Webservice app onboarding

Which IIQ version are you inquiring about?

8.4

Please share any images or screenshots, if relevant.

Share all details about your problem, including any error messages you may have

Hi everyone,

I’m onboarding one app into SailPoint IdentityIQ using the Web Services connector.

That app has two administrative access models:

  1. Local break-glass accounts, around 5 accounts are there please refer image which is starting with ADM which I’m able to aggregate using the /accounts API.
  2. Azure AD-backed groups (Directory Services group), where access is granted via Azure AD group membership and in entitlement catlogue those groups are tagged under azure AD.

What is the recommended IIQ design for provisioning and certification? How do you typically model this mixed access scenario in IIQ?

Hi @Richie1997,

depending on what you do, you can manage only ADM account with webservice connector (update,enable,disable,ect.) and the other with Azure. SO, you can manage it via before provsioning rule o operation rule to block the provisioning on no-admin accout.

Also, if you want something more specific for privilege account, take a look on PAM.

Hi @enistriminsait

Thanks for the info.

But app team not handling those break glass accounts through cyberark. There are just managing it locally within their system.

The expectation is they want to manage both break glass accounts and that azure ad backed accounts through iiq. And for certification they want to pull all this accounts.

@Richie1997 If there’ll be no multiple accounts for the same identity, you can have a single app for both local and azure backed accounts. As they are local breakglass accounts, you can have selective provisioning enabled in IIQ, means only allow certain groups while for regular users, you can have azure AD groups as requestable.