Lifecycle Manager Configuration
Use Lifecycle Manager Configuration to customize the availability of tools and functionality based on end user needs.
To configure Lifecycle Manager, click the gear icon > Lifecycle Manager.
The Lifecycle Manager configuration is divided into the following sections:
- Configure Tab
- Business Processes Tab
- Identity Provisioning Policies Tab
Note
IdentityIQ System Administrators can make any request regardless of the Lifecycle Manager Configuration settings.
Configure Tab
Use the Configure tab to customize your Lifecycle Manager configuration. The Configure tab includes the following.
General Options
Enable requesters to set request priorities
Use this option to enable requesters to set the priority level of their request. If this option is not selected, all requests default to Normal priority level.
Enable Account Group Management
Use this option to enable provisioning of account groups through Lifecycle Manager requests.
Enable Full Text Search
Use this option to enable full text searching on the Lifecycle Manager request pages. If this option is selected, the search is performed using contains. Enabling full text searching might have some effect on the performance of those pages. For detailed information, see Configuring Full Text Searching.
You must run the Full Text Index Refresh task before full-text search is available. Refer to the system administration documentation for more information.
Base directory path used to store full text index files
The directory on the server in which full text index searches are stored.
Enable automatic index refresh
Enables the automatic refreshing of the full text index at the interval specified.
Enable Searching by Population when requesting access
Enable the use of populations as a search filter.
Enable Searching by Identity when requesting access
Enable the use of identities as a search filter.
Allow opt-in to viewing request access search result details
Use this option to limit the amount of information displayed for each item on the Manage Access and Set Dates, Finalize and Submit panel and add a View Details button on each item to show the complete information. This feature enables more items to display on each table.
Show external service request details
Use this option to display the information such as request numbers and ID from external ticketing systems throughout IdentityIQ.
Maximum number of results returned in a Request Access search
Limit the number of items returned by an access request. Large lists are hard to scan and the search should be narrowed or refined.
Maximum number of selectable users in Request Access
Limit the number of selectable users returned by an access request. Large lists are hard to scan and the search should be narrowed or refined.
Applications that support additional account requests
Use the dropdown list to specify the applications on which multiple accounts can exist or be created.
Select All Applications to include all applications in your environment.
Request Role Options
Request Role Options
Select the role types that are available for role requests. Any options not selected are unavailable to any user attempting to make that type of request.
When searching for roles based on population, only return roles contained by at least the following percentage of the population
Specify the minimum percentage of a population whose roles must match any given search criteria.
Request Entitlement Options
When searching for entitlements based on population, only return entitlements contained by at least the following percentage of the population
Specify the minimum percentage of a population whose entitlements must match any given search criteria.
Entitlement Search Results must return less than this number of identities when searching by identity
Indicate the maximum number of identities an entitlement search result can yield.
Create Identity Options
Require password on all identity creation requests.
Require a password on all identity creation requests.
Enable self-service registration
Enables new user self-registration and creates a link for registration on the IdentityIQ login page.
The securityOfficerName variable must be configured within the LCM Registration process variable before the self-service registration functionality is fully enabled. This is done using the Compliance Manager. The default securityOfficerName is the IdentityIQ system administrator.
Follow these steps to set up self-service registration:
- From the navigation menu bar, go to Setup > Business Processes.
- In the Edit An Existing Process panel, select LCM Registration.
- Select the Process Variables tab. You can use the Advanced View option to view or configure all available variables.
- The default setting for the Approvers field is Security Officer. To delete the Security Officer setting, click the X icon next to it.
- To add another setting, select the down arrow next to the Approvers field and select another entry.
- The default entry for the Fallback Approver is the IdentityIQ system administrator. If desired, you can change the Fallback Approver.
- When you are satisfied with all of the entries, select Save at the bottom of the screen.
URL of action button after successful registration
Enter a URL to redirect the browser to the specified page after successful user registration. If this field is blank, the user is redirected to the login page.
Prevent pruning of new identities for this many days
Select the number of days that must pass after the creation of an identity before it can be pruned. Default is 30 days.
Manage Account Options
Show Enable / Unlock decision buttons regardless of whether the account is disabled or unlocked.
Display the decision buttons on the account management page for disabled or unlocked accounts.
Manage Account Actions
Choose which actions are enabled for Manage Accounts requests for yourself and subordinates. Options include the following:
Delete
Disable
Enable
Unlock
Deselected options are unavailable to a user attempting to make that type of request.
Select one or more applications from the Applications that support account only requests to specify which applications allow Account Only requests. Select All Applications to enable this feature for all applications.
Disable auto refresh account status
The status is automatically refreshed only for accounts that meet all of the following: the account's application is not listed in the Disable auto refresh account status list, the account supports the Enable or Unlock feature, and the account does not have the NO_RANDOM_ACCESS feature.
Deactivate auto refresh for account status. By default, accounts from all applications support this feature.
Applications that do not support auto refresh account status
Select one or more applications to deactivate auto refresh.
Applications that support account only requests
Select applications from the dropdown list that support requests for accounts that are not associated with a role or entitlement.
Select All Applications if unassociated accounts can be requested for all applications.
Manage Password Options
Choose Enable password auto-generation when requesting for others to enable passwords to be auto-generated when requests are made on behalf of another user by an authorized user.
Password Validation Rule
Select a rule from the dropdown list to use when validating password creations.
AI-Driven Identity Security
The AI-Driven Identity Security section appears only if the AI-Driven Identity Security feature has been integrated and configured in IdentityIQ. See Integrating SailPoint AI-Driven Identity Security for more information.
Enable AI-Driven Identity Security Access recommendations on approvals
Show AI-Driven Identity Security access recommendations for approval decisions in access reviews.
Enable AI-Driven Identity Security Access recommendations on access requests
Show AI-Driven Identity Security access recommendations in access requests, to see access items that are recommended for you. This option is available only when the user is requesting access for themselves, and does not appear when the user is requesting access for others.
Batch Request Approver
Require an approval before granting batch requests.
Manage Classifications Options
This option determines whether classification data is shown with access items, roles or entitlements, in access requests. This option is provided so that you can choose whether or not to alert requesters to the fact that certain roles or entitlements may allow access to sensitive or protected data. Classification data always appears in access approvals, regardless of this setting.
Manage Elevated Access Options
This option determines whether elevated access is shown on roles and entitlements in access requests.
Business Processes Tab
Use the Business Process tab on Lifecycle Manager Configuration to determine which business process is used when performing specified Lifecycle Manager actions.
For more information on working with Business Processes, see Business Processes.
Identity Provisioning Policies Tab
Identity Provisioning Policies are used to define identity attributes that must be set when creating an identity from a Lifecycle Manager request.
The following types of Identity Provisioning Policies are available:
- Create Identity
- Update Identity
- Self-service Registration
Note
If an Update provisioning policy is defined, that policy overwrites the Create policy.
You must include the criteria required by the provisioning policy in the generated form before the request can be completed. Use the Provisioning Policy Editor to customize the look and function of the form fields generated from the provisioning policy.
Name
The name of your provisioning policy.
Description
A brief description of the provisioning policy.
Provisioning Policy Editor
Use the Edit Provisioning Policy Fields panel to customize the look and function of the form fields generated from the provisioning policy.
Attribute
Select the attribute field from the dropdown list to display on the form generated from the provisioning policy.
Display Name
The name displayed for the field in the form generated by the provisioning policy.
Help Text
The text you wish to appear when hovering the mouse over the help icon.
Type
Select the type of field from the dropdown list. Choose from the following:
Boolean – true or false values field
Date – calendar date field
Integer – only numerical values field
Long – similar to integer but is used for large numerical values
Identity – specific identity in IdentityIQ field
Secret – hidden text field
String – text field
Multi Valued
Choose this to have more than one selectable value in this field of the generated form. Click the plus sign to add another value.
Read Only
Determine how the read only value is derived:
Value – value based on the selection from the dropdown list
Rule – value is based on a specified rule
Script – value is determined by the execution of a script
Hidden
Determine how the hidden value is derived:
Value – value based on the selection from the dropdown list
Rule – value is based on a specified rule
Script – value is determined by the execution of a script
Owner
The owner of the provisioning policy. This is determined by selecting from the following:
None – no owner is assigned to this provisioning policy.
Application Owner – identity assigned as owner of the application in which the provisioning policy resides.
Role Owner – identity assigned as owner of the role in which the provisioning policy resides.
Rule – use a rule to determine the owner of this provisioning policy.
Script – use a script to determine the owner of this provisioning policy.
Required
Choose whether or not to have the completion of this field a requirement for submitting the form.
Refresh Form on Change
Select this option to have the form associated with this policy refresh to reflect changes to this policy.
Display Only
Set this field as display only.
Authoritative
Boolean that specifies whether the field value should completely replace the current value rather than be merged with it; applicable only for multi-valued attributes.
Value
Determine how the value is derived. Select from the following:
Literal – value is based on the information you provide
Rule – value is based on a specified rule
Script – value is determined by the execution of a script
Allowed Values
The value(s) which can be displayed in the field of the generated form. Choose from the following:
None – the field is blank
Literal – value is based on the information you provide
Rule – value is based on a specified rule
Script – value is determined by the execution of a script
Validation
Gives the ability to specify a script or rule for validating the user's value. For example, a script that validates that a password is 8 characters or longer.
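The length check mentioned above, written out as an added example (not SailPoint's code and not part of the original page). It is plain Java so that it runs stand-alone; IdentityIQ rules and scripts are written in BeanShell, which accepts Java syntax. How a validation script receives the field value and reports errors is not described on this page, so the class name, the `validate(Object value)` signature, and the treatment of a Multi Valued field as a `List` are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class PasswordFieldValidation { // hypothetical class name
    // Minimum length taken from the page's example ("8 characters or longer").
    static final int MIN_LENGTH = 8;

    // Returns an empty list when the value is acceptable, otherwise the messages
    // to show the requester. Messages never echo the submitted value, because
    // the field holds a secret.
    static List<String> validate(Object value) {
        List<String> errors = new ArrayList<>();
        if (value == null) {
            errors.add("A password is required.");
            return errors;
        }
        // Assumption: a Multi Valued field arrives as a List; check every entry.
        List<?> items = (value instanceof List)
                ? (List<?>) value : Collections.singletonList(value);
        for (Object item : items) {
            if (!(item instanceof String)) {
                errors.add("Password must be text.");
                continue;
            }
            String s = (String) item;
            // Count code points so a supplementary character counts once.
            int length = s.codePointCount(0, s.length());
            if (length < MIN_LENGTH) {
                errors.add("Password must be " + MIN_LENGTH + " characters or longer.");
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not values from any real system.
        Object[] samples = { null, "short", "longenough1",
                             Arrays.asList("12345678", "abc"), 42 };
        for (Object sample : samples) {
            List<String> result = validate(sample);
            // Print only the outcome, never the candidate password itself.
            System.out.println(result.isEmpty() ? "accepted" : "rejected: " + result);
        }
    }
}
```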