Important: This document provides guidance on IdentityNow licensing for legacy customers who do not own the Provisioning module. For all other IdentityNow and Identity Security Cloud customers, configuration of Identity State determines licensing.
IdentityNow is a subscription-based software-as-a-service (SaaS) solution for Identity Governance and Administration (IGA). As you would expect, its subscription licenses are typically based on the identities in the system. SailPoint’s Identity Security products are singularly licensed by Identity according to the identity profiles in the SailPoint Customer Agreements Definitions and Additional Terms.
Here are some examples:
Your subscription terms and language may vary, so check your SailPoint Subscription Terms for how this might apply to your tenant(s) or circumstances. SailPoint requires that each IdentityNow tenant be configured to reflect license status, so that a routine audit can confirm the license subscription status.
On the identity model there is a default identity attribute called "License Status" (licenseStatus). This attribute is a system attribute which annotates license status, and is configurable by IdentityNow administrators, implementers, or consultants. By default, it is not configured. To satisfy the auditing requirements, this attribute should be configured to contain one of the following values:
It is the customer's responsibility to determine how their identities and their data might be best mapped to these values in accordance with the SailPoint Customer Agreements Definitions and Additional Terms and their data, features implemented, and service subscription agreement.
In order to codify business logic that dynamically determines the value of the "License Status" (licenseStatus) identity attribute (as described above), a Transform may be used, like the example below:
{
  "name": "License_Status",
  "type": "conditional",
  "attributes": {
    "expression": "$lifecycleState eq inactive",
    "positiveCondition": "unlicensed",
    "negativeCondition": "$licenseStatus",
    "lifecycleState": {
      "attributes": {
        "name": "cloudLifecycleState"
      },
      "type": "identityAttribute"
    },
    "licenseStatus": {
      "type": "static",
      "attributes": {
        "value": "#if($identity.getLinks().size()<=6)lite#{else}licensed#end"
      }
    }
  },
  "internal": false
}
Important: The above is meant solely as an example and may not be applicable in your environment, so be sure to modify it as needed.
Note: The number of links (a.k.a. accounts) is used as a proxy for sources in the determination of lite licensing in the above example, and the comparison accounts for the internal IdentityNow account that every identity has, but which should not be considered as a governed source.
The example Transform above relies on values in the "Lifecycle State" (cloudLifecycleState) identity attribute, whose values are presumably set via another Transform that codifies the business logic to determine if an identity is considered inactive. Legacy IdentityNow customers without the Provisioning module may still configure values for the "Lifecycle State" (cloudLifecycleState), even though those values are not then associated with provisioning logic. In fact, it is considered a best practice to do so: it facilitates future upgrades that include the Provisioning module, and it remains a useful attribute to denote the lifecycle state of an identity, which may be referenced in other parts of the implementation, such as reporting or other business logic (as in the example Transform above).
IdentityNow search offers a convenient way to report on license statuses:
attributes.licenseStatus:"licensed"
attributes.licenseStatus:"unlicensed"
attributes.licenseStatus:"lite"
Identities without License Status: (((NOT attributes.licenseStatus:"licensed") AND (NOT attributes.licenseStatus:"unlicensed")) AND (NOT attributes.licenseStatus:"lite")) OR NOT _exists_:attributes.licenseStatus
SailPoint Customer Success Managers (CSMs) may conduct periodic audits to ensure the number of licensed, unlicensed, and unconfigured identities aligns with your subscription agreement terms.
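A pre-audit reconciliation can be run offline against an identity export. The following is an added example, not SailPoint code: it mirrors the logic of the example Transform above and flags identities whose stored License Status is unconfigured or disagrees with that logic. The record field names (name, lifecycleState, linkCount, licenseStatus), the sample identities, and the treatment of a missing Lifecycle State as "not inactive" are assumptions made for illustration.

```python
from collections import Counter

# Threshold taken from the example Transform; it counts all links,
# including the internal IdentityNow account every identity has.
LITE_MAX_LINKS = 6
VALID_STATUSES = {"licensed", "unlicensed", "lite"}


def expected_status(lifecycle_state, link_count):
    """Mirror the example Transform: inactive -> unlicensed, else by link count."""
    if lifecycle_state == "inactive":
        return "unlicensed"
    # Assumption: a missing lifecycle state is treated as "not inactive".
    return "lite" if link_count <= LITE_MAX_LINKS else "licensed"


def reconcile(identities):
    """Return (tally of stored statuses, findings needing review)."""
    tally, findings = Counter(), []
    for ident in identities:
        stored = ident.get("licenseStatus")
        want = expected_status(ident.get("lifecycleState"), ident["linkCount"])
        if stored not in VALID_STATUSES:
            # Matches the "Identities without License Status" search.
            tally["unconfigured"] += 1
            findings.append((ident["name"], stored, want))
            continue
        tally[stored] += 1
        if stored != want:
            findings.append((ident["name"], stored, want))
    return tally, findings


# Constructed sample export (hypothetical field names and values).
SAMPLE = [
    {"name": "alice", "lifecycleState": "active", "linkCount": 7, "licenseStatus": "licensed"},
    {"name": "bob", "lifecycleState": "active", "linkCount": 6, "licenseStatus": "lite"},
    {"name": "carol", "lifecycleState": "inactive", "linkCount": 9, "licenseStatus": "licensed"},
    {"name": "dave", "lifecycleState": "active", "linkCount": 3},
    {"name": "erin", "lifecycleState": "inactive", "linkCount": 2, "licenseStatus": "unlicensed"},
]

if __name__ == "__main__":
    counts, issues = reconcile(SAMPLE)
    print(dict(counts))
    for name, stored, want in issues:
        print(f"{name}: stored={stored!r} expected={want!r}")
```

Each finding is a tuple of identity name, stored value, and the value the Transform logic would produce, so stale or unconfigured identities can be corrected before the counts are compared with the subscription agreement.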
For any questions regarding licensing, please contact your SailPoint Customer Success Manager (CSM).