It is up to organizations to decide how they want Sailpoint IdentityIQ to be used for their business requirements.
Generally, there are two scenarios. In the first, the requirement is only to perform User Access Reviews, so that each user's access to applications is assessed on a regular basis and audit requirements are fulfilled. In the second, the requirement is an end-to-end Identity and Access Management tool that does not just perform user access reviews but also manages the lifecycle of an identity, user access, password management, provisioning, and so on.
SailPoint IdentityIQ has recognized these different patterns of requirements and provides features that satisfy both types.
Let us drill down a bit into both of these types of requirements.
Implementing IdentityIQ to perform only User Access Reviews using a delimited connector
IdentityIQ started its journey as a product whose primary strength was a powerful access audit tool, and it then rapidly added features to become a one-stop solution for all IAM requirements.
The organizations that adopted the product early on preferred to implement it for User Access Reviews only. The world is changing now.
Highlights of this type of solution
These implementations were based purely on read-only connectors, mostly of the delimited type.
The applications for which access control through IIQ was to be implemented were on-boarded as delimited applications.
Application owners provided their user access data as flat CSV files; this data was aggregated in IIQ, and access certifications were then performed on it.
Pros
Easy to implement.
The data aggregation is very fast.
Application owners can first adopt this type of solution to judge the performance of IIQ and observe user experience.
No requirement to provide a direct online connection to the application's repository of user access and permissions, which matters when the application is sensitive and business-critical. Where a connection is acceptable, the same outcome can be achieved with a read-only connection to the application's repository of user access data.
Cons
This may require a lot of data massaging and manual effort.
Manual intervention increases the chance of human error, and hence the data may be tampered with or corrupted in transit.
User access data may not be current.
The biggest negative aspect of this type of implementation is that closed-loop remediation is not possible, i.e. IIQ cannot directly provision or revoke user access, because a read-only connector is used.
Decisions taken as part of the user access reviews need to be sent to application teams through Excel or PDF reports or a ticketing tool, and the remediation action on the target applications is then performed manually by application support teams.
This is represented in the diagram below:
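The following is an added example, not IdentityIQ code or anything from the product's documentation, that models the delimited-connector flow described above: a constructed flat extract is fingerprinted on receipt (so a later copy can be compared to detect tampering), checked for staleness against an assumed hand-over window, aggregated into accounts and entitlements, and then turned into the manual remediation list that revocation decisions require when no write-back connector exists. The column names, the pipe separator inside the entitlements column and the seven-day window are assumptions.

```python
import csv
import hashlib
import io
from datetime import date, timedelta

# Constructed sample of the flat extract an application owner hands over for a
# delimited application. Column layout and "|" entitlement separator are assumed.
EXTRACT = """account,display_name,entitlements
jsmith,John Smith,finance_read|finance_approve
adoe,Alice Doe,finance_read
bkim,Bob Kim,admin|finance_read
"""
EXTRACT_DATE = "2024-03-01"  # date stamped on the hand-over (constructed)


def fingerprint(extract_text: str) -> str:
    """SHA-256 of the file as received; compare with the owner's copy to detect tampering."""
    return hashlib.sha256(extract_text.encode("utf-8")).hexdigest()


def is_stale(extract_date: str, today: str, max_age_days: int = 7) -> bool:
    """True when the extract is older than the agreed hand-over window (assumed 7 days)."""
    age = date.fromisoformat(today) - date.fromisoformat(extract_date)
    return age > timedelta(days=max_age_days)


def aggregate(extract_text: str) -> dict:
    """Parse the extract into {account: set(entitlements)}, like an IIQ aggregation would."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(extract_text)):
        ents = {e.strip() for e in row["entitlements"].split("|") if e.strip()}
        accounts[row["account"].strip()] = ents
    return accounts


def remediation_report(accounts: dict, decisions: dict) -> list:
    """decisions maps (account, entitlement) -> 'Approved' or 'Revoked'.
    Returns the rows an application team must act on by hand; a revocation that
    does not match the extract is flagged so nobody removes the wrong access."""
    rows = []
    for (acct, ent), verdict in sorted(decisions.items()):
        if verdict != "Revoked":
            continue
        present = acct in accounts and ent in accounts[acct]
        rows.append({"account": acct, "entitlement": ent,
                     "action": "revoke" if present else "verify",
                     "note": "" if present else "not in latest extract"})
    return rows
```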