Using the SailPoint Configuration Hub
The SailPoint Configuration Hub supports management of configuration objects in your SailPoint IdentityNow tenant through backup and restore operations. For example, you can back up configurations like Sources and Identity Profiles defined for your business and restore them in the event of configuration errors or loss.
Note
The Configuration Hub does not perform full system backups. It backs up configuration objects that represent your tenant settings, business systems, and access model components. For a list of supported objects in configuration backups, refer to SaaS Configurations on the SailPoint Developer site.
Accessing the Configuration Hub
Access the Configuration Hub through the SailPoint Solution Center.
- Select the Solution Center icon in the upper-left corner of any IdentityNow page.
- Select Configuration Hub.
Note
You must be signed into IdentityNow as an Admin user to access the Configuration Hub.
Creating a Backup
You can manually initiate a backup of your configuration objects, retaining up to 5 manual backups at a time per tenant. When you reach this limit, you must delete one or more manual backups before you can create a new one.
- On the Configuration Backups page of the Configuration Hub, select Create Backup.
- Enter a name for your backup.
- Select the checkbox beside the types of objects you want to include in this backup, or select All Objects.
  To further limit the objects included in this backup, enter the exact names of the specific objects to back up in the Objects by Name field beside a selected object type and select Enter. The names you enter in this field are case-sensitive.
  If the Objects by Name field is left blank, and the checkbox beside the object type is selected, all objects of that type will be included in the backup.
- Select Create Backup.
When your backup is complete, it will appear in the list of backups, marked as the Latest.
Select Actions on the backup row and select View to view a summary of the object types and counts included in it.
If you added specific objects to your backup by name, those objects are listed within this summary. The Objects by Name column displays all names you entered for that type, regardless of whether an object was found matching that name and type. However, the number in the Count column reflects only the names you entered that correspond with objects.
Automated Backups
In addition to your manual backups, SailPoint also automatically backs up your production tenant's configurations. Automated backups are listed as Created By: SYSTEM in the backups list, and their retention and deletion are managed by SailPoint.
- An automated backup occurs weekly. The process deletes the oldest weekly backup as necessary to retain up to 5 weekly backups at a time.
- The draft creation process also creates an automated backup to compare with the selected backup, and the most recent one of these appears in the backup list.
Deleting a Backup
Only manual backups can be manually deleted. To delete a backup:
- Go to the Configuration Backups page of the Configuration Hub, select Actions on the backup row, and select Delete.
- Select Delete to confirm.
Restoring from a Backup
You can use an automated or manual backup from your tenant to restore configurations as they existed when that backup was generated.
To restore from a backup:
- Create a draft to identify which objects are different between the selected backup and your live tenant.
- (Optional) Edit the draft to choose which objects to restore or to adjust the object details.
- Deploy the draft to update your live tenant.
Creating a Draft
A draft captures the differences between the selected backup and the live configurations in your tenant at the time the draft was prepared.
Notes
- Draft creation can be performed from backups which contain up to 30,000 objects. To enable drafts from larger backups, contact SailPoint Support.
- You can have up to 5 drafts at a time. Creating a new draft automatically deletes the oldest draft when you reach this limit.
- Go to the Configuration Backups page of the Configuration Hub, select Actions on the backup row, and select Prepare Draft for Deployment.
  This option also exists in the backup's View overlay.
- Specify a Draft Name that describes the intent of this draft. This is especially important if you are not deploying it immediately, as you may be working with multiple drafts at once for different purposes.
- Select Create Draft to initiate the comparison. When that completes, the draft is automatically saved and its summary is displayed.
The Draft Summary shows how deploying the draft to your tenant will alter your tenant's configurations.
- Adds to Live represents objects in the backup that don't exist in the live tenant.
- Modifies to Live represents live objects that will be changed to match the backup's representation of the same configuration object.
- Not in Backup represents objects in the live tenant that don't exist in the backup. This is usually because these objects were created in the live environment after the backup took place.
You can also edit your draft from this summary.
Note
If problems are detected in a draft object that will prevent successful deployment, the object and its object type will be marked with Has deploy issues. In most cases, this is caused by references to other objects which do not exist in the tenant, such as an owner identity that has been deleted. You must correct these problems or exclude the object from your draft before you can deploy.
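The following added example (not SailPoint code and not part of the original documentation) models how a draft comparison produces the three Draft Summary categories and the Has deploy issues flag. It assumes objects are matched by id and uses a hypothetical owner_id reference field; all sample data is constructed.

```python
# Added illustration: a simplified model of the draft comparison, not SailPoint code.
# Assumptions: objects are dicts matched by "id"; "owner_id" is a hypothetical
# reference field; all sample data below is constructed.

def summarize_draft(backup, live, live_identity_ids):
    """Classify objects the way the Draft Summary describes them."""
    live_by_id = {obj["id"]: obj for obj in live}
    backup_ids = {obj["id"] for obj in backup}
    summary = {"adds_to_live": [], "modifies_to_live": [],
               "not_in_backup": [], "has_deploy_issues": []}
    for obj in backup:
        current = live_by_id.get(obj["id"])
        if current is None:
            summary["adds_to_live"].append(obj["name"])
        elif current != obj:
            summary["modifies_to_live"].append(obj["name"])
        else:
            continue  # identical in backup and live: no difference to capture
        # A reference to an identity that no longer exists blocks deployment.
        owner = obj.get("owner_id")
        if owner is not None and owner not in live_identity_ids:
            summary["has_deploy_issues"].append(obj["name"])
    # Live-only objects are listed for reference; deployment never deletes them.
    summary["not_in_backup"] = [o["name"] for o in live if o["id"] not in backup_ids]
    return summary

def can_deploy(summary, excluded=()):
    """Deployable once every object with issues is corrected or excluded."""
    return all(name in excluded for name in summary["has_deploy_issues"])

BACKUP = [  # constructed sample backup contents
    {"id": "src-1", "type": "Source", "name": "HR Source", "owner_id": "id-alice", "description": "v1"},
    {"id": "src-2", "type": "Source", "name": "AD Source", "owner_id": "id-bob"},
    {"id": "prof-1", "type": "Identity Profile", "name": "Employees", "owner_id": "id-alice"},
]
LIVE = [  # constructed sample live tenant contents
    {"id": "src-1", "type": "Source", "name": "HR Source", "owner_id": "id-alice", "description": "v2"},
    {"id": "prof-1", "type": "Identity Profile", "name": "Employees", "owner_id": "id-alice"},
    {"id": "src-3", "type": "Source", "name": "New SaaS Source", "owner_id": "id-alice"},
]
LIVE_IDENTITY_IDS = {"id-alice"}  # "id-bob" was deleted after the backup was taken

if __name__ == "__main__":
    result = summarize_draft(BACKUP, LIVE, LIVE_IDENTITY_IDS)
    for category, names in result.items():
        print(f"{category}: {names}")
    print("deployable:", can_deploy(result))
```

Passing excluded={"AD Source"} to can_deploy mirrors removing the flagged object from the draft before deployment.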
Editing a Draft
You can remove objects from the draft that you don't want to deploy to your live tenant. You can also edit object details before deploying.
Editing a draft begins at the Draft Summary of a draft you just created or of a saved draft.
- To open a saved draft, go to the Drafts page of the Configuration Hub, select Actions on the draft row, and select Edit.
- To remove all configuration objects of any object type from a draft, clear the checkbox on that row of the Draft Summary table. For example, you could remove all Source objects from the draft.
- To view or modify the list of the draft's configuration objects for any type, select Edit on that row. Objects are grouped into tabs according to whether they will be added to or modified in the live tenant when deployed.
  - To remove an individual object from the draft, clear the checkbox on that object's row.
  - To change details about an object, select Edit on that row, modify its JSON definition, and select Save. The JSON is validated on save to prevent JSON errors.
  - Objects in the Not In Backup column exist in the target environment, but are not in the backup. These objects will not be impacted by deploying your draft.
  Important
  - You cannot edit or remove the id of the object.
  - Your edits will only be saved to the draft when you save your changes on the Draft Summary page.
- When you are finished making changes to individual objects, select Back to Draft Summary to return to the summary page.
- Select Save Changes to update your draft with any changes you have made on the summary or detail pages.
Notes
- When you save changes to your draft, any objects or object types that you removed from the draft are permanently deleted from it. If you discover you made a mistake, you must create a new draft from the backup and start again.
- The backup itself is never modified by actions you take on the draft.
To abort your changes without updating the draft, select Discard Changes.
Deploying a Draft
Deploying a draft to your live tenant adds or updates configuration objects in your tenant to match the ones in the draft.
Before deploying a draft, carefully review the new and edited objects within the draft to confirm the correct configuration is being deployed. Follow your organization's change management and approval process when deploying any draft configuration.
Note
Drafts containing up to 5,000 objects can be deployed. To enable deployment of larger drafts, contact SailPoint Support.
Important
Draft deployment does not automatically delete objects from the live tenant. The Not in Backup list is provided as a reference and includes objects that exist in the live tenant, but not in the backup. If necessary, these objects can be manually deleted within your live environment.
Deploying a draft begins at the Draft Summary of a draft you just created or edited, or of a saved draft.
- To select a saved draft, go to the Drafts page of the Configuration Hub, select Actions on the draft row, and select Edit.
- Select Deploy Draft to update your tenant's configurations from the draft. Select Deploy to confirm.
- When deployment finishes, review the completion status and process details. The details contain the name and ID of each deployed object along with any errors or warnings encountered.
Important
These objects require manual actions after deployment to restore their connections to other configurations.
- Password policies must be manually reconnected to sources. This includes redefining any exception policy filters.
- Service desk integrations must be manually reconnected to virtual appliances.
Reviewing Deployment Activity
You can review the results of all completed or failed backup deployments within the Configuration Hub.
To review deployment activity for your tenant:
- Go to the Activity Log within the Configuration Hub.
  You can see a list of all deployment attempts within your current tenant, the name of the user that started the deployment, and its result.
- To see detailed information about a specific deployment event, select the View button in the Actions column.
To view audit records of draft deployments, use search to view events with the name Update Config Passed or Update Config Failed.