SailPoint IdentityNow Provisioning Process

Date Posted:

19 Jun 2025

Category:

Security


Introduction to SailPoint IdentityNow Provisioning

Provisioning involves granting, updating, or revoking user access to various systems, applications, and databases, ensuring that users have the appropriate permissions based on their roles and needs.

Provisioning Steps

1. Provisioning can be triggered automatically through lifecycle changes and role assignments, or manually via access requests, certifications, and manager revocations.

2. This request is packaged into a provisioning plan that outlines the necessary data and operations.

3. IdentityNow then fulfills the request either directly through connected systems, by notifying external ticketing systems, or via manual intervention.

4. Once the request is fulfilled, the system re-aggregates data to verify that the changes were successfully applied.

Provisioning Plan

Provisioning Plan Process

The provisioning process begins with the creation of a Provisioning Plan triggered by various events such as user lifecycle changes (joiner, mover, leaver), role assignments or removals, access request submissions, or certification review outcomes.

1. Creation

This is the initial stage of the provisioning process. In this phase, the system identifies and gathers all necessary information to determine the required access changes.

A Provisioning Plan is generated, which includes:

  • Target system

  • Provisioning action (create, update, delete, disable)

  • Attribute values and entitlements

2. Compilation

In this phase, IdentityNow compiles the provisioning plan into detailed actions:

  • Maps roles to entitlements

  • Resolves identity attributes using mappings or transforms

  • Prepares connector-specific operations

  • Applies provisioning rules for dynamic value generation (if configured)

3. Expand

The compiled actions are expanded into multiple application-specific instructions:

  • Each target application receives its own set of instructions

  • Helps in managing multi-app provisioning through a single role or plan

Example: A single “Role” might expand into instructions for Workday, Active Directory, and ServiceNow.

4. Partition

IdentityNow partitions the provisioning instructions:

  • Groups tasks by system or connector type

  • Enables parallel execution for efficiency

  • Ensures proper sequencing (e.g., account creation before entitlement assignment)

IdentityNow filters out already-assigned access during provisioning to avoid redundant actions. Only new or missing access is executed. This step is vital for performance optimization in large environments.

5. Policy Check

Before executing any change, IdentityNow performs policy checks to enforce security and compliance.

Types of Policies Checked:

  • Provisioning Policy: Ensures mandatory fields such as email and username are populated correctly.

  • Identity Policy: Validates uniqueness (e.g., no duplicate usernames) and required attributes.

  • SoD Policy: Checks for conflicting entitlement combinations or conditions (separation-of-duties violations).

If a policy fails:

  • Provisioning may be blocked

  • An approval or remediation process may be triggered
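To make the Expand, Partition and Policy Check stages concrete, here is an added toy model in Python (not SailPoint code or its API): a role is expanded into per-application instructions, access the identity already holds is filtered out, account creation is ordered before entitlement assignment, and the result is run through required-attribute, uniqueness and SoD checks. The role definition, SoD rule and identity data are all constructed for illustration.

```python
# Added example (not SailPoint code): a toy model of Expand -> Partition
# (filter already-held access, create before assign) -> Policy Check.
# All role, SoD and identity-warehouse data below is constructed.

# Role -> {application: [entitlements]}  (Compilation maps roles to entitlements)
ROLE_ENTITLEMENTS = {
    "Finance Analyst": {
        "Active Directory": ["FIN_Users"],
        "Workday": ["Fin_Report_View"],
    },
}
# SoD rule: an identity may not hold both (application, entitlement) pairs at once
SOD_CONFLICTS = [
    (("Workday", "Fin_Report_View"), ("Workday", "Fin_Payment_Approve")),
]
REQUIRED_ATTRIBUTES = ("username", "email")        # Provisioning Policy fields


def compile_plan(identity, role, existing):
    """Expand a role into per-application instructions, dropping access the
    identity already holds and creating the account before assigning to it."""
    plan = {}
    for app, ents in ROLE_ENTITLEMENTS[role].items():
        ops = []
        if app not in existing:                         # no account on this app yet
            ops.append(("create", identity["username"]))
        ops += [("add_entitlement", e) for e in ents if e not in existing.get(app, [])]
        if ops:                                          # nothing missing -> no instruction
            plan[app] = ops
    return plan


def policy_check(identity, plan, existing, taken_usernames):
    """Return the list of policy violations; an empty list means the plan may execute."""
    violations = [f"missing required attribute: {a}" for a in REQUIRED_ATTRIBUTES
                  if not identity.get(a)]
    if identity.get("username") in taken_usernames:     # Identity Policy: uniqueness
        violations.append(f"duplicate username: {identity['username']}")
    # Resulting access = what the identity holds now + what the plan would add
    resulting = {app: set(ents) for app, ents in existing.items()}
    for app, ops in plan.items():
        resulting.setdefault(app, set()).update(v for op, v in ops if op == "add_entitlement")
    for (app_a, ent_a), (app_b, ent_b) in SOD_CONFLICTS:  # SoD Policy on the end state
        if ent_a in resulting.get(app_a, ()) and ent_b in resulting.get(app_b, ()):
            violations.append(f"SoD violation: {ent_a} conflicts with {ent_b}")
    return violations
```

Checking the SoD rule against the combined end state (existing access plus planned additions) rather than against the plan alone is what catches a conflict with an entitlement the identity already holds.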

6. Execution

The execution step in provisioning is where the planned access changes are applied to the target systems. This involves using various methods such as out-of-the-box connectors, IQService for on-premises systems, Web Service connectors through REST or SOAP APIs, and custom scripts or rules. Execution may be:

Immediate: Actions are performed in real-time as soon as the plan reaches this stage.

Conditional: Execution waits for specific approvals, triggers, or business rules before proceeding.

Manual: Some actions may require administrators to perform them directly, especially in disconnected or legacy systems.

Execution status (success, failed, pending) is recorded and can be tracked via the UI or logs.

Post-Provisioning Steps

1. Account Aggregation

  • Re-collects the account from the target system to verify that changes are applied.

  • Helps reconcile state and keep the identity warehouse accurate.

2. Audit and Logging

  • All provisioning events are logged.

  • Includes who initiated the action, what was changed, when, and the outcome.

  • Logs are available for compliance, audits, and troubleshooting.

3. Notifications and Workflows

  • IdentityNow can send emails or trigger additional workflow steps, such as:

    • Notify a manager of successful account creation

    • Route to ServiceNow for approval/ticketing

    • Alert admin on provisioning failure

Stay tuned to our blog to see more posts about SailPoint products implementation and related updates.
