SailPoint IdentityNow - Separation of duties conflicting items-only certification
Fernando de los Ríos Sánchez
Advisory Solutions Consultant @ SailPoint | Technical Sales Cycle Delivery
IdentityNow integration series
Here we go again with policies. This time from a detective point of view. Keep on reading for some advice on how to easily configure more accurate policy violation reviews.
Separation of duties conflicting items-only certification
Description
This ETS (Event Trigger Service) integration creates a certification campaign for the identities in violation of a particular separation of duties (SOD) policy, but only for the conflicting entitlements, access profiles or roles. Out of the box, a policy lets you create a certification for the identities in violation, but you must manually pick which of their access items to include from everything they hold. With this integration the only manual work is turning the policy's SOD query into a scheduled search and setting the workflow up once.
Prerequisites
Pipedream account and an IdentityNow tenant.
Limitations?
As of this writing, policy subscriptions won’t trigger ETS, hence the need to take the query from the policy and turn it into a scheduled search. I’m thinking of creating the campaign directly from active policies on an external schedule but suggestions and ideas are welcome.
Configuration
1. Deploy this workflow on your Pipedream account (choose the default trigger type). Take note of the webhook URL; you will need it to set up your ETS subscription.
Configure the following variables using your tenant information and personal access token:
4. In IdentityNow, configure your new Scheduled Search subscription similar to the one shown here, using the integration URL from step 1 instead. Use whatever name prefix (header) you want your SOD searches to carry; the workflow uses it to tell SOD searches apart from any other scheduled search:
5. You should be good to go. Now schedule the search as often as you want your campaigns to run. You should see new campaigns appear on that schedule, or when you test the schedule.
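To make the description and the configuration steps above concrete, here is an added example of the core step such a workflow performs. It is not the author's Pipedream workflow and not SailPoint code: given an SOD policy definition and the scheduled-search trigger payload, it builds the body of a v3 SEARCH-type certification campaign whose accessConstraints are restricted to the items on both sides of the policy's conflicting access criteria. The policy and event payloads are constructed samples; their exact shapes (the v3 sod-policies response, the scheduled-search event body, the /v3/campaigns request) are assumptions noted in the comments, as are the reviewer ID and tenant URL used in the offline demo.

```javascript
// Added example (not the author's workflow). Builds an IdentityNow v3 SEARCH
// campaign body limited to the conflicting items of one SOD policy.
// Assumption: searchCampaignInfo.accessConstraints accepts entries of the form
// { type, ids, operator: "SELECTED" } with type ENTITLEMENT | ACCESS_PROFILE | ROLE.
const ACCESS_TYPES = new Set(["ENTITLEMENT", "ACCESS_PROFILE", "ROLE"]);

// Constructed sample, assumed shape of a trimmed GET /v3/sod-policies/{id} response.
// "ent-001" appears on both sides on purpose to show deduplication.
const samplePolicy = {
  id: "policy-ap-vendor",
  name: "Accounts Payable vs Vendor Master",
  conflictingAccessCriteria: {
    leftCriteria: { criteriaList: [
      { type: "ENTITLEMENT", id: "ent-001", name: "AP Invoice Approve" },
      { type: "ROLE", id: "role-010", name: "AP Clerk" },
    ] },
    rightCriteria: { criteriaList: [
      { type: "ENTITLEMENT", id: "ent-002", name: "Vendor Master Edit" },
      { type: "ACCESS_PROFILE", id: "ap-100", name: "Vendor Admin" },
      { type: "ENTITLEMENT", id: "ent-001", name: "AP Invoice Approve" },
    ] },
  },
};

// Constructed sample, assumed shape of the ETS "Scheduled Search" trigger body.
const sampleEvent = {
  searchName: "SOD - Accounts Payable vs Vendor Master",
  query: '@access(name:"AP Invoice Approve") AND @access(name:"Vendor Master Edit")',
  searchResults: { Identity: { count: 7, noun: "identities" } },
};

// Collect the IDs on both sides of the policy, deduplicated and grouped by type,
// sorted so the output is stable. Unknown types fail loudly rather than being dropped.
function conflictingAccessConstraints(policy) {
  const criteria = policy.conflictingAccessCriteria || {};
  const idsByType = new Map();
  for (const side of [criteria.leftCriteria, criteria.rightCriteria]) {
    for (const item of (side && side.criteriaList) || []) {
      if (!ACCESS_TYPES.has(item.type)) {
        throw new Error(`unsupported access type in policy ${policy.id}: ${item.type}`);
      }
      if (!idsByType.has(item.type)) idsByType.set(item.type, new Set());
      idsByType.get(item.type).add(item.id);
    }
  }
  return [...idsByType.keys()].sort().map((type) => ({
    type,
    ids: [...idsByType.get(type)].sort(),
    operator: "SELECTED",
  }));
}

// Build the campaign body. Returns null when the search is not one of our SOD
// searches (by the name prefix chosen in step 4) or matched no identities, so the
// workflow creates nothing instead of an empty campaign.
function buildCampaignBody({ policy, event, reviewerId, prefix = "SOD - ", runDate = new Date() }) {
  if (typeof event.searchName !== "string" || !event.searchName.startsWith(prefix)) return null;
  const count = event.searchResults?.Identity?.count ?? 0; // assumed payload field
  if (count === 0) return null;
  const accessConstraints = conflictingAccessConstraints(policy);
  if (accessConstraints.length === 0) {
    throw new Error(`policy ${policy.id} has no conflicting access criteria`);
  }
  const day = runDate.toISOString().slice(0, 10);
  return {
    name: `${event.searchName} (${day})`,
    description: `Violations of SOD policy "${policy.name}": conflicting items only`,
    type: "SEARCH",
    searchCampaignInfo: {
      type: "IDENTITY_CAMPAIGN",
      query: event.query,
      reviewer: { type: "IDENTITY", id: reviewerId },
      accessConstraints,
    },
  };
}

// POST the body. fetchImpl is injected so the example runs offline; in the
// workflow, pass the real fetch and a bearer token obtained with your PAT.
async function createCampaign(fetchImpl, tenantApiBase, accessToken, body) {
  const res = await fetchImpl(`${tenantApiBase}/v3/campaigns`, {
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`campaign creation failed: HTTP ${res.status}`);
  return res.json();
}

// Offline demo with a stub fetch; tenant URL and reviewer ID are placeholders.
if (typeof require !== "undefined" && require.main === module) {
  const stubFetch = async (url, opts) => ({ ok: true, status: 201, json: async () => ({ id: "camp-1", url, sent: JSON.parse(opts.body) }) });
  const body = buildCampaignBody({ policy: samplePolicy, event: sampleEvent, reviewerId: "reviewer-placeholder" });
  createCampaign(stubFetch, "https://example.api.identitynow.com", "token-placeholder", body)
    .then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In the real workflow the policy would be looked up from the search name (for instance by listing /v3/sod-policies and matching on the part after the prefix) and the token obtained with the tenant's client-credentials flow; both are left out here so the block runs without a tenant. The null returns are the guards worth keeping: without them, any unrelated scheduled search hitting the same webhook would spawn a campaign.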