Identity IQ Introduction Part-3


IdentityIQ Analytics and Reports: Understanding Advanced Analytics
🔍 What is Advanced Analytics in IdentityIQ?
Advanced Analytics in IdentityIQ is a powerful search mechanism that allows users to quickly find and analyze identity-related data within the system. It helps organizations search, filter, and report on key identity attributes to make informed decisions.
🔹 Key Features of Advanced Analytics
✅ Search IdentityIQ Database – Quickly search for identities, roles, entitlements, activities, and audit logs.
✅ Customizable Search Options – Searches can be configured based on available attributes.
✅ Save and Export Data – Search results can be:
• Viewed directly in IdentityIQ
• Saved for future searches
• Exported as a CSV file
• Generated into reports for compliance and analysis
Purpose: Helps IT teams and compliance officers quickly retrieve relevant data without manually searching through extensive records.
🔹 IdentityIQ Reports (Reference: Second Image - Reports Dashboard)
IdentityIQ offers over 50 standard reports, categorized into different sections to simplify compliance reporting and decision-making.
📌 Common Report Categories:
• Access Review & Certification Reports – Tracks access review progress.
• Account Group Reports – Analyzes account-related details.
• Activity Reports – Logs actions performed within IdentityIQ.
• Administration Reports – Details administrative activities.
• Application Reports – Shows application access data.
• Identity & User Reports – Provides user-related insights.
• Lifecycle Manager Reports – Monitors user provisioning and lifecycle events.
• Policy Enforcement Reports – Ensures compliance with access policies.
• Risk Reports – Assesses potential security risks.
• Role Management Reports – Helps in defining and maintaining roles.
Purpose: These reports provide structured insights into identity governance, helping organizations stay compliant and proactively manage security risks.
🔹 Why Are IdentityIQ Analytics and Reports Important?
✅ Enhances Compliance – Easily generate audit-ready reports for SOX, GDPR, HIPAA, etc.
✅ Improves Decision-Making – Provides visibility into access trends and risks.
✅ Reduces Security Risks – Identifies unauthorized access or unusual activity.
✅ Automates Monitoring – Eliminates manual data searches with pre-configured reports.
💡 Think of it like a Business Intelligence (BI) tool for Identity Management!
Instead of manually tracking access and compliance, IdentityIQ automates reporting and analytics, ensuring organizations always have real-time insights into their identity and access data.
Understanding Roles in IdentityIQ (Simple Explanation)
Think of roles in IdentityIQ like a combo meal at a restaurant. Instead of ordering a burger, fries, and a drink separately, you just order a meal combo that includes all of them at once.
🔹 What is a Role?
A role is a collection of one or more entitlements grouped into a single object. Instead of assigning entitlements one by one, IdentityIQ allows organizations to assign roles, making access management more efficient and secure.
Now, let’s relate this to Identity and Access Management (IAM):
🔹 Without Roles (Manual Access Requests - Left Side of Image)
Imagine a new employee joins a company. They need access to:
✅ Email (Exchange)
✅ Company Directory (Active Directory - AD)
✅ Office Badge System
If roles are not used, the employee (or manager) has to request each item separately.
📌 Problem:
• Takes more time for approval.
• Higher chance of errors (maybe they forget to request something).
• Harder to track who has what access.
🔹 With Roles (Grouped Access - Right Side of Image)
Now, imagine the company creates an “Employee Role” that already includes all these entitlements:
✅ AD
✅ Badge Access
When a new employee joins, instead of requesting each access separately, they just get assigned the “Employee Role”—and boom! They get everything at once. 🎉
📌 Benefits:
• Faster onboarding – New employees get instant access.
• Less manual work – No need to request access one by one.
• Better security – Ensures employees only get what they need.
• Easy updates – If a new tool is added to the Employee Role, everyone with that role automatically gets it!
🔹 Why Are Roles Important?
✅ Saves Time – No more requesting access piece by piece.
✅ Reduces Mistakes – Ensures users get the right access.
✅ Keeps Access Consistent – Everyone in the same role gets the same permissions.
✅ Improves Security – Prevents unauthorized access by defining who should get what.
💡 Think of it like a Gym Membership!
Instead of paying separately for gym access, swimming, and yoga classes, you just buy a Gold Membership that includes everything you need!
Reducing Risk with Roles in IdentityIQ
🔹 Why Does Managing Individual Entitlements Increase Risk?
When employees need multiple access permissions, managers may accidentally grant unnecessary access or approve something they don’t fully understand.
📌 Issues with individual entitlements:
• More manual approvals increase the risk of errors.
• Managers may not know what specific entitlements employees need.
• Employees might end up with more access than required, leading to security risks.
🔹 How Using Roles Increases Security
In the image, multiple users report to Catherine Simmons, and access is managed for each individual separately. Without roles:
• Each employee requires separate entitlement approvals.
• More decisions = higher risk of mistakes.
• Some employees might receive excessive access, creating security vulnerabilities.
📌 Solution: Using a Role-Based Approach
✅ Instead of assigning multiple individual entitlements, use a predefined role that contains all necessary access.
✅ Managers only approve the role, reducing the likelihood of over-provisioning.
✅ Easier access reviews—managers only need to check roles, not hundreds of entitlements.
🔹 Benefits of Using Roles for Security
✅ Reduces Human Errors – Prevents managers from approving unnecessary access.
✅ Prevents Over-Provisioning – Employees get only the access they need.
✅ Simplifies Access Reviews – Instead of reviewing many entitlements, managers review a single role.
✅ Improves Compliance & Security – Helps meet audit requirements by enforcing least privilege access.
💡 Think of it like a Hotel Key Card!
• Instead of giving separate keys for the room, gym, and lounge, guests get one key card that grants the correct access based on their booking.
• Roles in IdentityIQ work the same way—ensuring employees get only what they need in one secure, pre-approved package!
Understanding Automatic Role Assignment in IdentityIQ
🔹 What is Automatic Role Assignment?
Automatic role assignment in IdentityIQ ensures that users receive appropriate access based on their job role without requiring manual approvals.
✅ How It Works:
• A role assignment rule is defined based on attributes like Job Title, Department, or Location.
• If a user’s attributes match the rule, they are automatically assigned the role along with its entitlements.
• If a user’s job title or department changes, the system removes the role and entitlements automatically to prevent unauthorized access.
🔹 How Automatic Role Assignment Works
1️⃣ Correct Role Assignment
📌 Scenario: Mario is a Finance Administrator, so he is assigned the Finance Administrator Role automatically.
• The role grants entitlements like:
✅ Entitlement 1 (e.g., Financial Reports Access)
✅ Entitlement 2 (e.g., Expense Approval System)
✅ Entitlement 3 (e.g., Budget Planning Tools)
Outcome:
• Since Mario’s job title matches the rule, he is automatically provisioned with the correct access for his role.
• No manual approvals are required, making onboarding fast and secure.
2️⃣ Role Removal After Job Change
📌 Scenario: Mario gets promoted to Operations Manager, so his job title no longer matches the Finance Administrator Role assignment rule.
What Happens?
❌ IdentityIQ automatically removes the Finance Administrator Role since his job title no longer qualifies.
❌ All entitlements linked to the role are de-provisioned, preventing unnecessary access.
Why is This Important?
✅ Prevents former employees or transferred employees from keeping old access.
✅ Reduces security risks by ensuring that users only have role-based access.
✅ Eliminates manual work for IT teams by automating access changes.
🔹 Key Benefits of Automatic Role Assignment
✅ Faster Onboarding – New hires get access instantly based on their job title.
✅ Improved Security – Access is removed automatically when job roles change.
✅ Compliance & Audit Readiness – Ensures that only active employees have access.
✅ Reduces Human Error – No need for managers to manually assign or revoke access.
💡 Think of it like a Hotel Key Card System!
• When you check into a hotel as a guest, your key card grants access to your room, gym, and pool.
• If you switch rooms or check out, your old key card stops working automatically!
With IdentityIQ, role-based access works the same way—keeping access aligned with job roles and removing it when no longer needed!
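The two scenarios above, onboarding and the later promotion, as an added example that is not part of the original post and not SailPoint's API: a small Python model of assignment rules in which a rule is an exact match on identity attributes (an assumption), and where an entitlement still granted by another matching role is kept rather than de-provisioned.

```python
from dataclasses import dataclass

# Constructed model of IdentityIQ automatic role assignment (not SailPoint's
# API): a role carries entitlements and an assignment rule that is an exact
# match on identity attributes such as jobTitle or department (assumption).
@dataclass(frozen=True)
class Role:
    name: str
    entitlements: frozenset
    rule: dict

    def matches(self, attrs):
        """True when every attribute named in the rule has the required value."""
        return all(attrs.get(k) == v for k, v in self.rule.items())

ROLES = [
    Role("Finance Administrator Role",
         frozenset({"Financial Reports Access", "Expense Approval System",
                    "Budget Planning Tools"}),
         {"jobTitle": "Finance Administrator"}),
    Role("Operations Manager Role",
         frozenset({"Financial Reports Access", "Operations Dashboard"}),
         {"jobTitle": "Operations Manager"}),
]

def reconcile(attrs, current_roles, roles=ROLES):
    """Evaluate the assignment rules against an identity's attributes and
    return (roles now assigned, entitlements to provision, entitlements to
    de-provision). An entitlement still granted by another matching role is
    kept, so a shared entitlement survives a job change."""
    by_name = {r.name: r for r in roles}
    desired = {r.name for r in roles if r.matches(attrs)}
    have = set().union(*(by_name[n].entitlements for n in current_roles))
    want = set().union(*(by_name[n].entitlements for n in desired))
    return desired, want - have, have - want

if __name__ == "__main__":
    # Day 1: Mario is hired as Finance Administrator with no roles yet.
    roles, add, remove = reconcile({"jobTitle": "Finance Administrator"}, [])
    print("onboarding:", roles, "provision", sorted(add), "remove", sorted(remove))
    # Later: promoted to Operations Manager; the Finance rule no longer matches.
    roles, add, remove = reconcile({"jobTitle": "Operations Manager"}, roles)
    print("promotion:", roles, "provision", sorted(add), "remove", sorted(remove))
```

The promotion run shows the point of reconciling against all rules at once: "Financial Reports Access" is retained because the new role also grants it, while the two Finance-only entitlements are removed.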
Role Modeling Options in IdentityIQ
🔹 What is Role Modeling?
Role modeling is the process of creating, analyzing, and maintaining roles that define user access in an organization. Business analysts, application owners, and security teams collaborate to design these roles using various methods and tools.
🔹 Role Modeling Options
1️⃣ AI-Driven Access Modeling
🚀 Uses Artificial Intelligence (AI) to analyze existing user access patterns and recommend role structures.
✅ Automates role creation based on real access data.
✅ Reduces human effort and increases accuracy.
✅ Helps organizations build optimized roles without manual input.
2️⃣ Entitlement Analysis
🔎 Examines individual user permissions (entitlements) to identify patterns and suggest role structures.
✅ Useful for understanding existing access before defining roles.
✅ Helps detect overlapping or excessive entitlements that need cleanup.
3️⃣ IT Role Mining
💻 Analyzes IT system access (e.g., Active Directory, databases, applications) to create technical roles.
✅ Groups technical access into IT-centric roles for easier management.
✅ Helps standardize IT access across teams and departments.
4️⃣ Business Role Mining
📊 Focuses on identifying access patterns based on job functions, departments, and business needs.
✅ Helps create business-friendly roles that align with organizational structures.
✅ Useful for defining roles based on business requirements rather than IT access alone.
5️⃣ Export to CSV
📂 Allows role mining data to be exported for external analysis.
✅ Business teams can use Excel or other tools to review and refine role structures.
✅ Useful for companies that want to audit and validate roles before implementation.
6️⃣ Paper & Pencil, Spreadsheets
✍️ Some organizations still prefer brainstorming role models using traditional methods.
✅ Allows manual planning and visualization on whiteboards or paper.
✅ Useful for initial discussions before using automated tools.
🔹 Key Takeaways
✅ Automated methods (AI-Driven, IT Role Mining, Business Role Mining) speed up and optimize role creation.
✅ Entitlement analysis helps clean up existing access before defining roles.
✅ Exporting data allows external validation and manual refinement.
✅ Some businesses still prefer traditional brainstorming before implementing roles.
💡 Think of it like designing a city!
• AI-driven modeling is like an automated city planner using data to build roads and infrastructure.
• Role mining helps group people into neighborhoods based on their needs (IT access or business roles).
• Exporting data is like reviewing blueprints before construction begins.
• Paper & pencil is the initial sketch before using professional design software.
By leveraging these role modeling options, organizations can efficiently manage user access while improving security and compliance!
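Business role mining (4️⃣) and entitlement analysis (2️⃣) in miniature, as an added example that is not part of the original post and not IdentityIQ's own mining engine: identities are grouped by department, entitlements held by at least a threshold share of the group form the candidate role, and whatever a member holds beyond that is flagged for cleanup. The sample identities and the 66% threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample identities (not real data): a business attribute and the
# entitlements each person currently holds, as an aggregation would reveal.
IDENTITIES = [
    {"name": "alice", "department": "Finance",
     "entitlements": {"ERP-GL-Read", "ERP-AP-Approve", "Exchange"}},
    {"name": "bob", "department": "Finance",
     "entitlements": {"ERP-GL-Read", "ERP-AP-Approve", "Exchange"}},
    {"name": "carol", "department": "Finance",
     "entitlements": {"ERP-GL-Read", "Exchange", "AD-DomainAdmin"}},
    {"name": "dave", "department": "IT",
     "entitlements": {"AD-DomainAdmin", "Exchange", "VPN"}},
    {"name": "erin", "department": "IT",
     "entitlements": {"AD-ServerOps", "Exchange", "VPN"}},
]

def mine_business_roles(identities, group_by="department", threshold=0.66):
    """Group identities by a business attribute; an entitlement held by at
    least `threshold` of a group's members becomes part of that group's
    candidate role. The threshold is an assumption, not a product default."""
    groups = defaultdict(list)
    for ident in identities:
        groups[ident[group_by]].append(ident)
    candidates = {}
    for value, members in groups.items():
        counts = defaultdict(int)
        for member in members:
            for ent in member["entitlements"]:
                counts[ent] += 1
        candidates[value] = {e for e, c in counts.items()
                             if c / len(members) >= threshold}
    return candidates

def base_role(candidates):
    """Entitlements common to every candidate role: a seed for a company-wide
    'Employee Role' rather than a per-department one."""
    return set.intersection(*candidates.values())

def outliers(identities, candidates, group_by="department"):
    """Entitlement analysis: grants a member holds beyond their group's
    candidate role. These are the excessive or misplaced entitlements to
    review before the role goes into production."""
    result = {}
    for ident in identities:
        extra = ident["entitlements"] - candidates[ident[group_by]]
        if extra:
            result[ident["name"]] = extra
    return result

if __name__ == "__main__":
    cands = mine_business_roles(IDENTITIES)
    for dept, ents in cands.items():
        print(f"candidate role for {dept}: {sorted(ents)}")
    print("base role:", sorted(base_role(cands)))
    print("outliers:", outliers(IDENTITIES, cands))
```

On this sample the Finance candidate role is the two ERP entitlements plus Exchange, Exchange alone is common to every department, and carol's AD-DomainAdmin surfaces as the kind of outlier that should be questioned before a role is published.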
Extending IdentityIQ: How Extended Attributes Enhance Identity Management
IdentityIQ is a highly configurable Identity and Access Management (IAM) system designed for enterprise-level use. However, businesses often have unique and complex identity management needs that require customization beyond its default settings.
🚀 How IdentityIQ is Extended:
✅ Extended Attributes – Custom data fields like department, location, and job title that help define user identity.
✅ Rules & Branding – Custom scripts (rules) and UI branding for a tailored look and feel.
✅ Workflows – Custom workflows to automate business-specific processes.
✅ Quicklinks – Custom shortcuts that trigger workflows for specific tasks.
✅ Custom Connectors – Custom-built integrations for homegrown or specialized applications.
🔹 What Are Extended Attributes?
🔍 Standard Attributes (Default in IdentityIQ)
These attributes are predefined and automatically included for every user:
• User Name
• Manager
• Employee Type
📌 Extended Attributes (Custom Data Fields for Businesses)
Extended attributes add organization-specific details to IdentityIQ objects.
💡 Examples from the Image:
✅ Department – Used to assign roles or policies automatically.
✅ Location – Helps manage access based on geographic rules.
✅ Job Title – Ensures employees get role-based access.
✅ Employee ID – Useful for tracking identity records.
✅ Region – Helps define global policies for multinational companies.
✅ Cost Center – Used for financial approvals and tracking IT costs.
🔹 Why Are Extended Attributes Important?
✅ Enhance Automation – Used for automatic role assignment, provisioning, and compliance checks.
✅ Improve Security – Helps define access rules based on job roles, location, or department.
✅ Support Compliance – Ensures access aligns with regulations like SOX, GDPR, HIPAA.
✅ Better Reporting & Filtering – Search and filter users based on extended attributes.
💡 Example Use Case:
• A finance employee in Tokyo should have different access than an IT employee in New York.
• Extended attributes help enforce this automatically, without manual intervention.
Why Extend IdentityIQ?
By leveraging custom attributes, workflows, and integrations, organizations can:
✅ Automate Identity Management 🔄
✅ Improve Security & Compliance 🔐
✅ Customize IdentityIQ for Business Needs 🏢
💡 Think of Extended Attributes Like Employee Badges!
• A basic badge has just a name and ID (Standard Attributes).
• A customized badge includes department, job title, access level, and region (Extended Attributes).
Extending IdentityIQ with Extended Attributes & Other Customizations
IdentityIQ is highly customizable, allowing organizations to extend its functionality using extended attributes, conditional logic, and automation rules. This helps organizations enhance identity management, compliance, and security processes.
📌 Example (Application PRISM Definition)
• SOX Compliance Checkbox ✅ – Marks applications subject to SOX regulations.
• Sensitive Application Checkbox ✅ – Identifies applications containing sensitive data.
✅ Purpose: Helps organizations categorize applications based on security, compliance, and access requirements.
🔹 Where Can Extended Attributes Be Used?
Extended attributes can be added to six IdentityIQ objects:
1️⃣ Entitlements – Define additional properties for permissions.
2️⃣ Roles – Customize roles with metadata (e.g., role category, owner).
3️⃣ Applications – Store compliance tags like SOX or Sensitive Data.
4️⃣ Accounts – Track user-specific account attributes.
5️⃣ Certifications – Enhance compliance reviews with extra data.
6️⃣ Identity Cubes – Store user-specific details like location, job title, or employee type.
🔹 Extended Attributes in Action
1️⃣ Correlation & Role Assignment
🔹 How Extended Attributes Are Used:
✅ Account Correlation – Uses attributes like Employee ID to match user accounts to IdentityIQ profiles.
✅ Quicklink Populations – Filters users (e.g., only Team Leads can request access for their teams).
✅ Role Assignment Rules – Auto-assigns roles based on job titles (e.g., Tellers get Teller access).
✅ Lifecycle Event Triggers – Detects changes in Department/Job Title and triggers automated workflows (e.g., auto-start a certification).
2️⃣ Task Filtering, Rules & Custom Provisioning
🔹 How Extended Attributes Enable Advanced Logic:
✅ Task Filtering – Ensures batch jobs only process a subset of identities.
✅ Conditional Rules – Requires extra approvals for sensitive applications.
✅ Custom Provisioning – Assigns different access based on employment type (e.g., Employees vs. Contractors).
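Two of the uses listed above, account correlation on Employee ID and a conditional approval rule keyed on the PRISM-style SOX and Sensitive flags, as an added example that is not part of the original post and not IdentityIQ's API. The identities, applications and accounts are constructed; the example also handles the two cases a correlation rule must not get wrong: an account whose key matches no identity (an orphan) and a key shared by more than one identity (ambiguous, so not auto-linked).

```python
# Constructed model (not IdentityIQ's API or data) of two extended-attribute
# uses: account correlation on Employee ID, and conditional approvals driven
# by an application's SOX / Sensitive flags.
IDENTITIES = [
    {"name": "mario", "employeeId": "E1001", "department": "Finance"},
    {"name": "lucia", "employeeId": "E1002", "department": "IT"},
    {"name": "lucia.contractor", "employeeId": "E1002", "department": "IT"},
]
APPLICATIONS = {
    "PRISM": {"sox": True, "sensitive": True},
    "Wiki": {"sox": False, "sensitive": False},
}
ACCOUNTS = [
    {"app": "PRISM", "nativeIdentity": "msmith", "employeeId": "E1001"},
    {"app": "PRISM", "nativeIdentity": "svc_batch", "employeeId": None},
    {"app": "Wiki", "nativeIdentity": "lucia.r", "employeeId": "E1002"},
    {"app": "Wiki", "nativeIdentity": "jdoe", "employeeId": "E9999"},
]

def correlate(identities, accounts):
    """Link each account to the identity whose employeeId matches.
    Returns (links, orphans, ambiguous): an account with no matching identity
    is an orphan to review; a key shared by several identities is ambiguous
    and must not be auto-linked."""
    by_emp = {}
    for ident in identities:
        by_emp.setdefault(ident["employeeId"], []).append(ident["name"])
    links, orphans, ambiguous = [], [], []
    for acct in accounts:
        owners = by_emp.get(acct["employeeId"], [])
        key = (acct["app"], acct["nativeIdentity"])
        if len(owners) == 1:
            links.append(key + (owners[0],))
        elif not owners:
            orphans.append(key)
        else:
            ambiguous.append(key + (tuple(owners),))
    return links, orphans, ambiguous

def approval_chain(app_name, applications=APPLICATIONS):
    """Conditional rule: manager approval always; add the application owner
    for SOX applications and a security reviewer for sensitive ones."""
    app = applications[app_name]
    chain = ["manager"]
    if app["sox"]:
        chain.append("application owner")
    if app["sensitive"]:
        chain.append("security reviewer")
    return chain

if __name__ == "__main__":
    links, orphans, ambiguous = correlate(IDENTITIES, ACCOUNTS)
    print("linked:", links)
    print("orphan accounts to review:", orphans)
    print("ambiguous keys, not linked:", ambiguous)
    for app in APPLICATIONS:
        print(f"approvals for {app}: {approval_chain(app)}")
```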
🔹 Key Benefits of Extended Attributes in IdentityIQ
✅ Enhances Automation – Enables automatic provisioning & de-provisioning based on job changes.
✅ Improves Compliance – Ensures SOX-sensitive applications have proper controls.
✅ Refines Identity Governance – Enables precise filtering & decision-making in policies, certifications, and workflows.
✅ Reduces Manual Effort – Automates identity lifecycle events based on attribute changes.
💡 Think of Extended Attributes Like Smart Filters in an Online Store! 🛒
• Instead of manually sorting items, filters like size, brand, and category help quickly find the right products.
• Extended attributes do the same in IdentityIQ—automating identity & access decisions based on stored metadata.
IdentityIQ Plugins: Extending Functionality with Add-Ons
🔹 What Are IdentityIQ Plugins?
A plugin is a software component that extends the functionality of IdentityIQ. Plugins can be used to add features, improve automation, and enhance system management.
✅ Where Do IdentityIQ Plugins Come From?
• SailPoint Compass – Official plugins from SailPoint.
• SailPoint Partners – Third-party plugins developed by SailPoint-certified partners.
🔹 Examples of IdentityIQ Plugins
1️⃣ SailPoint Support Plugin
📌 Purpose: Helps organizations collect system data for troubleshooting.
✅ Automatically gathers IdentityIQ logs and system data.
✅ Packages everything into a ZIP file for easy upload to SailPoint Support.
✅ Reduces manual effort when diagnosing technical issues.
💡 Think of it like a “Diagnostic Report” for your IdentityIQ system, just like generating a crash report on a computer! 🛠️
2️⃣ SQL Browser Tool
📌 Purpose: Allows administrators to view IdentityIQ database records in a read-only mode.
✅ Helps support teams troubleshoot database-related issues.
✅ Allows for quick data checks without needing full database access.
✅ Ensures data security by preventing unauthorized modifications.
💡 Think of it like a “Read-Only Admin Dashboard” where IT teams can see everything but not modify anything, ensuring safe monitoring of database activity! 🔍
🔹 Why Use IdentityIQ Plugins?
✅ Enhance Functionality – Adds new features without modifying the core IdentityIQ system.
✅ Improve Efficiency – Automates troubleshooting and database queries.
✅ Secure & Controlled Access – Provides limited read-only tools to prevent data corruption.
✅ Easy Installation & Updates – Can be downloaded, installed, and updated without affecting IdentityIQ’s main framework.
By using IdentityIQ plugins, organizations can extend their IAM system’s capabilities while keeping it secure and efficient!
Written by

Abdul Firoz
I am a DevOps engineer from India.