Today there are many products on the market that provide IDM solutions for enterprise applications. So what is new about SailPoint IdentityIQ?
The answer lies in its approach to providing the solution.
Existing IDM products are IT-focused, and their efficiency depends largely on the IT helpdesk and the IT technical team. SailPoint aims to shift more and more identity and access processes from the IT technical team to the end users, so that dependency on the technical team is as small as possible. In that sense this product is business-focused, whereas other IDM products are IT-focused. It also has a single user interface, whereas existing IDM products have multiple interfaces with multiple contexts.
SailPoint IdentityIQ integrates provisioning and compliance features into a single solution. Thus one IDM product is able to address the full range of identity and access management needs: access certifications, policy enforcement, account provisioning and user life-cycle management.
SailPoint IdentityIQ consists of four major components:
Compliance Manager
Lifecycle Manager
Governance Platform
User Provisioning
COMPLIANCE MANAGER:
SailPoint IdentityIQ Compliance Manager automates the common auditing, reporting and management activities and integrates identity processes such as access certification* and policy enforcement*.
Compliance Manager helps to prioritize the most critical compliance activities and focuses controls on the users, resources and access privileges that represent the greatest potential risk.
• It proactively detects and prevents inappropriate access and violations of corporate policies
• It helps ensure compliance and better manage risk during mergers and acquisitions
*Access Certifications: The periodic review of user access privileges in order to validate that access privileges align with a user’s job function and conform to policy guidelines. Access certifications are commonly used as an internal control to ensure compliance with regulations.
*Policy Enforcement: The set of preventive and detective controls that automatically ensure that defined policy is followed by the organization. A preventive control stops a violating change before it is provisioned (for example, rejecting an access request that would create a separation-of-duties conflict); a detective control finds violations that already exist in the aggregated identity data and routes them for remediation.
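The two forms of policy enforcement defined above, shown on a separation-of-duties (SoD) policy. This is an added example written for this page, not SailPoint's own code or IdentityIQ's policy API; the data model (entitlements as plain strings, a policy as two mutually exclusive entitlement sets, identities as dicts) and all sample identities and entitlement names are constructed for illustration. It shows the design point that matters in practice: the preventive check blocks only the new conflict a request would introduce, and leaves violations that already exist to the detective scan, so an unrelated request is not blocked by old findings.

```python
"""Added example (not SailPoint code): separation-of-duties policy
enforcement in its preventive and detective forms.
Assumptions: entitlements are strings of the form "App:Entitlement",
a policy is two sets of mutually exclusive entitlements, and an
identity is just the set of entitlements it currently holds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodPolicy:
    name: str
    left: frozenset   # entitlements on one side of the conflict
    right: frozenset  # entitlements on the other side


def violations(policy, entitlements):
    """Return every conflicting (left, right) pair the entitlement set
    contains, or an empty list if the policy is satisfied."""
    ents = set(entitlements)
    held_left = ents & policy.left
    held_right = ents & policy.right
    return [(l, r) for l in sorted(held_left) for r in sorted(held_right)]


def detect(policies, identities):
    """Detective control: scan existing access of every identity and
    report each violated policy. Returns {identity: [(policy, pairs)]}."""
    report = {}
    for name, ents in identities.items():
        found = []
        for p in policies:
            pairs = violations(p, ents)
            if pairs:
                found.append((p.name, pairs))
        if found:
            report[name] = found
    return report


def prevent(policies, current, requested):
    """Preventive control: evaluate an access request before provisioning.
    Returns (allowed, reasons). Only conflicts the request would *introduce*
    are blocking; pre-existing violations belong to the detective scan."""
    before = set(current)
    after = before | set(requested)
    reasons = []
    for p in policies:
        new_pairs = set(violations(p, after)) - set(violations(p, before))
        if new_pairs:
            reasons.append(f"{p.name}: {sorted(new_pairs)}")
    return (not reasons, reasons)


# Constructed sample policies and identities (illustrative names only)
POLICIES = [
    SodPolicy("AP-CreateVendor-vs-ApprovePayment",
              frozenset({"SAP:FK01_CreateVendor"}),
              frozenset({"SAP:F110_ApprovePayment"})),
    SodPolicy("Dev-vs-ProdDeploy",
              frozenset({"Git:Developer"}),
              frozenset({"Jenkins:ProdDeploy", "AD:ProdAdmins"})),
]

IDENTITIES = {
    "alice": {"SAP:FK01_CreateVendor", "SAP:F110_ApprovePayment"},  # existing violation
    "bob":   {"Git:Developer"},
    "carol": {"AD:ProdAdmins", "Jenkins:ProdDeploy"},                # same side only: fine
}

if __name__ == "__main__":
    print("detective:", detect(POLICIES, IDENTITIES))
    print("bob requests ProdDeploy:", prevent(POLICIES, IDENTITIES["bob"], ["Jenkins:ProdDeploy"]))
    print("bob requests HelpDesk:", prevent(POLICIES, IDENTITIES["bob"], ["AD:HelpDesk"]))
```

Run it and the detective scan reports only alice; the preventive check rejects bob's request for `Jenkins:ProdDeploy` (it would pair with his `Git:Developer`) but allows an unrelated `AD:HelpDesk` request, including for alice, whose existing conflict is already an open detective finding.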
LIFE CYCLE MANAGER:
SailPoint IdentityIQ Lifecycle Manager allows business users to easily request access and reset passwords themselves from a centralized, business-friendly interface. By applying policy to all user lifecycle processes, IdentityIQ Lifecycle Manager ensures users acquire only the most appropriate levels of access for their job function.
IdentityIQ Lifecycle Manager automates changes to user access resulting from a range of identity lifecycle events (e.g., new hires, transfers, moves or terminations) through integration with authoritative sources, such as HR systems and corporate directories. When a lifecycle event is detected, Lifecycle Manager triggers the required changes by initiating the appropriate business process, including policy checking and approvals.
With Lifecycle Manager, we can:
• Empower business users to independently request and manage access
• Enable business users to proactively change and reset passwords
• Speed delivery of access using automated identity lifecycle events (e.g., hires, transfers and terminations)
• Centralize access requests and change processes
• Streamline IT operations and offload IT and help desk
Self-service access request: Centralized access request management allows managers and end users to conveniently request new access or make changes to existing access privileges within the constraints of your pre-defined identity policy and role models. It also provides an efficient, more accurate way to view existing access and remove access as needed, as well as to create and edit identities.
*Self-Service: The process of allowing users to request access to resources using a self-service interface, which uses workflow to route the request to the appropriate manager(s) for approval.
*Password management: Automation of the process for controlling setting, resetting and synchronizing passwords across systems.
Using the same business-friendly user interface, users and/or their approved delegates can change or reset passwords across target systems. Allowing end-users to proactively manage password changes can significantly reduce help desk calls. Most importantly, centralized password management will enable us to consistently enforce strong password policies, customized for each application.
*Event-based lifecycle management: To further streamline user onboarding, off-boarding, and other job changes within the enterprise, we can add event-based lifecycle management to automatically trigger access changes based on HR or other authoritative feeds.
GOVERNANCE PLATFORM:
The SailPoint IdentityIQ Governance Platform centralizes identity data, captures business policy, models roles and proactively manages user and resource risk factors. Together, these integrated capabilities allow organizations to build preventive and detective controls that support critical identity business processes, including access certifications, access requests, lifecycle management and provisioning.
With the Governance Platform, we can:
• Centralize technical identity data across resources and transform it into rich, business-relevant information
• Create, enforce and verify role-based access across diverse enterprise applications
• Prioritize compliance and security efforts by assessing the risk of each person, application and system resource across the environment
• Define and leverage enterprise access policies for detective and preventive control
USER PROVISIONING:
SailPoint IdentityIQ Provisioning Broker acts as a bridge between compliance and user lifecycle processes, allowing consistent user interfaces and processes at the business layer that are separate from technical processes for implementing change. Provisioning Broker sends access change requests to automated provisioning systems, including IdentityIQ Provisioning Engine or third-party provisioning systems; and can also leverage manual change management processes by creating help desk tickets or manual work items to track the progress of all changes requested by the business. This seamless orchestration of changes across access delivery mechanisms unifies policy enforcement, process monitoring and auditing, and gives organizations the flexibility to provision changes to user access in any way they choose.
With User Provisioning, we can:
• Speed the provisioning of access changes to our managed resources
• Improve compliance by implementing changes according to defined policy
• Generate documentation of provisioning changes for auditors
*Provisioning: The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity.
Concept of Identity Cubes and Identity Attributes
SailPoint IdentityIQ represents users by Identity Cubes.
Identity Cubes are a correlated collection of accounts and entitlements that represent a single user in the real world.
Identity Cubes are multi-dimensional data models of identity information that offer a single, logical representation of each managed user.
Each Cube contains information about user entitlements, user activity, and associated business context.
“Cubes” are built through a discovery process from authoritative sources, that is, by bringing in user account data from authoritative applications, and are refreshed dynamically or by running an Identity Refresh task.
Identity Attributes are used to describe Identity Cubes and hence describe the real-world user.
Identity Attributes are either mapped directly from account attributes on one or more sources or derived from those attributes through rules.
Examples of Identity Attributes are name, email, department, etc.
User Discovery
User discovery is a multi-step process by which Identity Cubes are created and updated with account and attribute data from multiple backend systems.
One or more “authoritative sources” (HR, Corporate Directory) supply the population of unique identities and start the creation of Identity Cubes.
Connector
An IdentityIQ component that communicates with the targeted platforms, applications and systems to import application and account data. A connector is defined as part of an application definition (examples: Delimited File, JDBC, Active Directory, etc.).
SailPoint supports many industry-standard directories, databases and applications, both as authoritative sources and as non-authoritative ones. A few examples of supported connectors: Active Directory, DB2, Delimited File, IBM Tivoli Directory Server, IBM Tivoli Identity Manager, JDBC, LDAP, LDIF, Linux, Lotus Notes, Mainframe, MS SQL Server, MS SharePoint, Oracle DB, Oracle Apps, PeopleSoft, RACF, SAP, SAP HR, SAP Portal, Salesforce, Solaris, Sun IDM, Sybase and many more.
Account Aggregation
The process by which IdentityIQ creates and updates Identity Cubes with account, attribute and entitlement data read through the configured applications.
Account aggregation is very similar to reconciliation in other identity management solutions. It is achieved by defining and running reusable Account Aggregation tasks.
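The whole chain described in this section (authoritative aggregation creating Identity Cubes, mapped and derived Identity Attributes, correlation of non-authoritative accounts onto cubes, and the refresh-time check that backs the event-based leaver handling described under Lifecycle Manager), as an added example written for this page. It is not SailPoint code: IdentityIQ implements correlation and attribute logic as Java/BeanShell rules configured on the application, and the Python below is a stand-in with the same shape. The HR feed, the AD and SAP account exports, the `example.com` domain and every name in them are constructed for the example.

```python
"""Added example (not SailPoint code): building Identity Cubes from an
authoritative HR feed, correlating application accounts onto them, and
finding terminated identities that still hold accounts.
All source data below is constructed for illustration.
"""
import csv
import io

# Constructed authoritative source: an HR export read by a delimited-file connector
HR_CSV = """employeeId,firstName,lastName,department,status
1001,Ada,Lovelace,Engineering,Active
1002,Grace,Hopper,Engineering,Active
1003,Alan,Turing,Research,Terminated
"""

# Constructed non-authoritative application exports, already normalised to
# {"id": native account name, "entitlements": [...], plus correlation attributes}
AD_ACCOUNTS = [
    {"id": "alovelace",  "employeeID": "1001", "entitlements": ["Domain Users", "Eng-Admins"]},
    {"id": "ghopper",    "employeeID": "1002", "entitlements": ["Domain Users"]},
    {"id": "svc-backup", "employeeID": "",     "entitlements": ["Backup Operators"]},
]
SAP_ACCOUNTS = [
    {"id": "LOVELACEA", "email": "ada.lovelace@example.com", "entitlements": ["SAP_FI_DISPLAY"]},
    {"id": "TURINGA",   "email": "alan.turing@example.com",  "entitlements": ["SAP_ALL"]},
]


def derive_email(first, last):
    """Attribute derivation rule: an identity attribute computed by rule
    rather than mapped straight from a source column."""
    return f"{first}.{last}@example.com".lower()


def aggregate_authoritative(csv_text):
    """Authoritative aggregation: one Identity Cube per HR record.
    firstname/lastname/department/status are mapped; email is derived."""
    cubes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cubes[row["employeeId"]] = {
            "attributes": {
                "firstname": row["firstName"],
                "lastname": row["lastName"],
                "department": row["department"],
                "status": row["status"],
                "email": derive_email(row["firstName"], row["lastName"]),
            },
            "accounts": {},         # application -> native account id
            "entitlements": set(),  # "Application:entitlement"
        }
    return cubes


def correlate(cubes, app, accounts, rule):
    """Non-authoritative aggregation: attach each account to the cube the
    correlation rule selects. Accounts matching no cube are returned as
    uncorrelated; they need an owner assigned or a deprovisioning ticket."""
    uncorrelated = []
    for acct in accounts:
        key = rule(cubes, acct)
        if key is None:
            uncorrelated.append(acct)
            continue
        cubes[key]["accounts"][app] = acct["id"]
        cubes[key]["entitlements"].update(f"{app}:{e}" for e in acct["entitlements"])
    return uncorrelated


def ad_rule(cubes, acct):
    """Correlation on a mapped attribute: AD employeeID == HR employeeId."""
    key = acct.get("employeeID")
    return key if key in cubes else None


def sap_rule(cubes, acct):
    """Correlation on a derived attribute: SAP email == derived identity email."""
    wanted = acct.get("email", "").lower()
    return next((k for k, c in cubes.items() if c["attributes"]["email"] == wanted), None)


def build_cubes():
    """Run the aggregation tasks in order: authoritative first, then each application."""
    cubes = aggregate_authoritative(HR_CSV)
    orphans = {
        "AD": correlate(cubes, "AD", AD_ACCOUNTS, ad_rule),
        "SAP": correlate(cubes, "SAP", SAP_ACCOUNTS, sap_rule),
    }
    return cubes, orphans


def terminated_with_access(cubes):
    """Refresh-time check behind the leaver event: identities whose
    authoritative status is Terminated but that still hold accounts."""
    return sorted(k for k, c in cubes.items()
                  if c["attributes"]["status"] == "Terminated" and c["accounts"])


if __name__ == "__main__":
    cubes, orphans = build_cubes()
    for key, cube in cubes.items():
        print(key, cube["attributes"]["email"], cube["accounts"], sorted(cube["entitlements"]))
    print("uncorrelated:", {app: [a["id"] for a in accts] for app, accts in orphans.items()})
    print("terminated but still provisioned:", terminated_with_access(cubes))
```

Two outcomes are worth noticing. The `svc-backup` AD account has no employee ID and so correlates to nobody; in a real deployment that is exactly the population (service accounts, contractors never loaded into HR) that an aggregation report should surface rather than silently drop. And employee 1003 is terminated in HR yet still owns `SAP_ALL`, which is the condition an event-based leaver process exists to catch on the next refresh.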
Hopefully this is helpful.
Cheers