IdentityNow
Requirements Gathering Wizard
This tool is designed to walk you through the documentation of your organization's business requirements. The goal is to gain a high-level understanding of the sources that are in scope for this IAM project, the access management procedures around those sources, and the expectations around your final implementation of IdentityNow.
Please understand that this is not an exhaustive list of requirements - the wizard is intended to be a data gathering tool that will guide more in-depth discussions with your SailPoint implementation team. However, we ask that you provide answers to the fullest extent possible so that the follow-up conversations you will have with your SailPoint team can be directed towards addressing any gaps or questions.
As you work through this wizard, we will automatically save your work each time you click the "Next" or "Save Progress" buttons. Once you are finished, simply click the "Send to SailPoint" button at the top of the page to generate a data file that can be downloaded and emailed to SailPoint for review.
- HR Sources
- Applications
- Authentication
- Password Management
- Joiner / Leaver
- Conversions
- Provisioning
- Roles & Access
- Certifications
- Advanced Integrations
HR Sources
Please specify the name and type of each Human Resources application that is in scope for this project. For many organizations, this is a single source of accounts for employees, contingent workers and contractors. However, if you have different applications for each type of worker, please use the "Add" link to extend this form with additional inputs for those applications.
For connectivity, if you are unsure of how you could integrate your target application with SailPoint, please review our Deciding Which Connector to Use guide on how to choose the right connector.
To get started, click the "Add Source" link below.
Applications
This section is where you can provide information about all of the downstream applications/targets that are in scope for your project (e.g., Active Directory, ServiceNow, proprietary databases, etc.). The "Data Change Freq." field is where you can specify how often IdentityNow will need to bring in data from this source, and the "Account Correlation Info" field is where you can identify what elements of the user's account within this source can be used to link it to the HR identity or person who owns it.
For connectivity, if you are unsure of how you could integrate your target application with SailPoint, please review our Deciding Which Connector to Use guide on how to choose the right connector.
To get started, click the "Add Application" link below.
Authentication
The information being requested here relates to how you would like your end users to sign into IdentityNow. Common options are SSO/SAML federation into IdentityNow, pass-through authentication against a source such as Active Directory or Okta, or local authentication using a SailPoint-specific username and password.
Joiner / Leaver
In IdentityNow parlance, "lifecycle states" refer to stages within an employee's tenure at your organization that result in changes to his/her access (joiner/mover/leaver). For example, if you have workers who come in from HR prior to their start date, and require certain accounts or items provisioned for them prior to their start date, this might be classified as a "prehire" state. Or, if a user were to go on leave, and that requires access to some systems to be suspended, this might be an "on leave" lifecycle state.
Similarly, you may have several types of statuses related to worker offboarding. Users might initially be "terminated" upon their employment end date being reached, but perhaps that means that accounts are only disabled for a brief period of time. It might be the case that accounts are deleted from the target system after a period of 30 days -- this could be defined as its own "deleted" state.
Most customers typically leverage three or four of the following states: Prehire, Active, On Leave / Legal Hold, and Terminated. To get started, click the "Add Lifecycle State" link below.
Password Management
IdentityNow offers various password management features such as password syncing, password recovery (both authenticated and unauthenticated flows), account unlock and local password reset support. This form allows you to specify which of those features, if any, are in scope for your project.
IdentityNow's Password Interceptor feature allows end users to change their password from their desktop devices, and still allow IdentityNow to synchronize that password change with other applications within the sync group. Our Desktop Password Reset feature allows end users who have been locked out of their local device to launch an embedded web browser from their Windows logon screen to initiate a password reset flow that will automatically update their Active Directory credentials.
Conversions
Some common conversion scenarios are when a contractor or contingent worker becomes a full-time employee, or vice versa. In such cases, it is helpful to know which systems these workers retain access to versus which systems they must be deprovisioned from.
To get started, click the "Add Conversion Scenario" link below.
Provisioning
In terms of provisioning, we are largely concerned with the core set of access that users must be granted within the target system, and what logic IdentityNow must employ in order to generate a valid username and/or password for that new account. Also helpful to know here is whether any managers or source owners need to be notified upon a successful account creation.
Roles & Access
If you have a Role-Based Access Control (RBAC) program, or allow some level of requestable access from your end users, please provide some information regarding these programs below. What is important to call out are things that might drive what roles users can/cannot have as a birthright, as well as any types of approval workflows that might need to be modeled within IdentityNow.
Certifications
Certifications, or User Access Reviews, are often part of an organization-wide audit requirement. Please help us understand which of the below types of certifications we need to be able to accommodate within IdentityNow. "Ad Hoc" certs can be things such as a one-off campaign to review access whenever a user changes job titles or transitions from an employee to a contractor.
Advanced Integrations
Integrations are often add-on workflows to the IdentityNow process to handle notification or task creation of things that are not directly connected to the IdentityNow platform. For example, creating accounts in a disconnected source, or requesting computer hardware for a new hire. Oftentimes, customers would like to send these provisioning activities to an ITSM platform such as ServiceNow or Jira Service Desk. If you have any requirements around using this functionality, please describe them below.
All Done!
Thank you for taking the time to complete this wizard. Using the "Download" button below, you can download a copy of your responses in Markdown format for your records, or if you'd like to send the responses to SailPoint at a later date. Once downloaded, you will see a form for sending your selections to SailPoint immediately. This is entirely optional but, if you are working with SailPoint, clicking the "Submit" button on the form will share your answers with us directly.
We strongly suggest downloading a copy of your responses even if you choose to send an email directly to SailPoint.
IdentityNow Password Interceptor
The password interceptor is managed through a web service method and a workflow. The password interceptor client calls the web service which in turn launches the workflow to complete the password interception process (usually propagation to other systems).
Password Interceptor for Active Directory provides the mechanism by which a password change initiated by an Active Directory user is captured by the Client and sent to the IdentityIQ / IdentityNow server.
With Active Directory, there can be multiple domain controllers in a particular domain and multiple domains in the domain tree. The Password Interceptor captures a password change only from the Domain Controller on which it is installed.
The Password Interceptor Client service intercepts each password change and sends it to the configured Password Interceptor Server. The Client service must be installed on each Domain Controller.
The following points describe the sequence of events triggered when an Active Directory user changes password:
- A user requests a password change on a workstation that is served by one Domain Controller (DC) in the domain.
- On that Domain Controller, the Local Security Authority (LSA) calls each password filter registered on the computer. Password filters provide the means to implement password policy and change notifications. NOTE: Password Interceptor must be installed on every Domain Controller, because the LSA service runs there and is what detects password change requests for Active Directory. The DC is the only place where the password can be captured in clear text, and Password Interceptor hooks into the LSA password-filter mechanism to capture the change.
- The Password Change request is written to the Password Interceptor Client which is a Windows service running on the same computer.
- The intercepted messages containing the password data from the Password Interceptor Client are sent to the server.
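Because the interceptor only sees password changes on the DC where it is installed, a practitioner will want to verify that its password filter is registered with LSA on every domain controller. The following PowerShell audit is an added example, not SailPoint's code; it assumes the ActiveDirectory module and WinRM access to each DC, and the filter DLL name is a placeholder, not the real name the interceptor registers.

```powershell
# Added example (not SailPoint's code): list the password-filter DLLs that LSA
# loads on every domain controller and flag DCs where the interceptor's filter
# is missing. LSA reads registered filters from the 'Notification Packages'
# value under the Lsa key, a standard Windows location.
$ExpectedFilter = 'ExampleInterceptorFilter'   # placeholder; use the DLL name your installer registers
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        # REG_MULTI_SZ comes back as a string array, one entry per DLL
        $packages = Invoke-Command -ComputerName $dc -ScriptBlock {
            param($key)
            (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
        } -ArgumentList $LsaKey -ErrorAction Stop

        [pscustomobject]@{
            DomainController      = $dc
            NotificationPackages  = ($packages -join ', ')
            InterceptorRegistered = [bool]($packages -contains $ExpectedFilter)
        }
    }
    catch {
        # Unreachable DC: report it rather than silently skipping it
        [pscustomobject]@{
            DomainController      = $dc
            NotificationPackages  = "ERROR: $($_.Exception.Message)"
            InterceptorRegistered = $false
        }
    }
}

$results | Format-Table -AutoSize
# A DC with InterceptorRegistered = False will not forward that DC's password changes.
# Review any entry you do not recognise as well: LSA loads every DLL listed here.
```

Run this from a workstation with domain admin rights after each interceptor rollout or DC promotion, since a newly promoted DC will not have the filter until the Client is installed on it.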
IdentityNow Desktop Password Reset
This application allows end users to access any web-based password management solution and change their password - even if they have forgotten their password or are locked out of their computer. SailPoint strongly recommends using SailPoint's Password Management solution with this application as it is specially designed to ensure the security of the system. Changing the password will reset the user’s password and all the connected accounts on different Managed Systems. This application is accessed when the Forgot Password option is clicked from the Login screen on the end user’s computer. Once they change their password, their account is unlocked and they can log in normally.
SailPoint Desktop Password Reset (referred to as the Desktop Password Reset) must be deployed on the Windows computer of each end user who should have access to the product. In a large organization, the deployment process can involve many thousands of computers. Therefore, the process for setting up installation files and installing the product on each computer must be carefully planned.
Deciding Which Connector to Use
Overview
When implementing IdentityNow, one of the first tasks in a project is to plan which sources IdentityNow will interface with. Key to that onboarding task is understanding which connector or source type should be used to interface with each source system.
This document describes the process of deciding which connector to use, and the questions you should ask in order to select the right connector for your target source or application.
Connector Classifications
Connectivity Methods
IdentityNow has two primary connectivity methods:
- Direct Connectivity - This is where a connector communicates directly with a system using APIs or data sources. Some advantages of direct connectivity are that you don't have to generate or transmit files, and you can process only the things that have changed. Some disadvantages are that it is subject to availability and downtime concerns like any connected system, and it inherits whatever advantages and limitations the system's APIs impose.
- Some people also refer to this as an 'online' method of connectivity.
- File-Based Connectivity - This is where a connector reads from a snapshot of data presented in a file, rather than connecting directly to the system. Some advantages of using a file are that files are portable, easily inspected for data issues, and not typically subject to availability concerns. Some disadvantages are that files are usually processed in their entirety, and may require processing or transformation in order to work effectively.
- Some people also refer to this as a 'decoupled' or 'offline' method of connectivity.
Connector Implementations
In IdentityNow, independent of the connectivity methods, connectors come in the following implementations:
- Source-Specific Implementation - These are connectors built with a specific target system in mind. They typically use APIs specific to the system they integrate with. Because the systems and APIs are known, these typically require less configuration to get working.
- Examples of these are Active Directory, Workday, Salesforce, SAP, etc.
- General Implementation - These are general-purpose connectors which can be used to connect to a variety of sources or systems. These tend to be more flexible in general, but typically do require a bit more setup and configuration to meet needs.
- Examples of these are Web Services, SCIM, JDBC, Delimited Files, etc.
- Custom Implementation - These are completely custom connectors and tailored to the system and API of your choice. This approach offers the most flexibility of all connector options, however making custom connectors is definitely a development-level activity, and is not to be taken lightly. The code written for custom connectors is maintained and supported by the customer who owns the connector.
- Examples of these are custom in-house applications, etc.
Understanding these connector implementations is important, because if a source-specific implementation isn't available, another general or custom connector implementation may be used instead.
Decision Process
The full process of deciding which connector you should use is here:
Here is some elaboration around the decision points on the document:
What connectivity method?
This asks which connectivity method you prefer. The options are File-Based Connectivity or Direct Connectivity, as defined earlier in this document.
File format?
If file-based connectivity method is selected, the next question is around the structure of the file format provided. If a standardized SailPoint-provided file format is needed, then select a Generic File Connector. Otherwise, a Delimited File Connector would be able to read delimited files.
Is this a known connector?
If you select a direct connectivity method, the next question is whether there is a known connector in our connector list.
SailPoint offers many source-specific connectors - such as Active Directory, Workday, Salesforce, SAP, etc. If the connector you are looking for is not in the connector list, then we'll have to see if we can leverage a general implementation of a source connector - something like a Web-Service, SCIM, JDBC, etc.
Does this have any APIs?
This is seeing if there are specific APIs to talk to the system in general, to help figure out which of the general connectors might be best poised to leverage those APIs. If the source has a SCIM 1.1 API, then leverage the SCIM 1.1 Connector. If the source has a SCIM 2.0 API, then leverage the SCIM 2.0 Connector. If the source has a REST API, then you might be able to use a Web Services Connector; otherwise a Custom Connector will be able to work, but would require a good amount of effort. If there are no APIs, then look at data sources next.
Does this have any data sources?
This asks what the underlying data store of the source is. If the source stores information in a structured database, then a JDBC Connector is a popular option to pull in account and entitlement information. If the source is a directory, then an LDAP Connector is likely best positioned to connect to the data store. If a file data source is available, then the implementation would move away from a direct connectivity method to a file-based connectivity method.
No Connector Available
If all data sources, APIs, and connectivity options are exhausted, then there isn't much SailPoint can do. SailPoint would suggest working with the source vendor to make some interface available. SailPoint is very partial to the SCIM standard (we helped define it), but can accommodate other interfaces through a mix of general or custom connector implementations.