Managing Application Identities
An application identity is a type of machine identity that represents a program or service, under which related machine accounts are grouped. For example, an organization might group and correlate all of its automated teller service accounts to an Automated Teller application identity. These groupings let users organize and oversee their organization’s service accounts, bots, and other machine accounts.
Note
This document describes application identities created through the Machine Identity Security feature. For general information on identities, refer to Managing Identities.
Creating Application Identities
Organizations may create application identities at different stages in their implementation process. For example, if your organization’s data is stored in a database, you may create application identities before classifying the machine accounts on a source.
If your organization doesn't maintain application data, you may create application identities after machine accounts have been classified on a source. When machine account attributes were mapped, the Machine Identity field might have been left unmapped, resulting in the creation of an uncorrelated application identity for each machine account.
If multiple uncorrelated application identities exist for the same program or service, you can create a single application identity to represent the program or service and correlate the related machine accounts to it. Once correlated, Identity Security Cloud deletes the uncorrelated application identities from your tenant. Manually-created application identities remain if their associated machine accounts are correlated to a different application identity.
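The following Python model illustrates the correlation behaviour this section describes: machine accounts are matched to an application identity by the value of a mapped attribute (assumed here to be called `businessApplication`), auto-created uncorrelated identities that end up with no accounts are dropped, and manually created identities are kept even when their accounts move elsewhere. This is an added example with constructed sample data, not SailPoint's implementation or API; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the correlation behaviour described above; not
# SailPoint's implementation. Sample accounts and identities are constructed.

@dataclass
class MachineAccount:
    account_id: str
    attributes: Dict[str, str]           # mapped account attributes

@dataclass
class ApplicationIdentity:
    name: str
    business_application: Optional[str]  # value machine accounts are matched on
    manually_created: bool
    accounts: List[str] = field(default_factory=list)

def auto_create_uncorrelated(accounts: List[MachineAccount]) -> List[ApplicationIdentity]:
    """Machine Identity field left unmapped: one uncorrelated identity per account."""
    return [
        ApplicationIdentity(f"uncorrelated-{a.account_id}", None, False, [a.account_id])
        for a in accounts
    ]

def correlate(accounts: List[MachineAccount], identities: List[ApplicationIdentity],
              attr: str = "businessApplication") -> Tuple[Dict[str, str], List[ApplicationIdentity]]:
    """Match each account's mapped attribute to an identity's Business Application
    value, move the account under that identity, then drop auto-created
    identities left with no accounts. Returns (account -> identity name, remaining)."""
    by_value = {i.business_application: i for i in identities if i.business_application}
    correlation: Dict[str, str] = {}
    for acct in accounts:
        target = by_value.get(acct.attributes.get(attr))
        if target is None:
            continue                     # no matching identity: account stays put
        for ident in identities:
            if ident is not target and acct.account_id in ident.accounts:
                ident.accounts.remove(acct.account_id)
        if acct.account_id not in target.accounts:
            target.accounts.append(acct.account_id)
        correlation[acct.account_id] = target.name
    # Uncorrelated (auto-created) identities with no accounts left are deleted;
    # manually created identities remain even when their accounts moved elsewhere.
    remaining = [i for i in identities if i.manually_created or i.accounts]
    return correlation, remaining

def demo() -> Tuple[Dict[str, str], List[str], List[str]]:
    """Constructed scenario: three accounts were auto-created as uncorrelated
    identities, one manual identity matches two of them, and a second manual
    identity holds an account whose attribute points elsewhere."""
    accounts = [
        MachineAccount("atm-01", {"businessApplication": "Automated Teller"}),
        MachineAccount("atm-02", {"businessApplication": "Automated Teller"}),
        MachineAccount("batch-01", {"businessApplication": "Nightly Batch"}),  # no identity yet
        MachineAccount("pay-01", {"businessApplication": "Automated Teller"}),
    ]
    identities = auto_create_uncorrelated(accounts[:3])
    identities.append(ApplicationIdentity("Automated Teller", "Automated Teller", True))
    identities.append(ApplicationIdentity("Legacy Payroll", "Legacy Payroll", True, ["pay-01"]))
    correlation, remaining = correlate(accounts, identities)
    teller = next(i for i in remaining if i.name == "Automated Teller")
    return correlation, [i.name for i in remaining], teller.accounts

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two outcomes worth checking after a correlation run: the auto-created identities for `atm-01` and `atm-02` disappear once their accounts are correlated, while `Legacy Payroll` survives with no accounts because it was created manually, and `batch-01` keeps its uncorrelated identity because no application identity carries its Business Application value.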
To create an application identity:
- Go to Admin > Identity Management > Identities.
- In the Machine Identities section, select Applications.
- Select Create Application to create a new application identity.
- Enter a unique name for the application identity to help users differentiate it from others.
- In the Business Application field, enter a unique value that describes the program or service the application identity represents. If your application data is stored in an attribute, enter the value for that attribute to correlate machine accounts to this application identity.
- In the Primary Owner dropdown list, select the human identity responsible for this application identity.
- (Optional) In the Additional Owners dropdown list, select up to 10 human identities to assume ownership of the application identity if the primary owner’s identity state changes to inactive. SailPoint recommends adding additional owners to reduce the number of unmanaged application identities.
Notes on Succession
If the primary owner’s identity is deleted or set to an inactive identity state, the ownership automatically passes to the first Active identity in the Additional Owners list.
If no additional owner is selected, the ownership passes to the manager of the primary owner. If this identity has no manager, the application will have no primary owner until one is manually added.
Identities that become inactive are automatically removed from the Additional Owners list.
After an application identity is created, you can view its primary and secondary owners on its application’s details page.
- (Optional) In the Description field, enter a description for the application identity.
- Select Save to create the application identity.
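The succession notes above define a fixed order of fallback owners. The Python model below, an added example that is not SailPoint's code or API, applies that order (active primary owner, else first Active identity in Additional Owners, else the former primary owner's manager, else no owner) and also reports which application identities have no succession path at all, which is the situation the recommendation about additional owners is meant to avoid. Identity records, application identities and all names are constructed; the function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical model of the succession rule described above; not SailPoint's
# implementation. Identity records and application identities are constructed.

@dataclass
class HumanIdentity:
    name: str
    state: str                      # "active" or "inactive"
    manager: Optional[str] = None

@dataclass
class AppIdentity:
    name: str
    primary_owner: Optional[str]
    additional_owners: List[str] = field(default_factory=list)

Directory = Dict[str, HumanIdentity]   # deleted identities are simply absent

def is_active(name: Optional[str], directory: Directory) -> bool:
    ident = directory.get(name) if name else None
    return ident is not None and ident.state == "active"

def apply_succession(app: AppIdentity, directory: Directory) -> Optional[str]:
    """Recompute the primary owner after identity state changes.
    Order: keep an active primary; else first Active additional owner;
    else the former primary's manager; else nobody."""
    # Identities that became inactive (or were deleted) leave the list.
    app.additional_owners = [o for o in app.additional_owners if is_active(o, directory)]
    if is_active(app.primary_owner, directory):
        return app.primary_owner
    former = directory.get(app.primary_owner) if app.primary_owner else None
    if app.additional_owners:
        app.primary_owner = app.additional_owners[0]
    elif former is not None and former.manager:
        app.primary_owner = former.manager
    else:
        app.primary_owner = None    # unmanaged until an owner is added manually
    return app.primary_owner

def at_risk_of_unmanaged(apps: List[AppIdentity], directory: Directory) -> List[str]:
    """Application identities with no succession path: no active additional
    owner and a primary owner who is missing or has no manager."""
    flagged = []
    for app in apps:
        fallback = any(is_active(o, directory) for o in app.additional_owners)
        primary = directory.get(app.primary_owner) if app.primary_owner else None
        has_manager = primary is not None and bool(primary.manager)
        if not fallback and not has_manager:
            flagged.append(app.name)
    return flagged

def demo():
    """Constructed scenario covering each branch of the rule."""
    directory = {
        "alice": HumanIdentity("alice", "active", manager="carol"),
        "bob": HumanIdentity("bob", "inactive", manager="carol"),
        "carol": HumanIdentity("carol", "active"),
        "dave": HumanIdentity("dave", "active"),
    }
    apps = [
        AppIdentity("Automated Teller", "alice", ["bob", "dave"]),  # primary still active
        AppIdentity("Nightly Batch", "bob"),                        # inactive primary, manager takes over
        AppIdentity("Legacy Payroll", "ghost"),                     # owner identity was deleted
        AppIdentity("Report Service", "dave"),                      # active, but no fallback at all
    ]
    risk = at_risk_of_unmanaged(apps, directory)
    owners = {a.name: apply_succession(a, directory) for a in apps}
    return risk, owners, apps[0].additional_owners

if __name__ == "__main__":
    print(demo())
```

The `at_risk_of_unmanaged` report is the check worth running periodically: it lists application identities that would lose their owner outright if the primary owner became inactive, so additional owners can be added before that happens rather than after.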
If machine accounts have been classified for this source, ensure the machine accounts have been correlated to the correct application identities.
If you created application identities first, you can now classify machine accounts on the source.
Viewing an Application Identity's Control Panel
Like human identities, you can review additional details about application identities and track their accounts and usage from their control panel.
To access an application identity’s control panel:
- Go to Admin > Identity Management > Identities.
- In the Machine Identities section, select Applications.
- Find and select an application identity to view its control panel.
From the control panel, you can perform the following actions:
- View and copy the application identity’s attributes in the Details tab.
- View and update the machine accounts correlated to the application identity in the Accounts tab.
- Review audit events in the Events tab.
- Update or delete the application identity by selecting the Actions menu in the upper-right corner of the page.
Updating Application Identities
After an application identity has been created, you can update its name, description, and business application from the application identity’s control panel. This is useful when auto-created identities are missing attributes or require updates.
- Go to Admin > Identity Management > Identities.
- In the Machine Identities section, select Applications.
- Select Actions > Update Identity for the application identity that requires updates.
Alternatively, you can go to the application identity’s control panel and select Actions > Update Identity in the upper-right corner of the page.
- In the new window, make the required changes and then select Save.
The application identity's control panel automatically refreshes and displays your changes.
Deleting Application Identities
When your organization decommissions a program or a service, you might need to delete the application identity representing it. After the application identity's correlated accounts have been deleted, you can delete the application identity.
Note
Uncorrelated application identities that have not been manually edited are automatically removed from the system when their correlated machine accounts are correlated to another identity.
- Go to Admin > Identity Management > Identities.
- Select Machine Identities from the left panel.
- Select Actions > Delete Identity for the application identity that requires deletion.
Alternatively, you can go to the application identity's control panel and select Actions > Delete Identity in the upper-right corner of the page.
- Confirm the deletion. The application identity is removed from Identity Security Cloud.