Provisioning is a component of Identity Governance & Administration. It enables organizations to automate the process of granting and revoking access to applications, systems, and data based on specific rules and policies. The purpose of Provisioning is to improve the accuracy and efficiency of the access management process, reduce manual errors, and ensure compliance with security policies. It supports various provisioning methods such as data-driven or automated provisioning and request-based or user-initiated provisioning. It also integrates with a variety of systems and applications to streamline the access management process.
To grant access to a user, an administrator can create a request in IdentityNow for a specific resource or application. The request can include the level of access required, such as read-only or full access, and can be sent for approval. Once approved, the user’s account will be automatically provisioned with the necessary access.
To revoke access, an administrator can remove a user’s access to a specific resource or application by creating a request to deprovision the access. This request can also be sent for approval. Once approved, the user’s access will be automatically removed from the resource or application.
IdentityNow for Provisioning:
IdentityNow Provisioning is a feature of the SailPoint IdentityNow platform that enables organizations to automate the process of granting and revoking access to applications, systems, and data.
To configure IdentityNow for provisioning, the following steps should be taken:
- Set up the IdentityNow Provisioning service: This involves creating a new provisioning service in IdentityNow and setting up the connection to the target systems and applications.
- Define the provisioning rules: This involves creating rules that define the criteria for granting and revoking access to systems and applications. The rules can be based on factors such as user role, job title, location, etc.
- Map the attributes: This involves mapping the user attributes from IdentityNow to the attributes in the target systems and applications. This step ensures that the correct data is provisioned to the correct user.
- Implement the provisioning process: This involves deploying and integrating the provisioning rules into the overall access management process. This step may involve updating existing processes or creating new ones and updating policies and procedures to align with the new provisioning process.
Two categories of actions can trigger provisioning:
Data-driven/Automated – Triggered automatically based on changes in identity data.
For instance, when a new employee is added to an HR system, the employee’s account is aggregated into IdentityNow and immediately provisioned in the target system. With data-driven provisioning, access can be provisioned accurately and efficiently and automatically de-provisioned as needed.
Request-driven/User-initiated – Triggered by a user request.
For instance, an employee can use the SailPoint IdentityNow interface to request access to a new application. Access is provisioned after the request is granted. If the approver denies the request, access will not be granted. Request-driven provisioning helps ensure that access is allowed only when necessary.
Source Account Provisioning:
Source Account Provisioning allows organizations to automate the process of creating and updating user accounts in source systems, reducing manual errors and improving the accuracy and efficiency of the access management process.
Account Creation (Create Account)
Updating the account creation configuration in IdentityNow involves making changes to the configuration settings that determine how user accounts are created in source systems.
The create account configuration supports the following mapping types:
- Identity attribute – Use an identity attribute’s value to set the account attribute.
- Generator – Patterns can use text values and variables.
- Static – Enter a simple text value or build a value for the attribute.
- Disable – Use this option to omit an attribute when creating a new account.
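The four mapping types above, worked through in an added Python sketch (not SailPoint code and not IdentityNow's configuration format). The attribute names, the `{variable}` pattern syntax, and the `build_account` helper are assumptions made for illustration; the sketch fails closed when an identity attribute needed by a mapping is missing, so no partial account is produced.

```python
import re

# Constructed sample identity; attribute names are assumptions for this sketch.
SAMPLE_IDENTITY = {"firstname": "Dana", "lastname": "Ortiz",
                   "email": "dana.ortiz@example.com", "department": "Finance"}

# Hypothetical create-account configuration, one entry per mapping type.
SAMPLE_CONFIG = [
    {"account_attr": "mail", "type": "identity_attribute", "value": "email"},
    {"account_attr": "sAMAccountName", "type": "generator",
     "value": "{firstname}.{lastname}"},
    {"account_attr": "company", "type": "static", "value": "Example Corp"},
    {"account_attr": "manager", "type": "disable"},
]


class MappingError(ValueError):
    """Raised when a mapping cannot be resolved; no account is returned."""


def _lookup(identity, name):
    # Treat a missing or blank identity attribute as an error, not as "".
    value = identity.get(name)
    if value is None or str(value).strip() == "":
        raise MappingError(f"identity attribute {name!r} is missing or empty")
    return str(value)


def build_account(identity, config):
    """Resolve every mapping into the attribute set for a new account."""
    account = {}
    for mapping in config:
        kind, attr = mapping["type"], mapping["account_attr"]
        if kind == "disable":
            continue  # attribute is omitted from the new account
        if kind == "identity_attribute":
            account[attr] = _lookup(identity, mapping["value"])
        elif kind == "generator":
            # Replace each {variable} token; literal text passes through.
            account[attr] = re.sub(
                r"\{(\w+)\}",
                lambda tok: _lookup(identity, tok.group(1)),
                mapping["value"],
            )
        elif kind == "static":
            account[attr] = mapping["value"]
        else:
            raise MappingError(f"unknown mapping type {kind!r} for {attr!r}")
    return account
```
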
When certain conditions are met, such as when an access review determines that a user no longer needs access to a particular system or application, SailPoint IdentityNow may automate the process of disabling accounts and de-provisioning access. This lowers the risk of unauthorized access by ensuring that access is terminated promptly and consistently.