IdentityNow is a subscription-based software-as-a-service (SaaS) solution for Identity Governance and Administration (IGA), and as you would expect, its subscription licenses are typically based on the identities in the system. In general, all identities in the system are typically applicable for licensing terms, normally depending on their status. For instance, only normal 'active' identities may be counted towards a subscription license.
Here are some examples:
Your subscription terms and language may vary, so check your SailPoint Subscription Terms for how this might apply to your tenant(s) or circumstances. SailPoint requires that each IdentityNow tenant be configured to reflect license status, so that a routine audit can confirm the license subscription status.
On the identity model there is a default identity attribute called License Status (licenseStatus). This attribute is a system attribute which annotates license status, and is configurable by IdentityNow administrators, implementers, or consultants. By default, it is not configured. To satisfy the auditing requirements, this attribute should be configured to contain one of the following values:
It is the customer's responsibility to determine how their identities and their data might be best mapped to these values given the data, features implemented, and the service subscription agreement.
SailPoint does provide a decent example of a common licensing transform, which can be put into the system using Transform REST APIs. This transform is as follows:
{
"id": "Determine License",
"type": "lookup",
"attributes": {
"input": {
"attributes": {
"input": {
"attributes": {
"values": [{
"attributes": {
"name": "cloudLifecycleState"
},
"type": "identityAttribute"
},
"-",
{
"attributes": {
"name": "accountType"
},
"type": "identityAttribute"
}
]
},
"type": "concat"
}
},
"type": "lower"
},
"table": {
"active-": "licensed",
"prehire-": "licensed",
"loa-": "licensed",
"inactive-": "unlicensed",
"active-bot": "light",
"active-serviceAccount": "light",
"default": "unlicensed"
}
}
}
Feel free to use this as a basis for your own project licensing accountability.
The easiest way to report on identities is to leverage IdentityNow search. As an IdentityNow administrator, go to Search and enter the following queries:
This query reports on identities who are marked as Licensed in IdentityNow.
attributes.licenseStatus:"licensed"
This query reports on identities who are marked as Unlicensed in IdentityNow.
attributes.licenseStatus:"unlicensed"
This query reports on identities who are marked as Light in IdentityNow.
attributes.licenseStatus:"light"
This query reports on identities who are not marked as Licensed or Unlicensed in IdentityNow, and includes any identities with null values.
(((NOT attributes.licenseStatus:"licensed") AND (NOT attributes.licenseStatus:"unlicensed")) AND (NOT attributes.licenseStatus:"light")) OR NOT _exists_:attributes.licenseStatus
SailPoint Customer Success Managers (CSMs) may periodically check the numbers of identities which are licensed, unlicensed, or not configured to make sure that these counts are near the subscription agreement terms. If licenses are vastly different, or possibly misconfigured, SailPoint may audit and review these more in-depth with customers to understand the details of the terms, so that proper accountability is in place.
For any questions, reach out to the SailPoint Customer Success Manager (CSM), or feel free to post in the SailPoint Compass Community.
Thanks.
Hello,
We are trying to create a transform that's specific to our organization but are not sure where do we find 'SailPoint Subscription Terms', please advise.
Thanks
Gopi Gummadi
Hi,
we have managed to create the transform as per your example above but not sure how to setup the correct identities profiles mapping - please advise. License Status attributes remains "Blank" whatever we try.
Thanks,
Miguel.
was there an answer to this. I am having the same issue where License Status attributes remains "Blank"
In the transform example, you use the identityAttribute cloudLifecycleState, but how can we ensure that that is calculated before the licenseStatus is calculated?
Could this be the cause of the field being Blank?
Does this have to be in separate Identity Profiles, and have the Identity Profile sequences so that the one that calculates the cloudLifecycleStatus happens first?
Does this information apply to IdentityIQ too? Else can you point to a similar article for IdentityIQ. We want to identify exactly which types of users are licenseable and which type are not.
Many organizations have consultants who do not come from authoritative application source, so they are not counted in the About page info.
SERI Example (About page)
Licensed Identities (Active + Correlated) 234
Thanks
Dear Supporters,
We would like to know when our sailpoint licenses expire. Could you please direct us to the option to view the expiration date?
Inactive is defined on [SailPoint Customer Agreements Definitions - SailPoint Product Documentation] as of [Last Updated: September 26, 2024].
Inactive - An Identity or Lite Identity for which, as applicable: (a) the Identity State is set to “inactive” in Identity Security Cloud or, (b) the profile is set to “archived” in Non-Employee Risk Management.
In addition to the Active Identities, Customers are entitled to store a limited number of Inactive Identities, in an amount not to exceed thirty percent (30%) of the combined total licensed Identities and Lite Identities. Inactive Identities are only applicable in the services set forth above.