Managing Policies in SailPoint's Cloud Services

When using SailPoint's Separation of Duties service, you can implement these types of policies:

  • Separation of Duties policies are intended to limit each user's involvement in important processes, and protect your organization from individuals gaining excess access.
  • General Policies are intended to help your organization maintain data integrity.

NOTE: If you had SoD policies in your org before October 6, 2020, those policies were migrated automatically to General Policies. To use future SoD functionality with these policies, migrate them to access-based policies. See Migrating Policies for more information.


You can use the information in this document to create these policies.


Creating a Separation of Duties Policy

The concept of separation of duties means that no single person should hold conflicting sets of access: each identity's access should be organized in a way that protects your company's assets and data.

For example, people who record monetary transactions shouldn't be able to issue payment for those transactions. Changes to major system configurations should be approved by someone other than the person requesting the change.

Using your internal security rules, you can create Separation of Duties (SoD) policies within IdentityNow to enforce and track those rules.

To create an SoD policy, you'll create two lists of access. A violation will be triggered if an identity has access found in both lists.

Prerequisites:

  • Know your company's policies and have access to your internal documentation
  • Be familiar with IdentityNow's Search syntax

Complete the following steps:

1. Sign in to IdentityNow and go to Search.


2. In the vertical toolbar on the left, click Policies.


3. Click Create New Policy.


4. Click Create Access Lists under Separation of Duties Policy.

Access found in one list conflicts with access found in the other list. An identity in your system will trigger a violation if they have access found in both of these lists.


5. Enter a name for each access list. Click Next.

The Search page is displayed.


6. Use Search to find entitlements that you want to add to each list. For more information about Search, see Structuring a Search.


7. Select the entitlements that you want to add to one of your lists.


8. Click the + Add button with the name of the appropriate list to add the selected entitlements to that list.

You can also click the + icon beside an individual entitlement and choose which list to add it to.

NOTES:

  • You can revise your search query if necessary to find additional entitlements.

  • Remove entitlements from each list by expanding the access lists at the bottom of the screen and selecting the X icon beside the entitlement.

When you're finished adding entitlements to your lists, click Next.

The Configuration page is displayed.


9. In the Policy Information section, enter the following:

  • Policy Name - The name of your SoD policy as you call it in your organization. This field is required.

  • Description - A description of the policy and why it's important. This field is required.

  • External Reference - A link to a reference site, such as an internal policy or a standards body, that describes this policy and its connections to stakeholders. If you'd like to be able to click the link to navigate to the site, be sure the link works when you enter it.

  • Tags - Enter any labels you'd like to assign to your policy to help define what governance processes the policy relates to. For more information, see Tagging in IdentityNow.


10. In the Separation of Duties Policy Owners section, enter the following:

  • Policy Owner - This user or governance group is the subject matter expert and point of contact for the policy. This field is required.

  • Violation Owner - This user or governance group:
    • Will be notified when there are violations to this policy, and will be automatically included in any subscriptions to this policy.

    • Will be assigned to all remediations and violations, when this feature becomes available.

    If you don't want a violation owner for your policy, you can select None.

If you choose to use a governance group or individual as an owner for this policy, enter the name of that entity in the field. When you click this field, the first six items of your selected type are displayed. To see more, begin typing.


11. In the Addressing Violations section, enter the following:

  • Mitigating Controls - Instructions on what to do if a violation is unavoidable.
  • Correction Advice - How to correct violations.

Click Next.


12. Review your policy.

13. Click Save Policy.

A success message is displayed.

After you've created a policy, you can edit the policy, or take action by downloading reports, enabling the policy, or disabling it.


Creating a General Policy

General policies are intended to keep your identity data organized and consistent.

For example, you can create a policy to verify that all employees in your org have a department code, to ensure your corporate policies are implemented. Alternatively, you can identify employees who don't have managers, to prevent problems with certifications.

To create a general policy, you'll start with a search query to find all identities that meet criteria that violate your organization's internal policies.

Prerequisites:

  • Know your company's policies and have access to your internal documentation
  • Be familiar with IdentityNow's Search syntax

Complete the following steps:

1. Sign in to IdentityNow and go to Search.

You can also get to this page by selecting the Layers icon in the vertical toolbar, clicking Create New Policy, and clicking Create Search Query under General Policy.


2. Enter a search query. This query should return identities whose data is in violation of your internal policies.

For example, you could search for identities in an error status, or who don't have a manager or a department code.


3. Click General Policy.


4. Click Next.


5. Enter the following information on the Configuration page:

  • Violation Owner - This user or governance group:
    • Will be notified when there are violations to this policy, and will be automatically included in any subscriptions to this policy.
    • Will be assigned to all remediations and violations, when this feature becomes available.

    If you don't want a violation owner for your policy, you can select None.

  • Mitigating Controls - Instructions on what to do if a violation is unavoidable.

  • Correction Advice - How to correct violations.

Click Next.


6. Enter the following information on the Information page:

  • Business Name - The name of your policy as you call it in your organization. This field is required.
  • Description - A description of the policy and why it's important. This field is required.
  • Policy Owner - This user or governance group is the subject matter expert and point of contact for the policy. This field is required.
  • External Reference - A link to a reference site, such as an internal policy or a standards body, that describes this policy and its connections to stakeholders. If you'd like to be able to click the link to navigate to the site, be sure the link works when you enter it.
  • Tags - Enter any labels you'd like to assign to your policy to help define what governance processes the policy relates to. In the future, you'll be able to search on these tags. For more information, see Tagging in IdentityNow.

Click Next.


7. Review your policy and click Create.

A success message is displayed.

After you've created a policy, you can edit the policy, or take action by downloading reports, enabling the policy, or disabling it.


Editing Policies

Basic information about all policies can be edited. You can also edit the access lists in access-based SoD policies.

Prerequisite: One or more SoD or general policies have been created in your organization.

Complete the following steps:

1. Sign in to IdentityNow and go to Search.

2. Click the Policies icon in the vertical toolbar.

3. Click the policy you want to edit.

4. Click the Options menu and click Edit.

5. Make changes to the data about your policy on the Configuration tab.

If you need to make changes to an SoD policy's access lists, go to the Conflicting Access tab.


Taking Action on Policies

After you've created a policy, you can view it in the Policies list and take action on it.

Prerequisite: One or more SoD or general policies have been created in your organization.

Complete the following steps:

1. Sign in to IdentityNow and go to Search.

2. Click the Policies icon in the vertical toolbar.

You can take the following actions:

  • To get a report of violations to an individual policy, click the Get Report icon beside that policy. If this icon is disabled, ensure the policy status is set to Enforced.
  • To download a report of all violations to enabled policies in your org, click the Get All Results icon.
  • To start a certification campaign based on violations of a policy, click Create Certification beside the policy. This method always creates identity-based certification campaigns, and certifies all access for those identities.
  • To enforce or disable a policy, click the policy's name, click Options, and click Enforce Policy or Disable Policy. Violations of disabled policies don't appear in the results of bulk violation reports.
  • To delete a policy, click the policy's name, click Options, and click Delete. Deleted policies can't be recovered.
  • To receive the violations to a policy on a regular basis, click the policy's name and click the Envelope icon. For more information about subscriptions, see Using Subscriptions.


Policy and Violation Limits

You can have a maximum of 500 total policies, of either type, in your org. In each access-based SoD policy, you can have a maximum of 50 entitlements in each access list.

Reports on policy violations are limited to a specific number of violations. Excessive policy violations could be indicative of a larger data problem, or a sign that your policy is incorrectly constructed. Consider correcting those issues before downloading reports of your policy violations.

Your site has the following limitations on violations:

  • A report of the violations for a single policy won't show more than 2,000 violations, and a message will be displayed in the report.
  • A report of the violations for all enabled policies won't show more than 10,000 violations, and a message will be displayed in the report. Each multi-policy report will display up to 2,000 violations for a single policy before displaying violations for the next policy in the list.
  • Your site can't have more than 50,000 violations across all enabled and disabled policies. If you generate a report that exceeds this limit, you'll see a message indicating you're unable to generate additional violation reports until there are fewer violations in your site.
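The evaluation semantics described above (an identity violates an access-based SoD policy when it holds access from both lists; a general policy is a search query over identity data; single-policy and bulk reports are capped at 2,000 and 10,000 violations and disabled policies are excluded from bulk reports) can be modelled offline to sanity-check a policy's volume before you enforce it. The following Python is an added example written for this page; it is not SailPoint code and does not use the IdentityNow API. The entitlement IDs, identity records and field names are constructed, and the general-policy "query" is a plain predicate standing in for a Search query.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Limits quoted on this page.
MAX_POLICIES = 500
MAX_ENTITLEMENTS_PER_LIST = 50
PER_POLICY_REPORT_CAP = 2_000
ALL_POLICIES_REPORT_CAP = 10_000
SITE_VIOLATION_CAP = 50_000


@dataclass
class Identity:
    name: str
    entitlements: frozenset                      # entitlement IDs the identity holds
    attributes: dict = field(default_factory=dict)


@dataclass
class SodPolicy:
    """Access-based SoD policy: two conflicting access lists."""
    name: str
    list_a: frozenset
    list_b: frozenset
    enforced: bool = True

    def __post_init__(self):
        # The UI caps each list at 50 entitlements; fail early here too.
        for label, lst in (("list_a", self.list_a), ("list_b", self.list_b)):
            if len(lst) > MAX_ENTITLEMENTS_PER_LIST:
                raise ValueError(f"{self.name}: {label} has {len(lst)} entitlements "
                                 f"(limit {MAX_ENTITLEMENTS_PER_LIST})")

    def violates(self, ident: Identity) -> bool:
        # Identity-level check: ANY entitlement from list A together with ANY from
        # list B is a violation; two entitlements from the same list are not.
        return bool(ident.entitlements & self.list_a) and bool(ident.entitlements & self.list_b)


@dataclass
class GeneralPolicy:
    """General policy: a Search query over identity data, modelled as a predicate."""
    name: str
    query: Callable[[Identity], bool]
    enforced: bool = True

    def violates(self, ident: Identity) -> bool:
        return self.query(ident)


def violators(policy, identities) -> list:
    return [i.name for i in identities if policy.violates(i)]


def policy_report(policy, identities) -> Optional[dict]:
    """Single-policy 'Get Report'. None when the policy is not enforced (icon disabled)."""
    if not policy.enforced:
        return None
    names = violators(policy, identities)
    return {"policy": policy.name,
            "violations": names[:PER_POLICY_REPORT_CAP],
            "truncated": len(names) > PER_POLICY_REPORT_CAP}


def all_results_report(policies, identities) -> Optional[dict]:
    """'Get All Results': enforced policies only, at most 2,000 rows per policy and
    10,000 rows in total. Returns None when the site-wide cap, which also counts
    violations of disabled policies, is exceeded."""
    if len(policies) > MAX_POLICIES:
        raise ValueError(f"{len(policies)} policies exceeds the limit of {MAX_POLICIES}")
    if sum(len(violators(p, identities)) for p in policies) > SITE_VIOLATION_CAP:
        return None
    rows, truncated = [], False
    for p in policies:
        if not p.enforced:
            continue
        names = violators(p, identities)
        truncated |= len(names) > PER_POLICY_REPORT_CAP
        for n in names[:PER_POLICY_REPORT_CAP]:
            if len(rows) >= ALL_POLICIES_REPORT_CAP:
                return {"rows": rows, "truncated": True}
            rows.append((p.name, n))
    return {"rows": rows, "truncated": truncated}


# Constructed sample data; entitlement IDs and names are not real SailPoint values.
IDENTITIES = [
    Identity("alice", frozenset({"erp:ap.enter_invoice", "erp:ap.approve_payment"}),
             {"manager": "carol", "department": "FIN"}),
    Identity("bob", frozenset({"erp:ap.enter_invoice"}), {"manager": "carol", "department": "FIN"}),
    Identity("carol", frozenset({"erp:gl.close_period"}), {"manager": None, "department": "FIN"}),
    Identity("dave", frozenset({"erp:ap.approve_payment", "erp:ap.modify_vendor"}), {"manager": "carol"}),
]
AP_SOD = SodPolicy("AP: invoice entry vs. payment approval",
                   list_a=frozenset({"erp:ap.enter_invoice", "erp:ap.modify_vendor"}),
                   list_b=frozenset({"erp:ap.approve_payment"}))
NO_MANAGER = GeneralPolicy("Employees without a manager",
                           lambda i: i.attributes.get("manager") is None)
NO_DEPT = GeneralPolicy("Employees without a department code",
                        lambda i: not i.attributes.get("department"), enforced=False)

if __name__ == "__main__":
    for p in (AP_SOD, NO_MANAGER, NO_DEPT):
        print(p.name, "->", policy_report(p, IDENTITIES))
    print(all_results_report([AP_SOD, NO_MANAGER, NO_DEPT], IDENTITIES))
```

Two consequences of the identity-level check are worth noting when you build access lists. First, a violation needs only one entitlement from each list, so a broad list such as "all AP entitlements" on one side will flag far more identities than a list of the specific conflicting entitlements. Second, if the same entitlement ends up in both lists, every identity that holds it is a violator, so check the lists for overlap before saving. Running a model like this against an export of your identity data also shows whether a new policy would exceed the 2,000-per-report cap before you enforce it.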


Migrating Policies

If you had separation of duties policies before Oct. 6, 2020, these policies were automatically migrated to general policies when access-based SoD policies were introduced.

This is because those legacy policies and general policies are constructed the same way, with search queries.

To use future functionality related to SoD, such as preventative SoD, you’ll need to migrate these policies to access-based SoD policies.

Revision 19 of 19. Last update: Dec 14, 2020 03:25 PM