8 0 2 SailPoint Integration Guide

SailPoint
Version 8.0-2
Integration Guide
Copyright © 2019 SailPoint Technologies, Inc., All Rights Reserved.
SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be
liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with
the furnishing, performance, or use of this material.
Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced,
publicly displayed, used to create derivative works, or translated to another language, without the prior written
consent of SailPoint Technologies. The information contained in this document is subject to change without notice.
Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii)
of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and
subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for
other agencies.
Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the
U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and
foreign export laws and regulations as they relate to software and related documentation. Licensee will not export
or re-export outside the United States software or documentation, whether directly or indirectly, to any Prohibited
Party and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes:
a party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism;
a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the
U.S. Government's Specially Designated Nationals (SDN) List; a party prohibited from participation in export or
re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government's Office of Foreign
Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows
or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure
that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software
and related documentation.
Copyright and Trademark Notices. Copyright © 2019 SailPoint Technologies, Inc. All Rights Reserved. All logos, text, content,
including underlying HTML code, designs, and graphics used and/or depicted on these written materials or in this Internet web site
are protected under United States and international copyright and trademark laws and treaties, and may not be used or
reproduced without the prior express written permission of SailPoint Technologies, Inc.
“SailPoint Technologies & Design,” “SailPoint,” “IdentityIQ,” “IdentityNow,” “SecurityIQ” “IdentityAI” “AccessIQ,”
“Identity Cube,” “Managing the Business of Identity” are registered trademarks of SailPoint Technologies, Inc.
“Identity is Everything” and “The Power of Identity” are trademarks of SailPoint Technologies, Inc. None of the
foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc. All other
trademarks shown herein are owned by the respective companies or persons indicated.
Table of Contents
Chapter 1: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
What is SailPoint IdentityIQ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
SailPoint Integration Guide Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Section I: SailPoint IdentityIQ Infrastructure Modules . . . . . . . . . . . . . . . . . 5

Access Management Infrastructure Modules . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 2: IdentityIQ for Okta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Prerequisite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Additional Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Schema Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Account Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Application Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Provisioning Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Create Account Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Enable/Delete Account Provisioning Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Disable Account Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Create Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Aggregation Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Supported Aggregation Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Account Status Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Upgrade Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Delta Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Provisioning of Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Security Information And Event Management Infrastructure Modules 25

Chapter 3: IdentityIQ for ArcSight IT Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Supported Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuration to Export IdentityIQ Data to ArcSight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Configuration to Import HP ArcSight CEF Flat File to SailPoint IdentityIQ . . . . . . . . . . . . . . . . . . . . . .32
IT Service Management Infrastructure Modules . . . . . . . . . . . . . . . . . . . . . .35

Chapter 4: IdentityIQ for Service Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Basic Flow of Service Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Basic Configuration of Service Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Configuring IdentityIQ to Integrate with ServiceNow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Retryable Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Chapter 5: IdentityIQ for MicroFocus Service Manager Service Desk . . . . . . . . . . . . . .45
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuring HP Service Manager (Micro Focus) for IdentityIQ Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Verifying Connectivity between IdentityIQ and HP Service Manager (Micro Focus) . . . . . . . . . . . . . . .56
Creating New Service Request Catalog Item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Exporting user details from HP Service Manager (Micro Focus) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Importing user details from HP Service Manager (Micro Focus) to IdentityIQ . . . . . . . . . . . . . . . . . . . .58
Chapter 6: IdentityIQ for BMC Remedy Service Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Administrator Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuring BMC Remedy AR System for IdentityIQ Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring IdentityIQ for BMC Remedy Action Request System Integration . . . . . . . . . . . . . . . . . . . . . . . . . . 65
BMC Remedy Action Request System Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Creating Multiple Tickets in Remedy System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Verifying Connectivity between IdentityIQ and BMC Remedy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Sample Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Enterprise Mobility Management Infrastructure Modules . . . . . . . . . . . .73

Chapter 7: IdentityIQ for AirWatch Enterprise Mobility Management . . . . . . . . . . . . . . 1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Application Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Operation Specific Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Provisioning Infrastructure Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Chapter 8: IdentityIQ for Oracle Identity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Installing the OIM Integration Web Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Authentication for Web Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Testing the OIM Integration Web Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Properties that can be defined in xellerate.properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Configuration for OIM Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Testing the OIM Integration Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Aggregating from OIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Known/Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 9: IdentityIQ for IBM Security Identity Manager . . . . . . . . . . . . . . . . . . . . . . . . .13
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
General Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configuration for Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configuration for Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
IaaS - Infrastructure-As-A-Service Module . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Chapter 10: IdentityIQ for Amazon Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
IdentityIQ for Amazon Web Services Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
IdentityIQ for Amazon Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Service IAM User Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Administrator Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Schema Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Provisioning Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
(Optional) Upgrade Consideration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
IdentityIQ for Amazon Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Section II: SailPoint IdentityIQ Application Modules . . . . . . . . . . . . . . . . . .39

Enterprise Resource Planning Application Modules . . . . . . . . . . . . . . . . . .41
Chapter 11: IdentityIQ for SAP ERP - SAP Governance Module . . . . . . . . . . . . . . . . . . . .43
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Supported Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Schema Extension and Custom Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Create Account Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Entitlement Validity Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
CUA Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Entitlement Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Password Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Logon and Communication Language Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Delta Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Partitioning Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Chapter 12: IdentityIQ for SAP ERP - S/4HANA Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Chapter 13: IdentityIQ for Oracle ERP – Oracle E-Business Suite . . . . . . . . . . . . . . . . . .73
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Create Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Support for Oracle Security Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
User Editions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Support of provisioning of Start Date, End Date and Justification Attributes . . . . . . . . . . . . . . . . . . . . . .85
Last_Updated_By Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Chapter 14: IdentityIQ for SAP ERP – SAP Portal - User Management Web Service .89
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Create Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Undeploy .sda File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Chapter 15: IdentityIQ for Oracle ERP – PeopleSoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Administrator Permission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Schema Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Account Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Creating the Component Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Partitioning Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Performance Improvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Creating the Component interface jar file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Configuring the Component Interface Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Upgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Chapter 16: IdentityIQ for Oracle ERP – Siebel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Supported Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Administrator Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Account Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Adding New Custom Attributes in Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Provisioning Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Employment Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Chapter 17: IdentityIQ for Oracle NetSuite ERP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Supported WSDL Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Additional Configuration Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Schema Extension and Custom Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
SAP Governance Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Chapter 18: IdentityIQ for SAP ERP - SailPoint SAP Governance Module . . . . . . . . . 129
SAP Governance Module Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
SAP Governance Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
SAP Governance Application Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Chapter 19: IdentityIQ for SAP GRC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
(Optional) Support of Additional Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Minimum Permissions Required for SAP GRC User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
SAP GRC Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
SAP Connector Changes for Supporting SAP GRC Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Creating IdentityIQ Application of Type SAP GRC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
SAP GRC Workflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Importing SAP GRC Application Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Viewing the Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Upgrade Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Support Proactive Check and SAP CUA Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Upgrade Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Upgrade Procedure for Support of Partial Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Upgrade Procedure for Support of Provisioning Start and End Date for Role Assignment . . . . . . . . . . .151
Creating a RFC Connection on SAP GRC System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Configuring Cross System on SAP GRC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
(Optional) Support for Additional Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Support for Provisioning Start and End Date for Role Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Support for Partial Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Healthcare Integration Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Chapter 20: IdentityIQ for Epic Healthcare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Important Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Supported Managed System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Additional Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Chapter 21: IdentityIQ for Cerner Healthcare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Additional Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Organization Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Create Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Update Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Mainframe Integration Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Chapter 22: IdentityIQ for RACF Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Installing IdentityIQ for RACF Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Chapter 23: IdentityIQ for TopSecret Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Installing IdentityIQ for TopSecret Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Chapter 24: IdentityIQ for ACF2 Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Installing IdentityIQ for ACF2 Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Chapter 25: IdentityIQ for RACF LDAP Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
AdministratorPermissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Additional Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Support for PassPhrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Support for Connection Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Implementing Secured Communication to RACF LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Defining Search Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Chapter 26: IdentityIQ for TopSecret LDAP Mainframe . . . . . . . . . . . . . . . . . . . . . . . . . 215
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Additional Configuration Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
TopSecretProfile Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
TopSecretGroup Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Support for PassPhrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Implementing Secured Communication to Top Secret LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Partitioning Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Appendix A: Common Identity Management Integration Configuration . . . . . . . . . . . . 229
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Creating the IntegrationConfig Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Appendix B: Connector Classloader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Upgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
What is SailPoint IdentityIQ?
Chapter 1: Overview
The following topics are discussed in this chapter:
What is SailPoint IdentityIQ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
SailPoint Integration Guide Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
What is SailPoint IdentityIQ?

SailPoint is an identity and access management solution for enterprise customers that delivers a wide variety of
IAM processes-including automated access certifications, policy management, access request and provisioning,
password management, and identity intelligence. Furthermore, IdentityIQ has a flexible connectivity model that
simplifies the management of applications running in the datacenter or the cloud.
Compliance Manager — IdentityIQ Compliance Manager automates access certifications, policy management,
and audit reporting through a unified governance framework. This enables you to streamline compliance
processes and improve the effectiveness of identity governance, all while lowering costs.
Lifecycle Manager — IdentityIQ Lifecycle Manager manages changes to access through user - friendly self
‐service request and password management interfaces and automated lifecycle events. It provides a flexible,
scalable provisioning solution for addressing the constantly evolving access needs of your business in a way that's
both efficient and compliant.
Privileged Account Management Module — IdentityIQ Privileged Account Management module provides a
standardized approach for extending critical identity governance processes and controls to highly privileged
accounts, enabling IdentityIQ to be used as a central platform to govern standard and privileged accounts.
Connectors and Integration Modules — IdentityIQ offers Integration Modules that support the extended
enterprise IT infrastructure. Third party provisioning and service desk integration enable multiple sources of
fulfillment to access change. Service catalog integration supports a unified service request experience with
integrated governance and fulfillment. Mobile device management integration mitigates risk posed by mobile
devices through centralized visibility, control and automation. And IdentityIQ’s IT security integration provides
enhanced security with improved responsiveness and controls.
Open Identity Platform — SailPoint’s Open Identity Platform lays the foundation for effective and scalable IAM
within the enterprise. It establishes a common framework that centralizes identity data, captures business policy,
models roles, and takes a risk‐based, proactive approach to managing users and resources. The Open Identity
Platform is fully extensible, providing robust analytics which transforms disparate and technical identity data into
relevant business information, resource connectivity that allows organizations to directly connect IdentityIQ to
applications running in the datacenter or in the cloud, and APIs and a plugin framework to allow customers and
partners to extend IdentityIQ to meet a wide array of needs. An open platform allows organizations to build a
single preventive and detective control model that supports all identity business processes, across all
applications‐in the datacenter and the cloud. SailPoint applies consistent governance across compliance,
provisioning and access management processes, maximizing investment and eliminating the need to buy and
integrate multiple products.
Password Manager — IdentityIQ Password Manager delivers a simple-to-use solution for managing user
passwords across cloud and on-premises applications policies from any desktop browser or mobile device. By
providing intuitive self-service and delegated administration options to manage passwords while enforcing
enterprise-grade password, IdentityIQ enables businesses to reduce operational costs and boost productivity.
Amazon Web Services (AWS) Governance Module — Enables organizations to extend existing identity lifecycle
and compliance management capabilities within IdentityIQ to mission-critical AWS IaaS environments to provide
SailPoint Integration Guide 1

SailPoint Integration Guide Overview
a central point of visibility, administration, and governance across the entire enterprise. This includes policy
discovery and access history across all organization accounts, provisioning AWS entities and objects, access
review and certification, and federated access support.
SAP Governance Module — Improves the user experience by introducing a new integrated visual interface for
navigating and selecting SAP identities and roles as part of IdentityIQ lifecycle management and compliance
solution. SAP data is presented in a familiar hierarchy format that closely represents deployed system resources
and organizational structures. New filtering capabilities enable more efficient browsing and selection of SAP data
so tasks can be performed faster. Improved granular support for separation of duty (SOD) violation policies
provides flexibility for customers to craft more detailed identity governance policies that include SAP role details
such as T-Codes and Authorization Objects.

SailPoint Integration Modules deliver extended value from standard IdentityIQ deployments. SailPoint is
committed to providing design, configuration, troubleshooting and best practice information to deploy and
maintain strategic integrations. SailPoint has modified the structure of this document to aid customers and
partner deployments. The focus of this document is product configuration and integration. For more details on
design, troubleshooting and deployment best practices, refer to the Connector and Integration Deployment
Center in Compass, SailPoint’s Online customer portal.
This document provides a guide to the integration between the following products and IdentityIQ:
• SailPoint IdentityIQ Infrastructure Modules
- Access Management Infrastructure Modules
• IdentityIQ for Okta
- Security Information And Event Management Infrastructure Modules
• IdentityIQ for ArcSight IT Security
- IT Service Management Infrastructure Modules
• IdentityIQ for Service Desk
• IdentityIQ for MicroFocus Service Manager Service Desk
• IdentityIQ for BMC Remedy Service Desk
- Enterprise Mobility Management Infrastructure Modules
• IdentityIQ for AirWatch Enterprise Mobility Management
- Provisioning Infrastructure Modules
• IdentityIQ for Oracle Identity Manager
• IdentityIQ for IBM Security Identity Manager
- IaaS - Infrastructure-As-A-Service Module
• IdentityIQ for Amazon Web Services
• SailPoint IdentityIQ Application Modules
- Enterprise Resource Planning Application Modules
• IdentityIQ for SAP ERP - SAP Governance Module
2 SailPoint Integration Guide

• IdentityIQ for Oracle ERP – Oracle E-Business Suite

• IdentityIQ for SAP ERP – SAP Portal - User Management Web Service
• IdentityIQ for Oracle ERP – PeopleSoft
• IdentityIQ for Oracle ERP – Siebel
• IdentityIQ for NetSuite ERP
- SAP Governance Modules
• IdentityIQ for SAP ERP - SailPoint SAP Governance Module
- SAP Governance Application Modules
• IdentityIQ for SAP GRC
- Healthcare Integration Modules
• IdentityIQ for Epic Healthcare
• IdentityIQ for Cerner Healthcare
- Mainframe Integration Modules
• IdentityIQ for RACF Mainframe
• IdentityIQ for TopSecret Mainframe
• IdentityIQ for ACF2 Mainframe
• IdentityIQ for RACF LDAP Mainframe
• IdentityIQ for TopSecret LDAP Mainframe
This document is intended for the above products and IdentityIQ System Administrators and assumes an
advance level of technical knowledge.


Section I: SailPoint IdentityIQ
Infrastructure Modules
The SailPoint IdentityIQ Infrastructure Modules section includes the following modules:
• “Access Management Infrastructure Modules”
• “Security Information And Event Management Infrastructure Modules”
• “IT Service Management Infrastructure Modules”
• “Enterprise Mobility Management Infrastructure Modules”
• “Provisioning Infrastructure Modules”
• “IaaS - Infrastructure-As-A-Service Module”
Access Management Infrastructure
Modules
This section contains information on the following section:
• “IdentityIQ for Okta”
Overview
Chapter 2: IdentityIQ for Okta

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Prerequisite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Schema Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Account Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Application Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Provisioning Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Create Account Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Enable/Delete Account Provisioning Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Disable Account Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Create Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Aggregation Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Supported Aggregation Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Account Status Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Delta Aggregation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Provisioning of Factors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Overview
IdentityIQ for Okta is an enterprise-level solution for centrally storing and managing user profiles and identity
data. IdentityIQ for Okta enables single sign-on authentication across multiple applications and devices - even
when they are behind firewalls or in the cloud and makes it easier for IT personnel to access essential employee
information.
IdentityIQ for Okta manages Users, Groups, Roles and Application using Rest API provided by Okta. In IdentityIQ
Okta users are managed as accounts and groups, roles and applications are managed as entitlement.
Supported Features
The IdentityIQ for Okta supports the following features:
• Account Management
- Manage Okta Person as Account
- Create, Update, Delete
- Enable, Disable, Unlock
- Change Password, Refresh Accounts
- Aggregation, Partitioning Aggregation, Delta Aggregation, Filter condition for Aggregation
SailPoint Direct Connectors Administration and Configuration Guide 9

Overview
Note: For more information on Delta Aggregation, see “Delta Aggregation”.

- Add/Remove Groups, Roles and Applications
- Discover Schema, Pass Through Authentication
• Account-Group Management
- Aggregation, Refresh Group
- Create, Update, Delete Groups
- Manages Okta Groups and Applications as Account-Groups
• Custom Attributes
- Support for aggregation
- Support for provisioning
Note: For more information on provisioning, see “Create Account Policy”.
Support for Multi-Factor Attribute

The Okta Connector supports aggregation and provisioning of multiple factors attribute of Okta managed system.
To support multi factor, add the factors attribute in account schema as follows:
<AttributeDefinition name="factors" type="string" multi="true"/>
The factors attribute would aggregate in the following format:

factors:factorType=push; provider=OKTA
factorType=token:software:totp; provider=OKTA
For provisioning and aggregation of Okta user with factors, see “Provisioning of Factors”.
Note: Adding factors to account schema would impact the performance of account aggregation.
Prerequisite
• An administrative user must be granted an Okta API token for authentication purposes.
To generate an Okta API token, perform the steps mentioned below:
a. Log in to Okta organization as a user with super administrator privileges. API tokens have the same
permissions as the user who creates them, and if the user permissions change, the API token per-
missions also change.
b. On the Developer Console, select Tokens from the API menu.
c. On the Administrator's UI (Classic UI), select API from the Security menu, and select Tokens.
d. Click Create Token and provide a name for the token.
e. Note the created API Token.
Note: Okta API tokens generated from the above steps are valid for 30 days and automatically would
be refreshed with each API call. Tokens that are not used for 30 days would expire.
• By default, connector account aggregation supports Okta's List Users with Filter feature.
For aggregation with Okta's List Users with Search feature, ensure that the following entry key is added in
the application xml file:
<entry key="ListUsersWithSearch" value="true"/>
10 SailPoint Direct Connectors Administration and Configuration Guide

Configuration Parameters
Note: The List Users with Search parameter now searches for users based on the properties specified in
the search parameter (case insensitive). This operation supports pagination (to a maximum of
50000 results).
This section contains the information that the connector uses to connect and interact with the application. Each
application type requires different information to create and maintain a connection.
The IdentityIQ for Okta uses the following connection parameters:
Attributes Description
Okta Connection Settings
URL* The host URL of Okta instance.
API Token* SSWS API token required for Okta authentication.
Page Size The maximum size of each data set when querying large number of objects.
Minimum value is 1 and maximum value is 200. Default: 200
Aggregation Filter Settings
Filter Condition for Optional condition to bring subset of Accounts during aggregation.
Accounts
For example, status eq “ACTIVE”
Note: For more information on the Aggregation Filters supported on the
managed system, see "Supported Aggregation Filters” on page 18.
Filter Condition for Optional condition to bring subset of Groups during aggregation.
Groups
By default the value is set as follows:
type eq "BUILT_IN" or type eq "OKTA_GROUP"
Note: For more information on the Group Aggregation Filters supported on

the managed system, see "Supported Aggregation Filters” on page 18.
Filter Condition for Optional condition to bring subset of Applications during aggregation.
Applications
For example, status eq “ACTIVE”
Note: Attributes marked with * sign are the mandatory attributes.
Additional Configuration Parameters

To change the default values, add the following parameters in the application debug page:

Schema Attributes
groupsPageSize Sets the maximum size of each data set when querying large number of Groups by
adding the entry key as follows:
<entry key="groupsPageSize" value="10000"/>
Default value of 10000 can be changed.

logsPageSize Sets the maximum size of each data set when querying large number of Logs by
<entry key="logsPageSize" value="1000"/>

appsPageSize Sets the maximum size of each data set when querying large number of
Applications by adding the entry key as follows:
<entry key="appsPageSize" value="200"/>

applicationSkinny (Applicable only for caching approach of account partitioning aggregation) Enables
Users skinny_user endpoint to bring applications connected to user in Okta connector by
<entry key="applicationSkinnyUsers" value="true"/>
Default value is false.

groupSkinnyUsers (Applicable only for caching approach of account partitioning aggregation) Enables
skinny_user endpoint to bring groups connected to user in Okta connector by
<entry key="groupSkinnyUsers" value="true"/>
Default value is false.
Schema Attributes
This section describes the different schema attributes.
Account Attributes
The following table lists the account attributes:
Name Description
id Unique key for user.
login Unique identifier for the user (username).
email Primary address of the user.

Schema Attributes
Name Description
secondEmail Secondary email address of user typically used for account recovery.
firstName First name of the user.
lastName Last name of the user.
middleName Middle name(s) of the user(s).
displayName Name of the user, suitable for display to end users.
nickName Casual way to address the user in real life.
title User’s title, such as ‘Vice President’
honorificPrefix Honorific prefix(es) of the user, or title in most western languages.
honorificSuffix Honorific suffix(es) of the user.
profileUrl URL of user’s Online profile.For example, a web page.
primaryPhone Primary phone number of user such as home number.
mobilePhone Mobile phone number of user.
streetAddress Full street address component of user’s address
city City or locality component of user’s address.
state State or region component of user’s address.
zipCode Zipcode or postal code component of user’s address.
countryCode Country name component of user’s address.
postalAddress Mailing address component of user’s address.
preferredLanguage User’s preferred written or spoken languages.
locale User’s default location for purposes of localizing items such as currency,
date time format, numerical representations, and so on.
timezone User's time zone.
userType Used to identify the organization to user relationship such as ‘Employee’
or ‘Contractor’.
employeeNumber Organization or company assigned unique identifier for the user.
costCenter Name of cost center assigned to the user.
organization Name of user’s organization.
division Name of user’s division.
department Name of user’s department.
manager Display name of the user’s manager.
managerId ID of a user’s manager.
status Status of the user. For example, ACTIVE, PROVISIONED, DEPROVISIONED
and so on.
created Timestamp of user creation.
activated Timestamp when transition to ACTIVE status completed.

Schema Attributes
Name Description
statusChanged Timestamp when status last changed.
lastUpdated Timestamp when user was last updated.
lastLogin Timestamp of last login.
passwordChanged Timestamp when password was last changed.
providerType Type of the credential provider.
providerName Name of the credential provider.
groups Groups assigned to the user.
applications Applications assigned to the user.
roles Administrator roles assigned to the user.
Note: Custom attributes of User profile from Okta can be populated using the Discover Schema
functionality.
Group Attributes
The following table lists the group attributes:
Name Description
groupId Unique key for group.
name Name of the group.
created Timestamp when group was created.
description Description of the group.
lastMembershipUpdated Timestamp when group’s memberships were last updated.
type Determines how a group’s profile and memberships are managed.
lastUpdated Timestamp when group’s profile was last updated.
objectClass Determines the group’s profile.
applications Applications assigned to group.
Application Attributes
The following table lists the application attributes:
Name Description
applicationId Unique key for application.
name Unique key for application definition.
label Unique user-defined display name for application.
created Timestamp when application was created.

Provisioning Policy Attributes
Name Description
status Status of application.
signOnMode Authentication mode of application.
features Enabled application features.
lastUpdated Timestamp when application was last updated.

This section lists different policy attributes for IdentityIQ for Okta.
Note: The attributes marked with * sign are required attributes.
Note: Okta does not support update operation for de-provisioned user.
Create Account Policy

Following table describes various attributes in the create account policy.
Attribute Description
FirstName* First name of the user.
LastName* Last name of the user.
Email* Primary address of the user.
Login* Must be an email.
Activate Checked to set the status as provisioned, unchecked to set status as
staged.
Password Login password for the user.
Provider Type Type of the credential provider, out of the box allowed values are
FEDERATION, SOCIAL, OKTA, ACTIVE_DIRECTORY, LDAP
Provider Name Name of the credential provider.
recoveryQuestion (Optional) Set a recovery question for user.
recoveryAnswer (Optional) An answer to the recovery question.
To provision custom attributes, add a similar attribute in the provisioning policy.

For example, if there are custom attributes customAttr1 and customAttr2 on Okta and provisioning is required
for them, in that case the provisioning plan must contain attributes with the same names that is, customAttr1 and
customAttr2.
Following table describes the status of created account according to different parameters provided in create
account policy above.

Activate Password Recovery Provider Okta Status IdentityIQ

checkbox Question Type Status
Unchecked Provided/Not Empty Empty STAGED Disabled
Provided
Checked Not Provided Empty Empty PROVISIONED Enabled
Checked Provided Empty Empty PASSWORD_RESET Enabled
Unchecked Not Provided Empty FEDERATION/ STAGED Disabled
SOCIAL
Checked Not Provided Empty FEDERATION/ ACTIVE Enabled
SOCIAL
Unchecked Provided/Not Provided Empty STAGED Disabled
Provided
Checked Not provided Provided Empty PROVISIONED Enabled
Checked Provided Provided Empty ACTIVE Enabled
Note: While creating account:

• For ACTIVE_DIRECTORY and LDAP providers specify the directory instance name as the name property.
• Users with a FEDERATION/SOCIAL authentication provider do not support a password credential and
must authenticate through a trusted Identity Provider.
• If Provider Name is not specified or an invalid value is provided, then the provider type and name is set
to OKTA.
Enable/Delete Account Provisioning Policy

Following table describes various attributes in the enable/delete policy.
sendEmail While enabling de-provisioned user, it would not send an activation
email to the user if sendEmail is false. Default value: true.
While deleting an user, it would not send a deactivation email to the

administrator if sendEmail is true. Default value: false.

Additional Information
Disable Account Policy

Following table describes various attributes in the disable policy.
Attribute Value Description

Status* Suspend Temporarily disables the account.
Deprovision Delete all the applications and deactivate the account.
sendEmail True/False While disabling an user, it would not send a deactivation email to the
administrator if sendEmail is true. Default value: false.
For more information on the various mapped status of Okta and IdentityIQ, see "Account Status Mapping” on
page 19.
Create Group Policy

Following table describes various attributes in the create group policy.
Group Name* Name of the group.
Group Description Description of the group.
This section describes the additional information related to the IdentityIQ for Okta.
Aggregation Best Practices

Aggregation with Partitioning approach is implemented using the following alternatives to cater to different
system configurations:
• Caching: works best when the number of connected entitlements are large.
• Sequential: works best when there are large number of accounts having less number of connected
entitlements with an ability to execute multiple partitions in parallel.
For a better performance outcome, the IdentityIQ for Okta works by creating an application and group cache as
explained in the following steps:
1. IdentityIQ for Okta creates cache of user connected to groups.
2. IdentityIQ for Okta creates cache of user connected to applications.
3. IdentityIQ for Okta then fetches the user profiles.
4. IdentityIQ for Okta maps the groups and applications of the fetched user profiles to the caches created
during steps 1 and 2 above.

The above approach works best in environments having less number of connections (users to groups and/or
application). The problem arises when the groups and applications connections are high. Due to API limitations
the cache creation takes a longer time than expected.
To resolve this an alternative approach called as sequential approach is used in the connector. In this approach,
the connector first fetches the user profiles followed by groups and applications. The sequential approach can be
enabled by configuring the following parameters in the application debug page:
• To skip creation of application cache:
<entry key="noAppCaching">
<value>
<Boolean>true</Boolean>
</value>
</entry>
• To skip creation of group cache:
<entry key="noGroupCaching">
<value>
</value>
</entry>
Supported Aggregation Filters

Based on added Accounts/Groups Aggregation Filter, only respective accounts/groups are aggregated in
IdentityIQ.
Account Aggregation Filters

For example, if the added filter is status eq "STAGED" then only staged account must be aggregated in IdentityIQ.
Aggregation Filters Description

status eq "STAGED" Users that have a status of STAGED.
status eq "PROVISIONED" Users that have a status of PROVISIONED.
status eq "ACTIVE" Users that have a status of ACTIVE.
status eq "RECOVERY" Users that have a status of RECOVERY.
status eq "PASSWORD_EXPIRED" Users that have a status of PASSWORD_EXPIRED.
status eq "LOCKED_OUT" Users that have a status of LOCKED_OUT.
status eq "DEPROVISIONED" Users that have a status of DEPROVISIONED.
lastUpdated lt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Users last updated before a specific timestamp.
lastUpdated eq "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Users last updated at a specific timestamp.
lastUpdated gt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Users last updated after a specific timestamp.
id eq "00u1ero7vZFVEIYLWPBN" Users with a specified id.
profile.login eq "login@example.com" Users with a specified login.
profile.email eq "email@example.com" Users with a specified email*.


profile.firstName eq "John" Users with a specified firstName*.
profile.lastName eq "Smith" Users with a specified lastName*.
profile.Custom_Integer_Array eq "23" Users with a specified array attribute*.
profile.Custom_String eq "Custom Value for Users with a specified custom attribute*.
String__Updated"
Group Aggregation Filters

By default group Aggregation filter would aggregate type eq "OKTA_GROUP" or type eq "BUILD_IN" groups.

type eq "OKTA_GROUP" Groups that have a type of OKTA_GROUP
type eq "APP_GROUP" Groups that have a type of APP_GROUP
type eq "BUILT_IN" Groups that have a type of BUILT_IN
lastUpdated lt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Groups with profile last updated before a specific
timestamp
lastUpdated eq "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Groups with profile last updated at a specific
timestamp
lastUpdated gt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" Groups with profile last updated after a specific
timestamp
lastMembershipUpdated lt Groups with memberships last updated before a
"yyyy-MM-dd'T'HH:mm:ss.SSSZ" specific timestamp
lastMembershipUpdated eq Groups with memberships last updated at a specific
"yyyy-MM-dd'T'HH:mm:ss.SSSZ" timestamp
lastMembershipUpdated gt Groups with memberships last updated after a
"yyyy-MM-dd'T'HH:mm:ss.SSSZ" specific timestamp
id eq "00g1emaKYZTWRYYRRTSK" Group with a specified id
Account Status Mapping

Following table lists the mapped status of Okta on IdentityIQ:
Okta Account Status IdentityIQ Account Status

PROVISIONED
PASSWORD_EXPIRED
ACTIVE Active
RECOVERY

Okta Account Status IdentityIQ Account Status

DEPROVISIONED
SUSPEND Disable
STAGED
LOCKED_OUT Locked
Upgrade Considerations
• For applications created before applying 8.0 Patch 2, application definition would have an entry for
Events API. After upgrading IdentityIQ version 8.0 Patch 2, users must manually remove the Events API
entry.
• While upgrading to IdentityIQ 8.0 Patch 2, to support the credential provider type and name, add the
schema attribute providerType and providerName in the account schema. To create Okta user with
various provider type, provide required value for providerType and providerName.
• While upgrading to IdentityIQ 8.0 Patch 2, to support aggregation and provisioning of multiple factors
attribute, add the factors attribute in account schema. For more information, see “Support for
Multi-Factor Attribute”.
Delta Aggregation
The IdentityIQ for Okta supports only account delta aggregation. On Full Aggregation, the respective timestamp
of account aggregation is stored in the Application object which is used by Delta Aggregation to retrieve the
changed data into IdentityIQ. This timestamp is updated after each account delta aggregation.
In account delta aggregation changes to user profile attributes and their entitlements are populated.
The delta for Okta user profile attributes are populated from the users API by comparing the timestamp of last
successful account aggregation against the last updated attribute.
To detect entitlement changes and deleted users, the data is populated from logs API by comparing the
timestamp of last successful account aggregation against the published attribute.
Note: Log data older than 90 days is not returned, in accordance with Okta's Data Retention Policy.
This means, that any data change done prior to 90 days of the last successful account
aggregation timestamp, would not be captured and a full account aggregation would be
required.
For all delta aggregations after applying 8.0 Patch 2, logs API would be considered regardless of application
definition.
Provisioning of Factors
This section provides details on adding factors to the user and removing factors from the user.
Adding factors to the user

The Add Factor to User operation in IdentityIQ is bound to the Enroll Multi-Factors operation in Okta.

To provision or add factors in Okta, the complete JSON body of factors must be passed in the provisioning plan.To
pass additional query parameters with Add Factor operation, an additional attribute request must be added with
the attribute request name in the following format.
factor.<factorType>.<provider>.queryParams
For example, to send query parameter for factor type sms the attribute request name is as follows:
<AttributeRequest name="factor.sms.OKTA.queryParams" op="Add"
value="updatePhone=true&activate=true" />
Note: For every factor a separate attribute request must be added for additional query parameters.
Following is an example of provisioning plan to provision the factors:
<ProvisioningPlan>
<AccountRequest op="Modify">
<AttributeRequest name="factors" op="Add">
<Value>
<List>
<String>{ "factorType": "push", "provider": "OKTA" }</String>
<String>{ "factorType": "token:software:totp", "provider": "GOOGLE" }</String>
<String>{ "factorType": "sms", "provider": "OKTA", "profile": { "phoneNumber":
"<provide phone number>" } }</String>
</List>
</Value>
</AttributeRequest>
<AttributeRequest name="factor.sms.OKTA.queryParams" op="Add"
value="updatePhone=true&activate=true" />
</AccountRequest>
</ProvisioningPlan>
Note: For more information on the JSON body of different factors, see the Okta API Documentation.
Removing factors from the user

The Remove Factor from User operation in IdentityIQ is bound to the Reset Factor operation in Okta.
To remove or reset factors the value of the attribute request must be sent in the following format:
<factorType>.<provider>
For example, to remove the factor type sms the attribute request name is as follows:
<AttributeRequest name="factors" op="Remove" value="sms.OKTA" />
Following is an example of provisioning plan to remove factors:
<ProvisioningPlan>
<AccountRequest op="Modify">
<AttributeRequest name="factors" op="Remove">
<Value>
<List>
<String>sms.OKTA</String>
<String>token:software:totp.OKTA</String>
</List>
</Value>
</AttributeRequest>
</AccountRequest>
</ProvisioningPlan>

Troubleshooting
Troubleshooting
1 - Issues in Delta Aggregation

Following are the various scenarios where data is not populated in Delta Aggregation:
• Roles assigned to account from API are not populated in delta aggregation
• Sometimes applications which are removed from users are not aggregated in account delta aggregation
Resolution: Perform full account aggregation task.
• Sometimes groups which are deleted from managed system are not captured in account delta
aggregation
Resolution: Perform full group aggregation to refresh entitlements.
• For account created with only Default group Everyone event system logs are not captured.
Resolution: To see the Default group assigned to account, perform full account aggregation or create account
with other group so that in delta aggregation for account, both groups details (default and other group) are
aggregated.
2 - For Unlocked Okta account from IdentityIQ, account details page does not display
correct status
In IdentityIQ, managed account refresh action only affects the status of the account in IdentityIQ. Account Details
are not changed and Status is one of the account attribute.
Resolution: To get the correct account details and value of the Account status, execute account aggregation task.
3 - Create Account fails for account created with group assigned as 'Everyone'
By default, on Okta managed system the group 'Everyone' gets assigned to every account created. Create account
would fail with following error message is displayed:
sailpoint.connector.ConnectorException: [ConnectorException] [Error details] Request
execution failed. HTTP Error code: 501, Okta Error code: E0000060, errorSummary:
Unsupported operation., errorCauses:[].
Resolution: While performing create account with Manage user access select the group type other than
Everyone.
4 - Account Aggregation fails with an error message

Account Aggregation fails with the following error message:
Exception during aggregation of Object Type account on Application Okta. Reason:
Unable to create iterator sailpoint.connector.InsufficientPermissionException:
[InsufficientPermissionException]
[Possible suggestions] Furnish appropriate permission to the Okta API token owner.
[Error details] Insufficient privileges detected. HTTP Error code: 401, Okta Error
code: E0000015, errorSummary: You do not have permission to access the feature you
are requesting

Troubleshooting
Resolution:
• Ensure that correct permission/roles are assigned to the API Owner (the user whose api token is getting
used in Okta application). The API Owner must have SUPER ADMIN roles assigned to him for aggregation.
Note: To aggregate Okta roles, SUPER_ADMIN role is required.
• The List Users with Search parameter supports pagination (to a maximum of 50000 results).
• For aggregation with Okta's List Users with Search feature, ensure that the following entry key is added
in the application xml file:
<entry key="ListUsersWithSearch" value="true"/>
Note: The List Users with Search parameter is moved to General Availability (GA). This operation
supports pagination (to a maximum of 50000 results).
5 - Account Preview does not work/displays any data on Okta application page
If the IdentityIQ for Okta is having huge number of user to group/user to application connection, the account
preview functionality would not work as it takes more time to get data from Okta.
Resolution: To verify Okta accounts run the account aggregation task instead of Account Preview. For more
information on best practices of Okta account aggregation, see "Aggregation Best Practices” on page 17.
6 - While performing Account Aggregation warnings are displayed in the logs

While performing account aggregation the following warnings are displayed in the logs:
019-04-18 18:43:25,708 WARN Thread-743
openconnector.connector.okta.OktaConnector:5425 - API rate limit exceeded for
endpoint, Retrying the failed request now
2019-04-18 18:43:25,709 WARN Thread-742
openconnector.connector.okta.OktaConnector:5425 - API rate limit exceeded for
endpoint, Retrying the failed request now
Resolution: If required warnings can be ignored. But to improve Okta aggregation performance, increase Okta API
rate limit.
7 - While creating or updating primary Email address of Okta user, it updates

Username (login) as same email address
While creating or updating primary Email address of Okta user, it updates Username (login) as same email address
Okta has a feature of self-service registration policy. When the SELF_SERVICE_REGISTRATION flag is enabled on
Okta managed system, Okta enforces uniqueness for all primary email addresses and automatically uses that
email address as the end user’s username (login) and primary email address.
Resolution: Disable the SELF_SERVICE_REGISTRATION flag on Okta managed system. For more information
contact the Okta Customer Support.

Troubleshooting

Security Information And Event
Management Infrastructure Modules
• “IdentityIQ for ArcSight IT Security”
Overview
Chapter 3: IdentityIQ for ArcSight IT

Security
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Supported Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuration to Export IdentityIQ Data to ArcSight. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuration to Import HP ArcSight CEF Flat File to SailPoint IdentityIQ. . . . . . . . . . . . . . . . . . . . . . . . . . 32
Overview
ArcSight IT Security Information and Event Management Infrastructure Module (SEIM) is a Universal log
management solution that helps enterprises identify and prioritize current and potential security threats.
SailPoint IdentityIQ collects the security event information such as Audit information. The SailPoint IdentityIQ
integration with ArcSight IT Security allows both end systems to take remediation action in case of security
threats.
IdentityIQ integration with ArcSight enables the following scenarios:
1. IdentityIQ data (Identity, Account, Audit, and Syslog) stored in IdentityIQ can be exported to ArcSight. Arc-
Sight administrator can store this data in an ArcSight Active List.
IdentityIQ data can be exported to ArcSight for correlation, such as successful provisioning of privileged
accounts, password changes, login failure and so on. For more information on ways to export data, see
“Export from IdentityIQ to ArcSight” point in “Supported Features” section.
2. IdentityIQ can import filtered activity event data from ArcSight; based on which activity-based remediation
processing can be triggered. Event records are expected in standard ArcSight Common Event Format (CEF).
Events received are matched with users held within the IdentityIQ warehouse, and used to trigger activity
policies when certain types of event are recognized. These triggers result in a business process being
executed which generates a full re-certification for the affected user, and also causes a re-calculation of the
user's risk score and update of risk reports and dashboard content to highlight the activity.
Note: Creating an ArcSight Active Channel or Active List is outside the scope of this document. This
document assumes the ArcSight administrator is familiar with steps to create an ArcSight Active
Channel or Active List. It provides the IdentityIQ information an ArcSight administrator will
require to create an ArcSight Active Channel or Active List.

Supported Features
Supported Features
• Export from IdentityIQ to ArcSight: The IdentityIQ data can be exported in:
- Flat file in CEF: Using Advanced Analytics we can export Identity, Account, Audit and Syslog data in
CEF.
- Database tables: The ArcSight Data Export task enables you to export Identity (which includes
account and identity data) and Audit data to external tables.
• Import into IdentityIQ from ArcSight: This integration supports including event logging data from
ArcSight and associate it to Identities in IdentityIQ so that potential policy violations can be triggered or
provide greater visibility as part of access reviews as to any suspicious or error prone access a user may
have.
Supported Platform
IdentityIQ for ArcSight IT Security supports the HP ArcSight Enterprise Security Manager version 6.9.
Prerequisites
(Applicable for import of ArcSight Events into SailPoint IdentityIQ) At least one application must be configured in
SailPoint IdentityIQ and Users/Groups aggregated into SailPoint IdentityIQ system.
Note: Users present in HP ArcSight must also be present in SailPoint IdentityIQ.
Configuration
This section describes the general, operation specific configurations and the steps that must be performed to
configure the IdentityIQ for ArcSight IT Security.
Configuration to Export IdentityIQ Data to ArcSight

The Identity, Account and Audit information from SailPoint IdentityIQ can be exported to ArcSight using CEF flat
file or database:
1. Export data from SailPoint IdentityIQ to ArcSight tables.
2. Export data from SailPoint IdentityIQ to Flat file in Common Event Format.
Export Data from SailPoint IdentityIQ to ArcSight tables

The ArcSight Data Export task enables you to export Identity and Audit data to external tables. You can select to
export Identity information and Audit events from IdentityIQ Database.
Create the export databases on your destination data source before using the ArcSight Data Export task.
1. Navigate to Monitor => Tasks.

Configuration
2. Create a new ArcSight Data export task.

3. Provide the Data Source Parameters.
ArcSight Data Export options are:
Options Description
Datasource Parameters
Database Select a database type from the drop-down list.
User Name Enter the user name parameter of the database.
Password Enter the password of the database.
Driver Class Enter the driver class used for the database.
URL Enter the URL of the database.
4. Click on Generate table Creation SQL to generate table’s schema and create database that includes export
tables which you can hand off to a database administrator for execution.
The task adds the following tables in database:
Tables Description
sptr_arcsight_export Table to maintain the task execution history.
sptr_arcsight_identity Table contains exported data of Identity.
sptr_arcsight_audit_event Table contains Audit Events information.
5. Select Object Export options.

The Object Export options are:
Options Description
Export Identities Select the check box to export Identity related data in ArcSight tables. It provides the
following options:
• Full: Exports all the records irrespective if they were exported earlier.
• Incremental: Exports only records that are updated since last run of this
task.
This option can even be selected when running the task for first time.
When the task is running for first time, this option exports all records
similar to the Full option.
Export Audits Select the check box to export Audit Events in ArcSight table. It provides the following
options:
• Full: Exports all the records irrespective if they were exported earlier.
• Incremental: Exports only records that are updated since last run of this
task.
This option can even be selected when running the task for first time.
When the task is running for first time, this option exports all records
similar to the Full option.
6. After completing the customizing report options, click Save for later use or Save and Execute to save the
report and run it immediately.

Configuration
Configuring HP ArcSight Task to populate host name or IP

The value of column application_host can be populated by adding a map arcsightAppNameHostMap. Adding the
arcsightAppNameHostMap map the administrator configuring this integration can define the hostname (or IP
address) which must be used for an Account. It is recommended this hostname (or IP address) is same as the
configured in the ArcSight configuration.
The arcsightAppNameHostMap map must be defined in the ArcSight Data Export Task created above. The key
in the map should be name of the application defined in IdentityIQ and value should be hostname, IP, or any string
that ArcSight administrator understands.
1. To add the map, navigate to debug page, navigate to TaskDefinition and open the ArcSight task configured
above.
2. Add the entry as key = Name of Application defined in IdentityIQ and value as the string to identify host of
Account like Hostname or IP.
3. Save the task definition.
For example:
<entry key="arcsightAppNameHostMap">
<value>
<Map>
<entry key="LinuxApp1" value="linux01.sailpoint.com"/>
<entry key="LinuxApp2" value="127.15.19.21"/>
<entry key="ADDirectApp" value="AD.sailpoint.com"/>
<entry key="ServiceNowApp" value="https://sailpoint.service-now.com"/>
<entry key="ACF2App" value="ACF2-Mainframe"/>
</Map>
</value>
</entry>
Note: If the application name is not defined in the map the host field will be blank.
As mentioned above, this document provides the information an ArcSight administrator requires to create
an ArcSight Active List or Active Channel. The information below provides the same. Following fields are
added in export table:
Table 1—IdentityIQ sptr_arcsight_identity export table

Fields Description
linkid Primary key for Link table in IdentityIQ database. This field will be copied
from spt_link table id field. This will be the primary key for export table.
identityid Primary key in Identity table. This field will be copied from spt_Identity table.
modified_dt Populates timestamp when the record will be exported in export table. The
field can be referred while configuring time based ArcSight database
connector.
identity_display_name Represents Display Name of Identity which will be copied from spt_identity
table field (display_name).
identity_firstname Represents first name of Identity which will be copied from spt_identity
table field (firstname).
identity_lastname Represents last name of Identity which will be copied from spt_identity table
field (lastname).

Configuration
Table 1—IdentityIQ sptr_arcsight_identity export table

Fields Description
application_type Populates the type of Account which is connected to the Identity like
ActiveDirectory – Direct, ACF2 – Full, Box, Cloud Gateway, ServiceNow and
so on.
application_host The host name, IP, or any string which can be used by ArcSight administrator
to identify the host of link/account uniquely. Customer can enter any string
which can be sent to ArcSight to identify the host of link.
This field can be populated as explained in “Configuring HP ArcSight Task to

populate host name or IP” on page 30.
application_name Populates the name of Application of the Account connected to the Identity.
link_display_name The account connected to the identity which will be copied from spt_link
table, field display_name.
entitlements Represents comma separated list of entitlements to the link of Identity.
risk_score Represents the composite risk score of Identity.
Table 2—IdentityIQ sptr_arcsight_audit_event export table

Fields Description
auditid The audit ID which is primary key for the export Audit table. The field will be copied
from spt_audit_event table id field.
created_dt Populates timestamp when the record will be exported in export table. The field can
be referred while configuring time based ArcSight database connector.
owner Describes the Owner of the audit generated.
source Provides more details to help ArcSight administrator determine the source of audit.
action Describes the action taken on entity.
target Provides target details.
application Describes the name of application the target belongs to.
account_name The name of Account is populated in this field.
attribute_name The name of attribute modified.
attribute_value The value provided to the attribute.
Export Data from SailPoint IdentityIQ to Flat file

1. Navigate to Analyze => Advanced Analytics.
2. Navigate to Identity Search/ Audit Search/Account Search Tab.
3. Select the Search Criteria and Fields to display.
4. Click on Run Search.
5. Click on CEF Flat file export button to export search results to file in CEF.

Configuration
The Search Results page have the following options to save:

- Save Search: It is used to save the search criteria and fields to display.
- Save Search as Report: These type of reports can be accessed as a report, as schedules or for
execution by performing the procedure:
a. Navigate to Analyze => Reports.
b. Right click on the report and schedule or execute the report.
c. Navigate to Report Results tab to see the report result.
d. Click on the Report.
e. Click on the CEF Flat file export button to export the report to file in CEF.
This will generate a file with data in CEF which can be used by ArcSight to import events in ArcSight
ESM.
Note: For more information on Advanced Analytics, see SailPoint IdentityIQ User Guide.
Configuration to Import HP ArcSight CEF Flat File to SailPoint

IdentityIQ
1. Access the Application Configuration Console.
2. Navigate to Schema tab.
Mark the field as correlation key for which you want to correlate activity from HP ArcSight to SailPoint
IdentityIQ.
For Example: sAMAccountName for Active Directory application.
3. Navigate to Activity Data Sources tab.
Note: For more information on Activity Data Source, see SailPoint IdentityIQ Administration Guide.
4. Click on Add to add new Activity Data Source.
5. Select Activity Data source Type as CEF Log File. The default Transformation rule and Correlation rule will
be automatically selected.
Note: You can change the value of cefLinkAttribute in correlation rule to set correlation key as per
application.
6. Navigate to Transport Settings tab, select the Transport Type as local, ftp or scp.
7. Navigate to Log File Settings tab and in the File name provide the exact path of the CEF Flat file. For exam-
ple, C:\ArcSight\activedirectory.csv
8. Click on Save button to save activity data source configuration.
9. Click on Save button to save the application.

Configuration
If the correlation key is not marked and aggregation of account for that application is already performed,
then perform the following:
- Access the Application Configuration console.
- Navigate to the Correlation tab.
- Click on New button to create a new Account Correlation.
- Click on next button and provide the name of the configuration.
- Select the Application Attributes and Identity Attributes and click on Add button.
- Click on Save.
- Click on Save to save the application.
After the correlation configuration is done, execute the account aggregation (with optimization turned
off to pick up the existing accounts) again.
10. Navigate to Define => Identities.
11. Click on the identity for which you want to enable Activity monitoring and import data from ArcSight.
12. Navigate to Activity Tab.
13. Select the Activity Monitoring checkbox.
14. Save the Identity.
15. Navigate to Monitor => Tasks.
16. Create a new Activity Aggregation Task.
17. Select an activity data source which is configured above in Step 8.
18. Save and execute the task.
- To see the result of the task executed in previous step navigate to Task Results tab and click on the
task.
- To see the correlated events navigate to Define => Identities. Select the identity for which you have
correlated the event. Navigate to Activity Tab. Check the Recent Activities section.
Note: After correlating the HP ArcSight event to Identity, the Policy Violation and Certification can be
created and used to notify for any activity for that identity using the workflow.

Configuration

IT Service Management Infrastructure
Modules
The Service Management Infrastructure Module helps to perform effective and efficient service management for
IdentityIQ services offered to the organization in the ServiceNow Service Desk. The information contained within
the Service Desk relates to all IdentityIQ services provided by the IT department to the Business. The IdentityIQ
services are purely Role based access that can be requested or revoked through Service Desk. This integration is
simple to configure and fast to deploy, so organizations can go live quickly with confidence, while scaling to an
organization's business needs.
This section contains information on the following sections:
• “IdentityIQ for Service Desk”
• “IdentityIQ for MicroFocus Service Manager Service Desk”
• “IdentityIQ for BMC Remedy Service Desk”
Overview
Chapter 4: IdentityIQ for Service

Desk
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Basic Flow of Service Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Basic Configuration of Service Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring IdentityIQ to Integrate with ServiceNow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Retryable Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Overview
The Rest based integration between SailPoint and IT Service Desk System enables customers to create service
requests, incidents, and change requests in IT Service Desk System for the configured operations (for example,
creating account, removing/deleting access and other operations) for the configured application using rest APIs.
The seamless integration of SailPoint IdentityIQ for IT Service Desk System eliminates the need to build and
maintain a custom integration and reduces time-to-deployment.
Note: Enter the following command to enable log4j2 tracing on Service Desk component:
logger.integration_servicenow.name=openconnector.connector.servicedesk.S
erviceDeskConnector
logger.integration_servicenow.level=debug,file
Supported Features
IdentityIQ for Service Desk supports the following features:
• Creating ticket for all provisioning operations
• Syncing ticket status between the two systems
• Retry Mechanism for Create Ticket request failure
Supported Platforms
IdentityIQ for ServiceNow Service Desk supports the following ServiceNow releases:
• Orlando
• New York
• Madrid

Prerequisites
Prerequisites
• ServiceNow Instance must be up and running.
The IdentityIQ for Service Desk Administrator must be assigned the x_sap_sdim.admin role.
• Install <SailPoint for Service Desk> application from ServiceNow store.
Basic Configuration
The integrated solution speeds the detection and remediation of identity management issues that increase the
risk of compliance violations or security breaches, such as orphaned accounts, policy violations, and
inappropriate access privileges. Organizations can take advantage of a centralized approach spanning thousands
of users and hundreds of resources to strengthen IT controls and provide proof of compliance to auditors and
executive management. The seamless integration of SailPoint and ServiceNow eliminates the need to build and
maintain a custom integration, and speeds time-to-deployment.
For any IT resources managed by ServiceNow Service Desk, IdentityIQ automatically creates a trouble ticket
within ServiceNow Service Desk, passing along all relevant identity data and reviewer comments to populate the
ticket.
To ensure revocation requests get delivered and implemented, IdentityIQ manages all remediation and
revocation requests within a guaranteed delivery model.
To determine the status of user accounts, IdentityIQ performs closed-loop audits on remediation requests and
compares the actual state of user privileges with the original change request. If the request is still open, an alert
will be sent to the reviewer for prompt action and closure.
The integration itself has been designed to be quick to install and easy to use. It makes use of Web Services for
communications between the SailPoint server and the ServiceNow. On the backside of a user recertification,
policy remediation action or access request action, the IdentityIQ server will direct provisioning and service desk
requests to the configured implementers. Based on the connector configured for each target application, service
desk request are issues to a given remediation/implementation point. Once the
IdentityIQforServiceNowServiceDesk file for ServiceNow has been loaded into the IdentityIQ server, all
change/remediation actions result in the creation of new service desk request as shown in Service request creates
ticket using SailPoint Cart JS API. Incident and change request creates ticket using import set table APIs and
transform maps..
The IdentityIQ for ServiceNow Service Desk generates tickets for provisioning requests. These tickets generate
service requests on sc_request and sc_req_item table, incidents on incident table, or change requests on
the change_request table. The module fetches the status of ticket by using the direct web services of target
tables that is, sc_req_item, incident or change_request and updates the SailPoint IdentityIQ database
with the status.
Service request creates ticket using SailPoint Cart JS API. Incident and change request creates ticket using import
set table APIs and transform maps.
Basic Flow of Service Request

IdentityIQ creates ticket by requesting a Catalog item on ServiceNow. Each application on IdentityIQ has a Catalog
item defined on ServiceNow. IdentityIQ calls ServiceNow's Web Service requesting the Catalog Item. The Web
service creates a Cart and adds the Catalog item to the cart. The Catalog item has Catalog Variables. The
information is taken from the IdenityIQ's request and passed on to these Catalog Variables. The Catalog Item has

Configuring IdentityIQ to Integrate with ServiceNow
a Workflow attached to it. After adding Catalog Item to the cart, Cart is submitted. Submission of cart triggers the
Workflow. The workflow creates a task by passing the information from Catalog Variables to Service Request. The
Requested Item ticket number is returned as the response which is later used to check the status.
Depending on the workflow configuration, the task is assigned to the user (group or individual), who then
performs the action which results in change in the State of the Requested Item.
Basic Configuration of Service Request

• Create Catalog items on ServiceNow for each application on IdentityIQ that user wants to manage using
IdentityIQ for Service Desk.
• The opened_by and requested_for fields receives values using the default Rule in ServiceNow
Configuration file. Modify the rule as per requirement to populate the fields.
For example, see requested_for catalog variable in the default Catalog item (IdentityIQ Access Request).
Note: If the user is not present on ServiceNow, then ‘opened_by’ and ‘requested_for’ fields will
display default ServiceNow Administrator.
• Provide the mapping between Application and Catalog item in the catalogItem field in ServiceNow
Integration Configuration file.
The value is sys_id of catalog Item.
For example,
<entry key="Procurement_System" value="8053818edbffb300e90690b3db9619c4"/>
• Verify the default mapping between ServiceNow’s Request (REQ) Status field and IdentityIQ status in
ServiceNow Integration Configuration file. This is used to update the status of IdentityIQ line item.
• Create and publish a workflow and attach it to the respective Catalog Item to handle the Requested Item
(RITM).
The workflow must be able to create a Catalog Task.
For more information on procedure for creating the workflow, see the following link:
http://wiki.servicenow.com/index.php?title=Creating_a_Workflow
Note: Refer the default workflow given in the update set. Login with the Admin user or user with
‘workflow_admin’ to create or update workflow.
• The default workflow, in the Run Script activity has a scripting logic to get values from Catalog Variables
and assign to the fields of Service Request and Requested Item. Use that or modify accordingly. Configure
the Workflow as per requirement.
• The State of Requested Item (RITM) changes when the State field of the Task changes due to the
Workflow defined on the Catalog Item. The Request State on the Service Request changes due to the
default ‘Service Catalog Request’ workflow.
• If some records or columns are not displayed with Minimum permission user, add the specific ACLs to
view the records.
For more information on procedure for creating the ACL, see the following link:
http://wiki.servicenow.com/index.php?title=Using_Access_Control_Rules#Creating_ACL_Rules

This section provides the required information for configuring IdentityIQ to integrate with ServiceNow.

This is intended as an introduction to the configuration needed to integrate IdentityIQ with ServiceNow. It
outlines some examples that must be used as a reference point for implementation. Some changes may be
required to meet specific use case and expertise around both systems are a must for the successful
implementations.
SailPoint provides a default ServiceNow configuration. This configuration implements the integration between
IdentityIQ and the ServiceNow to fulfill creation of tickets based on IdentityIQ access certification remediation
events.
The default configuration is located in the following directory, where iiqHome is the location where IdentityIQ was
installed:
iiqHome/WEB-INF/config/connector/IdentityIQforServiceNowServiceDesk.xml
The configuration must include the following entries:
Parameters Description
url* The base URL of Service Desk System.
For example, https://host.service-now.com

authenticationType* Authentication method that is supported by the managed system
• OAuth2
• Basic
connectorAppForSer The application name by which Service Now account are aggregated. Required
viceNow for Plan Initializer script.
ticketType Select ticket type to generate ticket on Service Desk system:
• serviceRequest
• incident
• changeRequest
Applicable if authenticationType is selected as Basic
username* Service Account username. Required when authenticationType is Basic.
password* Service Account user password. Required when authenticationType is Basic
Applicable if authenticationType is selected as OAuth2
token_url URL for generating access token.
For example, https://host.service-now.com/oauth_token.do

grant_type Select the type of Grant:
• Refresh Token
client_id Client Id for OAuth2 authentication.
client_secret Client secret for OAuth2 authentication.
refresh_token* (Applicable if Grant Type is selected as Refresh Token) A valid refresh token for
grant type authentication.
Application Configuration XML would have all configurations for Service Request, Incident and Change Module.
Depending on the type of selection for ticketType, respective configuration would be executed by connector for
the request processing.

Each module would have provision and checkStatus entries as mentioned below:
Provision:
Entries Description
resource Ticket creation rest endpoint. Do not provide the base url in the value. Base url
would be appended to this endpoint value. Provide only remaining endpoint URL.
ServiceNow: /api/x_sap_sdim/sailpoint_cart_js_api/create_ticket
catalogItem (For Service Request only) Map that provides key value pair of managed application
name and catalog item id.
responseElement* The value is JSON path expression which provides information about where to find
ticket number in the response from rest endpoint. For example,
result.request_number
checkStatusQueryPa Map that provides any query parameters needed for Rest call.
ram
requestObject The value represents JSON root element in the request.
request Map that represents request payload, which has velocity template expression and
velocity variables that would be dynamically updated by integration before making
rest call.
Check Status:
Entries Description
resource Ticket creation rest endpoint. Do not provide the base url in the value. Base url
would be appended to this endpoint value. Provide only remaining endpoint URL.
ServiceNow: /api/now/table/sc_request
queryParam Map that provides key value pair of required query parameters. Velocity Template
variables would be replaced dynamically by Integration.
Required when ticket number is mentioned in the query parameter.

isTicketNumberInUrl true/false, some systems to get status ticket number needs to append to url.
responseElement* The value is JSON path expression which provides information about where to find
ticket number in the response from rest endpoint. For example,
result.request_state
statusMap Map that relates Ticket System status to IdentityIQ status.
statusMapCloserCod Map that relates Ticket System status to IdentityIQ status.
e
Note: This field has higher precedence over status map.

If any changes required in the mapping, change the default value/key values in statusMap and
statusMapCloserCode as mentioned in the following tables:
• statusMap for Service Request:
Entry key (ServiceNow) Value (IdentityIQ)

closed_cancelled Failed
closed_complete Committed
closed_incomplete Failed
closed_rejected Failed
in_process Queued
requested Queued
• statusMap and statusMapCloserCode for Incident
Entry key (ServiceNow) Values (IdentityIQ)

statusMap
1 Queued
2 Queued
3 Queued
6 committed
7 committed
8 Failed
statusMapCloserCode
Solved (Work Around) committed
Solved (Permanently) committed
Solved Remotely (Work Around) committed
Solved Remotely (Permanently) committed
Closed/Resolved by Caller committed
Not Solved (Not Reproducible) Failed
Not Solved (Too Costly) Failed
• statusMap for Change Request

-1 Queued


-2 Queued
-3 Queued
-4 Queued
-5 Queued
0 Queued
3 Committed
4 Failed
Once the configuration information is populated then import IdentityIQforServiceNowServiceDesk.xml file. This
would create an application.
Retryable Mechanism
For availing the advantage of some of the logic around retryable situations, add the retryable error messages list
to the attributes map on an application. The retryableErrors entry is a list of strings through which the connector
searches when it receives a message from the managed application. If one of the strings in the entry exists in the
error, the connector attempts to retry the connection. When the configured error string is not a part of the error
message returned from the connector, then IdentityIQ would not attempt a retry.
For example,
<entry key="retryableErrors">
<value>
<List>
<String>Connection reset</String>
</List>
</value>
</entry>
Note: Error messages containing very specific information about date/time, sequence ID and so on
must be avoided. Error codes or error message substrings would be good candidates for
inclusion.


Overview
Chapter 5: IdentityIQ for MicroFocus

Service Manager Service Desk
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuring HP Service Manager (Micro Focus) for IdentityIQ Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Verifying Connectivity between IdentityIQ and HP Service Manager (Micro Focus) . . . . . . . . . . . . . . . . . 56
Overview
This Integration Module creates Service Requests, Incidents and Change Requests in HP Service Manager for the
configured operations (for example, Change Password, Request Entitlement and so on) for the configured
application.
Note: Enter the following command to enable log4j2 tracing on MicroFocus Service Manager Service
Desk component:
logger.integration_hpservicemanager.name=sailpoint.integration.hpservice
manager
logger.integration_hpservicemanager.level=debug,file
Note:
Supported Features
IdentityIQ for MicroFocus Service Manager Service Desk supports the following features:
• Creates the following types of tickets in HP Service Manger (known as Micro Focus) through provisioning
request in IdentityIQ:
- Service Request
- Incident
- Change
• Support for Service Catalog, Incident Management and Change Management Modules in HP Service
Manager.
Note: For Service Catalog Module, following options of the Connector drop down list are
supported:
- Open New Request
- Open an Incident
- Open a Change

Supported Platforms
• Fetching the status of Service Request, Incident or Change from HP Service Manager and update the
status of the respective Access Requests in IdentityIQ.
• Retry mechanism for Create Ticket request failure
Supported Platforms
IdentityIQ for MicroFocus Service Manager Service Desk supports the following version of Service Manager:
• HP Service Manager version 9.6 (now known as Micro Focus Service Manager 9.6)
• HP Service Manager version 9.5
Prerequisites
• Ensure that the (one of the) following WSDL is accessible:
- For Service Request: http://<host>:<port>/SM/7/SM/7/ServiceCatalogAPI.wsdl
- For Incident Request: http://<host>:<port>/SM/7/IncidentManagement.wsdl
- For Change Request: http://<host>:<port>/SM/7/ChangeManagement.wsdl
Where <host> is the host name of the system where HP Service Manager is setup and <port> is port number
configured for the above web services on HP Service Manager setup.Alternatively, use a Soap UI tool to
submit a simple request (for example, incident). For convenience you can use the basic authentication
mechanism for authorization with SOAP UI tool to confirm that the web service layer is functional.
• (Only for Service Request)
- To enable Service Request and perform any operation, you must create a Catalog Item in Service
Catalog module. For more information on the procedure for creating a Catalog Item, see “Creating
New Service Request Catalog Item” on page 57.
- If Identity Name on IdentityIQ does not match the Contact Name on HP Service Manager, perform
the steps mentioned in “Exporting user details from HP Service Manager (Micro Focus)” on page 57
and “Importing user details from HP Service Manager (Micro Focus) to IdentityIQ” on page 58.
Permission for HP Service Manager User

To obtain the minimum permission required for a HP Service Manager User, perform the following:
1. Create a new contact as follows:
- On HP Service Manager page, navigate to System Administration ==> Base System Configuration
==> Scheduled Maintenance ==> Contacts
Under the Contact tab, enter Contact Name and Full Name. Click on Add button on the top of the page.

Prerequisites
2. Create new operators as follows:

- On the left page, navigate to System Administration ==> Ongoing Maintenance ==> Operators
- Enter the following details and click on Add.
• Login Name
• Full Name
• Contact ID
• Default Company
3. Create new application profiles as follows:
- Service Request: To create Request Fulfillment in HP Service Manager from IdentityIQ through
integration, minimum permission required is Request Co-ordinator as a user role who has right to
create any new request fulfillment.
Administrator can create a customized role to create Request Fulfillment from IdentityIQ. Customized
user can be created as follows:
a. Navigate to System Administration ==> Ongoing Maintenance ==> User Roles and enter the follow-
ing parameters:
Tab Field name Supported field value

Profiles Configuration Profile Default
Security Roles Default
Request co-ordinator
Startup Capability Words SOAP API
Data Access Table Name Application
- Incident Request: To create incident in HP Service Manager from IdentityIQ through integration,
minimum permission required is Incident Co-ordinator as a user role who has right to create any new
incident and perform workflow which is capable of closing the incident.
By selecting user role as Incident Co-ordinator, select the following under the Startup tab:
• SOAP API as execute capabilities
• Interactions and Service Desk as Query Groups
Administrator can create a customized role to create incident from IdentityIQ. Customized user can be
created as follows:
ing parameters:

Prerequisites

Incident coordinator
- Change Management: To create change in HP Service Manager from IdentityIQ through integration,
minimum permission required is Change Co-ordinator as a user role who has right to create any new
change.
Administrator can create a customized role to create change from IdentityIQ. Customized user can be
created as follows:
ing parameters:

Change coordinator change
Change coordinator tasks
To perform workflow and close change ticket, select a user with role as Change Manager. This role
activates the Next Phase button which helps to move tickets from one phase to another.
At Change Approval stage, the following users are required to approve the tickets and move them to
next phase:
• Change.Approver: User having group membership of Change.Approver
• Change.Manager: User having group membership of Change.Manager
Once these users submit their approval, ticket gets moved to the next phase and then it can be moved
to closure phase.
4. On the Operator Record page, under the Security tab, enter the Password and select the Unlimited Ses-
sions and Prevent Lockout check boxes.
5. Create new login profiles as follows:
On the Operator Record page, under the Login Profiles tab, enter the details of the following parameters (as
shown in the following figure) and select the Named User check box:
- Date Format: mm/dd/yy
- Message Level: Information
6. On the Operator Record page, under the Startup tab, enter the details of the following parameters and
select the Activate Command Line on Startup checkbox:

Configuring HP Service Manager (Micro Focus) for IdentityIQ
Integration
Parameters Value
RAD Name menu.manager
name MAIN MENU
prompt
string1 HOME
Under the startup, select the values for Executive Capabilities and Query Groups from the drop down list as
follows and click the Save button:
- Execute Capabilities
• partial.key
• SysAdmin
• SQLAdmin
• SOAP API
• user.favorites
- Query Groups
• Service Desk
• Interactions
Configuring HP Service Manager (Micro Focus) for

IdentityIQ Integration
This section provides the required information for configuring IdentityIQ to integrate with HP Service Manager.
This integration enables IdentityIQ to create tickets for requested revocations, track ticket numbers in association
with revocation tasks, and update IdentityIQ with the status of current tickets.
SailPoint provides a default HP Service Manager Service Integration configuration. This configuration implements
the integration between IdentityIQ and the HP Service Manager (Micro Focus) to fulfill creation of tickets based
on IdentityIQ access certification remediation events.

Integration
Configuration
• The default configuration is located in iiqHome/WEB-INF/config/ directory, where iiqHome is the
location where IdentityIQ was installed.
• When integrating with the following requests, modify the respective config files and import in IdentityIQ:
Request XML files

Service Request HPServiceManagerIntegrationConfigForRequest.xml
Incident Request HPServiceManagerIntegrationConfigForIncident.xml
Change Request HPServiceManagerIntegrationConfigForChange.xml
• The integration configuration must include the following entries:

- endpoint: URL to the web service
- namespace: namespace of the XML returned by the web service
- prefix: prefix associated with the namespace
Note: For more information of the entries in the IntegrationConfig file, see “Appendix: A:
Common Identity Management Integration Configuration”.
• The integration configuration includes the following entries if the web service side of the integration is
configured for authentication using the SOAP authentication specifications:
- username
- password
- statusMap
- statusMapClosureCode
The web services and authentication entries are consumed by configuration entries for each web service.
They can be positioned either within the configuration entries themselves or as children of the Attributes
element. Entries that are children of the Attributes element can be thought of as global values, while entries
within the configuration entities can be thought of as local.
For example, if both entries share the same authentication credentials, those credentials might be placed in
the Attributes element as peers of the configuration entries and the integration code searches the parent
entry for the credentials if they are not found in the configuration entries. Conversely, if the configuration
entries have different endpoints (are handled by separate web services), each configuration entry specifies
the endpoint of the web service to call and any value outside of the configuration entry is ignored.
• Following are the supported configuration entries for integration with HP Service Manager. These entries
are children of the integration Attributes element:
- provision
- getRequestStatus
The values of each are Map elements containing key/value pairings of the configuration data. They contain
the specific data needed by the provision() and getRequestStatus() methods of the IdentityIQ integration
executor and correspond to HP Service Manager Web Service methods.

Integration
The provision and getRequestStatus entries contain the following entries:
Entries Description
soapMessage* Full XML template of the entire SOAP envelope that is sent to the web service. The
integration code first runs this template through Apache's Velocity template
engine to provide the data needed by the web service.
responseElement* Name of the element containing the results of the web service call (for example,
the element containing the ticket number opened by the web service in response
to the call from IdentityIQ).
SOAPAction* SOAP requests action
endpoint* HP Service Manager endpoint to send create and get ticket status
namespace* Namespace of the XML returned by the web service
prefix* Prefix associated with the namespace
Note: The (asterisk) * sign represents the required entries.

Before a template is sent to the web service, it is processed by the Velocity template engine. The integration
code provides different data objects to Velocity for evaluation based on the integration method.
The following calls pass the respective objects to Velocity:
Call Objects Description

provision config The integration configuration for provision, represented as a Map
provisioninPlan The data model of the provision request
getRequestStatus config The integration configuration for getRequestStatus, represented
as a Map
requestID The string ID of the request whose status is being queried
Both calls have access to a timestamp variable containing a current Date object and a dateFormatter object.
The dateFormatter is built using an optional dateFormat attribute from the config object. If the dateFormat
attribute does not exist, the formatter defaults to the pattern EEE, d MMM yyyy HH:mm:ss z.
Mappings for Service, Incident and Change Request

If any changes required in the mapping, change the value/key values in “statusMap” and
“statusMapClosureCode” as mentioned in the following tables for Service, Incident and Change Request:
Service Request
Entry Key Values

statusMap
Categorize inProcess
Assign inProcess
Dispatched inProcess

Integration
Entry Key Values

In Progress inProcess
Resolved committed
Suspended inProcess
Closed committed
Pending Other inProcess
Referred inProcess
Replaced Problem inProcess
Open inProcess
Open - Linked inProcess
Open - Idle inProcess
Accepted inProcess
Rejected failure
Work In Progress inProcess
Pending Customer inProcess
Pending Vendor inProcess
Pending Change inProcess
Pending Evidence inProcess
Pending Vendor/Supplier inProcess
Withdrawal Requested failure
initial inProcess
waiting inProcess
reopened inProcess
closed committed
Denied Service Catalog Request failure
Status Map Closure Codes
Incident Closure Codes
Automatically Closed committed
Cancelled failure
Fulfilled committed
Not Reproducible committed
Out of Scope committed
Request Rejected failure
Solved by Change/Service Request committed
Solved by User Instruction committed

Integration
Entry Key Values

Solved by Workaround committed
Unable to solve failure
Withdrawn by User failure
Invalid failure
Request Fulfilment Closure Codes
1 - Successful committed
2 - Successful (with problems) committed
3 - Failed failure
4 - Rejected (financial) failure
5 - Rejected (technical) failure
6 - Rejected (security) failure
7 - Withdrawn failure
8 - Withdrawal requested by customer failure
9 - Cancelled failure
10 - Denied request fulfillment failure
11 - Automatically Closed committed
Change Request Closure Codes
1 committed
2 committed
3 failure
4 failure
5 failure
6 failure
Incident Request
Entry key Values
statusMap
Closed committed
Pending Other inProcess
Referred inProcess
Replaced Problem inProcess
Resolved committed
Open inProcess
Accepted inProcess

Integration
Entry key Values

Rejected failure
Work In Progress inProcess
Pending Customer inProcess
Pending Vendor inProcess
Pending Change inProcess
Automatically Closed committed
Not Reproducible committed
Out of Scope committed
Request Rejected committed
Solved by Change/Service Request committed
Solved by User Instruction committed
Solved by Workaround committed
Unable to solve failure
Withdrawn by User failure
Diagnosed Successfully committed
No Fault Found committed
No User Response failure
Resolved Successfully committed
Change Request
Entry Key Values

statusMap
initial inProcess
waiting inProcess
reopened inProcess
closed committed
1 - Successful committed
2 - Successful (with problems) committed
3 - Failed failure
4 - Rejected failure
5 - Withdrawn failure
6 - Cancelled failure

Integration
Configuration Procedure
The following steps should be performed to modify the default HP Service Manager Service Integration
configuration for a specific HP Service Manager Server.
1. Obtain the environment-specific Web Service “endpoint”, for example, http://<host>:<port>/SM/7/ws.
2. (For HP Service Manager 9.5)
- HPServiceManagerIntegrationConfigForIncident: Set Service as a Configuration Item Identifier.
For example, <ns:Service type="String" mandatory=""
readonly="">CI1001030</ns:Service>
- HPServiceManagerIntegrationConfigForChange:
• Set Category as a Standard Change.
For example, <ns:Category type="String" mandatory="" readonly="">Standard
Change</ns:Category>
• Set Service as a Configuration Item Identifier. For example, CI1001030

For example, <ns:Service type="String" mandatory=""
readonly="">CI1001030</ns:Service>
3. Once you are familiar with the WSDL, modify the default IdentityIQ HP Service Manager configuration
using the information collected about the web service.
- In the <IntegrationConfig> element of the integration configuration, modify the username and
password entries in the attributes map to contain the credentials required for authentication to the
web service.
- In the <IntegrationConfig> element of the integration configuration, modify the provision entry of
the Attributes map by setting the endpoint, and, if necessary, the namespace, the prefix, the
responseElement, and the soapMessage attributes (the default values: IdentityIQ HP Service
Manager IntegrationConfig):
a. Set the value for endpoint to the value located in the WSDL earlier.
Note: The value in the IdentityIQ integration configuration must be a valid HTTP URL and
have any special characters escaped. The most common change that must be
made is to replace all and symbols with &
b. The value for namespace comes from the targetNamespace attribute of the xsd:schema element
in the WSDL.
c. The value for prefix is the prefix of the XML elements that will be contained in the SOAP response.
d. The value for responseElement should be the HP Service Manager form field that corresponds to
the id of the form that the web service creates.
e. The value for soapMessage should be the SOAP message body that IdentityIQ will send to HP
Service Manager. The exact format of this message is a function of the form that is published as
described by the form's WSDL. The XML elements in the soapenv:Body element should be changed
to match the HP Service Manager form fields for the published web service. Each required HP
Service Manager form field must have an element in the SOAP message. The value can be fixed or
can be a variable that will be substituted using IdentityIQ's Velocity templating
Note: For more information on <ManagedResources> in the IntegrationConfig file, see
“Appendix: A: Common Identity Management Integration Configuration”.
4. (Only for Service Request) In the <IntegrationConfig> element of the integration configuration, modify the
catalogItem entry of attributes map. Provide key as Managed Application name and value as Request Item
Name. This request item must be present on HP Service Manager’s Service Request.
For example, <entry key=”Demo App1” value=”Identity Access Request Item”/>

Integration
5. (Only for Service Request) Modify the Rule for applicationName and provide its value same as that of appli-
cation created while importing HP Users in IdentityIQ.
Note: In Rule, the ‘attributeName’ represents the Application's link attribute and is used to
populate the ‘requestedFor’ field in Service Request.
The information in the reference section above show the variables that are provided and the example integration
configuration provides examples of how they are used.
Verifying Connectivity between IdentityIQ and HP Service

Manager (Micro Focus)
Note: Obtain the integration configuration name and an existing ticket number from MicroFocus
Service Manager Service Desk System.
Perform the following procedure for verifying the connection between IdentityIQ and HP Service Manager:
1. Using the IdentityIQ integration console, launch the console by using the following IdentityIQ script in the
WEB-INF/bin directory of the IdentityIQ installation to run IdentityIQ integration:
iiq integration
2. From the console enter the following:
use applicationName
where applicationName is the name of the MicroFocus Service Manager Service Desk Integration Module.
Therefore the command would be as follows:
use HPSMServiceIntegrationModuleRequest
This makes the application ready for further console commands.
3. Enter the following command to get the connection status:
getRequestStatus ticketNumber
where ticketNumber is the number of the existing ticket obtained from MicroFocus Service Manager Service
Desk System.
For example, getRequestStatus SD10001
In the above example, SD10001 is the ticketNumber. The following status is returned:
Result: status = committed; request ID = SD10001; warnings = null; errors = null
This indicates that the connection is successful.
Retryable Mechanism
By default IdentityIQ for MicroFocus Service Manager Service Desk provides retry mechanism for Connection
reset and for unknown host problems occurred from network issues.
However you can configure retryableErrors list in integration configuration (IntegrationConfig) file to add
new exception strings to the attributes map in integration configuration file.
The retryableErrors entry is a list of strings through which the integration searches when it receives a message
from the IdentityIQ for MicroFocus Service Manager Service Desk. Only SOAPException strings are considered for
retry that is, the exceptions raised from SOAP web service. If one of the strings in the entry exists in the error, the
integration attempts to retry the request. When the configured error string is not a part of the error message
returned from MicroFocus Service Manager Service Desk, then IdentityIQ will not attempt a retry.
For example,

<value>
<List>
</List>
</value>
</entry>
inclusion. Only exceptions raised from soap web service are considered for retry.
This section describes the additional information related to IdentityIQ for MicroFocus Service Manager Service
Desk.
Creating New Service Request Catalog Item

1. Log on to HP Service Manager as an administrator.
2. (Only for 9.5) Navigate to Service Catalog => Administration => Manage Items and click on Add New Ser-
vice Item link.
(Only for 9.4 and 9.3) Navigate to Service Catalog => Administration => Manage Catalog and click on Add
New Service Catalog Item link.
3. Mention the mandatory details and click Next.
4. Select the Connector as Open New Request.
5. Select Service Desk as the option from the In Category as drop down and click Next.
6. (Only for 9.4 and 9.5) Provide appropriate values to the following fields and click Next:
- Request Category
- Request SubCategory
- Department
- Request Model
Select appropriate values from the drop down of Urgency, Impact and Assignment.
7. (Only for 9.3) Provide appropriate value for Request Category.
8. Click Finish.
9. (For 9.6 only) Make Service Catalog Item status to Operational and click Save.
Exporting user details from HP Service Manager (Micro Focus)

1. Log on to HP Service Manager as an Administrator.
2. Navigate to System Administration => Base System Configuration => Contacts and click on Search.
All user contact list must be displayed.

Troubleshooting
3. Navigate to More => Export to Text File and select the check box for Export Column Headers.
4. Select the radio button for Comma Separated Value (CSV) in the Delimiter selection.
5. Click on OK.
6. A file with name export.csv will get downloaded to your location.
Importing user details from HP Service Manager (Micro Focus) to

IdentityIQ
1. Navigate to application definition and click on Add New Application button.
2. Enter the application name in the Name field and select the owner.
3. Select the application type as DelimitedFile.
4. Mention the File Path details under the Configuration tab and list the column names under the Columns
section in the same order as that present in the export.csv file.
5. Insert the value as ‘,’ in the Delimiter field.
6. Under the Schema tab click on Discover Schema Attributes and mention Identity attribute as Contact
Name.
7. Click on Preview and Save the application.
Note: For more information on correlating the users on HP Service Manager with identities on
IdentityIQ, see “SailPoint Delimited Connector” chapter of the SailPoint Direct Connectors
Administration and Configuration Guide.
Troubleshooting
This section provides the resolutions for the following errors that may be encountered while setting up and
configuring IdentityIQ for MicroFocus Service Manager Service Desk.
1 - ‘Authorization Required’ error messages

The following type of error messages appear when the authorization data is not sent to HP Service Manager:
Caused by: org.apache.axis2.AxisFault: Transport error: 401 Error:
Authorization Required
Resolution: Verify the procedure to configure appropriate authorization mechanism. For more information on
the procedure, see “Configuration Procedure” on page 55.
2 - Document Type Declaration (DTD) parsing errors

The DTD parsing errors appear when the following JVM arguments are not defined for your application server:
• -Djavax.xml.soap.SOAPConnectionFactory=org.apache.axis2.saaj.SOAPConnectionFac
toryImpl
• -Djavax.xml.soap.MessageFactory=org.apache.axis2.saaj.MessageFactoryImpl
• -Djavax.xml.soap.SOAPFactory=org.apache.axis2.saaj.SOAPFactoryImpl
Resolution: Ensure that the application is pointing to the correct java runtime (that is, 1.6) and the above
mentioned JVM arguments are defined for application server.

Troubleshooting
3 - Max session exceeded error

When multiple requests are in open state and IdentityIQ tries to fetch the latest status with those requests, the
following error message is displayed:
Max session exceeded error
Resolution: Perform the following:

1. Increase the shared memory in sm.ini file to twice or thrice the size.
2. Add the following attributive to sm.ini file:
threadsperprocess:50
4 - Change Ticket status gets committed on IdentityIQ even though ticket is open on
HP Service Manager.
1. On HP Service Manager navigate to Tailoring => Web Services => Format control and search for cm3r
name.
2. Delete the following parameter line from Initialization Expressions of cm3r:
- HP Service Manager 9.5:
if (jscall("ProcessDesignerEnablement.isChangeEnabled")=true and
jscall("ProcessDesignerEnablement.isMigratedWorkflowUsed", "cm3r", category
in $file)=false and null(completion.code in $file)) then (completion.code in
$file=1)
- HP Service Manager 9.4 or 9.3:

if (jscall("ProcessDesignerEnablement.isChangeEnabled")=true and
null(completion.code in $file)) then (completion.code in $file=1)
3. Click Save.
5 - When performing any provisioning action an error message is displayed.

The following error message is displayed, when performing any of the provisioning actions:
sailpoint.integration.hpservicemanager.HPServiceManagerSoapIntegration$MissingRespo
nseElementException: Unable to find a response element matching qname
{http://schemas.hp.com/SM/7}CartItemId. Check the integration config.
Resolution: Ensure that the user is present on HP Service Manager for which the ticket is being created.
6 - Change Ticket status displays pending status on IdentityIQ even when ticket is
closed on HP Service Manager.
When HP status and closure code are not mapped in integration configuration file, change ticket status displays
pending status on IdentityIQ even when ticket is closed on HP Service Manager.
For example,
In 2016-08-02 16:52:48,870 ERROR Workflow Event Thread 1
sailpoint.integration.AbstractIntegrationExecutor:380 - Unknown request status: 1 -
Successful is retryable
java.lang.Exception: Unknown request status: 1 - Successful

Troubleshooting
Resolution: Map HP status code with corresponding IdentityIQ status code in statusMap or
statusMapCloserCode in Integration configuration file.
<entry key="1 - Successful " value="committed" />
7 - Ticket does not exist on HP Service Manager

When IdentityIQ access request is updated with ticket number, ticket does not exist on HP Service Manager
version 9.5.
Resolution: For HP Service Manager version 9.5 there are changes in Incident and Change configuration files.
Ensure that the configuration steps mentioned in the “Configuring HP Service Manager (Micro Focus) for
IdentityIQ Integration” on page 49 for Incident and Change Requests are performed appropriately.

Overview
Chapter 6: IdentityIQ for BMC

Remedy Service Desk
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Administrator Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuring BMC Remedy AR System for IdentityIQ Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring IdentityIQ for BMC Remedy Action Request System Integration . . . . . . . . . . . . . . . . . . . . . . . . . . 65
BMC Remedy Action Request System Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Creating Multiple Tickets in Remedy System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Verifying Connectivity between IdentityIQ and BMC Remedy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Sample Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Overview
The integration between SailPoint and BMC Remedy Service Desk enables customers to create incidents and
change requests in BMC Remedy Service Desk for the configured operations (for example, Change Password,
Request Entitlement and so on) for the configured application. The seamless integration of SailPoint and BMC
Remedy Service Desk Integration Module eliminates the need to build and maintain a custom integration, and
speeds time-to-deployment.
Note: Enter the following command to enable log4j2 tracing on BMC Remedy Service Desk
component:
logger.integration_SOAPIntegration.name=sailpoint.integration.SOAPIntegr
ation
logger.integration_SOAPIntegration.level=debug,file
Supported Features
IdentityIQ for BMC Remedy Service Desk supports the following features:
• creating ticket for all provisioning operations that can be performed on Target Application accounts
• getting the status of the created tickets
• creating multiple tickets in Remedy System via IdentityIQ

Supported Platforms
Supported Platforms
IdentityIQ for BMC Remedy Service Desk supports the following versions of BMC Remedy AR System:
• BMC Remedy AR System 18.05
• BMC Remedy AR System 9.1.00
• BMC Remedy AR System 9.0.00
Prerequisites
• BMC Remedy Change Management Application must be installed
• Ensure that the following softwares are operating correctly:
- BMC Remedy AR System
- BMC Remedy Change Management Application
Administrator Permissions
The BMC Remedy Service Desk Integration service account requires the following application permissions:
• Incident Submitter application permission for Incident Management application
Incident Submitter grants access to the Incident Module with the ability to only query and submit Incidents.
This permission may be used in conjunction with Incident Viewer and is superseded by Incident Master and
Incident User.
• Infrastructure Change Submit application permission for Change Management application
Infrastructure Change Submit grants access to the Change Module with the ability to only query and submit
Change requests. This permission is superseded by Infrastructure Change Master and Infrastructure Change
User.
Basic Configuration
The integrated solution speeds the detection and remediation of identity management issues that increase the
risk of compliance violations or security breaches, such as orphaned accounts, policy violations, and
inappropriate access privileges. Organizations can take advantage of a centralized approach spanning thousands
of users and hundreds of resources to strengthen IT controls and provide proof of compliance to auditors and
executive management. The seamless integration of SailPoint and BMC Remedy eliminates the need to build and
maintain a custom integration, and speeds time-to-deployment.
For any IT resources managed by BMC Remedy Service Desk, IdentityIQ automatically creates a trouble ticket
within Remedy Service Desk, passing along all relevant identity data and reviewer comments to populate the
ticket.
To ensure revocation requests get delivered and implemented, IdentityIQ manages all remediation and
revocation requests within a guaranteed delivery model.

Configuring BMC Remedy AR System for IdentityIQ
Integration
To determine the status of user accounts, IdentityIQ performs closed-loop audits on remediation requests and
compares the actual state of user privileges with the original change request. If the request is still open, an alert
will be sent to the reviewer for prompt action and closure.
The integration itself has been designed to be quick to install and easy to use. It makes use of Web Services via
the Remedy Mid Tier to broker communications between the SailPoint server and the AR System server. On the
backside of a user recertification, policy remediation action or access request action, the IdentityIQ server will
direct provisioning and service desk requests to the configured implementers. Based on the IntegrationConfig
configured for each target application, service desk request are issues to a given remediation/implementation
point. Once the IntegrationConfig for Remedy has been loaded into the IdentityIQ server, all change/remediation
actions result in the creation of new service desk request.
At the completion of the change control cycle within IdentityIQ, an “Open Ticket” request is made over the
appropriate SOAP channel to the Mid Tier. From here change request tickets are opened and the new ticket
number is returned to IdentityIQ. The schema for the service request is defined in the IntegrationConfig and
allows for the flexibility to transfer complete details on the service desk request. The default settings will create
a basic ticket as shown in the following figure (Figure 1—Change request).
Figure 1—Change request

Integration
This section provides the required information for configuring IdentityIQ to integrate with BMC Remedy Action
Request System (AR System). This integration enables IdentityIQ to create Change Management tickets for
requested revocations, track ticket numbers in association with revocation tasks, and update IdentityIQ with the
status of current Change Management tickets.

Integration
The following steps should be performed to modify the default Remedy integration configuration for a specific
BMC Remedy application instance.
1. Confirm the default Remedy Change Management Application Web Services exist. This is done by launching
the BMC Remedy Administrator, expanding the appropriate server object and clicking on the “Web Ser-
vices” object.
2. Next, obtain the environment-specific Web Service “endpoint” by performing the following steps:
a. Double-click on the Web Service and select the WSDL tab. Copy the WSDL handler URL into your
buffer (For example, Ctrl-C)
b. With a web browser, visit the WSDL URL for the web service by entering the URL into the browser
address field and pressing return.
c. Search for soap:address location= to find the endpoint URL. Copy this value. It will be used to
replace the endpoint URL in the default IdentityIQ Remedy IntegrationConfig object.
d. Review the Create InputMap section of the WSDL to understand the fields available for population
through the Web Service. These fields should correspond to the fields listed in the <soapenv:Body>
section of the default IdentityIQ IntegrationConfig object
3. Once you are familiar with the WSDL, modify the default IdentityIQ Remedy integration using the informa-
tion collected about the web service.
a. In the <IntegrationConfig> element of the integration configuration, modify the username and
password entries in the attributes map to contain the credentials required for authentication to the
web service.

Configuring IdentityIQ for BMC Remedy Action Request
System Integration
b. In the <IntegrationConfig> element of the integration configuration, modify the provision entry of
the Attributes map by setting the endpoint, and, if necessary, the namespace, the prefix, the
responseElement, and the soapMessage attributes (the default values: IdentityIQ Remedy
IntegrationConfig):
i. Set the value for endpoint to the value located in the WSDL earlier.
Note: The value in the IdentityIQ integration configuration must be a valid HTTP URL and
have any special characters escaped. The most common change that must be
made is to replace all & symbols with &
ii. The value for namespace comes from the targetNamespace attribute of the xsd:schema
element in the WSDL.
iii. The value for prefix is the prefix of the XML elements that will be contained in the SOAP
response sent by the mid tier server.
iv. The value for responseElement should be the ARS form field that corresponds to the id
of the form that the web service creates.
v. The value for soapMessage should be the SOAP message body that IdentityIQ will send
to ARS. The exact format of this message is a function of the form that is published as
described by the form's WSDL. The XML elements in the soapenv:Body element should
be changed to match the ARS form fields for the published web service. Each required
ARS form field must have an element in the SOAP message. The value can be fixed or can
be a variable that will be substituted using IdentityIQ's Velocity templating.
The information in the reference section above show the variables that are provided and the example integration
configuration provides examples of how they are used.

System Integration
This is intended as an introduction to the configuration needed to integrate IdentityIQ with the BMC Remedy
Action Request System. This integration enables IdentityIQ to interact with many of the product solutions that
are built on top of the AR System Server including BMC Remedy Change Management, BMC Remedy IT Service
Management Suite, and BMC Remedy Service Desk.
BMC Remedy Action Request System Integration

SailPoint provides a default Remedy integration configuration. This configuration implements the integration
between IdentityIQ and the Remedy Change Management Application to fulfill creation of tickets based on
IdentityIQ access certification remediation events.
The default configuration is located in iiqHome/WEB-INF/config/remedy-integration.xml directory,
where iiqHome is the location where IdentityIQ was installed.
This section explains the various entries that are specific for this integration. For more information of the entries
in the IntegrationConfig file, see “Appendix A: Common Identity Management Integration Configuration”.

System Integration
The integration configuration must include the following entries:

• endpoint: URL to the web service
• namespace: namespace of the XML returned by the web service
• prefix: prefix associated with the namespace
The integration configuration includes the following entries if the web service side of the integration is configured
for authentication using the SOAP authentication specifications:
• username
• password
• authentication
• locale
• timeZone
• statusMap
The integration configuration includes the following entries if the http authentication is configured:
• basicAuthType: if http authentication is configured the value of basicAuthType is true.
• httpUserName
• httpUserPass
User must modify remedy integration configuration file with the following entries to create incident in BMC
Remedy Action Request System:
• endpoint
• responseElement key
• SOAP envelop and body details
• status mapping
The web services and authentication entries are consumed by configuration entries for each web service. They
can be positioned either within the configuration entries themselves or as children of the Attributes element.
Entries that are children of the Attributes element can be thought of as global values, while entries within the
configuration entities can be thought of as local.
For example, if both entries share the same authentication credentials, those credentials might be placed in the
Attributes element as peers of the configuration entries and the integration code searches the parent entry for
the credentials if they are not found in the configuration entries. Conversely, if the configuration entries have
different endpoints (are handled by separate web services), each configuration entry specifies the endpoint of
the web service to call and any value outside of the configuration entry is ignored.
There are two supported configuration entries for integration with Remedy. These entries are children of the
integration Attributes element:
• getRequestStatus
• provision
The values of each are Map elements containing key/value pairings of the configuration data. They contain the
specific data needed by the getRequestStatus()and provision() methods of the IdentityIQ integration executor
and correspond to Remedy Web Service methods.

System Integration
The getRequestStatus and provision entries contain the following entries:

• soapMessage (required): full XML template of the entire SOAP envelope that is sent to the web service.
The integration code first runs this template through Apache's Velocity template engine to provide the
data needed by the web service.
• responseElement (required): name of the element containing the results of the web service call (for
example, the element containing the ticket number opened by the web service in response to the call
from IdentityIQ).
• statusMap (optional, see “Sample getRequestStatus entry” on page 67 for an example)
• username (optional)
• password (optional)
• authentication (optional)
• locale (optional)
• timeZone (optional)
• endpoint (optional)
• namespace (optional)
• prefix (optional)
Before a template is sent to the web service, it is processed by the Velocity template engine. The integration code
provides different data objects to Velocity for evaluation based on the integration method.
The provision call passes the following objects to Velocity:
• config: the integration configuration for provision, represented as a Map
• provisioningPlan: the data model of the provision request
The getRequestStatus call passes the following objects to Velocity:
• config: the integration configuration for getRequestStatus, represented as a Map
• requestID: the string ID of the request whose status is being queried
Both calls have access to a timestamp variable containing a current Date object and a dateFormatter object. The
dateFormatter is built using an optional dateFormat attribute from the config object. If the dateFormat attribute
does not exist, the formatter defaults to the pattern EEE, d MMM yyyy HH:mm:ss z.
Sample getRequestStatus entry

Note: The entries contained in the Map are the only required entries. Any authentication information
required by this integration is inherited from the parent Attributes element.
<entry key="getRequestStatus">
<value>
<Map>
<entry key="responseElement" value="Status"/>
<entry key="soapMessage">

<value><String><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
#if ($config.username)
<soapenv:Header>
<ns1:AuthenticationInfo xmlns:ns1="urn:AuthenticationInfo">
<ns1:userName>$config.username</ns1:userName>
<ns1:password>$config.password</ns1:password>
#if ($config.authentication)

System Integration
<ns1:authorization>$config.authentication</ns1:password>
#end
#if ($config.locale)
<ns1:locale>$config.locale</ns1:password>
#end
#if ($config.timeZone)
<ns1:timeZone>$config.timeZone</ns1:password>
#end
</ns1:AuthenticationInfo>
</soapenv:Header>
#end
<soapenv:Body>
<iiq:Get xmlns:iiq="urn:GetAgreementWebService">
<iiq:Issue_ID>$requestID</iiq:Issue_ID>
</iiq:Get>
</soapenv:Body>
</soapenv:Envelope>
]]>
</value>
</entry>
</Map>
</value>
</entry>
Sample provision entry

Note: This Map contains its own web services information. Any authentication information required
by this integration is inherited from the parent Attributes element.
<entry key="provision">
<value>
<Map>
<entry key="endpoint"
value="http://my.server.com:8080/path/to/WS"/>
<entry key="namespace" value="urn:openTicketWebService"/>
<entry key="prefix" value="xyz"/>
<entry key="responseElement" value="Issue_ID"/>
<entry key="soapMessage">

<value><String><![CDATA[<?xml version="1.0"
encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
#if ($config.username)
<soapenv:Header>
<ns1:AuthenticationInfo xmlns:ns1="urn:AuthenticationInfo">
<ns1:userName>$config.username</ns1:userName>
<ns1:password>$config.password</ns1:password>
#if ($config.authentication)
<ns1:authorization>$config.authentication</ns1:password>
#end
#if ($config.locale)
<ns1:locale>$config.locale</ns1:password>
#end
#if ($config.timeZone)
<ns1:timeZone>$config.timeZone</ns1:password>

System Integration
#end
</ns1:AuthenticationInfo>
</soapenv:Header>
#end
<soapenv:Body>
<iiq:Get xmlns:iiq="urn:openTicketWebService">
<iiq:Submitter>
#foreach ($req in $provisionPlan.requesters)
$req.name
#end
</iiq:Submitter>
</iiq:SubmitDate>$timestamp</iiq:SubmitDate>
<iiq:Summary>
Remediation request from IIQ
</iiq:Summary>
<iiq:Description>
Remove Active Directory for $provisionPlan.identity.fullname
</iiq:Description>
<iiq:Issue_ID>$requestID</iiq:Issue_ID>
</iiq:Get>
</soapenv:Body>
</soapenv:Envelope>
]]>
</value>
</entry>
</Map>
</value>
</entry>
Sample statusMap entry

The noMappingFromWS entries are placeholders as there are no results from the web service corresponding to
those IdentityIQ result codes.
<entry key="statusMap">
<value>
<Map>
<entry key="Closed" value="committed" />
<entry key="Rejected" value="failure" />
<entry key="Draft" value="inProcess" />
<entry key="Pending" value="inProcess" />
<entry key="noMappingFromWS" value="retry" />
<entry key="noMappingFromWS" value="warning" />
</Map>
</value>
</entry>
Creating Multiple Tickets in Remedy System

To create multiple tickets in Remedy System via IdentityIQ, add the following attributes in
remedy-integration.xml file:

System Integration
• multipleTicket: If multipleTicket attribute is defined, then the value can be one of the following:
- True: A separate Remedy ticket would be created for each line item from the IdentityIQ access
request.
- False: Single Remedy ticket would be created against all line items from the IdentityIQ access
request.
Default value: true
The format of the entry is as follows:
<entry key='multipleTicket' value='true'/>
• groupTicketBy: If groupTicketBy attribute is defined, then value can be one of the following:
- none: If the attribute is not defined or if attribute value is other than Application, then IdentityIQ sets
this attribute to none.
- Application: If the attribute value is Application and multipleTicket=true, then IdentityIQ
access request lines from the same application would be moved to a single ticket.
The format of the entry is as follows:
<entry key='groupTicketBy' value='none'/>
Default value: none
For example, the multipleTicket and groupTicketBy keys can be placed in the Integration configuration file as
follows:
<IntegrationConfig>
<Attributes>
<Map>
<entry key="multipleTicket" value="true"/>
<entry key='groupTicketBy' value='none'/>
<entry key="provision">
<value>
<Map>
<entry key="endpoint" value="%%REMEDY_REQ_TICKET_ENDPOINT%%"/>
...
...
...
</Map>
</value>
</entry>
</Map>
</Attributes>
<IntegrationConfig>
Verifying Connectivity between IdentityIQ and BMC Remedy

Note: Obtain the integration configuration name and an existing ticket number from BMC Remedy
Service Desk System.
Perform the following procedure for verifying the connection between IdentityIQ and BMC Remedy:
1. Using the IdentityIQ integration console, launch the console by using the following IdentityIQ script in the
WEB-INF/bin directory of the IdentityIQ installation to run IdentityIQ integration:
iiq integration
2. From the console enter the following:
use applicationName

System Integration
where applicationName is the name of the BMC Remedy Service Desk. Therefore the command would be as
follows:
use tst_RemedyIntegration
This makes the application ready for further console commands.
3. Enter the following command to get the connection status:
getRequestStatus ticketNumber
where ticketNumber is the number of the existing ticket obtained from BMC Remedy Service Desk System.
For example, getRequestStatus IM10001
In the above example, IM10001 is the ticketNumber. The following status is returned:
Result: status = committed; request ID = IM10001; warnings = null; errors = null
This indicates that the connection is successful.
Retryable Mechanism
By default IdentityIQ for BMC Remedy Service Desk provides retry mechanism for Connection reset and for
unknown host problems occurred from network issues.
However you can configure retryableErrors list in integration configuration (IntegrationConfig) file to add
new exception strings to the attributes map in the file.
The retryableErrors entry is a list of strings through which the Remedy Integration searches when it receives a
message from the BMC Remedy Service Desk. Only SOAPException strings are considered for retry that is, the
exceptions raised from SOAP web service. If one of the strings in the entry exists in the error, the integration
attempts to retry the request. When the configured error string is not a part of the error message returned from
the BMC Remedy Service Desk, then IdentityIQ will not attempt a retry.
For example,
<value>
<List>
</List>
</value>
</entry>
Additionally IdentityIQ would retry for following exception strings:

<value>
<List>
<String>Connection refused: connect</String>
<String>Connection timed out</String>
</List>
</value>
</entry>

Sample Scenario
inclusion. Only exceptions raised from soap web service are considered for retry.
Sample Scenario
The sample integration scenario is built around a sample system. In the sample scenario IdentityIQ (IIQ) would
be issuing a change request to BMC Remedy Change Management (RCM) based on the results of a scheduled user
entitlement and access review. As a result of remediation actions in this account recertification process,
IdentityIQ would open change requests to control the flow of the manual remediation process.
Scenario
1. The ComplianceManager1 schedules an access review for a business critical application:
a. The certification is scheduled and assigned to ApplicationOwner1.
b. ApplicationOwner1 receives an email with a link to the Online certification process as scheduled.
The link is followed to the open certification.
c. ApplicationOwner1 decides that GroupA on system LDAP should be removed.
d. ApplicationOwner1 decides that RoleA on system RDBMS should be removed.
e. ApplicationOwner1 completes the certification and signs off the process.
2. IdentityIQ evaluates the provisioning plan to enact the remediation requests from the certification:
a. IdentityIQ policy describes the integration execution path for LDAP as being via an automated pro-
visioning system.
b. IdentityIQ policy describes the integration execution path for RDBMS as being via an automated
RCM integration.
3. IdentityIQ creates a service request in RCM:
a. IdentityIQ uses the provision interface to open a service request within Remedy, passing in details
of the changes required to the RDBMS system.
b. RCM responds with the service request number.
c. IdentityIQ stores the service request number for later audit and review.
Troubleshooting
1 - During ticket creation the system is not responding in a normal amount of time
During ticket creation the system is not responding in a normal amount of time resulting in a time out and not
returning the ticket number.
Resolution: Add the timeout additional configuration parameter to the application debug page as follows for
setting the timeout per operation (that is, provision, getrequest):
<entry key="timeout" value="1"/>
Here value is in seconds.

Enterprise Mobility Management
Infrastructure Modules
Enterprise Mobility Management Infrastructure Modules (EMM) manages Devices enrolled in Mobile Device
Management (MDM) System. EMM also manages Users/Administrators of MDM System. Following is an
architecture diagram of EMM:
MDM systems import users from a central directory server or maintains its own repository. Operations to be
performed on devices are sent to the respective MDM System which then performs the specified action on the
target device. EMM does not communicate with the devices directly.
EMM uses two separate applications to manage users and devices. Main EMM application manages users in the
MDM System and the proxy EMM application manages devices in the MDM System. In some cases there is one
application which manages devices.
This section contains information on “IdentityIQ for AirWatch Enterprise Mobility Management”.
Overview
Chapter 7: IdentityIQ for AirWatch

Enterprise Mobility Management
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Application Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Operation Specific Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Overview
This chapter provides a guide to the AirWatch Enterprise Mobility Management (EMM) integration and
configuration for your enterprise.
Using this integration, IdentityIQ can retrieve the devices managed by AirWatch, perform operations on them,
and manage AirWatch's user account. These entities are managed in IdentityIQ using separate applications
named as follows:
• AirWatch Enterprise Mobility Management (EMM) Application (referred to as User Application in this
document) for managing AirWatch user accounts
• Device Application (containing the prefix -Devices) is created by IdentityIQ during aggregation and is used
for managing devices.
Supported Features
The AirWatch EMM Infrastructure Module supports the following features:
- Account Aggregation on the user application to bring in AirWatch user accounts
- Account Aggregation on the device application to bring in devices managed in AirWatch EMM
- Delete, Unlock devices
The following table represents what each of the above operation implies to IdentityIQ and AirWatch EMM:
IdentityIQ operation Resulting change on AirWatch

Account aggregation on user The AirWatch user accounts are brought into IdentityIQ.
application
Account aggregation on device The devices that are managed by the AirWatch EMM are retrieved
application into IdentityIQ.
Deleting entitlements from account Removing profiles from AirWatch system.

Supported Platforms
IdentityIQ operation Resulting change on AirWatch

Adding entitlements to account Adding profiles to device from AirWatch system.
Delete account for AirWatch device Enterprise/Device Wipe and Delete device is triggered on the
application device via AirWatch EMM system. For more information, see
“Operation Specific Configuration” on page 3.
Unlock account for AirWatch device Unlock device is triggered on the device via AirWatch EMM
application system.
• Account - Group Management
- Device Group Aggregation where device profiles are addressed as groups.
- Add and remove entitlement (profile) from device.
Supported Platforms
IdentityIQ for AirWatch EMM Infrastructure Module supports the following version of AirWatch:
• AirWatch API version 9.5.0.16 and above
Prerequisites
Administrator user configured for AirWatch EMM Application must have the following role for provisioning
activities:
• REST API Devices Read
• REST API Devices Write
• REST API Devices Execute
• REST API Devices Delete
• REST API Devices Advanced
Note: If AirWatch EMM application is behind proxy server, see the “Special Java Considerations”
section of the SailPoint IdentityIQ Installation Guide.
Configuration
This section describes the application and additional operation specific configurations.
Application Configuration
To create an application in IdentityIQ for AirWatch the following parameters are required:
Application Type AirWatch MIM
AirWatch Admin* Administrator of AirWatch server.

Configuration
AirWatch Server* AirWatch server URL where it's REST API are accessible. For
example, https://apidev-as.awmdm.com.
Password* Password of the administrator.
API Key* AirWatch server's API key defined for REST API.
Operation Specific Configuration

This section describes the various configurations required for the following operations:
• Aggregation
• Provisioning
Aggregation
• Aggregation of devices: Before aggregating devices against the device application create a correlation
rule in the device application to map devices to its AirWatch user. For example, UserName is an attribute
of the device which specifies the name of the user it belongs to, and Display Name of the identity is also
UserName. So in correlation rule specify application attribute as UserName and Identity attribute as
Display Name.
• Parameterized device aggregation: By default AirWatch device aggregation retrieves device profiles and
device applications. If you do not want to manage these entities, you can filter them for not being
retrieved into IdentityIQ.
The following configurable parameters impact aggregation:
- aggregateDeviceProfile: (is an application attribute on AirWatch EMM application) determines if the
profiles connected to devices are to be retrieved or not. The default behavior is to retrieve the
profiles connected to the devices. To change this behavior, set the following value through the debug
pages: <entry key="aggregateDeviceProfile” value="false"/>
- aggregateDeviceApp: (is an application attribute on AirWatch EMM Application) determines if the
application installed on devices must be retrieved or not. The default behavior is to retrieve the
applications installed on the device. To change this behavior, set the following value through the
debug pages: <entry key="aggregateDeviceApp" value="false"/>
Provisioning
The following provisioning operations are available in IdentityIQ when integrating with AirWatch:
• Delete device
Delete device
• Delete Device operation from LCM: In addition to Delete Device, you will be prompted to select Entire
Device Wipe or Enterprise Wipe Only options before deleting the device.
• Delete Device operation from Certification: The default wipe operation will be the Enterprise Wipe
Only. To change this default behavior to Entire Device Wipe add the following entry in the application
debug of the device application:
<entry key="defaultWipeFromCertification" value="Entire Device Wipe"/>
Note: If the AirWatch application is already created, update the delete provisioning policy with new
field, name as SecurityPIN and type as String.

Configuration

Provisioning Infrastructure Modules
• “IdentityIQ for Oracle Identity Manager”
• “IdentityIQ for IBM Security Identity Manager”
Overview
Chapter 8: IdentityIQ for Oracle

Identity Manager
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Installing the OIM Integration Web Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Testing the OIM Integration Web Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Configuration for OIM Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Aggregating from OIM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Known/Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Overview
This chapter provides a guide to the integration between Oracle Identity Manager (OIM) and IdentityIQ. This
chapter is intended for Oracle and IdentityIQ System Administrators and assumes a high degree of technical
knowledge.
The integration is achieved by deploying a small web application in the application server that hosts OIM.
IdentityIQ communicates with the web services contained in this application to read and write account
information. Configuration of the OIM integration requires the username and password of the OIM
administrator or another user with sufficient permissions.
Supported Features
The IdentityIQ for Oracle Identity Manager supports the following functions:
- Oracle Identity Manager user aggregation along with the connected child accounts and application
- Add/Remove Entitlements operations for Oracle Identity Manager connected child accounts
• User Management
- Manages Oracle Identity Manager Users as Accounts
- Add/Remove Entitlements operations for Oracle Identity Manager Users

Supported Platforms
Supported Platforms
IdentityIQ for Oracle Identity Manager supports the following versions of Oracle Identity Manager:
• Oracle Identity Manager 11g R2
• Oracle Identity Manager 11g R1
Installing the OIM Integration Web Application

You must first deploy the OIM Integration Servlet web application to the application server hosting the OIM
application. The iiq.war file for this web application is contained in the IdentityIQ distribution as
$INSTALLDIR/integration/OIM/iiqIntegration-OIM.jar or in the distribution for an IdentityIQ patch in
a .jar file named Integration-oim-<version>.jar.
The iiqIntegration-OIM.jar file contains iiq.war file. You can customize the iiq.war file in many ways
before being deployed into the application server hosting OIM.
Note: Ensure that if you are deploying web application as war file, it should be named as iiq.war. If you
are deploying the web application from a directory, then directory must be named as iiq.
Following are the required customization steps:
1. Configure access to OIM by modifying WEB-INF/classes/xellerate.properties to set.
• XL.HomeDir: the full path to the directory where OIM is installed
• userName: the OIM administrator that has the appropriate permission to read and write user and
account data
• password: the password for the OIM administrator
For more information on the other properties that need to be set in xellerate.properties file, see “Properties
that can be defined in xellerate.properties” on page 10.
2. Copy OIM_ORACLE_HOME/designconsole/lib/oimclient.jar API implementation file from the OIM
installation into the WEB-INF/lib directory of the integration application.
Authentication for Web Application

Note: By default deployed Web application (iiq.war) in the application server (Weblogic) does not
support authentication.
The Oracle Identity Manager application provides support for authenticating the IdentityIQ Web Application
deployed on the Weblogic Server.
Following are the required customization steps for supporting authentication for Web Application:
1. Provide Username and Password in the Oracle Identity Manager application through debug page. The
Username and Password must be one of the user configured in the Application server (Weblogic), where
the Web Application (iiq.war) is deployed.
User can be found at Weblogic Application Server console: Security Realms ==> myrealm ==>Users and
Groups.
For example:
<entry key="username" value="weblogic1"/>
<entry key="password" value="Sailpoint"/>

Testing the OIM Integration Web Application
Note: The password would be encrypted once user saves the application.
2. Update the existing xellerate.properties file by providing the new parameters (localUser and local-
Password) as follows:
#localUser=admin
#localPassword=Sailpoint
The localUser and localPassword properties are used for authentication:
- End User is expected to provide user and password of application server (Weblogic)
- User can be found at Weblogic Application Server console: Security Realms ==> myrealm ==>Users
and Groups
3. For setting the authentication, update the web.xml file as follows:
<web-app>
<display-name>OIM Service</display-name>
<servlet>
<servlet-name>OIM REST Servlet</servlet-name>
<servlet-class>sailpoint.integration.oim.OIMRestServlet</servlet-class>
<init-param>
<param-name>handler</param-name>
<param-value>sailpoint.integration.oim.OIMIntegration</param-value>
</init-param>
<init-param>
<param-name>authenticator</param-name>
<param-value>sailpoint.integration.oim.OIMBasicAuthenticator</param-value>
</init-param>

</servlet>
<servlet-mapping>
<servlet-name>OIM REST Servlet</servlet-name>
<url-pattern>/resources/*</url-pattern>
</servlet-mapping>
</web-app>

Verify if the installation was successful using the following steps:
Note: For each test URL throughout this document, change the host name and port to match your OIM
Server instance.
1. From any browser enter the following URL:
http://localhost:8080/iiq/resources/ping
The following response is displayed:

OIM integration ready

Failure to get a ping response indicates a problem with the deployment of the Servlet.
2. Verify the integration Servlet can communicate with OIM by entering the following URL:
http//localhost:8080/iiq/resources/users
You should see a response containing the names of all OIM users. This might take a while to assemble
depending on the number of users. To view details of a particular user, enter the following URL where
<OMIUSER> is the name of a user in your OIM instance:
http://localhost:8080/iiq/resources/user/<OIMUSER>
To see additional diagnostic information for of a particular user, enter the following URL where <OMIUSER>
is the name of a user in your OIM instance:
http://localhost:8080/iiq/resources/debug/<OIMUSER>
If you are unable to request user information, there may be a problem with the credentials you entered in
the xellerate.properties file. For more information, see “Properties that can be defined in
xellerate.properties” on page 10.
Properties that can be defined in xellerate.properties

1. Add a ManagedResource definition in the ManagedResource list for an each OIM resource. For each
resource, define a property prefix by adding a property whose name is the prefix and whose value is
the OIM resource name.
For example:
AD=AD User
Oracle=Oracle DB User
This declares that any property that begins with ERP is related to the OIM resource named ERP Central
Component.
2. For each ManagedResource, define the account attribute that represents the unique account identifier. The
names used here must be the resource names used by OIM. The identityAttribute must have the internal
form field name containing the account identifier. Use the OIM Design Console application to find the pro-
cess form for each resource and view the field names. The example below gives two typical names, one
used by the connector for Oracle database users and the other for the Active Directory connector.
AD.id=UD_ADUSER_UID
Oracle.id=UD_DB_ORA_U_USERNAME
3. Define the names of the child forms that support multiple attributes. The value is a CSV of the internal child
form names:
AD.childForms=UD_ADUSRC
Oracle.childForms=UD_DB_ORA_R
In this example UD_ADUSRC is the internal name for the child form AD User Group Details and
UD_DB_ORA_R is the internal name for the child form DBUM Grant/Revoke Roles.
4. Each child form name in the Oracle.childForms property there is another property whose value is a CSV of
the child form fields to return and the order in which they will appear in IdentityIQ.
Oracle.UD_DB_ORA_R=UD_DB_ORA_R_ROLE,UD_DB_ORA_R_ADMIN_OPTION
In the previous example, we will return two fields from the child form UD_DB_ORA_R. The first field has the
Role name and the second has the Role Admin option.
5. Following is the configuration for resource with child forms: ERP Central Component:

Configuration for OIM Application
ERP=ERP Central Component

ERP.id=UD_ECC_USER_ID
ERP.childForms=UD_ECC_PRO,UD_ECCRL
ERP.UD_ECC_PRO=UD_ECC_PRO_SYSTEMNAME,UD_ECC_PRO_USERPROFILE
ERP.UD_ECCRL=UD_ECCRL_SYSTEMNAME,UD_ECCRL_USERROLE
Note: Before IdentityIQ 6.0 there was a parameter in xellerate.properties file as oldChildFormNames
which was used for the resources who have only one field in the childform, for example, Active
Directory resource. For IdentityIQ version 6.0 onwards, the value must be set to true if the user
wants to support oldChildFormNames where field returned would be form name + field name
(For example, UD_ADUSRC:UD_ADUSRC_GROUPNAME field in Active directory).
6. To aggregate all the active and disabled OIM users in IdentityIQ, add a new parameter OIM_USER_TYPE in
xelerate.properties file with the value as ALL. If OIM_USER_TYPE parameter is deleted from the
xelerate.properties file then only the active OIM users will be aggregated. By default only active OIM
user are aggregated.
Configuration for OIM Application

Perform the following steps to create an IdentityIQ application for OIM:
1. Navigate to the IdentityIQ Define=>Application page.
2. Create a new application of type Oracle Identity Manager.
3. On the Attributes tab, enter the Oracle Identity Manager Host and Oracle Identity Manager Port.
4. Click Test Connection to verify the connection to OIM.
Note: You can make use of the “OIM Application creator” task to discover all the resources present in
OIM environment. The input for this task would be an newly created application of type “Oracle
Identity Manager” and executing this task would result in the creation of all multiplexed
resources.
Testing the OIM Integration Client

While any IdentityIQ feature that generates a provisioning request such as a certification remediation, a role
assignment, or a Lifecycle Manager request can be used to test the integration, it is sometimes useful to test at
the provisioning layer using the IdentityIQ integration console.
Launch the console by using the IdentityIQ script in the INSTALLDIR/WEB-INF/bin directory of the IdentityIQ
installation to run iiq integration.
From the console command prompt, use the list command to display the names of all Application objects created
in the system. Using the example in the previous section, verify an Application object of type Oracle Identity
Manager exits.
Use the following command:
use OIMApplicationName
Use the ping command to initiate a test connection message with OIM. A successful connection will return the
following message:
Response: Connection test successful

Aggregating from OIM
If any problem occurs in the communication of this application with the OIM Integration Web Application,
troubleshoot this application by viewing the application server logs for both the IdentityIQ and OIM application
servers. You can enable log4j tracing on both sides by using the following:
log4j.logger.sailpoint.integration=debug
log4j.logger.sailpoint.connector=debug
This lets you see if the requests are transmitting over the network, and how they are processed.
If the OIM servlet is deployed on Weblogic 11g, tracing can be enabled on it by adding an entry to the logging file
on the Weblogic server. Following is the logging file:
<DOMAIN_HOME>/config/fmwconfig/servers/oim_server1/logging.xml
Following is the entry that needs to be added:

<logger name="SailPoint.integration.oim" level="TRACE:32"/>
For more information on enabling system logging in OIM is included in the Oracle Identity Manager Administrator
Guide.
Aggregating from OIM

To aggregate OIM users and resource accounts, create and execute an IdentityIQ Account Aggregation task.
Include the OIM application in the applications to scan list.
When the aggregation is complete from the OIM application, a new application is created for every resource in
OIM. The application schema includes attributes seen in the resource accounts. All users in OIM have an account
created that is associated with the OIM application and includes all of the standard and extended user attributes
of those users. Additionally, all of the resource accounts are aggregated and associated with the newly created
applications.
Once the initial aggregation from the OIM application is completed, you can aggregate from it again to read in
information for all managed systems.
Note: You can make use of the “OIM Application Creator task” to discover all of the Resources present
in the OIM environment. The input for this task is an application of type Oracle Identity
Manager. Executing this task results in the creation of all multiplexed Resource applications.
Known/Open Issues
Following is the known/open issue of Oracle Identity Manager:
• You cannot perform provisioning operations simultaneously on the OIM server from IdentityIQ and the
OIM console. This is a class loading issue observed with OIM 11g, after deploying iiq servlet(iiq.war) on
Weblogic OIM Managed Server.
Workaround for this issue: Create another, empty WLS(Weblogic)Managed server next to the OIM
Managed Server and only deploy the IIQ Servlet. Also, update the Xellerate.properties file by
un-commenting the attribute java.naming.provider.url. This Url needs the host name of the host where
OIM managed server is deployed and the listening port of the OIM managed server.
• Create OIM user and Update OIM user operations are not working with Oracle Identity Manager 11g R2.

Overview
Chapter 9: IdentityIQ for IBM

Security Identity Manager
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
General Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configuration for Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configuration for Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Overview
This chapter is designed to provide the necessary procedures, configuration steps, and general product
guidelines to successfully integrate IBM Security® Identity Manager (ISIM) into your IdentityIQ production
environment.
This chapter is intended for ISIM and IdentityIQ System Administrators and assumes a high degree of technical
knowledge of these systems.
Note: Consider the terminologies ISIM and ITIM to be the same throughout the document.
Supported Features
The IdentityIQ for IBM Security Identity Manager provides the ability to provision Target Application accounts
from IdentityIQ.
The IdentityIQ for IBM Security Identity Manager supports the following functions:
• User Management
- Manages IBM Security Identity Manager Users as Accounts
- Aggregating Users, Provisioning ISIM Roles
• Target Application Accounts Management
- Manages Target Application Accounts as Accounts
- Aggregating Target Accounts directly
- Enable, Disable, Reset Password

Supported Platforms
Supported Platforms
IdentityIQ for IBM Security Identity Manager supports version 6.0 of IBM Security Identity Manager.
General Configuration
The installation steps for ISIM integrations vary based on the functions you wish to perform. IdentityIQ in
conjunction with ISIM allows the following functionality:
• Aggregation
• Provisioning Entitlements in ISIM
Configuration for Aggregation

Aggregating from IBM Security Identity Manager involves configuring the ISIM application settings within the
IdentityIQ user interface.
ISIM has two types of objects that can be aggregated; people and accounts. IdentityIQ refers to these as identities
and accounts (or links). To aggregate from ISIM, perform the following:
1. Create An ISIM Application: Create a new application using the IBM Security Identity Manager connector
and fill in the required parameters following the steps provided in the IdentityIQ User’s Guide.
Use the tenant DN search base. For example,
erglobalid=00000000000000000000,ou=example,dc=com
Leave the search filter blank. This is auto-generated correctly during aggregation. This application is used to
aggregate ISIM person objects.
2. Setup Correlation Attribute: Create an identity attribute that is sourced from the erglobalid on the ISIM
application and mark it as search-able. This is used to correlate ISIM accounts to this identity.
3. Create ISIM Account Applications: Run the ITIM Application Creator task to inspect ISIM and retrieve infor-
mation about the ISIM services (applications). This task auto-generates an application for each service
defined in ISIM.
4. Setup Correlation on the ISIM Account Applications: Set the correlation rule on the generated applications
to Correlation - ISIM Account. This correlates the account to the identity using the erglobalid. If the rule
is not listed by default, import it from the $ISIM_INTEGRATION_PACKAGE/samples/ITIM-Account-
CorrelationRule.xml location.
5. Aggregate: Run aggregation for the ISIM application first and then for each ISIM account application.
Configuration for Provisioning

Provisioning entitlements and role assignments in ISIM requires the installation of IdentityIQ’s ISIM integration
web application in WebSphere with ISIM. This process varies slightly depending on the version of WebSphere.
IdentityIQ roles are queued and pushed in ISIM on a schedule. This is accomplished by using the Synchronize
Roles task.

Configuration for Provisioning
1. Prepare the WAR: The iiqIntegration-ITIM.war file contains a properties file named itim.proper-
ties with information about how to connect using ISIM. In order to execute, this must be edited to
include appropriate information about the ISIM installation. Additionally, the .war file does not include any
of the required jar files of ISIM files since these can change depending on the version and fixpack level of
ISIM. These need to be copied out of the ISIM lib directory and added to the .war file.
a. Expand the iiqIntegration-ITIM.war file in a temporary directory.
b. Edit the WEB-INF/classes/itim.properties file and change the properties match your
environment. Save the file with your changes. The following can be changed:
• PLATFORM_URL: URL to use to communicate with ISIM.
The format of the URL must be same as the value of enrole.appServer.url from
enRole.properties located under <ITIM-HOME>/data directory.
• PLATFORM_PRINCIPAL: The administrator user who can login to the administrator Console
of WAS.
• PLATFORM_CREDENTIALS: Password of the principal. Encrypting password is supported.
• TENANT_DN: The root DN of the ISIM tenant.
c. Copy the required jar files of ISIM into the lib directory. These .jar files are located in the deployed
ISIM ear directory.
(For ISIM 6.0): Example ISIM ear directory:
$WAS_HOME/profiles/<app server>/installedApps/<cell>/ITIM.ear
Following are the required files:
• api_ejb.jar
• itim_api.jar
• itim_server_api.jar
d. Update the iiqIntegration-ITIM.war file to include the updated itim.properties and

required jar files of ISIM.
For example,
jar uvf iiqIntegration-ITIM.war WEB-INF/classes/itim.properties \
WEB-INF/lib/api_ejb.jar WEB-INF/lib/itim_api.jar \
WEB-INF/lib/itim_common.jar WEB-INF/lib/itim_server_api.jar \
WEB-INF/lib/jlog.jar
2. Install the IdentityIQ ISIM Integration Web Application: In the WebSphere Administrative Console, navi-
gate to Enterprise Applications and select Install.
a. Select iiqIntegration-ITIM.war as the application to install and type iiqisim as the context
root.
b. Continue through the rest of the installation wizard accepting the defaults.
c. When completed, click Save to save the changes to the master configuration.
3. Setup the Integration Config: The IntegrationConfig object holds information about how to connect Iden-
tityIQ to ISIM and all of the configuration requirements for various functions. ISIM supports dual role push
mode, which means that both detectable and assignable roles can be used. An example can be found in the
ISIM integration folder within your IdentityIQ installation directory in the $INSTALLDIR/integra-
tion/ITIM/samples/exampleIntegration.xml directory.

Troubleshooting
The main properties that need to be set are:

- executor: sailpoint.integration.isim.ISIMIntegrationExecutor
- ApplicationRef: The reference to the ISIM application
- Attributes=> URL: The URL to the IIQ web service on the ISIM server. For example,
https://myisim.example.com:9080/iiqisim/resources
Note: SailPoint recommends that you use SSL when transmitting sensitive electronic information.
- Attributes=> username: ISIM user's credentials used for basic HTTP authentication.
- Attributes=> password: ISIM user's password used for basic HTTP authentication.
- ManagedResources map: Mappings of local IdentityIQ applications to ISIM services, including
mappings of local IdentityIQ attribute names to ISIM service attribute names.
For more information, see “Appendix: A: Common Identity Management Integration Configuration”.
4. Verify: Be certain that the integration has been installed correctly by using the ping command in the inte-
gration console. If successful, this should respond and list version information about the ISIM jar files that
were put into the iiqIntegration-ISIM.war file. Compare this version information against the version of the
ISIM server to ensure correct operation.
5. Role Requests: Set the roleSyncStyle to dual in the IntegrationConfig file as follows:
<IntegrationConfig executor="sailpoint.integration.isim.ISIMIntegrationExecutor"
name="ISIM 5.1 Integration" roleSyncStyle="dual">
Other than this, the role should be assignable (for example, a business role) and the name has to match the
name of the role in ISIM.
6. Support for Role Management (Itim Role Management): The ISIM User can be provisioned and De-provi-
sioned from IdentityIQ Lifecycle Manager flow. This can be enabled by setting the value of IS_ITIM-
ROLES_PROVISIONED property to true in the itim.properties file. By default the value of
IS_ITIMROLES_PROVISIONED is set to false as follows:
IS_ITIMROLES_PROVISIONED=false
Note: If user wants to provision the ISIM roles attribute from Lifecycle Manager flow then change the
property of the ITIM role application Account schema attribute for Identity Security Manager
(parent) to managed and multivalued. By default, the ISIM Roles will not be provisioned.
Note:
Troubleshooting
1 - An error message appears when the url format in itim.properties is not valid
The following error messages appear when the url format in itim.properties is not valid:
• java.lang.NoClassDefFoundError: com.ibm.cv.CVProxyException
Workaround: Copy com.ibm.cv.kmip.ext.jar file to <WAS-HOME>/profiles/<App
server>/classes directory and restart the application server.
• java.util.MissingResourceException: Can't find resource for bundle tmsMessages
Workaround: Copy tmsMessages.properties and tmsMessages_en.properties file from
<ISIM-HOME>/data to <WAS-HOME>/profiles/<App server>/classes directory and restart the
application server.

IaaS - Infrastructure-As-A-Service Module
• “IdentityIQ for Amazon Web Services”
IdentityIQ for Amazon Web Services Setup
Chapter 10: IdentityIQ for Amazon

Web Services
IdentityIQ for Amazon Web Services Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
IdentityIQ for Amazon Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Service IAM User Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Administrator Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Schema Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Provisioning Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
(Optional) Upgrade Consideration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
IdentityIQ for Amazon Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
IdentityIQ for Amazon Web Services Setup

The IdentityIQ for Amazon Web Services allows organizations to extend existing identity lifecycle and compliance
management capabilities within IdentityIQ to mission-critical AWS IaaS environments to provide a central point
of visibility, administration, and governance across the entire enterprise. This includes policy discovery and user
access history across all organization accounts, provisioning AWS entities and objects, access review and
certification, and improved federated access support.
The AWS Governance Module for IdentityIQ is a licensed module and includes the necessary connectivity
components for operation.
For more information on installing the plug in for IdentityIQ for Amazon Web Services, see “AWS Governance
Module” document on compass.
IdentityIQ for Amazon Web Services

Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage,
content delivery and other functionality to help businesses scale and grow.
The SailPoint Amazon Web Services (AWS) Governance Module can be used to manage all the AWS Accounts in
your organization or a subset of AWS Accounts. IdentityIQ for Amazon Web Services manages the AWS
Organizations entities such as Service Control Policies, Organization Units and AWS Accounts. It also manages the
IAM (Identity Access Management) entities such as Users, Groups, Roles, Inline policies, Managed policies (AWS
and Customer managed) under each AWS Account.
The AWS Governance Module uses the AWS STS (Security Token Service) to setup cross-account access between
AWS accounts.

Supported Features
IdentityIQ for Amazon Web Services supports the following features:
- IAM Entities Management
• Manages IAM Users under the AWS Account as Accounts
• Aggregate, Refresh Accounts
• Create, Update, Delete
• Change Password
• Add/Remove Entitlements (Groups, AWS Managed Policies, Customer Managed Policies)
• Enable, Disable
For more information on enabling and disabling, see “IAM User Status” on page 32.
• Group Management
- IAM Entities Management
• IAM Groups: Aggregate, Refresh Group, Create, Update, Delete
• AWS Managed Policy Management: Aggregate, Refresh
• Customer Managed Policy Management: Aggregate, Refresh, Create
• Inline Policy Management: Aggregate, Refresh
Note: Inline Policy can be removed only through Certification.
• Role Management: Aggregate, Refresh, Update (Add/ Remove AWS Managed Policy or
Customer Managed Policy from Role)
- Organization Entities Management
The AWS Governance Module also supports following operation on Organization Entities (managed as
group object only):
• AWS Accounts Management: Aggregate, Refresh
• Organization Unit Management: Aggregate, Refresh
• Service Control Policy Management: Aggregate, Refresh
• Permissions Management: AWS Governance Module supports JSON Policy for Permission Policy and
Trust Policy as direct permission.
The Permission Policy for following AWS entities are represented as direct permission:
- AWS Managed Policies
- Customer Managed Policies
- Inline Policies
- Service Control Policies
The Trust Policy for following AWS entity is represented as direct permission:
- Roles

The supported features mentioned in this section can be represented in matrix form as follows:
Object Type IdentityIQ Aggre- Re- Create Update Delete Request User
Type gation fresh -able Status
IAM User Account
NA
Groups (Primary) Entitlement

NA
AWS Managed Policy Entitlement

NA NA NA NA
Customer Managed Entitlement

Policy NA NA NA
Inline Policy Group

NA NA NA NA
Service Control Group

Policy NA NA NA NA NA
Roles* Group
NA NA NA NA
Organization Unit Group

NA NA NA NA NA
AWS Accounts Group

NA NA NA NA NA
Note: * Role aggregation takes care of aggregating the trust polices (entities that can assume a role)
as direct permission.
Service IAM User Overview

A Service IAM User is required for the connector to perform aggregation and provisioning operations in AWS
Governance Module. The necessary minimum permissions that are required by the service user are outlined in
the “Administrator Permissions” section below.
If IdentityIQ requires to manage all AWS accounts or a subset of the AWS accounts present in the AWS
Organization, then it is required to determine where the Service IAM User gets created and if any additional steps
that must be performed for proper working of the AWS Governance Module.

Prerequisites
• Create Service IAM User as follows and assign the required permission to perform the operations (as
mentioned in “Administrator Permissions”):
Service User Requirement:
- Service User In Master AWS Account:
• To manage the organization entities like SCPs, OUs and AWS Accounts, it is required to create
Service IAM User in master AWS Account. Service IAM User must be present in the master
account with the required permissions. Additionally, all the organization related permissions
must be given through the role present in master account.
• (If Manage All Accounts is selected in “Configuration Parameters”) To manage all AWS accounts,
the service user must be in the master account to get all the AWS Account IDs.
- Service User In Member AWS Account:
• (If Include AWS Account IDs is selected in “Configuration Parameters”) To manage only IAM
entities of various AWS Account, create Service IAM User in any of the AWS Account by deleting
the schema objects of Organization Entities.
• Ensure that you create Cross Account Role across the AWS Accounts with same name and assign the
permissions as required.
For more information on creating the Cross Account Role, see “Creating Cross Account Role” on page 33.
Note: The trust relationship must be established with the account explicitly in which the Service IAM
User belongs to, along with other AWS Accounts that are to be managed.
Customer Managed Policies must be created and attached to the AWS Service IAM User and Role respectively as
mentioned in the table below.
Note: The AWS System Administrator can refine the Permission Policies as needed.
Note: If ‘Include AWS Account IDs’ list is specified and organization schema is not present in the
application, then ‘iam:GetUser’ API permission is not required for AWS Service IAM User.
The description for the policy name and role that are used is as follows:
• SPServiceIAMUser: an IAM account in the master (or designated Service IAM User) account that is used
as the connector’s service account to your AWS environment.
• SPOrganizationPolicy: allows management of Organization entities. This will only be created if the
ServiceIAMUser is created in your organization’s AWS master account.
• SPAggregationPolicy: allows mostly read access in order to aggregate IAM entities from your AWS
environment.
• SPProvisioningPolicy: allows write access for provisioning IAM entities back to your AWS environment.
• SPServiceIAMUserAccess: a role that will have the above mentioned policies and will allow the
ServiceIAMUser to perform all the necessary tasks needed for the connector to work.
The following table lists the examples of policies for the respective policy names:
Policy Name Policy Document

For AWS Service IAM User


SPServiceIAMUSer {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource":
"arn:aws:iam::*:role/SPServiceUserAccountAccess"
}
]
}
For Role
SPOrganizationPolicy {
"Version": "2012-10-17",
(Must be assigned to the "Statement": [
Role which is in master {
AWS Account to manage "Sid": "VisualEditor0",
Organization Entities) "Effect": "Allow",
"Action": [
"organizations:ListPoliciesForTarget",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"organizations:ListAccounts",
"organizations:ListTargetsForPolicy",
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:ListParents",
"organizations:ListOrganizationalUnitsForParent",
"organizations:DescribePolicy",
"organizations:ListPolicies"
],
"Resource": "*"
}
]
}


SPAggregationPolicy {
"Version": "2012-10-17",
Role of AWS Account {
which needs to be "Sid": "VisualEditor0",
managed) "Effect": "Allow",
"Action": [
"iam:GetPolicyVersion",
"iam:ListServiceSpecificCredentials",
"iam:ListMFADevices",
"iam:ListSigningCertificates",
"iam:GetGroup",
"iam:ListSSHPublicKeys",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedGroupPolicies",
"iam:ListRolePolicies",
"iam:ListAccessKeys",
"iam:ListPolicies",
"iam:GetRole",
"iam:GetPolicy",
"iam:ListGroupPolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:ListGroups",
"iam:GetGroupPolicy",
"iam:GetUser",
"iam:GetRolePolicy",
"iam:GetLoginProfile",
"iam:ListEntitiesForPolicy",
"iam:GetAccessKeyLastUsed"
],
"Resource": "*"
}
]
}


SPProvisioningPolicy {
"Version": "2012-10-17",
Role of AWS Account {
which needs to be "Sid": "VisualEditor0",
managed) "Effect": "Allow",
"Action": [
"iam:UpdateLoginProfile",
"iam:CreateGroup",
"iam:DeleteAccessKey",
"iam:DeleteGroup",
"iam:AttachUserPolicy",
"iam:DeleteUserPolicy",
"iam:UpdateAccessKey",
"iam:AttachRolePolicy",
"iam:DeleteUser",
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:CreatePolicy",
"iam:CreateLoginProfile",
"iam:RemoveUserFromGroup",
"iam:AddUserToGroup",
"iam:DetachRolePolicy",
"iam:DeleteSigningCertificate",
"iam:AttachGroupPolicy",
"iam:DeleteRolePolicy",
"iam:DetachGroupPolicy",
"iam:DetachUserPolicy",
"iam:DeleteGroupPolicy",
"iam:DeleteLoginProfile"
],
"Resource": "*"
}
]
}
Note: For all provisioning operations, in addition to the provisioning policy permissions listed for
“SPProvisioningPolicy” the permissions for “Refresh Operations”are also required.
Note: For more information on operation specific administrator permissions required for IAM and
Organization APIs, see “Operation Specific Service IAM User permissions” on page 33.
The following table lists the configuration parameters of AWS Governance Module:
Access Key ID* Enter the Access Key ID of the Service IAM User.
Secret Access Key* Enter the Secret Access Key of the Service IAM User.

Role Name Enter the role name that is created in all the AWS Accounts that are to be
aggregated.
Note: If the Amazon Resource Name (ARN) of the role contains a path,
then it should be created with same path and name in all the AWS
accounts. Input value must be provided as follows:
<entire Role Path>/<Role Name>.
Manage All Accounts When checked, will manage IAM entities from all the accounts.
Exclude AWS Account IDs Lists all the AWS Account IDs that are to be excluded.
Include AWS Account IDs Lists all the AWS Account IDs that are to be included.
Page Size The maximum size of each dataset when querying over large number of
objects for IAM entities. Default: 100
Note: Parameters with * sign are mandatory parameters.

The following table describes the additional configuration parameters that can be set in the application debug
page:
assumeRoleDurationInSeconds The duration, in seconds, of the role session. The value can range from
900 seconds (15 minutes) up to the maximum session duration setting
for the role.
Set the value of the assumeRoleDurationInSeconds parameter as

follows:
<entry key="assumeRoleDurationInSeconds"
value="3600"/>
Default value: 3600

assumeRoleSessionName An identifier for the assumed role session. Use the role session name to
uniquely identify a session when the same role is assumed by different
principals or for different reasons. In cross-account scenarios, the role
session name is visible to, and can be logged by the account that owns
the role.
Set the value of the assumeRoleSessionName parameter as follows:

<entry key="assumeRoleSessionName"
value="SailPointUser"/>
Default value: SailPointUser

Schema Attributes
The following schema attributes are defined:
• Account Schema
• Group Schema
Account Schema
The following table lists the account schema:
Attributes Type Description

UserName String The friendly name of the user.
UserId String The unique ID of the user.
Path String Path to the user.
ARN String Amazon Resource Name of the user.
CreateDate String Creation date of the user.
ConsoleAccess String Password status of the user.
Groups Group Groups the user is a part of.
AWSManagedPolicies AWSManaged AWS Managed Policies directly assigned to the user.
Policy
CustomerManagedPolicies CustomerMan Customer Managed Policies directly assigned to the user.
agedPolicy
InlinePolicies InlinePolicy Inline Policies directly assigned to the user.
Access Keys String Access keys associated with the user.
AWS CodeCommit HTTPS String AWS CodeCommit HTTPS Git credentials associated with
Credentials the user.
AWS CodeCommit SSH String AWS CodeCommit SSH public keys associated with the
Keys user.
Signing Certificates String Signing Certificates associated with the user.
Multi-Factor String Multi-Factor Authentication device associated with the
Authentication Device user.
PasswordLastUsed String Password last used date of the user.
AccessKeyLastUsed String Access key last used details of the user.
Group Schema
The following table lists the group schema:

Object Type: Group
GroupName String The friendly name of the group.


GroupId String The unique ID of the group.
Path String Path to the group.
ARN String Amazon Resource Name of the group.
Create String Creation date of the group.
AWSManagedPolicies AWSManaged AWS Managed Policies directly assigned to the group.
Policy
CustomerManagedPolicies CustomerMan Customer Managed Policies directly assigned to the
agedPolicy group.
InlinePolicies InlinePolicy Inline Policies directly assigned to the group.
Object Type: AWSManagedPolicy
PolicyName String The friendly name of the AWS managed policy.
PolicyId String The unique ID of the AWS managed policy.
Description String A friendly description of the AWS managed policy.
ARN String Amazon Resource Name of the AWS managed policy.
Path String The path to the AWS managed policy.
CreateDate String The creation date of the AWS managed policy.
UpdateDate String The last update date of the AWS managed policy.
DefaultVersionId String The currently enabled version ID of the AWS managed
policy.
PolicyJSON String The JSON document for the AWS managed policy.
Object Type: Customer Managed Policy
PolicyName String The friendly name of the customer managed policy.
PolicyId String The unique ID of the customer managed policy.
Description String A friendly description of the customer managed policy.
CreateDate String The creation date of the customer managed policy.
UpdateDate String The last update date of the customer managed policy.
ARN String Amazon Resource Name of the customer managed policy.
Path String The path to the customer managed policy.
DefaultVersionId String The currently enabled version ID of the customer
managed policy.
PolicyJSON String The JSON document for the customer managed policy.
PolicyGroups String Groups attached to the customer managed policy.
PolicyRoles String Roles attached to the customer managed policy.
Object Type: InlinePolicy
Name String The friendly name of the policy.


Id String The unique ID of the policy.
PolicyJSON String The JSON document for the policy.
Object Type: Role
RoleName String The friendly name of the role.
RoleId String The unique ID of the role.
Path String Path to the Role.
ARN String Amazon Resource Name of the role.
Description String Role Description.
CreateDate String Creation date of the role.
AWSManagedPolicies AWSManaged AWS Managed Policies directly assigned to the role.
Policy
CustomerManagedPolicies CustomerMan Customer Managed Policies directly assigned to the role.
agedPolicy
InlinePolicies InlinePolicy Inline Policies directly assigned to the role.
TrustPolicyJSON String Trust Relationship Policy JSON.
MaxSessionDuration String Maximum CLI/API session duration.
Object Type: SCP
SCPName String The friendly name of the Service Control Policy.
SCPId String The unique ID of the Service Control Policy.
ARN String Amazon Resource Name of the Service Control Policy.
Description String A friendly description of the Service Control Policy.
AWSManaged String A boolean value that indicates whether the Service
Control Policy is an AWS managed policy.
PolicyJSON String The JSON document for the Service Control Policy.
Object Type: AWSAccount
AWSAccountName String The friendly name of the AWS account.
AWSAccountId String The unique ID of the AWS account.
ARN String Amazon Resource Name of the AWS account.
Email String The email address associated with the AWS account.
Status String The status of the AWS account in the organization.
JoinedMethod String The method by which the AWS account joined the
organization.
JoinedTimestamp String The date the AWS account became a part of the
organization.
OrganizationUnit OrganizationU Organization unit holding the AWS Account.
nit


Object Type: OrganizationUnit
OUName String The friendly name of the Organization Unit.
OUId String The unique ID of the Organization Unit.
ARN String Amazon Resource Name of the Organization Unit.
ServiceControlPolicies SCP Service Control Policies attached to the Organization Unit.
Parent OrganizationU Parent Organization Unit.
nit
AWSAccounts AWSAccount AWS Accounts attached to the Organization Unit.

The following default provisioning policies are defined for Account and Account-Group.
Account
• Create: The following table lists the attributes that are required for creating an account.
Name Description
User Name* Enter the user name for IAM user.
AWS Account* Enter the Account ID or ARN of the AWS Account under which the IAM user is to
be created.
Password Enter the password for IAM user that allows users to sign-in to the AWS
Management Console.
Require Password Users must create a new password at next sign-in. Users automatically get the
Reset IAMUserChangePassword policy to allow them to change their own password.
Programmatic Create an access key ID and secret access key for Programmatic Access.
Access
Path Specify the path to the IAM user.
• Enable: The following table lists the attributes that are required for enabling an account.
Name Description
Password Enter the password for IAM user that allows users to sign-in
to the AWS Management Console.
Access Keys Enables the recent access key.
AWS CodeCommit SSH Keys Enables the recent SSH key.
AWS CodeCommit HTTPS Credentials Enables th recent HTTPS credential.

Group
• Create: The following table lists the attributes that are required for creating a group and customer
managed policy.
Name Description
Group
Group Name* Enter the group name for IAM group.
AWS Account* Enter the Account Id or ARN of the AWS account under which the IAM group is to
be created.
Path Specify the path to the IAM group.
CustomerManagedPolicy
Policy Name* Enter the policy name.
AWS Account* Enter the Account Id of the AWS account under which the IAM Policy is to be
created.
Policy Description Enter the policy description.
Policy JSON* Enter the policy document as a JSON string.
Path Specify the path to the policy.
• Update: The following table lists the attributes that are required for updating group and role.
Name Description
UpdateGroup
Group Name Enter the group name for the IAM group.
Path Specify the path to the IAM group.
ARN ARN of the group.
Creation Date Creation date of the group.
AWS Managed Policies Select the AWS managed policies name to be attached.
Customer Managed Policies Select the Customer managed policies name to be attached.
Inline Policies Associated inline policies.
UpdateRole
Role Name Role name for the IAM role.
Path Path to the IAM role.
ARN ARN of the role.
Creation Date Creation date of the role.
MaxSessionDuration Duration in seconds for which this role can be assumed.
Trust Policy JSON Trust policy JSON attached to the Role.

Name Description
AWS Managed Policies Select the AWS managed policies name to be attached.
Customer Managed Policies Select the Customer managed policies name to be attached.
Inline Policies Associated inline policies.
This section describes the additional information related to the AWS Governance Module setup.
(Optional) Upgrade Consideration

When upgrading IdentityIQ to version 8.0 Patch 2,
• to view the list of groups and roles that the customer managed policy is attached to, add the PolicyGroups
and PolicyRoles attributes in schema of object type Customer Managed Policy.
• to get the information of password last used date and access key last used details of IAM User, add the
PasswordLastUsed and AccessKeyLastUsed attributes in the account schema.
For more information on PasswordLastUsed and AccessKeyLastUsed attributes, see “Account Schema” on
page 27.
IAM User Status

Following are the IdentityIQ operations with the corresponding IAM User Status:
• Enable
- Set Console Password (This would also activate the Signing Certificate if it is associated with an IAM
User.)
- Activate Last Created Access Keys
- Activate Last CreatedAWS CodeCommit HTTPS Credentials
- Activate Last CreatedAWS CodeCommit SSH Keys
- Activate Signing Certificates
• Disable
- Deletes Console Password
- Inactive Both Access Keys
- Inactive Both AWS CodeCommit HTTPS Credentials
- Inactive All AWS CodeCommit SSH Keys
- Inactive Signing Certificates

Creating Cross Account Role

To aggregate the data present in AWS accounts in an organization, AWS Governance Module uses assume role
functionality of AWS System. This functionality will help in getting data from different AWS accounts.
• Create cross account role to allow users from one AWS Account to access resources in another AWS
Account.
• AWS Account Ids must be specified in the trust Relationship Policy in JSON format as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::MasterAccount ID:root",
"arn:aws:iam::AccountId1:root",
"arn:aws:iam::AccountId2:root",
"arn:aws:iam::AccountId3:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Where AccountId1, AccountId2, and AccountId3 are the Account Ids that are to be managed.
Operation Specific Service IAM User permissions

This section lists the operation specific administrator permissions required for the following:
• IAM APIs
• Organization APIs
Identity and Access Management APIs

The following table lists the IdentityIQ operations along with the corresponding IAM API (Actions) used:
IdentityIQ operation IAM API (Action)

Test Connection GetUser
Account Update CreateAccessKey
Reset Password • UpdateLoginProfile
• CreateLoginProfile
Group Create CreateGroup
Group Update • UpdateGroup
• AttachGroupPolicy
• DetachGroupPolicy
Create Customer Managed Policy CreatePolicy


Account Aggregation
• Summary/Attributes (UserName, • ListUsers
UserId, Path, ARN, CreateDate, Pass- • GetLoginProfile
wordLastUsed) • ListGroupsForUser
• ConsoleAccess • ListUserPolicies
• Groups • ListAttachedUserPolicies
• AWSManagedPolicies and Custom- • ListAccessKeys
erManagedPolicies • ListServiceSpecificCredentials
• InlinePolicies • ListSSHPublicKeys
• Access Keys • ListSigningCertificates
• AWS CodeCommit HTTPS Creden- • ListMFADevices
tials • GetAccessKeyLastUsed
• AWS CodeCommit SSH Keys
• Signing Certificates
• Multi-Factor Authentication (MFA)
Device
• AccessKeyLastUsed
Account-Group Aggregation (Group)
• Summary/Attributes (GroupName, • ListGroups
GroupId, Path, ARN, CreateDate) • ListAttachedGroupPolicies
• AWSManagedPolicies and Custom- • ListGroupPolicies
erManagedPolicies
• InlinePolicies
Account-Group Aggregation (AWSManagedPolicy and CustomerManagedPolicy)
• Summary/Attributes (PolicyName, • ListPolicies
PolicyId, ARN, Path, CreateDate, • GetPolicy
UpdateDate, DefaultVersionId) • GetPolicyVersion
• Description • (Only for CustomerManagedPolicy) ListEntitiesForPolicy
• PolicyJSON
• (Only for CustomerManagedPolicy)
PolicyGroups, PolicyRoles
Account-Group Aggregation (Role)
• Summary/Attributes (RoleName, • ListRoles
RoleId, Path, ARN, Description, Cre- • ListAttachedRolePolicies
ateDate, TrustPolicyJSON, MaxSes- • ListRolePolicies
sionDuration)
• AWSManagedPolicies and Custom-
erManagedPolicies
• InlinePolicies
Account-Group Aggregation (InlinePolicy)
• Id • No API is called for this attribute, it is formatted as: ARN
• Name of the entity:InlinePolicy:InlinePolicyName
• PolicyJSON • ListUserPolicies, ListGroupPolicies, ListRolePolicies
• GetUserPolicies, GetGroupPolicies, GetRolePolicies


Account Refresh
• Summary/Attributes (UserName, • GetUser
UserId, Path, ARN, CreateDate) • ListGroupsForUser
• Groups • ListAccessKeys
• Access Keys • ListSigningCertificates
• Signing Certificates • GetLoginProfile
• Password • ListMFADevices
• MFA Device • ListServiceSpecificCredentials
• AWS CodeCommit HTTPS Cre-
dentials and AWS CodeCommit SSH
Keys: ListServiceSpecificCredentials
Refresh Operations
• Refresh Group • GetGroup
• Refresh Role • GetRole
• Refresh AWSManagedPolicy and • GetPolicy
CustomerManagedPolicy • GetUserPolicies
• Refresh Inline Policy associated with • GetGroupPolicies
User • GetRolePolicies
• Refresh Inline Policy associated with
Group
• Refresh Inline Policy associated with
Role
Group Delete
• Read Accounts in the Group • DeleteGroup
• Remove Accounts from the Group • GetGroup
• Read Group Policies • RemoveUserFromGroup
• Remove Group Policies • ListGroupPolicies
• DeleteGroupPolicy
Account Enable
• Set Password • UpdateLoginProfile
• Activate Access Keys (Last created • UpdateAccessKey
one) • UpdateServiceSpecificCredential
• Activate AWS CodeCommit HTTPS • UpdateSSHPublicKey
Credentials (Last created one)
• Activate AWS CodeCommit SSH Keys
(Last created one)


Account Delete
• Read Groups • DeleteUser
• Remove Groups • ListGroupsForUser
• Read AWSManagedPolicy and Cus- • RemoveUserFromGroup
tomerManagedPolicy • ListAttachedUserPolicies
• Remove AWSManagedPolicy and • DetachUserPolicy
CustomerManagedPolicy • ListUserPolicies
• Read InlinePolicy • DeleteUserPolicy
• Read Security Credentials • ListAccessKeys
- Access Keys • ListSigningCertificates
- Signing Certificates • GetLoginProfile
- Password • ListMFADevices
- MFA Device • ListServiceSpecificCredentials
- AWS CodeCommit HTTPS • ListSSHPublicKeys
Credentials • DeleteAccessKey
- AWS CodeCommit SSH Keys • DeleteSigningCertificate
• Remove Security Credentials • DeleteLoginProfile
- Access Keys • DeactivateMFADevice
- Signing Certificates • DeleteServiceSpecificCredential
- Password • DeleteSSHPublicKey
- MFA Device
- AWS CodeCommit HTTPS
Credentials
- AWS CodeCommit SSH Keys
Account Disable
• Delete Password • DeleteLoginProfile
• Deactivate Access Keys (All) • UpdateAccessKey
• Deactivate AWS CodeCommit HTTPS • UpdateServiceSpecificCredential
Credentials (All) • UpdateSSHPublicKey
• Deactivate AWS CodeCommit SSH
Keys (All)
Request Entitlement (Group and Managed Policies for User)
• Add group to user • AddUserToGroup
• Add AWSManagedPolicy and Cus- • AttachUserPolicy
tomerManagedPolicy to user
Remove Entitlement (Group, Managed Policies, Inline Policies from User)
• Remove group from user • RemoveUserFromGroup
• Remove AWSManagedPolicy and • DetachUserPolicy
CustomerManagedPolicy from user • DeleteUserPolicy
• Remove Inline Policy from user


Remove Inline Policy
• Read from User • GetUserPolicies
• Delete from User • DeleteUserPolicy
• Read from Group • GetGroupPolicies
• Delete from Group • DeleteGroupPolicy
• Read Role • GetRolePolicies
• Delete from Role • DeleteRolePolicy
Update Role
• Attach AWSManagedPolicy and Cus- • AttachRolePolicy
tomerManagedPolicy • DetachRolePolicy
• Remove AWSManagedPolicy and
CustomerManagedPolicy
Organization APIs
The following table lists the IdentityIQ operations along with the corresponding IAM APIs used for managing
organizational entities:
IdentityIQ operations Organizations API (Actions)

Test Connections Role (Master Account): organizations:ListAccounts
Account-Group Aggregation (OrganizationUnit)
• Summary/Attributes (OUName, OUId, • ListRoots, ListOrganizationalUnitsForParent
ARN, Parent) • ListPoliciesForTarget
• ServiceControlPolicies • ListAccountsForParent
• AWSAccounts
Account-Group Aggregation (SCP)
• Summary/Attributes (SCPName, • ListPolicies
SCPId, ARN, Description, • DescribePolicy
AWSManaged)
• PolicyJSON
Account-Group Aggregation (AWSAccount)
• Summary/Attributes (AWSAccountName, • ListAccounts
AWSAccountId, ARN, EmailId, Status, • ListRoots, ListParents, DescribeOrganizationalUnit
JoinedType, JoinedTimestamp)
• OrganizationUnit
Get Operations
• SCP • DescribePolicy
• AWS Accounts • DescribeAccount, ListRoots, ListParents,
• Organizational Unit DescribeOrganizationalUnit
• DescribeOrganizationalUnit, ListRoots, ListPar-
ents, ListPoliciesForTarget, ListAccountsForParent


Section II: SailPoint IdentityIQ
Application Modules
The SailPoint IdentityIQ Application Modules section includes the following modules:
• “Enterprise Resource Planning Application Modules”
• “SAP Governance Modules”
• “SAP Governance Application Modules”
• “Healthcare Integration Modules”
• “Mainframe Integration Modules”
Enterprise Resource Planning Application
Modules
• “IdentityIQ for SAP ERP - SAP Governance Module”
• “IdentityIQ for SAP ERP - S/4HANA Cloud”
• “IdentityIQ for Oracle ERP – Oracle E-Business Suite”
• “IdentityIQ for SAP ERP – SAP Portal - User Management Web Service”
• “IdentityIQ for Oracle ERP – PeopleSoft”
• “IdentityIQ for Oracle ERP – Siebel”
• “IdentityIQ for Oracle NetSuite ERP”
Overview
Chapter 11: IdentityIQ for SAP ERP -

SAP Governance Module
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Supported Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Schema Extension and Custom Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Upgrade Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Create Account Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Entitlement Validity Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
CUA Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Entitlement Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Password Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Logon and Communication Language Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Delta Aggregation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Partitioning Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Overview
SAP Enterprise Resource Planning software solution is an integrated software solution that incorporates the key
business functions of the organization.
The IdentityIQ for SAP ERP aggregates and provisions all the users along with their roles/profiles of the SAP
system.
IdentityIQ for SAP ERP supports provisioning to a standalone SAP system as well as SAP Central User
Administration (CUA) system.
Supported Features
IdentityIQ for SAP ERP supports the following features:
- Manages SAP users as Accounts
- Aggregation, Partitioning Aggregation, Delta Aggregation, Refresh Accounts, Pass Through
Authentication

Overview
For more information on Delta Aggregation and Partitioning Aggregation, see “Additional Information”
on page 59.
- Change Password
- Add/Remove Entitlements
Entitlements are Roles (for user), Profiles (for user), UserGroup (User group of the user).
- Add /Remove Contractual User Type ID
- Manages SAP Roles as Account-Groups
- Manages SAP Profiles as Account-Groups
- Aggregation, Refresh Groups
Notes
The following table lists the notes of the respective supported features:
Supported features Notes

Pass Through Authentication If Pass Through authentication is enabled, user can login through
IdentityIQ using user name and password without any authorization
required.
Aggregation IdentityIQ for SAP ERP aggregates Generated Profile associated to Role as
a part of Account-Group Aggregation.
Change Password • For “Change password in Permanent Mode” ensure that the
SNC is configured on SAP server. The log on session during
which a productive password is set must be secured using
Secure Network Communications (SNC).
• SAP recommends that setting of productive passwords is
more risky than setting an initial one, therefore additional
security checks must be applied as follows:
- The log on session during which a productive password
is set must be secured using Secure Network
Communications (SNC).
- The user needs an additional authorization to set a
productive password (authorization object:
S_USER_GRP, activity: 'PP' - Set Productive)
For more information, see SAP note
https://service.sap.com/sap/support/notes/1287410 (SAP
Service marketplace login required).

Overview
Supported features Notes

Manages SAP Profiles as Few system composite profiles might have child profiles which are not
Account-Groups present in SAP system. For example, for each release composite profile
SAP_NEW contains a single profile SAP_NEW_<rel>, (for example,
SAP_NEW_21D). This profiles holds its release status. Profiles like
SAP_NEW_<rel> may not be aggregated.
Account - Group Aggregation In Account-Group aggregation for SAP CUA landscape, IdentityIQ for SAP
ERP will not fetch child roles, child profiles of any composite role and
profile, as CUA system does not maintain child level roles and profile
details for child subsystems. Same way it will not fetch TCodes and
Generated Profile for group object type.
Supported Managed Systems

IdentityIQ for SAP ERP supports the following versions of managed systems:
• SAP Enterprise Resource Planning (ERP) Central Component (ECC) 6.0
• SAP NetWeaver 7.5, 7.4, 7.3, 7.2, 7.1 and 7.0
IdentityIQ for SAP ERP supports the following modules of managed systems:
• SAP HR/HCM module
• SAP S/4HANA on-premise
• SAP Business Warehouse
• SAP Customer Relationship Management (CRM)
• SAP Process Integration (PI)
• SAP GRC
• SAP Fiori
• SAP Supply Chain Management (SCM)
• SAP Advanced Planning and Optimization (SAP APO)
Note: IdentityIQ for SAP ERP manages ABAP users. For more information, see "Supported Features"
on page 43.
Prerequisites
SAP JCO version 3.0.x libraries, along with sapjco3.dll (on Microsoft Windows) or libsapjco3.so (on UNIX),
must be present in the java.library.path directory on the host. The JCO libraries (JCO Release 3.0.x) must
be downloaded from the SAP website by navigating to the customer service marketplace and download the Java
Integration Module.
The following table lists the required permissions for the specific operations mentioned below in this section:
Operation Required permissions

Test Connection Test Connection

Overview
Operation Required permissions

Account Aggregation Test Connection and Account Aggregation
Note: For Account Aggregation of CUA systems, additional
permissions must be executed as specified in the “ Account
Aggregation” section.
Group Aggregation Test Connection and Group Aggregation
Note: For Group Aggregation of CUA systems, additional
permissions must be executed as specified in the “ Group
Aggregation” section.
Delta Aggregation Test Connection, Account Aggregation and Delta Aggregation
Create Account Test Connection, Account Aggregation and Create Account
Note: For Create Account of CUA systems or SNC network,
additional permissions must be executed as specified in the “
Create Account (Create user with assign role and profiles)”
section.
Enable/Disable/Unlock Account Test Connection, Account Aggregation and
Enable/Disable/Unlock Account
Delete Account Test Connection, Account Aggregation and Delete Account
Add/Remove Entitlement Test Connection, Account Aggregation and Add/Remove
Entitlement
Change Password Test Connection, Account Aggregation and Change Password
Note: For Change Password of SNC network, additional
permissions must be executed as specified in the “ Add/Remove
Entitlements and Change Password” section.
The role assigned to the SAP Administrative user must have the following Authorization Objects as mentioned in
the tables below.
Test Connection
Authorization Field name Field description Field value

Objects
S_RFC ACTVT Activity 16 - Execute
RFC_NAME Name of RFC object RFCPING
RFC_TYPE Type of RFC object FUGR, FUNC

Overview
Account Aggregation

Objects
S_RFC RFC_NAME Name of RFC object BAPI_USER_GETLIST,
BAPI_USER_GET_DETAIL,
DDIF_FIELDINFO_GET,
MSS_GET_SY_DATE_TIME,
RFC_GET_FUNCTION_INTERFACE,
SDTX, SMSSDATA1, SU_USER
S_TABU_NAM ACTVT Activity 03 - Display
TABLE Name TABLE USR11, USR06, USR02, TUTYP,
TUTYPA
S_USER_GRP ACTVT Activity 03 - Display
CLASS User group in user master * or specify the Group you want to
maintenance assign for the user.
For example, SUPER
• Additional permissions for CUA systems

Objects
S_RFC RFC_NAME Name of RFC object BAPI_USER_LOCACTGROUPS_READ,
BAPI_USER_LOCPROFILES_READ
Group Aggregation

Objects
S_RFC ACTVT Activity 16 - Execute
RFC_NAME Name of RFC object BAPI_HELPVALUES_GET,
PRGN_ACTIVITY_GROUPS_LOAD_RFC,
PRGN_EXCHANGE,
COLL_ACTGROUPS_GET_ACTGROUPS,
DDIF_FIELDINFO_GET,
MSS_GET_SY_DATE_TIME,
PRGN_COLLECTIVE_ACTGROUPS,
RFC_GET_FUNCTION_INTERFACE, SDTX,
SMSSDATA1

Overview

Objects
S_TABU_NAM TABLE Name TABLE • (Roles) AGR_FLAGS, AGR_PROF,
AGR_TCODES, AGR_TEXTS
(Roles)
• (Profiles) AGR_DEFINE, USR11,
UST10C, UST10S
• (To aggregate Authorization
Objects associated with role)
AGR_1251, AGR_1252
Note: If you do not want to aggregate
the Authorization Objects (AGR_1251
and AGR_1252), then these permissions
must not be provided and Authorization
Objects must be removed from group
schema also.
Note: Group aggregation specific to Authorization Objects would not be supported for SAP CUA
system.
• Additional permissions for CUA systems

Objects
S_TABU_NAM TABLE Name TABLE • (Profiles) USRSYSPRF, USRSYSPRFT
• (Roles) USRSYSACTT, USRSYSACT
Delta Aggregation

Objects
S_RFC RFC_NAME Name of RFC object /SAILPOIN/USR_CHANGE_DOC_USERS
, /SAILPOIN/IDENTITYIQ_FUGR,
/SAILPOIN/USR_CHANGE_DOC_ROLES
S_TABU_NAM TABLE Name TABLE USBAPILINK
S_USER_GRP ACTVT Activity 08 - Display change document
Create Account (Create user with assign role and profiles)

Objects
S_USER_GRP ACTVT Activity 01 - Create or generate
S_RFC RFC_NAME Name of RFC object SDIFRUNTIME

Overview

Objects
S_USER_SAS ACTVT Activity 22 - Enter, Include, Assign, 01 -
Create
ACT_GROUP Role name * or you can specify role name for
which you have assigned
For example, SUPER

PROFILE Auth. profile in user master * or you can specify Profile for
maintenance which you have assigned
SUBSYSTEM Receiving system for central * or specify the system you are
user administration targeting.
• For SNC (Secure Network Communication)

Objects
S_USER_GRP ACTVT Activity PP – Set Productive
Enable/Disable/Unlock Account
Authorization Objects Field name Field description Field value

S_USER_GRP ACTVT Activity 05 - Lock
Delete Account
Authorization Objects Field name Field description Field value

S_USER_GRP ACTVT Activity 06 - Delete
Add/Remove Entitlements and Change Password

Objects
S_USER_GRP ACTVT Activity 22 - Enter, Include, Assign,
02-Change, 78 - Assign
S_RFC RFC_NAME Name of RFC object SDIFRUNTIME


Objects
S_USER_SAS ACTVT Activity 22 - Enter, Include, Assign
which you have assigned
For example, SUPER

PROFILE Auth. profile in user master * or you can specify Profile for
maintenance which you have assigned
SUBSYSTEM Receiving system for central * or specify the system you are
user administration targeting.
S_USER_AGR ACTVT Activity 02 - Change
which you want to provide access
S_USER_PRO ACTVT Activity 22 - Enter, Include, Assign
PROFILE Auth. profile * or you can specify profile name
for which you want to provide
access.
- (For Change Password only) For SNC (Secure Network Communication)

Objects
S_USER_GRP ACTVT Activity PP – Set Productive
The following table lists the configuration parameters of IdentityIQ for SAP ERP:
SAP Host* Host on which the SAP Server is running
System Number* 2-digit SAP system number (Default: 00)
Client Number* 3-digit SAP client number (Default: 001)
Client Language* 2-letter SAP client language (Default: EN)
Username* SAP Administrator user
Password* SAP Administrator user password
CUA system For CUA system detection

Unlock on Password Change If checked, the account would be unlocked while changing password.
Note: Account will be unlocked at the time of set password only if the
account is locked by incorrect password attempts.
Partition Enabled Check box to determine if partition aggregation is required.
Partition Statements Criteria to specify the range of users to be downloaded.
For example, If the range is specified as A-M, then this specifies that all
the users whose User IDs are between A and M (including A and M) would
be treated as one partition and downloaded.
To specify more than one partition the entries should be separated using
a new line character. For more information, see “Partitioning
Aggregation” on page 63.
Load Balance Configuration parameters
Load Balancer Select this to configure and enable load balancing on this application.
Host SAP message server host.
Note: Required for a logon load balanced connection.
Client Group Logon group name of SAP application servers.
Port Number SAP message server service or port number.
SNC Configuration parameters
SNC Mode Represents Secure Network Connection which also internally signifies
jco.client.snc_mode in SAP. SNC will be enabled if the mode is
selected as ON whose value is 1. If SNC is off, the value will be 0.
SNC Level of Security Represents the quality of protection level (QOP) which is defined as
follows:
1 — Apply authentication only

2 — Apply integrity protection (authentication)
3 — Apply privacy protection (integrity and authentication)
8 — Apply the default protection
9 — Apply the maximum protection
In SAP, it relates to jco.client.snc_qop. Default: 1

SNC Partner Name Represents SNC partner.
For example, provide input as p:CN=R3, O=XYZ-INC, C=EN in SAP. If SNC is

configured, it relates to jco.client.snc_partnername.
SNC Name Represent SNC name which internally signifies
jco.client.snc_myname. It overrides default SNC partner.

Schema Attributes
SNC Library Path to library which provides SNC service. It internally signifies
jco.client.snc_lib.
For example, the value to be passed:

• on Microsoft Windows:
C:/sapcryptolib/sapcrypto.dll (the location of the
cryptographic library)
• on UNIX:
/opt/sailpoint/lib/custom/libsapcrypto.so (the
location of the cryptographic library)
SAP GRC Settings parameters
Enable SAP GRC Enables the application for SAP GRC policy violation checks.
SAP GRC Connector Name SAP GRC Connector name which is configured on GRC server for this
application.
Note: For more information on SAP GRC configuration, see SailPoint SAP Governance Application
Module Guide.

To enable JCO RFC client trace add the following entry key in the application debug page:
<entry key="trace">
<value>
</value>
</entry>
Note: Enabling this parameter can result in printing of secure data in logs.
Schema Attributes
Account Attributes
Academic Title (Address) Academic title of the user.
Academic Title 2 (Address) 2nd Academic title of the user.
Addr Number (Address) Address number of the user.

Schema Attributes
Alias (Logon Data) Alias name.
Birth Name (Address) Name at birth.
Building (Address) Name of the building.
Building 2 (Address) Name 2 of the building.
Building Long (Address) Long name of the building.
Care of (Address) Care of name.
Check Status (Address) Check status for the user.
City (Address) Name of the city.
City Number (Address) Number of the city.
Code (Address) Signature initials
Communication Language (Address) Communication language of the user.
Note: The different values to be set for this attribute are

mentioned in “Logon and Communication Language Attributes”
on page 60.
Communication type (Address) Communication method for the user.
Company (Address) Name of the company.
Company Address (Address) Address of the company.
Company Address 2 (Address) Address 2 of the company.
Contractual User Type ID Contractual user types associated with user.
Note: For more information, see “Upgrade Considerations” on
page 58.
Country (Address) Name of the country.
Country ISO (Address) ISO name of the country.
Delivery District (Address) Delivery district name.
Department (Address) Department name.
District (Address) District name.
District Number (Address) District number for the user.
E-Mail (Address) E-mail address.
E-Mail List (Address) E-mail address list.
Employee Number (Address) Employee number of the user.
Fax (Address) Fax number.
Fax Extension (Address) Fax extension number
Fax List (Address) Fax number list

Schema Attributes
First name (Address) First name of the user
Floor (Address) Floor number
Floor 2 (Address) Floor 2 number
Format (Address) Format name
Full Name (Address) Full name of the user
Full Name 2 (Address) Full name 2 of the user
Function (Address) Function of the user
GUI Flag Unsecured communication permitted.
House Number 2 (Address) House number 2 of the user
House Number (Address) House number of the user
House Number 3 (Address) House number 3 of the user
Inhouse ML (Address) Inhouse mail of the user
Initials (Address) Initials of the user
Language CR P (Address) CR P language of the user
Language ISO (Address) ISO language of the user
Language UCP ISO (Address) CP ISO language of the user
Language UP ISO (Address) P ISO language of the user
Last Name (Address) Last name of the user
Location (Address) Location name
Logon Language (Defaults) Logon language for the user.
Note: The different values to be set for this attribute are

mentioned in “Logon and Communication Language Attributes”
on page 60.
Middle Name (Address) Middle name of the user
Name Country (Address) Name of the country
Nickname (Address) Nickname of the user
Notes (Address) Notes for the user
Other City (Address) Name of the other city
Other City Number (Address) Number of the other city
Pager/SMS List (Address) Pager or SMS number list in the format
pager_type#pager_number
Parameter List (Parameters) Parameter list in the format prameter_ID=parameter_value
Pboxcity Number (Address) Pbox number of the city
PCODE 1 Ext (Address) Postal code 1 extension

Schema Attributes
PO Box (Address) PO box number
PO Box City (Address) PO box number of the city
PO Box City ISO (Address) PO box number of the ISO city
PO Box Country (Address) PO box number of the country
PO Box Region (Address) PO box number of the region
PO Box Without Number (Address) PO box without number
Postal Code (Address) Postal code of the user
Postal Code 2 (Address) 2nd postal code of the user
Postal Code 3 (Address) 3rd postal code of the user
Prefix 1 (Address) 1st prefix
Prefix 2 (Address) 2nd prefix
Print Immediately (Defaults) Print immediately flag for the user
Printer List (Address) Print destination list
Region (Address) Name of the region
Region Group (Address) Group name of the region
Remote Communication List Communication notes list
(Address)
Remote Function Call List (Address) Remote function call destination list
Remote Mail List (Address) Remote mail list of the user
Room Number (Address) Room number of the user
Room Number 2 (Address) 2nd room number of the user
Reference User Reference user name.
Search Term 2 P (Address) 2nd search term P for the user
Search Term P (Address) Search term P for the user
Search Term 1 (Address) 1st search term for the user
Search Term 2 (Address) 2nd search term for the user
Second Name (Address) Second name of the user
Start Menu (Defaults) Start menu for the user
Street Abbreviation (Address) Street abbreviation for the user
Street Address (Address) Street address of the user
Street Address 2 (Address) Street address 2 of the user

Schema Attributes
Street Number (Address) Street number of the user
SNC Name SNC name.
Tax Jurisdiction Code (Address) Tax jurisdiction code of the user
Telephone (Address) Telephone number
Telephone Extension (Address) Telephone extension number
Telephone List (Address) Telephone number list
Teletex List (Address) Teletex number list
Telex List (Address) Telex number list
Time Format (Defaults) Time format of the user
Time Zone (Address) System time zone.
Title (Address) Title of the user
Title SPPL (Address) Title SPPL of the user
Transportation Zone (Address) Transportation zone of the user
TZone (Defaults) Personal time zone.
URL (Homepage) List (Address) URL (Homepage) address list in the format URI_type#URI_name
User Last Logon Time User last log in time.
User Last Logon Date User last log in date.
Productive Password User password set in permanent mode.
User Name User Name.
User Title (Address) Title of the user
User Type (Logon Data) Type of the user
User Valid From (Logon Data) Valid from date for the user
User Valid To (Logon Data) Valid to date for the user.
User Group (Groups) User group of the user
X.400 List (Address) Organization name list
Roles Roles for user.
Note: The Account Aggregation fetches the active roles
(composite /simple) assigned directly to the user.
Profiles Profiles for user.
Group Attributes
The following table lists the different group attributes:

Schema Attributes
Group Object Type = Role
Name Role name.
Type Role type.
Description Role description.
Child Roles Sub Role list.
Note: The child roles will display the child roles of composite roles in the
Group object properties of Entitlement Catalog. For existing applications
which are getting upgraded, mark entitlement as true to display the child
roles in Entitlement grid of Group object properties.
Long Description Role long description.
Subsystem System name for CUA System Aggregation.
Generated Profile System generated profile associated to Role which has authorizations.
TCodes Transaction code list.
Authorization Objects Authorization objects associated with role.
Group Object Type = Profile
ID Profile name along with the description.
Name Profile name.
Type Profile type.
Description Profile description.
Subsystem System name for CUA System Aggregation.
Child Profiles Sub profile list.
Schema Extension and Custom Attributes

The schema can be extended up to the extent of the fields within the structures provisioned by the SAP standard
BAPI. The fields in the following structures will be provisioned:
• ADDRESS
• ALIAS
• COMPANY
• DEFAULTS
• LOGONDATA
• PASSWORD
Note: No custom attributes will be supported during provisioning.

While upgrading to IdentityIQ version 8.0 Patch 2, perform the following changes at schema level:
• Ensure that in Role schema, following attributes are added with appropriate properties:
- Generated Profile
- TCodes (Entitlement, Multi-Valued)
- Authorization Objects
• In order to achieve the profile aggregation functionality for an existing application in previous releases it
is recommended to perform the following procedure:
- Add Profile schema under the Settings tab in the application page
- In Account Schema the schemaObjectType attribute of Profiles must be changed to profile.
• To skip the inactive roles assignment during aggregation, add the following line in the application debug
page:
<entry key="skipInactiveRoles" value="true"/>
Note: When upgrading IdentityIQ from version 6.x to 8.0 Patch 2, ensure that the ‘Include
Permissions’ check box in Role schema is not selected.
• To fetch Contractual user types associated with user after upgrading IdentityIQ to version 8.0 Patch 2, add
the Contractual User Type ID attribute to the application with:
- Property: Multi-Valued
- Data Type: string
Note: Only the active Contractual User ID assigned to the user would be aggregated.
• To support aggregation and provisioning of Contractual User Type ID in the language configured in SAP
Direct application, configure the following entry key as true:
<entry key="useClientLanguageForLicense" value="true"/>

This section lists the different policy attributes of IdentityIQ for SAP ERP.
Note: The attributes marked with * sign are the required attributes.
Create Account Attributes

The following table lists the provisioning policy attributes for Create Account:
User Name* Name of the user to create.
password Password for the user.
Last Name* Last name of the user.

This section describes the additional information related to the IdentityIQ for SAP ERP.
Entitlement Validity Period

The user can be assigned a SAP Role with Start Date and an End Date. The ability to select or specify the same,
while requesting an entitlement for an account, is available in IdentityIQ by creating custom Provisioning Plan.
CUA Support
By default the IdentityIQ for SAP ERP would not download data from CUA configured SAP System. In order to
override this behavior, the CUASystem configuration parameter must be checked in configuration parameter list.
Entitlement Data
The aggregated entitlement data consists of the following:
• SAP Roles (Simple and Composite)
• SAP Profiles (Simple and Composite)
Password Change
The following change password policy must be added to set password as productive using administrative change
password request.
<Form name="con_prov_policy_user_create_username" objectType="account"
type="ChangePassword">
<Attributes>
<Map>
<entry key="IIQTemplateOwnerDefinition">
<value>
<DynamicValue value=""/>
</value>
</entry>
</Map>
</Attributes>
<Field displayName="Productive Password" filterString=""
helpKey="ProductivePasswordFlag" name="Productive Password" required="true"
type="string" value="true">
<AllowedValuesDefinition>
<Value>
<List>
<String>true</String>
<String>false</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
</Form>

Logon and Communication Language Attributes

Following is a list of different Logon and Communication Language fields:
• Serbian
• Chinese
• Thai
• Korean
• Romanian
• Slovenian
• Croatian
• Malay
• Ukrainian
• Estonian
• Afrikaans
• Icelandic
• Catalan
• Serbian (Latin)
• Indonesian
• Arabic
• Hebrew
• Czech
• German
• English
• French
• Greek
• Hungarian
• Italian
• Japanese
• Danish
• Polish
• Chinese traditional
• Dutch
• Norwegian
• Portugese
• Slovak
• Russian
• Spanish
• Turkish
• Finnish
• Swedish
• Bulgarian
• Lithuanian
• Latvian
• Customer reserve
Delta Aggregation
This section describes the procedure for configuring the SAP Connector for Delta Aggregation.

Supported attributes
The SAP Direct Connector supports Delta Aggregation for the following attributes:
• User created
• User deleted
• Password
• User Type
• Administrator lock set // IdentityIQ Disabled
• Administrator lock released // IdentityIQ Enabled
• Incorrect logon lock set // IdentityIQ Locked
• Incorrect logon lock released // IdentityIQ Unlocked
• Validity Period
• Account Number
• User Group
• SAP Profile(s) Assigned
• SAP Profile(s) Deleted
• Security Policy
Importing the BAPIs

This section describes how to import the transport request that contains the non - certified function modules
used by SAP Connector to achieve the delta aggregation functionality.
Function modules are imported using one of the following methods:
• Using the Transport Control program manually
• Using the menu-driven administration of Transport Requests via SAP GUI
Prerequisites
Copy the API Transport files to SAP. Use the following procedure to unpack and import the transport files function
modules:
1. Copy the transport files.
Transport request is contained in the ImportSAPDirect.TAR compressed file.
The compressed file for each release contains the following files:
- RrequestNumber.sapId
- KrequestNumber.sapId
Using WinZip or a similar utility, uncompress and copy each file from the appropriate compressed file to the
subdirectory of the local transport directory of the target SAP system as follows:
- Copy the RrequestNumber.sapId file to the
sapHomeDir\trans\data\RrequestNumber.sapId directory.
- Copy the KrequestNumber.sapId file to the

sapHomeDir\trans\cofiles\KrequestNumber.sapId directory.
Note: The values of requestNumber and sapId. These values are required later.

Using the Transport Control Program manually

1. At the command prompt (for both Microsoft Windows or UNIX systems), enter the following command to
register the transport with the buffer:
os prompt> tp addtobuffer sapIdKrequestNumber yourSid
In the preceding command line, sapId and requestNumber were determined in step 1 of “ Prerequisites”.
2. Enter the following command to import the above transport request in to your SAP Solutions system:
os prompt>tp import sapIdKrequestNumber yourSid client=yourClient U126
After executing the tp import command, the system issues a return code, indicating the status of the import.
The most common return codes are described in the table below:
Table 1—Transport Request Import - Common Return Codes

Return Code Description
0 Successful import. The Transport imported successfully.
4 Warning status. Minor version differences were detected. The Transport Imported
successfully. (No action is required.)
Importing the Transport via SAP GUI

If you are running SAP GUI, use the following procedure for importing the function modules:
1. Log in to SAP GUI with administrator permissions.
2. Perform one of the following:
- From the Command field, run transaction STMS
OR
- From the menu, select Tools => Administration => Transports => Transport management system.
3. In the Transport Management System window, press F5.
4. In the Import Overview window, double-click your system queue.
The requests list for the system is displayed.
5. From the menu bar in the Import Queue window, select Extras => Other requests => Add.
6. Enter the request number and click Yes.
7. In the Attach to import queue message box, click Yes.
8. In the Import Queue window, click on the new line, and then press Ctrl + F11 to import the request.
9. In the Import Transport Request dialog box, perform the following:
a. In the Target client field, enter the name of the SAP client to which you want to import the trans-
port.
b. On the Date tab, under Start Date, set the values that you require.
c. On the Execution tab, under Import, ensure that Synchronous is selected.
d. On the Options tab, under Import options, ensure that all of the check boxes are selected.
10. In the Start Import dialog box, click Yes.
Verification
All non-validated function modules are transported as a function group whose name starts with SailPoint’s
unique namespace ("/SAILPOIN")

Troubleshooting
To verify that the required function modules have been imported in to the SAP system, perform the following:
1. In the SAP system, execute SE37 transaction.
2. Enter: /SAILPOIN/* in the Function Module field.
3. Press the F4 key.
This displays the Repository Info System window that lists all the imported functional modules currently
available on the SAP system as follows:
- SAILPOIN/USR_CHANGE_DOC_ROLES
- SAILPOIN/USR_CHANGE_DOC_USERS
Partitioning Aggregation
To use the partitioning aggregation feature in IdentityIQ for SAP ERP perform the following:
1. Select the Partition Enabled check box.
2. Specify the criteria for partitioning in the Partition Statements textbox of the configuration parameter.
IdentityIQ for SAP ERP accepts multiple characters in partition statement.
For example, -AZ, -MZ, KA-RL, SA-SZ and ABG-ASHI
The AL- and K- values are not accepted in the partition statement.
To specify more than one partition the entries must be separated using a newline character.
Troubleshooting
1 - Distribution of a user to SAP CUA Subsystem

In a SAP CUA landscape, a SAP role or profile requires a SUBSYSTEM to distribute the user to. The facility to select
or specify the same, while requesting an entitlement for an account, is absent in IdentityIQ.
Workaround: The subsystem name is prepended to the Account-Group while aggregating account-groups from
a SAP CUA system. As a result, only a limited subset of subsystem and account-group combinations will be
available while requesting entitlements, and thus distributing users, in a SAP CUA landscape.
2 - Removed Entitlements are present in Current access page

Even after the execution of Refresh Entitlement Correlation the entitlements are not getting deleted from the
current access page.
Workaround: Execute the Perform Identity Request Maintenance task to remove those entitlements. Ensure
that the Verify provisioning for requests option is selected for this task.
3 - Password not set in permanent mode

After upgrade to the existing application, the password is not set in permanent mode, even when the user is
created with the Password in permanent mode attribute selected.
This behavior occurs since the attribute name has changed from Password in permanent mode to Productive
Password.

Troubleshooting
Workaround: In the debug page rename Password in permanent mode to Productive Password in schema and
provisioning plan.
4 - Few attributes are not working after upgrading to version 8.0 Patch 2
Few attributes are not working after upgrading from version 6.0 patch 7 and version 6.1 to version 8.0 Patch 2.
Resolution: Open the application debug page of version 6.4 and use the following corresponding parameters:
Parameters used in version 6.0 patch 7/6.1 Parameters to be used in version 8.0 Patch 2
Password in permanent mode Productive Password
Deactivate Password Deactivated
LASTNAME Last name
Reference User Name Reference User
User Last Login User Last Logon Time
5 - Login fails for non aggregated accounts when pass through is enabled
Login fails for non aggregated accounts when pass through is enabled.
In IdentityIQ for SAP ERP the SAPJCO libraries are used, which need permission to make connection with SAP
Server. The user who does not have these permissions will not be able to log in and will not be a valid member
of the authentication process.
Resolution: Perform the following to add the administrator permissions:
1. Run the PFCG transaction (Profile generator, maintain your roles, authorizations, and profiles) and enter
the role name.
2. Click on Single and save the Role created.
3. Click on Authorization Tab => Display Authorization Data.
Template will appear, cancel the template.
4. Click on Manual tab and add the following:
- S_RFC (All Activities)
- S_USER_AGR (Activities: 02, 03, 22, 36, 78)
- S_USER_GRP (Activities: 01, 02, 03, 05, 06, 22, 78)
- S_USER_PRO (Activities: 01, 02, 03, 06, 07, 22)
- S_USER_AUT (Activities : 03, 08)
- S_USER_SAS (Activities : 01, 06, 22)
- S_TABU_DIS (Activities: All Activities)
(Additionally for SAP CUA System) S_USER_SYS (Activities: 03, 59, 68, 78)
- Click on the Generate (Shift+F5) icon.
- Click on the Save (Ctrl+S) icon.
- Click on Back (F3) icon.

Troubleshooting
5. Click on the Generate (Shift+F5) icon and assign the above created role to a SAP user who must be an
administrator.
6. Run the PFCG transaction.
7. Provide the role name which the customer has created.
8. Click on USER tab => User Comparison.
6 - When performing Delta Aggregation after upgrade, an error message appears

When performing Delta Aggregation after upgrade, the following error message appears:
Aggregation date needs to be set in configuration.
Resolution: Open the SAP-Direct application debug page and set the following parameters:
<entry key="lastAggregationDate" value="2014-06-21"/>
<entry key="lastAggregationTime" value="20:54:34"/>
In the above parameters the format of Date and Time are as follows:
• Date: yyyy-MM-dd (the date should be the current date of the SAP server)
• Time: HH:mm:ss (the time should be the current time of the SAP server)
7 - Change password feature is not working with SNC, when PRODUCITVE_PWD

attribute is X
Change password feature is not working with SNC, when PRODUCITVE_PWD attribute is X.
Resolution: Define the productivePasswordValue attribute in debug pages as follows:
<entry key="productivePasswordValue" value="1">
By default the code would consider the value as X.
8 - Aggregation fails with error 'NOT AUTHORIZATION'

Aggregation fails with the following error due to not having proper authorization of authorization object
'S_TABU_DIS (Activities: All Activities)'.
Resolution: Provide the authorization of authorization object ‘S_TABU_DIS (Activities: All Activities)’
Activities-All
Table Authorization Group-* (means all)
Or skip aggregation of license data of the user by adding the following entry key in debug pages of the application:
<entry key="skipLicenseData">
<value>
</value>
</entry>
9 - Test connection fails with an error message

Test connection fails with the following error message:
com.sap.conn.rfc.driver.CpicDirver

Troubleshooting
Resolution: Download the latest SAPJCO.jar and SAPJCO.dll files from SAP Marketplace and then use that
SAPJCO Jar file with the latest downloaded SAPJCO dll file.
10 - Role and Profile description in a language other than English

Resolution: In Account-Group Aggregation, if the Role and Profile Description is required in a language other than
English language, add the descriptionLanguage parameter with the correct value.
For example, <entry key="descriptionLanguage" value="D"/>
In the above example, the value 'D' is the language code for Dutch language supported by SAP.
If the descriptionLanguage parameter is not provided, the descriptions displayed are in English language.
11 - Login to IdentityIQ fails for username and password with utf8 characters
The following error message appears when login to IdentityIQ for username and password with utf8 characters:
ERROR http-8080-1 sailpoint.server.Authenticator:323 -
sailpoint.connector.AuthenticationFailedExcept
com.sap.conn.jco.JCoException: (109) RFC_ERROR_CANCELLED: Handle close pending
Resolution: Add the following entry in the application debug page:

<entry key="jco.client.codepage" value="4110"/>
12 - Test connection/aggregation fails with an error message

Test connection / aggregation fails with the following error message:
Bad username or password. com.sap.conn.jco.JCoException: (109)
RFC_ERROR_CANCELLED: Handle close pending
Resolution: Ensure that the administrator user specified in application has sufficient rights on the SAP systems
as mentioned in the “Administrator Permissions” on page 45 section.
13 - Test connection/aggregation fails if user name or password contain UTF-8

character
<entry key="jco.client.pcs" value="2"/>
14 - Test Connection fails with an error even when all the required libraries are
there in the required path
Test connection fails with the following error may be due to the libraries not getting loaded in Java even when all
the required libraries are there in the required path:
[ConnectorException] [Error details] Destination Listener not initialized. Please
make sure that all required libraries are in path.
Resolution: This issue can be resolved by performing the following procedure:

1. Create a folder/directory and place all the required libraries in it as mentioned in “Prerequisites” on
page 45.

Troubleshooting
2. Set the following environment variable:

• LD_LIBRARY_PATH => location of libraries in Linux
• PATH => location of libraries in Windows
For example, LD_LIBRARY_PATH=/home/admin/lib

Troubleshooting

Overview

S/4HANA Cloud
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Overview
SAP S/4HANA is an Enterprise Resource Planning (ERP) Business Suite based on the SAP HANA in-memory
database with which transactions and business data analysis can be performed in real-time.
IdentityIQ for SAP ERP - S/4HANA Cloud supports aggregating and provisioning for the Business users along with
their business roles of the SAP S/4HANA system.
Supported Features
IdentityIQ for SAP ERP - S/4HANA Cloud supports the following features:
- Manages SAP S/4HANA business users of Employee type as Accounts
- Enable/Disable Account
- Aggregation
- Add/Remove Entitlements (Business Roles)
- Manages Business Roles as Account-Groups
- Aggregation
Note: Group Aggregation is supported through reading of roles data through CSV files. For more
information, see “ Prerequisites”.
Prerequisites
1. Create Communication Users, System and Arrangement on the SAP system for the SAP S/4HANA Cloud con-
nector.
2. Export the Role Data.

For more information on exporting the role data and creating the communication users, system and
arrangement, see SAP S/4HANA Cloud Prerequisites.
The following table lists the required permissions for the specific operations mentioned below in this section:
Operation Required Permissions

Test Connection Test Connection
Aggregation Test Connection and Aggregation
Provisioning Test Connection, Aggregation and Provisioning
The administrative user must have access to the following Inbound Services to perform the operations:
Operation Inbound SOAP Services Service Interface

Test Connection Business User - Read https://<hostname>/sap/bc/srt/scs_ext/sap/querybusi
nessuserin
Account/Group Business User - Read
Aggregation https://<hostname>/sap/bc/srt/scs_ext/sap/querybusi
nessuserin
Provisioning Business User - Update https://<hostname>/sap/bc/srt/scs_ext/sap/managebu
sinessuserin
The following table lists the configuration parameters of IdentityIQ for SAP ERP:
S/4HANA Connection Settings
URL* URL to connect to the S/4HANA Cloud system.
For example, https://<Service URL/ Service Instance>.com

User Name* S/4HANA Cloud communication user with required permissions.
Password* Password for the communication user.
Page Size Number of records to fetch in a single page.
Role Details File Path* Enter the CSV file path. The CSV file contains the following details:
• Business Role UUID
• Business Role ID

Schema Attributes
Schema Attributes
Account Attributes
First Name First name of business user.
Last Name Last name of business user.
Person External ID Person external ID of business user.
Business Partner Role Business partner role of business user.
Person ID Person ID of business user.
Email Email address of business user.
User Name User name of business user.
User ID User ID of business user.
Employee Date Valid From Employment start date of the business user.
Employee Date Valid To Employment end date of the business user.
Is Locked Is business user locked.
Business Roles Business roles assigned to business user.
Group Attributes
Business Role UUID Business Role Universally Unique Identifier.
Business Role ID Business Role ID.
Troubleshooting
1 - Invalid file extension

If an incorrect Role Details File Path is provided without the extension of the file, the following error message
appears during aggregation:
“Exception during aggregation of Object Type account on Application SAP HANA. Reason:
Unable to create iterator sailpoint.connector.InvalidConfigurationException:

Troubleshooting
[InvalidConfigurationException] [Possible suggestions] Ensure that Role Details File

Path is correct and accessible. [Error details] Invalid Role Details file path.“
Resolution: Ensure that the .csv file extension is provided.
2 - Incorrect Connection Credentials

The following error message appears when incorrect inputs are provided for URL, Username or Password:
For Invalid URL 403 Not Authorized.
For Invalid UserName / Password 401 Not Authorized.
Resolution: Ensure that the inputs provided for URL, Username and Password are correct and valid.
3 - Test Connection fails with an error message

[ConnectorException] [Possible suggestions] Provide correct configurations, ensure
user is active with correct set of permissions and credentials. [Error details] Error
extracting response from XML
Resolution: Enter the value of URL correctly. For more information, see SAP S/4HANA Cloud Prerequisites.

Overview
Chapter 13: IdentityIQ for Oracle ERP

– Oracle E-Business Suite
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Additional Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Create Account Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Create Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Overview
The Oracle E-Business Suite is an integrated suite of development, runtime, and system management tools. It also
includes Forms, JDeveloper, Single Sign-On, Oracle Internet Directory, Portal, Discoverer, Web Cache, Integration,
Oracle BPEL Process Manager.
IdentityIQ for Oracle ERP – Oracle E-Business Suite controls the activities related to account/groups by signing in
managed system. IdentityIQ for Oracle ERP – Oracle E-Business Suite will manage the following entities of Oracle
E-Business Suite:
• User
• Group (Responsibility, Role)
Supported Features
IdentityIQ for Oracle ERP – Oracle E-Business Suite supports the following features:
- Manages Oracle E-Business Suite users
- Aggregation, Refresh Accounts, Discover Schema
- Create, Update
- Enable, Disable, Change Password

Overview

Supports multiple group functionality.
- Manages Oracle E-Business Suite groups as RESPONSIBILITY
• Aggregation, Refresh Groups
The following versions represent the respective responsibilities:
• 4: Oracle Applications
• W: Oracle Self-Service Web Applications
• M: Oracle Mobile Applications
IdentityIQ for Oracle ERP – Oracle E-Business Suite aggregates responsibilities of only type ‘4’ ‘W’
and ‘M’. Hence Account-Group aggregation fetches only responsibilities of type ‘Oracle
Applications’ ‘Self-Service Web Applications’ and ‘Oracle Mobile Application’.
For more information on upgraded application of IdentityIQ, see “Upgrade Considerations” on
page 84.
• Create, Update
- Manages Oracle E-Business Suite groups as ROLE
• Aggregation, Refresh Groups

Following versions of Oracle E-Business Suite are supported by the IdentityIQ for Oracle ERP – Oracle E-Business
Suite:
• Oracle E-Business Suite 12.2.1 to 12.2.8
• Oracle E-Business Suite 12.1.x
Prerequisites
The compatible JDBC drivers must be used in the classpath of IdentityIQ for connecting to Oracle E-Business
Server. For example, ojdbc8.jar.
Note: - (For Invoker rights only) After upgrading IdentityIQ to version 8.0 Patch 2, invoke the upgraded
wrapper packages. For invoking the new wrapper package, additional permissions must be
provided.
- Few additional permissions are required for definer rights also.
For more information on the additional permissions, see "Additional Administrator
Permissions” on page 77.
1. Rights present on Oracle packages:
Enter the following command to find the rights present on the Oracle packages:
SELECT dbo.object_name,
(DECODE(SIGN(bitand(options,16)),1,'INVOKER','DEFINER')) "authid"
FROM dba_objects dbo, sys.PROCEDURE$ p

Overview
WHERE p.obj# = dbo.object_id

AND dbo.object_type = 'PACKAGE'
AND dbo.object_name = 'xxx'
AND dbo.owner = 'APPS';
Where xxx package is FND_USER_PKG, FND_RESPONSIBILITY_PKG, WF_LOCAL_SYNCH, FND_WEB_SEC,
FND_GLOBAL, or FND_USER_RESP_GROUPS_API.
Sample example:
Enter the following command to find the rights present on the FND_USER_PKG:
SELECT dbo.object_name,
(DECODE(SIGN(bitand(options,16)),1,'INVOKER','DEFINER')) "authid"
FROM dba_objects dbo, sys.PROCEDURE$ p
WHERE p.obj# = dbo.object_id
AND dbo.object_type = 'PACKAGE'
AND dbo.object_name = 'FND_USER_PKG'
AND dbo.owner = 'APPS';
2. If xxx package has Invoker rights, perform the following:
Copy the package scripts from
identityiq\integration\OracleEBS\iiqIntegration-OracleEBS.zip directory to the
OracleHome\bin directory and rename the type of scripts from *.txt to *.sql
Using SQL*Plus, log in to the Oracle database as APPS and run the following:
Run the @SP_xxx package script using SQL*Plus
Sample example: If FND_USER_PKG has invoker rights, run the @SP_FND_USER _PKG script using SQL*Plus
Perform this step for all xxx packages.
3. Log in to the Oracle database as database administrator for creating the new administrator user account
using SQL*Plus as follows:
create role ${new role};
create user ${new user} identified by ${password};
grant create session to ${new user};
grant create synonym to ${new user};
alter user ${new user} enable editions;
grant ${new role} to ${new user};
Grant permissions to the new role created in the above step (${new role}):
grant select on APPS.FND_PRODUCT_GROUPS to ${new role};
grant select on APPS.FND_USER to ${new role};
grant select on SYS.DBA_USERS to ${new role};
grant select on APPS.FND_RESPONSIBILITY_VL to ${new role};
grant select on APPS.FND_APPLICATION_VL to ${new role};
grant select on APPS.FND_DATA_GROUPS to ${new role};
grant select on APPS.FND_USER_RESP_GROUPS_ALL to ${new role};
grant select on DUAL to ${new role};
grant select on APPS.PER_ALL_PEOPLE_F to ${new role};
grant select on APPS.RA_CUSTOMERS to ${new role};
grant select on APPS.FND_MENUS to ${new role};
grant select on APPS.FND_REQUEST_GROUPS to ${new role};
grant select on APPS.FND_APPLICATION to ${new role};
grant select on APPS.FND_DATA_GROUP_UNITS to ${new role};
grant select on APPS.FND_APPLICATION_TL to ${new role};

Overview
grant select on APPS.FND_RESPONSIBILITY to ${new role};

grant select on APPS.WF_ROLES to ${new role};
grant select on APPS.WF_LOCAL_ROLES to ${new role};
grant select on APPS.WF_ALL_ROLES_VL to ${new role};
grant select on APPS.WF_ROLE_HIERARCHIES to ${new role};
grant select on APPS.FND_REQUEST_GROUP_UNITS to ${new role};
• If xxx package has Definer rights, perform the following:
grant execute on APPS.xxx to ${new role};
For example, grant execute on APPS.FND_USER_PKG to ${new role};
• If xxx package has Invoker rights, perform the following:
grant execute on APPS.SP_XXX to ${new role};
For example, grant execute on APPS.SP_FND_USER_PKG to ${new role};
4. Login by the new user name ${new user} and create the following synonym:
create synonym FND_PRODUCT_GROUPS for APPS.FND_PRODUCT_GROUPS;
create synonym FND_USER for APPS.FND_USER;
create synonym DBA_USERS for SYS.DBA_USERS;
create synonym FND_RESPONSIBILITY_VL for APPS.FND_RESPONSIBILITY_VL;
create synonym FND_APPLICATION_VL for APPS.FND_APPLICATION_VL;
create synonym FND_DATA_GROUPS for APPS.FND_DATA_GROUPS;
create synonym FND_USER_RESP_GROUPS_ALL for APPS.FND_USER_RESP_GROUPS_ALL;
create synonym PER_ALL_PEOPLE_F for APPS.PER_ALL_PEOPLE_F;
create synonym RA_CUSTOMERS for APPS.RA_CUSTOMERS;
create synonym FND_MENUS for APPS.FND_MENUS;
create synonym FND_REQUEST_GROUPS for APPS.FND_REQUEST_GROUPS;
create synonym FND_APPLICATION for APPS.FND_APPLICATION;
create synonym FND_RESPONSIBILITY for APPS.FND_RESPONSIBILITY;
create synonym FND_APPLICATION_TL for APPS.FND_APPLICATION_TL;
create or replace synonym FND_DATA_GROUP_UNITS for APPS.FND_DATA_GROUP_UNITS;
create or replace synonym WF_ROLES for APPS.WF_ROLES;
create or replace synonym WF_LOCAL_ROLES for APPS.WF_LOCAL_ROLES;
create or replace synonym WF_ROLE_HIERARCHIES for APPS.WF_ROLE_HIERARCHIES;
create or replace synonym WF_ALL_ROLES_VL for APPS.WF_ALL_ROLES_VL;
create synonym FND_REQUEST_GROUP_UNITS for APPS.FND_REQUEST_GROUP_UNITS;
• If xxx package has Definer rights, perform the following:
create or replace synonym xxx for APPS.XXX;
For example, create or replace synonym FND_USER_PKG for APPS.FND_USER_PKG;
• If xxx package has Invoker rights, perform the following:
create or replace synonym xxx for APPS.SP_XXX;
For example, create or replace synonym FND_USER_PKG for APPS.SP_FND_USER_PKG;

Note: If table ar_customers exist instead of ra_customer then provide the select permissions as
follows:
grant select on APPS.AR_CUSTOMERS to ${new role};
Also the synonym must be as follows:
create synonym AR_CUSTOMERS for APPS.AR_CUSTOMERS;
Additional Administrator Permissions
Sr.No Permissions to Role Synonyms

Definer
1 grant execute on create or replace synonym
APPS.FND_USER_RESP_GROUPS_ FND_USER_RESP_GROUPS_API for
API TO ${new role}; APPS.FND_USER_RESP_GROUPS_API;
Invoker
2 grant execute on create or replace synonym
APPS.SP_FND_USER_RESP_GROUP FND_USER_RESP_GROUPS_API for
S_API to ${new role}; APPS.SP_FND_USER_RESP_GROUPS_API;
Common table permissions
3 grant select on create or replace synonym WF_LOCAL_USER_ROLES
APPS.WF_LOCAL_USER_ROLES TO for APPS.WF_LOCAL_USER_ROLES;
${new role};
4 grant select on create or replace synonym
APPS.FND_USER_RESP_GROUPS_ FND_USER_RESP_GROUPS_DIRECT for
DIRECT TO ${new role}; APPS.FND_USER_RESP_GROUPS_DIRECT;
5 grant select on create synonym PER_PERIODS_OF_PLACEMENT for
APPS.PER_PERIODS_OF_PLACEME APPS. PER_PERIODS_OF_PLACEMENT;
NT TO ${new role};
6 grant select on create synonym PER_PERIODS_OF_SERVICE for
APPS.PER_PERIODS_OF_SERVICE APPS. PER_PERIODS_OF_SERVICE;
TO ${new role};
Note: After upgrading to the IdentityIQ version 8.0 Patch 2 from IdentityIQ version prior to 7.2,
aggregation would fail for all the service accounts with older permissions.
The following table lists the configuration parameters of IdentityIQ for Oracle ERP – Oracle E-Business Suite:

Oracle E-Business Connection Settings
Connection User* The Oracle EBS Login name through which we want to connect Oracle EBS. For
example, APPS


Password* The authentication details of login.
Database URL* The url to connect to the database. The format is
jdbc:oracle:thin:@<HOST>:<PORT>:<SID>
For example jdbc:oracle:thin:@xxx.xx.xx.xx:1521:ORCL url consist of

• jdbc:oracle:thin:@: This is common part which states that the
connection is made using thin driver.
• xxx.xx.xx.xx: server Name or IP of the oracle server
• 1521: The port number of the oracle server. This port number should be
known by the oracle server administrator.
• ORCL: The SID of the oracle server.
JDBC Driver* It is the name of the Driver class supported by JDBC Type 4.
For example, oracle.jdbc.driver.OracleDriver
E-Business Proxy (Optional) E-Business Proxy User for Audit purpose. This user must be created in
User Oracle E-Business Suite Portal. Audit records would be created/updated with this
user for all provisioning operations done for Oracle E-Business through IdentityIQ.
If not provided an error would be displayed on Oracle E-Business Portal when user
tries to view Record History for any user and his/her assigned entitlements.
Note: Set the following permissions as mentioned in the "Administrator

Permissions” on page 74 when ‘E-Business Proxy User’ parameter is not set:
• Under Grant Permissions:
grant select on SYS.DBA_USERS to ${new role};
• Creating the synonym:
create synonym DBA_USERS for SYS.DBA_USERS
Additional This text box can be used to specify the additional configuration parameters. These
Connection additional parameters must be passed in key value pairs. If multiple parameters
Parameters must be specified, then they need to be passed in new line.
For example,
oracle.net.encryption_client=ACCEPTED
oracle.net.encryption_types_client=AES256
Account Aggregation Settings
Note: To use the Account Aggregation Settings, see ‘Account Aggregation Filters’ under "Upgrade
Considerations” on page 84.


Account Select the type of users to be aggregated: Employees, Contractors, Employee and
Aggregation Filters Contractors, and all users from FND_USER table.
Aggregate only Select to aggregate Oracle E-Business users that are
employees associated with valid Employee records of Oracle HRMS
system.
Aggregate only Select to aggregate Oracle E-Business users that are
contractors associated with valid Contractor records of Oracle HRMS
system.
Aggregate employees Select to aggregate Oracle E-Business users that are
and contractors associated with valid Employee and Contractor records of
Oracle HRMS system.
Aggregate all users from Select to aggregate all the E-Business users that are there
FND_USER table in in the FND_USER table.
Oracle E-Business
HRMS Person All the E-Business records associated with person records active after the date
Records Effective specified here would be aggregated in the connector. Format of the date entered is
From* MM/DD/YYYY.

The following table describes the additional configuration parameters that must be set in the application debug
page:
Parameter Description
endDateUserEntitlements To end date of the roles and responsibilities on disabling an Oracle
E-Business Suite account, set the value of endDateUserEntitlements
parameter to true as follows:
<entry key="endDateUserEntitlements">
<value>
</value>
</entry>
useEffectiveDate To aggregate all the Oracle E-Business users without any aggregation filters,
set the value of useEffectiveDate parameter to false as follows:
<entry key="useEffectiveDate">
<value>
<Boolean>false</Boolean>
</value>
</entry>
Note: For more information, see "Upgrade Considerations” on page 84.

Schema Attributes
skipFutureAssignedGroups To aggregate and provision future dated E-Business users, set the value of
skipFutureAssignedGroups parameter to false as follows:
<entry key="skipFutureAssignedGroups">
<value>
<Boolean>false</Boolean>
</value>
</entry>

disableOldFNDAccounts (Applicable only for Create User) To disable any existing active FND
accounts, set the value of disableOldFNDAccounts parameter to true
as follows:
<entry key="disableOldFNDAccounts">
<value>
</value>
</entry>

useResponsibilityWithAppl To identify responsibility group uniquely for new applications, use the
ication combination of Responsibility_id and Application_id, set the value of
useResponsibilityWithApplication parameter to true as follows:
<entry key="useResponsibilityWithApplication">
<value>
</value>
</entry>
Schema Attributes
Account Attributes
USER_NAME Application username (what a user types in at the Oracle
Applications sign-on screen).
USER_ID Application user identifier.
START_DATE The date the user name becomes active.

Schema Attributes
END_DATE The date the user name becomes inactive.
DESCRIPTION Description.
PASSWORD_DATE The date the current password was set.
PASSWORD_EXPR The number of accesses left for the password.
PASSWORD_NO_OF_DAYS The number of accesses allowed for the password.
EMAIL_ADDRESS The electronic mail address for the user.
FAX The fax number for the user.
EMPLOYEE_ID Identifier of employee to whom the application username is
assigned.
EMPLOYEE_NUMBER Unique number of the employee.
FULL_NAME Full name of the user.
CUSTOMER_ID Customer contact identifier. If the AOL user is a customer contact,
this value is a foreign key to the corresponding customer contact.
CUSTOMER_NAME Customer name.
RESPONSIBILITIES Responsibilities assigned to a user.
ROLES Roles assigned to a user.
Custom Attributes
Perform the following to support the custom attributes in IdentityIQ for Oracle ERP – Oracle E-Business Suite:
• Add the custom attribute name in the account schema by clicking Add attribute button.
Note: If custom attributes are required in the schema, a ‘jdbcbuildmap’ rule is required.
• Add the following lines in the application debug page:
<entry key = "customAttribute" >
<value>
<List>
<String>custom1</String>
</List>
</value>
</entry>
Discover Schema
Discover schema replaces the schema attributes by columns from the FND_USER table by deleting all the other
schema attributes not present in FND_USER table (except the roles and responsibility attributes).
If there are any correlation rules using attributes other than the columns from FND_USER table, then they must
be added again.

Schema Attributes
Group Attributes
This section describes the different group attributes.
Responsibility GroupObjectType Attributes

The following table lists the Responsibility GroupObjectType attributes:
RESPONSIBILITY_NAME Name of the responsibility.
APPLICATION_NAME Application that owns the information for the responsibility.
RESPONSIBILITY_ID Responsibility identifier.
RESPONSIBILITY_KEY Internal developer name for responsibility.
START_DATE The date the responsibility becomes active.
END_DATE The date the responsibility expires.
DESCRIPTION Description
STATUS Shows status of the responsibility.
VERSION Version
WEB_HOST_NAME IP address or alias of the computer where the Webserver is running.
Defaults to the last agent.
WEB_AGENT_NAME Name of Oracle Web Agent. Defaults to the last agent.
DATA_GROUP_APPL_NAME Name of the data group application.
REQUEST_GROUP_APPL_NAME Request Group Application name.
DATA_GROUP_ID Identifier of data group.
DATA_GROUP_NAME Name of the Data Group.
MENU_NAME Name of the menu.
REQUEST_GROUP_NAME Request group name.
Role GroupObjectType Attributes

The following table lists the Role GroupObjectType attributes:
NAME An internal name for the role.
DISPLAY_NAME The display name of the role.
DESCRIPTION Description
START_DATE The date at which the role becomes valid.
EXPIRATION_DATE The date at which the role is no longer valid in the directory
service.
APPLICATION_NAME Application that owns the information for the role.

STATUS The availability of the Role to participate in a workflow process.
SUBORDINATE_ROLES Subordinate roles for a role.
SUBORDINATE_RESPONSIBILITIES Subordinate responsibilities for a role.

This section lists the single provisioning policy attributes of IdentityIQ for Oracle ERP – Oracle E-Business Suite
that allows you to select the type of user/group to create.

The following table lists the provisioning policy attributes for Create Accounts:
Name* Name of the login user.
Password* Password of the login user.
Description Description.
Start Date* The date from which login user becomes active.
End Date The date from which login user becomes inactive.
Password Expiration Type Type of the password to expire.
Number of Days Days after which user password will expire.
Permanent Mode In permanent mode change of password on first login is not required.
Employee ID Person ID of the employee or contractor from the Oracle-HRMS system.
Note: Applicable to new application of Oracle E-Business Suite after
upgrading IdentityIQ to version 8.0 Patch 2.
Create Group Attributes

The following table lists the provisioning policy attributes for Create Group (Responsibility):
Responsibility and Application Name of the responsibility.
Name*
Application Name (Read only) Name of the application.
Description Description
Responsibility Key* Internal developer name for responsibility.

Start Date* The date the responsibility becomes active.
End Date The date the responsibility expires.
Responsibility Version Responsibility version.
Data Group Name* Name of the data group.
Data Group Application Name* Name of the data group application.
Menu Name* Name of the menu.
Request Group Name Request group name.
Request Group Application Name Request group application name.
This section describes the additional information related to the IdentityIQ for Oracle ERP – Oracle E-Business
Suite.
• (Optional) After upgrading to IdentityIQ version 8.0 Patch 2, perform the following for provisioning of a
responsibility of type other than ‘Oracle Applications’:
a. Navigate to Provisioning Policies ==> Create Group.
b. Click on Edit icon of Responsibility Version field and in Edit Options ==> Settings, modify the name
from PASSWORD_EXPR to VERSION.
c. Click on Edit Options ==> Value settings in the Allowed Values field enter Oracle Mobile
Application and click on + icon.
d. Click on Apply and Save the provisioning policy.
e. Click Save on the next screen and save the Application.
• Account Aggregation Filters
After upgrading to IdentityIQ version 8.0 Patch 2, by adding <entry key="useEffectiveDate"
value="true"/> parameter in the application debug page users have the ability to select the type of users
to be aggregated: Employees, Contractors, Employees and Contractors or all users from FND_USER table.
For more information on adding the useEffectiveDate parameter, see "Additional Configuration
Parameters” on page 79.
• Assigning responsibilities to future dated E-Business users
After upgrading to IdentityIQ version 8.0 Patch 2, the Oracle E-Business Suite connector would be able to
provision and aggregate future E-Business users. If responsibilities are provided in the create request of
future user, the connector would use user's start date for responsibility assignment's start date.
For provisioning of future dated users for application created prior to IdentityIQ version 8.0 Patch 2, add the
skipFutureAssignedGroups entry key to the application debug page. For more information, see
"Additional Configuration Parameters” on page 79.
• Disabling existing accounts during provisioning
After upgrading to IdentityIQ version 8.0 Patch 2, the Oracle E-Business Suite connector would be able to
disable any existing active FND accounts.

For disabling any active FND accounts for application created prior to IdentityIQ version 8.0 Patch 2, set the
value of the disableOldFNDAccounts parameter to true in the application debug page. For more
information, see "Additional Configuration Parameters” on page 79.
• Identifying responsibility group uniquely
After upgrading to IdentityIQ version 8.0 Patch 2, the Oracle E-Business Suite connector can use combination
of Responsibility_id and Application_id to identify responsibility group uniquely for new applications.
For existing application user can use this feature by setting the value of
useResponsibilityWithApplication to true in the application debug page.
For more information, see "Additional Configuration Parameters” on page 79.
Note: After setting the value of useResponsibilityWithApplication attribute to true,
previous entitlement data cannot be retrieved.
• After upgrading to IdentityIQ version 8.0 Patch 2, the Oracle E-Business Suite Connector would not
aggregate indirect roles and responsibilities assigned to Oracle E-business users during account
aggregation.
• After upgrading to IdentityIQ version 8.0 Patch 2, for aggregating disabled accounts on the previous
application of Oracle E-Business Suite, set the value of the aggregateActiveAccounts parameter to
false in the application debug page.
Support for Oracle Security Feature

Note: Oracle recommends the use of standard security feature (network encryption and Data
integrity feature).
With this release of IdentityIQ, Oracle ERP – Oracle E-Business Suite is enhanced to support the network
encryption and Data integrity feature for the Oracle Database target system.
This functionality can be leveraged by providing the required values for Additional Connection Parameters
configuration parameter added under the "Configuration Parameters” on page 77.
For example, oracle.net.encryption_client=REJECTED
User Editions
(Applicable only for Administrator User Account) For Oracle Database version 11g R2 and above which allow the
Edition-based Redefinition, when creating new database user, enable editions on that user by using the following
command on the database to avoid any errors while creating the synonyms:
alter user ${new user} enable editions;
Fore more information on Administrator User Account, see "Administrator Permissions” on page 74.
Support of provisioning of Start Date, End Date and Justification

Attributes
With IdentityIQ version 8.0 Patch 2, Oracle E-Business connector supports provisioning of Start and End Date and
the justification attributes when assigning a role or responsibility using the following sample Plan:
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<ProvisioningPlan nativeIdentity="AccountName">
<AccountRequest application="ApplicationName" nativeIdentity="AccountName"
op="Modify">

Troubleshooting
<AttributeRequest name="ROLES" op="Add" value="RoleCode">

<Attributes>
<Map>
<entry key="assignment" value="true" />
<entry key="endDate">
<value><String>YYYY/MM/DD</String></value>
</entry>
<entry key="startDate">
</entry>
</Map>
</Attributes>
</AttributeRequest>
<AttributeRequest name="RESPONSIBILITIES" op="Add" value="RESPONSIBILITIES_ID">
<Attributes>
<Map>
<entry key="assignment" value="true"/>
<entry key="endDate">
</entry>
<entry key="startDate">
<value><String>YYYY/MM/DD</String>
</value>
</entry>
</Map>
</Attributes>
</AttributeRequest>
</AccountRequest>
</ProvisioningPlan>
Last_Updated_By Attribute
The Oracle E-Business Connector updates the WHO columns (created_by/last_updated_by) based on the
following conditions:
• If user selects Self-Service Change Password, the WHO columns would be updated with a value of the
self user, irrespective of the configuration of E-Business Proxy User.
• For any other provisioning operations done by a service account user, if E-Business Proxy User is
configured, the WHO columns would be updated with a value of the E-Business Proxy User.
• If E-Business Proxy User is not configured, then the WHO columns would be updated with a value of the
service account user.
Troubleshooting
1 - Provisioning and Aggregation would fail with the an error message on previous
application of Oracle E-Business Suite after upgrading IdentityIQ to version 8.0
Patch 2
After upgrading IdentityIQ to version 8.0 Patch 2, provisioning and aggregation would fail with the following error
message on previous application of Oracle E-Business Suite:
ORA-00942: table or view does not exist

Troubleshooting
Resolution: After upgrading IdentityIQ to version 8.0 Patch 2, for successful provisioning and aggregation
operations on previous application of Oracle E-Business Suite, additional permissions from Sr.No 1 to 4 are
required as mentioned in the table under the “Additional Administrator Permissions” section.
2 - RA_Customers table not found when managing Oracle version 12c

If Customer is using IdentityIQ for Oracle ERP – Oracle E-Business Suite to manage Oracle version 12c, the
Integration Module installation expects a table named RA_Customers. This table is renamed as AR_Customers
in Oracle version 12c.
Resolution: Assign the following synonym to the new user,
create synonym ra_customers for apps.ar_customers;
3 - User must be re-hired who is disabled in native system

When a user must be re-hired who is disabled in native system, the following error message appears on native
system:
User already exists
Resolution: To re-hire user who is disabled in native system, refresh the accounts from IdentityIQ using manage
accounts. This corrects the status of the user in IdentityIQ and can be enabled manually from IdentityIQ or native
system.
4 - A new user with an existing user name on native system is in disabled state must
be newly hired
When a new user must be hired with an old user name on native system is in disabled state, the following error
message appears on the native system:
User already exists
Resolution: IdentityIQ does not have the old user details which is disabled on the native system. The create user
request would fail in IdentityIQ with the above error message. Therefore a new name must be entered for the
new user.

Troubleshooting

Overview
Chapter 14: IdentityIQ for SAP ERP

– SAP Portal - User Management Web
Service
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Overview
SAP Enterprise Portal integrates information and applications across the enterprise to provide an integrated
single point of access to information, enterprise applications, and services both inside and outside an
organization. IdentityIQ for SAP ERP – SAP Portal - User Management Web Service uses the UME service to
perform user management. The User Management Engine (UME) provides a centralized user management for all
Java applications and can be configured to work with user management data from multiple data sources.
The UME can be configured to read and write user-related data from and to multiple data sources, such as
Lightweight Directory Access Protocol (LDAP) directories, the system database of the AS Java, and user
management of an AS ABAP.
IdentityIQ for SAP ERP – SAP Portal - User Management Web Service manages the following entities of SAP User
Management Engine (UME):
• User
• Role (UME and Portal)

Overview
Supported Features
IdentityIQ for SAP ERP – SAP Portal - User Management Web Service supports the following features:
- Manages SAP Portal users as Accounts
- Aggregation, Refresh Accounts, Pass Through Authentication
- Manages SAP Roles as Account-Groups
- Aggregation

Following versions of SAP NetWeaver versions are supported by the IdentityIQ for SAP ERP – SAP Portal - User
Management Web Service:
• SAP NetWeaver 7.5, 7.4, 7.3, 7.2 and 7.1
Note: IdentityIQ for SAP ERP – SAP Portal - User Management Web Service manages SAP User
Management Engine users. For more information, see "Supported Features" on page 90.
Prerequisites
The sailpoint_ume.sda file must be deployed on the SAP Enterprise Portal server which must be provisioned.
Perform the following steps to deploy the sailpoint_ume.sda file:
1. Copy the SDA file from ($build)/integration/sap/dist directory to a temporary directory on the
SAP server.
2. Navigate to the home directory of SAP Enterprise Portal server
..\usr\sap\(ep_instance_name)\J02\j2ee\console on SAP server and execute
textconsole.bat.
3. Run the following command:
>DEPLOY tmpDir\sailpoint_ume.sda(location of the sailpoint_ume.sda file)
where tmpDir is the temporary directory where the SDA file is extracted.
For undeploying the .sda file, see “Undeploy .sda File” on page 95.

The administrative account must have the following permissions for performing test connection, aggregation and
provision operations:
• pcd:portal_content/administrator/user_admin/user_admin_role
• pcd:portal_content/administrator/system_admin/system_admin_role
• pcd:portal_content/administrator/super_admin/super_admin_role
• SAP_J2EE_ADMIN
This section contains the information that this Module uses to connect and interact with the application. Each
application type requires different information to create and maintain a connection.
The IdentityIQ for SAP ERP – SAP Portal - User Management Web Service uses the following connection
attributes:
Table 1—IdentityIQ for SAP ERP – SAP Portal - User Management Web Service - Primary Attributes
UMWebService The url for the UMWebService. For example:
URL*
http://HOST:PORT
In the above url, HOST refers to the instance where SAP Portal-User Management
WebService is installed and PORT is the listening port of the server.
This url can use either http or https.
Note: When using https, the portal server’s keystore and the application server’s
keystore must be configured.
Username* The SAP Portal user name used when connecting to the web service.
password* Password for the user account specified in Username.
Account Filter Enter the string representation of an object filter. Any account object matching the
filter is filtered out of the dataset. The following is an example of a filterString that
filters out all objects where the uniqueId starts with USER.R3_DATASOURCE:
uniqueId.startsWith("USER.R3_DATASOURCE.&q
uot;)
If this property is non-empty, filtering happens on the IdentityIQ server side and
does not filter on the SAP portal side.

Schema Attributes
Table 1—IdentityIQ for SAP ERP – SAP Portal - User Management Web Service - Primary Attributes
Group Filter Enter the string representation of an object filter. Any roles object matching the
filter is filtered out of the dataset. The following is an example of a filterString that
filters out all objects from the that have a displayName starting with com.sap.pct:
displayName.startsWith("com.sap.pct")
When this property is non-empty filtering happens on the IdentityIQ server side and
does not filter on the SAP portal side
Schema Attributes
Account Attributes
uniqueId Users unique identification
firstName Users first name
lastName Users last name
displayName Users display name
company Users company name
title Users title
uniqueName Users unique name
(Identity Name+ Display Name)
city Users city
postalCode Users postal address
email Users email address
street Users street
state Users state
country Users country
zip Users postal zip code
fax Users fax
telephone Users telephone number

cellPhone Users cell phone number
department Users department assigned
salutation Users salutation
jobTitle Users job title
timeZone Timezone of the user
language Language of the user
securityType Users's security type
lockStatus User is locked or open
roles Role assigned to the user
groups Groups assigned to the user
validFrom Valid from date
validTo Valid to date
Group Attributes
displayName is Display name of the role
uniqueName identity Attribute Unique name of the role
uniqueId Unique ID of the role
description Description of the role
userMembers Users associated to the role
groupMembers Groups associated to the role

This section lists the different policy attributes of IdentityIQ for SAP ERP – SAP Portal - User Management Web
Service.


uniqueId Users unique identification
First Name Users first name
Last Name* Users last name
Display Name Users display name
company Users company name
Department Users department assigned
Unique Name* Users unique name
Password* Users password
City Users city
Street Users street
Email Users email address
State Users state
Country Users country
Zip Users postal zip code
Fax Users fax
Tele Phone Users telephone number
Cell Phone Users cell phone number
Salutation Users salutation
JobTitle Users job title
Language Language of the user
Security Type Users's security type
Lock Status User is locked or open
Password Change Required To create a new account in SAP Portal Server with productive
password.
Values are as follows:

• True: Does not sets the password as productive
• False: Sets the password as productive.
Note: User must add “changePasswordRequired” attribute
in schema and create provisioning policy and set the
required display name (for example, “Password Change
Required”).
Create Group Attributes

The following table lists the provisioning policy attributes for Update Account:

Role Name* Display name of the role
Description Description of the role
User Members Users associated to the role
Group Members Groups associated to the role
This section describes the additional information related to IdentityIQ for SAP ERP – SAP Portal - User
Management Web Service.
Undeploy .sda File

Perform the following steps to undeploy the .sda file:
1. From the command prompt browse the following location:
..\usr\sap\(SAPEP instance)\J02\j2ee\console
2. Run the following file:
textconsole.bat
3. At the query prompt enter the following command:
>UNDEPLOY name=SailpointSapEPArchive vendor=sailpoint.com
Troubleshooting
1 - Aggregation fails with an error message

During aggregation when SAP Portal Server is connected to Active Directory/LDAP Server, the following error
message appears:
Reason: java.lang.NullPointerException
Resolution: Undeploy the existing sailpoint_ume.sda file and deploy the new sailpont_ume.sda file. For more
information, see “Undeploy .sda File” on page 95.

Troubleshooting

Overview

– PeopleSoft
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Administrator Permission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Schema Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Account Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Creating the Component Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Partitioning Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Performance Improvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Creating the Component interface jar file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Configuring the Component Interface Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Upgrade considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Overview
The IdentityIQ for Oracle ERP – PeopleSoft manages the administrative entities of PeopleSoft server (User Profiles
and Roles). The IdentityIQ for Oracle ERP – PeopleSoft communicates to the PeopleSoft server through
component interfaces.
Supported Features
IdentityIQ for Oracle ERP – PeopleSoft supports the following features:
- Manages PeopleSoft users as Accounts
- Aggregation, Partitioning Aggregation, Refresh Accounts, Discover Schema
For more information on partitioning aggregation, see “Partitioning Aggregation” on page 102.

Overview

- Manages PeopleSoft roles as Account-Groups
- Manages PeopleSoft Roles with Route Controls attached to it as Account-Group
Note: With this release of IdentityIQ, SailPoint provides support for having two or more Connector
application instances in the same IdentityIQ application through the Connector Classloader
functionality which require different libraries. For more information on this, see “Appendix B:
Connector Classloader”.

IdentityIQ for Oracle ERP – PeopleSoft supports the following managed systems:
• PeopleTools version 8.57, 8.56, 8.55, 8.54, 8.53
• PeopleSoft Server version 9.2, 9.1
IdentityIQ for Oracle ERP – PeopleSoft supports the following modules of Managed System:
• PeopleSoft Financial and Supply Chain Management
• PeopleSoft Human Capital Management
• PeopleSoft Campus Solution
Prerequisites
To use the IdentityIQ for Oracle ERP – PeopleSoft, you must first configure the component interfaces on
PeopleSoft. This requires the following steps:
1. Creating the Component Interfaces
2. Creating the Component interface jar file
3. Configuring the Component Interface Security
The following files must be present on the computer where the IdentityIQ for Oracle ERP – PeopleSoft is installed:
• psjoa.jar (found on PeopleSoft server at %PS_HOME%\class where %PS_HOME% is the location where
PeopleSoft is installed)
During an upgrade/patch application with the PeopleSoft Tools/Server, the psjoa.jar file must be new and
placed in the IdentityIQ classpath.
• iiqPeopleSoftCompInt.jar (See “Creating the Component interface jar file”)
For any upgrades in PeopleTool versions, it is recommended to regenerate the
iiqPeopleSoftCompInt.jar file to upload instead of the old/ existing jar file.
Administrator Permission
The PeopleSoft user who must act as an administrator for proper functioning of the IdentityIQ for Oracle ERP
– PeopleSoft and must have access to the related Component Interfaces. For more information, see Configuring
the Component Interface Security.

This section contains the information that IdentityIQ for Oracle ERP – PeopleSoft uses to connect and interact
with the application. Each application type requires different information to create and maintain a connection.
The IdentityIQ for Oracle ERP – PeopleSoft uses the following connection attributes:
PeopleSoft Connection Settings
Host* The hostname of the PeopleSoft server.
Port* The Jolt port (Jolt Server Listener Port) on which the PeopleSoft server is
listening. Default: 9000
To determine the JOLT Server Listener (JSL) port of the application server,
check the JOLTListener section in the psappsrv.cfg file. The file is located
in <PS_CFG_HOME>\appserv\<DOMAIN_NAME>, where:
• PS_CFG_HOME: Location of configuration file of PeopleSoft Server.
• DOMAIN_NAME: Name of the domain which is to be administered.
Connection Credentials
User* The user name used to login to PeopleSoft.
Password* The password to use to login to PeopleSoft.
Domain Connection Determines if Domain connection Password is configured.
Password Enabled
Domain Connection Password is required if Domain Connection Password Enabled attribute is
Password* selected.
Component Interface Details
User Component Interface* The name of the PeopleSoft component interface to use to read
PeopleSoft User Profile.
For more information, see PeopleSoft Component Interface Utility.

Group Component The name of the PeopleSoft component interface to use to read
Interface* PeopleSoft Roles.

Route Control Component The name of the PeopleSoft component interface to use to read
Interface PeopleSoft RouteControls.

Iteration Partitioning
Partition Enabled Check box to determine if partition aggregation is required.

Schema Attributes
Partition Statements Criteria to specify the range of users to be downloaded. For example, if the
range is specified as A-M, then this specifies that all the Users whose User
IDs are between A and M (including A and M) would be treated as one
partition and downloaded.
To specify more than one partition the entries should be separated using
a newline character. For more information, see “Partitioning Aggregation”
on page 102
Library Configuration
Application Libraries Location of jar files required for communicating with Server (For example,
Relative: \lib-connectors\PSFT\<jars>
OR
Absolute: C:\Temp\PSFT\<jars>)
Note: All the parameters marked with the * sign in the above table are the mandatory
parameters.
Note the following:
• While deleting a User, add Component Interface in debug as deleteComponentInterface.
For example, <entry key="deleteComponentInterface" value="SAILPOINT_DEL_USER"/>
• SailPoint recommends of saving the required jars belonging to the same People Tool version at the same
location.
• If user wants to use \WEB-INF\lib-connectors location to save the jars, then it is a must to create a
new folder under \WEB-INF\lib-connectors and save the jars location.
Schema Attributes
Account Attributes
UserID The PeopleSoft User ID.
AccountLocked Status of Account if it is locked or not.
AlternateUserID User ID Alias.
CurrencyCode Currency code of the user.
DefaultMobilePage Default mobile page.
EffectiveDateFrom Workflow attribute - from date.
EffectiveDateTo Workflow attribute - to date.
EmailAddresses Email address of the user.

Schema Attributes
EmailUser Routing preferences - email user. It is a multivalued attribute.
ExpertEntry Enable expert entry.
FailedLogins Number of failed logins.
IDTypes User ID types and values.
LanguageCode Language code.
LastUpdateDateTime Last update date/time.
LastUpdateUserID Last update user ID.
MultiLanguageEnabled Multi-language enabled.
NavigatorHomePermissionList Default navigator home page permission list.
Opertype Use external authentication.
PasswordExpired Is password expired.
PrimaryEmailAddress Primary email address.
PrimaryPermissionList Primary permission list.
ProcessProfilePermissionList Process profile permission list.
roleNames Roles and Roles along with Route Controls assigned to the user
profile.
RowSecurityPermissionList Row security permission list.
SymbolicID Used to map the User Id to Access ID.
UserDescription Description of the user.
Roles Roles and Roles along with Route Controls assigned to the user -
detailed.
Encrypted Encrypted
ReassignWork Reassign work to alternate user.
ReassignUserID Reassigned user’s UserID.
RowSecurityPermissionList Row Security Permissions.
SupervisingUserID Supervisor’s User Id.
UserIDAlias Alias of the user.
WorkListEntriesCount Count of worklist entries.
WorklistUser Displays user workflow.
Group Attributes
ALLOWNOTIFY Workflow routing - allow notifications.

ALLOWLOOKUP Workflow routing - allow recipient lookup.
DESCR Description of the role.
DESCRLONG Long description.
LASTUPDDTTM Last update date/time.
LASTUPDOPERID Last update user ID.
RolePermissionLists Permission List for the role.
ROLENAME Name of the role.
ROLETYPE Type of the role.
RouteControl Route Control name.
RouteControlDescription Route Control description.
Roles that can be granted Roles that can be granted by this role.
Roles that can grant Roles that can grant this role.
This section describes the additional information related to the IdentityIQ for Oracle ERP – PeopleSoft.
Creating the Component Interfaces

For creating the component interfaces, see PeopleSoft Component Interface Utility.
To use the partitioning aggregation feature in IdentityIQ for Oracle ERP – PeopleSoft, perform the following:
1. Select the Partition Enabled check box.
2. Specify the criteria for partitioning in the Partition Statements textbox of the configuration parameter.
For example, download all the PeopleSoft User Profiles from A to M (including A and M) (the statement A-M
would be treated as one partition)
To specify more than one partition the entries must be separated using a newline character.
Performance Improvement
For improving the performance of PeopleSoft, create views and add new people code in the component
interfaces on the Managed system.
For more information, see “Creating Views and adding new People Code in Component Interface” on page 103.

Creating Views and adding new People Code in Component Interface

This section describes the procedure for creating views and adding new people code in component interface on
Managed System.
Note: The following script is for PeopleSoft with Oracle as the backend server. For database other than
Oracle, the script must be modified accordingly.
(Database tables might be created with schema prefix (for example, sysadm))
Creating Views
Login to database with sysdba permissions and execute the following commands:
1. //This script is for creation of View for getting User IDs
CREATE VIEW SP_PS_USERID_VIEW AS (SELECT OPRID FROM PSOPRDEFN);

GRANT SELECT ON SP_PS_USERID_VIEW TO people;
commit;
2. //This script is for creation of View for getting Role Names
CREATE VIEW SP_PS_ROLE_VIEW AS (SELECT ROLENAME FROM PSROLEDEFN);

GRANT SELECT ON SP_PS_ROLE_VIEW TO people;
3. commit;
//This script is for creation of View for getting Route controls and its description
CREATE VIEW SP_PS_RTE_CNTL_PROFILE_VIEW AS (select

RTE_CNTL_PROFILE,NVL(DESCRLONG,'NA') as DESCRLONG FROM PS_RTE_CNTL_PROF);
GRANT SELECT ON SP_PS_RTE_CNTL_PROFILE_VIEW TO people;
commit;
Adding new People Code

1. Adding new function getIds in user component interface
Note: The SAILPOINT_USERS component interface must be available. To create SAILPOINT_USERS or
any other user, see PeopleSoft Component Interface Utility.
a. Open the SAILPOINT_USERS component interface.

b. Right click on methods section and click on View Peoplecode.
c. Copy and paste the following script in the blank space.
REM This is an example of commenting PeopleCode;

/* ----- Logic for getting userIds from the view SP_PS_USERID_VIEW ----- */
Function getIds(&delimiter As string) Returns string;
&finalString = "";
&sql_text = "SELECT OPRID FROM SP_PS_USERID_VIEW ORDER BY OPRID";
&userSql = CreateSQL(&sql_text);
While &userSql.Fetch(&userId);
&finalString = &finalString | &userId | &delimiter;
End-While;
&userSql.Close();
Return &finalString;
End-Function;

d. Save the script and component interface.

e. Close the component interface and reopen to verify that a new method is available with name
getIds.
2. Adding new function getIds in role component interface
Note: The SAILPOINT_ROLES component interface must be available. To create SAILPOINT_Roles or
any other user, see PeopleSoft Component Interface Utility.
a. Open the SAILPOINT_Roles component interface.


/* ----- Logic for getting roleIds from the view SP_PS_ROLE_VIEW ----- */

&finalString = "";
&sql_text = "SELECT ROLENAME FROM SP_PS_ROLE_VIEW ORDER BY ROLENAME";
&userSql = CreateSQL(&sql_text);
While &userSql.Fetch(&roleId);
&finalString = &finalString | &roleId | &delimiter;
End-While;
&userSql.Close();
End-Function;

e. Close the component interface and reopen to verify that a new method is available with new name
getIds.
3. (Optional for Route Controls feature only) Adding new function getIds in route control component interface
Note: The SAILPOINT_ROUTECONTROL component interface must be available. To create
SAILPOINT_ROUTECONTROL or any other user, see PeopleSoft Component Interface Utility.
a. Open the SAILPOINT_ROUTECONTROL component interface.


/* ----- Logic for getting route control name and description from the view
SP_PS_RTE_CNTL_PROFILE_VIEW ----- */

Local Record &rtCntlId;
&finalString = "";
&rtCntlId = CreateRecord(Record.RTE_CNTL_PROF);
&sql_text = "SELECT RTE_CNTL_PROFILE,DESCRLONG FROM
SP_PS_RTE_CNTL_PROFILE_VIEW ORDER BY RTE_CNTL_PROFILE";
&rtCntrlSql = CreateSQL(&sql_text, &rtCntlId);
While &rtCntrlSql.Fetch(&rtCntlId);
&finalString = &finalString | &rtCntlId.RTE_CNTL_PROFILE.Value |
&delimiter | &rtCntlId.DESCRLONG.Value | &delimiter | &delimiter;
End-While;
&rtCntrlSql.Close();

End-Function;

e. Close the component interface and reopen to verify that a new method is available with new name
getIds.
Creating the Component interface jar file

The iiqPeopleSoftCompInt.jar file contains the PeopleSoft Component Interface java classes. It must be
generated from the respective PeopleSoft resource and then copied into the IdentityIQ classpath.
Perform the following steps to create the iiqPeopleSoftCompInt.jar file from the Component interface java
files.
1. Logon to PeopleSoft Application Designer in two tier mode.
2. Open the Component Interface project and open all the component interfaces by double clicking each com-
ponent interface. For example, SAILPOINT_USERS
3. From the menu select Build ==> PeopleSoft APIs.
The Build PeopleSoft API Bindings window appears.
4. From the Build PeopleSoft API Bindings window, select the Build check box in the java Classes frame and
clear the COM Type Library and C Header Files Build check boxes.
In the Select APIs to Build drop down menu, select the following options:
- CompIntfc.CompIntfcPropertyInfo
- CompIntfc.CompIntfcPropertyInfoCollection
- PeopleSoft.* (all Component Interfaces that begin with the prefix PeopleSoft)
- CompIntfc.SAILPOINT_* (all Component Interfaces that begin with the prefix
CompIntfc.SAILPOINT_)
Note: If you need to generate Component Interface Java files for the entire group of Component
Interfaces click ALL.
Create a directory to deploy the Java files. For example, if you specify C:\CI as the file path, then the
Component Interface Java files are generated in C:\CI\PeopleSoft\Generated\CompIntfc.
6. Compile the JAVA files by performing the following steps:
a. Open the command prompt and change directories to the folder where the generated JAVA files are
located. For example, C:\CI.
b. Navigate to the PeopleSoft\Generated\CompIntfc\ directory.
c. Run the following command:
javac -classpath %PS_HOME%\class\psjoa.jar *.java
Where %PS_HOME% is the location that PeopleSoft is installed.
Important: Ensure that the JAVA compiler used for compiling the generated JAVA files is compatible
with the JAVA provided with the PeopleSoft installation that needs to be managed.
d. (Optional) You can delete all the generated java files from the existing directory, however, do not
delete the .class files.
7. Perform the following steps to package the compiled files as the iiqPeopleSoftCompInt.jar file:
a. Open the Command prompt and navigate to the newly created directory. For example, C:\CI
b. Run the command: jar -cvf iiqPeopleSoftCompInt.jar *

8. Copy the generated iiqPeopleSoftCompInt.jar and %PS_HOME%\class\psjoa.jar files to the com-

puter where IdentityIQ is running.
Configuring the Component Interface Security

Before using the IdentityIQ for Oracle ERP – PeopleSoft, you must allow the PeopleSoft user, for whom the
Module is configured, to access the generated component interfaces.
To set security for the PeopleTools project, perform the following:
1. Log into the PeopleSoft web interface.
Default: http://<server-name>:<port-number>/psp/ps
2. Navigate to PeopleTools ==> Security ==> Permissions & Roles ==> Permission Lists.
3. Click Add a New Value to create a new permission list. Type New_Name as the name of the permission list,
then click Add.
4. Click the Component Interfaces tab and add the created component interface.
For example,
- SAILPOINT_DEL_ROLE
- SAILPOINT_DEL_USER
- SAILPOINT_ROLES
- SAILPOINT_USERS
- SAILPOINT_ROUTECONTROL
5. For each added component interface, click Edit ==> Full Access (All), then click OK.
6. Click Save to save the new permission list.
7. Navigate to PeopleTools ==> Security ==> Permissions & Roles ==> Roles.
8. Click Add a New Value to create a new role. Type New_Name as the name and then click Add. For example,
SAILPOINT_ROLE.
9. Enter the description as IdentityIQ Role.
10. Click the Permission Lists tab and add the permission list created in Step 3. Click Save to save the role.
11. Navigate to PeopleTools ==> Security ==> User Profiles, and select the user (for whom the permissions
must be provided) that is being used in the IdentityIQ for Oracle ERP – PeopleSoft.
12. Click the Roles tab and add the role created in Step 10. Click Save to add the role to the user.
Upgrade considerations
• (Optional) To use the Route Control functionality after upgrading IdentityIQ from any previous version to
IdentityIQ version 8.0 Patch 2, manually add the following attributes in the Group Schema:
- RouteControl
- RouteControlDescription
For more information on the above attributes, see “Group Attributes” on page 101.
Note: With this new implementation, there would be an impact on certification history. Certification
history would be lost and would not be in synchronization with previous data.

Troubleshooting
Troubleshooting
1 - When the supported platform version is Java 1.6 an error message appears
When the supported platform version is Java version 1.6, the following error message appears:
java.lang.UnsupportedClassVersionError: psft/pt8/joa/API : Unsupported major.minor
version 51.0 (unable to load class psft.pt8.joa.API)
Resolution: Ensure that the supported platform version is Java 1.7.
2 - (Only for PeopleTools version 8.54) Connection to Server not established

When testing the CI (Component Interface) Java APIs after upgrading to PeopleTools version 8.54, the connection
to the application server fails with the following error message appears:
openconnector.ConnectorExpception: Connection to server not established
Resolution: Navigate to the location where PeopleSoft is installed. For example,

C:\PS_CFG_HOME\webserv\peoplesoft\applications\peoplesoft\PORTAL.war\WEB-INF\classe
s.
Copy all the files from this directory into the WEB_INF\classes directory of IdentityIQ.
Now you will be able to successfully connect to the server. This solution is documented in the following
knowledge base article on the Oracle support site:
E-CI: Java API Connection Fails With "java.lang.NoClassDefFoundError:
com/peoplesoft/pt/management/runtime/pia/JoltSessionMXBean" Error(1947124.1)

Troubleshooting

Overview

– Siebel
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Supported Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Administrator Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Account Group Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Adding New Custom Attributes in Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Provisioning Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Overview
The IdentityIQ for Oracle ERP – Siebel manages entities in Oracle's Siebel CRM. Here Employee is managed as
Accounts and Position as Account Groups. By default, the IdentityIQ for Oracle ERP – Siebel uses the Employee
Siebel business component of the Employee Siebel business object for account provisioning. For Account Group
provisioning Position business component of Position business object is used by Integration Module. However,
the Integration Module can be configured to manage other Siebel Business Object/Component in the
Account/Account Group provisioning. The Integration Module manages both single and multi-valued attributes
of Siebel system. The Integration Module schema can be modified to manage attributes other than Schema that
comes by default with Integration Module.
Supported Features
IdentityIQ for Oracle ERP – Siebel provides support for the following features:
- Manages Employee as Accounts
- Aggregation, Refresh Accounts
Note: Enable Account operation sets the Employment Status attribute to Active while it is set to
Terminated for Disable Account operation.


- Manages Position as Account-Groups
Note: With this release of IdentityIQ, SailPoint provides support for having two or more Connector
application instances in the same IdentityIQ application through the Connector Classloader
functionality which require different libraries. For more information on this, see “Appendix B:
Connector Classloader”.

IdentityIQ for Oracle ERP – Siebel supports the following version of Siebel CRM Managed System:
• Siebel CRM version 16.0
Prerequisites
Following Siebel JAR file is required in the WEB-INF/lib directory:
Siebel.jar and SiebelJI_<<Language>>.jar
For example, for Siebel CRM with English language: Siebel.jar, SiebelJI_enu.jar
The Siebel JAR file is available in the SIEBEL_INSTALLATION_DIRECTORY/siebsrvr/CLASSES directory.
Note: Do not copy JAR file for multiple versions of Siebel into the WEB-INF/lib directory; it may
create conflicts at runtime.
Note: IdentityIQ for Oracle ERP – Siebel requires JRE 1.6 or above to manage Siebel CRM.
The IdentityIQ for Oracle ERP – Siebel requires Siebel administrator credentials to accomplish provisioning tasks.
The administrator user name and password configured for Oracle ERP – Siebel must be assigned sufficient
privileges within Siebel to create new records and to update existing records for the specified business
component.
For example, SADMIN user which is created during Siebel server installation is one of the example of
administrator.
Note: A responsibility named “Siebel Administrator” assigned to this user gives access to all views.
This section contains the information that this Integration Module uses to connect and interact with the
application. Each application type requires different information to create and maintain a connection.
The IdentityIQ for Oracle ERP – Siebel uses the connection parameters listed in the following table:

Table 1—Configuration parameters

Transport Protocol Transport protocol while communicating with Siebel server. Select
TCPIP or NONE. Default: TCPIP
Encryption Data Encryption method. Select RSA or NONE. Default: NONE
Compression Data Compression technique. Select ZLIB or NONE. Default: ZLIB
Siebel Server Host Host Name where Siebel server is installed.
SCB Port Listening port number for the Siebel Connection Broker (alias
SCBroker).
Sample value: 2321
Siebel Enterprise Name Name of Siebel Enterprise. Sample value: SBA_82
Siebel Object Manager Name of Siebel Application Object Manager. Sample value:
SCCObjMgr
Admin User Name User ID of the target system user account that you want to use for
Integration Module operations. Sample value: SADMIN
Password Password of the target system user account that you want to use for
Integration Module operations. Sample value: sadmin
Language Language in which the text on the UI is displayed.
Specify any one of the following values:
• For English: ENU
• For Brazilian Portuguese: PTB
• For French: FRA
• For German: DEU
• For Italian: ITA
• For Japanese: JPN
• For Korean: KOR
• For Simplified Chinese: CHS
• For Spanish: ESP
• For Traditional Chinese: CHT
Account Business Object Business Object for Account. Default value: Employee
Account Business Component Business Component for Account. Default value: Employee
Entitlement Business Object Business Object for Entitlement. Default value: Position
Entitlement Business Component Business Component for Entitlement. Default value: Position
Siebel URL Siebel server connection string. The server is connected using
connection string. Specific parameters defined in the form are
ignored. For example:
siebel.transport.encryption.compression://host:port/Enterpri
seServer/AppObjMgr_lang" lang="lang_code"

Schema Attributes
Schema Attributes
By default the following mentioned set of attributes are managed:
Account Attributes
The following table lists the account attributes (Siebel Employee attributes):
Login Name Employee’s login name.
First Name Employee’s first name.
Last Name Employee’s Last name.
Position Multi-value attribute that contains a list of all positions assigned to employee.
Primary Position Employee’s primary position.
Responsibility Multi-value attribute that contains a list of all responsibilities of employee.
Primary Responsibility Id Employee’s Primary responsibility ID.
Division Division
Employment Status Employment Status
Street Address Street Address
Job Title Job Title
Phone Number Phone Number
Fax Number Fax Number
Hire Date Hire date
Alias Alias
State State
Availability Status Availability status of employee.
ManagerLogin Employee’s Manager login.
Account Group Attributes

The following table lists the Account Group attributes (Siebel Position attributes):
Id Unique Id for Position Entity.
Name Name of Position.
Last Name Last Name of Employees having this Position.
Division Division of Position.
Role Role

Start Date Start date for allocation of Position to Employee referred by Last Name.
Position Type Position Type.
Parent Position Name Parent Position’s name.
Note: The search is made on identityAttribute while finding records. By default, "Login Name" for
Account and "Id" for Account Group is set in the identityAttribute.
Adding New Custom Attributes in Schema

Currently IdentityIQ for Oracle ERP – Siebel schema provides basic minimum attributes required to manage
Employee and position. If you want to enhance schema, you can add more attributes to the existing schema. You
can use Siebel Tools to get the details about attributes to be managed using schema. If you add any new multi
value attribute, configure the following attribute in Application using the debug page:
<entry key="customMVGAttr">
<value>
<List>

<ApplicationRef>
<Reference class='Application' name='Example Integration'/>
</ApplicationRef>

<Attributes>
<Map>
<entry key='url' value='http://somehost:8080/rest/iiq'/>
<entry key='username' value='jlarson'/>

Creating the IntegrationConfig Object
<entry key='password' value='1:987zxd9872970293874'/>

</Map>
</Attributes>

<ManagedResources>
<ManagedResource name='LDAP 42'>
<ApplicationRef>
<Reference class='Application' name='Corporate Directory'/>
</ApplicationRef>
<ResourceAttributes>
<ResourceAttribute name='memberOf' localName='groups'/>
</ResourceAttributes>
</ManagedResource>
</ManagedResources>
The executor attribute has the name of a class that implements the sailpoint.object.IntegrationExecutor
interface. This class is conceptually similar to a Connector class in that it does the work specific to a particular
integration. Each integration package will come with an example IntegrationConfig that contains the executor
class name.
ApplicationRef
Some integrations support identity aggregation. In these cases there is a sailpoint.object.Application object
defined to represent the IDM system and an implementation of the sailpoint.connector.Connector interface that
handles communication with the IDM system. This is normally a multiplexed connector that returns objects
representing the IDM system account as well as accounts on managed resources. Links in the identity cube are
created for the managed resource accounts as well as the IDM system account.
<ApplicationRef>
<Reference class='Application' name='Example Integration'/>
</ApplicationRef>
The documentation of each integration must describe the supported configuration attributes.
The following attribute is reserved and can only be used for the purposes defined here.
• universalManager: enables the integration as a manager of all applications
The universalManager attribute is set to the string true to enable this integration as a manager for all IdentityIQ
applications without a ManagedResources list. This can be helpful in test environments to validate deployment
configuration as well as environments where all provisioning must be fulfilled by a single integration.
ManagedResources
If the integration supports provisioning, it must define a list of managed resources that corresponding to
applications defined in IdentityIQ. This determines how provisioning plans created during certification or role
assignment are divided and sent to each integration.

<ManagedResources>
<ManagedResource name='LDAP 42'>
<ApplicationRef>
<Reference class='Application' name='Corporate Directory'/>

Provisioning
</ApplicationRef>
<ResourceAttributes>
<ResourceAttribute name='memberOf' localName='groups'/>
</ResourceAttributes>
</ManagedResource>
</ManagedResource>
The ManagedResources element contains a list of ManagedResource elements. A ManagedResource element

must contain an ApplicationRef that defines the associated IdentityIQ application. The ManagedResource
element might have an optional name attribute that defines the name of the resource within the IDM system. If
the name is not specified it is assumed that the resource name is the same as the IdentityIQ application name.
The ManagedResource element might also contain a ResourceAttributes element that contains one or more
ResourceAttribute elements. ResourceAttribute is used to define mappings between attribute names in the IDM
system and IdentityIQ. ResourceAttribute has the following XML attributes.
• name: attribute name in the IDM system
• localName: attribute name in the IdentityIQ application schema
If a provisioning plan is sent to this integration with attributes that are not in the ResourceAttributes list it is
assumed that the name in IdentityIQ is the same as the name in the IDM system.
The ResourceAttributes list does not define a filter for attributes sent to the IDM system it only defines name
mappings. When an integration has an IdentityIQ application in the ManagedResource list it is assumed that all
attribute requests for that application are sent to that integration. You cannot have more than one integration
managing different sets of attributes for the same application.
There is a special attribute that can be defined in Attributes that declares the integration as the manager of all
applications in IdentityIQ regardless of the content of the ManagedResources element. You can still use
ManagedResources to define name mappings for certain applications when necessary.
Aggregation
Some integrations support feeds of identity information through the normal aggregation process. In these cases
the integration package will have a SailPoint.connector.Connector implementation class and an example
SailPoint.object.Application object in XML.
IDM connectors are usually multiplexed connectors that return objects representing the IDM system account as
well as accounts on all managed resources.
When an aggregation application is defined a reference to it should be placed in the IntegrationConfig. This
enables provisioning operations to obtain the account name in the IDM system that corresponds to an identity
in IdentityIQ.
Provisioning
Provisioning can be performed in several ways.
• After role assignment from the IdentityIQ identity edit page
• After role assignment from the Access Request Manager
• During certification to handle revocations and role completions
• In a background reconciliation task
• During aggregation

Provisioning
All provisioning processes in IdentityIQ are either managed fully by workflows or can launch workflows before
provisioning occurs, which provides the opportunity to insert an approval step before provisioning. The default
workflow for IdentityIQ identity edits is named Identity Update. By default it has no approvals but does attempt
provisioning.
Certifications can do provisioning to remove entitlements and roles that were revoked as well as add missing
entitlements that are necessary to satisfy a role assignment.
A reconciliation task is an instance of the Identity Refresh task template with the provisioning argument set to
true. This argument is visible in the configuration page for the refresh task. Reconciliation compares the assigned
roles with the detected entitlements and automatically provisioning any missing entitlements. Entitlements
might be missing due to either changes in role assignments for an identity, or changes to the definition of roles
already assigned to an identity.
Reconciliation is intended to replace the IdentityIQ Provisioning. The old provisioning page was role oriented,
monitored changes to roles, and sent provisioning requests for users assigned to modified roles. It did not detect
changes to the assigned roles list of identities, however. The reconciliation task is identity oriented and calculates
all changes necessary to make an identity's entitlements match the currently assigned roles.
Since reconciliation is now part of the core set of identity refresh options, it can also be done during aggregation.
This is less common, but aggregation could change account attributes that are used by role assignment rules
resulting in changes to the assigned and detected role lists. With provisioning enabled, the aggregation could
trigger the provisioning of missing entitlements for the assigned roles. A common use case for this would be
aggregating from an application representing a HR system with HR attributes determining assigned business
roles.
Note: Automated provisioning done by the reconciliation task or within workflows typically does not
remove entitlements, it only adds missing entitlements. Removal of unnecessary entitlements
is expected to be done in a certification where a user has more control. While it is possible to
enable removals during automated provisioning, it is potentially dangerous and should not be
done without careful consideration.

Appendix B: Connector Classloader
The Java classloader dynamically loads the Java classes into the Java Virtual Machine. While loading a class, all
the corresponding dependencies are loaded. The classloader that loads a class is associated with that class. The
classloader that loads a class, also loads all its dependencies and hence it is recommended that the same class
must not be loaded by different Classloaders.
This appendix describes about two different version of same Connectors requiring different libraries.
To create two applications instances of a connector, where each instance is connecting to different type of target
system or different version of target system which requires different set of third-party jars. This can be achieved
by performing the following configurations with the help of Connector Classloader:
1. Create two separate directories under WEB-INF/lib-connectors directory with the specific versions or
types of directories and add respective set of third-party libs to these directories.
2. Add the connector-classpath attribute to the application attribute map.
The following attribute application map displays the possibility of adding a single jar to Connector
Classloader’s classpath or by adding the directory location which would add all the jars under that to
classpath:


<entry key="connector-classpath">
<value>
<List>
<String>\lib-connectors\JDBCCustom\commons-codec-1.9.jar</String> 
<String>\lib-connectors\ JDBCCustom \</String> 
</List>
</value>
</entry>
For example, PeopleSoft Direct Connector’s two instances can be created on the same IdentityIQ and both
the instances are connecting to separate target systems.
Assuming that one application instance is connecting to 8.X and another to 7.X, create two separate
directories under the web-inf/lib-connectors directory as follows:
- PPLSFT7.0
- PPLSFT8.0
Add the required set of libraries under the specific directories by adding the configuration to respective
applications classpath as follows:
- For PeopleSoft 7.0

<value>
<List>
<String>\lib-connectors\PPLSFT7.0\</String>

</List>
</value>
</entry>
- For PeopleSoft 8.0

<value>
<List>
<String>\lib-connectors\PPLSFT8.0\</String>
</List>
</value>
</entry>
Upgrade considerations
After upgrading IdentityIQ, custom connectors and customization rules can be impacted if connectors are
initiated directly without using Connector Factory.
For example, connector = ConnectorFactory.getConnector(application, null);

8 0 2 SailPoint Integration Guide

Uploaded by

Copyright:

Available Formats

8 0 2 SailPoint Integration Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

8 0 2 SailPoint Integration Guide

Uploaded by

Copyright:

Available Formats

SailPoint

Section I: SailPoint IdentityIQ Infrastructure Modules . . . . . . . . . . . . . . . . . 5

Security Information And Event Management Infrastructure Modules 25

IT Service Management Infrastructure Modules . . . . . . . . . . . . . . . . . . . . . .35

Enterprise Mobility Management Infrastructure Modules . . . . . . . . . . . .73

Provisioning Infrastructure Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

IaaS - Infrastructure-As-A-Service Module . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Section II: SailPoint IdentityIQ Application Modules . . . . . . . . . . . . . . . . . .39

SAP Governance Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

SAP Governance Application Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Healthcare Integration Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Mainframe Integration Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

What is SailPoint IdentityIQ?

SailPoint Integration Guide 1

SailPoint Integration Guide Overview

2 SailPoint Integration Guide

• IdentityIQ for Oracle ERP – Oracle E-Business Suite

SailPoint Integration Guide 3

4 SailPoint Integration Guide

Chapter 2: IdentityIQ for Okta

SailPoint Direct Connectors Administration and Configuration Guide 9

Note: For more information on Delta Aggregation, see “Delta Aggregation”.

Note: For more information on provisioning, see “Create Account Policy”.

Support for Multi-Factor Attribute

The factors attribute would aggregate in the following format:

10 SailPoint Direct Connectors Administration and Configuration Guide

Note: For more information on the Group Aggregation Filters supported on

Note: Attributes marked with * sign are the mandatory attributes.

Additional Configuration Parameters

SailPoint Direct Connectors Administration and Configuration Guide 11

Default value of 10000 can be changed.

Default value of 1000 can be changed.

Default value of 200 can be changed.

Default value is false.

Default value is false.

12 SailPoint Direct Connectors Administration and Configuration Guide

SailPoint Direct Connectors Administration and Configuration Guide 13

14 SailPoint Direct Connectors Administration and Configuration Guide

Provisioning Policy Attributes

Create Account Policy

To provision custom attributes, add a similar attribute in the provisioning policy.

SailPoint Direct Connectors Administration and Configuration Guide 15

Activate Password Recovery Provider Okta Status IdentityIQ

Note: While creating account:

Enable/Delete Account Provisioning Policy

While deleting an user, it would not send a deactivation email to the

16 SailPoint Direct Connectors Administration and Configuration Guide

Disable Account Policy

Attribute Value Description

Create Group Policy

Aggregation Best Practices

SailPoint Direct Connectors Administration and Configuration Guide 17

Supported Aggregation Filters

Account Aggregation Filters

Aggregation Filters Description

18 SailPoint Direct Connectors Administration and Configuration Guide

Aggregation Filters Description

Group Aggregation Filters

Aggregation Filters Description