Using Rapid Setup

Users can configure Aggregation, Joiner, Mover, and Leaver processes for applications from Applications > Rapid Setup. Note that business users can only access the Rapid Setup processes that have been enabled and configured in Rapid Setup Configuration.

Note

If you enabled Terminate Processing in your Rapid Setup Configuration, that process is accessed through the Identities > Identity Operations menu. See Identity Operations Configuration and Terminating Identities with Rapid Setup for more details.

Choose an Application

Choose the application you want to configure for Rapid Setup processes. The applications you can choose from the dropdown list are applications that have been defined in your IdentityIQ instance through the Applications > Application Definition option. Before you begin, define the application schema, perform a test connection, and identify whether the application is authoritative.

See Application Configuration.

Aggregation in Rapid Setup

The Aggregation feature of Rapid Setup lets you set options for how data is aggregated into IdentityIQ for the selected application. While Rapid Setup does not introduce new aggregation functions, it approaches aggregation in a slightly different manner.

Note

See Sample Rules for Rapid Setup for information about sample rules included with Rapid Setup.

Create Entitlements That Cannot Be Requested

Use this option if you want the aggregation process for this application to create entitlements that will not be requestable in IdentityIQ from the Entitlement Catalog or in Access Requests.

Disable Account / Lock Account

The Disable Account and Lock Account filters only display for applications that do not natively support Disable / Lock.

  • An Account can be Disabled / Locked with an Aggregation Customization Rule.

  • Filters defined here take precedence over aggregation customization rules defined elsewhere in IdentityIQ.

  • If the Disable Account or Lock Account filters match an account during aggregation, then the account will be marked in IdentityIQ as disabled or locked, respectively.

Account and Manager Correlation

Account Correlations determine how application accounts are assigned to identities within IdentityIQ, using account and identity information. Manager Correlations configure how managers should be matched to identities.

In Rapid Setup, you can configure only one method of correlation for accounts, and one for managers, for each application. Rapid Setup does not support multiple correlation rules for a single application.

If correlation logic has already been defined in the Application Definition for this application, that correlation logic will be populated by default in this tab. You can modify existing correlation logic as needed, or create a new correlation configuration.

Account Correlation

To create or edit account correlation logic for this application:

  1. In the dropdown list on the left, choose the application attribute you are configuring that can uniquely identify the account on the application. The application schema that has been defined in the Application Configuration determines which attributes are available for you to select here.

  2. Choose an operator. In most cases, your only option here is "Equals."

  3. In the dropdown list on the right, choose the IdentityIQ attribute that uniquely defines the identity.

Manager Correlation

To create or edit manager correlation logic for this application:

  1. In the dropdown list on the left, choose the application attribute you are configuring that identifies the manager for this identity. The application schema that has been defined in the Application Configuration determines which attributes are available for you to select here.

  2. Choose an operator. In most cases, your only option here is "Equals."

  3. In the dropdown list on the right, choose the IdentityIQ attribute that uniquely defines the identity. This is typically the same attribute you use to define the identity for account correlation.

Service Account and RPA Account Correlation in Rapid Setup

The correlation filters for Service Accounts and RPA (Robotic Process Automation, or "bot") accounts let you identify service and RPA accounts in IdentityIQ, based on attributes from the application you are onboarding.

To correlate service accounts:

  • When the Service Account filter is true, the identity attribute Type is set to Service Account, and the Application attribute Identity_Type is set to Service.

To correlate RPA accounts:

  • When the RPA Account filter is true, the identity attribute Type is set to RPA / BOTS, and the Application attribute Identity_Type is set to RPA.

If you set correlation filters for both Service and RPA accounts:

  • When the Service Account filter and RPA Account filter are both true for the same identity, the Identity_Type will be set to Service Accounts.

  • When the Service Account filter is deleted, and the RPA Account filter is created, the Identity_Type is set to RPA.

You can configure only one method of correlation for service accounts, and one for RPA accounts, for each application.

Joiner Processing in Rapid Setup

The Joiner section is where you configure application behavior and processes when a new user joins your organization.

Populations, birthright roles, and provisioning policies do not have to be created at this point, but for the features within joiner to work effectively, you are advised to create them before configuring joiner processing.

Note

Leaver events take priority over joiner events. If an identity is eligible for both a leaver event and a joiner event, the joiner event will not be launched.

Option

Description

Perform Account-Only Provisioning

Create an account for the joining identity on this application, even if no entitlements exist for the account.

Identity Selection

This option is used only if Perform Account-Only Provisioning has been enabled. Identity Selection lets you choose which identities should be provisioned with accounts only:

  • Everyone – provision all identities with accounts only.
  • Filter – use an XML filter to select identities for account-only provisioning. Enter the filter XML in the text box. See XML Filter Example.
  • Script – use a BeanShell script to select identities. Enter the BeanShell source in the text box.
  • Rule – use a rule to select identities. You can select from existing rules of type IdentitySelector.
  • Population – use a population to select identities. Populations are defined under Intelligence > Advanced Analytics.

Automatically Start Joiner Processing for Newly Created Identities

During aggregation, if a new identity is created, automatically start joiner processing on it.

This option is not available for non-authoritative accounts when the global joiner configuration is set up to Exclude Uncorrelated Identities. See Joiner Configuration.

Joiner Email Instructions

Use this field to add any application-specific instructions to the Joiner Completed notification email that is sent to the manager or workgroup responsible for the identity's access.

See Joiner Configuration for more information about joiner notification emails.

Joiner Email Password Instructions

Use this field to add any application-specific instructions to the end of the Joiner Temporary Password notification email that is sent to the manager or workgroup responsible for the identity's access.

See Joiner Configuration for more information about joiner temporary password emails.

XML Filter Example

You can use an XML-based compound filter in the Identity Selection box to filter identities. The filter should include property values and logical operators for selecting identities.

Here is an example of a compound filter that will select all identities in the Accounting department that are NOT in either the Europe or Americas regions:

<CompoundFilter>
<CompositeFilter operation="AND">
  <CompositeFilter operation="NOT">
    <CompositeFilter operation="OR">
      <Filter operation="EQ" property="region" value="Europe" />
      <Filter operation="EQ" property="region" value="Americas" />
    </CompositeFilter>
  </CompositeFilter>
  <Filter operation="EQ" property="department" value="Accounting" />
</CompositeFilter>
</CompoundFilter>
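
To check who a filter like this selects before entering it in Identity Selection, the following added Python example (not IdentityIQ code and not from the original page) evaluates the filter above against constructed sample identities. The `matches` and `select` helpers are hypothetical, only the element and operation names shown above are supported, and treating a missing attribute as "not equal" is an assumption, so confirm how your IdentityIQ instance handles identities with a null attribute.

```python
import xml.etree.ElementTree as ET

# The compound filter from the page, copied verbatim.
FILTER_XML = """<CompoundFilter>
<CompositeFilter operation="AND">
  <CompositeFilter operation="NOT">
    <CompositeFilter operation="OR">
      <Filter operation="EQ" property="region" value="Europe" />
      <Filter operation="EQ" property="region" value="Americas" />
    </CompositeFilter>
  </CompositeFilter>
  <Filter operation="EQ" property="department" value="Accounting" />
</CompositeFilter>
</CompoundFilter>"""

SAMPLE = {  # constructed sample identities, not real data
    "alice": {"department": "Accounting", "region": "Asia"},
    "bob": {"department": "Accounting", "region": "Europe"},
    "carol": {"department": "Engineering", "region": "Asia"},
    "dave": {"department": "Accounting"},  # region not set
}

def matches(node, identity):
    """Evaluate one filter element against an identity dict; fail closed on anything unknown."""
    if node.tag == "Filter":
        if node.get("operation") != "EQ":
            raise ValueError("unsupported operation: %r" % node.get("operation"))
        # Assumption: a missing attribute is simply "not equal" to any value.
        return identity.get(node.get("property")) == node.get("value")
    results = [matches(child, identity) for child in node]
    if not results:
        raise ValueError("<%s> has no child filters" % node.tag)
    op = node.get("operation")
    if node.tag == "CompoundFilter" and len(results) == 1:
        return results[0]
    if node.tag == "CompositeFilter" and op == "AND":
        return all(results)
    if node.tag == "CompositeFilter" and op == "OR":
        return any(results)
    if node.tag == "CompositeFilter" and op == "NOT" and len(results) == 1:
        return not results[0]
    raise ValueError("unsupported element: <%s operation=%r>" % (node.tag, op))

def select(filter_xml, identities):
    """Return the sorted names of the identities the filter selects."""
    root = ET.fromstring(filter_xml)
    return sorted(name for name, attrs in identities.items() if matches(root, attrs))

print(select(FILTER_XML, SAMPLE))
```

Here `dave`, whose region is unset, is selected together with `alice`, which is the kind of over-broad match worth catching before account-only provisioning runs.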

For more information on using compound filters, refer to these articles on Compass (login required):

Mover Processing in Rapid Setup

The mover processing that can be configured at the application level consists of certifying the changes in access that can arise when an identity moves within your organization. There are other mover behaviors that can be configured globally in Mover Configuration. At the application level, some additional certification and account creation behavior can be defined.

Note

Joiner and leaver events take priority over mover events. If an identity is eligible for a joiner event or a leaver event, the mover event will not be launched.

Option

Description

Include Additional Entitlements in a Certification for This Application

Enable this option if you want the certification to include entitlements that are not contained in a role.

If certifications are not enabled globally for mover processing, this option is ignored. A message above the configuration options indicates when certifications are not globally enabled.

Include Targeted Permissions in a Certification for This Application

Enable this option if you want the certification to include the actions a user can perform on an Unstructured Target such as a file share or folder.

If certifications are not enabled globally for mover processing, this option is ignored. A message above the configuration options indicates when certifications are not globally enabled.

Perform Account-Only Provisioning

Create an account for the moving identity on this application, even if no entitlements exist for the account.

Leaver Processing in Rapid Setup

Note

Provisioning policies for deleting / disabling / unlocking accounts, and a password policy for password scrambling, should be created before this process is configured.

The leaver feature lets you build the leaver plan either by using a rule or by selecting options to configure a plan. If you opt to configure your processes, you can set up separate processes for ordinary leaver events and for terminations. If you choose to use a rule for leaver processing, you select one rule to manage both leaver and termination processing.

  • To use a rule for leaver processing, select Use rule, and choose a rule from the dropdown list.

  • To configure a leaver plan, select Configure, and use the options below to determine leaver and termination processing behavior.

Note

No other Rapid Setup event takes priority over leaver processing. If an identity is eligible for a leaver event as well as a joiner or mover event, the leaver event will be launched, and the other events will not.

Leaver Options

Leaver options are for managing identities that leave your organization in circumstances other than immediate termination. Immediate termination options are configured separately.

Option

Description

Delete Account

To delete a leaving identity's accounts, enable this option. Then choose when the accounts should be deleted:

  • Choose Now to delete accounts immediately.
  • Choose Later to set a number of days before accounts should be deleted. When you choose Later, you have additional options for handling accounts before they are deleted, as described below.

Disable Account

Send a request to disable the account. Choose Now to disable accounts immediately, or Later to postpone the disabling.

When you choose Later, use the Days to Delay field to set the number of days to wait before disabling accounts.

Scramble Password

Scramble the value of the password account attribute. This option is used when the application does not natively perform password maintenance.

Choose Now to scramble passwords immediately, or Later to postpone the action. If you choose Later, use the Days to Delay field to set the number of days to wait before the action occurs.

Move Account

This option is only used for Active Directory applications.

Enter the full OU to the container where leaving identities should be moved. You can set this option to run Now or Later.

Remove Entitlements

Choose whether to remove entitlements as part of the leaver process. You can set this option to run Now or Later.

If you enable this option, you can use the Entitlement Exceptions filter to choose any entitlements that you do not want to remove as part of the leaver process.

Add Comment

Add Comment lets you enter comments to be added to the application account for the leaving identity.

The Comment Attribute is the attribute in the application where comments are stored.

The Comment field is where you enter the comment to be stored in the Comment Attribute on the application.

Terminate Options

Use this section to configure how termination events should be processed. Termination processes are enabled, and have some global behavior configured, through Identity Operations Configuration. When termination processing is enabled and configured, terminations for individual identities are initiated through the Identities > Identity Operations menu. See Terminating Identities with Rapid Setup.

To configure Terminate Options that are specific to this application:

  • If you want termination processing to follow all the same processes you have configured for Leaver Options, choose Use the same settings as leaver options.

  • If you want to set up different processes for terminations than those you have configured for Leaver options, disable the Use the same settings as leaver options slider. Then you can configure termination-specific behavior; the fields for configuring termination options are identical to the ones for leaver options. Refer to the table above for information about these fields.