Provisioning Overview
Provisioning is the process of changing user access to systems and data in your enterprise. It can be initiated by users through actions such as access requests, certifications, or manager requests, or through automated configurations. Automated configurations include role assignments and lifecycle states that keep user access aligned with their business requirements.
The connection for each source determines whether provisioning triggered by lifecycle states is handled automatically or manually. Sources with a direct connection are provisioned automatically while flat file sources require the source owner to complete a manual provisioning task assigned to them through the Task Manager.
Setting Up Provisioning
These configurations within Identity Security Cloud are important drivers of the provisioning process.
- For each source, review and update the Create Account specification. When access is granted to a user who does not already have an account on the source, Identity Security Cloud automatically creates an account for them using the attributes and values specified in this definition.
- Add any or all of these configurations to drive automated provisioning for your users.
  - Attribute sync keeps account data in your sources in sync with identity data in Identity Security Cloud.
  - Lifecycle states automatically grant or revoke access based on users' employment status in the company.
  - Roles grant or remove access based on users' job functions.
  - Access profiles represent bundles of access that your roles and lifecycle states can grant.
    - Where identities can have more than one account on a source, you can configure access profiles to determine which account receives access in automated provisioning.
- If you have the Access Request service, enable your roles and access profiles for access requests, setting up the required approval processes for each. You can also allow entitlements to be requested individually.
Best Practice
Always test new provisioning configurations in your sandbox environment before enabling them in production.
Errors and Retries
Identity Security Cloud automatically recognizes some provisioning error messages from source connectors, such as ConnectException and NoRouteToHostException, as retryable errors. When Identity Security Cloud receives a retryable error during provisioning, it will retry the action once per hour, up to 3 times. Although the action is scheduled to run after 60 minutes, it may be delayed due to other work items in your tenant's queue.
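One way to triage failed provisioning events against the retry policy above (an added example, not SailPoint code or API output). The event layout, status labels, and sample events are constructed for illustration, and only the two exception names given above are treated as retryable; listing revocations first is a triage choice made in this example.

```python
from datetime import datetime, timedelta

# Policy from this page: a retryable error is retried once per hour, up to
# 3 times, and a retry can start later than its 60-minute mark under queue load.
RETRY_INTERVAL = timedelta(minutes=60)
MAX_RETRIES = 3
# Only the two names this page gives; the platform's full list is not shown here.
KNOWN_RETRYABLE = ("ConnectException", "NoRouteToHostException")

def triage(event, now):
    """Return (status, earliest_next_retry) for one failed provisioning event.

    `event` is a hypothetical dict: error text, retries already made, and the
    time of the most recent attempt.
    """
    if not any(name in event["error"] for name in KNOWN_RETRYABLE):
        return ("review", None)            # not known to be retried automatically
    if event["retries"] >= MAX_RETRIES:
        return ("exhausted", None)         # no further automatic attempts
    due = event["last_attempt"] + RETRY_INTERVAL
    # Past the 60-minute mark means queued behind other work, not abandoned.
    return ("delayed" if now > due else "waiting", due)

def needs_attention(events, now):
    """IDs of events that will not be retried, revocations listed first."""
    stuck = [e for e in events if triage(e, now)[0] in ("review", "exhausted")]
    stuck.sort(key=lambda e: e["operation"] != "revoke")
    return [e["id"] for e in stuck]

# Constructed sample events (not real tenant data).
NOW = datetime(2024, 1, 10, 12, 0)
EVENTS = [
    {"id": "ev-1", "operation": "grant", "retries": 1,
     "last_attempt": NOW - timedelta(minutes=30),
     "error": "java.net.ConnectException: Connection refused"},
    {"id": "ev-2", "operation": "grant", "retries": 3,
     "last_attempt": NOW - timedelta(minutes=10),
     "error": "java.net.NoRouteToHostException: No route to host"},
    {"id": "ev-3", "operation": "revoke", "retries": 0,
     "last_attempt": NOW - timedelta(minutes=5),
     "error": "Insufficient privileges to modify account"},
    {"id": "ev-4", "operation": "revoke", "retries": 2,
     "last_attempt": NOW - timedelta(minutes=95),
     "error": "java.net.ConnectException: Connection timed out"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], *triage(ev, NOW))
    print("needs attention:", needs_attention(EVENTS, NOW))
```

A failed revocation that lands in "review" or "exhausted" means the access is still in place on the source until someone acts on it.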