SailPoint IdentityIQ Integration Strategies
The four strategies below are the most common approaches to use when integrating SailPoint IdentityIQ (IIQ) with another application.
- Read-Only Reporting and Auditing
- Access Requests with Manual Provisioning
- Access Requests with Automated Provisioning
- Automated Assignment with Automated Provisioning
Strategy 1 – Read-Only Reporting and Auditing
SailPoint IIQ can provide visibility into the user accounts and authorizations within an application through the generation of reports. This approach uses a read-only connection to load (aggregate) the application's user accounts and their authorizations into SailPoint IIQ.
Benefits
- Increased visibility for improper or outdated authorizations
- Relatively simple to implement
- Read-only connection avoids risk of unintended changes to existing processes and data
Considerations
- Requires manual remediation of issues discovered with authorizations
- Does not improve access request, approval, or provisioning processes
Strategy 2 – Access Requests with Manual Provisioning
SailPoint IIQ tracks, manages, and handles approvals for authorization requests by users for themselves or others. After a request is approved, SailPoint IIQ notifies the appropriate person/group to manually provision the requested access.
Benefits
- Manual provisioning allows the use of a read-only connection which minimizes the risk of unintended changes to existing processes and data
- Creates a searchable history of all access requests and all approval decisions made for those requests
- Allows access policies to be defined that reduce instances of improper access being approved and provisioned
- Allows tracking and auditing of the requested privileges after they have been provisioned or deprovisioned
Considerations
- All provisioning and deprovisioning requires action by a human actor
- Depending on the desired roles, access policies, and other business rules, the complexity of this strategy may increase quickly
Strategy 3 – Access Requests with Automated Provisioning
SailPoint IIQ tracks, manages, and handles approvals for authorization requests submitted by users for themselves or others. After a request is approved, SailPoint IIQ grants the requested application access automatically.
Benefits
- Reduces the amount of work for administrators of the target application by automating the provisioning process
- Creates a searchable history of all access requests and all approval decisions made for those requests
- Allows access policies to be defined that reduce instances of improper access being approved and provisioned
- Allows tracking and auditing of the requested privileges after they have been provisioned or deprovisioned
Considerations
- Automated provisioning requires either direct integration between SailPoint IIQ and the target application, or the use of directory groups in TED or Active Directory
- Depending on the desired roles, access policies, and other business rules, the complexity of this strategy may increase quickly
Strategy 4 – Automated Assignment with Automated Provisioning
SailPoint IIQ automates the process of granting access to users who meet defined criteria (such as having a particular job title in a particular department). SailPoint IIQ automatically performs account and access provisioning in the target application.
Benefits
- Reduces the amount of work for administrators of the target application by automating the provisioning process
- Allows tracking and auditing of the assigned privileges after they have been provisioned
- Reduces the time required for a user to be granted the access they need
Considerations
- Automated provisioning requires either direct integration between SailPoint IIQ and the target application, or the use of directory groups in TED or Active Directory
- Depending on the desired roles and business rules, the complexity of this strategy may increase quickly
- Removes human oversight of individual changes in user access
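Each strategy relies on comparing what the target application actually holds with what SailPoint IIQ intends: read-only aggregation surfaces improper or outdated authorizations (Strategy 1), approved requests must eventually be provisioned (Strategies 2 and 3), and automated assignment removes per-change human review (Strategy 4), so a detective reconciliation becomes the compensating control. The following is an added illustration, not SailPoint's code or API: it models intended access as approved requests plus a hypothetical birthright rule keyed on department and title, and reconciles it against a constructed account snapshot.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    name: str
    department: str
    title: str

# Hypothetical Strategy 4 criteria: (department, title) -> automatically assigned entitlements
BIRTHRIGHT_RULES = {
    ("Finance", "Accountant"): {"GL_READ", "GL_POST"},
    ("Finance", "Analyst"): {"GL_READ"},
}

def expected_entitlements(identity, approved_requests, rules=BIRTHRIGHT_RULES):
    """Access IIQ intends the identity to hold: approved requests plus birthright assignments."""
    requested = set(approved_requests.get(identity.name, set()))
    birthright = set(rules.get((identity.department, identity.title), set()))
    return requested | birthright

def reconcile(identities, approved_requests, target_accounts):
    """Compare a read-only snapshot of target accounts with intended access.
    Returns orphan accounts, excess (improper/outdated) and missing entitlements."""
    by_name = {i.name: i for i in identities}
    findings = {"orphans": [], "excess": {}, "missing": {}}
    for account, held in target_accounts.items():
        ident = by_name.get(account)
        if ident is None:  # account with no matching identity: likely a leaver or local admin
            findings["orphans"].append(account)
            continue
        intended = expected_entitlements(ident, approved_requests)
        if extra := set(held) - intended:
            findings["excess"][account] = sorted(extra)
        if gap := intended - set(held):
            findings["missing"][account] = sorted(gap)
    for ident in identities:  # identities entitled to access but with no account at all
        intended = expected_entitlements(ident, approved_requests)
        if ident.name not in target_accounts and intended:
            findings["missing"][ident.name] = sorted(intended)
    return findings

# Constructed sample data (not from any real system)
IDENTITIES = [Identity("alice", "Finance", "Accountant"),
              Identity("bob", "Finance", "Analyst"),
              Identity("carol", "HR", "Recruiter")]
APPROVED = {"carol": {"GL_READ"}}           # granted through an access request
TARGET_ACCOUNTS = {                          # snapshot loaded over the read-only connection
    "alice": {"GL_READ", "GL_POST"},         # matches intended access
    "bob": {"GL_READ", "GL_POST"},           # GL_POST was never approved or assigned
    "carol": set(),                          # approved request not yet provisioned
    "dave": {"GL_READ"},                     # no identity in IIQ: orphan account
}
```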
Figure 1: SailPoint IIQ Features by Integration Strategies