
Configuring Access Applications

Access applications are used in access requests and in password management.

  • For access requests, access applications group a source's access profiles to help users find and request the access they need.
  • For password management, you must define an access application to support password changes for a source.

Note

Access applications represent access configurations in Identity Security Cloud and are different from the enterprise applications you can discover through application onboarding.

In most cases, you will define custom access applications to represent your enterprise systems, though you can also use and customize the pre-defined apps included on Admin > Applications.

Naming Access Applications

The names you choose for access applications should be the system names recognized by your end users. Often, that simply means creating an application with the same name as its source.

You can also define multiple access applications for a single source. This is common for directory systems like Active Directory, which often contain entitlements that manage access to other enterprise systems.

For example, if users are authorized to use your expense system through Active Directory groups, they would need to request AD groups to access the expense system. Since users might not realize this, you can help them by creating an access application called Expense, choosing Active Directory as its account source, and associating the relevant access profiles on AD with the expense application. Then, when users need to request expense system access in the Request Center, they search for the access profiles they need under the name they know, Expense, instead of Active Directory.

Important

Typically, when you define multiple access applications for a source, you create a primary access application that is named after and represents the source itself in addition to secondary access applications that represent other systems managed through the source. This primary access application is especially important for password management.

Creating an Access Application

Create access applications to support password management or access profile requests.

  1. Go to Admin > Applications.

  2. Select + New, provide an access application name and description, and select Continue.

    The access application name can be a maximum of 128 characters. Refer to Naming Access Applications for guidance.

  3. On the Configuration tab, set App Accounts Created By to Admin (IT).

    Note

    App Accounts Created By Users is a setting that applied only to legacy single sign-on functionality.

  4. Under Account Source, select whether this application applies to Specific Users From Source or All Users From Source, then select the source that holds the account and entitlement data for this access application.

    • If you choose Specific Users From Source, you are prompted to go to the Access tab and select which access profiles to include. Users who have an access profile associated with that access application will have the access application included in their password management list. Refer to Adding Access Profiles to Apps.
    • If you choose All Users From Source, all users associated with that access application will have the access application included in their password management list.

  5. Select Save.

    Note

    You must select Save on each tab before changing tabs or exiting the page.

  6. (Optional) Configure your access application to be used for access requests.

  7. (Optional) Configure your access application to be used for password management.

Configuring an Access Application for Access Requests

You must enable the access application for access requests and configure attributes to support requests. Then add access profiles to the access application.

  1. Go to Admin > Applications.

  2. Select an access application.

  3. On the Configuration tab, select Visible in the Request Center and Allow Access Requests to make an access application and its access profiles appear in the Request Center.

  4. Select Save.

  5. Select the Settings tab.

  6. (Optional) Under General Settings, edit the App Name and App Description as needed. These are shown to users in the Request Center.

  7. (Optional) Select the Edit icon next to App Icon to upload an image. This image is displayed with the access application name in the Request Center.

    Image Requirements

    • The image must be a PNG or JPG.
    • The image must be smaller than 5 MB.
    • Use a 1:1 width:height ratio to avoid distortion in the icon.

  8. In App Owner, begin entering the name of a user in your system to select a user as the owner for the access application. The application owner can be configured as an access request reviewer for access profiles associated with this access application.

You must add access profiles to configure access requests with access applications.

Adding Access Profiles to Access Applications

You can group access profiles with access applications in the Request Center. Access profiles are also individually requestable.

  1. Go to Admin > Applications.
  2. Select an access application.
  3. Select the Access tab.
  4. Begin typing an access profile name in the Add Existing Access Profiles box to search for an access profile in your system. Select the access profile from the list. Repeat to associate more access profiles with the access application.
  5. Select Save.

    Note

    If you need to create an access profile for this access application, select + New. You will be redirected to the Access Profile creation page. When you are done defining the access profile, you can return here and select it to add it to the access application.

To make this access application visible to users in the Request Center, return to the Configuration or Settings tab, change Enable For Users to ON, and select Save. This setting also enables the access application for password management.

Editing an Access Application

  1. Go to Admin > Applications.
  2. In the search box, search for any part of the access application name to filter the list.
  3. Select the access application you want to edit.
  4. Modify the attributes as described in preceding sections, and select Save on each tab as you make changes.

Applying Changes for Applications

If you are using access profiles to constrain which users can reset passwords for your applications, you must update your users' password management applications when you change the list of access profiles associated with your applications.

On the Applications list page, select Apply Changes to initiate identity processing for all identities in your organization and update your users' password management applications.

For best system performance, wait to select Apply Changes until you are ready to apply the whole set of configuration changes to your whole set of identities. Selecting it for roles, access profiles, or applications automatically processes all three.
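Because Apply Changes reprocesses every identity, it helps to review who gains or loses an application in their password management list before selecting it. The sketch below is an added example, not SailPoint code or an Identity Security Cloud API: it models the rules stated on this page (Enable For Users, All Users From Source, Specific Users From Source) over constructed data, and every class, function, and sample name in it is hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class AccessApp:                      # hypothetical model, not a product object
    name: str
    source: str                       # Account Source of the access application
    all_users_from_source: bool       # False = Specific Users From Source
    access_profiles: set = field(default_factory=set)
    enabled_for_users: bool = True    # Enable For Users

@dataclass
class Identity:                       # hypothetical model
    name: str
    account_sources: set              # sources where the identity has an account
    access_profiles: set              # access profiles the identity holds

def in_password_list(app, ident):
    """Apply this page's rules as if Apply Changes had already run."""
    if not app.enabled_for_users:     # OFF removes the app from the list
        return False
    if app.all_users_from_source:     # an account on the source is enough
        return app.source in ident.account_sources
    # Specific Users From Source: needs an associated access profile
    return bool(app.access_profiles & ident.access_profiles)

def password_list_diff(before, after, identities):
    """Return {identity name: (gained, lost)} between two app configurations."""
    changes = {}
    for ident in identities:
        old = {a.name for a in before if in_password_list(a, ident)}
        new = {a.name for a in after if in_password_list(a, ident)}
        if old != new:
            changes[ident.name] = (sorted(new - old), sorted(old - new))
    return changes

# Constructed sample data: the Expense app swaps its associated access profile.
IDENTITIES = [
    Identity("alice", {"Active Directory"}, {"AD-Expense-Users"}),
    Identity("bob", {"Active Directory"}, {"AD-Expense-Approvers"}),
    Identity("carol", set(), set()),
]
BEFORE = [
    AccessApp("Active Directory", "Active Directory", True),
    AccessApp("Expense", "Active Directory", False, {"AD-Expense-Users"}),
]
AFTER = [
    AccessApp("Active Directory", "Active Directory", True),
    AccessApp("Expense", "Active Directory", False, {"AD-Expense-Approvers"}),
]

if __name__ == "__main__":
    for who, (gained, lost) in password_list_diff(BEFORE, AFTER, IDENTITIES).items():
        print(f"{who}: gains {gained}, loses {lost}")
```
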

Hiding an Access Application

Disable an access application to temporarily remove it from the Request Center and the Password Management list.

  1. Go to Admin > Applications.
  2. Select the access application you want to edit.
  3. On the Configuration tab, set Enable For Users to OFF.
  4. Select Save.

Note

This setting overrides the Visible in the Request Center and Allow Access Requests checkboxes.

Seeing a User's Applications

You can view which access applications are available to a user.

  1. Go to Admin > Identity Management > Identities.
  2. Select the identity name.
  3. Select the Applications tab to display the access applications available to the user.

If the user has an access profile associated with an access application, or if they have an account on an application that you have configured for All Users From Source, that access application will be listed.
