SailPoint IdentityNow: Extensibility Feature Integration for Access Requests

Each progressing year, IT is getting more and more complex. Organizations keep growing and subsequently more and more people come into the organization each with their own needs. These users are then provided with their own levels of access to resources. The problem that arises here is that the growing mess of systems and user access management.

IdentityNow is an IDaaS (Identity as a Service) based IAM solution, unlike IdentityIQ which is on-premise. IdentityNow also helps people get the access that they need and manage the lifecycle around it. The current blog discusses the extensibility features announced by SailPoint. These features will help make security decisions on the go very effectively.

In the following presentation, I will be providing a detailed overview of Extensibility Feature Integration with IdentityNow for Access Requests.

Overview of Extensibility Features :

Users at an enterprise level are distributed among different geographies of the world. SailPoint’s access request integration with applications such as Microsoft Teams and Slack enable the users to get the access that they need right from the tool that they use the most. SailPoint also ensures that the appropriate governance and compliance controls are enforced while providing ease of access to the users while making access requests.

Current Access Request Process :

To briefly understand the current access request process in IdentityNow below is an illustrative diagram:

Roles in IdentityNow combine provisioning to multiple sources by combining different access profiles. However, for access requests, roles can be marked as “requestable”. By doing this, the roles are then visible in the Request Center tab in IdentityNow. We can have approvals in place for this role such that any user who requests for this role, will by routed through an approval process.

Applications in IdentityNow have their own XML structure with their own password policies and account creation restrictions. For the approvals, we can define the approval hierarchy in Access Profiles itself. Once the application has been created, it should be marked as ‘visible in request center’ and ‘allow access requests’.

Users have to login to their IdentityNow tenant with their credentials. They navigate to Request Center tab to see “Applications” and “Roles” where they can make an access request from either of these. Both Roles and Applications facilitate provisioning to the target source using Access Profiles.

Applications and Integration Overview :

  1. Microsoft Teams

Microsoft teams is a chat-based collaboration platform from Microsoft. With capabilities such as documents sharing, online meetings, teams and channels, online video calling and screen sharing, messaging and many more extensible features for business communication. It is extremely user friendly and can facilitate a work environment between remote users and large businesses. Below are the benefits from this integration:

  • Ease of making access requests from within the Teams Application.
  • Users can request either for a Role or Application depending on the business needs.
  • This integration ensures seamless user experience for making access requests.

Below is the process followed post the integration with MS Teams:

  • Users will login to their Teams application using their Office365 account.
  • A SailPoint chatbot is configured which appears in the Applications tab.
  • Connect to your IdentityNow tenant and click on “Create Access Request”.
  • Find and select the Application/Role to request.
  • Select the role for himself or for others.
  • Submit the request.

2. Slack

Slack is workspace alternative communication tool just like teams which combines the functionalities for messaging, tools and files. Users can communicate over channels or Direct Messages based on their requirement and it has support for third-party application integrations and add-ins. Although the application is free to use with certain limitations, there is an enterprise level application as well. Below are the benefits from this integration:

  • Ease of making access requests from within the Slack Application.
  • Users can request either for a Role or Application depending on the business need.
  • This integration ensures seamless user experience for making access requests.

Below is the process followed post the integration with Slack:

  • A user will login to their Slack application using their work email and authenticating from it.
  • A SailPoint chatbot is configured which appears in the Applications tab.
  • Connect to your IdentityNow tenant and click on “Create Access Request” by entering a forward slash in the SailPoint’s chatbot.
  • Find and select the Application/Role to request.
  • Select the role for himself or for others.
  • Submit the request.

Access Request : From an API perspective

  • This integration is achieved using REST API’s. REST stands for Representational State Transfer.
  • It is an architectural style for the web services.
  • This architectural style helps in lesser use of bandwidth to make an application more suitable to communicate over the internet.
  • It is often regarded as the language of the internet.
  • The primary methods that the REST APIs communicate are
    • Create – POST
    • Read – GET
    • Update – PUT/PATCH
    • Delete – DELETE
  • SailPoint has developed the REST API’s for IdentityNow. The reference documentation is available at developer.sailpoint.com
  • Please note that the {api-url} below is the org name of your IdentityNow tenant.
  • The primary APIs that are used behind this integration are:
    • List of access request objects: Returns a list of requestable items for an access request.
      • GET – https://{api-url}.api.identitynow.com/v3/requestable-objects
    • Create an access request: Submits an access request to IdentityNow. This will not return any result because the request has been submitted by the system. If there are more than one identity for the access request, the JSON payload will contain a list of id’s for each identity.
      • POST – https://{api-url}.api.sailpoint.com/v3/access-requests
    • Get the access-request status: Returns a list of access request statuses based on the specified query parameters.
      • GET – https://{api-url}.api.identitynow.com/beta/access-request-status

In the following video, I will be providing a detailed demo of the access request integration with Teams and Slack.

SailPoint IdentityNow Ticketing integration with ServiceNow

Ticketing systems form an excessive part of any enterprise’s IT infrastructure. An IT ticketing software, also known as an IT ticketing system, is a software program that enables organizations to resolve their internal IT support queries by managing and streamlining the process of issue resolution.
ServiceNow is a global leader in cloud-based ticketing systems and has been playing a visionary role in ITSM and ITOM.

IdentityNow is a leader in the market for a perfect IAM solution for organizations taking the next step into cloud computing. The product is simpler to tack together than several other IAM solutions in the market, thus additional configuration can be completed without the need for specialist resources. The User interface (UI) is a lot easier to interface for end-users and needs less coaching.
IdentityNow’s Service Integration Module, or SIM integration with ServiceNow, which converts IdentityNow provisioning actions into tickets in ServiceNow.

The following presentation will give the overall idea of ServiceNow service catalog integration with SailPoint IdentityNow and explanation of the use case,

The following is the demonstration and walk through the IdentityNow integration with Servicenow and showcases the integration use case,

Governing G Suite using SailPoint Identity IQ

Identity IQ – G Suite Integration

Office productivity suites comprise the essential set of tools required for an employee’s day to day work. They offer core services to users like email, calendars, shared storage and other tools to create and consume the information. New generation productivity suites understand today’s business needs and are designed to be omnipresent and highly collaborative.

G Suite is Google’s cloud based productivity suite. Being a cloud based solution, it is omnipresent and can be accessed all possible devices. Also, it is highly collaborative in nature. Google’s most popular services like Google mail, calendar, drive, docs, sheets, hangouts are bundled into G Suite. G Suite has been received greatly by organizations of all the sizes and has recorded 5 million organizations by end of 2018. G Suite has quickly climbed up the ladder to become a leader in Gartner’s magic quadrant for 2 years consecutively.

Governing such core cloud based services containing sensitive information is of great importance.

In the following presentation, we provide a detailed overview of G Suite integration with Identity IQ.

G Suite – Identity IQ Integration

In the following video, we provide a detailed demo of this integration.

A detailed demo of G Suite governance with IDENTITY NOW is coming shortly.

Sailpoint – Service Now Integration

Ticketing systems form a great part of any enterprise’s IT infrastructure. Service Now is a global leader in cloud based ticketing systems and has been playing a visionary role in ITSM and ITOM.

Sailpoint integration with Service Now provides a great value when direct provisioning from Sailpoint is not possible.

It streamlines the manual provisioning by raising tickets on Service Now for provisioning. This provides a great visibility and accountability in the IT environments.

 

In the following presentation, we provide a detailed overview of Service Now integration with Sailpoint:

The following is a demo of various types of Service Now integrations that are supported by Sailpoint:

Sailpoint Unix Integration

Unix is the mother of all operating systems and also is the foundation for Tim Berner Lee’s invention.

Every enterprise has a huge Unix foot print spanning across thousands of servers running various legacy applications.

As part of the mammoth task of securing the IT environments, securing the Unix servers would be the first step.

At ENH iSecure, we thrive to achieve complete and impeccable solutions leaving nothing to chance.
As a part of these efforts, we are speaking about Identity Governance in Unix with the help of Sailpoint’s IIQ.

The following is a video where we speak about governance of Unix using Sailpoint’s IIQ.

The following is a demo on Unix integration with Sailpoint.

Requirements Gathering for an IDM Solution

Requirements Gathering

Understanding the AS-IS and TO BE states of the enterprise IT infrastructure is the most important key to achieve success for any Identity management. Approaching such challenge with a wonderful questionnaire would lead to a win-win situation for both the customer as well as the implementer.

At ENH iSecure, we face the challenge of requirements gathering with a strong questionnaire that helps us understand the requirements of the customer very easily. The following list comprises of some important questions during the initial requirement gathering which are part of the questionnaire:

Identity Vault establishment:

Identity vault establishment is the first step of any Identity management implementation. It involves creating a central identity store which shall be the heart of the implementation. As part of the identity vault establishment and future management, we would put up the following questions to the customer:

Initial Creation of Identity vault:

1. What are the sources that help us create the identity vault?
They can be delimited files present at the Unix location or active directory or a HRMS.
2. Are these sources distributed across multiple applications? In case they do find all the applications across which the trusted sources are distributed.

Regarding the Identity vault maintenance:

1. Are there any specific organizational requirements regarding updation of identity vault? Sometimes it is possible that such updations happen at a specific date to match the server loads and burst in server loads because of sudden peaks in usage. For example, Universities which admit many students at spring or fall.
2. How often would we want the incremental updations to happen to the identity vault? How often are complete updations expected?

Information related users:

1. What are the various types of people whom the identity management solutions monitors? For example, employees, contractors, rehires, customers and any other types of users.
2. What are the various operations that could happen to the users of the identity management system? For example, promotion or termination of employees could be operation on the user. Expiry of contract for contractors could be a situation.
3. Identity management solutions maintains users in various states. For examples most of the identity management solutions have an active, disabled or terminated states for users. How are these states expected to change with respect to various actions on the users?

Provisioning related information:

1. What are the various target applications that are present in the IT infrastructure that need to be monitored by the solution?
2. How does the communication to the applications from the identity management solutions happen? Is there a bus service that is running that needs to be passed through or can they be directly communicate to?
3. Are there any rare applications for which we do not have any prebuilt connectors to work with? In such cases we need to develop connectors for communication to happen.
4. What are the various accounts and privileges to be provided to various kinds of users with different attribute values?
5. In case there is any change is user attributes or state of the user , how to deal with the transition to new state of user? For example, in rehire kind of scenario, we temporarily disable the users. Also in case there is a state change, all the accounts that need to provisioned in the state have to be provisioned.

Requests based provisioning:

1. Is there a requirement for users to request various accounts or privileges in various applications? What are the various resources that a particular kind of user can request and what is it that they can’t request?
2. How should the various requests be processed? Is there any complex approval process that is involved? For example sometimes it is required that IT Admin as well the manager are expected to approve provisioning an account.