
Key Concepts in SailPoint Identity Security Cloud: Identity Profile Hierarchies

by Robert Ivey | March 13, 2025


With over a decade of experience implementing SailPoint solutions like Identity Security Cloud (ISC), I've learned that some foundational components must be addressed early in any Identity Governance and Administration (IGA) project. One of the most critical yet often overlooked aspects in ISC is Identity Profile hierarchies.

Think of your ISC implementation as building a house: your Identity Profile hierarchy is the foundation. Once it's set, making changes can be complex and disruptive. Profile precedence is not prominent in the UI and is ultimately expressed as a priority value on each profile in the SailPoint API, so project managers, architects, and identity practitioners need to understand how it works to avoid costly rework later.

Understanding Identity Profiles in ISC

In SailPoint Identity Security Cloud, an Identity Profile defines the core attributes and behaviors of an identity. It acts as the blueprint for identity creation, determining how accounts from one authoritative source map to identity attributes, which lifecycle states an identity can be in, and what provisioning actions each lifecycle state triggers.

Each Identity Profile:

  • Has a single authoritative source (e.g., an HR system or a student information system)
  • Determines attribute mapping (e.g., mapping “first_name” from the authoritative source to the ISC first name identity attribute)
  • Controls identity lifecycle states (e.g., active, inactive, or terminated based on HR data or system activity)
  • Handles name generation (e.g., creating unique sAMAccountNames or email addresses based on logic)

At first glance, configuring Identity Profiles seems straightforward. However, challenges arise when multiple authoritative sources exist, such as an identity being both an employee and a student, or an employee transitioning to a contractor.

Why Identity Profile Hierarchies Matter

An identity can have accounts on several authoritative sources, but it is governed by exactly one Identity Profile at a time. SailPoint Identity Security Cloud resolves the conflict through the Identity Profile hierarchy, which is simply the priority order of the profiles. This means:

  • When an identity has accounts on multiple authoritative sources, ISC applies the highest-priority Identity Profile among those whose source holds an account for that identity.
  • That profile's source alone supplies the identity's attributes and lifecycle state; lower-priority sources are ignored for as long as the higher-priority account exists, no matter how current their data is.
  • If the transition from one Identity Profile to another isn't handled properly, identities can get stuck in the wrong lifecycle state, leading to access issues.

Example: Employee to Student Transition

Imagine an organization where individuals can be both employees and students. The HR system is typically the top authoritative source, so an identity initially enters ISC as an employee. If that employee transitions to student-only status, ISC applies the student Identity Profile only once the identity no longer has an account on the higher-priority HR source, or once the hierarchy is changed to rank the student profile above HR.

However, if the HR system keeps feeding a “terminated employee” record, the identity still has an HR account, so the higher-priority employee profile keeps winning and the lifecycle state is derived from the terminated HR record. The active student record is never consulted. The result is students who cannot access the systems they need despite being legitimately active in the student system.

Real-World Scenario: Identity Profile Hierarchy in Action

One of our SailPoint Identity Security Cloud clients recently faced a divestiture challenge. The organization sold a hospital but had a one-year agreement to manage user accounts. When employees from the divested hospital were terminated in the HR system, their identities needed to transition to contractor status under SailPoint Non-Employee Risk Management (NERM).

To enable this, we adjusted the Identity Profile hierarchy, prioritizing the NERM authoritative source over the HR system. This ensured that:

  • Terminated employees could seamlessly transition to contractor status
  • The system correctly recognized their active contractor role
  • Access controls and lifecycle events were properly maintained without manual intervention
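To make the precedence rule concrete, here is an added Python simulation (not code from the original post or from SailPoint) of the one-profile-per-identity rule across both the employee/student case and the divestiture scenario above: identities with accounts on several authoritative sources, a priority-ordered list of profiles, and a lifecycle rule per profile. Source names, priority values, lifecycle rules and the convention that a lower priority number outranks a higher one are assumptions made for the example. It also shows the side effect of the reorder: once NERM outranks HR, any active employee who also has a NERM record is governed by the contractor profile.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

# Constructed simulation of the one-profile-per-identity rule. Source names,
# priority values and lifecycle rules are assumptions for this example, not
# configuration exported from a tenant. Assumed convention throughout: a lower
# priority number outranks a higher one.


@dataclass(frozen=True)
class Account:
    source: str                 # authoritative source the account was aggregated from
    attrs: Dict[str, str]       # raw attributes from that source


@dataclass(frozen=True)
class IdentityProfile:
    name: str
    source: str                 # exactly one authoritative source per profile
    priority: int
    lifecycle: Callable[[Dict[str, str]], str]   # source attrs -> lifecycle state


def resolve(accounts: List[Account],
            profiles: List[IdentityProfile]) -> Optional[Tuple[str, str]]:
    """Return (profile name, lifecycle state) for one identity.

    Only profiles whose source actually holds an account for this identity are
    candidates; the highest-priority candidate wins, and its account alone
    drives the lifecycle state. Accounts on lower-priority sources are ignored
    even when they describe a more current, more active person.
    """
    by_source = {p.source: p for p in profiles}
    candidates = [(by_source[a.source], a) for a in accounts if a.source in by_source]
    if not candidates:
        return None             # no authoritative account: no profile applies
    profile, account = min(candidates, key=lambda pair: pair[0].priority)
    return profile.name, profile.lifecycle(account.attrs)


def reprioritize(profiles: List[IdentityProfile], order: List[str]) -> List[IdentityProfile]:
    """Rebuild the hierarchy with the named profiles on top, in `order`, spaced by 10.
    Profiles not named keep their relative order below the named ones."""
    by_name = {p.name: p for p in profiles}
    unknown = [n for n in order if n not in by_name]
    if unknown:
        raise ValueError(f"unknown profiles: {unknown}")
    rest = [p.name for p in sorted(profiles, key=lambda p: p.priority) if p.name not in order]
    return [replace(by_name[n], priority=(i + 1) * 10) for i, n in enumerate(order + rest)]


# Assumed lifecycle rules: HR sends an employment status code, the student
# system an enrollment flag, NERM an engagement status.
HR = IdentityProfile("Employee", "Workday", 10,
                     lambda a: "active" if a["status"] == "A" else "terminated")
STUDENT = IdentityProfile("Student", "SIS", 20,
                          lambda a: "active" if a["enrolled"] == "Y" else "inactive")
NERM = IdentityProfile("Contractor", "NERM", 30,
                       lambda a: "active" if a["engagement"] == "active" else "inactive")
DEFAULT_HIERARCHY = [HR, STUDENT, NERM]
# The divestiture fix: the NERM-backed profile outranks HR.
DIVESTITURE_HIERARCHY = reprioritize(DEFAULT_HIERARCHY, ["Contractor", "Employee", "Student"])


def stuck_student():
    """Employment ended, but HR still feeds a terminated record; the student record is active."""
    accounts = [Account("Workday", {"status": "T"}), Account("SIS", {"enrolled": "Y"})]
    return resolve(accounts, DEFAULT_HIERARCHY)      # ("Employee", "terminated")


def student_after_hr_record_drops():
    """Same person once the HR source no longer presents an account for them."""
    return resolve([Account("SIS", {"enrolled": "Y"})], DEFAULT_HIERARCHY)   # ("Student", "active")


def divested_contractor(hierarchy):
    """Terminated in HR, active contractor engagement in NERM."""
    accounts = [Account("Workday", {"status": "T"}), Account("NERM", {"engagement": "active"})]
    return resolve(accounts, hierarchy)


def active_employee_with_nerm_record(hierarchy):
    """Side effect of the reorder: an active employee who also has a NERM record."""
    accounts = [Account("Workday", {"status": "A"}), Account("NERM", {"engagement": "active"})]
    return resolve(accounts, hierarchy)


if __name__ == "__main__":
    print("stuck student:               ", stuck_student())
    print("after HR record drops:       ", student_after_hr_record_drops())
    print("divested, default order:     ", divested_contractor(DEFAULT_HIERARCHY))
    print("divested, NERM on top:       ", divested_contractor(DIVESTITURE_HIERARCHY))
    print("active employee, NERM on top:", active_employee_with_nerm_record(DIVESTITURE_HIERARCHY))
```

The last case is the one to check before changing precedence in a real tenant: every identity with accounts on both sources flips with the reorder, and its identity attributes will from then on come from the newly promoted source.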

Plan Early to Avoid Rework

The best way to handle Identity Profile hierarchy challenges is to account for them early in your ISC implementation. Map every authoritative source, decide profile precedence deliberately, and design the transition for each population that can move between sources. Keep in mind that reordering the hierarchy affects every identity with accounts on both sources, not only the population you are trying to move, so review the overlap before you change precedence. Done carefully, this lets organizations:

  • Prevent access disruptions when identities transition between populations
  • Reduce technical debt by avoiding rework in SailPoint Identity Security Cloud
  • Maximize the value of their ISC investment by aligning identity lifecycle logic with business needs

When designing your SailPoint ISC architecture, think beyond the immediate requirements—plan for identity transitions and multi-source scenarios from the start. Doing so will ensure a scalable, future-proof identity security program that fully leverages SailPoint’s Identity Security Cloud capabilities.