Assign User Rights/Capabilities within SailPoint IdentityIQ
During SailPoint IdentityIQ implementations, many clients have asked how to effectively manage the assignment of user rights (capabilities) to end users and administrators within IdentityIQ. This can be accomplished in the following ways:
Direct Assignment of Capabilities
The simplest way is to assign the capabilities directly to a user’s identity cube. This is the easiest approach, but also the least flexible: if a user changes roles within the company, the capabilities must be removed manually, so they tend to linger after they are no longer needed.
Capabilities Within Workgroups
Another way is to assign capabilities through workgroups within IdentityIQ. Workgroups are created and assigned capabilities, and users are then added to the workgroups. This is an easy way to manage capabilities in IdentityIQ, but there are drawbacks to this approach. The addition and removal of users to and from a workgroup is still manual, and workgroup membership is neither audited nor subject to the same workflow (requests, approvals, certifications) that roles and entitlements have.
Capabilities Within Roles
The third, and most flexible, approach is to assign capabilities via roles within IdentityIQ. Roles are created that contain IdentityIQ capabilities and are matched to AD group membership, so that the capabilities follow the group membership automatically. This is the most auditable and flexible approach for managing user rights within IdentityIQ. To implement it, perform the following steps:
In the System Setup –> Role Configuration screen, create a new role type (ex. SailPoint Roles)
In the new role type, make sure the following options are unchecked:
No automatic assignment with rule
No assignment rule
No manual assignment
Disallow Granting of IdentityIQ User Rights
Create a new role of the new role type
Assign the desired capabilities for the role
Create an assignment rule that will match the role to the desired AD group. For example: Active Directory application –> memberOf –> CN=IIQ Admins,ou=Groups, DC=idmworks,DC=com
Once the role is created, an Identity Refresh must be run to assign the role to the users. Use the following options when running the identity refresh task:
Refresh assigned and detected roles
Once the identity refresh task is complete, the roles should be correctly assigned to the identity cubes and the capabilities granted to the users. Subsequent refreshes will also remove the role, and with it the capabilities, from any identity that has dropped out of the AD group.
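The following is an added example, not IdentityIQ code: a small Python model of the three approaches above that shows what the "Refresh assigned and detected roles" step does, why role-based assignment is the cleanest to reason about, and one practical caveat when matching on memberOf. The class and function names (Role, Identity, refresh_assigned_roles, effective_capabilities, normalize_dn) and the sample identities and group memberships are all constructed for this illustration; the capability name SystemAdministrator and the group DN are the ones the text uses. The DN normalisation is an assumption about how group DNs should be compared, included because a raw string comparison against the value typed into the match term will miss members when case or spacing differs between the typed value and what aggregation pulls from AD.

```python
"""Model of capability assignment via roles, as in the IdentityIQ procedure
above.  Added illustration with invented class/function names and constructed
sample data; not IdentityIQ's own code or API."""
from dataclasses import dataclass, field


def normalize_dn(dn: str) -> str:
    """Canonicalise an LDAP DN so that 'CN=IIQ Admins, ou=Groups,...' and
    'cn=iiq admins,OU=Groups,...' compare equal.  Directories treat attribute
    types and most values case-insensitively and ignore whitespace after the
    RDN separator.  (Escaped commas inside values are not handled; the sample
    data has none.)"""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


@dataclass
class Role:
    name: str
    role_type: str            # e.g. the custom "SailPoint Roles" type
    capabilities: set         # IdentityIQ capabilities granted by the role
    match_application: str    # assignment rule: application -> attribute -> value
    match_attribute: str
    match_value: str

    def matches(self, identity) -> bool:
        """Evaluate the assignment rule against the identity's account on the
        named application (a 'link' in IdentityIQ terms)."""
        link = identity.links.get(self.match_application)
        if link is None:
            return False
        values = link.get(self.match_attribute, [])
        if isinstance(values, str):          # single-valued attribute
            values = [values]
        wanted = normalize_dn(self.match_value)
        return any(normalize_dn(v) == wanted for v in values)


@dataclass
class Identity:
    name: str
    links: dict                                               # application -> account attributes
    assigned_roles: set = field(default_factory=set)
    direct_capabilities: set = field(default_factory=set)     # approach 1: on the cube
    workgroup_capabilities: set = field(default_factory=set)  # approach 2: via workgroup


def refresh_assigned_roles(identity: Identity, roles: list):
    """Equivalent of the 'Refresh assigned and detected roles' option: assign
    every role whose rule matches and drop every role whose rule no longer
    matches.  Returns (added, removed) role names so a run is auditable."""
    before = set(identity.assigned_roles)
    after = {r.name for r in roles if r.matches(identity)}
    identity.assigned_roles = after
    return after - before, before - after


def effective_capabilities(identity: Identity, roles: list) -> set:
    """Union of capabilities from all three assignment paths."""
    by_name = {r.name: r for r in roles}
    caps = set(identity.direct_capabilities) | set(identity.workgroup_capabilities)
    for name in identity.assigned_roles:
        caps |= by_name[name].capabilities
    return caps


def run_scenario() -> dict:
    """Constructed scenario: alice joins then leaves the admin group; bob was
    given the capability directly on his cube."""
    admin_role = Role("IIQ Admins", "SailPoint Roles", {"SystemAdministrator"},
                      "Active Directory", "memberOf",
                      "CN=IIQ Admins,ou=Groups, DC=idmworks,DC=com")  # value as typed, with a stray space
    roles = [admin_role]
    alice = Identity("alice", {"Active Directory": {"memberOf": [
        "cn=IIQ Admins,OU=Groups,DC=idmworks,DC=com",   # as aggregated from AD
        "CN=Staff,OU=Groups,DC=idmworks,DC=com"]}})
    bob = Identity("bob", {"Active Directory": {"memberOf": []}},
                   direct_capabilities={"SystemAdministrator"})
    results = {}
    refresh_assigned_roles(alice, roles)
    results["alice_after_join"] = effective_capabilities(alice, roles)
    # alice moves teams: the next AD aggregation drops the group from her account
    alice.links["Active Directory"]["memberOf"] = ["CN=Staff,OU=Groups,DC=idmworks,DC=com"]
    _, removed = refresh_assigned_roles(alice, roles)
    results["alice_removed_roles"] = removed
    results["alice_after_move"] = effective_capabilities(alice, roles)
    # bob's directly assigned capability is untouched by any refresh
    refresh_assigned_roles(bob, roles)
    results["bob"] = effective_capabilities(bob, roles)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {sorted(value)}")
```

Running the scenario shows alice gaining SystemAdministrator on the first refresh (even though the group DN was typed with different case and spacing than AD returns it), losing it on the refresh after her group membership changes, and bob keeping a directly assigned capability that no refresh will ever revoke. That last line is the case the first two approaches leave to manual cleanup.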