Thursday, October 24, 2013

Birthright Provisioning in SailPoint - How to start?

Provisioning through SailPoint is something I have wanted to try for quite some time. Certifications are one major requirement for customers, but now a lot of requests are coming in for provisioning through SailPoint, and customers are comparing the Tivoli, Oracle and SailPoint suites to find the best possible provisioning solution.

In this post I am going to describe a simple birthright provisioning solution that can be built to understand how provisioning is done using workflows.
Birthright provisioning is the scenario where every user who exists must have access to a specific application (this could be AD/Exchange or an intranet site).
There are other ways to do this as well (roles, provisioning policies, etc.), which I will explain in future posts.
In brief, what I have configured is an OpenDS LDAP server as an application in SailPoint. A new account is then created for a user through LCM as soon as the identity is aggregated into SailPoint (birthright!), and the request is processed by a workflow that sends a custom form to the manager for approval.
The LDAP connector in SailPoint supports direct provisioning, so no connector gateway configuration is required.

How to do that (prerequisites: LCM and account requests enabled):
1. Once you have configured the LDAP application in SailPoint, make sure "PROVISIONING" is present in its feature string.

2. Workflow attributes: workflow variables hold the objects and values that are passed along the different steps of the workflow (for example, when you want to pass values from a form filled in by the manager to the next step, where the account is created based on those attributes).
It is difficult to identify up front all the variables that provisioning will require; you can find the variables a library method needs by selecting the existing function from the "call method" list and hovering the mouse over it. It is better to refer to the existing LCM provisioning workflow and copy the major required variables from there.

3. Workflow flow: to create the workflow in the UI, drag and drop the start, step and end elements. Make four steps (Approval, Plan, Compile plan, and Execute plan).

4. Approval/Form: in the first step add an approval and a form; in the form add the fields you want the user to fill in, and these fields will be available in the next step. Add a condition so that the workflow continues to the next step only when the form is approved, and ends otherwise. This step can be used to get the necessary input from the manager to create the birthright account.

5. Plan: in this step create a plan using the ProvisioningPlan class. The identity for which the account is requested is available as the input variable identityName; use it to build the plan object, which is returned as the result variable of this step.

6. Compile and Execute steps: in the next two steps call the existing workflow library functions compileProvisioningProject and provisionProject. The required variables need to be added on the Arguments tab.

7. Trigger: update the existing workflow in Lifecycle Events with your new workflow. In the Refresh Identity Cube task, "Process Events" must be selected so that the workflow is triggered for any new identity that is aggregated.
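As an added example (not the author's workflow and not SailPoint's own code), this is how the Plan, Compile and Execute steps described above look in the workflow XML that the UI editor produces, with the plan built in a Beanshell script. The application name "OpenDS", the DN layout under ou=people,dc=example,dc=com, the attribute mapping and the variable names are assumptions for this example; the manager approval form is left out so the plan-building script stays the focus.

```xml
<Workflow name="Birthright LDAP Account" type="IdentityLifecycle">
  <!-- identityName is supplied by the Lifecycle Event trigger -->
  <Variable name="identityName" input="true"/>
  <Variable name="plan"/>
  <Variable name="project"/>

  <Step name="Start"><Transition to="Build Plan"/></Step>

  <!-- Plan step: build a Create AccountRequest for the assumed "OpenDS" application -->
  <Step name="Build Plan" resultVariable="plan">
    <Script><Source><![CDATA[
      import sailpoint.object.Identity;
      import sailpoint.object.ProvisioningPlan;
      import sailpoint.object.ProvisioningPlan.AccountRequest;
      import sailpoint.object.ProvisioningPlan.AttributeRequest;

      Identity identity = context.getObjectByName(Identity.class, identityName);
      if (identity == null) return null;   // unknown identity: nothing to provision

      ProvisioningPlan plan = new ProvisioningPlan();
      plan.setIdentity(identity);

      AccountRequest acct = new AccountRequest();
      acct.setApplication("OpenDS");                       // assumed application name
      acct.setOperation(AccountRequest.Operation.Create);
      // DN layout and attribute mapping are assumptions for this example
      String uid = identity.getName();
      acct.setNativeIdentity("uid=" + uid + ",ou=people,dc=example,dc=com");
      acct.add(new AttributeRequest("objectClass", ProvisioningPlan.Operation.Set, "inetOrgPerson"));
      acct.add(new AttributeRequest("uid", ProvisioningPlan.Operation.Set, uid));
      acct.add(new AttributeRequest("cn", ProvisioningPlan.Operation.Set, identity.getDisplayName()));
      acct.add(new AttributeRequest("sn", ProvisioningPlan.Operation.Set, identity.getLastname()));
      plan.add(acct);
      return plan;   // becomes the workflow variable "plan"
    ]]></Source></Script>
    <Transition to="Compile Plan"/>
  </Step>

  <!-- Compile step: library method turns the plan into a ProvisioningProject -->
  <Step action="call:compileProvisioningProject" name="Compile Plan" resultVariable="project">
    <Arg name="identityName" value="ref:identityName"/>
    <Arg name="plan" value="ref:plan"/>
    <Transition to="Execute Plan"/>
  </Step>

  <!-- Execute step: library method sends the project to the LDAP connector -->
  <Step action="call:provisionProject" name="Execute Plan">
    <Arg name="project" value="ref:project"/>
    <Transition to="Stop"/>
  </Step>

  <Step name="Stop"/>
</Workflow>
```

When an approval form is inserted before "Build Plan", the values the manager enters can be read in the script as workflow variables in the same way as identityName.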

If everything is configured correctly, an account should be created in OpenDS.

P.S.: I have not added a lot of technical detail in this post, but I am sure that with the points above somebody who is trying to get started with workflows can understand and do it easily.

7 comments:

  1. Hi Abhishek, how can we add some more data to show in SailPoint in a column?
  2. This comment has been removed by the author.

  3. Hello Abhishek Chowdhury,
    Thanks for the post. Very good details. Worked like a charm. Good directions.

    I am wondering, is there any way to add a custom schema attribute to Identity Warehouse > Application Accounts?

    When I check the UI Customization with UIConfig in the IdentityIQ 7.2 document, I see only accountIconConfig examples.
    Customizing Identity Warehouse - application account attributes?

    Appreciate your effort for making such useful blogs and helping the community.
    Thank you,
    Ganesh Ponna
  4. Hello Abhishek,

    Thanks for the post. Very good details. Worked like a charm. Good directions.

    I am wondering, is there any way to add a custom schema attribute to Identity Warehouse > Application Accounts?

    When I check the UI Customization with UIConfig in the IdentityIQ 7.2 document, I see only accountIconConfig examples.

    Customizing Identity Warehouse - application account attributes?

    Appreciate your effort for making such useful blogs and helping the community.

    Thank you,
    Irene Hynes
  5. Hi Bru,
    Thanks for the post. Very good details. Worked like a charm. Good directions.

    Just to add, I have found that using the delete certification command would do the trick, and you would then also need to delete its associated certificationgroup. However, the delete certification command will not work when there are two certifications that have the same name. I have since tested in our development environment that this can all be done via the debug mode; however, when I attempt to make the change in our production environment and select the certification to delete, it pauses for close to a minute and then throws up the error message "The system had encountered a serious error while processing your request. Please see your system administrator."
    I have restarted the Tomcat service and tried again to no avail. Has anyone experienced this behaviour?

    Anyway, great write-up, your efforts are much appreciated.

    Thanks,
    Ajeeth
  6. Hello Abhi,

    That's really cool. I followed these instructions and it was like boom, it worked well.
    I have added the username and password in the rule directly from debug. Missed copying that here.
    - Is there any issue with Add-Type -Path Util.dll?
    - How do I test with a sample PowerShell command in a native rule where the user does not have permissions to execute ps1 files?
    I have tried to execute the ps1 file after logging into the system with the AD connection params. Not able to execute the ps1 file, but able to execute basic commands in the PowerShell command prompt.

    Appreciate your effort for making such useful blogs and helping the community.

    Best Regards,
    Preethi.
  7. Hi Abhishek,

    Thanks for the tip, appreciate it. Your article definitely helped me to understand the core concepts.
    I'm most excited about the details your article touched on! I assume it doesn't come out of the box; it sounds like you are saying we'd need to write the handlers ourselves.
    Are there any other articles you would recommend to understand this better?

    You can delete the CertificationGroup object from the iiq console using the certification id, if the certifications have the same name.
    Command syntax (to be run on the iiq console):
    >delete Certification Group
    Similarly you can delete the Certification object; just specify the type of object as Certification.
    Very useful article. If I run into challenges along the way, I will share them here.

    Best Regards,
    Abhiram