Managing Identities
In Identity Security Cloud, your organization's users are represented by identities, created when you aggregate accounts from your authoritative sources. Each identity contains attributes that provide information about the user. This could be identifying information, such as first name, last name, and email, as well as information that describes their relationship to the organization, such as manager name, department, or job title. Each identity also shows the access the user has in your enterprise through their accounts, roles, and entitlements.
Note
Your tenant may contain human and machine identities. Human identities represent employees, contractors, and outside vendors. Machine identities represent applications or services used by your organization.
Identities are the user accounts that your personnel use to access Identity Security Cloud. Your configurations determine which users can sign in and what level of access each user has to Identity Security Cloud functions and data.
Viewing Identities
You can view details about any identity in your site, view the status of your identities, and manage users' access to Identity Security Cloud and its functions.
- To access the list of all the identities in your site, go to Admin > Identity Management > Identities.
- Select a filter to choose which identities are displayed:
  - All Identities includes all identities, including identities with errors and incomplete identities.
  - Identities with Errors shows identities that have email configuration errors, authentication source mismatching, or provisioning issues. For more information about these errors, refer to Resolving an Error Status.
  - Incomplete Identities shows identities that are missing values for required identity attributes. These identities must be completed before they can sign in or be used in other actions like access requests and certifications.
- Use the search bar to find the identities you need. Identity Security Cloud searches the account ID, username, display name, email, first name, and last name attributes for values that begin with the search term you enter.
You can switch between Cards view for a tablet-friendly display or Table view for a condensed layout.
If you need to work with your identity data offline, you can also export the list to a CSV file.
Viewing Identity Statuses
You can view each identity's account status on the Identities page. You can also use the provided queries in Search to find identities by these statuses.
| Status | Description | Search Query |
|---|---|---|
| Active | The user has registered for Identity Security Cloud and can sign in. | status:ACTIVE |
| Disabled | The user's Identity Security Cloud account is disabled, preventing sign-in and any other user actions. | status:DISABLED |
| Error | The identity is in an error state due to email configuration errors, correlation problems, or other issues. Refer to Resolving an ERROR Status for details. | status:ERROR |
| Incomplete | The identity is missing a UID, email, or last name. | Not applicable |
| Locked | The user's account has been manually locked, usually due to security concerns. | status:LOCKED |
| Not Invited | The identity hasn't been invited to Identity Security Cloud as a system user. | status:UNREGISTERED |
| Pending | The user has been invited to register with Identity Security Cloud, but they haven't registered yet. | status:PENDING |
| Registered | The user has been invited and has set up a password, but they haven't logged in yet. | status:REGISTERED |
| Warning | The identity's invitation email failed to send. Verify their email address is correct and reinvite the identity. | Not applicable |
Note
The status:UNREGISTERED query returns users whose identities have been reset, or disabled and reenabled, in addition to those who have never been invited to register.
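The status queries in the table above are plain Search query strings, so they can be run from the search API as well as from the Search page. The following is an added example (not SailPoint's code and not part of this page) that builds the request body and walks every page of results with a searchAfter cursor. It assumes the search endpoint accepts a JSON body with indices, query, sort and searchAfter and a limit query parameter; those names are assumptions about the API, not taken from this page. The transport is a stand-in that serves constructed records so the block runs offline.

```python
"""Find identities by status using the Search query syntax shown on this page.

Added example, not SailPoint's code. Request-body field names (indices, query,
sort, searchAfter) and the limit parameter are assumptions about the search
API. fake_post is an offline stand-in for the real HTTP call.
"""
from typing import Callable, Dict, Iterator, List, Optional

# Status labels on the Identities page mapped to their Search values.
# Incomplete and Warning have no query and must be read from the page or export.
STATUS_QUERY: Dict[str, Optional[str]] = {
    "Active": "ACTIVE",
    "Disabled": "DISABLED",
    "Error": "ERROR",
    "Incomplete": None,
    "Locked": "LOCKED",
    "Not Invited": "UNREGISTERED",
    "Pending": "PENDING",
    "Registered": "REGISTERED",
    "Warning": None,
}


def status_query(label: str) -> Optional[str]:
    """Return the Search query for a status label, or None if none exists."""
    value = STATUS_QUERY[label]  # KeyError on an unknown label is deliberate
    return None if value is None else f"status:{value}"


def search_body(query: str, search_after: Optional[List[str]] = None) -> dict:
    """Build one page request. Sorting on id makes searchAfter a stable cursor."""
    body = {"indices": ["identities"], "query": {"query": query}, "sort": ["id"]}
    if search_after:
        body["searchAfter"] = search_after
    return body


def iter_identities(post: Callable[[dict, int], List[dict]], query: str,
                    page_size: int = 2) -> Iterator[dict]:
    """Yield every hit for `query`, requesting pages until a short page arrives."""
    cursor: Optional[List[str]] = None
    while True:
        page = post(search_body(query, cursor), page_size)
        yield from page
        if len(page) < page_size:
            return
        cursor = [page[-1]["id"]]


# ---- Constructed sample data and offline transport (not real tenant data) ----
SAMPLE_IDENTITIES = [
    {"id": "2c91", "name": "a.doe", "status": "ACTIVE"},
    {"id": "2c92", "name": "b.lee", "status": "UNREGISTERED"},
    {"id": "2c93", "name": "c.ng", "status": "LOCKED"},
    {"id": "2c94", "name": "d.kim", "status": "UNREGISTERED"},
    {"id": "2c95", "name": "e.ali", "status": "ERROR"},
]


def fake_post(body: dict, limit: int) -> List[dict]:
    """Stand-in for the search call that understands only `status:X` queries."""
    field, _, wanted = body["query"]["query"].partition(":")
    assert field == "status", "this stand-in only handles status queries"
    rows = sorted((r for r in SAMPLE_IDENTITIES if r["status"] == wanted),
                  key=lambda r: r["id"])
    after = body.get("searchAfter")
    if after:
        rows = [r for r in rows if r["id"] > after[0]]
    return rows[:limit]


def identities_with_status(label: str, post=fake_post) -> List[str]:
    """Names of identities in the given status, or [] if it isn't searchable."""
    query = status_query(label)
    if query is None:
        return []
    return [r["name"] for r in iter_identities(post, query)]


if __name__ == "__main__":
    for label in ("Not Invited", "Locked", "Incomplete"):
        print(label, identities_with_status(label))
```

The small page size is there to exercise the cursor loop against the sample data; a real run would use a larger limit. Note that the Not Invited result intentionally mixes identities that were never invited with identities that were reset or disabled and reenabled, because the status:UNREGISTERED query cannot tell them apart; that distinction has to come from the identity's event history.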
Resolving an ERROR Status
When identities have an ERROR status, you can select the Information icon to display more details.
An ERROR status may occur because of email configuration errors, authentication source mismatching, or provisioning issues. Some errors can prevent sign in to Identity Security Cloud, so you'll need to address the error for those users to regain access.
- Email Configuration Errors: This occurs if your identity profile is configured to send an invitation only to a user's alternate email but the user does not have an alternate email configured. Check and adjust your identity profile invitation options or attribute mappings.
- Authentication Source Mismatch: This error occurs if your identity profile is configured with a Sign-in Method that uses a Directory Connection (pass-through authentication) and an identity created in that profile does not have an account on the specified authentication source. Without an account there, the user will not be able to authenticate to Identity Security Cloud to sign in. To correct this, you must correlate an account on that directory source to the identity or change the sign-in method for the identity profile.
- Provisioning Issues: If an identity has more than one account on a source system where a provisioning event is triggered, this generates an error on the identity and no provisioning occurs. This occurs when Identity Security Cloud cannot determine which account should be changed by the provisioning event.
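The provisioning error above is predictable from the account data, so it is worth checking before a lifecycle change or access request triggers provisioning. The following is an added example (not SailPoint's code and not part of this page) that groups accounts by identity and source, reports the pairs that would make a provisioning event fail, and also lists uncorrelated accounts, since correlation problems are another cause of the Error status. The account records are constructed, and the field names identityId, sourceId and nativeIdentity are assumptions about the account shape, not taken from this page.

```python
"""Pre-check for the provisioning failure described above: an identity that
holds more than one account on a source that a provisioning event targets.

Added example, not SailPoint's code. The account records are constructed and
the field names identityId, sourceId and nativeIdentity are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_ACCOUNTS = [
    # identityId None models an uncorrelated account (a correlation problem)
    {"identityId": "2c91", "sourceId": "src-ad", "nativeIdentity": "adoe"},
    {"identityId": "2c91", "sourceId": "src-ad", "nativeIdentity": "adoe-admin"},
    {"identityId": "2c91", "sourceId": "src-okta", "nativeIdentity": "a.doe@example.com"},
    {"identityId": "2c92", "sourceId": "src-ad", "nativeIdentity": "blee"},
    {"identityId": None, "sourceId": "src-ad", "nativeIdentity": "orphan01"},
]


def accounts_by_identity_and_source(accounts) -> Dict[Tuple[str, str], List[str]]:
    """(identityId, sourceId) -> native account names, correlated accounts only."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for acct in accounts:
        if acct["identityId"] is None:
            continue  # uncorrelated accounts are reported separately
        groups[(acct["identityId"], acct["sourceId"])].append(acct["nativeIdentity"])
    return dict(groups)


def ambiguous_provisioning_targets(accounts) -> Dict[Tuple[str, str], List[str]]:
    """Pairs where a provisioning event would error: more than one account."""
    return {key: names for key, names in accounts_by_identity_and_source(accounts).items()
            if len(names) > 1}


def uncorrelated_accounts(accounts) -> List[Tuple[str, str]]:
    """(sourceId, nativeIdentity) for accounts not correlated to any identity."""
    return [(a["sourceId"], a["nativeIdentity"]) for a in accounts if a["identityId"] is None]


def provisioning_target(accounts, identity_id: str, source_id: str) -> Optional[str]:
    """The single account a provisioning event on this source would change.

    None means the identity has no account there (a create would be needed).
    More than one raises, mirroring the error Identity Security Cloud reports.
    """
    matches = accounts_by_identity_and_source(accounts).get((identity_id, source_id), [])
    if len(matches) > 1:
        raise ValueError(f"{identity_id} has {len(matches)} accounts on {source_id}: {matches}")
    return matches[0] if matches else None


if __name__ == "__main__":
    print("ambiguous:", ambiguous_provisioning_targets(SAMPLE_ACCOUNTS))
    print("uncorrelated:", uncorrelated_accounts(SAMPLE_ACCOUNTS))
    print("target on src-okta:", provisioning_target(SAMPLE_ACCOUNTS, "2c91", "src-okta"))
```

Running the two report functions over an account export before a large lifecycle-state change turns a batch of silent provisioning failures into a short list of identities to correlate or clean up first.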
Managing Access
You can manage users' access by completing the following actions on the Identities page:
- Invite users to register for access to Identity Security Cloud.
- Set user levels to manage their level of access to Identity Security Cloud functions and data.
- Enable or disable their identity.
- Reset the identity to clear any elevated user levels, erase their security question answers, and return them to a Not Invited status.
- Delete the identity from Identity Security Cloud.
Note
Users cannot perform these actions for their own identity.
Inviting Identities
You can manually invite identities to use Identity Security Cloud. Refer to Inviting Users Manually for more details.
Setting User Level Permissions
By default, users have end user permissions which grant them limited system access. Administrators can expand the default end-user access by granting different permissions grouped into user levels. The User Level Access Matrix summarizes the Identity Security Cloud pages and components that are accessible at each user level.
Multiple user levels can be granted to a user. The user's access is cumulative across all granted user levels.
To set user levels:
- Go to Admin > Identity Management > Identities and find the identity you want to grant user levels to.
- Select Actions > Set User Levels.
- Enable the toggle for each user level you want to grant to the user. Disable the toggle for user levels you want to revoke from the user.
- Select Save to save your changes. The user's new user levels will take effect the next time they sign in.
Note
User levels are managed by administrators. They are not requestable and cannot be included in Roles or Access Profiles.
Disabling Identities
Disabling an identity immediately blocks the user from signing in to Identity Security Cloud. For example, you might want to disable the identity of a user who has left the company or who no longer has responsibilities that require access.
Notes
- This does not disable source accounts or otherwise revoke access to those systems.
- Disabled identities can't be reset or invited to Identity Security Cloud.
- If the user is signed into Identity Security Cloud when their identity is disabled, this does not end their active session.
- A user whose identity is disabled cannot change their passwords.
To disable an identity:
- Go to Admin > Identity Management > Identities and find the identity you want to disable.
- Select Actions > Disable Identity.
- Select Disable Identity to confirm.
To disable multiple users, select the checkboxes next to the identities you want to disable. Select Actions > Disable Identities at the top of the list and then select Disable Identities to confirm.
Enabling Identities
If an identity has been disabled, you must reenable it after the underlying issue has been resolved before the user can regain access to Identity Security Cloud.
To enable an identity:
- Go to Admin > Identity Management > Identities and find the identity you want to enable.
- Select Actions > Enable Identity.
To enable multiple users, select the checkboxes next to the identities you want to enable and select Actions > Enable Identities at the top of the list.
Notes
- User levels assigned when the identity was disabled are retained by the user.
- This returns the identity to a Not Invited status.
Resetting Identities
You may need to reset a user's identity if they have forgotten their authentication information like their answers to knowledge-based questions. Resetting an identity de-registers the user and removes any elevated user levels they have. They must be reinvited before they can access Identity Security Cloud again.
- Go to Admin > Identity Management > Identities and find the identity you want to reset.
- Select Actions > Reset Identity. The user's status changes to Not Invited.
- To reinvite the user, return to that identity record and select Actions > Invite Identity.
Note
The invitation step is only necessary for users who sign in with a username and password stored in Identity Security Cloud directly, rather than through pass-through authentication. When they register again, they will also reset their Identity Security Cloud password.
Deleting Identities
Deleting an identity can allow you to resolve identity problems that you haven't been able to solve through more targeted actions. It removes the user's access to Identity Security Cloud and removes all accounts correlated to the identity from Identity Security Cloud. It does not deprovision those accounts on their source systems; the accounts remain there until you remove them separately.
Important
Identities set as the owners of sources, roles, access profiles, or access applications cannot be deleted. Certification reviewers with active certifications also cannot be deleted. Select new owners and reassign certifications to delete these identities.
To delete an identity:
- Go to Admin > Identity Management > Identities and find the identity you want to delete.
- Select Actions > Delete Identity.
- Select Delete Identity to confirm.
To delete multiple users, select the checkboxes next to the identities you want to delete, select Actions > Delete Identities at the top of the list, and select Delete Identities to confirm.
Note
Deleting is only a temporary action if the user still exists in your authoritative sources. Correct the underlying problems on your source systems, then reaggregate an authoritative account to create a new identity for the user. Then you can reaggregate their other accounts so they correlate to the new identity.
To restore the user's access, the new identity must be invited and granted any elevated permissions they require since these settings were removed when the original identity was deleted.
Synchronizing Attributes
If your organization has configured attribute synchronization, you can manually synchronize an identity's attributes from the Identities page. Refer to Manually Synchronizing a Single Identity for more information.
Viewing Identity Details
You can view additional details about an identity on the Identity Details page. From Admin > Identity Management > Identities, select the identity name in Table view or select the Details button in Cards view.
Identity details include:
- Their current lifecycle state.
- Their Identity Security Cloud user level permissions.
- The identity profile they belong to.
- The dates the identity was created and last modified.
- Their identity attributes.
- Work reassignment configurations defined for them. You can also add new reassignment configurations.
From the identity details page, you can:
- Edit the identity’s lifecycle state or user levels.
- View and copy attributes.
- Pin attributes to the Overview section. The attributes display in the order they were pinned. The default attributes cannot be unpinned.
Viewing an Identity's Access
You can view the roles, access profiles, entitlements, and applications an identity has access to on the Access tab.
- Go to Admin > Identity Management > Identities.
- Select the identity name in Table view or select the Details button in Cards view.
- Select the Access tab to display the access items the identity has access to.
You can switch between roles, access profiles, entitlements, and applications by selecting the tab for that type of access item.
Selecting an access item displays further information about the access. From this page, administrators can also revoke roles or entitlements.
Notes
- A role can only be revoked if it was provisioned through an access request. You can submit an API call with the List Identities assigned a Role endpoint and check the roleAssignmentSource attribute to determine whether the role was assigned from an access request.
- A revoked entitlement may be reassigned during the next aggregation if it was provisioned as part of a role.
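Both notes above come down to one question before clicking Revoke: where did the access come from? The following is an added example (not SailPoint's code and not part of this page) that takes the records the List Identities assigned a Role endpoint returns, together with each role's entitlements and the entitlements the identity currently holds, and splits the identity's access into what can be revoked from the Access tab, what is held through role membership, and which entitlements would be reassigned at the next aggregation because a role still grants them. It assumes roleAssignmentSource takes the values ACCESS_REQUEST and ROLE_MEMBERSHIP; those two spellings and all records below are assumptions and constructed data, not taken from this page.

```python
"""Decide which of an identity's access items can be revoked from the Access
tab and which would come back.

Added example, not SailPoint's code. The roleAssignmentSource values
ACCESS_REQUEST and ROLE_MEMBERSHIP are assumptions, as is every record below.
"""
from typing import Dict, List, Set

ACCESS_REQUEST = "ACCESS_REQUEST"

# Roles with the entitlements they grant (constructed).
SAMPLE_ROLES: Dict[str, Dict] = {
    "role-eng": {"name": "Engineering", "entitlements": {"ent-github", "ent-vpn"}},
    "role-fin": {"name": "Finance AP", "entitlements": {"ent-sap-ap"}},
}

# One record per (role, identity), as List Identities assigned a Role
# would return for each role (constructed).
SAMPLE_ROLE_ASSIGNMENTS: List[Dict] = [
    {"roleId": "role-eng", "identityId": "2c91", "roleAssignmentSource": "ROLE_MEMBERSHIP"},
    {"roleId": "role-fin", "identityId": "2c91", "roleAssignmentSource": "ACCESS_REQUEST"},
    {"roleId": "role-eng", "identityId": "2c92", "roleAssignmentSource": "ACCESS_REQUEST"},
]

# Entitlements each identity currently holds after aggregation (constructed).
SAMPLE_IDENTITY_ENTITLEMENTS: Dict[str, Set[str]] = {
    "2c91": {"ent-github", "ent-vpn", "ent-sap-ap", "ent-jira"},
    "2c92": {"ent-github", "ent-vpn"},
}


def roles_for(identity_id: str, assignments: List[Dict]) -> Dict[str, str]:
    """roleId -> roleAssignmentSource for every role the identity holds."""
    return {a["roleId"]: a["roleAssignmentSource"]
            for a in assignments if a["identityId"] == identity_id}


def revocation_plan(identity_id: str, assignments: List[Dict], roles: Dict[str, Dict],
                    held_entitlements: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Split the identity's access by how it was granted.

    roles_revocable:          assigned by access request; Revoke works.
    roles_by_membership:      assigned by role criteria; change the criteria instead.
    entitlements_direct:      held outside any role; a revoke will stick.
    entitlements_role_backed: granted by a role the identity still holds; a
                              direct revoke is undone at the next aggregation.
    """
    sources = roles_for(identity_id, assignments)
    revocable = sorted(r for r, s in sources.items() if s == ACCESS_REQUEST)
    membership = sorted(r for r, s in sources.items() if s != ACCESS_REQUEST)
    role_backed: Set[str] = set()
    for role_id in sources:
        role_backed |= roles[role_id]["entitlements"]
    held = held_entitlements.get(identity_id, set())
    return {
        "roles_revocable": revocable,
        "roles_by_membership": membership,
        "entitlements_direct": sorted(held - role_backed),
        "entitlements_role_backed": sorted(held & role_backed),
    }


if __name__ == "__main__":
    for identity in ("2c91", "2c92"):
        print(identity, revocation_plan(identity, SAMPLE_ROLE_ASSIGNMENTS,
                                        SAMPLE_ROLES, SAMPLE_IDENTITY_ENTITLEMENTS))
```

The practical rule the plan encodes: to remove an entitlement that a role grants, revoke the role (if it came from an access request) or change the role's membership criteria; revoking the entitlement on its own only lasts until the next aggregation.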
Viewing Identity Events
You can view an identity's system activity, including their logins and password changes, on the Events tab. This tab displays events where the identity is the actor or the target of an action. The same information can be found for all identities through Search within Events.
The Events tab displays successful and failed actions. If an action failed, you can select the Error icon to view information about the error.
To view an identity’s events:
- Go to Admin > Identity Management > Identities.
- Select the identity name in Table view or select the Details button in Cards view.
- Select the Events tab to display the identity's events.
To export the identity’s event history to a .csv file, select the Export button.
Exporting Identities
The export option generates a zipped CSV file of the current set of identities which you can download for use offline.
- Select Export to start the file generation.
- When it finishes, the bar at the bottom of the page shows Done and you can select the arrow to expand the panel and download the file.
- Select Download to download the zip file to your local computer.
Notes
- Depending on the number of identities in your system, generating this file can take a substantial amount of time. You can leave the page while the process runs. The generated file will be retained as long as your current session is active.
- The file includes the list of identities as it existed when you started the export.