What is Sailpoint

Introduction to Sailpoint

Sailpoint is an automated version of identity management that lowers the expense and complexity of identity management for users while still granting them access. Sailpoint is a mobile device that is lightweight and easy to use. It is referred to as an identity management solution because it provides more functionality than identity management. IdentityIQ is given by Sailpoint and is known as the IdentityIQ war-file. Many of the program modules are included in this war file.

Maintaining knowledge access in today's dominant, data-driven context is a challenge that needs much more from Identity and Access Management (IAM) technologies than ever before. In the area of IAM, SailPoint is generally recognized as the industry leader. Organizations will now place IAM at the forefront of their security and IT policy by using IdentityIQ and its Open Identity Platform, allowing them to view and govern access through the enterprise, including on-premises and cloud systems and applications.

These days, Sailpoint is holding to its credibility as a pioneer. Compliance, security, and productivity all benefit from effective identity controls. SailPoint IdentityIQ is a cutting-edge identity management system that eliminates the expense and hassle of complying with regulations while still supplying users with access. Traditional identity management addresses these fields independently and often hires a variety of disjoint products.

IdentityIQ, on the other hand, offers a unified solution based on a shared identity governance system. This allows access-related practices to be implemented systematically through enterprise, security policy, role, and risk models. To simplify access certifications, policy enforcement, and end-to-end access request and provisioning procedures, IdentityIQ includes the following main components.

Want To Get SailPoint Training From Experts? Enroll Now For Free Demo SailPoint Training.

Overview of SailPoint IdentityIQ

There are many solutions on the market today that include an IDM solution for business applications. So, what's new with IdentityIQ from Sailpoint? The key is in its method of providing a solution. Existing IDM solutions are IT-centric, and their effectiveness is largely dependent on the IT helpdesk and technical team. Sailpoint needs to migrate as many identities and access procedures as possible from the IT technical team to end-users, reducing the technical team's dependence. As a whole, we may claim that this software is more business-oriented than other IDM products that are more IT-oriented. In comparison to current IDM products, which have different interfaces with various meanings, it has a single-use interface.

Sailpoint IdentityIQ is a single approach that combines provisioning and enforcement capabilities. As a matter of fact, this IDM product will handle all aspects of identity and access management, including "access certifications," "policy enforcement," "account provisioning," and "user life-cycle management."

Sailpoint Training

• Master Your Craft
• Lifetime LMS & Faculty Access
• 24/7 online expert support
• Real-world & Project Based Learning

Explore Curriculum

Components of Sailpoint Identity IQ

Sailpoint Identity IQ is made up of four main components:

1. Compliance Manager.
2. Lifecycle Manager.
3. Governance Platform.
4. User Provisioning.

1. Compliance Manager

SailPoint IdentityIQ Compliance Manager combines identity procedures such as Access certification* and Policy enforcement* and automates common auditing, monitoring, and maintenance practices.

Compliance Manager aids in the prioritization of the most important compliance tasks and focuses restrictions on the users, equipment, and access rights that pose the greatest risk.

• It tracks and prevents unauthorized access and policy breaches in real-time.
• During mergers and acquisitions, it guarantees compliance and better handles risk.

Access Certifications: User control rights are reviewed regularly to ensure that they are aligned with the user's job role and follow protocol guidelines. Internal controls such as access certifications are frequently used to ensure regulatory compliance.

Policy Enforcement: The collection of preventive and detective controls that ensure the company follows established policies automatically.

2. Lifecycle Manager

From a centralized, user-friendly interface, SailPoint IdentityIQ Lifecycle Manager enables enterprise users to seek entry and reset passwords. IdentityIQ Lifecycle Manager guarantees that users have only the most suitable standards of access for their job role by applying policies on all customer lifecycle processes.

IdentityIQ Lifecycle Manager integrates with authoritative channels such as HR applications and corporate directories to simplify changes to user access arising from a variety of identity lifecycle activities (i.e., new hires, transfers, moves, or terminations). If a lifecycle incident is observed, the Lifecycle Manager initiates the necessary business process, which involves policy checking and approvals.

We will use Lifecycle Manager to:

• Enable business users to request and handle access on their own.
• Enable business users to update and restore passwords daily.
• Automated identity lifecycle activities will help you get control quicker. (i.e., hires, transfers, and terminations)
• Processes for demanding and modifying access should be centralized.
• Offload IT and support desk activities to streamline IT operations.

Self-service access request: Under the limits of your pre-defined identity policies and role models, centralized access request management enables administrators and end-users to request new access or make improvements to current access rights. It also allows you to display current access and delete it as required, as well as build and edit identities, more effectively and accurately
.

Self-Service: The method of encouraging users to request resource access through a self-service interface, with the request being forwarded to the required manager(s) for approval using workflow.

Password management: Controlling the setting, resetting, and synchronizing of passwords through networks by automation.

Users and/or their authorized delegates will update or reset passwords across target applications using the same business-friendly user interface. Allowing end-users to manage password updates on their own will drastically minimize the number of calls to the service desk. Most notably, unified password management would help us to implement strong password policies that are customized for each application consistently.

Event-based lifecycle management: We should incorporate event-driven lifecycle management to automate access changes based on HR or other authoritative feeds to further streamline user onboarding, offboarding, and other job changes within the enterprise.

3. Governance Platform

The IdentityIQ Governance Framework from SailPoint centralizes identity data, collects corporate policies, models positions, and handles user and resource risk factors constructively. These advanced capabilities help companies to enforce protective and detective controls for essential identity business processes such as access certifications, access requests, lifecycle management, and provisioning.

We will use the Governance Platform to:

• Centralize technological identification data from various sources and turn it into rich, business-relevant data.
• Role-based access can be developed, implemented, and validated through a range of enterprise applications.
• Assess the risk of each user, program, and device resource within the ecosystem to prioritize enforcement and protection efforts.
• For detective and preventive control, define and use enterprise access policies.

4. User Provisioning

The SailPoint IdentityIQ Provisioning Broker acts as a channel between enforcement and customer lifecycle processes, allowing for consistent user interfaces and processes at the business tier that is distinct from technological change processes. Provisioning Broker sends access update requests to automatic provisioning systems, such as IdentityIQ Provisioning Engine or third-party provisioning systems, which may also use manual change control procedures to monitor the progress of any modifications demanded by the company by generating help desk tickets or manual work products. This streamlined orchestration of improvements through access management systems unifies policy compliance, workflow control, and auditing, giving organizations the freedom to adjust user access in the manner they see fit.

We can do the following with User Provisioning:

• Accelerate the pace at which access improvements to our controlled services are enforced.
• Improve enforcement by enacting changes in line with existing policies.
• Provide auditors with reports of provisioning changes.

Provisioning: User access to programs, software, and databases is granted, changed, or removed based on unique user identity.

Identity Cubes and Identity Attributes Concept

• Identity Cubes are used by SailPoint IdentityIQ to represent users.
• In the real world, Identity Cubes are a correlated set of accounts and entitlements that represent a single user.
• Identity Cubes are multi-dimensional data structures that have a logical description of each handled person.
• Each Cube includes details on user entitlements, user behavior, and the market context that affects them.
• “Cubes” are created by a discovery process based on authoritative sources, such as taking in user account data from Authoritative Applications and refreshing them automatically, or by running an Identity Refresh Task.
• Identity Attributes are used to describe Identity Cubes and hence describe the real-world user.
• Identity Attributes are generated by projecting a list of attributes from different sources directly or by using rules or mappings.
• Name, email, department, and so on are all examples of identification attributes.

User Discovery

• Identity Cubes are generated and modified with account and attribute data from various back-end systems using a multi-step technique.
• One or more "authoritative sources" (HR, Corporate Directory) have a community of specific identities and begin the process of creating Identity Cubes.

Connector

• An IdentityIQ portion that imports device and account data from a variety of targeted networks, applications, and systems. As part of an application, a connector is specified. (For instance, Delimited File Connector, JDBC, Active Directory, and so on.)
• As an Authoritative Resource, SailPoint supports all of the industry-standard databases. Supported Connectors include the following examples: Active Directory, DB2, Delimited File, IBM Tivoli Directory Server, IBM Tivoli Identity Manager, JDBC, LDAP, LDIF, Linux, Lotus Notes, Mainframe, MS SQL Server, MS SharePoint, Oracle DB, Oracle Apps, PeopleSoft, RACF, SAP, SAP HR, SAP Portal, Salesforce, Solaris, Sun IDM, Sybase and many more.

Account Aggregation

• IdentityIQ's method of building and upgrading Identity Cubes with an account, attribute, and entitlement data accessed through customized Applications.
• In an identity management solution, account aggregation is very similar to reconciliation. Account aggregation is handled by tasks.
• Account Aggregation is done by establishing reusable Account Aggregation functions and executing them.

Subscribe to our youtube channel to get new updates..!

Subscribe

When it comes to Access Governance for Sailpoint IdentityIQ, certification procedures are crucial. In general, the principles are the same as they are in every other Access Governance product, but let's take a closer look at IdentityIQ certifications.

Sailpoint IdentityIQ Certification Phases

The Certification processes enable testers, administrators, and certifiers to examine and correct user access to different tools such as applications, entitlements, profiles, and functions, among others. Certifications in IdentiyIQ are classified into groups based on the form of resources:

• Manager Certifications
• Application Owner Certifications
• Entitlement Owner Certifications
• Advanced Certifications
• Account Group Certifications
• Role Certifications
• Identity Certifications
• Event‐Based Certifications

Despite the fact that certifications are graded depending on their functionality, all of the aforementioned categories of certifications go through the same processes during their lifecycle. Some steps are optional, while others may be needed. There are the four phases:

1. Generation Phase
2. Active Phase
3. Challenge Phase
4. Sign Off Phase
5. Remediation\Revocation Phase
6. End Phase

1.Generation Phase:

Configuring certification criteria on the Basic, Lifecycle, Notifications, Behavior, and Advanced pages of the UI is part of this phase. The certification's phases are determined by the combination of these parameter values. Parameters such as certification owner, certification frequency, notification scenarios, and other related parameters are specified during this process.

2. Active Phase:

• The certifiers are expected to make their decisions during the Active process (approve\revoke).
• If any delegations or reassignments are needed, they must be done within this phase.
• The duration of the Active period is specified on the Lifecycle page.

3. Challenge Phase:

• When the Active Period ends, the Challenge Phase begins.
• A user whose access is affected by a reviewer's decision will appeal the decision during the challenge phase.
• It is only enabled if the “Enable Challenge Period” option on the Lifecycle page was selected.

4. Sign-Off Phase:

• At the end of the Challenge phase, the Sign Off phase begins.
• Reviewers will no longer make changes to Access Reviews after pressing the Sign Off button.
• The next step will be either the Revocation phase of the End phase, depending on the criteria chosen in the generation phase.

5. Remediation/Revocation Phase:

• Using the provisioning process, remediation activities (such as revocation of access rights) are done on the source application during this step (manually or automatically)
• In most cases, remediation entails writing emails and generating work items for resource owners to complete. In most cases, remediation entails writing emails and generating work items for resource owners to take action.
• When a Revocation Period is allowed, IdentityIQ keeps track of the status of remediation requests; when it isn't, remediation requests are sent for processing but aren't monitored.

6. End Phase:

• When all Phases configured for the Access Review have reached their expiration dates or when all activities needed for the procedure (as configured) have been completed, the Access Review enters its End Phase.
• Clicking Sign Off starts the End Phase if a Certification does not have a Challenge or Revocation Period enabled.
• End Phase can begin only after all remediation requests have been met or when the Revocation Period's end date has passed if a Revocation Period is activated.
  
  

There are two types of certifications available in Sailpoint IQ. The first is based on their "Time Period of Execution," and the second is based on their "functionality."

Sailpoint Certification Types

Let's start with a discussion of their designation based on their "Time period of Execution."

Certifications may be run regularly or on an ongoing basis. Periodic certifications concentrate on the frequency of which the overall credential must be performed, while continuous certifications focus on the frequency of which specific products must be accredited.

Certifications may also be set up to operate in response to events that occur during the life cycle of an identity. For example, it may be set up to automatically produce a credential when the manager of an identity changes, or when a job change occurs, or even when a new identity is created.

Periodic Certification:

Hourly, daily, weekly, yearly, quarterly, and annual certifications are all set to run regularly. These analyses include a snapshot of the identities, roles, and account groups regularly. Periodic certifications are concerned with the number of times whole institutions (identities, positions, and account groups) must be accredited.

Periodic certifications necessitate the certifier signing off on a completed access check, one in which all of the items (roles, entitlements, breaches, and account groups) have been addressed and verified.

Continuous Certification:

Continuous certifications are concerned with the frequency of which specific objects (roles, entitlements, and violations) within identification category certifications must be accredited, rather than the frequency with which the whole credential must be conducted. The sign-off approach isn't used in continuous certifications.

Let's take a look at how they're classified based on their "functionality."

Manager Certifications — Ensure that the direct reports have the privileges they need to do their jobs, and just the privileges they need to do their jobs.

Application Owner Certifications — Ensure that all identities using an application for which an Application Owner is responsible have the necessary permissions.

Entitlement Owner Certifications — Ensure that all identities accessing entitlements that an Entitlement Owner is liable for are right.

Advanced Certifications — Ensure that all identities in the population associated with the Advanced Certification have the required entitlements and responsibilities.

Account Group Certifications — Ensure the account communities for which an account user is liable to have the required approvals and membership. The owner of the application on which they reside certifies account groups that do not have owners assigned.

Role Certifications — Ensure that the positions for which a role owner is responsible are made up of the necessary roles and entitlements and that they are allocated to the appropriate identities.

Identity Certifications — certify the entitlement information for the identities chosen from the Identity Risk Score, Identity Search Results, or Policy Breach pages, which are normally for at-risk users.

Event‐Based Certifications — Certify entitlement details for the identities chosen based on IdentityIQ events.

Conclusion

Identity governance has always placed more importance on ensuring safe and compliant user access. However, identity is now inspiring companies more than ever before, due to the added intelligence of AI and machine learning. Predictive Identity from SailPoint enables people to do their best work. SailPoint identity handles the dynamic protection and enforcement problems, from provisioning users on Day 1 to automating The helpdesk requests, so your people can function freely while your applications are stable.

Related Articles

• Sailpoint Workflow
• SailPoint Integration
• Sailpoint Identity