
Group and Role Management Functionality

Article Number : KB0016337
Published on : 2021-03-31
Last modified : 2021-03-31 19:24:27
Knowledge Base : IT Public Self Help


The Identity and Access Management Modernization Program (IAMMP) has been organized into three phases. The initial SailPoint IIQ implementation during Phase 1 will focus on building and deploying the fundamental functionality of Group and Role Management. Phase 2 will build upon that foundation and expand this functionality on campus along with introducing access certifications. Phase 3 will continue to expand the Group and Role Management functionality enterprise-wide and fully integrate with ServiceNow for access requests.

Figure 1: Group and Role Management Functionality by Phase


The following functionality is being introduced as part of Group and Role Management:

  • Managing Access via Identity Lifecycle Events
    • Joiner represents a new identity joining the University or an identity being reactivated (e.g., new hire, reinstated employee, etc.). This typically will include the addition or reactivation of role assignments, related application accounts, and group memberships for basic services provided to all identities with similar affiliations and job functions.
    • Mover represents an identity moving between departments or job functions. This typically will include the removal of roles, entitlements, application accounts, and group memberships associated with the previous affiliations or job functions. Then the identity is assigned the roles, entitlements, application accounts, and group memberships associated with the new affiliations or job functions.
    • Leaver represents an identity leaving the University (e.g., termination, retirement, etc.). This typically will include removal or deactivation of roles, entitlements, related application accounts, and group memberships associated with the previous affiliation of an identity.
  • Managing Access via Requests is used when an individual, or a delegate, requests the assignment of a role or entitlement to their profile. Depending on the access requested, an access request may require approvals by specific individuals, policy checks, and notifications to interested parties.
  • Role Maintenance is the ability to request that a role or entitlement associated with permission(s) in an application be created, updated, or deleted. This includes the administrative functionality of creating, updating, and deleting the actual role and entitlement in SailPoint IIQ and directory services.
  • Reconciliation is the correlation and refresh of identities within SailPoint IIQ based on current authorization information imported from an application. This functionality finds additional or modified entitlement assignments for an identity in the application that were made outside of SailPoint IIQ. Any updates to role or entitlement assignments are applied to the identity and access policies are reviewed to verify that the assignments are permissible. If any violations are found, an exception is raised and a waiver approval is launched. This may require changes to the identity’s access permissions in the application.
  • Reporting is the ability to generate access reports on a scheduled or ad-hoc basis. Reports are delivered to identities via email. Some standard reports contain information on identity access, role membership, and access requests.
  • Certification provides (1) a complete list of all user accounts that exist for an application or (2) the complete list of roles and entitlements within the hierarchy of a role. The certification is sent to the application owner or role owner to approve the user accounts or the role composition, respectively. If any changes are required, a remediation process will either deprovision the user account in the application or modify the role to reflect the approved composition.
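As an added illustration that is not part of this article and not SailPoint IIQ code, the following Python models the Mover lifecycle event and the Reconciliation step described above: a mover drops the old affiliation's baseline entitlements and adds the new one, and reconciliation refreshes the identity from the application's current authorization data, reports entitlements granted outside the IAM system, and raises an exception when an access policy is violated. The affiliations, entitlement names and the toxic-pair policy are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed mapping of affiliation / job function to baseline entitlements
# (the "basic services provided to all identities with similar affiliations").
BASELINE = {
    "ap_clerk": {"AP_PAY", "PORTAL"},
    "hr_staff": {"HR_READ", "PORTAL"},
}

# Constructed access policy: entitlement pairs that must never be held together.
TOXIC_PAIRS = {frozenset({"AP_APPROVE", "AP_PAY"})}


@dataclass
class Identity:
    name: str
    entitlements: set = field(default_factory=set)   # what the IAM system believes is assigned
    exceptions: list = field(default_factory=list)   # open policy violations awaiting a waiver


def mover(identity, old_affiliation, new_affiliation):
    """Mover event: remove the previous affiliation's baseline, then assign the new one.

    Returns (removed, added). Entitlements shared by both baselines are kept.
    """
    old, new = BASELINE[old_affiliation], BASELINE[new_affiliation]
    removed = (identity.entitlements & old) - new
    identity.entitlements = (identity.entitlements - old) | new
    return removed, new - old


def reconcile(identity, app_entitlements):
    """Reconciliation: refresh the identity from the application's current data.

    Returns (added, removed, violations): entitlements granted outside the IAM
    system, entitlements the application no longer holds, and any policy
    violations found after the refresh. Each violation is recorded as an
    exception on the identity, which is where a waiver approval would start.
    """
    current = set(app_entitlements)
    added = current - identity.entitlements
    removed = identity.entitlements - current
    identity.entitlements = current                  # the application is the source of truth here
    violations = [sorted(pair) for pair in TOXIC_PAIRS if pair <= identity.entitlements]
    identity.exceptions.extend(violations)
    return added, removed, violations
```

A practitioner would watch the `added` set closely: an entitlement that reappears after a Mover removed it is the out-of-band change the article says reconciliation exists to find.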