Connecting Non-Employee Risk Management and Identity Security Cloud
You can create a source within Identity Security Cloud to manage your non-employee and assignment profiles. This allows you to use Non-Employee Risk Management as an authoritative source of your non-employee identity data. You can then correlate their accounts and access from other sources to those identities.
Notes
- The Non-Employee Risk Management source within Identity Security Cloud aggregates and manages profiles, rather than user accounts. To aggregate user accounts from Non-Employee Risk Management, use a web services connector.
- The Non-Employee Risk Management connector can be used to create an authoritative source using person profiles. Do not make sources that contain non-person profiles authoritative. Sources that contain non-person profiles can be used to provide supplemental attributes to identity profiles, but should not be used to create authoritative sources.
- Archived profiles will not be aggregated.
You can create a Non-Employee Risk Management source in Identity Security Cloud in two different ways:
- Automatically, by configuring one or more profile types in your Non-Employee tenant to be synchronized with Identity Security Cloud. When a source is created this way, all profiles are aggregated to a single source and the account schema is created automatically.
- Manually, by creating a source within Identity Security Cloud and connecting it to your Non-Employee tenant. When sources are created this way, each profile type can be aggregated to a separate source, and you can create the account schemas manually.
Automatically Creating a Source From Profile Types
To start managing your non-employee data in Identity Security Cloud, you'll configure one or more person profile types to send profile data to your source.
By default, all Identity Security Cloud tenants that have an associated Non-Employee Risk Management tenant have a non-employee source created already, marked as Configuration Incomplete. This source will be configured and connected when you enable synchronization. If you deleted this source, it will also be automatically recreated when you enable synchronization with Identity Security Cloud.
Once you've aggregated your non-employee profiles and created identities for them, you can make additional configurations.
To begin aggregating person profiles to Identity Security Cloud:
- Within Non-Employee Risk Management, go to Admin > System > Identity Security Cloud Connection Settings.
- In the NON-EMPLOYEE tab, in the Profile Type dropdown list, select the non-employee profile type you want to manage in Identity Security Cloud.
- In the Core Attributes section, choose the account attributes that should be aggregated into Identity Security Cloud.
  The account attributes in the left column correspond to source attributes within Identity Security Cloud. For each account attribute you want to aggregate, select a Non-Employee Risk Management Attribute.
  Important
  - In addition to the attributes you configure here, Identity Security Cloud will aggregate the Non-Employee Profile ID attribute, which is a technical attribute used as a unique identifier for profiles. It will be mapped to the Employee Number identity attribute within the identity profile. This attribute will be used to create new identities within Identity Security Cloud from non-employee profiles. Refer to Managing Profile Correlation for more details.
  - The following attributes must be mapped in the Core Attributes section:
    - First Name
    - Last Name
    - Business Email
- If you plan to aggregate assignment profiles, map an attribute to the Assignments core attribute. This attribute must be a profile search or profile select attribute that contains an assignment profile. This attribute links your person profile type to the appropriate assignment profile type so that assignments can be correlated to the correct identity when they are aggregated.
  An assignment profile can be correlated to one person profile, but a person profile can have multiple assignments correlated to it.
- (Optional) To add additional attributes, in the Extended Attributes section, select Add Extended Attribute.
- In the Extended Attribute column, enter the name of an attribute you would like to add to the account schema within Identity Security Cloud.
- In the Non-Employee Risk Management Attribute column, select an attribute to map to the attribute you selected in the Extended Attribute column.
- Select Save.
- When you're finished making configurations to your profile type and mapping attributes, set Enable source syncing with Identity Security Cloud to ON.
- Select Save.
  If you deleted your default existing Non-Employee source in Identity Security Cloud, a new source is created. The attributes you mapped in the Core Attributes and Extended Attributes sections are added to the schema for your non-employee source. You can edit the name and description of this source as necessary.
  An identity profile is also created automatically with the name of the source.
- Repeat these steps for each person profile type you want to aggregate into Identity Security Cloud. All profiles are aggregated to the same source, and identities are created for each unique profile based on their Non-Employee Profile ID attribute.
This source will be automatically synced with Identity Security Cloud, and profiles that are created or updated will be added to this source automatically. You can also schedule regular aggregations of profiles to ensure that profiles are created, updated, and deleted from your source.
Managing Profile Correlation
By default, identities are created based on the non-employee profile's Non-Employee Profile ID attribute, which is mapped to the Employee Number identity attribute within Identity Security Cloud.
Because identities are only created after your source is aggregated, and the account schema is configured automatically, the process for changing the correlation for your non-employee source is unique.
Choose a different identity attribute for correlation
- In Identity Security Cloud, in your non-employee source, select a new identity attribute to use for correlation.
  Your identities will be uncorrelated while you configure the mappings in your identity profile.
- On the identity profile associated with your non-employee source, locate the Employee Number identity attribute and remove the Non-Employee Profile ID account attribute.
- Add the Non-Employee Profile ID account attribute to the Attribute field on the identity attribute you chose to use for correlation.
- Save and apply your changes. Your identities are correlated again using the identity attribute you selected as their unique identifier.
Choose a new set of attributes to use for correlation
You can also use a different combination of identity and account attributes for correlation.
Caution
Because this process assigns identities a new unique identifier, duplicate identities will be created during this process and must be deleted.
- In Identity Security Cloud, in your non-employee source, choose the identity attributes and account attributes you want to use for correlation.
  Your identities will be uncorrelated.
- On the identity profile associated with your non-employee source, map the attributes you selected in your correlation configuration.
- Save and apply your changes.
- In your non-employee source, delete all accounts on the source.
- Run an aggregation to load in your non-employee profiles again using your new correlation configuration.
Adding Assignment Data to a Source
Once a Non-Employee Risk Management source has been created that contains person profiles, you can aggregate assignments into the same source.
Within Identity Security Cloud, these assignments are treated as additional accounts on the source, and are correlated to an identity based on the identity's assignment attribute configured above.
- Within Non-Employee Risk Management, go to Admin > System > Identity Security Cloud Connection Settings.
- Select the ASSIGNMENT tab.
- In the Profile Type dropdown list, select the assignment profile type you want to manage in Identity Security Cloud.
- In the Core Attributes section, choose the account attributes that should be aggregated into Identity Security Cloud.
  For each account attribute, select a Non-Employee Risk Management Attribute.
- (Optional) In the Extended Attributes section, select Add Extended Attribute.
- In the Extended Attribute column, enter the name of an attribute you would like to add to the account schema within Identity Security Cloud.
- In the Non-Employee Risk Management Attribute column, select an attribute to map to the attribute you selected in the Extended Attribute column.
- Select Save.
- When you're finished making configurations to your profile type and mapping attributes, set Enable source syncing with Identity Security Cloud to ON.
- Select Save.
  An aggregation begins in Identity Security Cloud that loads your assignment data into your Non-Employee source.
  The data in this profile type will be aggregated every time your non-employee source within Identity Security Cloud performs an aggregation. The assignments it aggregates will be correlated to person profiles, or identities.
  If the assignments you aggregate don't correlate to identities, you can navigate to the identity profile associated with your non-employee source and select Apply Changes. In some cases, this will resolve correctly-configured assignments and correlate them to the appropriate identities.
- Repeat these steps for each assignment profile type you want to aggregate into Identity Security Cloud.
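A pre-aggregation check for the correlation rules described above, as an added example that is not SailPoint code: it flags person profiles missing a required core attribute, assignments that no non-archived person profile references, and assignments referenced by more than one person. The record layout and field names (id, archived, assignments, first_name, last_name, business_email) are assumptions about an export you build yourself, and the sample data is constructed.

```python
# Added example: field names and sample records are constructed; this is not
# a Non-Employee Risk Management export format or API.
from collections import defaultdict

# Hypothetical keys for First Name, Last Name and Business Email.
REQUIRED_CORE = ("first_name", "last_name", "business_email")


def audit(people, assignments):
    """Return findings that would block or skew correlation after aggregation."""
    findings = []
    owners = defaultdict(list)  # assignment id -> ids of people referencing it
    for person in people:
        if person.get("archived"):
            continue  # archived profiles are not aggregated
        missing = tuple(k for k in REQUIRED_CORE if not person.get(k))
        if missing:
            findings.append(("missing_core_attribute", person["id"], missing))
        for assignment_id in person.get("assignments", []):
            owners[assignment_id].append(person["id"])
    for assignment in assignments:
        if assignment.get("archived"):
            continue
        linked = sorted(set(owners.get(assignment["id"], [])))
        if not linked:
            # No aggregated person profile points at this assignment.
            findings.append(("assignment_without_person", assignment["id"]))
        elif len(linked) > 1:
            # An assignment can be correlated to only one person profile.
            findings.append(("assignment_linked_to_many", assignment["id"], tuple(linked)))
    return findings


# Constructed sample data.
PEOPLE = [
    {"id": "p-1", "first_name": "Ana", "last_name": "Ruiz",
     "business_email": "ana@example.com", "assignments": ["a-1", "a-2"]},
    {"id": "p-2", "first_name": "Bo", "last_name": "Lee",
     "business_email": "", "assignments": ["a-2"]},
    {"id": "p-3", "first_name": "Cy", "last_name": "Ng",
     "business_email": "cy@example.com", "archived": True, "assignments": ["a-3"]},
]
ASSIGNMENTS = [{"id": "a-1"}, {"id": "a-2"}, {"id": "a-3"}, {"id": "a-4", "archived": True}]

if __name__ == "__main__":
    for finding in audit(PEOPLE, ASSIGNMENTS):
        print(finding)
```

In the sample, assignment a-3 is reported because the only person profile that references it is archived, so that person is never aggregated.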
Creating a Source Starting in Identity Security Cloud
You can also start creating your Non-Employee Risk Management source within Identity Security Cloud. The account schema must be created before accounts can be aggregated when a source is created this way.
Any configurations in Identity Security Cloud Connection Settings do not apply to sources created manually.
Prerequisites:
- Create and copy an API key from Non-Employee Risk Management to use within Identity Security Cloud.
  Best Practice
  Use a separate API key for each Non-Employee Risk Management source you create.
- Copy the technical ID of the profile type you want to manage within Identity Security Cloud. This can be found in the URL of the profile type or using the API, and is not the same as the UID of the profile type.
- Copy the UIDs of each attribute you want to aggregate.
To create a Non-Employee Risk Management Source within Identity Security Cloud:
- Sign in to Identity Security Cloud and go to Admin > Connections > Sources.
- Select Create New.
- Under Select a source type, select Configure beside SailPoint Non-Employee Risk Management.
- Enter the following:
  - Source Name - Enter a name for the new source.
  - Description - Enter a description for the new source to help distinguish it from similar sources.
  - Source Owner - Begin typing the name of an owner. Matches appear after you type two or more letters.
  - Governance Group (Optional) - Select a governance group for source management.
- Select Continue.
  The Base Configuration screen is displayed.
- Select Configuration in the left panel.
- In the API Key field, enter the API key you saved within Non-Employee Risk Management for this source.
- In the Non-Employee Risk Management Tenant Domain field, enter the URL for your tenant.
- In the Profile Type Id field, enter the ID of the profile type you want to manage within Identity Security Cloud that you saved within Non-Employee Risk Management.
- Select Save.
- Select Review and Test.
- Review the configuration details and select Test Connection. A successful test is required for Identity Security Cloud to gather data for this source.
Manually Configuring an Account Schema
After creating a Non-Employee Risk Management source and connecting it, map the attributes that Identity Security Cloud will aggregate.
- From the list of sources, select the source you want to edit.
- In the Account Management section, select Account Schema.
  Several attributes are available by default. These are the system-level attributes available for every profile within Non-Employee Risk Management.
  The name and id attributes will be used as the Account Name and ID.
  Note
  Do not edit the attributes used for name or id after you have aggregated profiles into Identity Security Cloud. This can cause duplicate identities to be created.
- Select + Add New Attribute.
- Enter the following information:
  - Name - Enter the UID of the attribute you want to add exactly as it appears within your Non-Employee Risk Management tenant.
  - Description - Add a description for the attribute.
  Notes
  - The attribute type must be set to String. When attributes of other types are aggregated, their value will be converted to a string.
  - Aggregating entitlements is not supported. Do not select the Entitlement checkbox under Type.
- Select Save.
  The attribute is added to the list of attributes within the account schema.
  When profiles are aggregated into Identity Security Cloud, the Non-Employee Risk Management attributes matching the attribute names you provided will be aggregated for all profiles in the configured profile type.
You can schedule regular aggregations of profiles into Identity Security Cloud so that your data is kept up-to-date.
If you are aggregating person profiles, create an identity profile to use the profile data from Non-Employee Risk Management as an authoritative source of identities.