Thursday, October 24, 2013

Birthright Provisioning in SailPoint - How to start?

Provisioning through SailPoint, I wanted to do this from quite some time. Certifications are one major requirement for customers but now lot of requests are coming in for provisioning through SailPoint, and customers are comparing Tivoli, Oracle and SailPoint suites to find the best possible provisioning solution.

In this blog I am going to write about a simple birthright provisioning solution that can be created to understand how it can be done using the workflows. 
Birthright provisioning is the scenario when every user who is present must have access to a specific application. (Could be ad/exchange or intranet site)
There are other ways also(like roles or provisioning policy etc..) which i will be explaining in future posts.
In brief what I have configured is a open DS ldap server as a application in SailPoint. and then create a new account for a user through LCM as soon as the identity is aggregate in SailPoint(BirthRight!!), and the request will be processed using a workflow which will send a custom form to the manager for approval.
LDAP connector in SailPoint supports direct provisioning hence no connector gateway configuration is required. 

 How to do that :- (Pre-requisite enable LCM and account request)
1. Once you have configured LDAP application in SailPoint, make sure it has "PROVISIONING" added in feature string.

2. Workflow attributes :- Workflow attributes are basically which will hold the required objects and values which will be passed along the different steps of workflow. (For example you wan to pass values from a form filled by manager to next step, where you want to create account  based on the attribute).
It is difficult to initially identity what all variables will be required for provisioning, you can identify the variable required once you select the existing function from the "call method" and hover the mouse over it. It is better to refer existing LCM provisioning workflow and copy the major required variables.

3. Workflow flow :- For creating the workflow in UI, drag and drop the start, setp and end steps from the UI. Make four steps (Approval, Plan, Compile plan, and execute plan).

5. Approval/Form :- In the first setp add a approval and a from, in the form add fields you want to present to user for input, these fields will be available for use in the next step. Add a condition when the form is approved then only go to next step else end. This step can be leveraged to get the necessary input from the manager to create the birthright account.

6. Plan :- In this step you need to create a plan using the ProvisioningPlan class, the identity for which the account is requested will be available as input(identityName), which can be leveraged to create plan object which will be a return variable from this step.

7. Compile and Execute steps:- In next two steps call existing functions from the workflow library compileProvisioningProject and provisionProject. Required variables needs to be added to the argument tab.

8. Trigger :- Update the existing worfklow in Lifecycle events with your new workflow. In the refresh identity cube task "Process Events" needs to be selected which will trigger the workflow for any new identity aggregated.

If everything is configured correctly then a account should be created in OpenDS. 

P.S:- I have not added lot of technical details in this post, but I am sure with the points above somebody who is trying to start with workflows can understand and do it easily.


  1. Hi abhishek how cn we add some more data to show in sailpoint in column ?

  2. This comment has been removed by the author.

  3. Hello Abhishek Chowdhury ,
    Thanks for the post. Very good details. Worked like a charm. Good directions .

    I am wondering is there any way to add a custom schema attribute to identity warehouse>Application Accounts ?

    When i check the UI Customization with UIConfig in IdentityIQ 7.2 document, i see only accountIconConfig examples.
    Customizing identity warehouse - application accounts attributes?

    Appreciate your effort for making such useful blogs and helping the community.
    Ganesh Ponna