Description

We’re excited to announce that starting at the end of August, we’re migrating the source configuration pages to our new user experience!

Updated pages include:

• Account and Entitlement Aggregation
• Attribute Sync
• Account Correlation
• Create Account (*edited)
• Password Settings
• Accounts
• Entitlements
• Access Profiles
• Connections

Both old and new experiences will be maintained until September 30th, after which the old experience will no longer be available.

Who is affected?

• All ISC customers.
• Users who are Admin and Source Admins.

Action Required

Customers are encouraged to try the new experience by navigating to sources and clicking Try New Experience to review the new pages. Functionality is primarily the same as the old pages, with some exceptions:

Enhancements (new and not available in the old experience):

• Uncorrelated filter allows for easy filtering.

Known issues (available in the old experience and pending future development):

• Account Totals.

Important Dates

Staging: August 19th, 2024

Production: Week of September 3rd, 2024

Feedback Period: September 2024

Switch Between Experiences: September 2024

Removal of old experience: October 1st, 2024

What is Next Up?

We will be tracking and monitoring any items that arise during the feedback period.

I see you mention provisioning policies plural, but you only talk about the create provisioning policy, what about the ones for update, enable, disable, delete, et cetera? Right now we still have to create, update and delete these provisioning policies through the API. The ability to manage those through the UI or to even see their existence in the UI is not possible.

You have mentioned Attribute Sync and creating provisioning policies, as @angelo_mekenkamp stated. We are currently using APIs for creating and removing Attribute Sync; only the sync, enabling, and disabling can be managed through the user interface. Can we expect any of these functionalities to be manageable via the UI after this update?

Hi Angelo, sorry that page should have been listed as “Create Account”, I corrected it.

Also to answer your question, functionality remains the same as the old experience, provisioning policy actions still needs to be done via API.

IMO it would be great if “Accounts” and “Entitlements” were the top 2 items on the left, above “Source Setup”, as those are often the most common pages.

It would make it a lot easier to navigate.

At the moment, you need to scroll down to ‘Account Management’ > ‘Accounts’ and ‘Entitlement Management’ > ‘Entitlements’ respectively.

Apart from that, it looks good!

We observe that the account aggregation details missing the information about no. of accounts created/deleted in the new UI. It’s a very important details to track the creation and deletion of accounts during aggregation/sync.

New-UI577×710 8.56 KB

Old-UI749×384 7.31 KB

For my initial impression, I can’t say that the new experience is an improvement, and find it harder to use. I agree with @jrossicare that by moving the “Accounts” and “Entitlements” so far away and splitting them up, that it makes the new page would be harder to navigate. His suggestion for moving them to the top would help alleviate that to some degree, although there are other pages I would move too. I would argue the previous page was actually well laid out, with each tab clearly visible at the top, and the primary activity you would want to do was the first page shown when the tab was selected.

With Sources, my experience has shown that there are 2 distinct ways that admins use the existing pages: Regular Activities and Configuration.

The following I would consider Regular Activities:

• View Accounts
• View Entitlements
• View Access Profiles
• View Aggregation progress/history
• View Entitlement Aggregation progress/history
• View number of Uncorrelated accounts.

The Following I would consider Configuration:

• Correlation
• Password Settings
• Account Schema
• Anything under Source Setup (Differs by Connector)
• Create Account
• Update/Enable/Disable/Delete Provisioning Policies (as @angelo_mekenkamp mentioned)
• Attribute Sync
• Native Change Detection
• Connections (This could really go in either)
• Delete Source

The way that I differentiate these two groups is by what pages am I likely to look at on a regular interval, and what I am likely to look at/configure then not touch once the source is considered set up. Almost all of the items in the Configuration group are only accessed regularly while the source is being set up, and then only updated as needed. These items do not need to be on the primary page, and invites admins to make accidental changes easier.

On the other hand, the Regular Activities are things that an admin might check often to see the state of the source. For instance, they could check the status of the aggregations for the week, looking at the Account Creation/Deletion details that @shilpa_nc mentions above. An admin may also need to kick off a manual aggregation to pull in a new account or entitlement that was added by the Source Team. Similarly, when working to resolve the Uncorrelated accounts, it is often necessary to view the list of them and work through them.

I thought the direction that the changes were headed, moving the configuration items (Correlation, Account Schema, Create Account) under the Edit Configuration button, while leaving the others in the existing UI, was the right way to go. This move was starting to place the configuration items together, while leaving the reference items and actions on the main page.

If you are able to separate the source into Regular Activities and Configurations like this, it also opens up the option of having a Management Source Admin, who can view accounts and run aggregations, and a Full Source Admin, who can also handle updating the configurations as well. This separation I think would be beneficial to many clients who want users to be able to run and view aggregation details, but do not want them making changes.

Suggestion for an improvement to the Accounts page:

Screenshot 2024-09-04 at 5.52.04 PM1224×529 26.2 KB

Suggestion for Account Aggregation Page:

Modify this so on wide screens these shift right linearly, providing better use of the screen realestate:

Screenshot 2024-09-04 at 5.56.53 PM2190×1063 157 KB

Suggestion for Account Aggregation (And Entitlement Aggregation)

Manual Unoptomized aggregation (Useful for one off)

Screenshot 2024-09-04 at 6.01.26 PM1148×496 32.6 KB

Or a Checkbox to turn on Unpotomized for that manual run, and have it get cleared out after

Oof, I just tried the new experience, and unfortunately I agree with @gmilunich as I experience this as the opposite of an improvement as well.

I like how he distinguishes regular activities and configuration, and to me that is spot on. Although I have to add that it would be nice to see on the perform account aggregation page to see if delta aggregation is turned on or off. With perhaps a button to do a one time full aggregation without having to go to the configuration, turning off delta, go to the account aggregation tab again, performing a manual aggregation, then going back to the configuration and turning on delta aggregation again.

Also a way to distinguish who can run aggregations and who can delete the source is a really good idea! This falls within the general need for granular authorization management within ISC itself. But I don’t think this is achievable only by putting the operations on different pages and then map user level to which page is visible. Instead the same page should be visible, but certain operations would be either omitted from the tabs/lists/dropdowns or grayed out when the user doesn’t have the capability to read the information or perform the action.

To me, the attention that SailPoint is giving this UI change should be used as opportunity to add buttons like performing ad hoc unoptimized aggregations and the other provisioning policies. Currently we are still dependent on the API for these changes. Was there an in discovery session for updating this layout? Unless I missed it, I recommend to have these and allow us to give feedback early on to prevent getting updates that are undesired.

The button to perform account aggregation should be in the same color as the save buttons for the schedule (the color it shows after making a change and before saving it). It should specify “Start Manual Aggregation” for clarity and I would like to see all latest account aggregations on this page, not just the latest one.

Viewing entitlements, accounts and access profiles should be tabs close to each other as is with the current layout.

I do notice that I have to scroll a lot on the several screens to find the buttons I need and at the same time a lot of my screen is blank. I think I have to click more, scroll more and hover my mouse from one corner of the screen to the other more often than desired to perform the tasks I want.

I believe that there are many different things that can be improved regarding UI, on different parts of ISC. Things that are generally way smaller than a complete makeover such as this, but would have bigger impacts on user friendliness. I would be happy to have a call to share my suggestions.

Kind regards,
Angelo

I second this suggestion and I would replace the “All” “Correlated” “Uncorrelated” filters a few rows down, by making those numbers clickable.

A strange behavior is for Delimited File sources, after starting an account aggregation, when you click to go to a different page it will prompt if you want to discard changes.

This is not right, as nothing changed (except for uploading the accounts file to aggregate).

Angelo has a very good point on “bang for your buck” UI changes, where small changes can deliver big returns.

Thanks all for the great feedback so far, we continue to review them as they come and will plan future improvements.

What is the reasoning for the “Aggregation History and Connections” section?

It seems like these should under the “Additional Settings”. The previously mentioned section is oddly named, and it also includes “Access Profiles”, which is not included in the section name, like the other two items.

Additionally, with the “Connection” section, if you click on details for the Cluster as shown below, it will take you to the details of the cluster. However, if you X out of the details, it takes you back to the Virtual Appliance screen, not back to the configuration. To get back, you need to navigate back to the source again from the main window.

Screenshot 2024-09-11 at 10.09.58 AM1164×823 60.5 KB

Thinking about how my clients use this, I would make the following suggestion for reorganizing the sections and pages. The original is on the left and my suggestion is on the right.

Screenshot 2024-09-11 at 10.35.50 AM765×635 23.5 KB

I think the Accounts and Uncorrelated accounts could be the same page if included with my previous suggestion of showing the numbers, and then making the box clickable to switch the grid, as @eabedrapo1 suggested.

Additionally, when you export the “Accounts” csv, can it also include a column for “Correlated” or “Uncorrelated”? This would be helpful for reviewing the accounts and determining who they belong to.

Use Case:
Admin is working to manually correlate the accounts. They download the Uncorrelated accounts list, which has the Account ID of “9123129” and the Account Name of “9123129” since both were set to the same. However, there is a First Name, Last Name, and email attached to the source that could be used for referencing and quickly correlating those accounts. The issue is that to get that data, the Admin needs to download both the Accounts Export and the uncorrelated account correlation file, then manually link them in excel, or look at the entry in the uncorrelated file then look up the value in the Accounts export to check the additional details. If the system, which has the information already, could do that, it would be helpful.

Alternately, if there was a second option on the Uncorrelated Accounts screen to Download the Correlation File WITH account details, that might actually be preferred. Something similar to the “Include Access Details” option that the Generate Report button in the search has could trigger this.

Today I had a connection issue with a Source that was failing. Previously, the process was to go to the source, then press the “Test Connection” button.

When I tried the New experience, this button is no longer on the main window. The user now needs to navigate to “Review and Test” and then locate the Test Connection button. This has introduced additional steps needed for a common task.

Screenshot 2024-09-13 at 10.17.07 AM1173×968 91.9 KB

Additionally, the Error State notification for the source is now Less Noticeable and easier to overlook.

Current Experience:

Screenshot 2024-09-13 at 10.38.46 AM1239×292 33.4 KB

New Experience:

Screenshot 2024-09-13 at 10.38.59 AM1264×292 21.8 KB

Notice on the new experience that the visibility is much less due to the size of the error box, and there are less details available to the user (without clicking on the info icon.) The current state provides an Admin better visibility that something is wrong and how long it has been going on, without additional clicking.

For testing, if you have a tenant with Demo Data, change the Test Connection Query in PRISM to point to a non-existent table, such as “select * from usersERROR”

I 100% agree with Geoff’s thoughts on the new experience, it is a downgrade from the current setup and could be better organized.

Happy to be the odd-one out here. There are so many improvements in the new UI,

What I love:

• Reunification of the source experience. Having config & operational info on one page eliminates the “where was that screen” effect.
• Click directly to user account pages in the source (not through identity)

I’ll add that I’ve been building sources like crazy since the new experience launched - it does seem to favor the source creator over the source operator in its arrangement.

When I think about the most common source operational activities, I can agree with some of the comments that the order of items on the left could possibly be improved - or simplified.

Our operations team would be amazed if there was a section at the top which looked like:

Source Operations

• Accounts - add an “Aggregate Button”
• Entitlements - add an “Aggregate All Types” button
• Account Aggregation - existing page
• Entitlement Aggregation - existing page
• Aggregation History - existing page

The “Actions” dropdown could include Reset Accounts and Reset Entitlements - we use those far more often than delete

The spacing of the items on the left is a little too much. For the small number of items, it would be nice if I didn’t have to scroll.

In the future, it would be amazing for our operations teams and source owners if a source dashboard page appears first showing the basic operational info like

Source Name
Description
Source Owner
Source Governance Group
Most Recent Aggregation Failures (date/errors)
Most Recent Provisioning Failures (date, account, entitlement, errors)
Last 5 aggregation history

But again, for me and our team, what we see today is a big improvement and we love it.