Monday, May 13, 2013

Scopes in SailPoint IIQ

There is a very common requirement in any IDM project that a manager should be able to see only the users who are his direct reports. This is very easy to achieve in some tools, such as Sun IDM or Tivoli IDM, but in others, like CA IDM or Aveksa, it is really hard to configure.
In this post I will talk about configuring this feature in SailPoint.
I will explain a simple configuration using the example of a department attribute. Let's say there are two departments, Banking and Media, and a Banking manager should only see the people in the Banking department.
  • Go to System Setup -> Scopes
  • Enable scoping
  • In Scope identity attribute, select the identity attribute that contains the department value
  • Scope correlation rule: required if you do not have a single scope attribute like department, or if multiple attributes contain scope values. (Not required for this example.)
  • Scope selection rule: required when the correlation rule above can return multiple scopes and one of them has to be chosen. (Not required for this example.)
  • Unscoped Objects Globally Accessible: as the name suggests, makes objects that have no scope assigned accessible to everyone (for example identities that have no department attribute and therefore no scope). (Not required for this example.)
  • Identity Controls Assigned Scope: also not required for this example. It allows users to manage identities within their own assigned scope, but only in combination with the correct user capabilities.
  • Run the refresh task to create the required scopes.
  • The task will create a scope for every department, and you can view them under the Scopes option in System Setup.
  • Now go to Identities and pick a user in the Banking department who will be managing all the users in Banking.
  • Go to the User Rights tab, select Banking under Authorized scopes, and assign the appropriate user capabilities.
  • Now log in as the user you just modified; you will be able to see only those users who are in the same scope.
  • Much more complex scopes can be created by using multiple attributes for scoping together with a custom scoping rule.
Done!! :)
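As an added illustration of the scope correlation rule mentioned above (this is example code, not from the original post), here is a ScopeCorrelation rule that derives one scope from two identity attributes. The attribute names `department` and `region` and the scope naming convention `Department-Region` are assumptions; the rule arguments (`context`, `identity`, `scopeCorrelationAttribute`, `scopeCorrelationAttributeValue`) are the ones IIQ passes to a rule of this type.

```xml
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Example ScopeCorrelation rule (added illustration, not from the post).
     IIQ runs it during identity refresh for each identity and expects back
     the list of Scope objects that should be assigned to that identity. -->
<Rule language="beanshell" name="Example Department-Region Scope Correlation" type="ScopeCorrelation">
  <Signature returnType="List">
    <Inputs>
      <Argument name="context"/>
      <Argument name="identity"/>
      <Argument name="scopeCorrelationAttribute"/>
      <Argument name="scopeCorrelationAttributeValue"/>
    </Inputs>
    <Returns>
      <Argument name="scopes"/>
    </Returns>
  </Signature>
  <Source><![CDATA[
  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.object.Filter;
  import sailpoint.object.QueryOptions;
  import sailpoint.object.Scope;

  List scopes = new ArrayList();

  // Assumed identity attribute names; adjust to your identity mapping.
  String department = (String) identity.getAttribute("department");
  String region     = (String) identity.getAttribute("region");

  // Leave the identity unscoped when either attribute is missing. Whether an
  // unscoped identity is visible to everyone is then governed by the
  // "Unscoped Objects Globally Accessible" setting, so no fallback scope is invented here.
  if (department == null || region == null) {
    return scopes;
  }

  // Assumed convention: scopes are named "<Department>-<Region>", e.g. "Banking-EMEA".
  String scopeName = department + "-" + region;

  QueryOptions qo = new QueryOptions();
  qo.addFilter(Filter.eq("name", scopeName));
  List matches = context.getObjects(Scope.class, qo);

  // Only assign scopes that already exist; an unknown combination stays
  // unscoped for review instead of silently widening what a manager can see.
  if (matches != null && !matches.isEmpty()) {
    scopes.addAll(matches);
  }
  return scopes;
  ]]></Source>
</Rule>
```

Because the rule only ever returns existing scopes, a manager still needs both the Authorized scope and the matching capabilities from the User Rights tab before any identity becomes visible to them.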

1 comment:

  1. Thanks. We need to do this in IIQ and your post may help.