AD-governed Application Onboarding

I’m working on onboarding applications into SailPoint Identity Security Cloud (ISC) for full lifecycle management, including provisioning and deprovisioning. However, I’ve encountered several applications in our environment that do not have their own identity stores or provisioning interfaces. Instead, they rely entirely on Active Directory (AD) for access control, typically through group membership or organizational unit (OU) placement.
I’m wondering whether it is technically possible or even meaningful to onboard such applications directly into ISC for end-to-end provisioning. Is AD-based provisioning considered the only viable method in this scenario? Are there any best practices or supported methods to represent these applications in ISC for governance purposes, such as access reviews or certifications, even if direct provisioning isn’t feasible? Any insights, connector strategies, or real-world implementation advice would be greatly appreciated.

Hi, if your application's access relies on AD group membership, then you can design it like this.

Create access profiles for those groups.
Add them to the Application, named with the app name you want.
Enable them to be requestable by users.
You can also add approvals based on the design.

This way, an access request can be made by first selecting the application and then selecting the group; when approved, provisioning is automatic and the user gets access to the application. This assumes the setup is already done on the application side, i.e. when a particular group is assigned, the user gets certain access.

Coming to certifications, you can create a campaign for the access profiles. For this, you may have to consider creating the access profiles with a certain app name in them, so that you can find them and add only those. So, you can achieve these use cases.

2 Likes
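The steps above are manual, and the follow-up reply notes that hundreds of entitlements make that impractical. As an added example (not code from the thread or from SailPoint), the script below turns the same design into a bulk job: one requestable access profile per AD group, named with the application as a prefix so the profiles can be grouped under the Application and picked out for a certification campaign by name. It assumes the ISC v3 Access Profiles API (POST /v3/access-profiles) with the payload shape shown, a bearer token from the tenant's OAuth client, and that the caller supplies the AD source ID and an owner identity ID; the group list and all IDs below are constructed placeholders, and the group naming convention APP-<App>-<Role> is an assumption used only to derive the application name.

```python
"""Bulk-create SailPoint ISC access profiles that wrap AD group entitlements.

Added example: scripts the per-group access-profile design so it scales to
hundreds of AD groups. Assumed API: POST /v3/access-profiles with the payload
built in build_access_profile(); entitlement IDs would normally be listed from
the AD source first, and the sample list here is constructed data.
"""
import json
import urllib.request
from typing import Iterable, List, Optional

# Constructed sample: AD group entitlements as they would appear after
# listing the AD source's entitlements. All IDs are placeholders.
SAMPLE_AD_GROUPS = [
    {"id": "ent-0001", "name": "APP-Finance-Users", "sourceId": "src-ad"},
    {"id": "ent-0002", "name": "APP-Finance-Admins", "sourceId": "src-ad"},
    {"id": "ent-0003", "name": "APP-HR-Readers", "sourceId": "src-ad"},
    {"id": "ent-0004", "name": "Domain Users", "sourceId": "src-ad"},  # not app-scoped
]


def app_name_from_group(group_name: str) -> Optional[str]:
    """Derive the application name from an AD group named APP-<App>-<Role>
    (an assumed convention). Returns None for groups outside it, so that
    broad groups such as "Domain Users" are never turned into app access."""
    parts = group_name.split("-")
    if len(parts) < 3 or parts[0] != "APP":
        return None
    return parts[1]


def build_access_profile(group: dict, owner_id: str, approver: str = "MANAGER") -> Optional[dict]:
    """Build one access profile payload for a single AD group entitlement.
    The app-name prefix lets the Application listing and a certification
    campaign select every profile for the app by filtering on name."""
    app = app_name_from_group(group["name"])
    if app is None:
        return None
    return {
        "name": f"{app} - {group['name']}",
        "description": f"Access to {app} granted via AD group {group['name']}",
        "enabled": True,
        "requestable": True,
        "owner": {"id": owner_id, "type": "IDENTITY"},
        "source": {"id": group["sourceId"], "type": "SOURCE"},
        "entitlements": [{"id": group["id"], "type": "ENTITLEMENT"}],
        # Manager approval on every request; tighten per app as the design requires.
        "accessRequestConfig": {
            "commentsRequired": True,
            "denialCommentsRequired": True,
            "approvalSchemes": [{"approverType": approver}],
        },
    }


def build_all(groups: Iterable[dict], owner_id: str) -> List[dict]:
    """Payloads for every app-scoped group; non-matching groups are skipped."""
    out = []
    for g in groups:
        payload = build_access_profile(g, owner_id)
        if payload is not None:
            out.append(payload)
    return out


def create_access_profile(base_url: str, token: str, payload: dict) -> dict:
    """POST one payload to /v3/access-profiles and return the created object
    (network call; not exercised in the dry run below)."""
    req = urllib.request.Request(
        f"{base_url}/v3/access-profiles",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: print the payloads so they can be reviewed before anything is
    # created. Call create_access_profile(base_url, token, payload) per entry
    # to actually create them in the tenant.
    for p in build_all(SAMPLE_AD_GROUPS, owner_id="identity-placeholder"):
        print(json.dumps(p, indent=2))
```

Run it once as a dry run and review the printed payloads: the name filter is what keeps the profiles discoverable later, and the naming-convention check is what stops a broad group from being exposed as requestable application access.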

@jalad10 Along with the approach Uday mentioned, implement the segmentation concept as a best practice.

Thanks Uday for the help. Actually, I have done that by creating access profiles, but that’s out of scope for our process because there are 100s of entitlements. But I want some technical explanation of why it cannot be onboarded as an app in Connections - Sources in ISC, like whether it does not have the capability or does not support apps that are governed through AD.
