Best Practices: IdentityNow License Administration


 

Overview


IdentityNow is a subscription-based software-as-a-service (SaaS) solution for Identity Governance and Administration (IGA), and as you would expect, its subscription licenses are typically based on the identities in the system. In general, all identities in the system are subject to licensing terms, normally depending on their status. For instance, only normal 'active' identities may be counted towards a subscription license.

Here are some examples:

  • Anyone who is in an 'active' lifecycle state would be licensable from a subscription standpoint, but someone who is 'inactive' may not be licensed.
  • Anyone who can login to the system to perform duties such as password reset, access request, or access certifications would be someone who is considered a 'licensable' identity.
  • Non-human accounts managed by the system which can still be processed by various features might be considered a "light" user.

Your subscription terms and language may vary, so check your SailPoint Subscription Terms for how this might apply to your tenant(s) or circumstances.  SailPoint requires that each IdentityNow tenant be configured to reflect license status, so that a routine audit can confirm the license subscription status.

 

Configuration of Licensing


On the identity model there is a default identity attribute called License Status (licenseStatus). This attribute is a system attribute which annotates license status, and is configurable by IdentityNow administrators, implementers, or consultants. By default, it is not configured. To satisfy the auditing requirements, this attribute should be configured to contain one of the following values:

  • Licensed - This is used for identities which are applicable to licensing, usually because they are using IdentityNow, or are 'active' and available for provisioning.
  • Unlicensed - This is used for inactive identities which are not applicable to licensing.
  • Light - This is used for identities which are applicable to the light license, usually because they are non-human accounts that are still managed.

It is the customer's responsibility to determine how their identities and their data might be best mapped to these values given the data, features implemented, and the service subscription agreement.

Example Licensing Transform


SailPoint provides an example of a common licensing transform, which can be loaded into the system using the Transform REST APIs. The transform is as follows:

 

 

{
    "id": "Determine License",
    "type": "lookup",
    "attributes": {
        "input": {
            "attributes": {
                "input": {
                    "attributes": {
                        "values": [{
                                "attributes": {
                                    "name": "cloudLifecycleState"
                                },
                                "type": "identityAttribute"
                            },
                            "-",
                            {
                                "attributes": {
                                    "name": "accountType"
                                },
                                "type": "identityAttribute"
                            }
                        ]
                    },
                    "type": "concat"
                }
            },
            "type": "lower"
        },
        "table": {
            "active-": "licensed",
            "prehire-": "licensed",
            "loa-": "licensed",
            "inactive-": "unlicensed",
            "active-bot": "light",
            "active-serviceaccount": "light",
            "default": "unlicensed"
        }
    }
}

 

 


Feel free to use this as a basis for your own project licensing accountability.
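
An added example, not SailPoint's code: a small Python evaluator for the four transform types used above (identityAttribute, concat, lower, lookup), for checking a lookup table against sample identities before uploading it. It assumes a missing identity attribute concatenates as an empty string; the helper names and sample identities are constructed. Because the lookup input passes through `lower`, every table key other than `default` has to be lowercase to be reachable, which is what `unreachable_keys` checks.

```python
# Local evaluator for the transform types used on this page (added example).
# Assumption: a missing identity attribute concatenates as "" (implied by keys like "active-").

def evaluate(node, identity):
    """Evaluate a transform node (or a string literal) against an identity dict."""
    if isinstance(node, str):
        return node
    kind, attrs = node["type"], node.get("attributes", {})
    if kind == "identityAttribute":
        return identity.get(attrs["name"]) or ""
    if kind == "concat":
        return "".join(evaluate(v, identity) for v in attrs["values"])
    if kind == "lower":
        return evaluate(attrs["input"], identity).lower()
    if kind == "lookup":
        table = attrs["table"]
        return table.get(evaluate(attrs["input"], identity), table["default"])
    raise ValueError(f"unsupported transform type: {kind}")

def unreachable_keys(lookup):
    """Table keys that can never match because the lookup input is lowercased."""
    attrs = lookup["attributes"]
    if attrs["input"]["type"] != "lower":
        return []
    return [k for k in attrs["table"] if k != "default" and k != k.lower()]

def ident_attr(name):
    return {"type": "identityAttribute", "attributes": {"name": name}}

def build_transform(table):
    """Same shape as the page's transform: lookup(lower(concat(state, '-', type)))."""
    concat = {"type": "concat", "attributes": {"values": [
        ident_attr("cloudLifecycleState"), "-", ident_attr("accountType")]}}
    return {"id": "Determine License", "type": "lookup", "attributes": {
        "input": {"type": "lower", "attributes": {"input": concat}}, "table": table}}

TABLE = {"active-": "licensed", "prehire-": "licensed", "loa-": "licensed",
         "inactive-": "unlicensed", "active-bot": "light",
         "active-serviceaccount": "light", "default": "unlicensed"}
TRANSFORM = build_transform(TABLE)

# Constructed sample identities; the last one has an accountType the table does not list.
SAMPLES = [
    {"cloudLifecycleState": "active"},
    {"cloudLifecycleState": "Active", "accountType": "serviceAccount"},
    {"cloudLifecycleState": "inactive"}, {},
    {"cloudLifecycleState": "active", "accountType": "contractor"},
]

def run_samples():
    return [evaluate(TRANSFORM, s) for s in SAMPLES]
```

Note that an active identity whose accountType is not in the table falls through to `default` and is marked unlicensed, so any additional account types in your data need their own table entries.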


Reporting on Licensing


The easiest way to report on identities is to leverage IdentityNow search. As an IdentityNow administrator, go to Search and enter the following queries:

Licensed Identities


This query reports on identities who are marked as Licensed in IdentityNow.

 

 

attributes.licenseStatus:"licensed"

 

 


Unlicensed Identities


This query reports on identities who are marked as Unlicensed in IdentityNow.

 

 

attributes.licenseStatus:"unlicensed"

 

 

Light Identities


This query reports on identities who are marked as Light in IdentityNow.

 

 

attributes.licenseStatus:"light"

 

 

 


Identities without License Status


This query reports on identities who are not marked as Licensed, Unlicensed, or Light in IdentityNow, and includes any identities with null values.

 

 

((NOT attributes.licenseStatus:"licensed") AND (NOT attributes.licenseStatus:"unlicensed") AND (NOT attributes.licenseStatus:"light")) OR NOT _exists_:attributes.licenseStatus

 

 


License Status Audits


SailPoint Customer Success Managers (CSMs) may periodically check the numbers of identities which are licensed, unlicensed, or not configured to make sure that these counts are near the subscription agreement terms. If licenses are vastly different, or possibly misconfigured, SailPoint may audit and review these more in-depth with customers to understand the details of the terms, so that proper accountability is in place.

 

Questions?


For any questions, reach out to the SailPoint Customer Success Manager (CSM), or feel free to post in the SailPoint Compass Community.

Comments

Thanks.

Hello,

 

We are trying to create a transform that's specific to our organization but are not sure where to find the 'SailPoint Subscription Terms'. Please advise.

 

Thanks

Gopi Gummadi

Hi,

We have managed to create the transform as per your example above, but we are not sure how to set up the correct identity profile mapping. Please advise. The License Status attribute remains "Blank" whatever we try.

 

Thanks,

 

Miguel.

Was there an answer to this? I am having the same issue where the License Status attribute remains "Blank".

In the transform example, you use the identityAttribute cloudLifecycleState, but how can we ensure that that is calculated before the licenseStatus is calculated? 

Could this be the cause of the field being Blank?

Does this have to be in separate Identity Profiles, and have the Identity Profile sequences so that the one that calculates the cloudLifecycleStatus happens first?

 

Does this information apply to IdentityIQ too? Else can you point to a similar article for IdentityIQ. We want to identify exactly which types of users are licenseable and which type are not.

 

Many organizations have consultants who do not come from an authoritative application source, so they are not counted in the About page info.

SERI Example (About page)

Licensed Identities (Active + Correlated)    234

 

Version history: revision 5 of 5, last updated May 14, 2021 03:08 PM