How to Set Up Role Provisioning Policies in SailPoint IdentityIQ

Role provisioning policies are application attribute forms that may be presented when a role is assigned to an identity, specifically when the role assignment causes provisioning on an application.

Setting Up Role Provisioning Policies

The role provisioning policy is created or deleted from the role editor UI in SailPoint IdentityIQ (pictured below).

Working and Usage

Usually, a business role requires an IT role, and the IT role contains the application entitlements. The business role is assigned to the identity, which in turn assigns the required IT role, resulting in the provisioning of the entitlements on the application.

The IT role may carry a provisioning policy for the application whose entitlements it grants. If such a policy exists, the policy form is also presented to the requester during assignment, and the requester must supply values for the policy attributes, much as for application provisioning policy attributes. Once the form is submitted, the attribute values are provisioned onto the application account in the target system.

Unlike application provisioning policies, role provisioning policies are not operation specific (create, update, delete, etc.): a single policy applies to all provisioning operations.

Role provisioning policies can be defined for any role type. Defining one policy per application per IT role is the most common usage, but multiple policies may also be defined for the same application.

As of now, a role provisioning policy does not set the account's native identity. If the policy is expected to drive account creation, the account name must therefore be supplied by something else, typically the application's own create provisioning policy, so take special care in that case.

Besides defining the policy, the role's “Provision both profiles and policies” flag must be checked to activate it.

Custom Workflow and Role Provisioning Policy

Often, roles are provisioned from custom workflows that build a provisioning plan with an assignedRoles attribute request on the “IIQ” application. The plan is then executed either by calling the IdentityIQ API directly or by invoking the out-of-the-box LCM Provisioning workflow. During execution the role provisioning policy form may appear at the plan execution step. The form is displayed whenever an attribute value is missing, that is, whenever a policy field is marked required and not yet populated, or is marked required and also has reviewRequired set.
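The workflow pattern described above, as an added Beanshell example. This is not code from the original article and not SailPoint's own code. It assumes the workflow passes identityName and roleName as step variables, and that context and log are the standard objects available inside a workflow script step. Reading the compiled project's Questions as the list of unanswered policy fields is the example author's interpretation of the compile step and should be checked against the IdentityIQ version in use.

```java
// Added example, not code from the original article or from SailPoint.
// Beanshell step for a custom IdentityIQ workflow: assign a role through the
// "IIQ" application, compile the plan so the role provisioning policy is
// evaluated, and refuse to execute while required policy fields are unanswered.
//
// Assumptions (not stated on the page): "identityName" and "roleName" are
// workflow variables supplied by the caller; "context" (SailPointContext) and
// "log" are the objects the workflow engine exposes to every script step.
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;
import sailpoint.object.Question;

// Fail early on bad input instead of compiling a plan that references nothing.
Identity identity = context.getObjectByName(Identity.class, identityName);
if (identity == null) {
    throw new IllegalArgumentException("No such identity: " + identityName);
}
Bundle role = context.getObjectByName(Bundle.class, roleName);
if (role == null) {
    throw new IllegalArgumentException("No such role: " + roleName);
}

// Role assignment is expressed as a Modify on the pseudo-application "IIQ",
// adding the role name to the "assignedRoles" attribute. The application
// entitlements are not in this plan; role expansion adds them at compile time.
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

AccountRequest iiqReq = new AccountRequest();
iiqReq.setApplication(ProvisioningPlan.APP_IIQ);
iiqReq.setOperation(AccountRequest.Operation.Modify);
iiqReq.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
                                ProvisioningPlan.Operation.Add, role.getName()));
plan.add(iiqReq);

// Compile without executing. Compilation expands the business role into its
// required IT role(s) and evaluates their provisioning policies. Assumption of
// this example: a required field that has no value (or is required with
// reviewRequired set) surfaces as a Question on the project, which is what the
// LCM Provisioning workflow turns into the pop-up form.
Provisioner provisioner = new Provisioner(context);
ProvisioningProject project = provisioner.compile(plan);

List unanswered = new ArrayList();
List questions = project.getQuestions();
if (questions != null) {
    Iterator it = questions.iterator();
    while (it.hasNext()) {
        Question q = (Question) it.next();
        if (q.getValue() == null) {
            unanswered.add(q.getName());
        }
    }
}

if (!unanswered.isEmpty()) {
    // Hand the missing field names back to the workflow so it can branch to a
    // form step; executing now would provision an account with holes in it.
    log.warn("Role provisioning policy still needs values for: " + unanswered);
    return unanswered;
}

// Everything the policy requires is present: push the compiled project through
// to the connectors. The step result is the (empty) list of missing fields.
provisioner.execute(project);
return unanswered;
```

Because the step returns the names of the unanswered fields, a workflow transition can test whether the list is empty and route to a form step only when the role provisioning policy actually needs input, instead of showing the form unconditionally.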