SailPoint ISC - Evaluating NELM's Capability to Address Complex Requirements

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hi Community,
I’m currently engaged in a project focused on managing Non-Employees using SailPoint’s “Non-Employee Lifecycle Management” (NELM) module. The client has presented a set of intricate requirements, and I’m exploring whether the NELM connector is capable of addressing them comprehensively.

We are aware that many, if not all, of these use cases could potentially be addressed using SailPoint’s “Non-Employee Risk Management” (NERM) module (I believe that only point 5 below cannot be managed in any way through SailPoint, correct?). However, we are aiming to avoid its use and instead focus on leveraging the capabilities of the NELM module.

Here are the key challenges we’re aiming to solve:

  1. Reuse and update existing digital identities based on “Tax Code” and “User Type.”
  2. Seamless integration with certified data sources for value lists (e.g., Place of Birth, Document Country Code, etc.).
  3. Management of mandatory attributes such as Company Identifier, User Type, First Name, Last Name, etc.
  4. Implementation of workflows for explicit consent to personal data processing (GDPR compliance).
  5. Advanced business logic for identity verification, including methods like selfies with displayed documents.
  6. Handling attributes related to location, contacts, contracts, and expiration dates.
  7. Configuration of attributes during account creation to be selectable from drop-down lists, with values either static or dynamically retrieved from external data sources.
  8. Application of validation logic on specific fields to prevent the entry of unauthorized values into designated account attributes.

I’m particularly interested in understanding:

  • Whether the NELM connector can fully support these requirements.
  • Any technical or functional limitations that might arise.
  • Best practices or lessons learned from similar implementations.

If you’ve worked on similar use cases or have insights into leveraging SailPoint’s NELM module effectively, I’d greatly appreciate your input.

Thanks in advance for your support.

Best regards,
Paolo

2

Here is my 2cents:

Reuse and update existing digital identities based on “Tax Code” and “User Type.” -
- Yes, you can do that, however you can’t do any validation on the UI Form during creation and modification.

Seamless integration with certified data sources for value lists (e.g., Place of Birth, Document Country Code, etc.).
**- I don’t think you can have drop down or list values in the UI Form. Most of them are going to be static. You can however use transform to correct the values, for example, if someone enter USA AND You want country code to be US, then you can do that and using help text might help too. **

Management of mandatory attributes such as Company Identifier, User Type, First Name, Last Name, etc.

You can create such attribute, but I know there is a limit to how many you can create.

Implementation of workflows for explicit consent to personal data processing (GDPR compliance).
**You can create workflows if you can identify the trigger point, like creation of non-employee should trigger a workflow. **

Advanced business logic for identity verification, including methods like selfies with displayed documents.

NELM as such doesn’t provide anything like this, so any such integration would be custom and done via workflows. You should be able to do this via workflows but unfortunately, I can’t confirm that.

Handling attributes related to location, contacts, contracts, and expiration dates.

Yes, you can handle these.

Configuration of attributes during account creation to be selectable from drop-down lists, with values either static or dynamically retrieved from external data sources.

You can have static values, drop down list is not possible. However, you might be able to leverage FORMS, for example which support dropdown list or such.

Application of validation logic on specific fields to prevent the entry of unauthorized values into designated account attributes.

That’s not possible on UI, you will have to handle it somewhere else, fields which need additional validation, collect them using separate process via Forms instead of collecting during creation. Not the best solution and user experience but it’s a limitation.