refresh | Date on which the user identity information was last refreshed. |
To remove the link between the identity and the application in IdentityIQ, select the checkbox next to an account in the table and then select the Delete button. This action does not affect the user's account or entitlements on the application.
To transfer the account to a different identity, select an account and then select the Move Account button. On the Select Account Owner dialog, select an existing identity from the list or create a new identity.
To select an existing identity, enter the first few letters of the identity name to display a suggestion list, or select the arrow next to the field to display a list of all identities to which you have access. When you are finished, select Save.
Policy Tab
The View Identity > Policy tab shows policy violations for the user. The table lists the policy and rules that are violated.
Policies use rules to enforce your organization's target conditions. For example, a separation of duty rule might be defined that disallows a single user from having roles that enable them to both request and approve purchase orders.
For more information about policy violations, refer to Policies.
The Policy tab includes the following information:
Column Name | Description |
---|---|
Detected | The date when the policy violation was detected. |
Policy | The policy that is violated. |
Policy Violation Owner | The owner of the policy. The owner is assigned during the policy definition process. |
Rule | The specific rule that is being broken to cause the violation in the policy. Select a rule to display the following rule information: Policy Description - brief description of the violation as defined with the policy. |
Summary | The reason for the violation. |
History Tab
The View Identity > History tab provides a history of user data. Tracking identity scores over time enables you to identify patterns or trends in the activity of a selected user.
The History tab contains two sections: Identity Snapshots and Identity Certification History.
Identity Snapshots
Snapshots are generated when a certification is run, and when the Maintain identity histories option is used in the identity refresh task.
The frequency with which snapshots are generated is set in gear > Global Settings > IdentityIQ Configuration on the Identities tab. Refer to IdentityIQ Global Settings for more information.
Column Name | Description |
---|---|
Snapshot Date | The dates of the identity snapshots. Select a snapshot date from the table to view details about attributes, roles, entitlements, and application accounts in the View Identity History page. See View Identity History below. |
Roles | A list of the IT roles assigned to this user. The snapshot does not display Business roles. |
Identity Certification History
Select any row in the Identity Certification History panel to see an overview of that item's certification history.
Column Name | Description |
---|---|
Decision | Displays an icon that indicates the decision made on the certification. Options include Approved, Revoked, Allowed Exception, or Delegated. For detailed descriptions of decisions, see Making Access Decisions |
Type | The type of certification. For example, Role or Additional Entitlement. |
Description | Brief description of the certification. |
Application | The application to which the certification applies. |
Account Name | The account name to which the certification applies. |
Actor | The person who signed off on the certification. |
Date | The date when the certification decision was made. |
Comments | Any comments entered during the decision phase of the certification. |
View Identity History Page
Select a snapshot date from the Identity Snapshots table to view details in the View Identity History page. The View Identity History page contains user information from the specific date and time listed on the top of the page.
The View Identity History page contains four tabs:
- Attributes - the identity attributes.
- Roles - roles assigned to this user and all associated entitlements.
- Extra Entitlements - all entitlements assigned to this user that are not part of a role assigned to the user.
- Application Accounts - all applications on which this user has an active account, along with the account name, and the user's full identity.
Risk Tab
The View Identity > Risk tab provides the current composite identity risk score, with a list of the raw and compensated risk scores for each category used to derive the composite score. This page also provides a list of the top composite score contributors, which gives further information on how the score was derived and points to the areas of highest risk. These scores are based on the latest information discovered.
IdentityIQ uses a combination of base access risk and compensated scoring to determine the overall Identity Risk Scores, or Composite Risk Score, used throughout the application.
Base access risk score is a measure of inherent user access risk. Base risk scores are set on each role, entitlement, and policy defined. This type of score ranges from 0 (lowest risk) to 1000 (highest risk).
A series of compensating factors are applied to each base risk score to calculate compensated scores. These compensated scores are then weighted using a maximum contribution percentage and combined to form an overall Composite Risk Score for each user.
The compensating factors and weighted values enable you to identify high risk users based on more than the roles they are assigned in your enterprise.
For more information about risk modeling in IdentityIQ, refer to Risk Score Management.
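The scoring pipeline described above (base score per category, compensating factor, maximum contribution percentage, composite sum, top contributors) can be worked through on constructed numbers. This is an added illustration, not IdentityIQ's own implementation; the multiplicative factor, the 1000 cap, and the percentage weighting are assumptions chosen to match the page's description, and the category names and values are constructed.

```python
from dataclasses import dataclass

# Assumed arithmetic for illustration only (not IdentityIQ's actual formula):
#   compensated = clamp(base * factor, 0, 1000)
#   contribution = compensated * max_contribution / 100
#   composite = min(1000, sum(contributions))

@dataclass
class Category:
    name: str
    base: int                  # inherent access risk, 0 (lowest) to 1000 (highest)
    factor: float = 1.0        # compensating factor (<1 lowers risk, >1 raises it)
    max_contribution: int = 0  # maximum share of the composite score, in percent

    def compensated(self) -> int:
        # Apply the compensating factor and keep the result on the 0-1000 scale.
        return max(0, min(1000, round(self.base * self.factor)))

    def contribution(self) -> int:
        # A category contributes at most max_contribution % of the 1000-point scale.
        return self.compensated() * self.max_contribution // 100

def check_weights(categories) -> bool:
    # Sanity check: if the maximum contributions sum past 100 %, the composite
    # saturates at 1000 and high-risk users become indistinguishable.
    return sum(c.max_contribution for c in categories) <= 100

def composite_score(categories) -> int:
    # Weighted sum of the compensated scores, capped at the top of the scale.
    return min(1000, sum(c.contribution() for c in categories))

def top_contributors(categories, n=3):
    # The "top composite score contributors" list: categories ordered by what
    # they actually add to the composite, largest first.
    ranked = sorted(categories, key=lambda c: c.contribution(), reverse=True)
    return [(c.name, c.contribution()) for c in ranked[:n]]

# Constructed sample: four categories whose maximum contributions total 100 %.
SAMPLE = [
    Category("Roles", base=800, factor=0.75, max_contribution=40),
    Category("Entitlements", base=500, factor=1.2, max_contribution=30),
    Category("Policy Violations", base=1000, factor=1.0, max_contribution=20),
    Category("Certification Age", base=200, factor=1.0, max_contribution=10),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.name:18} base={c.base:4} compensated={c.compensated():4} adds={c.contribution()}")
    print("composite:", composite_score(SAMPLE))
    print("top contributors:", top_contributors(SAMPLE))
```

Note how a single policy violation category at the maximum base score still adds only its weighted share, so the weights, not the raw scores, decide what the composite emphasizes.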
Activity Tab
The View Identity > Activity tab provides a list of all applications that have activity monitoring enabled and to which a user has access, including the roles associated with those applications and the activities performed.
The Recent Activities table initially lists the last ten (10) actions performed. Select See All Activities to include all of the activities stored by IdentityIQ on the table.
From this tab you can also enable activity monitoring for this user on specific applications that do not have activity monitoring enabled at the role level.
Note
Changes made to activity monitoring do not appear until identity aggregation is performed from the task page, or a scheduled identity aggregation takes place.
To enable activity monitoring for this user on the associated applications and roles, select the Activity Monitoring checkbox next to the Activities Settings table.
To display additional activity information in the Activity Details panel, select an activity entry in the Recent Activities list.
The View Identity Activity tab contains two sections: Activity Settings and Recent Activities.
Activity Settings
Column | Description |
---|---|
Activity Monitoring Checkbox | Enable activity monitoring for this user on the specified application. If this box is not active, activity monitoring is already enabled at the role level or the application does not allow activity monitoring. |
Applications | The list of applications to which this user has some level of access. |
Activity Enabled Roles | The list of roles that are assigned to this user, associated with the application, and have activity monitoring enabled. Activity monitoring is enabled when roles are defined. |
Recent Activities
Column | Description |
---|---|
Date | The date on which the activity occurred. |
Action | The activity performed on the application. For example, Login, Update, Delete. |
Target | The specific part of the application that was targeted by the activity. For example, the name of a particular database that was updated. |
Application | The application on which the activity was performed. |
Result | The result of the activity. For example, Success or Failure. |
User Rights Tab
The View Identity > User Rights tab enables you to set the capabilities and define controlled scope for the user. Refer to Rights and Capabilities for Identities for more information.
Capabilities determine which features in IdentityIQ the user can access. A complete list of IdentityIQ default capabilities and their associated features is available on Compass in the IdentityIQ Rights and Capabilities - Definitions document.
Note
The scope feature MUST be enabled for the scope information to display.
Field Name | Description |
---|---|
User Capabilities | The SailPoint capabilities available. The capabilities currently assigned to the user are highlighted on the list. Use the Ctrl and Shift keys to select multiple capabilities. |
Assigned Scope | The scope the identity belongs to. |
Can Access Assigned Scope | Select this option to manage whether the identity can access the scope to which they are assigned. True: the user can access objects within the scope to which they are assigned. False: the user cannot access objects within the scope to which they are assigned. Use System Default (<value>): the user's access is based on the value of the setting defined in the Global Settings for IdentityIQ. |
Authorized Scopes | The scopes the user has access to. If scopes are active, identities can only see objects that are within the scopes they have access to. Assign scopes to the identity using the field at the top of the Authorized Scopes list box: select the arrow to the right of the field to display a list of all scopes defined, or enter a few letters in the field to display a list of all scopes that start with that letter string. Depending on configuration, objects with no scope assigned might be visible to all users with the correct capabilities. |
Workgroups | The workgroups to which this identity belongs. |
Indirect Rights > Capabilities Assigned by Workgroups | IdentityIQ capabilities assigned to a workgroup to which this user belongs. Workgroup members automatically have the capabilities and scopes assigned to the workgroup. |
Note
The System Administrator has access to all IdentityIQ features including Global Settings and Debug.
Events Tab
The View Identity > Events tab enables you to view events that are scheduled for the user as well as detailed access request history.
The Events tab includes two sections: Events and Access Requests.
Events
The Events list has two sections:
- Future Events shows scheduled role start and end events. Refer to Using Start and End Dates for Temporary Access for more information.
- Past Events shows Identity Triggers and role start / end events that have been executed.
Choose an event and select Delete to cancel that event and remove the schedule from the list.
Field Name | Description |
---|---|
Created On | The date when the event schedule was created. |
Created By | The identity that scheduled the event. |
Due On | The date when the event is scheduled to occur. |
Summary | A brief summary of the event that is pulled from the business process with which it is associated. |
Access Requests
Select an item in the list to display detailed information about requested items and any pending actions that still need to be taken on that request. From the detailed history panel, you can navigate further into the request to expand the Details view, review the actual access request, and send messages to owners of the request reminding them that their action is required.
Select the X icon to cancel a request.
To search for specific access requests, select Search to expand the search criteria. Specify the search criteria and then select Search. To clear the criteria for a new search, select Reset.
Column Name | Description |
---|---|
Access Request ID | Identification number assigned to the access request. |
Priority | Specifies the priority level to which the access request was designated. |
Type | The type of access request. |
Description | A brief description of the access request. |
Requester | The name of the user who assigned this work item to you. |
Requestee | The name of the user who was assigned this access request. |
Request Date | The date the request was made. |
Current Step | Status of the request. Status levels include: Approve and Provision: the request was received but no action has taken place. Approved: the request was approved; additional action may be needed to complete the request. Rejected: the request was denied. Cancelled: the request was cancelled. Completed Pending Verification: the manual action for this request was completed, but the verification procedure has not yet been run. End: all actions required for this access request have been fulfilled. |
Completion Date | The date when the work item was completed. |
Execution Status | Status of the request execution. Status levels include: Executing: the request is going through the business process and has not been completed. Verifying: the request has finished the business process and is waiting for the Provisioning Scanner to verify it. Terminated: the request was terminated before it was completed. Completed: the request was completed and verified. |
External Ticket ID | Identifies any external tickets related to the request. |