It is up to each organization to decide how it wants SailPoint IdentityIQ to be used for its business requirements.
Generally there are two scenarios. In the first, the requirement is only to perform User Access Reviews, so that users' access to applications is assessed on a regular basis and audit requirements are fulfilled. In the second, the requirement is for an end-to-end Identity and Access Management tool: not just to perform user access reviews but also to manage the lifecycle of an identity, manage user access, handle password management, provisioning, and so on.
SailPoint IdentityIQ recognizes both patterns of requirements and provides features that satisfy either type.
Let's drill down a bit into both of these types of requirement.
Implementing IdentityIQ to perform only User Access Reviews using the delimited connector:
IdentityIQ started its journey as a product whose primary strength was a powerful access audit tool, and then rapidly added features to become a one-stop solution for all IAM requirements.
Organizations that adopted the product early preferred to implement it for User Access Reviews only. That is changing now.
Highlights of this type of solution:
- These implementations were based purely on read-only connectors, mainly of the delimited type.
- The applications for which access control through IIQ was to be implemented were on-boarded as delimited applications.
- Application owners provided their user access data as flat CSV files; this data was aggregated into IIQ, and access certifications were then performed on it.
- Easy to implement.
- The data aggregation is very fast.
- Application owners can adopt this type of solution first, to judge the performance of IIQ and observe the user experience.
- No direct online connection to the application's repository of user access and permissions is required, which matters where the application is sensitive or business-critical. Where a connection is acceptable, this concern can be managed by providing a read-only connection to the application's repository of user access data.
- This may require a lot of data massaging and manual effort.
- Manual intervention increases the chance of human error, and the data may be tampered with along the way.
- The user access data may not be current.
- The biggest negative aspect of this type of implementation is that closed-loop remediation is not possible, i.e. IIQ cannot provision user access directly, because a read-only connector is used.
- Decisions taken during the user access reviews have to be sent to application teams as Excel or PDF reports or through a ticketing tool, and the remediation actions on the target applications are then carried out manually by the application support teams.
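The bullets above describe data arriving as flat CSV files, being massaged by hand, going stale, and review decisions leaving IIQ as reports for manual remediation. The following Python script is an added example (not IdentityIQ or SailPoint code) of the checks an implementation team can run on such an extract before aggregation; the column names, sample rows and 30-day freshness window are assumptions.

```python
"""Pre-aggregation checks for a delimited (flat CSV) application extract of the
kind a read-only delimited connector consumes. Added example, not IdentityIQ
code; column names and sample rows are constructed assumptions."""
import csv
import hashlib
import io
from datetime import date

REQUIRED_COLUMNS = ("account_id", "identity", "entitlement", "extracted_on")

# Constructed sample extract as an application owner might hand it over.
SAMPLE_EXTRACT = """account_id,identity,entitlement,extracted_on
a1001,jdoe,FIN_APPROVER,2024-01-05
a1002,asmith,FIN_VIEWER,2024-01-05
a1001,jdoe,FIN_APPROVER,2024-01-05
a1003,bwong,FIN_ADMIN,2023-11-20
"""

def fingerprint(text):
    """SHA-256 of the raw file, kept with the aggregation so the reviewed data
    can be tied back to exactly what the application owner delivered."""
    return hashlib.sha256(text.encode()).hexdigest()

def validate_extract(text, as_of, max_age_days=30):
    """Return (accepted_rows, findings): schema gaps, duplicate account/
    entitlement pairs (dropped) and rows older than max_age_days (kept, flagged)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], ["missing columns: " + ", ".join(missing)]
    rows, findings, seen = [], [], set()
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        key = (row["account_id"], row["entitlement"])
        if key in seen:
            findings.append(f"line {n}: duplicate {key}")
            continue
        seen.add(key)
        age = (as_of - date.fromisoformat(row["extracted_on"])).days
        if age > max_age_days:
            findings.append(f"line {n}: extract is {age} days old")
        rows.append(row)
    return rows, findings

def remediation_export(rows, decisions):
    """List the revocations to hand to the application team, since a
    read-only connector cannot push the certification decision itself."""
    return [dict(r, action="REVOKE") for r in rows
            if decisions.get((r["account_id"], r["entitlement"])) == "revoke"]
```

Running `validate_extract(SAMPLE_EXTRACT, date(2024, 1, 20))` drops the duplicated jdoe row and flags the bwong row as 61 days old, and the fingerprint gives auditors a way to confirm the aggregated file is the one the owner sent.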
This is represented in the diagram below:
For the second type of implementation architecture please refer to the next post.
Enjoy IAM 🙂