SailPoint and Automatic AD provisioning

There are 4 options for AD provisioning

  • Request an entitlement in either application,
  • Request a role containing entitlements in the target application(s),
  • Request an account in the application(s),
  • Set up roles to be automatically assigned, then run refresh with the options to refresh entitlements, detected and assigned roles and to provision assignments.

Item 1-3 is manual. For item 4 [Automatic] you have to think of SailPoint from an RBAC perspective. A user will have an account created in AD because the user has been assigned a Role that requires an AD resource. So we will create a Role and assign to all users based on a condition.

  1. Make sure IQService is installed
  2. Configure the AD application to aggregate from users and groups from AD
  3. Sync in the Domain Users group from AD
  1. Create an IT Role and add the Domain Users as entitlement
  2. Create a Business Role and add the IT Role as a required role. For the Assigment Rule of the Role, you add if Lastname is present (return identity.getLastname();)
  3. Go to the AD application, configuration, provisioning policy. Create a create policy in the AD, there is a default policy that comes with it, amend it to fit your needs. Make sure samaccountname, DN, lastname, displayname, Objecttype is there. Go through all the fields and uncheck Required review.
  4. Create a refresh identity cube task.  Make sure the following is checked
    • Refresh assigned Roles
    • Provision assignments
  5. Run the task