SailPoint IdentityNow - Approval & certification delegation management system


IdentityNow integration series

This is the first article of a series about how to implement common business use cases leveraging IdentityNow's API and Event Trigger Service. The purpose of this series is to help SailPoint partners, customers and prospects alike find ways to implement their business processes within IdentityNow's paradigm, which is very different from IdentityIQ's. This is sometimes challenging for SailPoint IdentityIQ professionals, who often try to apply the same strategies to IdentityNow and end up frustrated. But don't worry: once you get the hang of it you'll discover a lot of possibilities you didn't know were there.

Approval & certification delegation management system

Description

This integration allows users to request a delegate, for a period of time, to whom their approvals and certifications are forwarded. The idea is to leverage IdentityNow's request-on-behalf feature: the user requests a delegation entitlement on behalf of the chosen delegate, for a period of time. This lets the requester select both the recipient of the delegation and its duration. Under the hood, the system assigns the requester an auxiliary account carrying an entitlement that marks the identity as a delegation requester; a scheduled task then forwards that identity's pending approvals and certifications to the delegate for as long as the delegation is valid.

The system uses the IdentityNow Request Center, and delegation data is self-contained within IdentityNow. Externally, two Pipedream workflows support delegation requests and approval forwarding.

Let me introduce you to the components of the system:

  • Delegates source (Delimited Text): stores delegation requests. Each account holds the delegate and expiration date for the requester identity. The source holds a single generic entitlement that can be requested, although accounts are assigned the delegate name instead, never the generic entitlement.
  • Current delegate transform: calculates the current delegate name from the Delegates source into the delegate identity attribute. The transform takes the account's expiration date and compares it to the current date: if the expiration date is later, it returns the name of the current delegate; otherwise it returns nothing. This dynamically disables a delegate when the delegation expires, without any change to the source itself.
  • Approval delegation management system subscription (idn:access-request-post-approval): ETS subscription that picks up delegation requests and invokes the Pipedream Set approval delegate workflow.
  • Pipedream Set approval delegate workflow: picks up delegation requests and updates the requester's Delegates source account with the delegate and expiration date. Additionally, it completes the manual task created by the delimited text source request to close the whole process, although the work item is not always there (poltergeist or race condition, who knows).
  • Pipedream Process approval delegations workflow: scheduled Pipedream workflow that forwards all pending approvals of identities that have a delegate identity attribute.

The system has two main blocks:

  • Delegation request: the user requests the delegate entitlement from the Delegates source, wrapped in an access profile, on behalf of the delegate for the desired period (defaults to 7 days if no sunset date is selected). ETS kicks in and calls the Pipedream workflow, which updates the Delegates source accordingly.

  • Delegation processing: a scheduled job picks up all pending approvals of identities with a delegate and forwards them to the assigned delegate.

Note there's no need to remove the delegation at all: the transform returns nothing once the delegation expires.
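To make the two blocks concrete, here is an added example (not the article's or Pipedream's code) that emulates, offline, what the Current delegate transform computes and what the scheduled Process approval delegations job decides. The identity names, ids, approval ids and Delegates accounts below are constructed; the transform emulation follows the firstValid/dateCompare semantics described above, and the skip of self-delegation is this example's own design choice, since the article presents selecting yourself as the way to neutralise a delegation.

```javascript
// Added example (not the article's code): emulates the "Current delegate" transform
// and the planning step of the scheduled "Process approval delegations" workflow.
// All names, ids and sample records below are constructed for illustration.

// Fallback used by the transform's firstValid when the account has no expirationDate.
const FALLBACK_EXPIRATION = "2022-01-01T00:00:00.000Z";

// Transform semantics: firstValid(expirationDate, fallback) compared to "now" with "gt".
// Returns the delegate name while the delegation is valid, "" otherwise (negativeCondition).
function currentDelegate(delegatesAccount, now = new Date()) {
  if (!delegatesAccount) return "";                    // identity has no Delegates account
  const expiration = delegatesAccount.expirationDate || FALLBACK_EXPIRATION;
  const expiresAt = Date.parse(expiration);
  if (Number.isNaN(expiresAt)) return "";              // malformed date: treated as expired (assumption)
  return expiresAt > now.getTime() ? (delegatesAccount.delegate || "") : "";
}

// Builds the forwarding plan the scheduled job would execute: every pending approval whose
// owner has a valid delegate is forwarded to the delegate's identity id. Identities whose
// delegation expired, who have no account, or who delegated to themselves produce no forward.
function planForwarding(identities, delegatesAccounts, pendingApprovals, now = new Date()) {
  const idByName = new Map(identities.map(i => [i.name, i.id]));
  const delegateOf = new Map();                        // owner identity id -> delegate identity id
  for (const identity of identities) {
    const delegate = currentDelegate(delegatesAccounts[identity.name], now);
    if (delegate && delegate !== identity.name && idByName.has(delegate)) {
      delegateOf.set(identity.id, idByName.get(delegate));
    }
  }
  return pendingApprovals
    .filter(a => delegateOf.has(a.ownerId))
    .map(a => ({
      approvalId: a.id,
      newOwnerId: delegateOf.get(a.ownerId),
      comment: "Forwarded by approval delegation",
    }));
}

// Constructed sample data: a fixed "now" keeps the result deterministic.
const NOW = new Date("2024-03-01T12:00:00.000Z");
const identities = [
  { id: "id-alice", name: "alice" },
  { id: "id-bob", name: "bob" },
  { id: "id-carol", name: "carol" },
  { id: "id-erin", name: "erin" },
];
const delegatesAccounts = {
  alice: { delegate: "bob", expirationDate: "2024-03-08T00:00:00.000Z" },   // active delegation
  carol: { delegate: "bob", expirationDate: "2024-02-01T00:00:00.000Z" },   // expired delegation
  erin:  { delegate: "erin", expirationDate: "2024-03-08T00:00:00.000Z" },  // self-delegation
  // bob has no Delegates account at all
};
const pendingApprovals = [
  { id: "apr-1", ownerId: "id-alice" },
  { id: "apr-2", ownerId: "id-carol" },
  { id: "apr-3", ownerId: "id-erin" },
  { id: "apr-4", ownerId: "id-bob" },
];

// Only apr-1 (alice -> bob) is forwarded.
console.log(planForwarding(identities, delegatesAccounts, pendingApprovals, NOW));
```

In the real deployment the delegate attribute already exists on the identity, so the scheduled workflow would read it from IdentityNow instead of re-running the transform; computing it here only makes the example self-contained.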

Prerequisites

Pipedream account and an IdentityNow tenant.

Limitations?

There's no easy way to remove a delegation other than selecting an earlier delegation date or selecting yourself as your own delegate.

Configuration

1. Create the Delegates Delimited Text source as follows:


2. Import delegate.csv as an entitlement into the source (below).

id,name,displayName,created,description,modified,entitlements,groups,permission
delegate,delegate,Delegate,,Request on behalf of the delegate for as long as you want your approvals to be delegated,,,,

3. Create the corresponding access profile and application for the previous entitlement. Choose a dedicated owner for the access profile so you can properly filter requests later on:


4. Create this transform:

{
    "name": "Current delegate",
    "type": "dateCompare",
    "attributes": {
        "firstDate": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "accountAttribute",
                        "attributes": {
                            "sourceName": "Delegates",
                            "attributeName": "expirationDate"
                        }
                    },
                    "2022-01-01T00:00:00.000Z"
                ]
            }
        },
        "secondDate": {
            "type": "dateMath",
            "attributes": {
                "expression": "now",
                "roundUp": true,
                "input": {}
            }
        },
        "operator": "gt",
        "positiveCondition": {
            "type": "accountAttribute",
            "attributes": {
                "sourceName": "Delegates",
                "attributeName": "delegate"
            }
        },
        "negativeCondition": "",
        "requiresPeriodicRefresh": true
    },
    "internal": false
}

5. Extend the identity schema with a delegate attribute and map it to the previous transform:


6. Create an Access Request Decision subscription pointing to the Pipedream Set approval delegate workflow. You cannot finish the configuration until you deploy the workflow later on. For now, set this filter (change it if you named your access profile differently): $.requestedItemsStatus[?(@.name == 'Delegate')]

7. Configure the following variables using your tenant information and personal access token:


8. Deploy Pipedream Set approval delegate workflow.

9. You need to adapt the following variables to match your needs:

  • steps.input["SourceId"]: Delegates source ID. You can figure it out on your own.
  • steps.input["OwnerId"]: Delegates source owner ID. Likewise.
  • steps.input["DefaultRemoveDays"]: default expiration number of days for requests without sunset date.
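The following added example (not the article's Pipedream workflow) shows the core logic the Set approval delegate workflow has to implement between steps 6 and 9: apply the same check as the ETS filter, take the requester (requestedBy) as the account holder and the identity requested on behalf of (requestedFor) as the delegate, and derive the expiration date from the sunset date or from DefaultRemoveDays. The event below is constructed; the requestedBy/requestedFor/requestedItemsStatus layout, the approvalInfo[].approvalDecision value and the removeDate field on the requested item are assumptions about the trigger payload and should be checked against your tenant's event.

```javascript
// Added example (not the article's code): turns an idn:access-request-post-approval event
// into the Delegates source account record for the requester. Field names on the event
// (requestedBy, requestedFor, requestedItemsStatus, approvalInfo, removeDate) are assumptions;
// the sample event is constructed.

const DEFAULT_REMOVE_DAYS = 7;          // the article's steps.input["DefaultRemoveDays"]
const DELEGATE_ITEM_NAME = "Delegate";  // name of the access profile from step 3

// Same condition as the subscription filter $.requestedItemsStatus[?(@.name == 'Delegate')]
function matchesDelegateFilter(event, itemName = DELEGATE_ITEM_NAME) {
  return Array.isArray(event.requestedItemsStatus)
    && event.requestedItemsStatus.some(item => item && item.name === itemName);
}

// Returns the account record to write into the Delegates source, or null when the event
// is not a delegation request or the request was not approved by every approver.
function buildDelegationRecord(event, { defaultRemoveDays = DEFAULT_REMOVE_DAYS, now = new Date() } = {}) {
  if (!matchesDelegateFilter(event)) return null;
  const item = event.requestedItemsStatus.find(i => i.name === DELEGATE_ITEM_NAME);
  const approvals = item.approvalInfo || [];
  // Assumption: each approvalInfo entry carries approvalDecision; a rejected item creates nothing.
  if (!approvals.every(a => a.approvalDecision === "APPROVED")) return null;

  // Assumption: the sunset date of the request is exposed as removeDate on the item.
  // Without a sunset date, fall back to now + DefaultRemoveDays (the article's 7-day default).
  let expirationDate = item.removeDate;
  if (!expirationDate) {
    expirationDate = new Date(now.getTime() + defaultRemoveDays * 24 * 60 * 60 * 1000).toISOString();
  }
  return {
    accountId: event.requestedBy.name,   // requester gets the auxiliary account
    delegate: event.requestedFor.name,   // identity the request was made on behalf of
    expirationDate,                      // attribute read by the Current delegate transform
    accessRequestId: event.accessRequestId,
  };
}

// Constructed sample event: alice requests "Delegate" on behalf of bob, no sunset date.
const sampleEvent = {
  accessRequestId: "req-0001",
  requestedBy: { type: "IDENTITY", id: "id-alice", name: "alice" },
  requestedFor: { type: "IDENTITY", id: "id-bob", name: "bob" },
  requestedItemsStatus: [{
    id: "ap-delegate", name: "Delegate", type: "ACCESS_PROFILE", operation: "Add",
    approvalInfo: [{ approvalDecision: "APPROVED", approverName: "manager" }],
  }],
};

console.log(buildDelegationRecord(sampleEvent, { now: new Date("2024-03-01T00:00:00.000Z") }));
```

Writing the record back to the Delegates source and closing the manual work item are tenant API calls with your own source and owner IDs, which is why the example stops at producing the record.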

10. Go back to the subscription from step 6 and fill out the integration URL with the workflow trigger URL:


11. Deploy Pipedream Process approval delegations workflow.

12. You need to adapt the following variables to match your needs:

  • steps.input["SourceId"]: Delegates source ID.

You should be good to go. Try creating a new delegation request, have some pending approvals and trigger the Process approval delegations workflow to see those approvals delegated for you.

Demonstration
