SailPoint Identity Security Cloud Loopback Connector

Problem:

In SailPoint Identity Security Cloud, we often face challenges in managing and governing user level permissions and governance group membership effectively, which may lead to unauthorized access and audit failures. Governing access inside Identity Security Cloud is important.

Current blog helps govern access in Identity Security Cloud using Identity Security Cloud loopback connector.

Solution – Loopback connector:

The purpose of loopback connector is used to manage Identity Security Cloud user levels and governance groups as entitlements.

Users can request for elevated user levels permissions and governance groups as entitlements through request center. Once that is approved user will get required higher permission or governance group membership based on requested entitlement.

Supported Operations:

Below are the supported operations in loopback connector:

  • Account Aggregation
  • Governance Groups Aggregation
  • User levels Aggregation
  • Provisioning
  • Add Entitlement
  • Remove Entitlement

Operations and APIs

Below is the list of endpoints we used for each operation in loopback connector:

S. NoOperationsEndpoints
1Account Aggregation/v3/accounts
2Governance Group Aggregation/beta/workgroups
3Provisioning/v3/accounts
4Authentication/oauth/token
5Add Entitlement for User Levels/v3/auth-users/:id
6Add Entitlement for Governance Groups/v3/workgroups/accessId/members/bulk-add

In this blog, we will be discussing about the Identity Security Cloud Loopback Connector in detail. The following are the key topics that are discussed as part of the blog.

  1. Problem statement
  2. What is loopback connector and what we can achieve from that?
  3. Use cases we can achieve using loopback connector
  4. What are the supported operations?
  5. End points used for each operation.

In the video blog of SailPoint Identity Security Cloud Loopback Connector, we will be discussing above mentioned topics.

Video:

Detailed demo on developing & testing loopback connector is present in the following video.

Video:

All the mentioned technical components are only available for internal use. However, refer to the below table for an overview on different technical components, which can be used to develop the loopback connector.

S. NoComponent NameUse
1Java ProgramThis program is used to take details like tenant id, client id, client secret and source id and update all rules with provided input data.
2Account Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all the available accounts from the respective tenant.
3User Levels Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all user levels available from the respective tenant.
4Governance Groups Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all the available governance groups from the respective tenant..
5Add EntitlementThis is Webservice Before Operation Rule. Users can build this rule in such away, upon entitlement request, respective governance group membership or elevated permissions are assigned to users
6Remove EntitlementThis is Webservice Before Operation Rule. Users can build this rule in such away, respective governance group membership or elevated permissions are removed from users.

Oracle Fusion Integration with SailPoint IdentityIQ

About Oracle Fusion: Oracle Fusion Cloud HCM is a complete cloud solution that connects every human resource process and every person across the enterprise.

Benefits of Oracle Fusion:

  • Oracle HCM cloud enables HR leaders by delivering an end-to-end solution to manage every stage of the employee lifecycle.
  • Human capital management transforms the traditional administrative functions of human resource departments – recruiting, training, payroll, compensation, and performance management into opportunities to drive engagement, productivity, and business value.
  • It also offers Data Efficiency by preserving history of changes made to the attributes of some objects. As a Professional user, you can retrieve and edit past and future versions of an object.
  • Many HCM objects, including person names, assignments, benefits-plans, grades, jobs, locations, payrolls, and positions are date-effective. Date-effective objects include one or more physical records. Each record has effective start and end dates. One record is current and available to transactions. Others are past or take effect in the future. Together, these records constitute the logical record or object instance.

Integration with SailPoint IdentityIQ

Here, Oracle Fusion application is integrated with SailPoint using Webservices connector. Let us have a quick overview of basic configuration parameters of SailPoint IdentityIQ Webservices Connector

Webservices connector application configuration
  • Base URL: The base URL is used to connect to the web service managed system.
  • Authentication Method: Authentication methods that is supported are: OAuth2, API Token, Basic Authentication and No/Custom Authentication
  • Schema Attribute for Account Enable status: Attribute name and value required to be provided to check the Enable status. For example: status=Active
  • Username: Username of the resource owner
  • Password: Password of the resource owner
  • Grant Type: We can select the type of Grant from below: Refresh Token, JWT, Client Credentials, Password and SAML Bearer Assertion
  • Client Id: (Optional for JWT and SAML Bearer Assertion) Client Id for OAuth2 authentication.
  • Client Secret: (Optional for JWT and SAML Bearer Assertion) Client Secret for OAuth2 authentication.
  • Token URL: URL for generating access token.

Basically, connecting SailPoint to your Web Services allows you to configure any web service supported managed system which can read and write on the managed system using the respective managed system’s Web Services. Web Services supports JSON and XML for read and write.

Oracle Fusion Integration with SailPoint IdentityIQ

Now, let us have a look at the Oracle Fusion REST APIs used in the Integration process. Below is the list of APIs used for integrating Oracle Fusion to SailPoint:

  • Get all Workers API: This fetches all the worker records as of the specified date. Worker types include employee, contingent worker, and pending worker. By default, the current date is retained.
  • Get all User Accounts API: This fetches all the userAccounts. We may need to manage user accounts for the workers to assign or revoke Fusion Roles
  • Get all Roles API: This is used the get the roles assigned to the user accounts.
  • Create Employee API: This is used to create an Employee record in Oracle Fusion.
  • Update Employee API: This is used to update an Employee record in Oracle Fusion.
  • Terminate Worker API: This is used to Disable a Worker record in Oracle Fusion.
  • Role Revoke API: This is used to revoke an assigned role.
  • Rehire Employee API: This is used to Enable an Employee record in Oracle Fusion.

And here, we will be using Basic Authentication in the Integration Process where we have used Username and Password of the resource owner to from connection between Oracle Fusion and SailPoint IdentityIQ

Prerequisites for integrating Oracle Fusion with SailPoint

  1. Oracle Fusion REST APIs
  2. Oracle Fusion instance
  3. Base URL of the Oracle Fusion instance
  4. As we are using Basic Authentication, we need username and password for the APIs

Now, let us discuss the use cases involved in the integration process.

Use Cases

1. Joiner/Create account Process

Joiner Process starts with the creation of account in Truth Source application. Then that account will be brought to SailPoint through a scheduled aggregation task.

Joiner/Create Account Process

Then through a Scheduled Refresh Identity Cube task and using a configured Business Role and Assignment Rule, two conditions are checked.

  1. Identity or Account in Truth Source is Active
  2. Business Unit is XXXX

If these two conditions are satisfied. Then the account creation process for Oracle Fusion application gets triggered. As part of the Joiner or Account creation process, Basic access will be provisioned to the newly created account from the Fusion end automatically.

2. Leaver/Disable Account Process:

Leaver process starts when the Last working day attribute of account is populated in Truth Source application.

Leaver/Disable Account Process

Then that Last working day for that account will be updated in SailPoint through a scheduled aggregation task. Then through a Scheduled Refresh Identity Cube task, it is checked that if that Last working day is equal to Today’s date. In other words, it is checked that if the Last working day has reached.

If the Last working day has reached, then the account disable process for Oracle Fusion application gets triggered.

As part of the Termination process, all the Roles which that account has, will be de-provisioned.

3. Rehire/Enable Account Process:

Rehire Process starts by enabling the account in Truth Source application. Then that is updated in SailPoint through a scheduled aggregation task.

Rehire/Enable Account Process

Then through a Scheduled Refresh Identity Cube task, the account enable process for Oracle Fusion application gets triggered.

As part of the Rehire/Enable account process, another new Assignment is created for that account with AssignmentName and AssignmentNumber appended with “R”. And Basic access will be assigned to that enabled account as we saw in the create account use case.

Advantages of Integrating Oracle Fusion with Sailpoint IdentityIQ:

  1. In this integration, we have automated the creation of account in Oracle Fusion. Whereas before the integration, Oracle Fusion team had to create an account in Oracle Fusion manually for the new Joiners
  2. In this integration, we have also automated the Disabling and Role Revoke operations. Actually, when the Last Working Date of the user has reached, then the Oracle Fusion account of this leaver will be disabled and Oracle Fusion Roles assigned to this leaver will Revoked, by Sailpoint. Whereas, before the integration, Oracle Fusion team had to disable the account and Revoked Roles in Oracle Fusion manually for the leavers.
  3. In this Integration, we have also automated the update operation as well. From Sailpoint, we are updating the attributes such as LegalEmployerName, Department, Job, Grade, FirstName, LastName, DisplayName, etc. Whereas, before the integration, Oracle Fusion team had to handle these updates manually which will be a tedious task to do.
  4. We have also automated the Rehire Process. When a user got rehired, then for that user, Oracle Fusion account will be enabled and a new work relationship will be created from Sailpoint.

When a user got Rehired, only the Basic access will be given, not the access that user had before Leaver process for that user initiated.
The detailed discussion of Oracle Fusion introduction, Oracle Fusion TEST APIs, use cases and integration approach is discussed in the following video:

Now, let us a have a demo on integration of Oracle Fusion with SailPoint IdentityIQ in the following video: