How can we manage identity lifecycle provisioning with Identity Security Cloud?

With respect to provisioning, managing identity lifecycle in Identity Security Cloud typically involves facilitating the changes to accounts, access, and attributes. Focusing on accounts and access, there are two primary ways to configure lifecycle provisioning:

  1. Lifecycle states
  2. Roles

The recommended approach is to use lifecycle states for account management (i.e., enabling and disabling accounts in response to identity lifecycle events), and roles for access management (i.e., adding and removing access to accounts in response to identity lifecycle events). While lifecycle state provisioning configuration can also accommodate access management by facilitating the assignment and revocation of access profiles, it is beneficial to consolidate configuration under a single feature set, and roles provide a more robust access model.

For example, for a particular identity profile, the lifecycle state identity attribute can be configured to be active or inactive for each identity record, based on the status recorded in the authoritative source associated with that identity profile. The provisioning configuration of that identity profile can be configured to enable a set of accounts in the active lifecycle state, and disable the same accounts in an inactive lifecycle state. Then a set of roles can be configured with assignment criteria based on the active lifecycle state, each encompassing a set of access that should be granted to identities in that state. When identities are not in the active lifecycle state (i.e., they are in an inactive lifecycle state), they no longer meet the assignment criteria of these roles, and therefore the roles and underlying access will be removed.
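The arrangement described above can be modeled in a few lines of Python. This is an added example, not SailPoint code or the Identity Security Cloud API: the status value `"A"`, the account names, the role names and every function name are assumptions made up for the illustration. It computes the changes an identity needs after a lifecycle event and reports access that an inactive identity still holds.

```python
from dataclasses import dataclass, field

# Constructed sample configuration; names are illustrative, not product objects.
ACTIVE_STATUSES = {"A"}                        # authoritative source values meaning "active"
MANAGED_ACCOUNTS = ("Active Directory", "Email")
ROLES = {                                      # role -> (required lifecycle state, access)
    "Badge Access": ("active", {"Building Entry"}),
    "Employee Baseline": ("active", {"VPN", "Intranet"}),
}

@dataclass
class Identity:
    name: str
    source_status: str                         # status from the authoritative source
    enabled_accounts: set = field(default_factory=set)
    roles: set = field(default_factory=set)

def lifecycle_state(identity):
    return "active" if identity.source_status in ACTIVE_STATUSES else "inactive"

def plan(identity):
    """Return the changes needed to bring an identity in line with its state."""
    state, actions = lifecycle_state(identity), []
    # Lifecycle state provisioning: account enablement only.
    for account in MANAGED_ACCOUNTS:
        enabled = account in identity.enabled_accounts
        if state == "active" and not enabled:
            actions.append(("enable", account))
        elif state == "inactive" and enabled:
            actions.append(("disable", account))
    # Role assignment criteria: access follows the lifecycle state.
    for role, (required_state, _access) in ROLES.items():
        held = role in identity.roles
        if state == required_state and not held:
            actions.append(("assign_role", role))
        elif state != required_state and held:
            actions.append(("remove_role", role))
    return actions

def residual_access(identity):
    """Access an inactive identity still holds through roles not yet removed."""
    if lifecycle_state(identity) == "active":
        return set()
    return {a for r in identity.roles if r in ROLES for a in ROLES[r][1]}

if __name__ == "__main__":
    leaver = Identity("leaver", "T", {"Active Directory", "Email"}, {"Employee Baseline"})
    print(plan(leaver), residual_access(leaver))
```

A non-empty `residual_access` result for an inactive identity is the condition worth alerting on when reviewing leaver processing.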

In addition to the above, the Identity Security Cloud attribute sync feature can be leveraged to manage non-access related attribute changes required in response to identity lifecycle events, and the workflows and event triggers feature can be leveraged to facilitate complementary lifecycle event processing (whether or not provisioning is involved).

For more information, refer to the official product documentation.

Version history: revision 2 of 2. Last update: Dec 12, 2023 01:03 AM