Provisioning is the process of changing user access to systems and data in your enterprise. It can be initiated by users through actions such as access requests, certifications, or manager requests, or through automated configurations. Automated configurations include role assignments and lifecycle states that keep user access aligned with their business requirements.
The connection for each source determines whether provisioning triggered by lifecycle states is handled automatically or manually. Sources with a direct connection are provisioned automatically while flat file sources require the source owner to complete a manual provisioning task assigned to them through IdentityNow's Task Manager.
Setting Up Provisioning
These configurations within IdentityNow are important drivers of the provisioning process.
- For each source, review and update the Create Account specification. When access is granted to a user who does not already have an account on the source, IdentityNow automatically creates an account for them using the attributes and values specified in this definition.
- Add any or all of these configurations to drive automated provisioning for your users.
  - Attribute sync keeps account data in your sources in sync with identity data in IdentityNow.
  - Lifecycle states automatically grant or revoke access based on users' employment status in the company.
  - Roles grant or remove access based on users' job functions.
  - Access profiles represent bundles of access that your roles and lifecycle states can grant.
    - Where identities can have more than one account on a source, you can configure access profiles to determine which account receives access in automated provisioning.
- If you have the Access Request service, enable your roles and access profiles for access requests, setting up the required approval processes for each. You can also allow entitlements to be requested individually.
Always test new provisioning configurations in your sandbox environment before enabling them in production.
Errors and Retries
Identity Security Cloud automatically recognizes some provisioning error messages from source connectors, such as NoRouteToHostException, as retryable errors. When Identity Security Cloud receives a retryable error during provisioning, it retries the action. You can configure additional retryable errors for a source by using a PATCH request to add the retryableErrors field to the source's connectorAttributes. You can also add the provisioningRetryThreshold and provisioningMaxRetries fields to configure the retry process.
You can use these three fields to configure a source's retry errors:
- retryableErrors: The retryable errors to match against. For example, retry on "Connection timed out" errors.
- provisioningRetryThreshold: The retry looping threshold in minutes. One is the default and recommended value.
- provisioningMaxRetries: The maximum number of retries. Three is the default and recommended value.
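The following Python script is an added example, not SailPoint's own code or anything from this page. It builds the JSON Patch document that adds the three retry fields to a source's connectorAttributes and simulates the retry behaviour those fields describe, so an administrator can sanity-check values before applying them to a sandbox tenant. The endpoint path `/v3/sources/{id}`, the `application/json-patch+json` body format, and the `send_patch` helper are assumptions drawn from SailPoint's public v3 API rather than from this page; the substring matching used in `is_retryable` is also an assumption, since the page does not state how error messages are compared against retryableErrors.

```python
"""Build and sanity-check retry settings for an Identity Security Cloud source.

Added example (not SailPoint's code). The PATCH endpoint, header values and
matching rule below are assumptions; confirm them against the API docs and
the connector guide for your source.
"""
import json
import urllib.request
from typing import Callable, Iterable, List, Tuple

# Default and recommended values as stated in the documentation.
DEFAULT_RETRY_THRESHOLD_MINUTES = 1
DEFAULT_MAX_RETRIES = 3


def build_retry_patch(retryable_errors: Iterable[str],
                      threshold_minutes: int = DEFAULT_RETRY_THRESHOLD_MINUTES,
                      max_retries: int = DEFAULT_MAX_RETRIES) -> List[dict]:
    """Return JSON Patch operations that add the three retry fields
    under the source's connectorAttributes."""
    return [
        {"op": "add", "path": "/connectorAttributes/retryableErrors",
         "value": list(retryable_errors)},
        {"op": "add", "path": "/connectorAttributes/provisioningRetryThreshold",
         "value": threshold_minutes},
        {"op": "add", "path": "/connectorAttributes/provisioningMaxRetries",
         "value": max_retries},
    ]


def send_patch(base_url: str, token: str, source_id: str, ops: List[dict]) -> bytes:
    """Send the patch to PATCH /v3/sources/{id}. Assumption: endpoint path and
    JSON Patch content type come from the public v3 API, not from this page."""
    req = urllib.request.Request(
        f"{base_url}/v3/sources/{source_id}",
        data=json.dumps(ops).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json-patch+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def is_retryable(message: str, retryable_errors: Iterable[str]) -> bool:
    """Assumption: a case-insensitive substring match against each configured
    pattern. The actual matching rule is connector-specific."""
    lowered = message.lower()
    return any(pattern.lower() in lowered for pattern in retryable_errors)


def provision_with_retries(action: Callable[[], None],
                           retryable_errors: Iterable[str],
                           max_retries: int = DEFAULT_MAX_RETRIES) -> Tuple[bool, int]:
    """Run `action` once, then retry up to `max_retries` more times while the
    failure matches a retryable error. Returns (succeeded, total_attempts)."""
    patterns = list(retryable_errors)
    attempts = 0
    while True:
        attempts += 1
        try:
            action()
            return True, attempts
        except Exception as exc:  # connector errors surface as exceptions here
            if not is_retryable(str(exc), patterns) or attempts > max_retries:
                return False, attempts


def make_flaky_action(failures_before_success: int, message: str) -> Callable[[], None]:
    """Constructed stand-in for a connector call that fails N times, then succeeds."""
    state = {"remaining": failures_before_success}

    def action() -> None:
        if state["remaining"] > 0:
            state["remaining"] -= 1
            raise RuntimeError(message)

    return action


if __name__ == "__main__":
    ops = build_retry_patch(["Connection timed out", "NoRouteToHostException"])
    print(json.dumps(ops, indent=2))
    # Transient network error clears on the third attempt: succeeds within 3 retries.
    flaky = make_flaky_action(2, "java.net.NoRouteToHostException: No route to host")
    print(provision_with_retries(flaky, ["NoRouteToHostException"]))
    # A non-matching error is not retried at all.
    bad_creds = make_flaky_action(1, "Invalid credentials")
    print(provision_with_retries(bad_creds, ["Connection timed out"]))
```

Run it against a sandbox source first; the simulation shows why provisioningMaxRetries should stay small (a retryable error that never clears costs one initial attempt plus the configured number of retries) and why retryableErrors patterns should be specific enough not to match permanent failures such as bad credentials.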
Some connectors do not follow these retryable error settings. For more information, refer to the connector’s documentation in IdentityNow Connector Guides.