Configuring IdentityNow for Provisioning
Use IdentityNow Provisioning to onboard new users faster, track user employment status, and adjust each user's access accordingly. Because you configure provisioning one time for multiple users, it can greatly reduce the possibility of human error and make your job easier.
It's critical that you consider the specific needs of your organization to determine how to configure provisioning to meet those needs. Before you begin, ensure all prerequisites have been met.
Prerequisites:
- Provisioning is deployed for your org.
- You have IdentityNow org-level admin permissions.
- You've completed your IdentityNow setup.
Best Practice
Always test new configurations in your IdentityNow sandbox before going live on your production system.
To set up IdentityNow provisioning:
- Review and update the Create Account definition for each source you want to provision to. This defines the account attribute values IdentityNow sets when provisioning requires an account to be created for the user on the source.
- Create access profiles to represent bundles of access in your organization. The access profiles ensure new accounts have the correct access.
- Configure the following provisioning methods, based on your site’s needs. Do not enable these configurations until you have tested them in your sandbox environment.
  - Attribute sync, to synchronize account data on sources with the new data on IdentityNow.
  - Lifecycle states, to automatically grant access based on users' employment status in the company.
  - Roles, to provide access to applications and sources based on users' job functions.
  - Access requests, if you have the Access Request service, to enable users to request access. Users automatically receive access after approval.
- After you’ve tested each of your provisioning methods in the sandbox, enable them in production on the configuration page for each method.
If an identity has more than one account on a source, you might need to configure individual access profiles to determine which account receives access as a result of provisioning actions.
Verifying Provisioning
Verify provisioning through the Admin interface or using provisioning reports.
Retryable Errors
If provisioning to a source fails with a retryable error, IdentityNow automatically retries the action. Any provisioning attempt that returns a ConnectException or a NoRouteToHostException error message from the source connector is retryable. Additionally, connectors can be configured with connector-specific retryable errors.
Each type of provisioning process in IdentityNow has its own defined frequency and count for automated retries. Refer to each process's documentation for those details.