How can we provide SailPoint IIQ read-only access, and AD read-only access

SailPoint IIQ 8.4

How can we provide SailPoint IIQ read-only access, and AD read-only access through a role request in ServiceNow, based on AD access groups instead of assigning individual user capabilities? Additionally, how should this be configured in SailPoint and Active Directory? Your guidance on a possible approach would be highly appreciated.

First you need to create a custom capability with view permission, then you need to create a workgroup in IIQ with this capability. Then you need to configure a loopback connector for IIQ where you can provision on the created workgroup based on AD group membership. Or you can also configure ServiceNow for provisioning on the workgroup.

Try this, it may help you.

Loopback connector should be a good approach here.
But another approach could be this:

  1. Create a custom capability in SP with view-only permission.
  2. Create a workgroup and assign the capability to this workgroup.
  3. Create a read-only group in AD; it will be aggregated in SailPoint.
  4. Logic can be set up in a Before-Provisioning rule: whenever a user requests this group, assign the workgroup to this user.

  This way you have one AD group which can give read-only access to both SailPoint and AD.

NOTE: Remember to put logic in Remove Access as well, if you have that in your system, to remove the workgroup.
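One way to implement step 4 together with the removal case from the NOTE, as an added example that is not code from the original thread: a Before-Provisioning rule body in BeanShell. The application name, the `memberOf` attribute name, the group DN and the workgroup name are assumptions, and the `Identity.add(Identity)` / `Identity.remove(Identity)` calls for workgroup membership are assumed to be the IIQ API for that purpose.

```java
// Before-Provisioning rule (BeanShell). IIQ passes in: context, plan, log.
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;

// Assumed names; adjust to your environment.
String AD_APP         = "Active Directory";
String AD_GROUP_ATTR  = "memberOf";
String READ_ONLY_DN   = "CN=IIQ-ReadOnly,OU=Groups,DC=example,DC=com";
String WORKGROUP_NAME = "IIQ Read-Only Viewers";

// True if the value (a single DN or a list of DNs) names the read-only group; DNs compare case-insensitively.
boolean mentionsGroup(Object value) {
    if (value instanceof List) {
        for (Object v : (List) value) if (READ_ONLY_DN.equalsIgnoreCase(String.valueOf(v))) return true;
        return false;
    }
    return value != null && READ_ONLY_DN.equalsIgnoreCase(value.toString());
}

Identity identity = plan.getIdentity();
List acctReqs = plan.getAccountRequests();
if (identity == null || acctReqs == null) return;

boolean addWg = false, removeWg = false;
for (Object a : acctReqs) {
    AccountRequest acctReq = (AccountRequest) a;
    if (!AD_APP.equals(acctReq.getApplication()) || acctReq.getAttributeRequests() == null) continue;
    for (Object r : acctReq.getAttributeRequests()) {
        AttributeRequest attrReq = (AttributeRequest) r;
        if (!AD_GROUP_ATTR.equals(attrReq.getName()) || !mentionsGroup(attrReq.getValue())) continue;
        Operation op = attrReq.getOperation();
        if (Operation.Add.equals(op) || Operation.Set.equals(op)) addWg = true;
        if (Operation.Remove.equals(op) || Operation.Revoke.equals(op)) removeWg = true;
    }
}

if (addWg || removeWg) {
    Identity workgroup = context.getObjectByName(Identity.class, WORKGROUP_NAME);
    if (workgroup == null) { log.error("Workgroup not found: " + WORKGROUP_NAME); return; }
    if (addWg)    identity.add(workgroup);     // grants the workgroup's read-only capability
    if (removeWg) identity.remove(workgroup);  // Remove Access path, so the capability does not linger
    context.saveObject(identity);
    context.commitTransaction();
}
```

Because the rule keys off the AD group in the plan, the same Remove Access request that drops the AD membership also drops the IIQ workgroup, which is the condition the NOTE warns about.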

Hi @pmr542 ,

In SailPoint IIQ, there are OOTB Capabilities which are made of "SPRight" object(s).

Based on your requirements, you can use these capabilities.

If the OOTB capabilities are not sufficient to achieve the requirement, you can create custom capabilities by configuring specific SPRights inside them.

You can check each Capability and SPRight in the debug page. You can also get more info in the SailPoint documentation for Capabilities.

As per my knowledge, "SPRight" is the most granular object, beyond which we cannot go deeper, and we cannot create new SPRight objects.

Hope this helps.


I would recommend this approach.

@pmr542 You can also try this:

  • Configure the Loopback connector in IIQ; this will allow capabilities and workgroups to be available in IIQ Roles and for Access Request.
  • Create an AD group. You need to coordinate with the AD team to define the necessary policies and permissions to grant read-only access to AD for any member of the group.
  • Aggregate it to IIQ.
  • IIQ already has a read-only capability: DebugPagesReadOnlyAccess.
  • Run the Group aggregation in the Loopback connector.
  • Configure a business and IT role having entitlements: AD group + Capability: DebugPagesReadOnlyAccess.
  • Mark this role as requestable and enable approvals.

Whenever a user requests the role, they will get read-only access to both AD and IIQ.


If you want to automate the assignment of user capabilities, then you can use the Loopback Connector.
