Hi! We are facing a migration from another IAM tool that has delegated administration. I know ISC does not have it, but does some way exist to achieve similar behaviour?
For example, User A goes on vacation. User B is designated to cover all tasks in User A's absence. How should this process be emulated, and how should User B inherit User A's tasks? (For example, reviewing certifications, pending approvals, manual tasks, etc.)
Here’s how you can emulate delegated administration and handle a vacation scenario in SailPoint ISC for various tasks:
1. Delegation (Absence Management)
This is the primary way to handle vacation coverage.
How it Works: Users can set up a “delegate” who will receive and act on their behalf for certain tasks while they are absent.
Configuration:
An end-user (User A) would go into their Preferences or Settings in ISC.
They would typically find an “Absence Management” or “Delegates” section.
Here, User A can specify User B as their delegate, define the start and end dates of their absence, and select the types of tasks User B should take over.
What can be delegated:
Approvals: All pending and future access requests, role assignments, or policy violation approvals.
Certifications: Review and sign-off on access certifications.
Manual Work Items/Tasks: Any manual work items assigned to User A, although the exact behavior might depend on how these tasks are configured in workflows.
How User B sees tasks: When User B logs into ISC, they will see tasks that were assigned to User A and delegated to them. Often, there’s a clear indication that they are acting as a delegate for User A.
Emulating User A’s tasks with Delegation:
Certifications: When User A goes on vacation and has certifications pending or coming due, if User B is set as the delegate for certifications, User B will see and be able to complete those certifications on User A’s behalf.
Pending Approvals: Any approval requests (e.g., for access, roles) routed to User A will instead be routed to User B if User B is configured as the delegate for approvals. User B can then approve or deny as needed.
Manual Tasks: This depends on the specific workflow. If manual tasks are routed to a user’s inbox in ISC, delegation can often forward these. If manual tasks are outside of the ISC inbox (e.g., in an external system triggered by an ISC workflow), additional workflow logic might be needed.
For very specific or complex delegation scenarios, you might need to customize workflows.
Approval Workflows:
When designing approval workflows, you can incorporate logic to check for active delegates. If a user has a delegate configured, the workflow can dynamically route the approval to the delegate instead of the original approver. SailPoint’s out-of-the-box delegation functionality often handles this automatically.
You could also build “escalation paths” in workflows. If User A doesn’t act on a task within a certain timeframe, the task could automatically escalate to User B or a manager.
Manual Tasks: For manual tasks that don’t automatically respect the delegation settings (less common if they route through the ISC inbox), you might need to build custom workflow logic to reassign tasks based on delegation status.
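
The routing logic described in this answer (an active delegate taking over for a date range and a set of task types, with escalation after a timeout), modelled as an added example that is not part of the original post and is not SailPoint code. The `Delegation` record, the function names, the three-day timeout and the self-approval guard are assumptions made for illustration; the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

@dataclass(frozen=True)
class Delegation:          # hypothetical record, not an ISC object
    owner: str
    delegate: str
    start: date
    end: date
    task_types: frozenset  # e.g. {"approval", "certification", "manual"}

    def covers(self, task_type, on):
        return self.start <= on <= self.end and task_type in self.task_types

def resolve_assignee(owner, task_type, on, delegations, requester=None):
    """Follow active delegations from owner.
    Returns (assignee, trail); assignee is None when nobody valid is left."""
    trail, current = [owner], owner
    while True:
        nxt = next((d.delegate for d in delegations
                    if d.owner == current and d.covers(task_type, on)), None)
        if nxt is None:
            break
        if nxt in trail:            # A -> B -> A: everyone in the loop is away
            return None, trail
        trail.append(nxt)
        current = nxt
    if current == requester:        # added guard: nobody decides their own request
        return None, trail
    return current, trail

def route(owner, task_type, created, now, delegations, managers,
          requester=None, timeout=timedelta(days=3)):
    """Pick who should hold the task at time `now`, escalating when needed."""
    assignee, trail = resolve_assignee(owner, task_type, now.date(),
                                       delegations, requester)
    if assignee is None or now - created > timeout:
        assignee = managers.get(owner)          # escalation path
        trail.append(f"escalated:{assignee}")
    return assignee, trail

# Constructed sample data: User A is away 1-14 July and delegates approvals
# and certifications (not manual tasks) to User B.
DELEGATIONS = [Delegation("userA", "userB", date(2024, 7, 1), date(2024, 7, 14),
                          frozenset({"approval", "certification"}))]
MANAGERS = {"userA": "managerM"}
```

The returned trail records every hop, which is what an audit of a delegated decision needs: who the task was originally for and who ended up holding it.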