Managing User Access and Accounts

You can manage the access that users have to IdentityNow in a number of ways. You can grant or remove their administrative access, temporarily remove them from IdentityNow, and disable and enable user identities. Access can also be governed by disabling and unlocking user accounts.

Managing User Access

You may need to change the access levels that users have to IdentityNow. This could be because of a shift in administrative needs, concerns about compromised accounts, or errors with accessing the application.

Granting or Removing Admin Access

You can grant or remove admin privileges for users to determine who has access to the Admin interface.

Note

Before you remove access, you may want to generate a report to see which identities have admin permissions.

To grant or remove administrative privileges from a single user:

  1. In the Admin interface, select Identities > Identity List.

  2. Select the name of the user for whom you want to change access.

  3. Select the Actions icon and choose Grant Admin or Remove Admin.

This toggles whether the Admin interface is available to the user.

To change admin access for multiple users simultaneously:

  1. In the Admin interface, select Identities > Identity List.

  2. Select the checkboxes next to the users for whom you want to change access.

  3. Select the Actions icon and choose Grant Admin or Remove Admin.

Note

You can also manage the Admin IdentityNow entitlements in the aggregated set of entitlements associated with that source.

Temporarily Removing a User from IdentityNow

You might need to temporarily remove a user from IdentityNow for a few reasons:

  • Their status is listed as ERROR in the Identity List and their identity details page.

  • They are having problems signing in to IdentityNow.

  • You've discovered correlation problems with their accounts.

Note

Please coordinate with your SailPoint customer support specialist for assistance with resolving these issues.

By temporarily removing users from the IdentityNow database, you can resolve the underlying problem on the source and then do a full aggregation. After their authoritative source is reaggregated, they are added to the list of identities as a new user.

For example, users with the ERROR status might have an account in the authoritative source used to create the profile, but they do not have an account in the authentication source you selected in Directory Connection.

You must resolve this issue before you can send these users invitations to register with SailPoint.

Important

Identities that are set as the owners of sources, roles, or apps cannot be removed or disabled. You will see an error if you attempt to take these actions on an owner. Select a new owner to remove these identities.

To temporarily remove a single user from IdentityNow:

  1. In the Admin interface, select Identities > Identity List.

  2. Select the name of the identity you want to remove.

  3. Select the Actions icon and choose Remove Identity. A message appears reminding you that taking this action removes the identity from IdentityNow and re-adds it at the next full aggregation.

  4. Select Yes to remove the user identity from IdentityNow.

To temporarily remove multiple users simultaneously:

  1. In the Admin interface, select Identities > Identity List.

  2. Select the checkboxes next to the identities you want to remove.

  3. Select the Actions icon and choose Remove Identities.

    A message appears reminding you that taking this action removes the identities from IdentityNow and re-adds them at the next full aggregation.

  4. Select Yes to remove the user identities from IdentityNow.

Once you have removed the user(s), resolve any issues related to their account or authentication sources. If applicable, ensure that delta aggregation has been turned off for the related sources prior to the next aggregation.

Disabling User Identities

Disabling users allows you to immediately remove privileges for a user who has left the company if their departure has not yet been processed by the authoritative source.

Notes

Disabling an identity does not end any active sessions the user has. Before disabling their identity, consider whether it might be more appropriate to disable a user's account on a source.

Users whose identity is disabled cannot change their passwords.

To disable a single user:

  1. In the Admin interface, select Identities > Identity List. 

  2. Select the name of the user you want to disable.

  3. Select the Actions icon and choose Disable Identity.

To disable multiple users simultaneously:

  1. In the Admin interface, select Identities > Identity List. 

  2. Select the checkboxes next to the users you want to disable.

  3. Select the Actions icon and choose Disable Identities.

Note

Identities that are set as the owners of sources, roles, or apps cannot be removed or disabled. You will see an error if you attempt to take these actions on an owner. Select a new owner to remove these identities.

Enabling User Identities

If a user has been temporarily removed or disabled because of an underlying issue, they must be reenabled after the issue has been resolved to regain access to IdentityNow.

To enable a single user:

  1. In the Admin interface, select Identities > Identity List.

  2. Select the name of the user you want to enable.

  3. Select the Actions icon and choose Enable Identity.

To enable multiple users simultaneously:

  1. In the Admin interface, select Identities > Identity List. 

  2. Select the checkboxes next to the users you want to enable.

  3. Select the Actions icon and choose Enable Identities.

Managing User Accounts

Unlike managing user access to IdentityNow, managing user accounts determines their access to a source that is aggregated to IdentityNow. You can only manage accounts that have been loaded into IdentityNow from a supported source.

Disabling a User Account

If you are a Helpdesk admin or an administrator, you might need to disable a user's account on a source. For example, if a user reports suspicious activity on that account, you can disable it temporarily while investigating the problem.

Note

This disables the user's account on the source and is different from disabling the user's access to IdentityNow.

  1. In the Admin interface, select Identities > Identity List. 

  2. Select the name of the user you want to disable.

  3. Select Accounts.

  4. Select the Actions icon on the account you want to disable and choose Disable Account.

Unlocking User Accounts

If you are a Helpdesk admin or an administrator and a user has been locked out of a source account, you can unlock them from IdentityNow. This option is available for accounts that have been loaded into IdentityNow from a supported source that allows unlocking accounts.

Notes

  • You might need to aggregate the account first to ensure that the account status in IdentityNow is accurate.
  • Users can also unlock their own IdentityNow accounts. If the account uses pass-through authentication, this will also unlock the underlying source account.

  1. In the Admin interface, select Identities > Identity List.

  2. Select the name of the user whose account you want to unlock.

  3. Select Accounts.

  4. Select the Actions icon on the account you want to unlock and choose Unlock Account.