Non-Employee Lifecycle Management Release Details
The ability to effectively manage access for all types of workers is more important now than ever before. To provide value to our customers as quickly as possible, we're releasing an initial version of our non-employee management feature which provides user interfaces for the most common tasks you'll perform.
This document contains details about what functionality you can expect, and how it will be made available in the first two releases.
June 2020 Release
We expect the following functionality will be available in June:
|In the User Interface||Via API|
For Org Administrators:
For Non-Employee Account Managers:
For Non-Employee Account Reviewers:
For Org Administrators:
September 2020 Release
We anticipate that when we release v2 of our non-employee lifecycle management functionality, all features previously only available via API will be available in the user interface.
As always, don't hesitate to reach out to your CSM with any questions, or post a question in our IdentityNow Forum.
Is there any documentation / screen shots / etc that we can view? This is a feature we've been waiting on for a long time and are excited to get it implemented.
Agree with @Ian, is there any documentation/screenshots that we can view? We have a recent business use case for this feature and would love to implement.
@tylerstevens - I asked my customer success manager to get this into our sandbox ASAP. I’ll let you know if that happens. I know they’ve been testing it for a while.
@Ian @tylerstevens We're excited for you to have your hands on our Non-Employee Lifecycle Management capabilities! We will have supporting documentation out toward the end of the month, which will also be when you can see the capabilities in your tenants.
I've been asking for access/information for months... but what's another couple of weeks I guess. : )
I see the Tile in my environment. Where can I find documentation for this?
I now see the tile in our Sandbox environment (not Production), but I don't see the source type as an option when trying to create a new source... is this release currently "In progress"? We are also closely watching for this release...
Is there any connection to the Account Password Management feature for these Non-Human accounts? Any capability to share accounts between populations for password management?
Hey all, it is now PAST DUE "end of month" but I still do not see any documentation?
It MAY be because I am too stupid to find (n00b here!) but still? there are some lurkers here who seem to be waiting, too?
Hey All, I see some documentation in this link https://community.sailpoint.com/t5/Admin-Help/tkb-p/IDN_admin_help. However, the API end points are still not updated. It would be great to have the end points added there. Also, they are just a flag on existing endpoints, it would be nice to mention the same here. https://community.sailpoint.com/t5/Admin-Help/Managing-Non-Employee-Sources-and-Accounts/ta-p/161460
The documentation for the non-employee API endpoints is actually out there now. @SandilyaKrovvidi & @wi_ing - If you navigate to the Admin-Help/Managing-Non-Employee-Sources document (second link in Sandilya's post) there is a portion that states:
"You can find all of these beta APIs under Non-Employee Lifecycle Management at api.identitynow.com." The key here is that the API endpoints are still BETA... so after navigating to api.identitynow.com, you have to make sure to select 'beta' from the dropdown at the top right of the screen ("select definition").
Seems like functionality we've been looking for but to make sure I understand it correctly - This would be most useful if for a given non-emp source, we could create an account manager who is a non-emp themselves so that account requests can be self-serviced by an external third party rather than have to assign account managers who are internal (emps).
For example, we might contract with a third party consultant company to bring in a team of consultants who need AD access. To set this up we would create a source for their company, create an account/identity for their HR person, that person would then create access requests for each member of a consulting team and an internal (emp) Account Reviewer would be assigned to approve the requests.
Is this an intended use case or does this not work for some reason? Is there any risk to allowing this external account mgr to access our tenants?
Anyone figured out how to update the list of Account Managers or Approvers for a Non-Employee Source through API? I keep getting JSON is not supported.
Detailed documentation will help a bit. Please post it. I'm also looking for either API or GUI to start testing out onboarding non-employees. Has anyone been able to get the API to work successfully?
Got API working...but API documentation is a little cryptic with few examples to help.
Here are links that might help
TIP: If you need to patch the list of approvers or account managers make sure you add Content-Type = application/json-patch+json to the header in Postman
My assessment of the Non-Employee Management Feature
When reviewing a product or feature, the main things I consider are: does this save time, make us more effective or efficient, or fix a problem, which then leads to saving money, reducing risk, etc. This leads to the question…
Is this better than having the manager email this information to the IAM team and have the IAM team fill out the .csv file for non-employees and upload?
- I like the fact that the business/or others outside of IAM team has an interface to put in the information directly about a contractor.
- The problem is the benefit stops there for us.
- To use this for all non-Employees we would need to train managers to use this properly
- Because we are expecting the manager to put in a unique SailPoint ID, now we are adding problems. (See #1 below for my suggestion on this)
- You also have to allow people to input individually. This is added work for the IAM team to administrate the list. Also the list uses the internal ID for the user that is not identifiable that would need to be looked up to figure out who has that access already (Not a better process)
- Approvals are singular accounts vs a group. If someone is out of the office, things don’t get approved (not a better process) (See #2 below)
- I know some things will move from API to UI but API is a real pain for high volume changes.
- The lack of good documentation or links between documentation to tell you the whole story is not good.
Suggestion to Product Team:
- From what I’ve learned, the manager requesting the account would need to know the unique Identity ID for the user. We use a sequential number pattern, which managers would need to pay attention to and look up to see what is next in sequence. It would be better if this could be left off the request and added as an additional step in the process by the IAM team.
- You can fix it but it also doesn’t show up for editing until all the approvals happen. By that time it’s too late to change the SailPoint ID. It will change the SailPoint logon though so now you have SailPoint ID different than logon.
- It also would be great if you could add additional fields that only the IAM could input afterwards in the process flow, that would be locked out from the requestor. This would be helpful if these attributes are tied to roles/birthrights that the manager wouldn’t know how to choose or input correctly.
- Approvers are singular vs Groups. It would be better to be able to reference governance groups too if approver is out.
This might be a good Beta / Niche product at this point, more tied to if you have high turnover of contractors and you want a couple of contract admins to input the non-Employees directly, and then have it go through the approval process by a certain person before creating an account.
In our world, I don’t see this being a function saving us time, make us more effective or efficient, or fixing a problem until at least the 3 suggested items above are addressed.
@haven904 That's a great review for the feature. Maybe you should add it as an idea for this feedback to be properly processed. Until the point of time this feature completely matures, just wanted to share an approach that we are taking up for contractor on-boarding.
An external user onboarding form is submitted in ServiceNow if you want a new hire to be onboarded. Submission of this form triggers an IdentityNow API which updates a flat-file source with new record in the source. Similar approach is followed for the submissions as well.
Access to this form is managed by a ServiceNow group.
FYI next Wed July 22 our first SaaS Office Hours will provide an overview of Non-Employee Lifecycle Management (NELM), which you can find here: Register Now: July 2020 SaaS Office Hours
I was trying to test and implement this feature in our sandbox env. When I tried to create a non-employee source, it asked for the owner. So I gave my ID and submitted the request. It threw an error stating that "Referenced Owner, approver, account manager was not found". The format seems to be UUID for owner, approver & account manager. What is this UUID and where can I find it in the IdentityNow environment? Please advise.
Does anyone know if this is now available in UI or tentative release date?
Please refer to the online help going forward, as the Compass article has been migrated (and will be removed).