Application onboarding and Certifications

Identity Security Cloud (ISC) ISC Discussion and Questions
1

Hello everyone,

I need some suggestions and guidance. Our company is new to IdentityNow, and we want to onboard applications or sources for auditing purposes. What are the best practices we should follow?

Do we need to create access profiles? Additionally, what are the best practices for conducting certifications?

Thank you!

2

Hi @vxs12263

A deep understanding of your company’s requirements would be necessary for a meaningful answer, but I could help add a few generic pointers that you can use as thumb rules. Please note that there’s a lot of additional considerations apart from what I add here that will need to be made:

  1. For onboarding apps, come up with an internal prioritization framework in collaboration with the key stakeholders within your company to identify the order in which the apps in your company need to be onboarded.
  2. Depending on the number of apps, consider a phased onboarding approach where you bring in early demonstration of the value of having ISC to be the IGA platform.
  3. There usually are some very common apps that will have to be onboarded early on, like HR systems, IDPs like Active Directory or Azure AD, Ticketing systems like ServiceNow or Jira. Figure out what those core apps are for your company and consider onboarding them first.
  4. Go through SailPoint’s connector documentation: Identity Security Cloud Connectors - Identify if there are applications within your company that could use direct connectors and get up and running without much customization.

For access profiles, I’d recommend reading up on the latest info provided by SailPoint here: SailPoint Identity Services - SailPoint Identity Services. While access profiles are not mandatory to be created, you may need them depending on the use case you have in mind.

Use the same link above to know more about certification features available on SailPoint ISC, and after discussions with your key stakeholders, identify the kind of campaigns you may need to periodically review access within the company. Access Reviews go hand in hand with an access request framework: So if you haven’t already, consider RBAC implementation via automated and requestable roles.

Talk to your Customer Success Manager for an in-depth analysis on how you can best utilize SailPoint ISC.

3 Likes
3

Thank you, Kulkarni, for your detailed explanation. We are now considering onboarding the SOX application primarily for audit purposes.

As we move forward, we want to create certifications for the accounts within these applications. Our focus is on certifying access profiles rather than granular elements like entitlements.

Which type of certification would be the most suitable for our needs? We appreciate your insights on this matter.

4

Hi @vxs12263 ,

As by default when the Entitlements are certified, the Access Profiles that the entitlements are tied to will automatically be included in the certification campaign, but if you want to specifically certify Access Profiles, you can use Search query based Certification and select the respective Access Profiles you want to certify and create a campaign out of the result.

Screenshot 2024-10-17 at 2.30.07 PM
Screenshot 2024-10-17 at 2.30.07 PM1465×570 37.2 KB

Hope this helps!!

5

Hi @vxs12263 ,
You can also schedule or generate as per the requirement using the search query based certifications, which gives you more flexible way of filtering the data & scheduling the campaigns!!

Hope this helps!

6

Hi Prasanth,

When a manager certification is created for an individual identity, does it include everything associated with their birthright role, or only the additional access profiles and entitlements that fall outside of the birthright role?

I appreciate your insights on this!

Thank you!

7

@vxs12263 I would recommend you to tag the sox entitlements to a specific tag and based on that you can run a search based campaign with certifier as the users manager .This will ensure the all sox entitlements are certified

8

We are working on creating a manager certification for access profiles. First, we onboard the SOX application, then group the entitlements into access profiles and attach them to the Birthright roles.

My question is: since access profiles are linked to the Birthright roles, will they still appear under access profiles when the certification is created?

9

In my experience, if you create an access item campaign for a specific access profile, any users assigned that access profile via birthright roles will not be visible in the certification, only users assigned the access profile directly.

See my topic on this. I ended up having to include the roles in the certification as well

10

Hi Mark,

Thank you for your reply!

I’d like to explain the process we’re currently following in our organization. We do not utilize request-based provisioning; instead, we focus on onboarding applications that are part of disconnected systems.

Once onboarding is complete, we create access profiles for the specific application and attach these profiles to the associated birthright roles.

My main question is: when the certification is generated, we do not want to certify these access profiles. Our intention is to simply acknowledge the roles since the access profiles are part of the birthright. However, I noticed that when I created the certification, the access profiles were still coming up for review.

What are your thoughts on this? I appreciate your insights!

11

Hi Shantanu,

Thank you for your reply!

I’d like to explain the process we’re currently following in our organization. We do not utilize request-based provisioning; instead, we focus on onboarding applications that are part of disconnected systems.

Once onboarding is complete, we create access profiles for the specific application and attach these profiles to the associated birthright roles.

My main question is: when the certification is generated, we do not want to certify these access profiles. Our intention is to simply acknowledge the roles since the access profiles are part of the birthright. However, I noticed that when I created the certification, the access profiles were still coming up for review.

What are your thoughts on this? I appreciate your insights!

12

Hi Prashanth

Thank you for your reply!

I’d like to explain the process we’re currently following in our organization. We do not utilize request-based provisioning; instead, we focus on onboarding applications that are part of disconnected systems.

Once onboarding is complete, we create access profiles for the specific application and attach these profiles to the associated birthright roles.

My main question is: when the certification is generated, we do not want to certify these access profiles. Our intention is to simply acknowledge the roles since the access profiles are part of the birthright. However, I noticed that when I created the certification, the access profiles were still coming up for review.

What are your thoughts on this? I appreciate your insights!

13

Hi Kulkarni

Thank you for your reply!

I’d like to explain the process we’re currently following in our organization. We do not utilize request-based provisioning; instead, we focus on onboarding applications that are part of disconnected systems.

Once onboarding is complete, we create access profiles for the specific application and attach these profiles to the associated birthright roles.

My main question is: when the certification is generated, we do not want to certify these access profiles. Our intention is to simply acknowledge the roles since the access profiles are part of the birthright. However, I noticed that when I created the certification, the access profiles were still coming up for review.

What are your thoughts on this? I appreciate your insights!

14

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.