
IIQ70 - 04 FII Exercises

This document provides a comprehensive training guide for implementing Lifecycle Manager (LCM) and provisioning in SailPoint IdentityIQ Version 7.0. It includes exercises on enabling LCM, creating and managing identities, account management, and configuring group provisioning. The guide emphasizes the integration of workflows and lifecycle events in managing user access and identity provisioning processes.

Section Four: LCM, Workflow and Provisioning

Fundamentals of IdentityIQ Implementation


Training for SailPoint IdentityIQ Version 7.0

11305 Four Points Drive


Bldg 2, Suite 100
Austin, TX 78726
www.sailpoint.com

Copyright © 2016 SailPoint Technologies – All Rights Reserved – VERSION 7.0a1


Contents

Section Four: LCM, Workflow and Provisioning
Fundamentals of IdentityIQ Implementation
Section 4: LCM, Workflow and Provisioning
Exercise #1: Enabling Lifecycle Manager
    Objective:
    Overview:
    Installation of Lifecycle Manager
Exercise #2: Create and Manage Identities in IdentityIQ
    Objective:
    Overview:
    Create an Identity using LCM
    Define a Provisioning Policy for Creating Identities
Exercise #3: Account Management with Lifecycle Manager
    Objective
    Overview
    Configure a Quicklink Population and Applications to Support Account Requests
    Test the Configuration: Request a New LDAP Account
    Use and Investigate a JDBC Provisioning Rule: Request a New PRISM Account
    Request a PRISM Role for a User Who has a PRISM Account
    Request Role for a User Without a PRISM Account
    Enable/Disable and Delete PRISM Accounts
    Unlock Account
Exercise #4: Configure Group Provisioning and Create New Group in LDAP
    Objective
    Overview
    Configure Group Provisioning Feature of IdentityIQ
    Verify the Existing LDAP Groups
    Provision a New Group in LDAP called VPN
Exercise #5: Provision VPN Access Using Lifecycle Manager
    Objective:
    Overview:
    Enable Business Process (Workflow) Tracing
    Login as a Manager and Request VPN Access for Employees
    Confirm VPN Entitlement Assignment and Complete the Access Request
    Disable Business Process (Workflow) Tracing
Exercise #6: Use Lifecycle Manager to Create a Lifecycle Event
    Objective:
    Overview:
    Design the Business Process
    Configure a new Business Process for use with our Lifecycle Event
    Configure Lifecycle Event and Test
    Extension Exercise (Optional)

Section 4: LCM, Workflow and Provisioning


In this section, we will explore using the Lifecycle Manager functionality and how it relates to
workflow and provisioning.

Using Lifecycle Manager, users can make requests via IdentityIQ. These requests can include the
following:

• Requesting new access (entitlements and roles)
• Creating, managing (enable/disable/unlock) and deleting accounts
• Creating and editing identities

These requests are initiated by a user clicking the appropriate Quicklink. Who has access to the
Quicklinks is controlled by Quicklink Populations. We can create our own populations of users or
use the default populations. The default Quicklink Populations used to determine who can make
different types of requests are:

• The user themselves (designated as Self Service)
• Manager (make requests for direct reports)
• Help Desk (users with help desk capability who can request items for populations)
• Everyone (control what can be done by all users not fitting into the above categories)

Often, as the result of these requests, we must provision the appropriate accounts and entitlements
to the target systems.

We will also explore the capabilities for Lifecycle Manager to react to changes in the identities and
take appropriate actions depending on what changes were detected. Collectively these are called
Lifecycle events:

• Cube creation (Joiner)
• Change in the inactive attribute (Leaver)
• Attribute change or change in manager (Mover)
• Custom detected change (Rule Based)

An integral part of Lifecycle Manager and Provisioning is our workflow engine. Workflows within
IdentityIQ are called Business Processes. All Lifecycle Manager provisioning requests and Lifecycle
Events initiate a workflow. In this section we will create a custom workflow.

Note that provisioning requests can occur for reasons other than Lifecycle Manager requests:

• Revocation of access during a certification access review
• Remediation of an SOD policy violation (role or entitlement)
• Assignment of a role that requires IT access

Exercise #1: Enabling Lifecycle Manager


Objective:
In this exercise, we will enable Lifecycle Manager functionality.

Overview:
Lifecycle Manager is installable as a separate component of IdentityIQ. In order to install and set up
Lifecycle Manager, you must stop your application server, install Lifecycle Manager and restart your
application server.

Installation of Lifecycle Manager


1. Stop the Tomcat server using the Stop Tomcat shortcut

2. Launch the IIQ console using the IIQ Console shortcut


3. Install Lifecycle Manager by typing the following into the IIQ console:
> import init-lcm.xml
a. Notice the types of objects being imported into IdentityIQ
b. List two that you are familiar with:

____________________________________________ ____________________________________________
c. Quit the console
4. In a command window, navigate to the
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/bin directory and run the
following command:

./iiq patch 7.0p1

Note: If you receive the error Servicer Interrupted, you can safely ignore it.
5. Start the Tomcat server using the Start Tomcat shortcut
6. Log in to IdentityIQ as spadmin/admin and confirm that Lifecycle Manager is installed: On
your home page, look for the quick links Manage User Access and Track My Requests:


Exercise #2: Create and Manage Identities in IdentityIQ


Objective:
Learn how to manage creating Identities and editing them using IdentityIQ, both with and without
Identity Provisioning Policies.

Note: You will also use the identities created in this exercise for testing access requests in following
exercises.

Overview:
You will often need to create Identities in IdentityIQ. One way to create them is by using Lifecycle
Manager (LCM). LCM allows you to create and edit Identities and manage the creation and updating
of the Identities using workflows to control the creation and editing processes. You can also define
provisioning policies, which can help define the choices that are made when creating Identities in
the system. In this exercise we will create identities two ways:

• Using the out of the box configuration
• Using a provisioning policy (created by you) to help drive user’s choices when creating a
  new identity.

Create an Identity using LCM


1. Log out and log in as Catherine.Simmons/xyzzy.

2. In the upper left corner, click the list icon to navigate to the quick link menu. Expand
Manage Identity and click Create Identity

3. Create the Identity as shown here. Use xyzzy for the password.

Note that this is a default provisioning form that ships with IdentityIQ. As you enter the
data, think about modifications that would make entering data less error prone and easier.

4. Verify that the Identity Name and the Display Name were entered with the correct format:
First.Last
5. Click Submit to submit the new Identity request.


6. We will be presented with the confirmation screen, but since we are the manager as well, no
approval is generated. Confirm the changes and click Submit again.

7. From the Home page, select Track My Requests and check the status of the Create Identity
request operation.

a. List the execution status: ___________________________________________________________________


By default, the newly created cube is a non-authoritative cube.

b. Open the Access Request. List the additional Item added automatically to the
identity cube:
_________________________________________________________________________________________________

This attribute specifies the length of time that this cube will be ignored by the Prune
Identity Cubes task. Remember, the purpose of the Prune Identity Cubes task is to
delete non-authoritative Identity Cubes that house no accounts. As long as the new
identity obtains access (the Identity Cube has correlated accounts) by this date, it
won’t be pruned; if access is not obtained by this date, it will be pruned. This value
can be set in the LCM configuration.

8. Log out and log in as spadmin/admin

9. Navigate to the identity: Fred.Smith and confirm that the user was created correctly in
IdentityIQ.

10. As you probably could see, this was a tedious (and potentially error-prone) approach to
entering an identity. In the next section, we will create a provisioning policy that will allow
us to make creating an identity easier and provide nice features like allowed value
dropdown selections, and data validation.

Define a Provisioning Policy for Creating Identities


1. Navigate to the gear icon → Global Settings → Import from File and load the following files:

/home/spadmin/ImplementerTraining/config/Rule-AllowedValues-Location.xml

/home/spadmin/ImplementerTraining/config/Rule-AllowedValues-Region.xml

/home/spadmin/ImplementerTraining/config/Rule-Validation-EmailAddress.xml

These rules will be used for our Provisioning Policies. The first two generate lists of allowed
values we can use to populate drop-down lists. The last rule is used to validate that email
addresses are correctly formatted.

2. Navigate to the gear icon → Lifecycle Manager → Identity Provisioning Policies and next to
Create Identity, select Add Policy

3. Configure the provisioning policy as shown:

a. Name: Identity Create Policy

b. Select Add Field

i. Attribute: region

ii. Display Name: Region

iii. Required: checked

iv. Scroll down to the Value Properties box.

v. Allowed Values: Rule

1. Rule: AllowedValues-Region

vi. For the field, select Save


c. Using the same method as previously shown, add the following fields:

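Attribute       | Display Name          | Help Text  | Required | Value Properties
----------------+-----------------------+------------+----------+--------------------------------------------
location        | Location              |            | checked  | Allowed Values Rule: AllowedValues-Location
name            | Username              | First.Last | checked  |
password        | Password              |            | checked  |
passwordConfirm | Password Confirmation |            | checked  |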

d. Perform an interim save of the Identity Create Policy

i. At the bottom right of the Provisioning Policy Editor, click Save

ii. Click Save to save the Identity Provisioning Policies. At the top of the screen,
you will see the message “Your changes have been saved successfully”.

Note: The Create Identity policy requires certain fields (i.e. name and password) to
be defined before a save is allowed.

e. Navigate to the Quicklink side bar and click Manage Identity → Create
Identity to view an identity creation form that reflects the interim version of your
policy

f. Navigate back to Lifecycle Manager → Identity Provisioning Policies

g. Select Identity Create Policy

h. Add the remaining fields to the provisioning policy:

Attribute   | Display Name | Type    | Required | Value Properties
------------+--------------+---------+----------+---------------------------------------------------------------------------------
firstname   | First Name   |         | checked  |
lastname    | Last Name    |         | checked  |
email       | Email        |         | checked  | Value: Enter valid email address; Validation Rule: Validation - Email Field
manager     | Manager      |         | checked  |
displayName | Display Name |         | checked  |
inactive    | Inactive     | Boolean | checked  | Value: False
empId       | Employee ID  |         | checked  |
status      | Status       |         | checked  | Value: Contractor; Allowed Values Value: Add Contractor and Employee to the list

Note: To fully save your Provisioning Policy, you will perform three consecutive saves:
at the field level, policy level, and configuration level.

i. Confirm that the entire Provisioning Policy looks like this:


j. Select Save to save the Identity Provisioning Policy

4. Select Save to save the provisioning configuration:

5. Log out and log in as Catherine.Simmons/xyzzy

6. On the quick link sidebar, navigate to Manage Identity → Create Identity and observe the
new Create New Identity page:

7. Without entering any data at all, click Submit and observe that our email validation rule
and required fields will warn the user about any data entry issues:


8. Fill in the information as shown. Use xyzzy for the password.

9. Click Submit to submit the new Identity request.


10. When you see the confirmation page, review and Submit the request.


11. Log out and log in as spadmin/admin and confirm that Bob.Smith has an Identity Cube.
Note that this Identity Cube has no entitlements or accounts. Currently it is just a shell cube.

12. Note that you can further customize the creation of new Identities by the following
techniques:
a. Additional logic in your provisioning policies
i. Data validation - Detecting duplicate usernames or email addresses
ii. Precalculation of an EmployeeId number
b. Customizing the out-of-the-box workflow LCM Create and Update that is
responsible for all create and edit operations that occur on Identities when using
LCM


Exercise #3: Account Management with Lifecycle Manager


Objective
The objective of this section is to manage account access using Lifecycle Manager.

Overview
We will explore the following Account functions in this exercise:

• Creating a new account (without associated entitlements)
• Requesting a role
• Requesting a role that will cause a new account request to occur
• Enabling and Disabling accounts
• Unlocking Accounts

Configure a Quicklink Population and Applications to Support Account Requests


1. Configure the Manager Quicklink population to allow account only requests.

a. Navigate to the gear icon → Global Settings → Quicklink Populations and open the Manager
population

b. Click the Quicklinks tab and next to Manage Accounts, click Config…

c. Turn on Allow requesting new accounts as shown here and Save the Manage
Accounts Options

d. Save the Quicklink Population

2. Configure the applications that allow account only requests.

a. Navigate to the gear icon → Lifecycle Manager

b. Scroll down to the Manage Accounts Options and in the drop down selection box that
says: Applications that support account only requests add LDAP and PRISM to the
list:

c. Click Save


Test the Configuration: Request a New LDAP Account


1. If necessary, start LDAP. From a terminal window enter StartLDAP.

2. Log in as Catherine.Simmons/xyzzy.

3. On the upper left, click the list icon to open the Quicklink sidebar. Navigate to Manage
Access → Manage Accounts → For Others. You will be presented with a list that includes
all the users who report to Catherine.

Note: This is because out of the box, managers can only request items for their reports. This
is fully configurable through LCM.

4. Select Fred.Smith.

5. If your configuration was completed successfully, under Request New Account, you will see
the two applications for which account only requests are allowed.

6. Request a new LDAP account for Fred.Smith and Submit the request.

7. After you submit the request, look at the top of the screen.

a. What warning is displayed? Why?

_____________________________________________________________________________________________

_____________________________________________________________________________________________


8. Check the status of the Access Request under Track My Requests.

a. Determine who is the approver

9. Log out and log back in as spadmin/admin and Approve the account request for Fred.

10. Click Complete.

11. Use the desktop shortcut to launch the LDAP Browser

a. Only double-click it once… it will take a few seconds to start.

b. In the Connections window, select Training and click Open Connection


12. Check the LDAP repository and confirm that Fred.Smith has an account in the LDAP server.
Expand dc=training…ou=people[1…100], scroll until you find Fred.Smith

13. Click Fred’s account to display details. Notice that 5 values, DN, objectClass, cn, sn, and
userPassword were required to create the account.

14. Compare the LDAP entry with the LDAP Provisioning Policy.

a. Navigate to Applications → Application Definition → LDAP → Configuration →
Provisioning Policies and open the account creation provisioning policy

b. How many fields are defined in the provisioning policy? ________________________________

c. Click CN and in the Edit Provisioning Policy Fields window, scroll down to the
Value Properties pane. How is the value for CN being set? (Circle one)

Value        Rule        Script        Dependent

d. We are using a small amount of BeanShell to provide the name of the identity as the
value for CN. If you’re interested, view how the other fields are set

e. Close the Provisioning Policy

Use and Investigate a JDBC Provisioning Rule: Request a New PRISM Account
To provision with the JDBC connector, the implementer must provide a provisioning rule. In this
section, we will be relying on the rule PRISM - Provision to provision this access to the JDBC
resource.

Our new employee Fred.Smith needs an account on the PRISM application. In this exercise, we will
request a PRISM account for him.

1. Log in as spadmin/admin and investigate the PRISM application provisioning rule.


a. Navigate to the PRISM application, select Rules, and view the JDBC Provision Rule:
PRISM - Provision

b. Scroll through the rule and list three (of five) provisioning operations handled by
this rule (the first provisioning operation is circled above):

_______________________________ _______________________________ ________________________________


2. Log in as Catherine.Simmons/xyzzy

3. Open the Quicklink sidebar. Navigate to Manage Access → Manage Accounts → For
Others.

4. Request a new PRISM account for Fred.Smith and Submit the request, which will send it to
the PRISM Application Owners workgroup (of which Walter.Henderson is a member).

Remember, there are two submits -- the first to make the request, the second to confirm
the request.

5. Log in as the approver, Walter.Henderson/xyzzy and approve the changes for the account
request on PRISM. At this time, the provisioning request for a new PRISM account is sent to
the PRISM - Provision Rule. This Rule includes some print statements that inform the user
of the request that is passed in and the final result. In this case, the following information is
printed to the Standard Out log:

****************************************
Entering Provisioning Rule for PRISM
Current Time = Fri Feb 26 11:54:08 CST 2016
****************************************
***
The Provisioning Plan being passed in =
***
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="Fred.Smith" targetIntegration="PRISM">
  <AccountRequest application="PRISM" nativeIdentity="Fred.Smith" op="Create">
    <AttributeRequest name="first" op="Add" value="Fred"/>
    <AttributeRequest name="last" op="Add" value="Smith"/>
    <AttributeRequest name="status" op="Add" value="A"/>
    <AttributeRequest name="locked" op="Add" value="N"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0000000018"/>
      <entry key="requester" value="Catherine.Simmons"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="ff8080813ade1e61013ae1068df1042d" name="Catherine.Simmons"/>
  </Requesters>
</ProvisioningPlan>

****************************************
Account Request Operation = Create
Preparing to execute:
org.apache.commons.dbcp.DelegatingPreparedStatement@1a30be6
****************************************
****************************************
Exiting Provisioning Rule for PRISM.
Result=
<ProvisioningResult status="committed"/>

****************************************

a. In the provisioning plan above, circle the operation being requested (hint: look for
op=).

b. From where did IdentityIQ obtain the values for the AttributeRequest entries?
(circle one)

User entered        PRISM Identity Policy        PRISM Provisioning Policy

6. From a terminal window, log in to MySQL and confirm that the account is there.

[spadmin@training ~]$ mysql -u root -p
Enter password: root
mysql> use prism
mysql> select * from users where login = 'Fred.Smith';
+------------+-------------+-------+-------+--------+--------+--------+-----------+
| login      | description | first | last  | groups | status | locked | lastLogin |
+------------+-------------+-------+-------+--------+--------+--------+-----------+
| Fred.Smith | NULL        | Fred  | Smith |        | A      | N      | NULL      |
+------------+-------------+-------+-------+--------+--------+--------+-----------+
1 row in set (0.00 sec)

7. The default values that are created in the PRISM application are determined by the
Provisioning Policy attached to the PRISM application. Notice that the groups attribute is
empty. If desired, our default provisioning policy could be changed to grant basic User
access by provisioning the attribute groups to include User by default.

8. If you are interested in more on the Provisioning Policy and PRISM provisioning rule, log in
as spadmin/admin and look at the PRISM application. Investigate both the Provisioning
Policy and the PRISM - Provision rule. The provisioning policies provide the values to the
plan, and the rule executes what is specified in the plan. Understanding this basic behavior
of our provisioning capabilities is very important for understanding how the process works.
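
The division of labour described in step 8 (the policy supplies the values, the rule executes what the plan specifies), as an added Python sketch; it is not the PRISM - Provision rule or any SailPoint code. Assumptions: SQLite stands in for the MySQL prism database, only the Create and Modify operations are handled, groups is stored as a comma-separated list, and "failed" is the status returned on any error.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample: the Create plan from the exercise log (DOCTYPE and
# requester metadata omitted).
CREATE_PLAN = b"""<ProvisioningPlan nativeIdentity="Fred.Smith" targetIntegration="PRISM">
  <AccountRequest application="PRISM" nativeIdentity="Fred.Smith" op="Create">
    <AttributeRequest name="first" op="Add" value="Fred"/>
    <AttributeRequest name="last" op="Add" value="Smith"/>
    <AttributeRequest name="status" op="Add" value="A"/>
    <AttributeRequest name="locked" op="Add" value="N"/>
  </AccountRequest>
</ProvisioningPlan>"""

# Constructed sample: the entitlement added by a PRISM User role request.
MODIFY_PLAN = b"""<ProvisioningPlan nativeIdentity="Fred.Smith" targetIntegration="PRISM">
  <AccountRequest application="PRISM" nativeIdentity="Fred.Smith" op="Modify">
    <AttributeRequest name="groups" op="Add" value="User"/>
  </AccountRequest>
</ProvisioningPlan>"""

# Column names cannot be bound as SQL parameters, so attribute names from the
# plan are checked against the columns of the users table shown in the exercise.
WRITABLE_COLUMNS = {"description", "first", "last", "groups", "status", "locked"}


def make_db():
    """In-memory stand-in for the prism.users table (SQLite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE users (login TEXT PRIMARY KEY, description TEXT, first TEXT,'
        ' last TEXT, "groups" TEXT NOT NULL DEFAULT \'\', status TEXT,'
        ' locked TEXT, lastLogin TEXT)'
    )
    return conn


def _create(conn, login, attrs):
    # Values are always bound as parameters; only vetted column names are formatted in.
    cols = ["login"] + [name for name, _, _ in attrs]
    sql = "INSERT INTO users (%s) VALUES (%s)" % (
        ", ".join('"%s"' % c for c in cols), ", ".join("?" for _ in cols))
    conn.execute(sql, [login] + [value for _, _, value in attrs])


def _modify(conn, login, attrs):
    for name, op, value in attrs:
        if name == "groups":
            # Assumption: groups is a comma-separated list, so Add/Remove edit it.
            row = conn.execute('SELECT "groups" FROM users WHERE login = ?',
                               (login,)).fetchone()
            if row is None:
                raise ValueError("no such account: %s" % login)
            current = [g for g in row[0].split(",") if g]
            if op == "Add" and value not in current:
                current.append(value)
            elif op == "Remove" and value in current:
                current.remove(value)
            value = ",".join(current)
        cur = conn.execute('UPDATE users SET "%s" = ? WHERE login = ?' % name,
                           (value, login))
        if cur.rowcount == 0:
            raise ValueError("no such account: %s" % login)


HANDLERS = {"Create": _create, "Modify": _modify}


def execute_plan(conn, plan_xml):
    """Apply every PRISM AccountRequest in the plan; return a result status."""
    root = ET.fromstring(plan_xml)
    try:
        for acct in root.findall("AccountRequest"):
            if acct.get("application") != "PRISM":
                continue
            attrs = [(a.get("name"), a.get("op"), a.get("value"))
                     for a in acct.findall("AttributeRequest")]
            unknown = [n for n, _, _ in attrs if n not in WRITABLE_COLUMNS]
            if unknown:
                raise ValueError("attribute not mapped to a column: %s" % unknown)
            handler = HANDLERS.get(acct.get("op"))
            if handler is None:
                raise ValueError("operation not handled: %s" % acct.get("op"))
            handler(conn, acct.get("nativeIdentity"), attrs)
        conn.commit()
        return "committed"
    except (ValueError, sqlite3.Error):
        conn.rollback()  # leave the target unchanged if any request fails
        return "failed"


def account_row(conn, login):
    """Return (login, first, last, groups, status, locked) or None."""
    return conn.execute(
        'SELECT login, first, last, "groups", status, locked FROM users'
        ' WHERE login = ?', (login,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(execute_plan(db, CREATE_PLAN), account_row(db, "Fred.Smith"))
    print(execute_plan(db, MODIFY_PLAN), account_row(db, "Fred.Smith"))
```
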


Request a PRISM Role for a User Who has a PRISM Account


1. Log in as Catherine.Simmons/xyzzy and, on the Home page, click Manage User Access.

2. In Select Users, click the check-oval to select Fred.Smith, and at the top, click Manage
Access.

3. Search for the PRISM User role.

4. View the details for the PRISM User role: on the right, click Details.

a. Notice that Entitlement Details lists the IT roles assigned (PRISM User-IT) as a
result of this business role.

b. What is the entitlement attribute and value for the PRISM User-IT role?

_________________________________________________________________________________________________

5. Select the PRISM User role and at the top, click Review, and then Submit.

6. Once you submit the request, look at the Access Request.

a. Enter the Application for the request: _____________________________________________________

b. This is because with business roles, provisioning is performed to IdentityIQ. Notice
also that the approver is The Administrator.

7. Log out and log back in as spadmin/admin and approve the role request for Fred.Smith

8. Click Complete.

Understanding what happens:


When a role is requested, IdentityIQ will follow the path we discussed in the Provisioning section of
the training presentation. The flow is:
a. Add the requested business role to the Identity Cube.
b. Determine from the business role being requested what IT roles are required by this
role. In this case PRISM User – IT.
c. From the IT role, determine what entitlements are needed. In this case groups = User
within the PRISM application
d. Does the user have an application account for the application? If yes, we provision the
entitlement to grant the user the appropriate access that was requested. If no, we would
expand the request to also request an account to be created on the PRISM application
(more on this in a few pages.)
e. The request is handed to the PRISM - Provision rule to handle the request.

In our case, Fred.Smith already has an account, so we will just be adding the entitlement
(groups = User) to his account on PRISM.

9. Once the role request has been approved, we can check the Access Request and see that the
role request was expanded into the actual entitlement.
a. On the Home page, click Track My Requests, open your new request, and click the
View Complete Details link.
b. Notice that the request includes the Requested role, which will be provisioned to
IdentityIQ, and the Expansion, which will be provisioned to PRISM.


10. In your terminal window, look at the database to see the changes to Fred’s account,
specifically that User has been added to the groups attribute:

mysql> select * from users where login = 'Fred.Smith';
+------------+-------------+-------+-------+--------+--------+--------+-----------+
| login      | description | first | last  | groups | status | locked | lastLogin |
+------------+-------------+-------+-------+--------+--------+--------+-----------+
| Fred.Smith | NULL        | Fred  | Smith | User   | A      | N      | NULL      |
+------------+-------------+-------+-------+--------+--------+--------+-----------+
1 row in set (0.00 sec)

Request Role for a User Without a PRISM Account


In this next request, we will be requesting a role for a user who does not have a PRISM account.
This will cause the role to be expanded into an entitlement request AND an account request.

1. Log in as Catherine.Simmons and, on the Home page, select Manage User Access and
request the PRISM User role for Bob.Smith

2. After you submit the request, check the Access Request to see that the request was for a role
for Bob.Smith.

3. Log in as spadmin/admin and approve the role request


4. After you approve the request, check the Access Request. You should see that our request
now includes all the account attributes and the User entitlement.

5. In your terminal window, confirm that Bob.Smith was added to the PRISM application:

mysql> select * from users where login = 'Bob.Smith';
+-----------+-------------+-------+-------+--------+--------+--------+-----------+
| login     | description | first | last  | groups | status | locked | lastLogin |
+-----------+-------------+-------+-------+--------+--------+--------+-----------+
| Bob.Smith | NULL        | Bob   | Smith | User   | A      | N      | NULL      |
+-----------+-------------+-------+-------+--------+--------+--------+-----------+
1 row in set (0.00 sec)
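
The expansion described under "Understanding what happens" (steps a to e), and the two cases exercised with Fred.Smith and Bob.Smith, can be modelled in a few lines of Python. This is an added example, not SailPoint code: the data structures, the assignedRoles label, and the account-creation policy are assumptions made for the model, and the identities are constructed.

```python
from dataclasses import dataclass, field

# Constructed role model using the names from the exercise.
BUSINESS_ROLES = {"PRISM User": ["PRISM User – IT"]}           # business role -> IT roles
IT_ROLES = {"PRISM User – IT": [("PRISM", "groups", "User")]}  # IT role -> entitlements


@dataclass
class Identity:
    name: str
    # application -> {attribute: [values]}; a missing key means no account there
    accounts: dict = field(default_factory=dict)


def new_account_attributes(identity):
    """Hypothetical create policy, filling columns seen in the PRISM users table."""
    first, _, last = identity.name.partition(".")
    return [("login", "Set", identity.name), ("first", "Set", first),
            ("last", "Set", last), ("status", "Set", "A")]


def expand_role_request(identity, business_role):
    """Expand a business-role request into per-application account requests."""
    if business_role not in BUSINESS_ROLES:
        raise KeyError(f"unknown business role: {business_role}")
    # (a) The role itself goes on the Identity Cube, so its target is IdentityIQ.
    #     "assignedRoles" is the attribute label chosen for this model.
    plan = [{"application": "IdentityIQ", "op": "Modify", "account": identity.name,
             "attributes": [("assignedRoles", "Add", business_role)]}]
    # (b) and (c): business role -> required IT roles -> entitlements per application.
    needed = {}
    for it_role in BUSINESS_ROLES[business_role]:
        for app, attr, value in IT_ROLES[it_role]:
            needed.setdefault(app, []).append((attr, value))
    for app, entitlements in needed.items():
        account = identity.accounts.get(app)
        held = account or {}
        # Only request what the account does not already hold.
        adds = [(attr, "Add", value) for attr, value in entitlements
                if value not in held.get(attr, [])]
        if account is None:
            # (d) No account: the request also carries the new account's attributes.
            plan.append({"application": app, "op": "Create", "account": identity.name,
                         "attributes": new_account_attributes(identity) + adds})
        elif adds:
            # (d) Account exists: only the missing entitlement is added.
            plan.append({"application": app, "op": "Modify", "account": identity.name,
                         "attributes": adds})
        # (e) Each non-IdentityIQ request is what the application's provisioning
        #     rule (PRISM - Provision in the exercise) would be handed.
    return plan


# Constructed identities matching the two scenarios in the exercise.
FRED = Identity("Fred.Smith", accounts={"PRISM": {"groups": []}})
BOB = Identity("Bob.Smith")

if __name__ == "__main__":
    for person in (FRED, BOB):
        for request in expand_role_request(person, "PRISM User"):
            print(person.name, request["application"], request["op"],
                  request["attributes"])
```

A user who already holds groups = User gets only the IdentityIQ request, so nothing is sent to PRISM a second time.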


Enable/Disable and Delete PRISM Accounts


1. Log in as Catherine.Simmons and, from the Quicklinks sidebar, select Manage Accounts
and For Others

2. Select Bob.Smith and disable the PRISM account:

3. Submit the request and then check the Access Request

4. Back at the Quicklinks sidebar, select Manage Accounts and For Others

5. Select Fred.Smith and delete the PRISM account:

6. Submit the request and then check the Access Request


7. Log in as Walter.Henderson/xyzzy and approve both the disable and delete requests

8. In the terminal window, use MySQL to check the Bob.Smith and Fred.Smith accounts. Notice
that Bob.Smith’s status has been set to “I” (Inactive), which is how accounts are disabled in
PRISM. Notice that Fred.Smith no longer has an account at all.

mysql> select * from users where login = 'Bob.Smith';
+-----------+-------------+-------+-------+--------+--------+--------+-----------+
| login     | description | first | last  | groups | status | locked | lastLogin |
+-----------+-------------+-------+-------+--------+--------+--------+-----------+
| Bob.Smith | NULL        | Bob   | Smith | User   | I      | N      | NULL      |
+-----------+-------------+-------+-------+--------+--------+--------+-----------+

mysql> select * from users where login = 'Fred.Smith';

Empty set (0.00 sec)


Unlock Account
1. Walter.Henderson’s PRISM account is currently locked. Determine how to unlock it.

a. There are multiple ways to do this.


Hint: Will it be self-service, manager or other user driven? Depending on how you
decide to do it, the Quicklink Populations may need to change in order to allow
different actions within LCM. However you perform this action, remember that the
Access Request lists the approver.

b. Confirm in the terminal window by using the MySQL command:

mysql> select * from users where login = 'whenderson';

c. You should see the following, if you successfully unlock his account:
mysql> select locked from users where login = 'whenderson';
+--------+
| locked |
+--------+
| N |
+--------+
1 row in set (0.00 sec)


Exercise #4: Configure Group Provisioning and Create New Group in LDAP
Objective
Turn on the IdentityIQ Group Provisioning feature and use IdentityIQ to provision groups to LDAP.

Overview
Out of the box, IdentityIQ can support provisioning groups to target applications that support it. In
this exercise, we will use IdentityIQ to provision a group into LDAP. Once this group is created, we
will be able to add additional users to it.

Note: You do not need to use group provisioning within your IdentityIQ implementation. It is also
perfectly normal to create, edit, and delete groups directly in the native target application.

Configure Group Provisioning Feature of IdentityIQ


In order to enable group provisioning, two items must be configured: a group provisioning policy
for the application, and Lifecycle Manager. We will confirm that both are ready for us to create the
new LDAP group.

1. Log in as spadmin/admin and investigate the LDAP provisioning policy.

a. Open the LDAP application definition and navigate to Configuration → Provisioning
Policies. Scroll down and click on the group create provisioning policy.

b. List the four fields required to create a new group in our instance of LDAP.

_______________________________________________ _______________________________________________

_______________________________________________ _______________________________________________

c. Click on the DN field. The definition of this field is displayed on the right. Based on
the definition, is this a required field? (circle one) Yes No

d. Scroll down to the Value Properties box. Notice that no values have been provided.
This means that later, when we create the new group, we will manually provide a
value for this field.

e. View the Value Properties entry for the uniqueMember field. List the value provided
for the uniqueMember field.

_________________________________________________________________________________________________

f. Close the provisioning policy.


2. Navigate to Lifecycle Manager → Configure tab

a. Confirm that Enable Account Group Management is selected

b. While you’re in Lifecycle Manager configuration, look at the next option.

c. What is the default refresh interval for the full text search indexes? ___________________
With full text search enabled, your new group will be available when the index is
updated.

d. Disable full text search: uncheck the box next to Enable Full Text Search

Note: This allows us to use the database search rather than the full text search for
our development testing of access requests. With the database search, updated
entitlements and roles are immediately searchable. With the full text search, the
indexes must be updated prior to searching for updated entitlements and roles.
When development is complete, enable full text search for faster and more thorough
searching (unlike database search, full text search includes descriptions).

e. Your configuration should look as follows:

3. Click Save


Verify the Existing LDAP Groups


1. View the existing LDAP groups.

a. If necessary, start LDAP (from a terminal window enter StartLDAP) and launch the
LDAP Browser (use the desktop shortcut to launch the LDAP Browser)

b. If necessary, expand dc=training,dc=sailpoint,dc=com, then expand the groups

c. List the existing groups:

____________________________________________ ____________________________________________


Provision a New Group in LDAP called VPN


1. In IdentityIQ, navigate to Applications → Entitlement Catalog

2. Click Add New Entitlement to create a new account group.

3. On the Standard Properties tab, configure the new group as:

a. Application: LDAP

b. Display Value: VPN

c. Requestable: checked

d. Description: This group controls access to the corporate VPN.

e. Owner: Randy.Knight

4. View the Object Properties tab.

a. These fields are required for defining our LDAP group. What is the name of the
application and provisioning policy that defines these fields?

_______________________________________________ _______________________________________________

5. On the Object Properties tab, configure the following:

a. DN: cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com

b. Description: This group controls access to the corporate VPN.


c. CN: VPN

6. Click Save

7. If you configured everything successfully you should see the following:

a. A message that says a workflow was started to create the VPN group. This workflow
comes out of the box, but could be customized if so desired. The workflow is called
Entitlement Update.

b. Under Applications → Entitlement Catalog you should see the new entry for VPN.
Note that the new LDAP group has a Description and an Owner and is Requestable.


c. Check LDAP to see that the group was created

i. Close and reopen the Training connection to force a reread of LDAP

ii. Drill down and confirm that your VPN group was created:


Exercise #5: Provision VPN Access Using Lifecycle Manager


Objective:
The objective of this exercise is to allow managers to request VPN access for their users via
Lifecycle Manager.

Overview:
We just created a group in LDAP called VPN, and we made this account group requestable, meaning
that users can request it through LCM.

To test, we will log in as a manager (Catherine.Simmons) and request VPN Access for all of the
direct reports in her department.

This will trigger a workflow case for each user with appropriate approval steps and will eventually
(assuming all approvals are affirmative) result in a provisioning of the entitlement in LDAP.

The default workflow for entitlement requests is called LCM Provisioning. Each Lifecycle Manager
operation has a default workflow (Business Process) defined as seen here. Out of the box, the
default workflows are:

The LCM Provisioning workflow automatically checks for approval from the entitlement owner
before provisioning the user’s access. This out of the box behavior can be configured to support any
desired functionality including policy checks, approvals, notifications, etc.


Enable Business Process (Workflow) Tracing


1. Navigate to Setup → Business Processes

2. Select the LCM Provisioning Business Process, and in the center of the screen, select the
Process Variables tab.

3. On the Process Variables tab, notice the Approval configuration.

a. Who is the default approver? ___________________________________________

b. List the other standard configuration options for approver:

_______________________________ _______________________________ _______________________________

4. Scroll down to the very bottom, and select Trace Execution. This will trace all workflow
steps into the logs so that we can observe detailed workflow flow information.

5. Click Save.


6. Start the desktop shortcuts Tail Tomcat Standard Out and Tail Email Log.
During the request to add users to the VPN group in LDAP, we will view these logs to
observe the workflow trace and emails being sent.

Login as a Manager and Request VPN Access for Employees


1. Log out of IdentityIQ and log in as Catherine.Simmons/xyzzy

2. Select Manage User Access.

3. In the Select Users list, you should see direct reports for Catherine.Simmons, and
Catherine herself. Select all of her direct reports, but not Catherine, and then select Manage
Access.

4. On the Manage Access screen, search for and select VPN.

5. View the VPN entry and notice that all of our configured items are showing up on the VPN
Entitlement such as Owner and Description.


6. Select Review and, if everything looks okay, click Submit.

7. Navigate back to Home.

8. Click on Track My Requests.

9. There should be seven requests in the queue, one for each subordinate employee that had
the VPN entitlement requested for them. Click any request to see the current status of the
request.


10. Observe the current status of the workflow in the log files.

a. Check the output of the Email log file; you should see the emails that were generated:
To: [email protected]
Message-ID: <[email protected]>
Subject: Changes requested to Tammy.Daniels need approval
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_44_19584772.1396377798427"
X-Mailer: smptsend

------=_Part_44_19584772.1396377798427
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Catherine.Simmons is requesting the following changes for 'Tammy.Daniels'

Application: LDAP
Account : cn=Tammy.Daniels,ou=people,dc=training,dc=sailpoint,dc=com
Operation: Add
Attribute: groups
Value(s): cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com
Priority: Normal

b. Check the Standard Out log file and see that workflow tracing has occurred. The end
of the trace shows that an approval has been requested:

Starting step Approval
Starting approval group in mode parallelPoll
Starting approval for Randy.Knight
Opening work item: Owner Approval - Account Changes for User: Tammy.Daniels

11. Log out and log in as Randy.Knight/xyzzy


12. On the Home page, in Latest Approvals, click the approval for Tammy.Daniels.

a. Handle the approval by selecting Approve and then Complete.

13. Leave the remaining six approvals for completion at a later time.

14. Notice the Standard Out log file after the item is approved by Randy:

Ending step Complete Identity Request
Skipping conditional step Update Ticket On Complete
Starting step end
Ending step end
Ending workflow Identity Request Finalize
Ending step Finalize
Ending workflow LCM Provisioning


15. Once the approval is done, you can check in the LDAP Browser and confirm that
Tammy.Daniels has correctly been added to the VPN group as shown here:

16. Just to review what occurred:

a. Once the manager requested access to the VPN group for all 7 of her employees,
7 workflow cases were started (each an instance of the LCM Provisioning
workflow, which is the default in IdentityIQ for Access Requests).

b. Each workflow determined from the settings in the Entitlement Catalog that the
owner of the VPN group was Randy.Knight, so the workflow routed the approval for
each user to Randy.Knight.

c. Randy.Knight received an email notification and had 7 items in his inbox for his
approval.

d. Once Randy.Knight approved the request, the workflow continued and provisioned
access to the LDAP resource, which involved adding Tammy.Daniels to the specific
VPN group.

17. Log out and back in as Catherine.Simmons/xyzzy


18. Navigate to Track My Requests and see that the status for the Tammy.Daniels request has
changed to Verifying.
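
The Standard Out trace lines shown in steps 10 and 14 can be summarized mechanically to see which step a workflow case is waiting in and on whom. This is an added example, not part of the training material: the sample traces reuse the lines shown above, and the leading Start step in the first one is constructed.

```python
import re

# Line shapes taken from the Standard Out excerpts in this exercise.
PATTERNS = [
    ("start", re.compile(r"Starting step (.+)")),
    ("end", re.compile(r"Ending step (.+)")),
    ("skip", re.compile(r"Skipping conditional step (.+)")),
    ("wf_end", re.compile(r"Ending workflow (.+)")),
    ("approver", re.compile(r"Starting approval for (.+)")),
    ("work_item", re.compile(r"Opening work item: (.+)")),
]

# Trace up to the approval (step 10); the two Start step lines are constructed.
PENDING_TRACE = """\
Starting step Start
Ending step Start
Starting step Approval
Starting approval group in mode parallelPoll
Starting approval for Randy.Knight
Opening work item: Owner Approval - Account Changes for User: Tammy.Daniels
"""

# Tail of the trace after approval (step 14); it begins mid-workflow, as a tailed log does.
TAIL_TRACE = """\
Ending step Complete Identity Request
Skipping conditional step Update Ticket On Complete
Starting step end
Ending step end
Ending workflow Identity Request Finalize
Ending step Finalize
Ending workflow LCM Provisioning
"""


def classify(line):
    """Return (kind, value) for a recognized trace line, else (None, None)."""
    for kind, pattern in PATTERNS:
        match = pattern.fullmatch(line.strip())
        if match:
            return kind, match.group(1)
    return None, None


def summarize_trace(text):
    """Rebuild step state from a single workflow case's trace output."""
    open_steps = []  # stack of steps that have started but not ended
    result = {"completed": [], "skipped": [], "workflows_ended": [],
              "unmatched_ends": []}
    for line in text.splitlines():
        kind, value = classify(line)
        if kind == "start":
            open_steps.append({"step": value, "approvers": [], "work_items": []})
        elif kind == "end":
            # Close the most recent open step with that name, if there is one.
            for i in range(len(open_steps) - 1, -1, -1):
                if open_steps[i]["step"] == value:
                    del open_steps[i]
                    result["completed"].append(value)
                    break
            else:
                # The step started before the captured portion of the log.
                result["unmatched_ends"].append(value)
        elif kind == "skip":
            result["skipped"].append(value)
        elif kind == "wf_end":
            result["workflows_ended"].append(value)
        elif kind in ("approver", "work_item") and open_steps:
            # Approval details belong to the step currently executing.
            open_steps[-1][kind + "s"].append(value)
    result["open_steps"] = [s["step"] for s in open_steps]
    # A step that is still open and has named approvers is waiting on them.
    result["pending_approvals"] = [s for s in open_steps if s["approvers"]]
    return result


if __name__ == "__main__":
    for name, trace in (("pending", PENDING_TRACE), ("tail", TAIL_TRACE)):
        summary = summarize_trace(trace)
        print(name, summary["open_steps"], summary["pending_approvals"],
              summary["workflows_ended"])
```

The parser assumes one workflow case per input; the trace lines shown here carry no case identifier, so the seven concurrent cases from this exercise would need to be separated before summarizing.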


Confirm VPN Entitlement Assignment and Complete the Access Request


1. Log out and back in as spadmin/admin
2. Note that we can move the status of requests from Verifying to Complete by running the
task: Perform Identity Request Maintenance. This task is responsible for checking access
requests and confirming that the changes have been made.
a. This task automatically runs once a day by default. You could run this more often as
determined by your needs. When is the Perform Identity Request Maintenance
task next scheduled to run in your environment?

____________________________________________________________________________________________

3. Run the task, and then come back and check Track My Requests and confirm that the
request for Tammy.Daniels has been marked as Completed.

4. Check Tammy.Daniels’s LDAP account to verify her VPN access.


5. View Entitlements to confirm that the VPN group is an entitlement on her cube and that
the source of the entitlement was Access Request (Note: Contrast this with earlier in the
training class, where Aggregation was the source.)

a. Click on the row (not the VPN link) to view the details

Disable Business Process (Workflow) Tracing


Trace is very verbose and should be used selectively. It is a good practice to turn it off once you are
through using the output.

1. Navigate to Setup → Business Processes.

2. Select the LCM Provisioning Business Process.

3. Select the Process Variables tab. Scroll down and find the process variable called Trace
Execution and de-select to disable tracing.

4. Click Save.


Exercise #6: Use Lifecycle Manager to Create a Lifecycle Event
Objective:
The objective of this exercise is to use Lifecycle Manager to recognize and respond to data changes
on the Identity Cubes. You will learn to configure a Lifecycle Event to monitor for change and
trigger a business process, and you will use the Business Process Editor to create the business
process that the Lifecycle Event will trigger.

Overview:
A lifecycle event can be configured to run a business process based on identity changes. In this
exercise, we will be configuring a custom business process to run whenever a user’s department
attribute changes. The business process should force a new certification for the identity and, if the
new department is the IT Department, an email should also be sent.

Note that if all we wanted to do upon department change was to trigger a certification, the simpler
choice is to use a Certification Event. However, because we want to perform additional actions
(conditionally send an email), we’re managing this event with a custom business process.

First, we will define the business process (workflow) including importing a custom email template
just for this business process. Second, we will create the lifecycle event that will monitor for the
department change and trigger the business process.

The Business Process will show how to perform the following:

• Print out some debug data from within a workflow

• Calculate some internal workflow variables that can be used in later steps to control
workflow behavior

• Send an email from within a workflow

• Generate a certification for the user whose department is changing

Design the Business Process


1. What will trigger the workflow?

_________________________________________________________________________________________________________

2. From the following list, circle the actions that are needed. These are the workflow steps:

• Create a certification
• Send an email
• Calculate the time since the last login
• Print debug information


3. What will determine if an email should be sent?

_________________________________________________________________________________________________________

Configure a new Business Process for use with our Lifecycle Event
1. Log in as spadmin

2. Import an email template to be used with our new Business Process

a. Navigate to Global Settings → Import from File and load the following file:

/home/spadmin/ImplementerTraining/config/WorkflowTrainingEmailTemplate.xml

b. This will import a new email template that we will use later in our Business Process.

3. Navigate to Setup → Business Processes

4. Click New and configure as follows:

a. Name: Department Attribute Value Change

b. Type: Identity Lifecycle

c. Description: Business process that will run when a department change occurs

d. Click Save

5. Click the Process Variables tab to configure the workflow variables.

a. Click Add A New Variable and configure the first variable as follows:

i. Name: event

ii. Input: checked

b. Click Save


Note: Because the event variable is referenced by other variables (defined next),
the save is required to ensure that the event variable is saved first in the list of
workflow variables.

c. Add the remaining variables as shown:

Name                  Input     Initial Value   Value or Source
trigger               Checked
trace                 Checked   String          true
identityDisplayName   Checked   Script          event.getIdentityFullName();
attribute_cause       Checked   Script          event.getCause();

d. Notice that we have turned on trace. Watch Standard Out for results.

e. Click Save to save changes to the Process Variables, and confirm that your variables
are as follows:


6. Define the Business Process graphically by clicking on the Process Designer tab.

a. Add 5 steps by clicking Add a Step and choosing:

i. Start – one time

ii. Generic Step – three times

iii. Stop – one time

b. Drag (click and drag) the five icons into a more user-friendly arrangement as
shown:


c. Right click each Generic Step icon and edit the names and icons as shown:

d. Now, connect the icons to reflect the required transitions.

i. Double click the Start icon and then double click the Debug Step

ii. You should now have a connection from the Start icon to the Debug Step as
shown:

iii. Continue connecting the icons using the technique shown above

1. Debug Step to Send Email

2. Debug Step to Create Certification

3. Send Email to Create Certification

4. Create Certification to Stop


e. Once done, you should have something that looks like this. Note that a split
transition is created automatically for you since we have two transitions configured
from the Debug Step.

7. Now, we will configure each workflow step to perform specific operations as necessary.

a. Right click the Debug Step step and select Edit Step and configure:

i. Details tab

1. Name: Debug Step

2. Action: Script

3. Source: click Open Editor

4. Edit Script for Action: Copy and paste from:

/home/spadmin/ImplementerTraining/beanshell/Workflow_Debug Step Script.txt

ii. Select Save, and then Save again.

b. Right click the multiple transition (the diamond with the ‘X’) to the right of the
Debug Step and select Edit Transitions:


i. Edit the transition logic as shown, taking care to negate the 2nd transition.

Copy and paste the transition logic from:

/home/spadmin/ImplementerTraining/beanshell/Workflow_Transition Logic.txt

Note: The transition logic will send us to the Send Email step if the
department we are transferring to is the “IT Department”; otherwise, we will
move to the Create Certification step.

ii. Click Save


c. Right click the Send Email step and select Edit Step and configure:

i. Details tab

1. Name: Send Email

2. Action:

a. Call Method: checked

b. Call Method: choose sendEmail

ii. Arguments tab

Create three variables using Add a New Argument

Argument Name   Value    Value/Source
template        String   Training Workflow Email Template
to              Script   getEmail(identityName)
cc              Script   getEmail(launcher)

Note: identityName and launcher are passed into the workflow by the
system and supply the name of the identity whose attribute was changed and
the name of the identity who made the change, respectively.

iii. Click Save


d. Right click the Create Certification step and select Edit Step and configure:

i. Details tab

1. Name: Create Certification

2. Action: Script

3. Open Editor:
Copy and paste from:
/home/spadmin/ImplementerTraining/beanshell/Workflow_GenerateCertificationScript.txt

ii. Click Save (Saves this step)

8. At the bottom of the Business Process Editor, click Save to save all work on your Business
Process. (Saves the whole workflow.)

Configure Lifecycle Event and Test


1. Before we can configure a Lifecycle event, we need to configure the department attribute to
be editable so that we can change the department and kick off a workflow to process the
change.

a. Navigate to Global Settings → Identity Mappings

b. Click the Department identity attribute and change the Edit Mode to Permanent.
This will make this field editable via the UI for testing purposes.

c. Additionally, check the Searchable checkbox as shown here:

d. Select Save to save the changes to the Identity Mapping configuration for the
department attribute


2. Navigate to Setup → Lifecycle Events, click Add New Lifecycle Event, and configure the
new event as shown here:

a. Name: Department Transfer

b. Description: This lifecycle event will trigger whenever the Department
attribute on the identity is changed.

c. Event Type: Attribute Change

d. Attribute: Department

e. Business Process: Department Attribute Value Change

f. Click Save to save your Lifecycle event configuration

3. Test the event by editing Aaron.Nichols and changing his department.

a. Navigate to Identities → Identity Warehouse and choose Aaron.Nichols

b. Select Edit


c. Change the Department value from Executive Management to IT Management
and Save. This will trigger the department change workflow.

4. Confirm that a certification was created:

a. Navigate to Setup → Certifications

b. See if there is a department transfer certification created for Aaron.Nichols


c. Click the certification and scroll down to confirm that the access review was
assigned to the appropriate party (Mary.Johnson)

5. Look at the email log. What are the subjects of the two emails that were sent by the
workflow?

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________


6. If you check the output of Standard Out (desktop shortcut: Tail Tomcat Standard Out) you
will see the following. You can see that the department was changed to “IT Management”
and we took the path to the “Send Email” step.

Starting step Start
Ending step Start
Starting step Debug Step

=======================
Debug Step - Start
Requester = spadmin
Step Name = Debug Step
event.getCause() = Attribute 'department' changed from Executive Management to IT Management
event.getIdentityName() = Aaron.Nichols
trigger.getAttributeName() = department
Debug Step - End
=======================

Ending step Debug Step
Starting step Send Email
Ending step Send Email
Starting step Create Certification
Change requested by spadmin
Building certification for Aaron.Nichols
Certification will be done by Mary.Johnson
Ending step Create Certification
Starting step Stop
Ending step Stop
Ending workflow Department Attribute Value Change

7. Test moving Aaron.Nichols from IT Management to Executive Management and back and
observe the results.


Extension Exercise (Optional)


1. You previously listed the subjects of the two emails sent by this workflow. Determine where
each of these values are being set and list the locations here:

Email subject: Changes to your Identity were processed

Location: ___________________________________________________________________________________________

Email subject: New access certification: Department Transfer for Aaron.Nichols: assigned to
Mary.Johnson

Location: ___________________________________________________________________________________________

This concludes Section 4.
