
Privileged Task Automation

Overview

Identity Security Cloud’s Privileged Task Automation leverages the power of SailPoint’s Workflows engine to facilitate the automation of privileged tasks.

Privileged Task Automation helps you:

  • Automate complex IT and privileged processes across systems.
  • Enhance security by removing standing privileges.
  • Reduce the need for specialized technical knowledge and manual intervention.

Privileged tasks are tasks for which users require privileged credentials to access an application and execute a series of commands to perform an action. Privileged Task Automation offers the ability to elevate a user's privilege while keeping the application's privileged credentials hidden from that user. This allows admins to delegate the execution of privileged tasks, enabling non-privileged users to perform them.

Privileged Task Automation workflows can be:

  • Created using a pre-built workflow template - Configure pre-built Privileged Task Automation templates to meet your needs.
  • Started with the Workflow visual builder - Create a Privileged Task Automation workflow by adding a Privileged Action.
  • Uploaded using an existing JSON file - Upload a JSON file, or reuse the JSON from another workflow, and add a Privileged Task Automation Action to meet the requirements for a Privileged Task Automation workflow.

For information on building a workflow, refer to Building Privileged Task Automation Workflows.

Privileged Task Automation workflows can be initiated on a schedule, when an event triggers the workflow, or manually by a user through an Interactive Trigger.

A Privileged Task Automation workflow can be run:

  • Without user interaction - A privileged task that does not require any input from the user can run completely behind the scenes with no user interaction. After this workflow is enabled, it operates automatically based upon the selected trigger.

  • With user interaction - A privileged task that requires user input in order to be executed must start with an Interactive Trigger to create an Interactive Process. The Interactive Process allows users to supply information via an Interactive Form within the workflow, and Interactive Messages are displayed to keep a user notified of the progress of the workflow.

After you build a Privileged Task Automation workflow that uses an Interactive Trigger, you must delegate the workflow to a user so that the privileged task can be completed. Delegating the workflow requires a Launcher and an Entitlement.

A Launcher is an object that allows a user to initiate the workflow and its Interactive Process. Launchers are created through the Interactive Trigger within the workflow. When a Launcher is created, an Entitlement is automatically created for it. The Launcher's Entitlement can then be assigned to users through regular governance practices, enabling those users to initiate the privileged task manually from the Launchpad.

Getting Started

Before you can begin creating and automating privileged tasks, you’ll need to set up your site.

Credential Provider

Privileged credentials are required to access an application and execute a series of commands to perform an action. A Credential Provider is used to provide the privileged credentials. To add a Credential Provider in SailPoint, go to Admin > Connections > Credential Providers. For more information about credential providers, refer to Identity Security Cloud Connectors Credential Providers.

Authentication details for privileged credentials are configured within a Privileged Task Automation workflow as secrets. They are used to authenticate to the target application and allow the Privilege Gateway virtual appliance to interact with it. The credentials are encrypted and are never visible to the administrator configuring the workflow or to the user running the privileged task, so a non-privileged user with the correct entitlement can perform the privileged task without ever holding the credentials.

Privilege Gateway

SailPoint uses virtual appliances in a Privilege Gateway virtual appliance cluster to connect your tenant to target applications and process privileged actions.

To create a VA with a Privilege Gateway cluster, go to Admin > Connections > Virtual Appliances. For more information about how to create a VA with the Privilege Gateway cluster type, refer to Identity Security Cloud Creating Virtual Appliances.

The role of the Privilege Gateway is to:

  • Allow a privileged action to read from the target application and pass back information to the workflow.
  • Facilitate a Privileged Action to execute commands on the target application.

Target Application

The target applications are where the Privileged Task Automation Action is performed. Privileged Task Automation workflows define which Privileged Task Automation Action commands are needed to communicate with the target application, allowing information to be retrieved and the privileged actions to be executed.

Building Privileged Task Automation Workflows

After you have completed the initial setup, you can start building your Privileged Task Automation workflow.

SailPoint offers pre-built Privileged Task Automation workflow templates to assist in getting started with Privileged Task Automation. These templates must be configured to meet your needs. You can also build a Privileged Task Automation workflow using the visual builder or using JSON by adding a Privileged Task Automation Action to your workflow.

Interactive Trigger

An Interactive Trigger allows the workflow to be manually initiated by a user and creates an Interactive Process within the workflow, enabling users to provide input to the workflow and receive messages about its progress.

The Interactive Trigger also enables the creation of a Launcher that shares a name and description with the current workflow. A Launcher can be created using the Interactive Trigger's Create Launcher button within a workflow or from the Launchers page. An Entitlement is automatically created for this Launcher.

Privileged Task Automation Actions

To create a workflow for a privileged task, you must add a Privileged Task Automation Action. Each Privileged Task Automation Action carries the commands that define what the action does on the target application.

Interactive Process

The Interactive Process is a process in a workflow where Interactive Messages are displayed to an Identity Security Cloud user and information is supplied by an end user via Interactive Forms. A user manually initiates this process using a Launcher. As the workflow runs, any Interactive Forms or Interactive Messages will display to the user and await user input before continuing.

To create a workflow with an Interactive Process, you must start with an Interactive Trigger. If the privileged task requires the user to supply information, or needs messages to keep the user informed of the workflow's progress, add Interactive Form and Interactive Message actions.

Interactive Process Actions

Interactive Form

The Interactive Form action allows an admin to create a form within a workflow. This form displays to the user as part of the Interactive Process. When the Interactive Process requires user input, an Interactive Form is provided explaining what information is required from the user. The user must provide details or make selections before the action is executed on the application.

Interactive Message

The Interactive Message action allows an admin to create a message within a workflow. This message displays to the user as part of the Interactive Process. Messages keep the user notified as to the progress of the workflow.

Delegating Privileged Task Automation Workflows

After you build a Privileged Task Automation workflow that uses an Interactive Trigger, you must delegate the workflow to a user so that the privileged task can be completed. Delegating the workflow requires a Launcher and an Entitlement.

Launcher

A Launcher is an object that allows a user to initiate the workflow and its Interactive Process. Launchers are created through the Interactive Trigger within a workflow and can also be created and managed from the Launchers page. The Launcher shares its name and description with the current workflow, and an Entitlement is automatically created for it.

Note

To initiate the Privileged Task Automation workflow through a Launcher, the associated workflow must be enabled.

Entitlement

When a Launcher is created, an Entitlement is automatically created for it. The Launcher's Entitlement can then be delegated to a user by an admin or requested from the request center by the user. To allow users to request the entitlement, configure access requests for it. After the entitlement has been assigned, the user launches the Interactive Process from the Launchpad.

Launching a Privileged Task

When you delegate an Entitlement associated with a Launcher to a user, the associated Interactive Process is present on the user's Launchpad page. The Launchpad page allows a user to launch Interactive Processes that have been delegated to them and view the status of previously launched Interactive Processes.
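The sections above describe a delegation chain: a Credential Provider holds the privileged credentials, the Privilege Gateway is the only component that retrieves them and runs the action, a Launcher carries an automatically created Entitlement, and a user who holds that Entitlement launches the task from the Launchpad without ever seeing the secret. The following is an added illustration written for this page, not SailPoint code and not the product's API; every class and name in it is a constructed stand-in, and the scenario it runs (an "Unlock HR account" task against a made-up target) is invented. It models the controls the page states: the launch is refused without the Entitlement, a disabled workflow cannot be launched, credentials are released only to the gateway, and the target's audit trail shows the privileged service account rather than the end user.

```python
# Added example: toy model of delegated privileged task execution.
# Not SailPoint code; all classes, names and the scenario are constructed.
from dataclasses import dataclass


@dataclass
class Workflow:
    name: str
    enabled: bool
    # Privileged Task Automation action: command templates filled from the
    # Interactive Form input and executed on the target by the gateway.
    commands: list


@dataclass
class Launcher:
    workflow: Workflow
    entitlement: str = ""  # created automatically alongside the Launcher

    def __post_init__(self):
        if not self.entitlement:
            self.entitlement = f"launcher:{self.workflow.name}"


class TargetApplication:
    """Stand-in target system: authenticates a session and runs commands."""

    def __init__(self, name, admin_user, admin_password):
        self.name = name
        self._admin = (admin_user, admin_password)
        self.audit_log = []  # (account, command) as the target would record it

    def login(self, user, password):
        if (user, password) != self._admin:
            raise PermissionError("authentication failed")
        return {"user": user}

    def execute(self, session, command):
        self.audit_log.append((session["user"], command))
        return f"ok: {command}"


class CredentialProvider:
    """Holds privileged credentials and releases them only to the gateway."""

    def __init__(self, secrets):
        self._secrets = secrets  # {target name: (user, password)}

    def get(self, caller, app):
        if not isinstance(caller, PrivilegeGateway):
            raise PermissionError("credentials are only released to the gateway")
        return self._secrets[app]


class PrivilegeGateway:
    """Fetches the credentials, opens the privileged session, runs the action."""

    def __init__(self, provider, target):
        self.provider = provider
        self.target = target

    def run(self, workflow, form_input):
        user, password = self.provider.get(self, self.target.name)
        session = self.target.login(user, password)
        return [self.target.execute(session, c.format(**form_input))
                for c in workflow.commands]


class Launchpad:
    """The non-privileged user's view: launchers, form input and messages only."""

    def __init__(self, gateway):
        self.gateway = gateway
        self._assigned = {}  # user -> set of entitlement ids

    def assign(self, user, entitlement):
        self._assigned.setdefault(user, set()).add(entitlement)

    def launch(self, user, launcher, form_input):
        if launcher.entitlement not in self._assigned.get(user, set()):
            raise PermissionError(f"{user} lacks {launcher.entitlement}")
        if not launcher.workflow.enabled:
            raise RuntimeError("workflow is disabled; enable it before launching")
        # Interactive Messages: progress and results reach the user, secrets never do.
        messages = [f"Running '{launcher.workflow.name}' for {user}"]
        messages += self.gateway.run(launcher.workflow, form_input)
        messages.append("Completed")
        return messages


def demo():
    """Constructed scenario: a non-admin unlocks an account via a delegated task."""
    target = TargetApplication("hr-db", "svc_admin", "S3cret!")
    provider = CredentialProvider({"hr-db": ("svc_admin", "S3cret!")})
    gateway = PrivilegeGateway(provider, target)
    wf = Workflow("Unlock HR account", enabled=True,
                  commands=["unlock-account --user {account}"])
    launcher = Launcher(wf)
    pad = Launchpad(gateway)
    pad.assign("alice", launcher.entitlement)  # governance assigns the Entitlement
    messages = pad.launch("alice", launcher, {"account": "bob"})
    return messages, target.audit_log


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The point to take from the model is where the trust boundaries sit: the Launchpad checks the Entitlement and the enabled flag, only the gateway object can obtain credentials from the provider, and the target application records the service account, so an investigation must correlate the target's audit log with the Launchpad's record of who launched the task.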
