How are you handling "resource owner arbitrarily manages access to resource" in ISC?

Looking for advice from others on how they have approached a gradual transition from legacy forms of group membership management to ISC/IDN forms.

This is documented:

Allow Role owners to Manage Role identity | SailPoint Ideas Portal

but didn’t get any votes, so I’m thinking I missed something.

Today, our organization has some amount of arbitrary group membership in AD.

  • We have made our resource owners AD Group owners for the groups that are mapped to their particular resources.
  • We have trained our slightly technical resource owners to use tools like “Active Directory Users and Computers” to manage the membership in their respective groups. It’s not awesome but works.
  • We are switching to ISC/IDN and would like to use it as much as possible.
  • We’d like to eventually transition a majority of these memberships to roles/calculated membership but cannot do so now due to not having master data to do so. (And in some cases, membership calculations will never be possible).
  • We are experiencing difficulty in switching from a "resource owner manages membership directly" model to a "resource owner approves requests" model. (Today, a resource owner can control when a member is added and ensure all members are added, but loses that capability when you switch to a request model; we are seeing people not request at all when they should, or requests trickle in over weeks.)
  • We looked at Role Identity list, but it turns out that Role owner is a Source wide permission. We are not able to make these resource owners Role Owners, this would give them control of ALL roles on the source.
  • We also don’t want to make busy work for someone else to manage the list on behalf of the resource owner. The resource owner is the decision maker. Everything is better when the resource owner performs this action (audit, effort, etc.). They successfully do this today.

For these sorts of scenarios, people are suggesting the old way (non-ISC/IDN) is easier/better.

Is there no way to have an equivalent solution within IDN to “AD Group owner manages membership directly” without giving that granular resource owner control of ALL roles on that source?

This feels like a gap. How are others addressing it?
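The "AD Group owner manages membership directly" setup described in the post, as an added example that is not from the original thread: it records the owner on the group and grants that owner write access to the `member` attribute of that one group only, which is the least-privilege scope the post is asking for. Group and account names are placeholders, and it assumes the RSAT ActiveDirectory module and the `AD:` drive are available.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and that both the group and the owner account already exist.
# Group and owner names are placeholders.
Import-Module ActiveDirectory

$GroupName = 'APP-Finance-Reporting-Users'   # placeholder
$OwnerSam  = 'jdoe'                           # placeholder

$group = Get-ADGroup -Identity $GroupName
$owner = Get-ADUser  -Identity $OwnerSam

# 1. Record the owner on the group (the "Managed By" tab in ADUC).
#    On its own this is informational only; it grants no rights.
Set-ADGroup -Identity $group -ManagedBy $owner

# 2. Grant the owner WriteProperty on the 'member' attribute of THIS group only
#    (what the "Manager can update membership list" checkbox does).
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'member'
$ownerSid = [System.Security.Principal.SecurityIdentifier]$owner.SID
$groupPath = "AD:\$($group.DistinguishedName)"

$acl  = Get-Acl -Path $groupPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $ownerSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $groupPath -AclObject $acl

# 3. Verify the delegation is scoped to this group: the owner should appear with
#    a single explicit ACE here, and not on sibling groups in the same OU.
(Get-Acl -Path $groupPath).Access |
    Where-Object { $_.IdentityReference -like "*\$OwnerSam" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

Because the ACE lives on the group object rather than on the OU, the owner can change membership of this group and nothing else, which is the granular scope the post contrasts with a source-wide Role Owner.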

Hi Chad,

For access addition, we follow an access request model. If a requester requests, then it goes for approval. If the access profile owner requests, it is auto-approved.

For access removal, there is an option in the ServiceNow Catalog to remove access for any user.
In ISC, managers can raise access removal request for their reportees.

For critical applications, periodic access reviews are performed so that group membership is reviewed and certified. Frequency depends on the nature of the application.

Segregation of duties can be implemented for sensitive apps.

All groups are removed a few days after access termination.

For Dynamic DLs, role-based provisioning can be used. Sometimes if there is a data change in HR due to a re-org, then it can cause issues. PowerShell scripts or ActiveRoles can be a backup.

Agreed: there is no mapping present in ISC for the use case that you described. In IIQ, custom forms can be built along with workflows to achieve this.

Regards
Arjun

As mentioned, the request model is failing us. Unless we physically stop (like during a meeting) and make everyone request at the same time, resource consumers are trickling the requests in or not making the request. In some cases where the resource has different levels of access, resource consumers are requesting the wrong type of access for this resource.

We really just want the resource owner to directly manage the access to their resource. I’m completely surprised that this is not an option. I would expect it to be a starting point in an IAM platform.

I cannot make this person a role owner on the source. They should not have the ability to edit all resource access lists on the source, just the list of people that can access their specific resource on that source.

And delegating the membership management to another human is a waste.

In these scenarios, moving to SailPoint has increased effort/time over what we were doing in the past with out-of-the-box (free) Microsoft tools.

So, I continue to think that I am missing something here.