As with any major piece of software, there is a fairly extensive security model behind the scenes controlling what people can and can't do or see. IdentityIQ is no exception, having a collection of SPRight and Capability objects governing what can be done. SailPoint typically provides a capabilities matrix for each version of IdentityIQ. In other cases, users in the community have assembled this matrix and posted it for those looking for more information. This matrix has become an invaluable tool for those responsible for mapping out what access to grant different types of users.
While this spreadsheet is a great resource, it falls short in a couple of key areas...
- It lacks any description around what these various SPRight assignments actually do.
- While great for giving detail around out of box rights/capabilities, it doesn't help customers who have created their own rights/capabilities.
- Building and maintaining this matrix is primarily a manual task.
Given this information is all (mostly) available within IdentityIQ, why not utilize a rule to retrieve this information from a live system? Doing so allows us to address all 3 bullet points above (grab descriptions where available, include custom rights/capabilities, and avoid doing it manually)! So we decided to give it a try... The initial version of that effort is attached. The rule is designed to export this information in a format similar to the capabilities matrix we use today.
A few notes:
- At this point it just returns the CSV formatted data as a result of running the rule. At some point in the future I will add dumping it to file directly.
- Many SPRight descriptions are missing as they are not defined anywhere within IdentityIQ. Hopefully something like this will help SailPoint realize how important this data is and will go add good descriptions (hint hint) moving forward!
Hope this helps!
