Gartner ranked SailPoint IdentityIQ (IIQ) as one of the top IGA tools on the market. This article looks at a few lightweight customization points, called rules, that SailPoint builds into the product and that you can use in your own IIQ instance.
Application Customization Rule
IIQ is aggregation-based, which means account data from connected applications is collected according to a defined schedule. This collection typically runs at least once per day, and depending on the application and usage it can be more frequent, even hourly. The Customization Rule runs against each account as it is pulled into IIQ and can change the account data before it is stored. With this rule, all sorts of lightweight customizations can be made to meet business use cases.
Customization Example:
Special Character Detection: Some applications will not accept accented characters like Á, Ã or Ä. You may want these characters in the HR system, but you don’t want them in IIQ, because they will cause problems when IIQ provisions the values to other applications like SAP or Salesforce.
With a Customization Rule, you can swap out any unwanted characters as the account comes into IIQ, preventing downstream issues. Thus, when a user’s last name is saved in the IIQ database, it is automatically changed from “Ãlma” to “Alma”, because the rule intercepted the account and made the character change on the fly.
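The following is an added example of such a Customization Rule, written for this article in BeanShell-compatible Java; it is not code from the page or from SailPoint. It goes slightly beyond the single last-name case: it folds every attribute in a configurable list to plain ASCII letters by decomposing accented characters (NFD) and dropping the combining marks, then maps the few Latin letters that have no decomposition. The attribute names in ATTRS_TO_CLEAN are assumptions and must match the application schema.

```java
// Rule type: ResourceObjectCustomization (the IIQ "Customization Rule").
// Variables supplied by IIQ at runtime: object (sailpoint.object.ResourceObject),
// application, connector, state, context. The rule returns the modified ResourceObject.
import java.text.Normalizer;
import java.util.Arrays;
import java.util.List;
import sailpoint.object.ResourceObject;

// Attributes to clean. These names are assumptions; align them with the application schema.
List ATTRS_TO_CLEAN = Arrays.asList(new String[] { "lastName", "firstName", "displayName" });

// Fold a string to ASCII letters: decompose accented characters (NFD, so "Ã" becomes
// "A" + combining tilde), strip the combining marks, then handle letters that NFD leaves alone.
String foldToAscii(String s) {
    if (s == null) {
        return null;
    }
    String folded = Normalizer.normalize(s, Normalizer.Form.NFD).replaceAll("\\p{M}+", "");
    // Letters with no canonical decomposition; extend as needed for the target application.
    folded = folded.replace("ß", "ss").replace("Ø", "O").replace("ø", "o")
                   .replace("Æ", "AE").replace("æ", "ae").replace("Ð", "D").replace("ð", "d")
                   .replace("Þ", "Th").replace("þ", "th").replace("Ł", "L").replace("ł", "l");
    return folded;
}

for (Object name : ATTRS_TO_CLEAN) {
    Object value = object.getAttribute((String) name);
    if (value instanceof String) {
        String cleaned = foldToAscii((String) value);
        if (!cleaned.equals(value)) {
            // "Ãlma" is stored as "Alma"; the source system keeps the original spelling.
            object.setAttribute((String) name, cleaned);
        }
    }
}
return object;
```

Two caveats before deploying a rule like this. Folding is lossy, so two distinct people (“Müller” and “Muller”) can collapse onto the same value; if the attribute is used as a correlation key or for uniqueness checks, make sure that collision is acceptable. And the rule runs on every account on every aggregation, so keep it to cheap string operations and avoid database lookups inside it.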
Application File Processing Rule
Sometimes it isn’t possible, or isn’t safe, to connect IIQ directly to an application’s database or web service. In these cases, IIQ can aggregate from a text or CSV file instead, using the Delimited File connector, and a pre-processing rule (the connector’s PreIterate Rule) can rewrite the file before IIQ parses it.
Customization Example:
File Manipulation: Most enterprise business applications have out-of-the-box reporting functionality that can produce a text file containing the data IIQ needs. The common problem is that the report format isn’t immediately compatible with the connector, as in the report below.
Acme Corp.
User Account Report
Sensitive Data Application
User, Access
Bob, Admin
John, Read-Only
Mary, Read-Only
Page 1.
In the example above, all the information needed is present. However, there is also irrelevant data, like the report title and the page number, that would be parsed as accounts or break the column layout. A pre-processing rule can transform the text file into a clean delimited file before aggregation, which makes IIQ compatible with a much wider range of applications without asking the application team to change their export.
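As an added example (written for this article in BeanShell-compatible Java, not code from the page or from SailPoint), here is a PreIterate Rule that turns the report above into a plain CSV: it keeps the first “User, Access” column header, keeps the data rows that follow it, and drops report titles, repeated per-page headers and “Page N.” footers. The variable names follow the PreIterate Rule signature as documented for the Delimited File connector; confirm them against the rule template in your IIQ version. The header text and footer pattern are assumptions based on the sample report.

```java
// Rule type: PreIterate (runs once per aggregation of a Delimited File application,
// before IIQ parses the file). Variables supplied by IIQ: application, schema,
// openedStream (java.io.BufferedInputStream), stats, context.
// The rule returns the java.io.InputStream that IIQ should parse instead of the raw file.
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// The column header the application writes (assumption taken from the sample report).
String COLUMN_HEADER = "User, Access";
// Page footers look like "Page 1." in the sample report (assumption).
Pattern PAGE_FOOTER = Pattern.compile("^\\s*Page\\s+\\d+\\.?\\s*$");

InputStream stripReportDecoration(InputStream in) throws IOException {
    BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
    StringBuilder out = new StringBuilder();
    boolean inData = false;        // true between a column header and the next page footer
    boolean headerWritten = false; // the column header is emitted exactly once
    String line;
    while ((line = reader.readLine()) != null) {
        String trimmed = line.trim();
        if (trimmed.length() == 0) {
            continue;
        }
        if (trimmed.equals(COLUMN_HEADER)) {
            if (!headerWritten) {
                out.append(trimmed).append('\n');
                headerWritten = true;
            }
            inData = true;
            continue;
        }
        if (PAGE_FOOTER.matcher(trimmed).matches()) {
            // End of a page: what follows is the next page's title block, not data.
            inData = false;
            continue;
        }
        if (inData) {
            out.append(trimmed).append('\n');
        }
        // Anything outside a data block (report name, company name, application title) is dropped.
    }
    if (!headerWritten) {
        // Fail closed: an unrecognised file must not be aggregated as "zero accounts".
        throw new IllegalStateException("Column header '" + COLUMN_HEADER
            + "' not found in file for " + application.getName());
    }
    return new ByteArrayInputStream(out.toString().getBytes(StandardCharsets.UTF_8));
}

return stripReportDecoration(openedStream);
```

The fail-closed check at the end matters more than it looks. If the application changes its report layout and the rule silently produces an empty file, an aggregation configured to delete accounts that are no longer in the feed will treat every user as having left the application, and the resulting deprovisioning is far harder to undo than a failed task.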
Account Matching (Correlation) Rule
In an ideal situation, a user’s account can be matched to their identity in IIQ with no custom code at all.
Customization Example:
John Smith has an email address stored in IIQ: jsmith@company.com
He also has an account in Salesforce under the same email.
IIQ’s standard correlation configuration, which matches an account attribute to an identity attribute and takes seconds to set up, links John Smith’s identity and account automatically.
However, data is rarely this well aligned. Most commonly, the problem is legacy data. Assume, for instance, that accounts created in the last two years carry the user’s network name (like jsmith) in the username field, while older accounts carry an arbitrary username (like marysmith123) that will never match the identity name ‘msmith’.
The logic we can implement in IIQ looks like this:
- If the username field matches an identity name, link the account to that identity.
- If the username does not match, search IIQ for an exact match on first name, last name and location; if exactly one identity is returned, link the account to it. If zero or several identities are returned, leave the account uncorrelated for manual review rather than guessing.
With this rule in place, the ‘marysmith123’ account is matched to ‘msmith’ automatically. This removes the need for the application team to clean up their data, which is typically a slow and complex process.
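Below is an added Correlation Rule implementing exactly that two-step logic, written for this article in BeanShell-compatible Java; it is not code from the page or from SailPoint. The account attribute names (username, firstName, lastName, location) are assumptions that must be aligned with the application schema, and location is assumed to be a searchable extended attribute on the Identity.

```java
// Rule type: Correlation. Variables supplied by IIQ: environment, application,
// account (sailpoint.object.ResourceObject), link, context (sailpoint.api.SailPointContext).
// Return a Map naming the Identity that owns the account, or null to leave it uncorrelated.
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;

// Account schema attribute names. These are assumptions; align them with the application schema.
String ACCOUNT_USERNAME  = "username";
String ACCOUNT_FIRSTNAME = "firstName";
String ACCOUNT_LASTNAME  = "lastName";
String ACCOUNT_LOCATION  = "location";

String asString(Object v) {
    return (v == null) ? null : v.toString().trim();
}

Map correlateTo(Identity identity) {
    Map result = new HashMap();
    result.put("identityName", identity.getName());
    return result;
}

// Step 1: the username field holds the network name, which is the IIQ identity name (e.g. jsmith).
String username = asString(account.getAttribute(ACCOUNT_USERNAME));
if (username != null && username.length() > 0) {
    Identity byName = context.getObjectByName(Identity.class, username);
    if (byName != null) {
        return correlateTo(byName);
    }
}

// Step 2: legacy usernames (e.g. marysmith123) fall back to first name + last name + location.
String first = asString(account.getAttribute(ACCOUNT_FIRSTNAME));
String last  = asString(account.getAttribute(ACCOUNT_LASTNAME));
String loc   = asString(account.getAttribute(ACCOUNT_LOCATION));
if (first == null || last == null || loc == null) {
    return null; // not enough data for a safe match; leave the account uncorrelated
}

QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.ignoreCase(Filter.eq("firstname", first)));
qo.addFilter(Filter.ignoreCase(Filter.eq("lastname", last)));
qo.addFilter(Filter.ignoreCase(Filter.eq("location", loc))); // assumed searchable extended attribute
qo.setResultLimit(2); // we only need to know whether the match is unique
List matches = context.getObjects(Identity.class, qo);

if (matches != null && matches.size() == 1) {
    return correlateTo((Identity) matches.get(0));
}
// Zero candidates or an ambiguous set: never guess. An account linked to the wrong person
// gives that identity access it should not have and hides the real orphan account.
return null;
```

Two practical notes. The fallback query runs once for every account that misses on username, so the identity attributes it filters on (here firstname, lastname and the location extended attribute) need to be searchable and indexed, or a large aggregation will crawl. And accounts that stay uncorrelated are not a failure of the rule: they should surface in IIQ’s uncorrelated-accounts reporting, where a human decides whether they belong to someone or are orphans to be removed.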