Managing Non-Employee Sources and Accounts
Contractors, interns, consultants, and other non-employees in your organization might require special governance treatment. You can use IdentityNow to track these users' access and activity by creating and maintaining a non-employee source. You can have up to 50 non-employee sources in your org.
By using our Non-Employee Lifecycle Manager, you agree to the following:
- SailPoint is not responsible for storing sensitive data. You may only add account attributes to non-employee identities that are necessary for business operations and are consistent with your contractual limitations on data that may be sent or stored in IdentityNow.
- You are responsible for regularly downloading your list of non-employee accounts for all sources you create and storing this list in a managed location to maintain an authoritative system of record and backup data for these accounts.
Use the processes below to create a non-employee source and add accounts.
Creating a Non-Employee Source
- Sign in to IdentityNow and go to the Admin interface. Go to Connections > Sources.
- Click New.
- In the Source Type field, choose Non-Employee and specify the following:
  - A source name
  - A description of the source
  - An individual owner for the source
  - Optionally, a governance group to manage this source. This allows source sub-admins in this governance group to access and manage this source. These sub-admins will not be able to manage accounts on this source.
  Click Continue.
  The non-employee source's configuration page is displayed.
- Optionally, choose up to ten account managers in the Who should manage these accounts? field.
  These users can request new accounts on this non-employee source. They do not have to be administrators in your org.
- Optionally, choose up to 3 account reviewers in the Who should review account requests? fields.
  These users review all account requests made by the account managers. Each reviewer will review the request in the order you choose here, and if any one reviewer denies the account request, the account won't be created. These users also don't have to be administrators.
  Click Save.
You can review the attributes for this source, configure the non-employee source's identifying attributes, and add new attributes if necessary.
Important!
Once accounts have been aggregated from a non-employee source, their unique identifier (or user name) should not be edited. Because this identifier is used to create identities, editing this attribute will create additional identities instead of updating existing ones. If you need to update the unique identifier for a source, delete all old accounts on that source prior to doing so.
Adding Custom Attributes to a Source
You can add custom attributes to your non-employee source to represent important information about these identities.
To add a new attribute to your source:
- From the Sources list, go to the non-employee source you want to edit.
- In the sidebar, click Account Schema.
- Click Add New Attribute.
- Add the following information for each attribute you want to add:
  - Name - Enter a unique name for this attribute. The Technical Name is generated automatically.
  - Description - Optionally provide a description for this attribute. This information helps account managers provide accurate attribute data when requesting new non-employees.
  - Hint Text - Optionally enter hint text. This text will display inside of the attribute's text box and can be used to give account managers additional information.
  Choose whether the attribute should be required for accounts on this source.
  Important
  - If an attribute you configure here is used in account correlation, it should be marked as required. This prevents errors that may occur if an account is missing a required identity attribute.
  - Make sure you've added all required attributes to this source before adding accounts. If you add more required attributes after accounts have been created, you'll be unable to update existing accounts or upload account CSV files unless you include values for that attribute.
  If you want to add another new attribute after saving this one, check the Add Another checkbox.
  Click Save.
You can add up to 10 custom attributes to your source.
Adding Accounts
To manage non-employees in IdentityNow, you'll need to create accounts for them. You can add accounts individually or in bulk. Each non-employee source can have a maximum of 20,000 accounts.
Uploading a List of Accounts
Before uploading a list of non-employee accounts, you will need to export the CSV template using the Export button on the Accounts page. Uploaded account files must follow this template.
To add a set of accounts:
- From the Sources list, go to the non-employee source you want to edit.
  You can also reach this page from the Manage Non-Employees widget on the user dashboard.
- In the sidebar, click Accounts.
- Select + Add Accounts and click Bulk Upload.
  This option won't be available if there's already a bulk upload in progress.
- Choose the CSV file you want to upload.
  When you initiate the upload, you'll see a success notification.
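A pre-upload check for the bulk file, added here as an example (it is not SailPoint code): it compares the file's header with the exported template and flags empty required attributes, repeated unique identifiers, and a row count that would pass the 20,000-account limit. The column names and sample rows are constructed assumptions; use the header from your own exported template.

```python
import csv
import io

MAX_ACCOUNTS = 20_000  # per-source account limit stated on this page

# Constructed sample data; the column names are assumptions, not the real template.
TEMPLATE = "accountName,firstName,lastName,email\n"
UPLOAD = (
    "accountName,firstName,lastName,email\n"
    "jdoe,Jane,Doe,jane.doe@example.com\n"
    "asmith,Al,,al.smith@example.com\n"      # required lastName left empty
    "jdoe,John,Doe,john.doe@example.com\n"   # identifier repeats line 2
)


def validate_upload(template_csv, upload_csv, required, id_column, existing_count=0):
    """Return a list of problems; an empty list means the file passed every check."""
    template_header = next(csv.reader(io.StringIO(template_csv)), [])
    reader = csv.DictReader(io.StringIO(upload_csv))
    # Uploaded files must follow the exported template, so compare headers first.
    if reader.fieldnames != template_header:
        return [f"header {reader.fieldnames} does not match template {template_header}"]
    problems, first_seen, rows = [], {}, 0
    for row in reader:
        rows += 1
        line = reader.line_num
        # Every attribute marked required on the source needs a value in each row.
        for column in required:
            if not (row.get(column) or "").strip():
                problems.append(f"line {line}: required attribute '{column}' is empty")
        # The unique identifier is used to create identities, so it must not repeat.
        uid = (row.get(id_column) or "").strip()
        if uid in first_seen:
            problems.append(f"line {line}: identifier '{uid}' repeats line {first_seen[uid]}")
        elif uid:
            first_seen[uid] = line
    if existing_count + rows > MAX_ACCOUNTS:
        problems.append(f"{existing_count + rows} accounts would exceed the limit of {MAX_ACCOUNTS}")
    return problems


if __name__ == "__main__":
    required_columns = ["accountName", "firstName", "lastName"]
    for problem in validate_upload(TEMPLATE, UPLOAD, required_columns, "accountName"):
        print(problem)
```

Pass `existing_count` the number of accounts already on the source so the limit check covers the total rather than only the new file.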
Creating a Single Account
Org admins can directly create new accounts on the Accounts list following the steps below. These accounts do not go through a review process. Alternatively, admins can request a new account on the Account Requests tab.
To add a single account:
- From the Sources list, go to the non-employee source you want to edit.
  You can also reach this page from the Manage Non-Employees widget on the user dashboard.
- In the sidebar, click Accounts.
- Click + Add Accounts and click Add Account.
- Enter the following information, depending on which attributes you have marked as required:
  - Unique Identifier - Enter a unique identifier that will serve as the identity's user name. The non-employee will use this to sign in.
  - First Name - Add the non-employee's first name.
  - Last Name - Add the non-employee's last name.
  - Phone - Enter a phone number for the non-employee, including the country code.
  - Email - Enter an email address for the account.
  - Manager - Choose a manager from the drop-down list, or start typing to see names that match the characters you've added.
  - Start Date - Select the anticipated start date for this non-employee.
  - End Date - Select an anticipated end date for this non-employee.
  If you want to add another new account after saving this one, check the Add Another checkbox.
  Click Add.
Important!
You are responsible for regularly downloading your non-employee information to create an authoritative backup of their account information.
Org administrators can edit any attribute on the accounts on non-employee sources by going to the Accounts list and clicking the name of the account to edit. Account managers can edit the end date for non-employees on sources they manage.
Creating an Identity Profile
Creating an identity profile allows you to generate identities from the non-employee accounts you create on this source. Identities are composite sets of data and access, which give you a comprehensive view of each user.
Use the steps in Creating Identity Profiles to begin.
Important!
By default, non-employee source attributes are not mapped to identity profile attributes. In order for correlation to work and identities to be created, you must manually map non-employee source attributes to the required identity attributes for this profile.
Managing Non-Employees
After these identities have been created, you can manage them as you would any other identity. You can provision accounts on other sources for them, or include them in certification campaigns.
Note
Because non-employee sources don't support entitlements, source owner certifications created for this non-employee source will move directly to Completed, and won't go through a review process.
Account Managers and Account Reviewers
You can see more information about what non-employee account managers and non-employee account reviewers can do by reviewing additional documentation.
- Non-employee account managers can request new accounts and modify the end dates for existing accounts. See Requesting and Updating Non-Employee Accounts for details.
- Non-employee account reviewers review requests for non-employee accounts made by non-employee account managers. See Reviewing Non-Employee Account Requests for details.
Email Templates
Several events related to non-employee management generate emails in IdentityNow. Like other IdentityNow email templates, these emails can be modified to suit your business's needs.
- Non-Employee Account Request - When a non-employee account manager requests a new account for a non-employee, they receive this email to confirm that their request was submitted.
- Non-Employee Account Request Decision - When all applicable account reviewers have made a decision about a non-employee account, the account manager receives this email to confirm that their account request was either approved or denied.
- Non-Employee Account Review - After a new non-employee account request is submitted, this email is sent to the account reviewers to notify them that a request needs their attention.
- Non-Employee End Date Reminder - This email is sent to the account managers for a non-employee source when one or more of the non-employees on that source has an end date in 7 days.
Audit Reports
You can find information on account requests and modifications using Search. Use the query type:NON_EMPLOYEE to find audit events related to non-employee management. See Audit Reports and Monitoring in IdentityNow for more information about audit reports.