
Getting Started in Non-Employee Risk Management

Before Using the System

Before you use Lifecycle, make sure your browser is supported and learn more about the terminology used in Non-Employee Risk Management.

Supported Browsers

Use the following table to verify that your browser is supported:

Browser              Version
Firefox              Latest Version
Chrome               Latest Version
Edge Chromium        Latest Version
Internet Explorer    Not Supported

Earlier versions of the above browsers may experience mixed results for display and functionality as they may interpret HTML, CSS, and JavaScript differently.

Understanding the System

To understand how to use Lifecycle, it is important to first understand the terminology and the relationships between the system components.

Profile Types and Profiles

In the Identity and Access Management (IAM) space, identity refers to the body of information about an individual, organization, or thing (e.g., electronic device) that exists. Within the Non-Employee Risk Management Identity Suite, identities are referred to as profiles. A profile within the application is the collection of data that forms an identity. A profile type, like a category, is used for grouping like profiles.

Profiles

There is an infinite number of profiles that can be created within the Identity Suite. Below are some examples of the most commonly used profiles:

  • People: The profile data for a person will contain personal information, data that is unique to that individual. Some examples of profile data for a person might be: first name, last name, address, and phone number.

  • Entities: The profile data for an entity will contain data that is unique to that entity. An example of an entity may be your Vendors, Partners or Clients. Some examples of profile data for an entity might be: Company Name, Company Address, Company Contact E-Mail.

  • Things: Items can also have profiles, for example, a laptop. In this case, profile data might include make, model, serial number, etc.

  • Areas within an Organization: Areas within a company can also have profiles, for example a department. In this case, profile data might include department name, department number, manager, location, etc.

Profile Types

Profile types, like a category, are used for grouping similar profiles. Like profiles, there is an infinite number of profile types that can be created within the Identity Suite. Using the example above, the following are examples of commonly used profile types:

  • Non-Employee: This profile type is used to classify the group of people who are considered Non-Employees.

  • Vendor: This profile type is used to classify external entities that provide services to your organization.

  • Laptop: This profile type is used to classify laptops used throughout your organization. Related profile types could be desktops, cell phones or even software.

  • Department: This profile type is used to classify departments throughout your organization.

The advantage of organizing data into different profile types is that distinct owners and contributors can be assigned to each profile type, allowing each profile type and its lifecycle to be managed independently of each other.

Workflows

A workflow is a series of sequential tasks that are executed based on rules, tasks, data, and/or conditions defined by a Lifecycle administrator, to perform various actions or tasks, or to trigger notifications within the Identity Suite. Users are presented with a workflow button to initiate the required action; however, the actual components of a workflow are not visible to general users of the system. Workflows are defined by Lifecycle administrators and are discussed in depth in the Lifecycle Admin guide.

There are 4 types of workflows in Lifecycle:

  • Create: Viewable from the dashboard and used to create new profiles in the system.
  • Update: Viewable when looking at a profile and used to update the profile that the user is currently viewing.
  • Automated: Triggered by a date attribute on existing profiles and run automatically.
  • Batches: Viewable from the dashboard. Batches start with a filter tool that allows a user to search for and select multiple profiles to run an update action against.

Relationships within the Identity Suite

Between Profiles and other Profiles

As described above in the Profiles section, profiles can include information about people or information about other identities such as vendors, departments, laptops, etc. Profiles can have relationships to one another; for example, a person profile can have a relationship to a vendor profile, a department profile, and a laptop profile.

As the number of relationships grows exponentially, the Identity Suite allows organizations to efficiently identify and manage all these relationships. The most effective method to manage these relationships is defining a relationship between the various profile types.

For example, your organization creates a profile type named Vendors and populates it with all the third-party profiles that provide the organization with non-employees. Next the organization creates a profile type named Non-Employees and populates it with all the applicable people profiles. Organizations can now identify each Non-Employee and the Vendor from which they originate by linking the third-party profile to the people profile, thus creating a relationship between that individual and their organization. This allows management of all the data related to third-party profiles to be performed independently from a person’s profile. For instance, if a third-party’s address changes, only the third-party’s profile requires an update and not a field in every related person’s profile. This is also effective because system users who manage vendor data may be different than those who manage non-employees.

As another example, one of your organization’s third parties has multiple non-employees providing services, and each person is issued a mobile device. If the relationship with that vendor is terminated, you need to retrieve all company mobile phones that were issued to these non-employees. By tracking and maintaining these relationships within the Identity Suite, it is easy to keep business processes on track.
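The vendor-termination scenario above, modeled as a two-hop walk over profile-to-profile relationships. This is an added illustration, not SailPoint code or the Non-Employee API; the `ProfileStore` class, the "Mobile Device" profile type, and all sample names are assumptions.

```python
from collections import defaultdict

class ProfileStore:
    """Toy in-memory model: typed profiles plus profile-to-profile links."""
    def __init__(self):
        self.profiles = {}             # id -> (profile_type, name)
        self.links = defaultdict(set)  # id -> ids of related profiles

    def add(self, pid, profile_type, name):
        self.profiles[pid] = (profile_type, name)

    def link(self, a, b):
        if a not in self.profiles or b not in self.profiles:
            raise KeyError("both profiles must exist before they are related")
        self.links[a].add(b)
        self.links[b].add(a)

    def related(self, pid, profile_type):
        """Ids of related profiles of one profile type, in stable order."""
        return sorted(p for p in self.links.get(pid, ())
                      if self.profiles[p][0] == profile_type)

def devices_to_retrieve(store, vendor_id):
    """Vendor -> its Non-Employees -> Mobile Devices issued to each person."""
    if store.profiles.get(vendor_id, ("", ""))[0] != "Vendor":
        raise ValueError(f"{vendor_id} is not a Vendor profile")
    result = {}
    for person in store.related(vendor_id, "Non-Employee"):
        result[store.profiles[person][1]] = [
            store.profiles[d][1] for d in store.related(person, "Mobile Device")]
    return result

def build_sample_store():
    """Constructed sample data: two vendors, three people, three assets."""
    s = ProfileStore()
    for pid, ptype, name in [
            ("v1", "Vendor", "Acme Staffing"), ("v2", "Vendor", "Globex"),
            ("p1", "Non-Employee", "J. Rivera"), ("p2", "Non-Employee", "M. Chen"),
            ("p3", "Non-Employee", "A. Okafor"),
            ("m1", "Mobile Device", "Phone-001"), ("m2", "Mobile Device", "Phone-002"),
            ("l1", "Laptop", "LT-0042")]:
        s.add(pid, ptype, name)
    for a, b in [("v1", "p1"), ("v1", "p2"), ("v2", "p3"),
                 ("p1", "m1"), ("p1", "l1"), ("p3", "m2")]:
        s.link(a, b)
    return s

if __name__ == "__main__":
    print(devices_to_retrieve(build_sample_store(), "v1"))
```

People with no issued device still appear in the result with an empty list, so the offboarding list covers every non-employee of the terminated vendor.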

Between Users and Profiles

User-to-Profile relationships exist to identify the responsible owner who will manage a profile. There are two types of User-to-Profile management options: “Owner” and “Contributor”. These User-to-Profile relationships control what profiles a user can see and act against. The exception to this is when an Administrator is granted permission that overrides this relationship.

  • Owner: Every profile should have an Owner. The owner is the individual ultimately responsible for the profile and the associated relationships for which they are assigned ownership. An owner is limited to one user.

  • Contributor: Contributors are users and/or groups with the responsibility to assist with the management of a profile. Unlike owners there can be several contributors. User Roles can also be set as contributors so that many users with shifting roles will always maintain appropriate profile access.

For example: Human Resources may be a contributor in the management of a group of non-employees, but the owner is the business unit responsible for the relationship with the vendor for which those non-employees work.
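A sketch of how the Owner/Contributor rules above determine what a user can see and act against, plus a check for profiles that have no Owner. This is an added illustration, not the product's implementation; the `admin_override` flag, the `user:`/`group:`/`role:` contributor notation, and all sample data are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    admin_override: bool = False  # assumed flag for the administrator exception

@dataclass
class ProfileAccess:
    profile: str
    owner: Optional[str] = None                     # an owner is limited to one user
    contributors: set = field(default_factory=set)  # "user:x", "group:x", "role:x"

def access_basis(user, pa):
    """Return why `user` can see/act on the profile, or None if they cannot."""
    if pa.owner == user.name:
        return "owner"
    principals = ({f"user:{user.name}"}
                  | {f"group:{g}" for g in user.groups}
                  | {f"role:{r}" for r in user.roles})
    matched = sorted(principals & pa.contributors)
    if matched:
        return "contributor via " + matched[0]
    if user.admin_override:
        return "administrator override"
    return None

def profiles_without_owner(profile_access_list):
    """Profiles that do not satisfy 'every profile should have an Owner'."""
    return [pa.profile for pa in profile_access_list if not pa.owner]

# Constructed sample data
PROFILES = [
    ProfileAccess("Non-Employee: J. Rivera", owner="bu_lead",
                  contributors={"role:HR Partner"}),
    ProfileAccess("Vendor: Acme Staffing", owner="bu_lead",
                  contributors={"user:procurement1"}),
    ProfileAccess("Laptop: LT-0042", contributors={"group:IT Asset Mgmt"}),
]
USERS = [User("bu_lead"), User("hr1", roles=frozenset({"HR Partner"})),
         User("intern"), User("sysadmin", admin_override=True)]

def visibility_report():
    return {u.name: {pa.profile: access_basis(u, pa) for pa in PROFILES}
            for u in USERS}

if __name__ == "__main__":
    for name, row in visibility_report().items():
        print(name, row)
    print("no owner:", profiles_without_owner(PROFILES))
```

Returning the basis for access rather than a bare yes/no makes it easy to review how often visibility comes from the administrator override instead of an Owner or Contributor relationship.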

Between Users and Users

User-to-User relationships may be imported via the Non-Employee API to mimic the management structure of your organization. These relationships may be leveraged within workflows to direct approval and fulfillment actions.

Users and User Roles

The Identity Suite requires user accounts and roles to establish authentication and determine access to specific resources in the application.

Users

Users are internal employees of the organization who are responsible for administering the Identity Suite or managing various components of the system and its processes. The system is designed to import user data from an SSO provider as users log in to the system. In addition, user records can be pre-loaded into the application via the API.

User Roles

User roles tie application access to entitlements associated to a user account by the SSO provider.

Identifying and Managing Risk

A key component of managing third parties is identifying, evaluating, and acting upon identified risks.

Risk Scoring

A risk scoring model allows organizations to individually identify key criteria and assign different values to characteristics that are applicable to their own specific situation. The Identity Suite provides robust risk scoring capabilities that allow organizations to identify and address the risks posed to them by assigning a risk scale to profiles and profile types within the application. For example, organizations can evaluate risk associated with all their Non-Employees. Risk scores are categorized into configurable risk levels (e.g., High, Medium, Low), and risk levels can trigger actions or workflows such as additional approvals, policy-driven actions, and escalations.

Risk Categories

Risk categories are a specific way to group risks under a common area, which provides a structured and systematic approach to identifying risks at a consistent level of detail. For example, the human resources department may choose to evaluate non-employee risk including demographic information such as citizenship and location, while the information security department may choose to evaluate vendor risk including what data the vendor has access to and the security controls they have in place to protect that data. Risk categories, in combination with the Identity Suite’s robust risk scoring, offer organizations the ability to improve the effectiveness and quality of the risk identification, analysis, and mitigation processes.

Mitigating Controls

Mitigating controls are put in place to reduce either the probability or the consequences of a threat. For risk mitigation to be effective, organizations need to take immediate action to reduce human and financial consequences later. The Identity Suite allows mitigating controls to be defined and assigned to identified risks within the system, providing the organization with a true measurement of posed risks.
