Configure SailPoint Integration
IdentityIQ is an identity and access management solution from SailPoint. BeyondInsight offers two ways of integrating with IdentityIQ via IdentityIQ's Simple Table Integration, referred to as v1 (Role Import) and v2 (Entitlement Provisioning). We recommend the V2 (Entitlement Provisioning) method for integration.
V1 Role Import
User accounts and roles created in IdentityIQ can be imported and managed in BeyondInsight.
V2 Entitlement Provisioning
BeyondInsight accounts and groups can be imported into IdentityIQ. New or existing Active Directory users can then be provisioned to BeyondInsight local groups. Although the role import method can also be used with entitlement provisioning, we do not recommend it.
For both versions, permissions defined in BeyondInsight and Password Safe are synchronized with IdentityIQ.
Create the SailPoint Integration Connector
- In the BeyondInsight console, go to Configuration > General > Connectors.
- In the Connectors pane, click Create New Connector.
- Enter a name for the connector.
- Select SailPoint Integration.
- Check Enable SailPoint Integration, and then provide the following information:
- Integration Version: Select the type of integration you are configuring: v1 (Role import) or v2 (Entitlement provisioning).
- Database: Select a database type from the list: MySQL, Oracle, DB2, or Microsoft SQL Server.
- If your database is DB2, set the Path to DB2 DLL, which is DB2's ADO.NET library.
- Host: Enter the IP address or host name of the SailPoint instance.
- Port: Enter the port to use to connect to the SailPoint MySQL instance.
- Username: Enter the username that has read and write access to the STI database and read access to the IdentityIQ database.
- Password: The password for the username entered above.
- IdentityIQ Database Name: Enter the name of the IdentityIQ database.
- IdentityIQ Schema Name: Enter the name of the IdentityIQ schema. For MySQL, the schema name is the same as the database name.
- STI Database Name: Enter the name of the STI database.
- STI Schema Name: Enter the name of the STI schema.
If you use DB2, you must install a driver package on the BeyondInsight server. The name of the package is ibm_data_server_driver_package_win64_v11.1 and it can be downloaded from https://www.ibm.com/support/pages/node/387577
- Click Update.
Create a SailPoint User Group (for v1 - Role Import)
- Select Configuration > Role Based Access > Users & Groups.
- In the User Groups pane, click +.
- Select SailPoint Group.
- Select a SailPoint role from the list that you want to import.
- Assign permissions for this group.
- Click Create.
The user accounts are imported from SailPoint. You can then log in to BeyondInsight and Password Safe with these user accounts, using their Active Directory credentials.
Provision Users to BeyondInsight Local Groups (for v2 - Entitlement Provisioning)
Provision operations are performed in IdentityIQ. Once BeyondInsight has synchronized its users and groups with IdentityIQ, and the STI BeyondInsight account and group aggregation tasks in IdentityIQ have run, you can provision new or existing users to BeyondInsight local groups.
Only BeyondInsight local groups can be provisioned in IdentityIQ. BeyondInsight active directory groups and role-based groups that were imported from IdentityIQ cannot be provisioned because they are based on an external data source and can't be modified.
In order for an identity to be provisioned, the identity must have an active directory account. If an identity has multiple active directory accounts, you must complete a provisioning form to select which active directory account is intended to be provisioned.
View Permissions in IdentityIQ
Periodically, permissions and users are synchronized with SailPoint. You can view BeyondInsight and Password Safe permissions in SailPoint by logging in to IdentityIQ and performing one of the following series of steps:
- Select the Define tab, and then select Applications.
- Select BeyondInsight from the list.
- Click Accounts.
- All the users associated with BeyondInsight are displayed. Click on a user to view BeyondInsight attributes.
- Click the Define tab, and then select Identities.
- Enter the username in the Filter criteria box and search.
- Click the username to view details.
- Click the Application Accounts tab.
- Look for the BeyondInsight application and click the arrow next to it.
- The BeyondInsight-specific attributes for this user are displayed. You can click any of the roles the user is associated with under BeyondInsight’s attributes to view more information.
- Select the Object Properties tab to display its permissions query. This displays all of the PAM permission data.