Blog for the love of learningLearn Quickly - implement immediately

Sailpoint Online Tutorials on Policies

Sailpoint Policies allows organisations to implement various predefined access policies across various critical and general applications in an organisation, Including separation-of-duty (SoD) policy which is critical for implementing strong application compliance controls. Sailpoint IdentityIQ makes it easy for business and IT managers to define crucial access for implementing these policies across roles and entitlements using a very easy to use interfaces within a few clicks. IdentityIQ supports a wide variety of policy types including account-level policy, activity policy and risk-based policy. These policies Helps organizations to proactively detect, change and prevent violations in any application or user/role at any point in time.

SOD Policies
  • These are roles based seperation of duties. for Example the same user in an organization should not be allowed to approve the purchase order and to purchase the goods for an organization. Or same user to apply for leave and approve their own leaves. Sailpoint Online Training on Policies Activity policies
  • You can define policies around Certain activities in sailpoint like Login, emails etc. There is no customization possible around Activity policies only OOB can be configured. A simple example for Activity policy is to monitor employee login post office hours or during weekends or restrict the logins, So a simple email notification can be configured using Activity Policy. Activity monitoring functionality can read the logs and then it can extract that information, using FTP based connections. The user have to write string manipulation code to extract text from these text file logs, no keyword search / grep etc can be done.

    Account policies
  • enforces things like you want to have multiple accounts for any particular user in an applications.

    Advanced Policies
  • In this policy Rules Set Which users are included in this policy violation, which can be done using any match list option like Filter, rule, script, etc. this says that only these users are evaluated for this policy. And then you can add dynamic conditions like this identity attribute and this value should not be present or every application attribute value is not allowed to be present. so any user having that value will be a violation. for example you have a policy set for deleting all the inactive accounts from the system but you see the inactive user value true is present, so thats a policy violation.

    Note - Tip
  • You can generate policy violations using APIs. if you have a certain case that you cant generate using these policies then you can write a rule which does that evaluation on the identities and then it can generate a violation object at the end if it finds that that condition to be true.

    Post Tags - Sailpoint online training, Sailpoint Online Tutorials on Policies

    Join Sailpoint Online Training Now