New Capability: Non-Employee Risk Management Sources now support Attribute Sync from Identity Security Cloud

Description

We are pleased to announce that Non-Employee Risk Management Sources in Identity Security Cloud (Sources configured to use the SailPoint Non-Employee Risk Management connector) will now support Attribute Sync operations.

New Capabilities

  • Support for Attribute Sync operations using Non-Employee Risk Management Sources

Problem

As non-employee identity access is managed and governed in Identity Security Cloud, certain attribute values need to be updated on profiles in NERM based on actions taken or data collected in ISC. An example would be company email addresses that are issued as part of the Non-Employee identity’s Joiner action in ISC.

Solution

The NERM connector in ISC will now support Attribute Sync options. This will be configured in Identity Security Cloud on the Source configuration, using the existing ISC Attribute Sync process outlined in the ISC Attribute Sync documentation.

This applies both to existing Non-Employee Risk Management Sources that were configured manually for individual profile types and to NERM Sources that were configured automatically using the Automated Source and Schema creation from NERM. Regardless of how the NERM Source was configured in ISC, Attribute Sync will always be configured in ISC.

Note: Identity Attributes which contain identity values (such as a Manager) cannot be synced back to NERM at this time.

Who is affected?

All NERM implementers

All NERM-ISC Customers

Action Required

In order to enable Attribute Sync, follow the guidelines in the ISC Attribute Sync Documentation for your NERM Source.

Note on Account Correlation:

Because the automatically configured NERM Source in ISC depends on a preconfigured account correlation, customers and implementers need to be careful about which attributes they choose to sync back to NERM.

The pre-populated NERM Sources that use the Identity Security Cloud Connection Settings config in ISC use the Employee Number attribute to correlate accounts. By default, the Employee Number attribute is correlated to the Non-Employee Profile ID from NERM. This is what correlates the accounts created for Assignment profiles to the accounts created for Non-Employee Profiles, with the latter being promoted to ISC Identities by virtue of the attributes’ inclusion on the Non-Employee Identity Profile.

If a customer were to configure Attribute Sync on the Employee Number Identity attribute so that it overwrites the value of the NE Profile ID attribute in NERM, which is used to correlate Assignments to Non-Employees, this could un-correlate all assignment accounts in ISC and create extraneous Identities.

To address this issue, NERM is introducing a new core attribute in the Identity Security Cloud Connection Settings configuration.

This Core attribute is called “Correlation Attribute”. It should be mapped to the attribute on your Non-Employee and Assignment profiles that you want to use as a means of correlating the Non-Employee and Assignment accounts in ISC.

Using this attribute is not required. Correlation will be defined automatically using the Employee Number identity attribute in ISC, mapped to the Profile ID in NERM. However, if you wish to sync an Employee Number from a different ISC Source back to NERM, we recommend defining and setting the “Correlation Attribute” in NERM. Product Documentation will provide guidance for this configuration, found under “Connecting Non-Employee Risk Management and Identity Security Cloud” in the SailPoint Non-Employee Risk Management Admin Help.

Important Dates

Now available!