Apply automatic changes

tyler-mairose-sp
2024-04-03 19:34:40 +00:00
committed by github-actions[bot]
parent 3588d87f71
commit a0067d1938
7 changed files with 57819 additions and 57802 deletions

File diff suppressed because one or more lines are too long


@@ -1,7 +1,7 @@
openapi: 3.0.1
info:
title: IdentityNow Beta API
description: 'Use these APIs to interact with the IdentityNow platform to achieve repeatable, automated processes with greater scalability. These APIs are in beta and are subject to change. We encourage you to join the SailPoint Developer Community forum at https://developer.sailpoint.com/discuss to connect with other developers using our APIs.'
title: Identity Security Cloud Beta API
description: 'Use these APIs to interact with the Identity Security Cloud platform to achieve repeatable, automated processes with greater scalability. These APIs are in beta and are subject to change. We encourage you to join the SailPoint Developer Community forum at https://developer.sailpoint.com/discuss to connect with other developers using our APIs.'
termsOfService: 'https://developer.sailpoint.com/discuss/tos'
contact:
name: Developer Relations
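Review bot: changing `info.title` from `IdentityNow Beta API` to `Identity Security Cloud Beta API` alters the value that SDK generators and documentation tooling commonly derive package, module and page names from, so confirm that consumers of this spec are regenerated in the same change set; for anyone pinning a generated client name this is a breaking rename even though no operation changes. Leaving the Developer Community URL in `description` and `termsOfService` untouched is consistent, since only the product name is being replaced.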
@@ -27,11 +27,11 @@ tags:
- name: Access Profiles
description: |
Use this API to implement and customize access profile functionality.
With this functionality in place, administrators can create access profiles and configure them for use throughout IdentityNow, enabling users to get the access they need quickly and securely.
With this functionality in place, administrators can create access profiles and configure them for use throughout Identity Security Cloud, enabling users to get the access they need quickly and securely.
Access profiles group entitlements, which represent access rights on sources.
For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.
@@ -39,7 +39,7 @@ tags:
When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.
Access profiles are the most important units of access in IdentityNow. IdentityNow uses access profiles in many features, including the following:
Access profiles are the most important units of access in Identity Security Cloud. Identity Security Cloud uses access profiles in many features, including the following:
- Provisioning: When you use the Provisioning Service, lifecycle states and roles both grant access to users in the form of access profiles.
@@ -49,7 +49,7 @@ tags:
- Roles: You can group one or more access profiles into a role to quickly assign access items based on an identity's role.
In IdentityNow, administrators can use the Access drop-down menu and select Access Profiles to view, configure, and delete existing access profiles, as well as create new ones.
In Identity Security Cloud, administrators can use the Access drop-down menu and select Access Profiles to view, configure, and delete existing access profiles, as well as create new ones.
Administrators can enable and disable an access profile, and they can also make the following configurations:
- Manage Entitlements: Manage the profile's access by adding and removing entitlements.
@@ -57,60 +57,89 @@ tags:
- Access Requests: Configure access profiles to be requestable and establish an approval process for any requests that the access profile be granted or revoked.
Do not configure an access profile to be requestable without first establishing a secure access request approval process for the access profile.
- Multiple Account Options: Define the logic IdentityNow uses to provision access to an identity with multiple accounts on the source.
- Multiple Account Options: Define the logic Identity Security Cloud uses to provision access to an identity with multiple accounts on the source.
Refer to [Managing Access Profiles](https://documentation.sailpoint.com/saas/help/access/access-profiles.html) for more information about access profiles.
- name: Access Request Approvals
description: |
Use this API to implement and customize access request approval functionality.
With this functionality in place, administrators can delegate qualified users to review users' requests for access or managers' requests to revoke team members' access to applications, entitlements, or roles.
This enables more qualified users to review access requests and the others to spend their time on other tasks.
In IdentityNow, users can request access to applications, entitlements, and roles, and managers can request that team members' access be revoked.
For applications and entitlements, administrators can set access profiles to require approval from the access profile owner, the application owner, the source owner, the requesting user's manager, or a governance group for access to be granted or revoked.
For roles, administrators can also set roles to allow access requests and require approval from the role owner, the requesting user's manager, or a governance group for access to be granted or revoked.
If the administrator designates a governance group as the required approver, any governance group member can approve the requests.
When a user submits an access request, IdentityNow sends the first required approver in the queue an email notification, based on the access request configuration's approval and reminder escalation configuration.
In Approvals in IdentityNow, required approvers can view pending access requests under the Requested tab and approve or deny them, or the approvers can reassign the requests to different reviewers for approval.
If the required approver approves the request and is the only reviewer required, IdentityNow grants or revokes access, based on the request.
If multiple reviewers are required, IdentityNow sends the request to the next reviewer in the queue, based on the access request configuration's approval reminder and escalation configuration.
The required approver can then view any completed access requests under the Reviewed tab.
Refer to [Access Requests](https://documentation.sailpoint.com/saas/help/requests/index.html) for more information about access request approvals.
- name: Access Requests
description: |
Use this API to implement and customize access request functionality.
With this functionality in place, users can request access to applications, entitlements, or roles, and managers can request that team members' access be revoked.
This allows users to get access to the tools they need quickly and securely, and it allows managers to take away access to those tools.
IdentityNow's Access Request service allows end users to request access that requires approval before it can be granted to users and enables qualified users to review those requests and approve or deny them.
Identity Security Cloud's Access Request service allows end users to request access that requires approval before it can be granted to users and enables qualified users to review those requests and approve or deny them.
In the Request Center in IdentityNow, users can view available applications, roles, and entitlements and request access to them.
In the Request Center in Identity Security Cloud, users can view available applications, roles, and entitlements and request access to them.
If the requested tools requires approval, the requests appear as 'Pending' under the My Requests tab until the required approver approves, rejects, or cancels them.
Users can use My Requests to track and/or cancel the requests.
In My Team on the IdentityNow Home, managers can submit requests to revoke their team members' access.
In My Team on the Identity Security Cloud Home, managers can submit requests to revoke their team members' access.
They can use the My Requests tab under Request Center to track and/or cancel the requests.
Refer to [Requesting Access](https://documentation.sailpoint.com/saas/user-help/requests/requesting_access.html) for more information about access requests.
- name: Access Request Approvals
description: |
Use this API to implement and customize access request approval functionality.
With this functionality in place, administrators can delegate qualified users to review users' requests for access or managers' requests to revoke team members' access to applications, entitlements, or roles.
This enables more qualified users to review access requests and the others to spend their time on other tasks.
In Identity Security Cloud, users can request access to applications, entitlements, and roles, and managers can request that team members' access be revoked.
For applications and entitlements, administrators can set access profiles to require approval from the access profile owner, the application owner, the source owner, the requesting user's manager, or a governance group for access to be granted or revoked.
For roles, administrators can also set roles to allow access requests and require approval from the role owner, the requesting user's manager, or a governance group for access to be granted or revoked.
If the administrator designates a governance group as the required approver, any governance group member can approve the requests.
When a user submits an access request, Identity Security Cloud sends the first required approver in the queue an email notification, based on the access request configuration's approval and reminder escalation configuration.
In Approvals in Identity Security Cloud, required approvers can view pending access requests under the Requested tab and approve or deny them, or the approvers can reassign the requests to different reviewers for approval.
If the required approver approves the request and is the only reviewer required, Identity Security Cloud grants or revokes access, based on the request.
If multiple reviewers are required, Identity Security Cloud sends the request to the next reviewer in the queue, based on the access request configuration's approval reminder and escalation configuration.
The required approver can then view any completed access requests under the Reviewed tab.
Refer to [Access Requests](https://documentation.sailpoint.com/saas/help/requests/index.html) for more information about access request approvals.
- name: Access Request Identity Metrics
description: |
Use this API to implement access request identity metrics functionality.
With this functionality in place, access request reviewers can see relevant details about the requested access item and associated source activity.
This allows reviewers to see how many of the identities who share a manager with the access requester have this same type of access and how many of them have had activity in the related source.
This additional context about whether the access has been granted before and how often it has been used can help those approving access requests make more informed decisions.
- name: Accounts
description: |
Use this API to implement and customize account functionality.
With this functionality in place, administrators can manage users' access across sources in Identity Security Cloud.
In Identity Security Cloud, an account refers to a user's account on a supported source.
This typically includes a unique identifier for the user, a unique password, a set of permissions associated with the source and a set of attributes. Identity Security Cloud loads accounts through the creation of sources in Identity Security Cloud.
Administrators can correlate users' identities with the users' accounts on the different sources they use.
This allows Identity Security Cloud to govern the access of identities and all their correlated accounts securely and cohesively.
To view the accounts on a source and their correlated identities, administrators can use the Connections drop-down menu, select Sources, select the relevant source, and select its Account tab.
To view and edit source account statuses for an identity in Identity Security Cloud, administrators can use the Identities drop-down menu, select Identity List, select the relevant identity, and select its Accounts tab.
Administrators can toggle an account's Actions to aggregate the account, enable/disable it, unlock it, or remove it from the identity.
Accounts can have the following statuses:
- Enabled: The account is enabled. The user can access it.
- Disabled: The account is disabled, and the user cannot access it, but the identity is not disabled in Identity Security Cloud. This can occur when an administrator disables the account or when the user's lifecycle state changes.
- Locked: The account is locked. This may occur when someone has entered an incorrect password for the account too many times.
- Pending: The account is currently updating. This status typically lasts seconds.
Administrators can select the source account to view its attributes, entitlements, and the last time the account's password was changed.
Refer to [Managing User Accounts](https://documentation.sailpoint.com/saas/help/common/users/user_access.html#managing-user-accounts) for more information about accounts.
- name: Account Activities
description: |
Use this API to implement account activity tracking functionality.
With this functionality in place, users can track source account activity in IdentityNow, which greatly improves traceability in the system.
With this functionality in place, users can track source account activity in Identity Security Cloud, which greatly improves traceability in the system.
An account activity refers to a log of each action performed on a source account. This is useful for auditing the changes that occur on an account throughout its life.
In IdentityNow's Search, users can search for account activities and select the activity's row to get an overview of the activity's account action and view its progress, its involved sources, and its most basic metadata, such as the identity requesting the option and the recipient.
In Identity Security Cloud's Search, users can search for account activities and select the activity's row to get an overview of the activity's account action and view its progress, its involved sources, and its most basic metadata, such as the identity requesting the option and the recipient.
Account activity includes most actions IdentityNow completes on source accounts. Users can search in IdentityNow for the following account action types:
Account activity includes most actions Identity Security Cloud completes on source accounts. Users can search in Identity Security Cloud for the following account action types:
- Access Request: These include any access requests the source account is involved in.
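Review bot: the pre-existing typo `If the requested tools requires approval` in the `Access Requests` description survives in the unchanged context of this hunk; since the hunk already rewrites the lines around it, fix it in the same pass to `If the requested tool requires approval`. Separately, this hunk changes tag order as well as wording: `Access Request Approvals` is removed from before `Access Requests` and re-added after it, the new `Access Request Identity Metrics` tag is inserted, and `Accounts` is moved up ahead of `Account Activities`. Tag order drives the navigation order in rendered docs, so confirm that the generator's ordering is intended for an "automatic changes" commit rather than an artifact of the rename.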
@@ -121,14 +150,14 @@ tags:
- Certification: These include actions removing an entitlement from an account on a source as a result of the entitlement's revocation during a certification.
- Cloud Automated `Lifecyclestate`: These include automated lifecycle state changes that result in a source account's correlated identity being assigned to a different lifecycle state.
IdentityNow replaces the `Lifecyclestate` variable with the name of the lifecycle state it has moved the account's identity to.
Identity Security Cloud replaces the `Lifecyclestate` variable with the name of the lifecycle state it has moved the account's identity to.
- Identity Attribute Update: These include updates to a source account's correlated identity attributes as the result of a provisioning action.
When you update an identity attribute that also updates an identity's lifecycle state, the cloud automated `Lifecyclestate` event also displays.
Account Activity does not include attribute updates that occur as a result of aggregation.
- Identity Refresh: These include correlated identity refreshes that occur for an account on a source whenever the account's correlated identity profile gets a new role or updates.
These also include refreshes that occur whenever IdentityNow assigns an application to the account's correlated identity based on the application's being assigned to All Users From Source or Specific Users From Source.
These also include refreshes that occur whenever Identity Security Cloud assigns an application to the account's correlated identity based on the application's being assigned to All Users From Source or Specific Users From Source.
- Lifecycle State Refresh: These include the actions that took place when a lifecycle state changed. This event only occurs after a cloud automated `Lifecyclestate` change or a lifecycle state change.
@@ -142,9 +171,9 @@ tags:
Use this API to implement account aggregation progress tracking functionality.
With this functionality in place, administrators can view in-progress account aggregations, their statuses, and their relevant details.
An account aggregation refers to the process IdentityNow uses to gather and load account data from a source into IdentityNow.
An account aggregation refers to the process Identity Security Cloud uses to gather and load account data from a source into Identity Security Cloud.
Whenever IdentityNow is in the process of aggregating a source, it adds an entry to the Aggregation Activity Log, along with its relevant details.
Whenever Identity Security Cloud is in the process of aggregating a source, it adds an entry to the Aggregation Activity Log, along with its relevant details.
To view aggregation activity, administrators can select the Connections drop-down menu, select Sources, and select the relevant source, select its Import Data tab, and select Account Aggregation.
In Account Aggregation, administrators can view the account aggregations' statuses and details in the Account Activity Log.
@@ -154,73 +183,61 @@ tags:
Use this API to implement account usage insight functionality.
With this functionality in place, administrators can gather information and insights about how their tenants' source accounts are being used.
This allows organizations to get the information they need to start optimizing and securing source account usage.
- name: Accounts
description: |
Use this API to implement and customize account functionality.
With this functionality in place, administrators can manage users' access across sources in IdentityNow.
In IdentityNow, an account refers to a user's account on a supported source.
This typically includes a unique identifier for the user, a unique password, a set of permissions associated with the source and a set of attributes. IdentityNow loads accounts through the creation of sources in IdentityNow.
Administrators can correlate users' identities with the users' accounts on the different sources they use.
This allows IdentityNow to govern the access of identities and all their correlated accounts securely and cohesively.
To view the accounts on a source and their correlated identities, administrators can use the Connections drop-down menu, select Sources, select the relevant source, and select its Account tab.
To view and edit source account statuses for an identity in IdentityNow, administrators can use the Identities drop-down menu, select Identity List, select the relevant identity, and select its Accounts tab.
Administrators can toggle an account's Actions to aggregate the account, enable/disable it, unlock it, or remove it from the identity.
Accounts can have the following statuses:
- Enabled: The account is enabled. The user can access it.
- Disabled: The account is disabled, and the user cannot access it, but the identity is not disabled in IdentityNow. This can occur when an administrator disables the account or when the user's lifecycle state changes.
- Locked: The account is locked. This may occur when someone has entered an incorrect password for the account too many times.
- Pending: The account is currently updating. This status typically lasts seconds.
Administrators can select the source account to view its attributes, entitlements, and the last time the account's password was changed.
Refer to [Managing User Accounts](https://documentation.sailpoint.com/saas/help/common/users/user_access.html#managing-user-accounts) for more information about accounts.
- name: Auth Profile
description: |
Auth Profile - Represents authentication configuration for an Identity Profile. This object gets created when an Identity Profile is created.
APIs can be used to retrieve and update Auth Profiles.
- name: Certifications
description: |
Use this API to implement certification functionality.
This API provides specific functionality that improves an organization's ability to manage its certification process.
A certification refers to Identity Security Cloud's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These certifications serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
Once this certification has been completed, Identity Security Cloud would provision all the access the user needs, nothing more.
This API enables administrators and reviewers to get useful information about certifications at a high level, such as the reviewers involved, and at a more granular level, such as the permissions affected by changes to entitlements within those certifications.
It also provides the useful ability to reassign identities and items within certifications to other reviewers, rather than [reassigning the entire certifications themselves](https://developer.sailpoint.com/idn/api/beta/submit-reassign-certs-async/).
Refer to [Managing User Accounts](https://documentation.sailpoint.com/saas/help/common/users/user_access.html#managing-user-accounts) for more information about accounts.
- name: Certification Campaigns
description: |
Use this API to implement certification campaign functionality.
With this functionality in place, administrators can create, customize, and manage certification campaigns for their organizations' use.
Certification campaigns provide IdentityNow users with an interactive review process they can use to identify and verify access to systems.
Certification campaigns provide Identity Security Cloud users with an interactive review process they can use to identify and verify access to systems.
Campaigns help organizations reduce risk of inappropriate access and satisfy audit requirements.
A certification refers to IdentityNow's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
A certification refers to Identity Security Cloud's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These certifications serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification campaign as a way of showing that a user's access has been reviewed and approved by multiple managers.
Once this campaign has been completed, IdentityNow would provision all the access the user needs, nothing more.
Once this campaign has been completed, Identity Security Cloud would provision all the access the user needs, nothing more.
IdentityNow provides two simple campaign types users can create without using search queries, Manager and Source Owner campaigns:
Identity Security Cloud provides two simple campaign types users can create without using search queries, Manager and Source Owner campaigns:
You can create these types of campaigns without using any search queries in IdentityNow:
You can create these types of campaigns without using any search queries in Identity Security Cloud:
- ManagerCampaign: IdentityNow provides this campaign type as a way to ensure that an identity's access is certified by their managers.
- ManagerCampaign: Identity Security Cloud provides this campaign type as a way to ensure that an identity's access is certified by their managers.
You only need to provide a name and description to create one.
- Source Owner Campaign: IdentityNow provides this campaign type as a way to ensure that an identity's access to a source is certified by its source owners.
- Source Owner Campaign: Identity Security Cloud provides this campaign type as a way to ensure that an identity's access to a source is certified by its source owners.
You only need to provide a name and description to create one.
You can specify the sources whose owners you want involved or just run it across all sources.
For more information about these campaign types, refer to [Starting a Manager or Source Owner Campaign](https://documentation.sailpoint.com/saas/help/certs/starting_campaign.html).
One useful way to create certification campaigns in IdentityNow is to use a specific search and then run a campaign on the results returned by that search.
One useful way to create certification campaigns in Identity Security Cloud is to use a specific search and then run a campaign on the results returned by that search.
This allows you to be much more specific about whom you are certifying in your campaigns and what access you are certifying in your campaigns.
For example, you can search for all identities who are managed by "Amanda.Ross" and also have the access to the "Accounting" role and then run a certification campaign based on that search to ensure that the returned identities are appropriately certified.
You can use IdentityNow search queries to create these types of campaigns:
You can use Identity Security Cloud search queries to create these types of campaigns:
- Identities: Use this campaign type to review and revoke access items for specific identities.
You can either build a search query and create a campaign certifying all identities returned by that query, or you can search for individual identities and add those identities to the certification campaign.
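Review bot: the re-added `Certifications` description ends with `Refer to [Managing User Accounts](https://documentation.sailpoint.com/saas/help/common/users/user_access.html#managing-user-accounts) for more information about accounts.`, a link about accounts rather than certifications; the `Certifications` block that this commit removes further down does not contain that line, so it was introduced by the move. Drop it or point it at the certifications documentation already linked from the `Certification Campaigns` tag (https://documentation.sailpoint.com/saas/user-help/certifications.html). Two smaller points in the same hunk: the new `Auth Profile` tag description (`Auth Profile - Represents authentication configuration ...`) does not follow the `Use this API to ...` opening every other tag here uses, and the `Certification Campaigns` text still introduces the same list twice in a row (`... two simple campaign types users can create without using search queries, Manager and Source Owner campaigns:` immediately followed by `You can create these types of campaigns without using any search queries in Identity Security Cloud:`); one of the two sentences can go.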
@@ -231,7 +248,7 @@ tags:
- Role Composition: Use this campaign type to review a role's composition, including its title, description, and membership criteria.
You can either build a search query and create a campaign certifying all roles returned by that query, or you can search for individual roles and add those roles to the certification campaign.
- Uncorrelated Accounts: Use this campaign type to certify source accounts that aren't linked to an authoritative identity in IdentityNow.
- Uncorrelated Accounts: Use this campaign type to certify source accounts that aren't linked to an authoritative identity in Identity Security Cloud.
You can use this campaign type to view all the uncorrelated accounts for a source and certify them.
For more information about search-based campaigns, refer to [Starting a Campaign from Search](https://documentation.sailpoint.com/saas/help/certs/starting_search_campaign.html).
@@ -239,7 +256,7 @@ tags:
Once you have generated your campaign, it becomes available for preview.
An administrator can review the campaign and make changes, or if it's ready and accurate, activate it.
Once the campaign is active, organization administrators or certification administrators can designate other IdentityNow users as certification reviewers.
Once the campaign is active, organization administrators or certification administrators can designate other Identity Security Cloud users as certification reviewers.
Those reviewers can view any of the certifications they either need to review (active) or have already reviewed (completed).
When a certification campaign is in progress, certification reviewers see the listed active certifications whose involved identities they can review.
@@ -255,38 +272,23 @@ tags:
The end of a certification campaign is determined by its deadline, its completion status, or by an administrator's decision.
For more information about certifications and certification campaigns, refer to [Certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html).
- name: Certifications
description: |
Use this API to implement certification functionality.
This API provides specific functionality that improves an organization's ability to manage its certification process.
A certification refers to IdentityNow's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These certifications serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
Once this certification has been completed, IdentityNow would provision all the access the user needs, nothing more.
This API enables administrators and reviewers to get useful information about certifications at a high level, such as the reviewers involved, and at a more granular level, such as the permissions affected by changes to entitlements within those certifications.
It also provides the useful ability to reassign identities and items within certifications to other reviewers, rather than [reassigning the entire certifications themselves](https://developer.sailpoint.com/idn/api/beta/submit-reassign-certs-async/).
- name: Connector Rule Management
- name: Connectors
description: |
Use this API to implement connector functionality.
With this functionality in place, administrators can view available connectors.
Connectors are the bridges IdentityNow uses to communicate with and aggregate data from sources.
For example, if it is necessary to set up a connection between IdentityNow and the Active Directory source, a connector can bridge the two and enable IdentityNow to synchronize data between the systems.
Connectors are the bridges Identity Security Cloud uses to communicate with and aggregate data from sources.
For example, if it is necessary to set up a connection between Identity Security Cloud and the Active Directory source, a connector can bridge the two and enable Identity Security Cloud to synchronize data between the systems.
This ensures account entitlements and states are correct throughout the organization.
In IdentityNow, administrators can use the Connections drop-down menu and select Sources to view the available source connectors.
In Identity Security Cloud, administrators can use the Connections drop-down menu and select Sources to view the available source connectors.
Refer to [IdentityNow Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about the connectors available in IdentityNow.
Refer to [Identity Security Cloud Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about the connectors available in Identity Security Cloud.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/idn/docs/saas-connectivity) for more information about the SaaS custom connectors that do not need VAs (virtual appliances) to communicate with their sources.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/docs/connectivity/saas-connectivity) for more information about the SaaS custom connectors that do not need VAs (virtual appliances) to communicate with their sources.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about using connectors in IdentityNow.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about using connectors in Identity Security Cloud.
- name: Connector Rule Management
- name: Custom Forms
description: |
Use this API to build and manage custom forms.
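Review bot: the reassignment link at the top of this hunk still points at `https://developer.sailpoint.com/idn/api/beta/submit-reassign-certs-async/`, while the other API links this commit touches move to the `/docs/api/beta/...` path (for example the Update Password Org Config link in the Custom Password Instructions block just below); migrate this one in the same pass or it becomes the lone `/idn/api/beta/` link left in the tags section. Separately, the `- name: Connector Rule Management` entry is removed from above `Connectors` and re-added below it; tag order is what the rendered documentation uses for its navigation, so confirm the move is intended rather than a side effect of the generator.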
@@ -296,32 +298,35 @@ tags:
Forms can be used within workflows as an action or as a trigger. The Form Action allows you to assign a form as a step in a running workflow, suspending the workflow until the form is submitted or times out, and the workflow resumes. The Form Submitted Trigger initiates a workflow when a form is submitted. The trigger can be configured to initiate on submission of a full form, a form element with any value, or a form element with a particular value.
Refer to [Forms](https://documentation.sailpoint.com/saas/help/forms/index.html) for more information about using forms in IdentityNow.
Refer to [Forms](https://documentation.sailpoint.com/saas/help/forms/index.html) for more information about using forms in Identity Security Cloud.
- name: Custom Password Instructions
description: |
Use this API to implement custom password instruction functionality.
With this functionality in place, administrators can create custom password instructions to help users reset their passwords, change them, unlock their accounts, or recover their usernames.
This allows administrators to emphasize password policies or provide organization-specific instructions.
Administrators must first use [Update Password Org Config](https://developer.sailpoint.com/idn/api/beta/put-password-org-config) to set `customInstructionsEnabled` to `true`.
Administrators must first use [Update Password Org Config](https://developer.sailpoint.com/docs/api/beta/put-password-org-config/) to set `customInstructionsEnabled` to `true`.
Once they have enabled custom instructions, they can use [Create Custom Password Instructions](https://developer.sailpoint.com/idn/api/beta/create-custom-password-instructions) to create custom page content for the specific pageId they select.
Once they have enabled custom instructions, they can use [Create Custom Password Instructions](https://developer.sailpoint.com/docs/api/beta/create-custom-password-instructions/) to create custom page content for the specific pageId they select.
For example, an administrator can use the pageId forget-username:user-email to set the custom text for the case when users forget their usernames and must enter their emails.
Refer to [Creating Custom Instruction Text](https://documentation.sailpoint.com/saas/help/pwd/pwd_reset.html#creating-custom-instruction-text) for more information about creating custom password instructions.
- name: Discovered Applications
description: |
Use this API to retrieve all the available discovered apps for a given tenant id.
- name: Entitlements
description: |
Use this API to implement and customize entitlement functionality.
With this functionality in place, administrators can view entitlements and configure them for use throughout IdentityNow in certifications, access profiles, and roles.
Administrators in IdentityNow can then grant users access to the entitlements or configure them so users themselves can request access to the entitlements whenever they need them.
With this functionality in place, administrators can view entitlements and configure them for use throughout Identity Security Cloud in certifications, access profiles, and roles.
Administrators in Identity Security Cloud can then grant users access to the entitlements or configure them so users themselves can request access to the entitlements whenever they need them.
With a good approval process, this entitlement functionality allows users to gain the specific access they need on sources quickly and securely.
Entitlements represent access rights on sources.
Entitlements are the most granular form of access in IdentityNow.
Entitlements are often grouped into access profiles, and access profiles themselves are often grouped into roles, the broadest form of access in IdentityNow.
Entitlements are the most granular form of access in Identity Security Cloud.
Entitlements are often grouped into access profiles, and access profiles themselves are often grouped into roles, the broadest form of access in Identity Security Cloud.
For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.
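Review bot: the new `Discovered Applications` tag gets a single sentence, `Use this API to retrieve all the available discovered apps for a given tenant id.`, while every neighbouring tag explains what the objects are and how administrators use them; say what a discovered application is and where the discovery data comes from, otherwise a reader cannot tell how it relates to the connector and source concepts described in the tags above it.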
@@ -345,17 +350,17 @@ tags:
- Type: This is the entitlement's type. Some sources support multiple types, each with a different attribute schema.
IdentityNow uses entitlements in many features, including the following:
Identity Security Cloud uses entitlements in many features, including the following:
- Certifications: Entitlements can be revoked from an identity that no longer needs them.
- Roles: Roles can group access profiles which themselves group entitlements. You can grant and revoke access on a broad level with roles. Role membership criteria can grant roles to identities based on whether they have certain entitlements or attributes.
- Access Profiles: Access profiles group entitlements.
They are the most important units of access in IdentityNow.
IdentityNow uses them in provisioning, certifications, and access requests, and administrators can configure them to grant very broad or very granular access.
They are the most important units of access in Identity Security Cloud.
Identity Security Cloud uses them in provisioning, certifications, and access requests, and administrators can configure them to grant very broad or very granular access.
You cannot delete entitlements directly from IdentityNow.
You cannot delete entitlements directly from Identity Security Cloud.
Entitlements are deleted based on their inclusion in aggregations.
Refer to [Deleting Entitlements](https://documentation.sailpoint.com/saas/help/access/entitlements.html#deleting-entitlements) more information about deleting entitlements.
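Review bot: the unchanged context line `Refer to [Deleting Entitlements](...) more information about deleting entitlements.` is missing `for` before `more information`; since this hunk already rewrites the surrounding Entitlements text, correct it here to `Refer to [Deleting Entitlements](https://documentation.sailpoint.com/saas/help/access/entitlements.html#deleting-entitlements) for more information about deleting entitlements.`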
@@ -363,30 +368,34 @@ tags:
Refer to [Entitlements](https://documentation.sailpoint.com/saas/help/access/entitlements.html) for more information about entitlements.
- name: Governance Groups
description: |
Use this API to implement and customize Governance Group functionality. With this functionality in place, administrators can create Governance Groups and configure them for use throughout IdentityNow.
Use this API to implement and customize Governance Group functionality. With this functionality in place, administrators can create Governance Groups and configure them for use throughout Identity Security Cloud.
A governance group is a group of users that can make governance decisions about access. If your organization has the Access Request or Certifications service, you can configure governance groups to review access requests or certifications. A governance group can determine whether specific access is appropriate for a user.
Refer to [Creating and Managing Governance Groups](https://documentation.sailpoint.com/saas/help/common/users/governance_groups.html) for more information about how to build Governance Groups in the visual builder in the IdentityNow UI.
- name: IAI Message Catalogs
Refer to [Creating and Managing Governance Groups](https://documentation.sailpoint.com/saas/help/common/users/governance_groups.html) for more information about how to build Governance Groups in the visual builder in the Identity Security Cloud UI.
- name: IAI Access Request Recommendations
- name: IAI Common Access
- name: IAI Message Catalogs
- name: IAI Outliers
- name: IAI Peer Group Strategies
- name: IAI Recommendations
- name: IAI Role Mining
- name: Icons
description: |
Use this API to implement functionality related to object icons (application icons for example).
With this functionality in place, administrators can set or remove an icon for specific object type for use throughout Identity Security Cloud.
- name: Identities
description: |
Use this API to implement identity functionality.
With this functionality in place, administrators can synchronize an identity's attributes with its various source attributes.
IdentityNow uses identities as users' authoritative accounts. Identities can own other accounts, entitlements, and attributes.
Identity Security Cloud uses identities as users' authoritative accounts. Identities can own other accounts, entitlements, and attributes.
An identity has a variety of attributes, such as an account name, an email address, a job title, and more.
These identity attributes can be correlated with different attributes on different sources.
For example, the identity John.Smith can own an account in the GitHub source with the account name John-Smith-Org, and IdentityNow knows they are the same person with the same access and attributes.
For example, the identity John.Smith can own an account in the GitHub source with the account name John-Smith-Org, and Identity Security Cloud knows they are the same person with the same access and attributes.
In IdentityNow, administrators often set up these synchronizations to get triggered automatically with a change or to run on a schedule.
In Identity Security Cloud, administrators often set up these synchronizations to get triggered automatically with a change or to run on a schedule.
To manually synchronize attributes for an identity, administrators can use the Identities drop-down menu and select Identity List to view the list of identities.
They can then select the identity they want to manually synchronize and use the hamburger menu to select 'Synchronize Attributes.'
Doing so immediately begins the attribute synchronization and analyzes all accounts for the selected identity.
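Review bot: the new `Icons` description reads `administrators can set or remove an icon for specific object type`, which needs an article (`for a specific object type`), and it does not say which object types accept icons or which image formats and size limits the API enforces; an icon upload is user-supplied content, so the accepted types and limits are exactly what an integrator reading this tag needs to know.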
@@ -397,12 +406,12 @@ tags:
- name: Identity Profiles
description: |
Use this API to implement and customize identity profile functionality.
With this functionality in place, administrators can manage identity profiles and configure them for use by identities throughout IdentityNow.
With this functionality in place, administrators can manage identity profiles and configure them for use by identities throughout Identity Security Cloud.
Identity profiles represent the configurations that can be applied to identities as a way of granting them a set of security and access, as well as defining the mappings between their identity attributes and their source attributes.
This allows administrators to save time by applying identity profiles to any number of similar identities rather than configuring each one individually.
In IdentityNow, administrators can use the Identities drop-down menu and select Identity Profiles to view the list of identity profiles.
In Identity Security Cloud, administrators can use the Identities drop-down menu and select Identity Profiles to view the list of identity profiles.
This list shows some details about each identity profile, along with its status. They can select an identity profile to view and modify its settings, its mappings between identity attributes and correlating source account attributes, and its provisioning settings.
Administrators can also use this page to create new identity profiles or delete existing ones.
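Review bot: the unchanged context line `Identity profiles represent the configurations that can be applied to identities as a way of granting them a set of security and access` is unclear; `a set of security` does not name anything, and the sentence that follows makes clear the profile defines attribute mappings and access, so rewrite it as something like `a way of granting them a defined set of access and security settings` while the surrounding lines are being touched.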
@@ -412,14 +421,14 @@ tags:
Use this API to implement and customize lifecycle state functionality.
With this functionality in place, administrators can view and configure custom lifecycle states for use across their organizations, which is key to controlling which users have access, when they have access, and the access they have.
A lifecycle state describes a user's status in a company. For example, two lifecycle states come by default with IdentityNow: 'Active' and 'Inactive.'
A lifecycle state describes a user's status in a company. For example, two lifecycle states come by default with Identity Security Cloud: 'Active' and 'Inactive.'
When an active employee takes an extended leave of absence from a company, his or her lifecycle state may change to 'Inactive,' for security purposes.
The inactive employee would lose access to all the applications, sources, and sensitive data during the leave of absence, but when the employee returns and becomes active again, all that access would be restored.
This saves administrators the time that would otherwise be spent provisioning the employee's access to each individual tool, reviewing the employee's certification history, etc.
Administrators must define the criteria for being in each lifecycle state, and they must define how IdentityNow manages users' access to apps and sources for each lifecycle state.
Administrators must define the criteria for being in each lifecycle state, and they must define how Identity Security Cloud manages users' access to apps and sources for each lifecycle state.
In IdentityNow, administrators can manage lifecycle states by going to Admin > Identities > Identity Profile, selecting the identity profile whose lifecycle states they want to manage, selecting the 'Provisioning' tab, and using the left panel to select the lifecycle state they want to modify.
In Identity Security Cloud, administrators can manage lifecycle states by going to Admin > Identities > Identity Profile, selecting the identity profile whose lifecycle states they want to manage, selecting the 'Provisioning' tab, and using the left panel to select the lifecycle state they want to modify.
In the 'Provisioning' tab, administrators can make the following access changes to an identity profile's lifecycle state:
@@ -435,10 +444,10 @@ tags:
To maintain access across multiple lifecycle states, administrators must grant the access profiles in each lifecycle state.
For example, if an administrator wants users with the 'HR Employee' identity profile to maintain their building access in both the 'Active' and 'Leave of Absence' lifecycle states, the administrator must grant the access profile for that building access to both lifecycle states.
During scheduled refreshes, IdentityNow evaluates lifecycle states to determine whether their assigned identities have the access defined in the lifecycle states' access profiles.
If the identities are missing access, IdentityNow provisions that access.
During scheduled refreshes, Identity Security Cloud evaluates lifecycle states to determine whether their assigned identities have the access defined in the lifecycle states' access profiles.
If the identities are missing access, Identity Security Cloud provisions that access.
Administrators can also use the 'Provisioning' tab to configure email notifications for IdentityNow to send whenever an identity with that identity profile has a lifecycle state change.
Administrators can also use the 'Provisioning' tab to configure email notifications for Identity Security Cloud to send whenever an identity with that identity profile has a lifecycle state change.
Refer to [Configuring Lifecycle State Notifications](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#configuring-lifecycle-state-notifications) for more information on how to do so.
An identity's lifecycle state can have four different statuses: the lifecycle state's status can be 'Active,' it can be 'Not Set,' it can be 'Not Valid,' or it 'Does Not Match Technical Name Case.'
@@ -449,6 +458,12 @@ tags:
description: Read and write operations for managing client data and statuses
- name: Managed Clusters
description: 'Operations for accessing and managing client Clusters, including Log Configuration'
- name: Manual Discover Applications
description: |
Use this API to manually upload application names to be correlated to an ISC connector.
- name: Manual Discover Applications Template
description: |
Use this API to download the CSV template to send to the application discovery service.
- name: MFA Configuration
description: Configure and test multifactor authentication (MFA) methods
- name: MFA Controller
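Review bot: the two new `Manual Discover Applications` descriptions use the abbreviation `ISC` (`to be correlated to an ISC connector`), which appears nowhere else in the file, while every other changed line in this commit spells out `Identity Security Cloud`; spell it out here as well. The upload description should also state the expected CSV shape (the template tag says a template exists but not which columns it carries) and any row or file-size limits, since the upload is bulk input the service has to parse. The tag names themselves read awkwardly (`Manual Discover Applications`), but renaming a tag means updating every operation that references it, so flagging rather than fixing.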
@@ -460,23 +475,23 @@ tags:
This allows organizations to provide secure access to non-employees and control that access.
The 'non-employee' term refers to any consultant, contractor, intern, or other user in an organization who is not a full-time permanent employee.
Organizations can track non-employees' access and activity in IdentityNow by creating and maintaining non-employee sources.
Organizations can track non-employees' access and activity in Identity Security Cloud by creating and maintaining non-employee sources.
Organizations can have a maximum of 50 non-employee sources.
By using SailPoint's Non-Employee Lifecycle Management functionality, you agree to the following:
- SailPoint is not responsible for storing sensitive data.
You may only add account attributes to non-employee identities that are necessary for business operations and are consistent with your contractual limitations on data that may be sent or stored in IdentityNow.
You may only add account attributes to non-employee identities that are necessary for business operations and are consistent with your contractual limitations on data that may be sent or stored in Identity Security Cloud.
- You are responsible for regularly downloading your list of non-employee accounts for all the sources you create and storing this list of accounts in a managed location to maintain an authoritative system of record and backup data for these accounts.
To manage non-employees in IdentityNow, administrators must create a non-employee source and add accounts to the source.
To manage non-employees in Identity Security Cloud, administrators must create a non-employee source and add accounts to the source.
To create a non-employee source in IdentityNow, administrators must use the Admin panel to go to Connections > Sources.
To create a non-employee source in Identity Security Cloud, administrators must use the Admin panel to go to Connections > Sources.
They must then specify 'Non-Employee' in the 'Source Type' field.
Refer to [Creating a Non-Employee Source](https://documentation.sailpoint.com/saas/help/common/non-employee-mgmt.html#creating-a-non-employee-source) for more details about how to create non-employee sources.
To add accounts to a non-employee source in IdentityNow, administrators can select the non-employee source and add the accounts.
To add accounts to a non-employee source in Identity Security Cloud, administrators can select the non-employee source and add the accounts.
They can also use the 'Manage Non-Employees' widget on their user dashboards to reach the list of sources and then select the non-employee source they want to add the accounts to.
Administrators can either add accounts individually or in bulk. Each non-employee source can have a maximum of 20,000 accounts.
@@ -490,8 +505,8 @@ tags:
- name: OAuth Clients
description: |
Use this API to implement OAuth client functionality.
With this functionality in place, users with the appropriate security scopes can create and configure OAuth clients to use as a way to obtain authorization to use the IdentityNow REST API.
Refer to [Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information about OAuth and how it works with the IdentityNow REST API.
With this functionality in place, users with the appropriate security scopes can create and configure OAuth clients to use as a way to obtain authorization to use the Identity Security Cloud REST API.
Refer to [Authentication](https://developer.sailpoint.com/docs/api/authentication/) for more information about OAuth and how it works with the Identity Security Cloud REST API.
- name: Org Config
description: Operations for managing org configuration settings (eg. time zone)
- name: Password Configuration
@@ -546,7 +561,7 @@ tags:
Refer to this list https://docs.oracle.com/cd/E13214_01/wli/docs92/xref/xqisocodes.html to see all the available ISO 639-1 language codes and ISO 3166-1 country codes.
- Upload the .txt file to IdentityNow with [Update Password Dictionary](https://developer.sailpoint.com/idn/api/beta/update-password-dictionary). Uploading a new file always overwrites the previous dictionary file.
- Upload the .txt file to Identity Security Cloud with [Update Password Dictionary](https://developer.sailpoint.com/docs/api/beta/put-password-dictionary). Uploading a new file always overwrites the previous dictionary file.
Administrators can then specify which password policies check new passwords against the password dictionary by doing the following: In the Admin panel, they can use the Password Mgmt dropdown menu to select Policies, select the policy, and select the 'Prevent use of words in this site's password dictionary' checkbox beside it.
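Review bot: the migrated link on the last changed line, `https://developer.sailpoint.com/docs/api/beta/put-password-dictionary`, changes the operation slug from `update-password-dictionary` to `put-password-dictionary` and drops the trailing slash that the other migrated links in this commit carry (`/docs/api/beta/put-password-org-config/`, `/docs/api/beta/update-public-identity-config/`); confirm the operation was actually renamed on the docs site and add the slash for consistency, otherwise this risks shipping a broken link in a published spec.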
@@ -556,7 +571,7 @@ tags:
Use this API to implement password management functionality.
With this functionality in place, users can manage their identity passwords for all their applications.
In IdentityNow, users can select their names in the upper right corner of the page and use the drop-down menu to select Password Manager.
In Identity Security Cloud, users can select their names in the upper right corner of the page and use the drop-down menu to select Password Manager.
Password Manager lists the user's identity's applications, possibly grouped to share passwords.
Users can then select 'Change Password' to update their passwords.
@@ -588,18 +603,18 @@ tags:
For example, an administrator can group the ActiveDirectory, GitHub, and G Suite sources together so that all those sources' applications can also be grouped to share a password.
A user can then update his or her password for ActiveDirectory, GitHub, Gmail, Google Drive, and Google Calendar all at once, rather then updating each one individually.
The following are required for administrators to create a password sync group in IdentityNow:
The following are required for administrators to create a password sync group in Identity Security Cloud:
- At least two direct connect sources connected to IdentityNow and configured for Password Management.
- At least two direct connect sources connected to Identity Security Cloud and configured for Password Management.
- Each authentication source in a sync group must have at least one application. Refer to [Adding and Resetting Application Passwords](https://documentation.sailpoint.com/saas/help/pwd/adv_config.html#adding-and-resetting-application-passwords) for more information about adding applications to sources.
- At least one password policy. Refer to [Managing Password Policies](https://documentation.sailpoint.com/saas/help/pwd/policies.html) for more information about password policies.
In the Admin panel in IdentityNow, administrators can use the Password Mgmt dropdown menu to select Sync Groups.
In the Admin panel in Identity Security Cloud, administrators can use the Password Mgmt dropdown menu to select Sync Groups.
To create a sync group, administrators must provide a name, choose a password policy to be enforced across the sources in the sync group, and select the sources to include in the sync group.
Administrators can also delete sync groups in IdentityNow, but they should know the following before they do:
Administrators can also delete sync groups in Identity Security Cloud, but they should know the following before they do:
- Passwords related to the associated sources will become independent, so changing one will not change the others anymore.
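Review bot: the unchanged context line `...Google Drive, and Google Calendar all at once, rather then updating each one individually.` has `then` for `than`; since this hunk rewrites the surrounding sync group text, correct it to `rather than updating each one individually` in the same pass.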
@@ -614,12 +629,12 @@ tags:
- name: Personal Access Tokens
description: |
Use this API to implement personal access token (PAT) functionality.
With this functionality in place, users can use PATs as an alternative to passwords for authentication in IdentityNow.
With this functionality in place, users can use PATs as an alternative to passwords for authentication in Identity Security Cloud.
PATs embed user information into the client ID and secret.
This replaces the API clients' need to store and provide a username and password to establish a connection, improving IdentityNow organizations' integration security.
This replaces the API clients' need to store and provide a username and password to establish a connection, improving Identity Security Cloud organizations' integration security.
In IdentityNow, users can do the following to create and manage their PATs: Select the dropdown menu under their names, select Preferences, and then select Personal Access Tokens.
In Identity Security Cloud, users can do the following to create and manage their PATs: Select the dropdown menu under their names, select Preferences, and then select Personal Access Tokens.
They must then provide a description about the token's purpose.
They can then select 'Create Token' at the bottom of the page to generate and view the Secret and Client ID.
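Review bot: the rewritten PAT description positions tokens as a password replacement (`users can use PATs as an alternative to passwords`) and ends with `generate and view the Secret and Client ID`, but says nothing about how a token is revoked or that the secret is a credential to be stored and rotated like a password; add one sentence on revocation and handling, since `Personal Access Tokens` is the tag integrators read before embedding a secret in a client.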
@@ -635,24 +650,23 @@ tags:
Administrators can use this API to make those necessary identity attributes public to non-administrators.
For example, a non-administrator deciding whether to approve another identity's request for access to the Workday application, whose access may be restricted to members of the HR department, would want to know whether the identity is a member of the HR department.
If an administrator has used [Update Public Identity Config](https://developer.sailpoint.com/idn/api/beta/update-public-identity-config) to make the "department" attribute public, the approver can see the department and make a decision without requesting any more information.
If an administrator has used [Update Public Identity Config](https://developer.sailpoint.com/docs/api/beta/update-public-identity-config/) to make the "department" attribute public, the approver can see the department and make a decision without requesting any more information.
- name: Requestable Objects
description: |
Use this API to implement requestable object functionality.
With this functionality in place, administrators can determine which access items can be requested with the [Access Request APIs](https://developer.sailpoint.com/idn/api/beta/access-requests), along with their statuses.
With this functionality in place, administrators can determine which access items can be requested with the [Access Request APIs](https://developer.sailpoint.com/docs/api/beta/access-requests/), along with their statuses.
This can be helpful for administrators who are implementing and customizing access request functionality as a way of checking which items are requestable as they are created, assigned, and made available.
- name: Role Insights
- name: Roles
description: |
Use this API to implement and customize role functionality.
With this functionality in place, administrators can create roles and configure them for use throughout IdentityNow.
IdentityNow can use established criteria to automatically assign the roles to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks.
With this functionality in place, administrators can create roles and configure them for use throughout Identity Security Cloud.
Identity Security Cloud can use established criteria to automatically assign the roles to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks.
Entitlements represent the most granular level of access in IdentityNow.
Entitlements represent the most granular level of access in Identity Security Cloud.
Access profiles represent the next level and often group entitlements.
Roles represent the broadest level of access and often group access profiles.
For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.
@@ -668,12 +682,12 @@ tags:
For example, an organization's accountant can access all the tools the organization's accountants need with the 'Accountant' role.
If the accountant switches to engineering, a qualified member of the organization can quickly revoke the accountant's 'Accountant' access and grant access to the 'Engineer' role instead, granting access to all the tools the organization's engineers need.
In IdentityNow, adminstrators can use the Access drop-down menu and select Roles to view, configure, and delete existing roles, as well as create new ones.
In Identity Security Cloud, adminstrators can use the Access drop-down menu and select Roles to view, configure, and delete existing roles, as well as create new ones.
Administrators can enable and disable the role, and they can also make the following configurations:
- Manage Access: Manage the role's access by adding or removing access profiles.
- Define Assignment: Define the criteria IdentityNow uses to assign the role to identities.
- Define Assignment: Define the criteria Identity Security Cloud uses to assign the role to identities.
Use the first option, 'Standard Criteria,' to provide specific criteria for assignment like specific account attributes, entitlements, or identity attributes.
Use the second, 'Identity List,' to specify the identities for assignment.
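Review bot: the renamed line `In Identity Security Cloud, adminstrators can use the Access drop-down menu and select Roles...` carries the misspelling `adminstrators` over from the old line; since the line is being rewritten anyway, fix it to `administrators` here.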
@@ -681,6 +695,7 @@ tags:
Do not configure a role to be requestable without establishing a secure access request approval process for that role first.
Refer to [Working with Roles](https://documentation.sailpoint.com/saas/help/access/roles.html) for more information about roles.
- name: Role Insights
- name: Search Attribute Configuration
- name: Segments
description: |
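Review bot: `- name: Role Insights` is re-added here after `Roles`, having been removed from before it in the Requestable Objects hunk above; `Role Insights` sorts before `Roles` in any alphabetical ordering, so this is not an alphabetisation, and tag order is what the rendered documentation uses for navigation. Confirm the new position is deliberate; the same question applies to `Connector Rule Management` landing after `Connectors` earlier in this commit.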
@@ -692,7 +707,7 @@ tags:
For example, administrators could group all their organization's London office employees into one segment, "London Office Employees," by their shared location.
The administrators could then define the access items the London employees would need, and the identities in the "London Office Employees" would then only be able to see and access those items.
In IdentityNow, administrators can use the 'Access' drop-down menu and select 'Segments' to reach the 'Access Requests Segments' page.
In Identity Security Cloud, administrators can use the 'Access' drop-down menu and select 'Segments' to reach the 'Access Requests Segments' page.
This page lists all the existing access request segments, along with their statuses, enabled or disabled.
Administrators can use this page to create, edit, enable, disable, and delete segments.
To create a segment, an administrator must provide a name, define the identities grouped in the segment, and define the items the identities in the segment can access.
@@ -700,16 +715,16 @@ tags:
When administrators use the API to create and manage segments, they use a JSON expression in the `visibilityCriteria` object to define the segment's identities and access items.
Refer to [Managing Access Request Segments](https://documentation.sailpoint.com/saas/help/requests/segments.html) for more information about segments in IdentityNow.
Refer to [Managing Access Request Segments](https://documentation.sailpoint.com/saas/help/requests/segments.html) for more information about segments in Identity Security Cloud.
- name: Service Desk Integration
description: |
Use this API to build an integration between IdentityNow and a service desk ITSM (IT service management) solution.
Once an administrator builds this integration between IdentityNow and a service desk, users can use IdentityNow to raise and track tickets that are synchronized between IdentityNow and the service desk.
Use this API to build an integration between Identity Security Cloud and a service desk ITSM (IT service management) solution.
Once an administrator builds this integration between Identity Security Cloud and a service desk, users can use Identity Security Cloud to raise and track tickets that are synchronized between Identity Security Cloud and the service desk.
In IdentityNow, administrators can create a service desk integration (sometimes also called an SDIM, or Service Desk Integration Module) by going to Admin > Connections > Service Desk and selecting 'Create.'
In Identity Security Cloud, administrators can create a service desk integration (sometimes also called an SDIM, or Service Desk Integration Module) by going to Admin > Connections > Service Desk and selecting 'Create.'
To create a Generic Service Desk integration, for example, administrators must provide the required information on the General Settings page, the Connectivity and Authentication information, Ticket Creation information, Status Mapping information, and Requester Source information on the Configure page.
Refer to [Integrating SailPoint with Generic Service Desk](https://documentation.sailpoint.com/connectors/generic_sd/help/integrating_generic_service_desk/intro.html) for more information about the process of setting up a Generic Service Desk in IdentityNow.
Refer to [Integrating SailPoint with Generic Service Desk](https://documentation.sailpoint.com/connectors/generic_sd/help/integrating_generic_service_desk/intro.html) for more information about the process of setting up a Generic Service Desk in Identity Security Cloud.
Administrators can create various service desk integrations, all with their own nuances.
The following service desk integrations are available:
@@ -727,7 +742,7 @@ tags:
- [ServiceNow Service Desk](https://documentation.sailpoint.com/connectors/servicenow/sdim/help/integrating_servicenow_sdim/intro.html)
- [Zendesk Service Desk](https://documentation.sailpoint.com/connectors/zendesk/help/integrating_zendesk_sd/introduction.html)
- name: SOD Policy
- name: SOD Policies
description: |
Use this API to implement and manage "separation of duties" (SOD) policies.
With SOD policy functionality in place, administrators can organize the access in their tenants to prevent individuals from gaining conflicting or excessive access.
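Review bot: renaming the tag from `SOD Policy` to `SOD Policies` only takes effect if every operation's `tags:` entry is updated to the new string as well; any path still tagged `SOD Policy` will group under an undefined tag with no description. Please confirm the operations under this tag were updated in the same commit (the other file diffs are suppressed here), or keep the old name.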
@@ -739,7 +754,7 @@ tags:
Organizations can use "separation of duties" (SOD) policies to enforce and track their internal security rules throughout their tenants.
These SOD policies limit each user's involvement in important processes and protects the organization from individuals gaining excessive access.
To create SOD policies in IdentityNow, administrators use 'Search' and then access 'Policies'.
To create SOD policies in Identity Security Cloud, administrators use 'Search' and then access 'Policies'.
To create a policy, they must configure two lists of access items. Each access item can only be added to one of the two lists.
They can search for the entitlements they want to add to these access lists.
@@ -749,7 +764,7 @@ tags:
These violations are included in SOD violation reports that other users will see in emails at regular intervals if they're subscribed to the SOD policy.
The other users can then better help to enforce these SOD policies.
To create a subscription to a SOD policy in IdentityNow, administrators use 'Search' and then access 'Layers'.
To create a subscription to a SOD policy in Identity Security Cloud, administrators use 'Search' and then access 'Layers'.
They can create a subscription to the policy and schedule it to run at a regular interval.
Refer to [Managing Policies](https://documentation.sailpoint.com/saas/help/sod/manage-policies.html) for more information about SOD policies.
@@ -775,25 +790,20 @@ tags:
This second option is a good way to prevent SOD violations from triggering at all.
Refer to [Handling Policy Violations](https://documentation.sailpoint.com/saas/help/sod/policy-violations.html) for more information about SOD policy violations.
- name: Source Usages
description: |
Use this API to implement source usage insight functionality.
With this functionality in place, administrators can gather information and insights about how their tenants' sources are being used.
This allows organizations to get the information they need to start optimizing and securing source usage.
- name: Sources
description: |
Use this API to implement and customize source functionality.
With source functionality in place, organizations can use IdentityNow to connect their various sources and user data sets and manage access across all those different sources in a secure, scalable way.
With source functionality in place, organizations can use Identity Security Cloud to connect their various sources and user data sets and manage access across all those different sources in a secure, scalable way.
[Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) refer to the IdentityNow representations for external applications, databases, and directory management systems that maintain their own sets of users, like Dropbox, GitHub, and Workday, for example.
[Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) refer to the Identity Security Cloud representations for external applications, databases, and directory management systems that maintain their own sets of users, like Dropbox, GitHub, and Workday, for example.
Organizations may use hundreds, if not thousands, of different source systems, and any one employee within an organization likely has a different user record on each source, often with different permissions on many of those records.
Connecting these sources to IdentityNow makes it possible to manage user access across them all.
Then, if a new hire starts at an organization, IdentityNow can grant the new hire access to all the sources they need.
If an employee moves to a new department and needs access to new sources but no longer needs access to others, IdentityNow can grant the necessary access and revoke the unnecessary access for all the employee's various sources.
If an employee leaves the company, IdentityNow can revoke access to all the employee's various source accounts immediately.
Connecting these sources to Identity Security Cloud makes it possible to manage user access across them all.
Then, if a new hire starts at an organization, Identity Security Cloud can grant the new hire access to all the sources they need.
If an employee moves to a new department and needs access to new sources but no longer needs access to others, Identity Security Cloud can grant the necessary access and revoke the unnecessary access for all the employee's various sources.
If an employee leaves the company, Identity Security Cloud can revoke access to all the employee's various source accounts immediately.
These are just a few examples of the many ways that source functionality makes identity governance easier, more efficient, and more secure.
In IdentityNow, administrators can create configure, manage, and edit sources, and they can designate other users as source admins to be able to do so.
In Identity Security Cloud, administrators can create configure, manage, and edit sources, and they can designate other users as source admins to be able to do so.
They can also designate users as source sub-admins, who can perform the same source actions but only on sources associated with their governance groups.
Admins go to Connections > Sources to see a list of the existing source representations in their organizations.
They can create new sources or select existing ones.
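Review bot: the rewritten line `In Identity Security Cloud, administrators can create configure, manage, and edit sources` carries over a missing comma from the original; since the line is being touched anyway, make it `create, configure, manage, and edit sources`. Separately, this hunk drops the `Source Usages` tag block here and a later hunk re-adds it after `Sources`; confirm the reordering is intentional, since a plain lexical sort places `Source Usages` before `Sources`, and renderers commonly follow the `tags` array order for section order.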
@@ -801,17 +811,17 @@ tags:
To create a new source, the following must be specified: Source Name, Description, Source Owner, and Connection Type.
Refer to [Configuring a Source](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html#configuring-a-source) for more information about the source configuration process.
IdentityNow connects with its sources either by a direct communication with the source server (connection information specific to the source must be provided) or a flat file feed, a CSV file containing all the relevant information about the accounts to be loaded in.
Different sources use different connectors to share data with IdentityNow, and each connector's setup process is specific to that connector.
Identity Security Cloud connects with its sources either by a direct communication with the source server (connection information specific to the source must be provided) or a flat file feed, a CSV file containing all the relevant information about the accounts to be loaded in.
Different sources use different connectors to share data with Identity Security Cloud, and each connector's setup process is specific to that connector.
SailPoint has built a number of connectors to come out of the box and connect to the most common sources, and SailPoint actively maintains these connectors.
Refer to [IdentityNow Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about these SailPoint supported connectors.
Refer to [Identity Security Cloud Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about these SailPoint supported connectors.
Refer to the following links for more information about two useful connectors:
- [JDBC Connector](https://documentation.sailpoint.com/connectors/jdbc/help/integrating_jdbc/introduction.html): This customizable connector an directly connect to databases that support JDBC (Java Database Connectivity).
- [Web Services Connector](https://documentation.sailpoint.com/connectors/webservices/help/integrating_webservices/introduction.html): This connector can directly connect to databases that support Web Services.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/idn/docs/saas-connectivity) for more information about SailPoint's new connectivity framework that makes it easy to build and manage custom connectors to SaaS sources.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/docs/connectivity/saas-connectivity/) for more information about SailPoint's new connectivity framework that makes it easy to build and manage custom connectors to SaaS sources.
When admins select existing sources, they can view the following information about the source:
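Review bot: the unchanged JDBC Connector context line reads `This customizable connector an directly connect to databases`, where `an` should be `can`; since the adjacent lines are being rewritten, fix it in this hunk. On the rewritten line, `SailPoint supported connectors` reads better hyphenated as `SailPoint-supported connectors`.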
@@ -824,12 +834,12 @@ tags:
- Associated access profiles (groupings of entitlements).
The user account data and the entitlements update with each data aggregation from the source.
Organizations generally run scheduled, automated data aggregations to ensure that their data is always in sync between their sources and their IdentityNow tenants so an access change on a source is detected quickly in IdentityNow.
Organizations generally run scheduled, automated data aggregations to ensure that their data is always in sync between their sources and their Identity Security Cloud tenants so an access change on a source is detected quickly in Identity Security Cloud.
Admins can view a history of these aggregations, and they can also run manual imports.
Refer to [Loading Account Data](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html) for more information about manual and scheduled aggregations.
Admins can also make changes to determine which user account data IdentityNow collects from the source and how it correlates that account data with identity data.
To define which account attributes the source shares with IdentityNow, admins can edit the account schema on the source.
Admins can also make changes to determine which user account data Identity Security Cloud collects from the source and how it correlates that account data with identity data.
To define which account attributes the source shares with Identity Security Cloud, admins can edit the account schema on the source.
Refer to [Managing Source Account Schemas](https://documentation.sailpoint.com/saas/help/accounts/schema.html) for more information about source account schemas and how to edit them.
To define the mapping between the source account attributes and their correlating identity attributes, admins can edit the correlation configuration on the source.
Refer to [Assigning Source Accounts to Identities](https://documentation.sailpoint.com/saas/help/accounts/correlation.html) for more information about this correlation process between source accounts and identities.
@@ -837,16 +847,21 @@ tags:
Admins can also delete sources, but they must first ensure that the sources no longer have any active connections: the source must not be associated with any identity profile or any app, and it must not be referenced by any transform.
Refer to [Deleting Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html#deleting-sources) for more information about deleting sources.
Well organized, mapped out connections between sources and IdentityNow are essential to achieving comprehensive identity access governance across all the source systems organizations need.
Well organized, mapped out connections between sources and Identity Security Cloud are essential to achieving comprehensive identity access governance across all the source systems organizations need.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about all the different things admins can do with sources once they are connected.
- name: Source Usages
description: |
Use this API to implement source usage insight functionality.
With this functionality in place, administrators can gather information and insights about how their tenants' sources are being used.
This allows organizations to get the information they need to start optimizing and securing source usage.
- name: SP-Config
description: Import and export configuration for some objects between tenants.
- name: Tagged Objects
description: |
Use this API to implement object tagging functionality.
With object tagging functionality in place, any user in an organization can use tags as a way to group objects together and find them more quickly when the user searches IdentityNow.
With object tagging functionality in place, any user in an organization can use tags as a way to group objects together and find them more quickly when the user searches Identity Security Cloud.
In IdentityNow, users can search their tenants for information and add tags objects they find.
In Identity Security Cloud, users can search their tenants for information and add tags objects they find.
Tagging an object provides users with a way of grouping objects together and makes it easier to find these objects in the future.
For example, if a user is searching for an entitlement that grants a risky level of access to Active Directory, it's possible that the user may have to search through hundreds of entitlements to find the correct one.
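Review bot: the rewritten line `In Identity Security Cloud, users can search their tenants for information and add tags objects they find` preserves a dropped word from the original; it should read `add tags to objects they find`.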
@@ -854,7 +869,7 @@ tags:
The user can add the same tag to multiple objects the user wants to group together for an easy future search, and the user can also do so in bulk.
When the user wants to find that tagged entitlement again, the user can search for "tags:AD_RISKY" to find all objects with that tag.
With the API, you can tag even more different object types than you can in IdentityNow (access profiles, entitlements, identities, and roles).
With the API, you can tag even more different object types than you can in Identity Security Cloud (access profiles, entitlements, identities, and roles).
You can use the API to tag all these objects:
- Access profiles
@@ -883,7 +898,7 @@ tags:
- You can have up to 10,000 tag associations, pairings of 1 tag to 1 object, in your tenant.
Because of these limits, it is recommended that you work with your governance experts and security teams to establish a list of tags that are most expressive of governance objects and access managed by IdentityNow.
Because of these limits, it is recommended that you work with your governance experts and security teams to establish a list of tags that are most expressive of governance objects and access managed by Identity Security Cloud.
These are the types of information often expressed in tags:
@@ -895,15 +910,15 @@ tags:
- Risk levels
Refer to [Tagging Items in Search](https://documentation.sailpoint.com/saas/help/search/index.html?h=tags#tagging-items-in-search) for more information about tagging objects in IdentityNow.
Refer to [Tagging Items in Search](https://documentation.sailpoint.com/saas/help/search/index.html?h=tags#tagging-items-in-search) for more information about tagging objects in Identity Security Cloud.
- name: Task Management
- name: Tenant
description: API for reading tenant details.
- name: Transforms
description: 'Operations for creating, managing, and deleting transforms'
description: 'Operations for creating, managing, and deleting transforms.'
- name: Triggers
description: |
Event Triggers provide real-time updates to changes in IdentityNow so you can take action as soon as an event occurs, rather than poll an API endpoint for updates. IdentityNow provides a user interface within the admin console to create and manage trigger subscriptions. These endpoints allow for programatically creating and managing trigger subscriptions.
Event Triggers provide real-time updates to changes in Identity Security Cloud so you can take action as soon as an event occurs, rather than poll an API endpoint for updates. Identity Security Cloud provides a user interface within the admin console to create and manage trigger subscriptions. These endpoints allow for programatically creating and managing trigger subscriptions.
There are two types of event triggers:
* `FIRE_AND_FORGET`: This trigger type will send a payload to each subscriber without needing a response. Each trigger of this type has a limit of **50 subscriptions**.
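Review bot: `programatically` is misspelled on the rewritten Triggers description line and should be `programmatically`; the rename touched this line, so correct the spelling in the same change.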
@@ -914,10 +929,10 @@ tags:
| Name | ID | Type | Trigger condition |
|-|-|-|-|
| [Access Request Dynamic Approval](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/access-request-dynamic-approval) | idn:access-request-dynamic-approver | REQUEST_RESPONSE |After an access request is submitted. Expects the subscriber to respond with the ID of an identity or workgroup to add to the approval workflow. |
| [Access Request Decision](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/access-request-decision) | idn:access-request-post-approval | FIRE_AND_FORGET | After an access request is approved. |
| [Access Request Submitted](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/access-request-submitted) | idn:access-request-pre-approval | REQUEST_RESPONSE | After an access request is submitted. Expects the subscriber to respond with an approval decision. |
| [Account Aggregation Completed](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/account-aggregation-completed) | idn:account-aggregation-completed | FIRE_AND_FORGET | After an account aggregation completed, terminated, failed. |
| [Access Request Dynamic Approval](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/access-request-dynamic-approval/) | idn:access-request-dynamic-approver | REQUEST_RESPONSE |After an access request is submitted. Expects the subscriber to respond with the ID of an identity or workgroup to add to the approval workflow. |
| [Access Request Decision](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/access-request-decision/) | idn:access-request-post-approval | FIRE_AND_FORGET | After an access request is approved. |
| [Access Request Submitted](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/access-request-submitted/) | idn:access-request-pre-approval | REQUEST_RESPONSE | After an access request is submitted. Expects the subscriber to respond with an approval decision. |
| [Account Aggregation Completed](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/account-aggregation-completed/) | idn:account-aggregation-completed | FIRE_AND_FORGET | After an account aggregation completed, terminated, failed. |
| Account Attributes Changed | idn:account-attributes-changed | FIRE_AND_FORGET | After an account aggregation, and one or more account attributes have changed. |
| Account Correlated | idn:account-correlated | FIRE_AND_FORGET | After an account is added to an identity. |
| Accounts Collected for Aggregation | idn:aggregation-accounts-collected | FIRE_AND_FORGET | New, changed, and deleted accounts have been gathered during an aggregation and are being processed. |
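Review bot: the rewritten `Access Request Dynamic Approval` row is missing a space after the `Type` cell separator (`REQUEST_RESPONSE |After`), which is inconsistent with the other rows; and the `Account Aggregation Completed` condition `After an account aggregation completed, terminated, failed` wants an `or` before `failed`.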
@@ -926,32 +941,35 @@ tags:
| Campaign Ended | idn:campaign-ended | FIRE_AND_FORGET | After a campaign ends. |
| Campaign Generated | idn:campaign-generated | FIRE_AND_FORGET | After a campaign finishes generating. |
| Certification Signed Off | idn:certification-signed-off | FIRE_AND_FORGET | After a certification is signed off by its reviewer. |
| [Identity Attributes Changed](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/account-aggregation-completed) | idn:identity-attributes-changed | FIRE_AND_FORGET | After One or more identity attributes changed. |
| [Identity Created](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/identity-created) | idn:identity-created | FIRE_AND_FORGET | After an identity is created. |
| [Provisioning Action Completed](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/provisioning-completed) | idn:post-provisioning | FIRE_AND_FORGET | After a provisioning action completed on a source. |
| [Scheduled Search](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/scheduled-search) | idn:saved-search-complete | FIRE_AND_FORGET | After a scheduled search completed. |
| [Source Created](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-created) | idn:source-created | FIRE_AND_FORGET | After a source is created. |
| [Source Deleted](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-deleted) | idn:source-deleted | FIRE_AND_FORGET | After a source is deleted. |
| [Source Updated](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-updated) | idn:source-updated | FIRE_AND_FORGET | After configuration changes have been made to a source. |
| [VA Cluster Status Change](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/va-cluster-status-change) | idn:va-cluster-status-change | FIRE_AND_FORGET | After the status of a VA cluster has changed. |
| [Identity Attributes Changed](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/account-aggregation-completed/) | idn:identity-attributes-changed | FIRE_AND_FORGET | After One or more identity attributes changed. |
| [Identity Created](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/identity-created/) | idn:identity-created | FIRE_AND_FORGET | After an identity is created. |
| [Provisioning Action Completed](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/provisioning-completed/) | idn:post-provisioning | FIRE_AND_FORGET | After a provisioning action completed on a source. |
| [Scheduled Search](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/scheduled-search/) | idn:saved-search-complete | FIRE_AND_FORGET | After a scheduled search completed. |
| [Source Created](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/source-created/) | idn:source-created | FIRE_AND_FORGET | After a source is created. |
| [Source Deleted](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/source-deleted/) | idn:source-deleted | FIRE_AND_FORGET | After a source is deleted. |
| [Source Updated](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/source-updated/) | idn:source-updated | FIRE_AND_FORGET | After configuration changes have been made to a source. |
| [VA Cluster Status Change](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/va-cluster-status-change/) | idn:va-cluster-status-change | FIRE_AND_FORGET | After the status of a VA cluster has changed. |
## Early Access Event Triggers
Triggers that are in-development and not ready for production use. Please contact support to enable these triggers in your tenant.
| Name | ID | Type | Trigger condition |
|-|-|-|-|
| [Identity Deleted](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/identity-deleted) | idn:identity-deleted | FIRE_AND_FORGET | After an identity is deleted. |
| [Source Account Created](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-account-created) | idn:source-account-created | FIRE_AND_FORGET | After a source account is created. |
| [Source Account Deleted](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-account-deleted) | idn:source-account-deleted | FIRE_AND_FORGET | After a source account is deleted. |
| [Source Account Updated](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-account-updated) | idn:source-account-updated | FIRE_AND_FORGET | After a source account is changed. |
| [Identity Deleted](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/identity-deleted/) | idn:identity-deleted | FIRE_AND_FORGET | After an identity is deleted. |
| [Source Account Created](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/source-account-created/) | idn:source-account-created | FIRE_AND_FORGET | After a source account is created. |
| [Source Account Deleted](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/source-account-deleted/) | idn:source-account-deleted | FIRE_AND_FORGET | After a source account is deleted. |
| [Source Account Updated](https://developer.sailpoint.com/docs/extensibility/event-triggers/triggers/source-account-updated/) | idn:source-account-updated | FIRE_AND_FORGET | After a source account is changed. |
Refer to [Event Triggers](https://developer.sailpoint.com/idn/docs/event-triggers/) for more information about event triggers.
Refer to [Event Triggers](https://developer.sailpoint.com/docs/extensibility/event-triggers/) for more information about event triggers.
- name: Vendor Connector Mappings
description: |
Use this API to manage mappings between various SaaS vendors and Identity Security Cloud (ISC) connectors.
- name: Work Items
description: |
Use this API to implement work item functionality.
With this functionality in place, users can manage their work items (tasks).
Work items refer to the tasks users see in IdentityNow's Task Manager.
Work items refer to the tasks users see in Identity Security Cloud's Task Manager.
They can see the pending work items they need to complete, as well as the work items they have already completed.
Task Manager lists the work items along with the involved sources, identities, accounts, and the timestamp when the work item was created.
For example, a user may see a pending 'Create an Account' work item for the identity Fred.Astaire in GitHub for Fred's GitHub account, fred-astaire-sp.
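Review bot: the `Identity Attributes Changed` row still links to `.../event-triggers/triggers/account-aggregation-completed/`, the same URL as the `Account Aggregation Completed` row; the rewrite updated the path prefix but kept the wrong page slug. Point it at the identity-attributes-changed trigger page (the slug is inferred from the pattern of the neighbouring rows, so verify it). On the same row, `After One or more identity attributes changed` should use lowercase `one`.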
@@ -976,23 +994,7 @@ tags:
Refer to [Work Reassignment](https://documentation.sailpoint.com/saas/help/users/work_reassignment.html) for more information about this topic.
- name: Workflows
description: |
Workflows allow administrators to create custom automation scripts directly within IdentityNow. These automation scripts respond to [event triggers](https://developer.sailpoint.com/idn/docs/event-triggers#how-to-get-started-with-event-triggers) and perform a series of actions to perform tasks that are either too cumbersome or not available in the IdentityNow UI. Workflows can be configured via a graphical user interface within IdentityNow, or by creating and uploading a JSON formatted script to the Workflow service. The Workflows API collection provides the necessary functionality to create, manage, and test your workflows via REST.
- name: Manual Discover Applications
description: |
Use this API to manually upload application names to be correlated to an IDN connector.
- name: Manual Discover Applications Template
description: |
Use this API to download the CSV template to send to the application discovery service.
- name: Discovered Applications
description: |
Use this API to retrieve all the available discovered apps for a given tenant id.
- name: Vendor Connector Mappings
description: |
Use this API to manage mappings between various SaaS vendors and IdentityNow (IDN) connectors.
- name: Icons
description: |
Use this API to implement functionality related to object icons (application icons for example).
With this functionality in place, administrators can set or remove an icon for specific object type for use throughout IdentityNow.
Workflows allow administrators to create custom automation scripts directly within Identity Security Cloud. These automation scripts respond to [event triggers](https://developer.sailpoint.com/docs/extensibility/event-triggers/#how-to-get-started-with-event-triggers) and perform a series of actions to perform tasks that are either too cumbersome or not available in the Identity Security Cloud UI. Workflows can be configured via a graphical user interface within Identity Security Cloud, or by creating and uploading a JSON formatted script to the Workflow service. The Workflows API collection provides the necessary functionality to create, manage, and test your workflows via REST.
security:
- UserContextAuth: []
components:
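Review bot: this hunk deletes the tag definitions for `Manual Discover Applications`, `Manual Discover Applications Template`, `Discovered Applications` and `Icons` (and moves `Vendor Connector Mappings` up with new `Identity Security Cloud (ISC)` wording). Any operation whose `tags:` still names one of the removed tags will reference an undefined tag; confirm the corresponding paths were removed in the same commit, or keep the definitions until they are.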
@@ -1001,14 +1003,14 @@ components:
type: oauth2
description: |
OAuth2 Bearer token (JWT) generated using either a Personal Access token or through the Authorization Code flow.
See [IdentityNow REST API Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information.
- Directions for generating a [personal access token](https://developer.sailpoint.com/idn/api/authentication#personal-access-tokens)
- Directions using [client credentials flow](https://developer.sailpoint.com/idn/api/authentication#client-credentials-grant-flow)
- Directions for using [authorization code flow](https://developer.sailpoint.com/idn/api/authentication#authorization-code-grant-flow)
See [Identity Security Cloud REST API Authentication](https://developer.sailpoint.com/docs/api/authentication/) for more information.
- Directions for generating a [personal access token](https://developer.sailpoint.com/docs/api/authentication/#personal-access-tokens)
- Directions using [client credentials flow](https://developer.sailpoint.com/docs/api/authentication/#client-credentials-grant-flow)
- Directions for using [authorization code flow](https://developer.sailpoint.com/docs/api/authentication/#authorization-code-grant-flow)
Which authentication method should I choose? See our [guide](https://developer.sailpoint.com/idn/api/authentication#which-oauth-20-grant-flow-should-i-use)
Which authentication method should I choose? See the [guide](https://developer.sailpoint.com/docs/api/authentication/#which-oauth-20-grant-flow-should-i-use).
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in our docs](https://developer.sailpoint.com/idn/api/authentication#find-your-tenants-oauth-details)
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in the docs](https://developer.sailpoint.com/docs/api/authentication/#find-your-tenants-oauth-details).
flows:
clientCredentials:
tokenUrl: 'https://tenant.api.identitynow.com/oauth/token'
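Review bot: The opening sentence of this description still says the token is "generated using either a Personal Access token or through the Authorization Code flow", but the directions list beneath it also covers the client credentials flow, so the sentence understates what the scheme accepts; align it with the three flows listed, for example "generated using a personal access token, the client credentials flow, or the authorization code flow". Minor wording: "Directions using [client credentials flow]" should read "Directions for using ..." to match the other two bullets.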
@@ -1025,12 +1027,12 @@ components:
type: oauth2
description: |
OAuth2 Bearer token (JWT) generated using client credentials flow.
See [IdentityNow REST API Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information.
- Directions using [client credentials flow](https://developer.sailpoint.com/idn/api/authentication#client-credentials-grant-flow)
See [Identity Security Cloud REST API Authentication](https://developer.sailpoint.com/docs/api/authentication/) for more information.
- Directions using [client credentials flow](https://developer.sailpoint.com/docs/api/authentication/#client-credentials-grant-flow)
Which authentication method should I choose? See our [guide](https://developer.sailpoint.com/idn/api/authentication#which-oauth-20-grant-flow-should-i-use)
Which authentication method should I choose? See the [guide](https://developer.sailpoint.com/docs/api/authentication/#which-oauth-20-grant-flow-should-i-use).
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in our docs](https://developer.sailpoint.com/idn/api/authentication#find-your-tenants-oauth-details)
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in the docs](https://developer.sailpoint.com/docs/api/authentication/#find-your-tenants-oauth-details).
flows:
clientCredentials:
tokenUrl: 'https://tenant.api.identitynow.com/oauth/token'
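Review bot: This scheme defines only a `clientCredentials` flow, yet the updated sentence still tells readers how to find "your `tokenUrl` and `authorizationUrl`"; there is no authorization URL in this scheme, so dropping `authorizationUrl` from that sentence keeps the description consistent with the `flows` block below it. Also, "Directions using [client credentials flow]" should read "Directions for using ...".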

File diff suppressed because one or more lines are too long


@@ -1,7 +1,7 @@
openapi: 3.0.1
info:
title: IdentityNow V3 API
description: 'Use these APIs to interact with the IdentityNow platform to achieve repeatable, automated processes with greater scalability. We encourage you to join the SailPoint Developer Community forum at https://developer.sailpoint.com/discuss to connect with other developers using our APIs.'
title: Identity Security Cloud V3 API
description: 'Use these APIs to interact with the Identity Security Cloud platform to achieve repeatable, automated processes with greater scalability. We encourage you to join the SailPoint Developer Community forum at https://developer.sailpoint.com/discuss to connect with other developers using our APIs.'
termsOfService: 'https://developer.sailpoint.com/discuss/tos'
contact:
name: Developer Relations
@@ -27,11 +27,11 @@ tags:
- name: Access Profiles
description: |
Use this API to implement and customize access profile functionality.
With this functionality in place, administrators can create access profiles and configure them for use throughout IdentityNow, enabling users to get the access they need quickly and securely.
With this functionality in place, administrators can create access profiles and configure them for use throughout Identity Security Cloud, enabling users to get the access they need quickly and securely.
Access profiles group entitlements, which represent access rights on sources.
For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.
@@ -39,7 +39,7 @@ tags:
When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.
Access profiles are the most important units of access in IdentityNow. IdentityNow uses access profiles in many features, including the following:
Access profiles are the most important units of access in Identity Security Cloud. Identity Security Cloud uses access profiles in many features, including the following:
- Provisioning: When you use the Provisioning Service, lifecycle states and roles both grant access to users in the form of access profiles.
@@ -49,7 +49,7 @@ tags:
- Roles: You can group one or more access profiles into a role to quickly assign access items based on an identity's role.
In IdentityNow, administrators can use the Access drop-down menu and select Access Profiles to view, configure, and delete existing access profiles, as well as create new ones.
In Identity Security Cloud, administrators can use the Access drop-down menu and select Access Profiles to view, configure, and delete existing access profiles, as well as create new ones.
Administrators can enable and disable an access profile, and they can also make the following configurations:
- Manage Entitlements: Manage the profile's access by adding and removing entitlements.
@@ -57,71 +57,66 @@ tags:
- Access Requests: Configure access profiles to be requestable and establish an approval process for any requests that the access profile be granted or revoked.
Do not configure an access profile to be requestable without first establishing a secure access request approval process for the access profile.
- Multiple Account Options: Define the logic IdentityNow uses to provision access to an identity with multiple accounts on the source.
- Multiple Account Options: Define the logic Identity Security Cloud uses to provision access to an identity with multiple accounts on the source.
Refer to [Managing Access Profiles](https://documentation.sailpoint.com/saas/help/access/access-profiles.html) for more information about access profiles.
- name: Access Request Approvals
description: |
Use this API to implement and customize access request approval functionality.
With this functionality in place, administrators can delegate qualified users to review users' requests for access or managers' requests to revoke team members' access to applications, entitlements, or roles.
This enables more qualified users to review access requests and the others to spend their time on other tasks.
In IdentityNow, users can request access to applications, entitlements, and roles, and managers can request that team members' access be revoked.
For applications and entitlements, administrators can set access profiles to require approval from the access profile owner, the application owner, the source owner, the requesting user's manager, or a governance group for access to be granted or revoked.
For roles, administrators can also set roles to allow access requests and require approval from the role owner, the requesting user's manager, or a governance group for access to be granted or revoked.
If the administrator designates a governance group as the required approver, any governance group member can approve the requests.
When a user submits an access request, IdentityNow sends the first required approver in the queue an email notification, based on the access request configuration's approval and reminder escalation configuration.
In Approvals in IdentityNow, required approvers can view pending access requests under the Requested tab and approve or deny them, or the approvers can reassign the requests to different reviewers for approval.
If the required approver approves the request and is the only reviewer required, IdentityNow grants or revokes access, based on the request.
If multiple reviewers are required, IdentityNow sends the request to the next reviewer in the queue, based on the access request configuration's approval reminder and escalation configuration.
The required approver can then view any completed access requests under the Reviewed tab.
Refer to [Access Requests](https://documentation.sailpoint.com/saas/help/requests/index.html) for more information about access request approvals.
- name: Access Requests
description: |
Use this API to implement and customize access request functionality.
With this functionality in place, users can request access to applications, entitlements, or roles, and managers can request that team members' access be revoked.
This allows users to get access to the tools they need quickly and securely, and it allows managers to take away access to those tools.
IdentityNow's Access Request service allows end users to request access that requires approval before it can be granted to users and enables qualified users to review those requests and approve or deny them.
Identity Security Cloud's Access Request service allows end users to request access that requires approval before it can be granted to users and enables qualified users to review those requests and approve or deny them.
In the Request Center in IdentityNow, users can view available applications, roles, and entitlements and request access to them.
In the Request Center in Identity Security Cloud, users can view available applications, roles, and entitlements and request access to them.
If the requested tools requires approval, the requests appear as 'Pending' under the My Requests tab until the required approver approves, rejects, or cancels them.
Users can use My Requests to track and/or cancel the requests.
In My Team on the IdentityNow Home, managers can submit requests to revoke their team members' access.
In My Team on the Identity Security Cloud Home, managers can submit requests to revoke their team members' access.
They can use the My Requests tab under Request Center to track and/or cancel the requests.
Refer to [Requesting Access](https://documentation.sailpoint.com/saas/user-help/requests/requesting_access.html) for more information about access requests.
- name: Account Usages
- name: Access Request Approvals
description: |
Use this API to implement account usage insight functionality.
With this functionality in place, administrators can gather information and insights about how their tenants' source accounts are being used.
This allows organizations to get the information they need to start optimizing and securing source account usage.
Use this API to implement and customize access request approval functionality.
With this functionality in place, administrators can delegate qualified users to review users' requests for access or managers' requests to revoke team members' access to applications, entitlements, or roles.
This enables more qualified users to review access requests and the others to spend their time on other tasks.
In Identity Security Cloud, users can request access to applications, entitlements, and roles, and managers can request that team members' access be revoked.
For applications and entitlements, administrators can set access profiles to require approval from the access profile owner, the application owner, the source owner, the requesting user's manager, or a governance group for access to be granted or revoked.
For roles, administrators can also set roles to allow access requests and require approval from the role owner, the requesting user's manager, or a governance group for access to be granted or revoked.
If the administrator designates a governance group as the required approver, any governance group member can approve the requests.
When a user submits an access request, Identity Security Cloud sends the first required approver in the queue an email notification, based on the access request configuration's approval and reminder escalation configuration.
In Approvals in Identity Security Cloud, required approvers can view pending access requests under the Requested tab and approve or deny them, or the approvers can reassign the requests to different reviewers for approval.
If the required approver approves the request and is the only reviewer required, Identity Security Cloud grants or revokes access, based on the request.
If multiple reviewers are required, Identity Security Cloud sends the request to the next reviewer in the queue, based on the access request configuration's approval reminder and escalation configuration.
The required approver can then view any completed access requests under the Reviewed tab.
Refer to [Access Requests](https://documentation.sailpoint.com/saas/help/requests/index.html) for more information about access request approvals.
- name: Accounts
description: |
Use this API to implement and customize account functionality.
With this functionality in place, administrators can manage users' access across sources in IdentityNow.
With this functionality in place, administrators can manage users' access across sources in Identity Security Cloud.
In IdentityNow, an account refers to a user's account on a supported source.
This typically includes a unique identifier for the user, a unique password, a set of permissions associated with the source and a set of attributes. IdentityNow loads accounts through the creation of sources in IdentityNow.
In Identity Security Cloud, an account refers to a user's account on a supported source.
This typically includes a unique identifier for the user, a unique password, a set of permissions associated with the source and a set of attributes. Identity Security Cloud loads accounts through the creation of sources in Identity Security Cloud.
Administrators can correlate users' identities with the users' accounts on the different sources they use.
This allows IdentityNow to govern the access of identities and all their correlated accounts securely and cohesively.
This allows Identity Security Cloud to govern the access of identities and all their correlated accounts securely and cohesively.
To view the accounts on a source and their correlated identities, administrators can use the Connections drop-down menu, select Sources, select the relevant source, and select its Account tab.
To view and edit source account statuses for an identity in IdentityNow, administrators can use the Identities drop-down menu, select Identity List, select the relevant identity, and select its Accounts tab.
To view and edit source account statuses for an identity in Identity Security Cloud, administrators can use the Identities drop-down menu, select Identity List, select the relevant identity, and select its Accounts tab.
Administrators can toggle an account's Actions to aggregate the account, enable/disable it, unlock it, or remove it from the identity.
Accounts can have the following statuses:
- Enabled: The account is enabled. The user can access it.
- Disabled: The account is disabled, and the user cannot access it, but the identity is not disabled in IdentityNow. This can occur when an administrator disables the account or when the user's lifecycle state changes.
- Disabled: The account is disabled, and the user cannot access it, but the identity is not disabled in Identity Security Cloud. This can occur when an administrator disables the account or when the user's lifecycle state changes.
- Locked: The account is locked. This may occur when someone has entered an incorrect password for the account too many times.
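Review bot: Two unrelated changes are folded into this hunk: the product-name substitution and a reordering of whole tag blocks (the "Access Request Approvals" and "Account Usages" descriptions are deleted here and re-added elsewhere), which makes it hard to confirm that the moved text is otherwise unchanged; doing the reorder in its own commit would let the rename be reviewed line by line. While this description is being touched, the unchanged line "If the requested tools requires approval" should read "If the requested tool requires approval".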
@@ -133,12 +128,12 @@ tags:
- name: Account Activities
description: |
Use this API to implement account activity tracking functionality.
With this functionality in place, users can track source account activity in IdentityNow, which greatly improves traceability in the system.
With this functionality in place, users can track source account activity in Identity Security Cloud, which greatly improves traceability in the system.
An account activity refers to a log of each action performed on a source account. This is useful for auditing the changes performed on an account throughout its life.
In IdentityNow's Search, users can search for account activities and select the activity's row to get an overview of the activity's account action and view its progress, its involved sources, and its most basic metadata, such as the identity requesting the option and the recipient.
In Identity Security Cloud's Search, users can search for account activities and select the activity's row to get an overview of the activity's account action and view its progress, its involved sources, and its most basic metadata, such as the identity requesting the option and the recipient.
Account activity includes most actions IdentityNow completes on source accounts. Users can search in IdentityNow for the following account action types:
Account activity includes most actions Identity Security Cloud completes on source accounts. Users can search in Identity Security Cloud for the following account action types:
- Access Request: These include any access requests the source account is involved in.
@@ -149,14 +144,14 @@ tags:
- Certification: These include actions removing an entitlement from an account on a source as a result of the entitlement's revocation during a certification.
- Cloud Automated `Lifecyclestate`: These include automated lifecycle state changes that result in a source account's correlated identity being assigned to a different lifecycle state.
IdentityNow replaces the `Lifecyclestate` variable with the name of the lifecycle state it has moved the account's identity to.
Identity Security Cloud replaces the `Lifecyclestate` variable with the name of the lifecycle state it has moved the account's identity to.
- Identity Attribute Update: These include updates to a source account's correlated identity attributes as the result of a provisioning action.
When you update an identity attribute that also updates an identity's lifecycle state, the cloud automated `Lifecyclestate` event also displays.
Account Activity does not include attribute updates that occur as a result of aggregation.
- Identity Refresh: These include correlated identity refreshes that occur for an account on a source whenever the account's correlated identity profile gets a new role or updates.
These also include refreshes that occur whenever IdentityNow assigns an application to the account's correlated identity based on the application's being assigned to All Users From Source or Specific Users From Source.
These also include refreshes that occur whenever Identity Security Cloud assigns an application to the account's correlated identity based on the application's being assigned to All Users From Source or Specific Users From Source.
- Lifecycle State Refresh: These include the actions that took place when a lifecycle state changed. This event only occurs after a cloud automated `Lifecyclestate` change or a lifecycle state change.
@@ -165,7 +160,12 @@ tags:
- Password Change: These include password changes on sources.
Refer to [Account Activity](https://documentation.sailpoint.com/saas/help/search/index.html#account-activity) for more information about account activities.
- name: Auth User
- name: Account Usages
description: |
Use this API to implement account usage insight functionality.
With this functionality in place, administrators can gather information and insights about how their tenants' source accounts are being used.
This allows organizations to get the information they need to start optimizing and securing source account usage.
- name: Auth Users
description: |
Use this API to implement user authentication system functionality.
With this functionality in place, users can get a user's authentication system details, including their capabilities, and modify those capabilities.
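Review bot: Renaming the tag from "Auth User" to "Auth Users" changes the string that operations reference in their `tags` arrays; unless every operation that listed "Auth User" is updated in the same commit, those operations will point at a tag that is no longer declared and the generated docs will group them under an undeclared tag. Please confirm the operation-level `tags` entries were updated alongside this definition. The "Account Usages" block re-added here is the one deleted from the earlier hunk, so this hunk also carries the reorder rather than only the rename.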
@@ -178,39 +178,66 @@ tags:
With this functionality in place, administrators can get and manage existing branding items, and they can also create new branding items and configure them for use throughout Identity Security Cloud.
The Branding APIs provide administrators with a way to customize branding items.
This customization includes details like their colors, logos, and other information.
- name: Certifications
description: |
Use this API to implement certification functionality.
With this functionality in place, administrators and designated certification reviewers can review users' access certifications and decide whether to approve access, revoke it, or reassign the review to another reviewer.
Implementing certifications improves organizations' data security by reducing inappropriate access through a distributed review process and helping them satisfy audit and regulatory requirements.
A certification refers to Identity Security Cloud's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
Once this certification has been completed, Identity Security Cloud would provision all the access the user needs, nothing more.
Organization administrators or certification administrators can designate other Identity Security Cloud users as certification reviewers.
Those reviewers can select the 'Certifications' tab to view any of the certifications they either need to review or have already reviewed under the 'Active' and 'Completed' tabs, respectively.
When a certification campaign is in progress, certification reviewers will see certifications listed under 'Active,' where they can review the involved identities.
Under the 'Decision' column on the right, next to each access item, reviewers can select the checkmark to approve access, select the 'X' to revoke access, or they can toggle the 'More Options' menu to reassign the certification to another reviewer and provide a reason for reassignment in the form of a comment.
Once a reviewer has made decisions on all the certification's involved access items, he or she must select 'Sign Off' to complete the review process.
Doing so converts the certification into read-only status, preventing any further changes to the review decisions and deleting the work item (task) from the reviewer's list of work items.
Once all the reviewers have signed off, the certification campaign either completes or, if any reviewers decided to revoke access for any of the involved identities, it moves into a remediation phase. In the remediation phase, identities' entitlements are altered to remove any entitlements marked for revocation.
In this situation, the certification campaign completes once all the remediation requests are completed.
Refer to [Certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html) for more information about certifications.
- name: Certification Campaigns
description: |
Use this API to implement certification campaign functionality.
With this functionality in place, administrators can create, customize, and manage certification campaigns for their organizations' use.
Certification campaigns provide IdentityNow users with an interactive review process they can use to identify and verify access to systems.
Certification campaigns provide Identity Security Cloud users with an interactive review process they can use to identify and verify access to systems.
Campaigns help organizations reduce risk of inappropriate access and satisfy audit requirements.
A certification refers to IdentityNow's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
A certification refers to Identity Security Cloud's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These certifications serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification campaign as a way of showing that a user's access has been reviewed and approved by multiple managers.
Once this campaign has been completed, IdentityNow would provision all the access the user needs, nothing more.
Once this campaign has been completed, Identity Security Cloud would provision all the access the user needs, nothing more.
IdentityNow provides two simple campaign types users can create without using search queries, Manager and Source Owner campaigns:
Identity Security Cloud provides two simple campaign types users can create without using search queries, Manager and Source Owner campaigns:
You can create these types of campaigns without using any search queries in IdentityNow:
You can create these types of campaigns without using any search queries in Identity Security Cloud:
- ManagerCampaign: IdentityNow provides this campaign type as a way to ensure that an identity's access is certified by their managers.
- ManagerCampaign: Identity Security Cloud provides this campaign type as a way to ensure that an identity's access is certified by their managers.
You only need to provide a name and description to create one.
- Source Owner Campaign: IdentityNow provides this campaign type as a way to ensure that an identity's access to a source is certified by its source owners.
- Source Owner Campaign: Identity Security Cloud provides this campaign type as a way to ensure that an identity's access to a source is certified by its source owners.
You only need to provide a name and description to create one.
You can specify the sources whose owners you want involved or just run it across all sources.
For more information about these campaign types, refer to [Starting a Manager or Source Owner Campaign](https://documentation.sailpoint.com/saas/help/certs/starting_campaign.html).
One useful way to create certification campaigns in IdentityNow is to use a specific search and then run a campaign on the results returned by that search.
One useful way to create certification campaigns in Identity Security Cloud is to use a specific search and then run a campaign on the results returned by that search.
This allows you to be much more specific about whom you are certifying in your campaigns and what access you are certifying in your campaigns.
For example, you can search for all identities who are managed by "Amanda.Ross" and also have the access to the "Accounting" role and then run a certification campaign based on that search to ensure that the returned identities are appropriately certified.
You can use IdentityNow search queries to create these types of campaigns:
You can use Identity Security Cloud search queries to create these types of campaigns:
- Identities: Use this campaign type to review and revoke access items for specific identities.
You can either build a search query and create a campaign certifying all identities returned by that query, or you can search for individual identities and add those identities to the certification campaign.
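Review bot: In the "Certification Campaigns" description, the two consecutive lines "Identity Security Cloud provides two simple campaign types users can create without using search queries, Manager and Source Owner campaigns:" and "You can create these types of campaigns without using any search queries in Identity Security Cloud:" say the same thing back to back; keep one of them (the first already names the two campaign types). The "Certifications" block added at the top of this hunk is the copy deleted further down in this diff; comparing the two copies shows the only differences are the "IdentityNow" to "Identity Security Cloud" substitutions, so the move itself is clean, but a reviewer has to check that by hand because git renders a move as a delete plus an add.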
@@ -221,7 +248,7 @@ tags:
- Role Composition: Use this campaign type to review a role's composition, including its title, description, and membership criteria.
You can either build a search query and create a campaign certifying all roles returned by that query, or you can search for individual roles and add those roles to the certification campaign.
- Uncorrelated Accounts: Use this campaign type to certify source accounts that aren't linked to an authoritative identity in IdentityNow.
- Uncorrelated Accounts: Use this campaign type to certify source accounts that aren't linked to an authoritative identity in Identity Security Cloud.
You can use this campaign type to view all the uncorrelated accounts for a source and certify them.
For more information about search-based campaigns, refer to [Starting a Campaign from Search](https://documentation.sailpoint.com/saas/help/certs/starting_search_campaign.html).
@@ -229,7 +256,7 @@ tags:
Once you have generated your campaign, it becomes available for preview.
An administrator can review the campaign and make changes, or if it's ready and accurate, activate it.
Once the campaign is active, organization administrators or certification administrators can designate other IdentityNow users as certification reviewers.
Once the campaign is active, organization administrators or certification administrators can designate other Identity Security Cloud users as certification reviewers.
Those reviewers can view any of the certifications they either need to review (active) or have already reviewed (completed).
When a certification campaign is in progress, certification reviewers see the listed active certifications whose involved identities they can review.
@@ -245,49 +272,6 @@ tags:
The end of a certification campaign is determined by its deadline, its completion status, or by an administrator's decision.
For more information about certifications and certification campaigns, refer to [Certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html).
- name: Certifications
description: |
Use this API to implement certification functionality.
With this functionality in place, administrators and designated certification reviewers can review users' access certifications and decide whether to approve access, revoke it, or reassign the review to another reviewer.
Implementing certifications improves organizations' data security by reducing inappropriate access through a distributed review process and helping them satisfy audit and regulatory requirements.
A certification refers to IdentityNow's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
Once this certification has been completed, IdentityNow would provision all the access the user needs, nothing more.
Organization administrators or certification administrators can designate other IdentityNow users as certification reviewers.
Those reviewers can select the 'Certifications' tab to view any of the certifications they either need to review or have already reviewed under the 'Active' and 'Completed' tabs, respectively.
When a certification campaign is in progress, certification reviewers will see certifications listed under 'Active,' where they can review the involved identities.
Under the 'Decision' column on the right, next to each access item, reviewers can select the checkmark to approve access, select the 'X' to revoke access, or they can toggle the 'More Options' menu to reassign the certification to another reviewer and provide a reason for reassignment in the form of a comment.
Once a reviewer has made decisions on all the certification's involved access items, he or she must select 'Sign Off' to complete the review process.
Doing so converts the certification into read-only status, preventing any further changes to the review decisions and deleting the work item (task) from the reviewer's list of work items.
Once all the reviewers have signed off, the certification campaign either completes or, if any reviewers decided to revoke access for any of the involved identities, it moves into a remediation phase. In the remediation phase, identities' entitlements are altered to remove any entitlements marked for revocation.
In this situation, the certification campaign completes once all the remediation requests are completed.
Refer to [Certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html) for more information about certifications.
- name: Certification Summaries
description: |
Use this API to implement certification summary functionality.
With this functionality in place, administrators and designated certification reviewers can review summaries of identity certification campaigns and draw conclusions about the campaigns' scope, security, and effectiveness.
Implementing certification summary functionality improves organizations' ability to review their [certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html) and helps them satisfy audit and regulatory requirements by enabling them to trace access changes and the decisions made in their review processes.
A certification refers to IdentityNow's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These certifications serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
Once this certification has been completed, IdentityNow would provision all the access the user needs, nothing more.
Certification summaries provide information about identity certification campaigns such as the identities involved, the number of decisions made, and the access changed.
For example, an administrator or designated certification reviewer can examine the Manager Certification campaign to get an overview of how many entitlement decisions are made in that campaign as opposed to role decisions, which identities would be affected by changes to the campaign, and how those identities' access would be affected.
- name: Certification Campaign Filters
description: |
Use this API to implement the certification campaign filter functionality. These filters can be used to create a certification campaign that includes a subset of your entitlements or users to certify.
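Review bot: the Certifications description above is left with the old product name in three places that this hunk does not rewrite ("A certification refers to IdentityNow's mechanism", "IdentityNow would provision all the access the user needs, nothing more" and "can designate other IdentityNow users as certification reviewers"), while the Certification Summaries block removed here is re-added further down with those same sentences rebranded to Identity Security Cloud. If the rename is meant to be global, the generator is skipping these three sentences and they need a manual fix; if it is not, the two tags now describe the same review mechanism under two product names. The move of the Certification Summaries tag itself, so that it follows Certification Campaign Filters, is consistent with alphabetical tag order and needs no change.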
@@ -317,42 +301,70 @@ tags:
Once the campaign filter is created, it can be linked while creating the campaign. The generated campaign will have the items to review as per the campaign filter.
For example, An inclusion campaign filter is created with a source of Source 1, an operation of Equals, and an entitlement of Entitlement 1. When this filter is selected, only users who have Entitlement 1 are included in the campaign, and only Entitlement 1 is shown in the certification.
- name: Certification Summaries
description: |
Use this API to implement certification summary functionality.
With this functionality in place, administrators and designated certification reviewers can review summaries of identity certification campaigns and draw conclusions about the campaigns' scope, security, and effectiveness.
Implementing certification summary functionality improves organizations' ability to review their [certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html) and helps them satisfy audit and regulatory requirements by enabling them to trace access changes and the decisions made in their review processes.
A certification refers to Identity Security Cloud's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These certifications serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
Once this certification has been completed, Identity Security Cloud would provision all the access the user needs, nothing more.
Certification summaries provide information about identity certification campaigns such as the identities involved, the number of decisions made, and the access changed.
For example, an administrator or designated certification reviewer can examine the Manager Certification campaign to get an overview of how many entitlement decisions are made in that campaign as opposed to role decisions, which identities would be affected by changes to the campaign, and how those identities' access would be affected.
- name: Connectors
description: |
Use this API to implement connector functionality.
With this functionality in place, administrators can view available connectors.
Connectors are the bridges IdentityNow uses to communicate with and aggregate data from sources.
For example, if it is necessary to set up a connection between IdentityNow and the Active Directory source, a connector can bridge the two and enable IdentityNow to synchronize data between the systems.
Connectors are the bridges Identity Security Cloud uses to communicate with and aggregate data from sources.
For example, if it is necessary to set up a connection between Identity Security Cloud and the Active Directory source, a connector can bridge the two and enable Identity Security Cloud to synchronize data between the systems.
This ensures account entitlements and states are correct throughout the organization.
In IdentityNow, administrators can use the Connections drop-down menu and select Sources to view the available source connectors.
In Identity Security Cloud, administrators can use the Connections drop-down menu and select Sources to view the available source connectors.
Refer to [IdentityNow Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about the connectors available in IdentityNow.
Refer to [Identity Security Cloud Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about the connectors available in Identity Security Cloud.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/idn/docs/saas-connectivity) for more information about the SaaS custom connectors that do not need VAs (virtual appliances) to communicate with their sources.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/docs/connectivity/saas-connectivity/) for more information about the SaaS custom connectors that do not need VAs (virtual appliances) to communicate with their sources.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about using connectors in IdentityNow.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about using connectors in Identity Security Cloud.
- name: Global Tenant Security Settings
description: |
Use this API to implement and customize global tenant security settings.
With this functionality in place, administrators can manage the global security settings that a tenant/org has.
This API can be used to configure the networks and Geographies allowed to access IdentityNow URLs.
This API can be used to configure the networks and Geographies allowed to access Identity Security Cloud URLs.
- name: Identity Profiles
description: |
Use this API to implement identity profile functionality.
With this functionality in place, administrators can view identity profiles and their configurations.
Identity profiles represent the configurations that can be applied to identities as a way of granting them a set of security and access, as well as defining the mappings between their identity attributes and their source attributes.
In Identity Security Cloud, administrators can use the Identities drop-down menu and select Identity Profiles to view the list of identity profiles.
This list shows some details about each identity profile, along with its status.
They can select an identity profile to view its settings, its mappings between identity attributes and correlating source account attributes, and its provisioning settings.
Refer to [Creating Identity Profiles](https://documentation.sailpoint.com/saas/help/setup/identity_profiles.html) for more information about identity profiles.
- name: Lifecycle States
description: |
Use this API to implement and customize lifecycle state functionality.
With this functionality in place, administrators can create and configure custom lifecycle states for use across their organizations, which is key to controlling which users have access, when they have access, and the access they have.
A lifecycle state describes a user's status in a company. For example, two lifecycle states come by default with IdentityNow: 'Active' and 'Inactive.'
A lifecycle state describes a user's status in a company. For example, two lifecycle states come by default with Identity Security Cloud: 'Active' and 'Inactive.'
When an active employee takes an extended leave of absence from a company, his or her lifecycle state may change to 'Inactive,' for security purposes.
The inactive employee would lose access to all the applications, sources, and sensitive data during the leave of absence, but when the employee returns and becomes active again, all that access would be restored.
This saves administrators the time that would otherwise be spent provisioning the employee's access to each individual tool, reviewing the employee's certification history, etc.
Administrators can create a variety of custom lifecycle states. Refer to [Planning New Lifecycle States](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#planning-new-lifecycle-states) for some custom lifecycle state ideas.
Administrators must define the criteria for being in each lifecycle state, and they must define how IdentityNow manages users' access to apps and sources for each lifecycle state.
Administrators must define the criteria for being in each lifecycle state, and they must define how Identity Security Cloud manages users' access to apps and sources for each lifecycle state.
In IdentityNow, administrators can manage lifecycle states by going to Admin > Identities > Identity Profile, selecting the identity profile whose lifecycle states they want to manage, selecting the 'Provisioning' tab, and using the left panel to either select the lifecycle state they want to modify or create a new lifecycle state.
In Identity Security Cloud, administrators can manage lifecycle states by going to Admin > Identities > Identity Profile, selecting the identity profile whose lifecycle states they want to manage, selecting the 'Provisioning' tab, and using the left panel to either select the lifecycle state they want to modify or create a new lifecycle state.
In the 'Provisioning' tab, administrators can make the following access changes to an identity profile's lifecycle state:
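Review bot: in the Connectors description the anchor text changes to "Identity Security Cloud Connectors" but the target stays at documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html, so the link text and the path now disagree; either keep the original anchor text or confirm the documentation site publishes a landing page under the new name before renaming the link. Separately, the rewritten Global Tenant Security Settings line "configure the networks and Geographies allowed to access Identity Security Cloud URLs" carries over the stray capital on "Geographies"; lower-case it while the line is being regenerated.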
@@ -368,28 +380,16 @@ tags:
To maintain access across multiple lifecycle states, administrators must grant the access profiles in each lifecycle state.
For example, if an administrator wants users with the 'HR Employee' identity profile to maintain their building access in both the 'Active' and 'Leave of Absence' lifecycle states, the administrator must grant the access profile for that building access to both lifecycle states.
During scheduled refreshes, IdentityNow evaluates lifecycle states to determine whether their assigned identities have the access defined in the lifecycle states' access profiles.
If the identities are missing access, IdentityNow provisions that access.
During scheduled refreshes, Identity Security Cloud evaluates lifecycle states to determine whether their assigned identities have the access defined in the lifecycle states' access profiles.
If the identities are missing access, Identity Security Cloud provisions that access.
Administrators can also use the 'Provisioning' tab to configure email notifications for IdentityNow to send whenever an identity with that identity profile has a lifecycle state change.
Administrators can also use the 'Provisioning' tab to configure email notifications for Identity Security Cloud to send whenever an identity with that identity profile has a lifecycle state change.
Refer to [Configuring Lifecycle State Notifications](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#configuring-lifecycle-state-notifications) for more information on how to do so.
An identity's lifecycle state can have four different statuses: the lifecycle state's status can be 'Active,' it can be 'Not Set,' it can be 'Not Valid,' or it 'Does Not Match Technical Name Case.'
Refer to [Moving Identities into Lifecycle States](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#moving-identities-into-lifecycle-states) for more information about these different lifecycle state statuses.
Refer to [Setting Up Lifecycle States](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html) for more information about lifecycle states.
- name: Identity Profiles
description: |
Use this API to implement identity profile functionality.
With this functionality in place, administrators can view identity profiles and their configurations.
Identity profiles represent the configurations that can be applied to identities as a way of granting them a set of security and access, as well as defining the mappings between their identity attributes and their source attributes.
In IdentityNow, administrators can use the Identities drop-down menu and select Identity Profiles to view the list of identity profiles.
This list shows some details about each identity profile, along with its status.
They can select an identity profile to view its settings, its mappings between identity attributes and correlating source account attributes, and its provisioning settings.
Refer to [Creating Identity Profiles](https://documentation.sailpoint.com/saas/help/setup/identity_profiles.html) for more information about identity profiles.
- name: Non-Employee Lifecycle Management
description: |
Use this API to implement non-employee lifecycle management functionality.
@@ -397,23 +397,23 @@ tags:
This allows organizations to provide secure access to non-employees and control that access.
The 'non-employee' term refers to any consultant, contractor, intern, or other user in an organization who is not a full-time permanent employee.
Organizations can track non-employees' access and activity in IdentityNow by creating and maintaining non-employee sources.
Organizations can track non-employees' access and activity in Identity Security Cloud by creating and maintaining non-employee sources.
Organizations can have a maximum of 50 non-employee sources.
By using SailPoint's Non-Employee Lifecycle Management functionality, you agree to the following:
- SailPoint is not responsible for storing sensitive data.
You may only add account attributes to non-employee identities that are necessary for business operations and are consistent with your contractual limitations on data that may be sent or stored in IdentityNow.
You may only add account attributes to non-employee identities that are necessary for business operations and are consistent with your contractual limitations on data that may be sent or stored in Identity Security Cloud.
- You are responsible for regularly downloading your list of non-employee accounts for all the sources you create and storing this list of accounts in a managed location to maintain an authoritative system of record and backup data for these accounts.
To manage non-employees in IdentityNow, administrators must create a non-employee source and add accounts to the source.
To manage non-employees in Identity Security Cloud, administrators must create a non-employee source and add accounts to the source.
To create a non-employee source in IdentityNow, administrators must use the Admin panel to go to Connections > Sources.
To create a non-employee source in Identity Security Cloud, administrators must use the Admin panel to go to Connections > Sources.
They must then specify 'Non-Employee' in the 'Source Type' field.
Refer to [Creating a Non-Employee Source](https://documentation.sailpoint.com/saas/help/common/non-employee-mgmt.html#creating-a-non-employee-source) for more details about how to create non-employee sources.
To add accounts to a non-employee source in IdentityNow, administrators can select the non-employee source and add the accounts.
To add accounts to a non-employee source in Identity Security Cloud, administrators can select the non-employee source and add the accounts.
They can also use the 'Manage Non-Employees' widget on their user dashboards to reach the list of sources and then select the non-employee source they want to add the accounts to.
Administrators can either add accounts individually or in bulk. Each non-employee source can have a maximum of 20,000 accounts.
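Review bot: the rewritten sentence "consistent with your contractual limitations on data that may be sent or stored in Identity Security Cloud" sits inside the terms block introduced by "By using SailPoint's Non-Employee Lifecycle Management functionality, you agree to the following". A product rename inside terms-of-use text should be checked against the name used in the customer agreements rather than applied by the same automation as the descriptive prose; if the agreements still say IdentityNow, this description now refers customers to a term their contract does not define.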
@@ -426,8 +426,8 @@ tags:
- name: OAuth Clients
description: |
Use this API to implement OAuth client functionality.
With this functionality in place, users with the appropriate security scopes can create and configure OAuth clients to use as a way to obtain authorization to use the IdentityNow REST API.
Refer to [Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information about OAuth and how it works with the IdentityNow REST API.
With this functionality in place, users with the appropriate security scopes can create and configure OAuth clients to use as a way to obtain authorization to use the Identity Security Cloud REST API.
Refer to [Authentication](https://developer.sailpoint.com/docs/api/authentication/) for more information about OAuth and how it works with the Identity Security Cloud REST API.
- name: Password Configuration
description: |
Use this API to implement organization password configuration functionality.
@@ -436,32 +436,6 @@ tags:
These configurations include details like custom password instructions, as well as digit token length and duration.
Refer to [Configuring User Authentication for Password Resets](https://documentation.sailpoint.com/saas/help/pwd/pwd_reset.html) for more information about organization password configuration functionality.
- name: Password Management
description: |
Use this API to implement password management functionality.
With this functionality in place, users can manage their identity passwords for all their applications.
In IdentityNow, users can select their names in the upper right corner of the page and use the drop-down menu to select Password Manager.
Password Manager lists the user's identity's applications, possibly grouped to share passwords.
Users can then select 'Change Password' to update their passwords.
Grouping passwords allows users to update their passwords more broadly, rather than requiring them to update each password individually.
Password Manager may list the applications and sources in the following groups:
- Password Group: This refers to a group of applications that share a password.
For example, a user can use the same password for Google Drive, Google Mail, and YouTube.
Updating the password for the password group updates the password for all its included applications.
- Multi-Application Source: This refers to a source with multiple applications that share a password.
For example, a user can have a source, G Suite, that includes the Google Calendar, Google Drive, and Google Mail applications.
Updating the password for the multi-application source updates the password for all its included applications.
- Applications: These are applications that do not share passwords with other applications.
An organization may require some authentication for users to update their passwords.
Users may be required to answer security questions or use a third-party authenticator before they can confirm their updates.
Refer to [Managing Passwords](https://documentation.sailpoint.com/saas/user-help/accounts/passwords.html) for more information about password management.
- name: Password Dictionary
description: |
Use this API to implement password dictionary functionality.
@@ -506,11 +480,37 @@ tags:
Refer to this list https://docs.oracle.com/cd/E13214_01/wli/docs92/xref/xqisocodes.html to see all the available ISO 639-1 language codes and ISO 3166-1 country codes.
- Upload the .txt file to IdentityNow with [Update Password Dictionary](https://developer.sailpoint.com/idn/api/v3/update-password-dictionary). Uploading a new file always overwrites the previous dictionary file.
- Upload the .txt file to Identity Security Cloud with [Update Password Dictionary](https://developer.sailpoint.com/docs/api/v3/put-password-dictionary). Uploading a new file always overwrites the previous dictionary file.
Administrators can then specify which password policies check new passwords against the password dictionary by doing the following: In the Admin panel, they can use the Password Mgmt dropdown menu to select Policies, select the policy, and select the 'Prevent use of words in this site's password dictionary' checkbox beside it.
Refer to [Configuring Advanced Password Management Options](https://documentation.sailpoint.com/saas/help/pwd/adv_config.html) for more information about password dictionaries.
- name: Password Management
description: |
Use this API to implement password management functionality.
With this functionality in place, users can manage their identity passwords for all their applications.
In Identity Security Cloud, users can select their names in the upper right corner of the page and use the drop-down menu to select Password Manager.
Password Manager lists the user's identity's applications, possibly grouped to share passwords.
Users can then select 'Change Password' to update their passwords.
Grouping passwords allows users to update their passwords more broadly, rather than requiring them to update each password individually.
Password Manager may list the applications and sources in the following groups:
- Password Group: This refers to a group of applications that share a password.
For example, a user can use the same password for Google Drive, Google Mail, and YouTube.
Updating the password for the password group updates the password for all its included applications.
- Multi-Application Source: This refers to a source with multiple applications that share a password.
For example, a user can have a source, G Suite, that includes the Google Calendar, Google Drive, and Google Mail applications.
Updating the password for the multi-application source updates the password for all its included applications.
- Applications: These are applications that do not share passwords with other applications.
An organization may require some authentication for users to update their passwords.
Users may be required to answer security questions or use a third-party authenticator before they can confirm their updates.
Refer to [Managing Passwords](https://documentation.sailpoint.com/saas/user-help/accounts/passwords.html) for more information about password management.
- name: Password Sync Groups
description: |
Use this API to implement password sync group functionality.
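Review bot: the Update Password Dictionary link changes its slug from update-password-dictionary to put-password-dictionary and, unlike the other rewritten developer.sailpoint.com links in this commit (.../v3/public-identities-config/, .../v3/update-public-identity-config/, .../v3/access-requests/), has no trailing slash. Confirm that put-password-dictionary is the published operation id for the endpoint the anchor text "Update Password Dictionary" refers to, and make the trailing slash consistent so the generator emits one URL form. The unchanged line above it points readers to docs.oracle.com/cd/E13214_01/wli/docs92/xref/xqisocodes.html for the ISO 639-1 and ISO 3166-1 code lists; that is a third-party page for an old product release and is worth replacing with an authoritative code list in a follow-up.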
@@ -522,18 +522,18 @@ tags:
For example, an administrator can group the ActiveDirectory, GitHub, and G Suite sources together so that all those sources' applications can also be grouped to share a password.
A user can then update his or her password for ActiveDirectory, GitHub, Gmail, Google Drive, and Google Calendar all at once, rather then updating each one individually.
The following are required for administrators to create a password sync group in IdentityNow:
The following are required for administrators to create a password sync group in Identity Security Cloud:
- At least two direct connect sources connected to IdentityNow and configured for Password Management.
- At least two direct connect sources connected to Identity Security Cloud and configured for Password Management.
- Each authentication source in a sync group must have at least one application. Refer to [Adding and Resetting Application Passwords](https://documentation.sailpoint.com/saas/help/pwd/adv_config.html#adding-and-resetting-application-passwords) for more information about adding applications to sources.
- At least one password policy. Refer to [Managing Password Policies](https://documentation.sailpoint.com/saas/help/pwd/policies.html) for more information about password policies.
In the Admin panel in IdentityNow, administrators can use the Password Mgmt dropdown menu to select Sync Groups.
In the Admin panel in Identity Security Cloud, administrators can use the Password Mgmt dropdown menu to select Sync Groups.
To create a sync group, administrators must provide a name, choose a password policy to be enforced across the sources in the sync group, and select the sources to include in the sync group.
Administrators can also delete sync groups in IdentityNow, but they should know the following before they do:
Administrators can also delete sync groups in Identity Security Cloud, but they should know the following before they do:
- Passwords related to the associated sources will become independent, so changing one will not change the others anymore.
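Review bot: "rather then updating each one individually" on the unchanged context line ("A user can then update his or her password for ActiveDirectory, GitHub, Gmail, Google Drive, and Google Calendar all at once") should read "rather than", and the same line and the one before it write "ActiveDirectory" where the rest of the file writes "Active Directory". Both are outside this commit's rename, so they are a note for the next manual pass rather than a change to this automated one.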
@@ -548,19 +548,19 @@ tags:
- name: Personal Access Tokens
description: |
Use this API to implement personal access token (PAT) functionality.
With this functionality in place, users can use PATs as an alternative to passwords for authentication in IdentityNow.
With this functionality in place, users can use PATs as an alternative to passwords for authentication in Identity Security Cloud.
PATs embed user information into the client ID and secret.
This replaces the API clients' need to store and provide a username and password to establish a connection, improving IdentityNow organizations' integration security.
This replaces the API clients' need to store and provide a username and password to establish a connection, improving Identity Security Cloud organizations' integration security.
In IdentityNow, users can do the following to create and manage their PATs: Select the dropdown menu under their names, select Preferences, and then select Personal Access Tokens.
In Identity Security Cloud, users can do the following to create and manage their PATs: Select the dropdown menu under their names, select Preferences, and then select Personal Access Tokens.
They must then provide a description about the token's purpose.
They can then select 'Create Token' at the bottom of the page to generate and view the Secret and Client ID.
Refer to [Managing Personal Access Tokens](https://documentation.sailpoint.com/saas/help/common/generate_tokens.html) for more information about PATs.
- name: Public Identities
description: |
Use this API in conjunction with [Public Identites Config](https://developer.sailpoint.com/idn/api/v3/public-identities-config) to enable non-administrators to view identities' publicly visible attributes.
Use this API in conjunction with [Public Identites Config](https://developer.sailpoint.com/docs/api/v3/public-identities-config/) to enable non-administrators to view identities' publicly visible attributes.
With this functionality in place, non-administrators can view identity attributes other than the default attributes (email, lifecycle state, and manager), depending on which identity attributes their organization administrators have made public.
This can be helpful for access approvers, certification reviewers, managers viewing their direct reports' access, and source owners viewing their tasks.
- name: Public Identities Config
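Review bot: the Public Identities link is rewritten to https://developer.sailpoint.com/docs/api/v3/public-identities-config/ but the anchor text keeps the misspelling "Public Identites Config" from the line it replaces; since the line is already being regenerated, correct the anchor text to "Public Identities Config" in the same change so the tag name and the link text match.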
@@ -574,28 +574,28 @@ tags:
Administrators can use this API to make those necessary identity attributes public to non-administrators.
For example, a non-administrator deciding whether to approve another identity's request for access to the Workday application, whose access may be restricted to members of the HR department, would want to know whether the identity is a member of the HR department.
If an administrator has used [Update Public Identity Config](https://developer.sailpoint.com/idn/api/v3/update-public-identity-config) to make the "department" attribute public, the approver can see the department and make a decision without requesting any more information.
If an administrator has used [Update Public Identity Config](https://developer.sailpoint.com/docs/api/v3/update-public-identity-config/) to make the "department" attribute public, the approver can see the department and make a decision without requesting any more information.
- name: Reports Data Extraction
description: |
Use this API to implement reports lifecycle managing and monitoring.
With this functionality in place, users can run reports, view their results, and cancel reports in progress.
This can be potentially helpful for auditing purposes.
This can be potentially helpful for auditing purposes.
- name: Requestable Objects
description: |
Use this API to implement requestable object functionality.
With this functionality in place, administrators can determine which access items can be requested with the [Access Request APIs](https://developer.sailpoint.com/idn/api/v3/access-requests), along with their statuses.
With this functionality in place, administrators can determine which access items can be requested with the [Access Request APIs](https://developer.sailpoint.com/docs/api/v3/access-requests/), along with their statuses.
This can be helpful for administrators who are implementing and customizing access request functionality as a way of checking which items are requestable as they are created, assigned, and made available.
- name: Roles
description: |
Use this API to implement and customize role functionality.
With this functionality in place, administrators can create roles and configure them for use throughout IdentityNow.
IdentityNow can use established criteria to automatically assign the roles to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks.
With this functionality in place, administrators can create roles and configure them for use throughout Identity Security Cloud.
Identity Security Cloud can use established criteria to automatically assign the roles to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks.
Entitlements represent the most granular level of access in IdentityNow.
Entitlements represent the most granular level of access in Identity Security Cloud.
Access profiles represent the next level and often group entitlements.
Roles represent the broadest level of access and often group access profiles.
For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.
@@ -611,12 +611,12 @@ tags:
For example, an organization's accountant can access all the tools the organization's accountants need with the 'Accountant' role.
If the accountant switches to engineering, a qualified member of the organization can quickly revoke the accountant's 'Accountant' access and grant access to the 'Engineer' role instead, granting access to all the tools the organization's engineers need.
In IdentityNow, adminstrators can use the Access drop-down menu and select Roles to view, configure, and delete existing roles, as well as create new ones.
In Identity Security Cloud, adminstrators can use the Access drop-down menu and select Roles to view, configure, and delete existing roles, as well as create new ones.
Administrators can enable and disable the role, and they can also make the following configurations:
- Manage Access: Manage the role's access by adding or removing access profiles.
- Define Assignment: Define the criteria IdentityNow uses to assign the role to identities.
- Define Assignment: Define the criteria Identity Security Cloud uses to assign the role to identities.
Use the first option, 'Standard Criteria,' to provide specific criteria for assignment like specific account attributes, entitlements, or identity attributes.
Use the second, 'Identity List,' to specify the identities for assignment.
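Review bot: the misspelling "adminstrators" on the rewritten line `In Identity Security Cloud, adminstrators can use the Access drop-down menu and select Roles` is carried over from the old text; since this line is already being touched for the rebrand, correct it to "administrators" in the same change rather than leaving a known typo in the rewritten description.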
@@ -629,25 +629,25 @@ tags:
Use this API to implement saved search functionality.
With saved search functionality in place, users can save search queries and then view those saved searches, as well as rerun them.
Search queries in IdentityNow can grow very long and specific, which can make reconstructing them difficult or tedious, so it can be especially helpful to save search queries.
It also opens the possibility to configure IdentityNow to run the saved queries on a schedule, which is essential to detecting user information and access changes throughout an organization's tenant and across all its sources.
Refer to [Scheduled Search](https://developer.sailpoint.com/idn/api/v3/scheduled-search) for more information about running saved searches on a schedule.
Search queries in Identity Security Cloud can grow very long and specific, which can make reconstructing them difficult or tedious, so it can be especially helpful to save search queries.
It also opens the possibility to configure Identity Security Cloud to run the saved queries on a schedule, which is essential to detecting user information and access changes throughout an organization's tenant and across all its sources.
Refer to [Scheduled Search](https://developer.sailpoint.com/docs/api/v3/scheduled-search/) for more information about running saved searches on a schedule.
In IdentityNow, users can save searches under a name, and then they can access that saved search and run it again when they want.
In Identity Security Cloud, users can save searches under a name, and then they can access that saved search and run it again when they want.
Refer to [Managing Saved Searches](https://documentation.sailpoint.com/saas/help/search/saved-searches.html) for more information about saving searches and using them.
- name: Scheduled Search
description: |
Use this API to implement scheduled search functionality.
With scheduled search functionality in place, users can run saved search queries on their tenants on a schedule, and IdentityNow emails them the search results.
With scheduled search functionality in place, users can run saved search queries on their tenants on a schedule, and Identity Security Cloud emails them the search results.
Users can also share these search results with other users by email by adding those users as subscribers, or those users can subscribe themselves.
One of the greatest benefits of saving searches is the ability to run those searches on a schedule.
This is essential for organizations to constantly detect any changes to user information or access throughout their tenants and across all their sources.
For example, the manager Amanda Ross can schedule a saved search "manager.name:amanda.ross AND attributes.location:austin" on a schedule to regularly stay aware of changes with the Austin employees reporting to her.
IdentityNow emails her the search results when the search runs, so she can work on other tasks instead of actively running this search.
Identity Security Cloud emails her the search results when the search runs, so she can work on other tasks instead of actively running this search.
In IdentityNow, scheduling a search involves a subscription.
In Identity Security Cloud, scheduling a search involves a subscription.
Users can create a subscription for a saved search and schedule it to run daily, weekly, or monthly (you can only use one schedule option at a time).
The user can add other identities as subscribers so when the scheduled search runs, the subscribers and the user all receive emails.
@@ -655,7 +655,7 @@ tags:
Including detailed results about user access in an email may expose sensitive information.
However, the subscription creator can choose to include the information in the emails.
By default, IdentityNow sends emails to the subscribers even when the searches do not return new results.
By default, Identity Security Cloud sends emails to the subscribers even when the searches do not return new results.
However, the subscription creator can choose to suppress these empty emails.
Users can also subscribe to saved searches that already have existing subscriptions so they receive emails when the searches run.
@@ -669,7 +669,7 @@ tags:
Use this API to implement search functionality.
With search functionality in place, users can search their tenants for nearly any information from throughout their organizations.
IdentityNow enables organizations to store user data from across all their connected sources and manage the users' access, so the ability to query and filter that data is essential.
Identity Security Cloud enables organizations to store user data from across all their connected sources and manage the users' access, so the ability to query and filter that data is essential.
Its search goes through all those sources and finds the results quickly and specifically.
The search query is flexible - it can be very broad or very narrow.
@@ -677,11 +677,11 @@ tags:
The following objects are searchable: identities, roles, access profiles, entitlements, events, and account activities.
By default, no filter is applied, so a search for "Ad" returns both the identity "Adam.Archer" as well as the role "Administrator."
Users can further narrow their results by using IdentityNow's specific syntax and punctuation to structure their queries.
Users can further narrow their results by using Identity Security Cloud's specific syntax and punctuation to structure their queries.
For example, the query "attributes.location:austin AND NOT manager.name:amanda.ross" returns all results associated with the Austin location, but it excludes those associated with the manager Amanda Ross.
Refer to [Building a Search Query](https://documentation.sailpoint.com/saas/help/search/building-query.html) for more information about how to construct specific search queries.
Refer to [Using Search](https://documentation.sailpoint.com/saas/help/search/index.html) for more information about IdentityNow's search and its different possibilities.
Refer to [Using Search](https://documentation.sailpoint.com/saas/help/search/index.html) for more information about Identity Security Cloud's search and its different possibilities.
The search feature uses Elasticsearch as a datastore and query engine.
The power of Elasticsearch makes this feature suitable for ad-hoc reporting.
@@ -699,7 +699,7 @@ tags:
For example, administrators could group all their organization's London office employees into one segment, "London Office Employees," by their shared location.
The administrators could then define the access items the London employees would need, and the identities in the "London Office Employees" would then only be able to see and access those items.
In IdentityNow, administrators can use the 'Access' drop-down menu and select 'Segments' to reach the 'Access Requests Segments' page.
In Identity Security Cloud, administrators can use the 'Access' drop-down menu and select 'Segments' to reach the 'Access Requests Segments' page.
This page lists all the existing access request segments, along with their statuses, enabled or disabled.
Administrators can use this page to create, edit, enable, disable, and delete segments.
To create a segment, an administrator must provide a name, define the identities grouped in the segment, and define the items the identities in the segment can access.
@@ -707,16 +707,16 @@ tags:
When administrators use the API to create and manage segments, they use a JSON expression in the `visibilityCriteria` object to define the segment's identities and access items.
Refer to [Managing Access Request Segments](https://documentation.sailpoint.com/saas/help/requests/segments.html) for more information about segments in IdentityNow.
Refer to [Managing Access Request Segments](https://documentation.sailpoint.com/saas/help/requests/segments.html) for more information about segments in Identity Security Cloud.
- name: Service Desk Integration
description: |
Use this API to build an integration between IdentityNow and a service desk ITSM (IT service management) solution.
Once an administrator builds this integration between IdentityNow and a service desk, users can use IdentityNow to raise and track tickets that are synchronized between IdentityNow and the service desk.
Use this API to build an integration between Identity Security Cloud and a service desk ITSM (IT service management) solution.
Once an administrator builds this integration between Identity Security Cloud and a service desk, users can use Identity Security Cloud to raise and track tickets that are synchronized between Identity Security Cloud and the service desk.
In IdentityNow, administrators can create a service desk integration (sometimes also called an SDIM, or Service Desk Integration Module) by going to Admin > Connections > Service Desk and selecting 'Create.'
In Identity Security Cloud, administrators can create a service desk integration (sometimes also called an SDIM, or Service Desk Integration Module) by going to Admin > Connections > Service Desk and selecting 'Create.'
To create a Generic Service Desk integration, for example, administrators must provide the required information on the General Settings page, the Connectivity and Authentication information, Ticket Creation information, Status Mapping information, and Requester Source information on the Configure page.
Refer to [Integrating SailPoint with Generic Service Desk](https://documentation.sailpoint.com/connectors/generic_sd/help/integrating_generic_service_desk/intro.html) for more information about the process of setting up a Generic Service Desk in IdentityNow.
Refer to [Integrating SailPoint with Generic Service Desk](https://documentation.sailpoint.com/connectors/generic_sd/help/integrating_generic_service_desk/intro.html) for more information about the process of setting up a Generic Service Desk in Identity Security Cloud.
Administrators can create various service desk integrations, all with their own nuances.
The following service desk integrations are available:
@@ -734,7 +734,7 @@ tags:
- [ServiceNow Service Desk](https://documentation.sailpoint.com/connectors/servicenow/sdim/help/integrating_servicenow_sdim/intro.html)
- [Zendesk Service Desk](https://documentation.sailpoint.com/connectors/zendesk/help/integrating_zendesk_sd/introduction.html)
- name: SOD Policy
- name: SOD Policies
description: |
Use this API to implement and manage "separation of duties" (SOD) policies.
With SOD policy functionality in place, administrators can organize the access in their tenants to prevent individuals from gaining conflicting or excessive access.
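Review bot: renaming the tag from `SOD Policy` to `SOD Policies` is a breaking change for anything keyed on the tag name (generated SDK module names, doc-site anchors, `x-tagGroups` entries), so confirm that every operation's `tags:` list under `paths:` that referenced `SOD Policy` is updated in this same commit; an operation left pointing at the old name becomes an undeclared tag and drops out of the grouped documentation.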
@@ -746,7 +746,7 @@ tags:
Organizations can use "separation of duties" (SOD) policies to enforce and track their internal security rules throughout their tenants.
These SOD policies limit each user's involvement in important processes and protects the organization from individuals gaining excessive access.
To create SOD policies in IdentityNow, administrators use 'Search' and then access 'Policies'.
To create SOD policies in Identity Security Cloud, administrators use 'Search' and then access 'Policies'.
To create a policy, they must configure two lists of access items. Each access item can only be added to one of the two lists.
They can search for the entitlements they want to add to these access lists.
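Review bot: subject-verb agreement on the context line `These SOD policies limit each user's involvement in important processes and protects the organization` is wrong ("policies ... protects"); since the adjacent line is being rewritten, change "protects" to "protect" here as well.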
@@ -756,7 +756,7 @@ tags:
These violations are included in SOD violation reports that other users will see in emails at regular intervals if they're subscribed to the SOD policy.
The other users can then better help to enforce these SOD policies.
To create a subscription to a SOD policy in IdentityNow, administrators use 'Search' and then access 'Layers'.
To create a subscription to a SOD policy in Identity Security Cloud, administrators use 'Search' and then access 'Layers'.
They can create a subscription to the policy and schedule it to run at a regular interval.
Refer to [Managing Policies](https://documentation.sailpoint.com/saas/help/sod/manage-policies.html) for more information about SOD policies.
@@ -781,26 +781,21 @@ tags:
Administrators can use the SOD violations APIs to check a set of identities for any current SOD violations, and they can use them to check whether adding an access item would potentially trigger a SOD violation.
This second option is a good way to prevent SOD violations from triggering at all.
Refer to [Handling Policy Violations](https://documentation.sailpoint.com/saas/help/sod/policy-violations.html) for more information about SOD policy violations.
- name: Source Usages
description: |
Use this API to implement source usage insight functionality.
With this functionality in place, administrators can gather information and insights about how their tenants' sources are being used.
This allows organizations to get the information they need to start optimizing and securing source usage.
Refer to [Handling Policy Violations](https://documentation.sailpoint.com/saas/help/sod/policy-violations.html) for more information about SOD policy violations.
- name: Sources
description: |
Use this API to implement and customize source functionality.
With source functionality in place, organizations can use IdentityNow to connect their various sources and user data sets and manage access across all those different sources in a secure, scalable way.
With source functionality in place, organizations can use Identity Security Cloud to connect their various sources and user data sets and manage access across all those different sources in a secure, scalable way.
[Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) refer to the IdentityNow representations for external applications, databases, and directory management systems that maintain their own sets of users, like Dropbox, GitHub, and Workday, for example.
[Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) refer to the Identity Security Cloud representations for external applications, databases, and directory management systems that maintain their own sets of users, like Dropbox, GitHub, and Workday, for example.
Organizations may use hundreds, if not thousands, of different source systems, and any one employee within an organization likely has a different user record on each source, often with different permissions on many of those records.
Connecting these sources to IdentityNow makes it possible to manage user access across them all.
Then, if a new hire starts at an organization, IdentityNow can grant the new hire access to all the sources they need.
If an employee moves to a new department and needs access to new sources but no longer needs access to others, IdentityNow can grant the necessary access and revoke the unnecessary access for all the employee's various sources.
If an employee leaves the company, IdentityNow can revoke access to all the employee's various source accounts immediately.
Connecting these sources to Identity Security Cloud makes it possible to manage user access across them all.
Then, if a new hire starts at an organization, Identity Security Cloud can grant the new hire access to all the sources they need.
If an employee moves to a new department and needs access to new sources but no longer needs access to others, Identity Security Cloud can grant the necessary access and revoke the unnecessary access for all the employee's various sources.
If an employee leaves the company, Identity Security Cloud can revoke access to all the employee's various source accounts immediately.
These are just a few examples of the many ways that source functionality makes identity governance easier, more efficient, and more secure.
In IdentityNow, administrators can create configure, manage, and edit sources, and they can designate other users as source admins to be able to do so.
In Identity Security Cloud, administrators can create configure, manage, and edit sources, and they can designate other users as source admins to be able to do so.
They can also designate users as source sub-admins, who can perform the same source actions but only on sources associated with their governance groups.
Admins go to Connections > Sources to see a list of the existing source representations in their organizations.
They can create new sources or select existing ones.
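Review bot: this hunk removes the `Source Usages` tag block from before `Sources`, and it reappears further down after the `Sources` block, so please confirm it is a pure move with byte-identical text and that the `Refer to [Handling Policy Violations]` line, which is removed at its old position and re-added at the new one, is not duplicated or dropped in the final file. Separately, the rewritten line `administrators can create configure, manage, and edit sources` is missing the comma after "create" and should read `create, configure, manage, and edit sources`.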
@@ -808,17 +803,17 @@ tags:
To create a new source, the following must be specified: Source Name, Description, Source Owner, and Connection Type.
Refer to [Configuring a Source](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html#configuring-a-source) for more information about the source configuration process.
IdentityNow connects with its sources either by a direct communication with the source server (connection information specific to the source must be provided) or a flat file feed, a CSV file containing all the relevant information about the accounts to be loaded in.
Different sources use different connectors to share data with IdentityNow, and each connector's setup process is specific to that connector.
Identity Security Cloud connects with its sources either by a direct communication with the source server (connection information specific to the source must be provided) or a flat file feed, a CSV file containing all the relevant information about the accounts to be loaded in.
Different sources use different connectors to share data with Identity Security Cloud, and each connector's setup process is specific to that connector.
SailPoint has built a number of connectors to come out of the box and connect to the most common sources, and SailPoint actively maintains these connectors.
Refer to [IdentityNow Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about these SailPoint supported connectors.
Refer to [Identity Security Cloud Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about these SailPoint supported connectors.
Refer to the following links for more information about two useful connectors:
- [JDBC Connector](https://documentation.sailpoint.com/connectors/jdbc/help/integrating_jdbc/introduction.html): This customizable connector an directly connect to databases that support JDBC (Java Database Connectivity).
- [Web Services Connector](https://documentation.sailpoint.com/connectors/webservices/help/integrating_webservices/introduction.html): This connector can directly connect to databases that support Web Services.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/idn/docs/saas-connectivity) for more information about SailPoint's new connectivity framework that makes it easy to build and manage custom connectors to SaaS sources.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/docs/connectivity/saas-connectivity/) for more information about SailPoint's new connectivity framework that makes it easy to build and manage custom connectors to SaaS sources.
When admins select existing sources, they can view the following information about the source:
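Review bot: the context line `This customizable connector an directly connect to databases that support JDBC` has "an" where "can" is meant; it sits inside a hunk that is already rewriting the neighbouring link text, so fix it here to `This customizable connector can directly connect to databases that support JDBC`.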
@@ -831,12 +826,12 @@ tags:
- Associated access profiles (groupings of entitlements).
The user account data and the entitlements update with each data aggregation from the source.
Organizations generally run scheduled, automated data aggregations to ensure that their data is always in sync between their sources and their IdentityNow tenants so an access change on a source is detected quickly in IdentityNow.
Organizations generally run scheduled, automated data aggregations to ensure that their data is always in sync between their sources and their Identity Security Cloud tenants so an access change on a source is detected quickly in Identity Security Cloud.
Admins can view a history of these aggregations, and they can also run manual imports.
Refer to [Loading Account Data](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html) for more information about manual and scheduled aggregations.
Admins can also make changes to determine which user account data IdentityNow collects from the source and how it correlates that account data with identity data.
To define which account attributes the source shares with IdentityNow, admins can edit the account schema on the source.
Admins can also make changes to determine which user account data Identity Security Cloud collects from the source and how it correlates that account data with identity data.
To define which account attributes the source shares with Identity Security Cloud, admins can edit the account schema on the source.
Refer to [Managing Source Account Schemas](https://documentation.sailpoint.com/saas/help/accounts/schema.html) for more information about source account schemas and how to edit them.
To define the mapping between the source account attributes and their correlating identity attributes, admins can edit the correlation configuration on the source.
Refer to [Assigning Source Accounts to Identities](https://documentation.sailpoint.com/saas/help/accounts/correlation.html) for more information about this correlation process between source accounts and identities.
@@ -844,14 +839,19 @@ tags:
Admins can also delete sources, but they must first ensure that the sources no longer have any active connections: the source must not be associated with any identity profile or any app, and it must not be referenced by any transform.
Refer to [Deleting Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html#deleting-sources) for more information about deleting sources.
Well organized, mapped out connections between sources and IdentityNow are essential to achieving comprehensive identity access governance across all the source systems organizations need.
Well organized, mapped out connections between sources and Identity Security Cloud are essential to achieving comprehensive identity access governance across all the source systems organizations need.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about all the different things admins can do with sources once they are connected.
- name: Source Usages
description: |
Use this API to implement source usage insight functionality.
With this functionality in place, administrators can gather information and insights about how their tenants' sources are being used.
This allows organizations to get the information they need to start optimizing and securing source usage.
- name: Tagged Objects
description: |
Use this API to implement object tagging functionality.
With object tagging functionality in place, any user in an organization can use tags as a way to group objects together and find them more quickly when the user searches IdentityNow.
With object tagging functionality in place, any user in an organization can use tags as a way to group objects together and find them more quickly when the user searches Identity Security Cloud.
In IdentityNow, users can search their tenants for information and add tags objects they find.
In Identity Security Cloud, users can search their tenants for information and add tags objects they find.
Tagging an object provides users with a way of grouping objects together and makes it easier to find these objects in the future.
For example, if a user is searching for an entitlement that grants a risky level of access to Active Directory, it's possible that the user may have to search through hundreds of entitlements to find the correct one.
@@ -859,7 +859,7 @@ tags:
The user can add the same tag to multiple objects the user wants to group together for an easy future search, and the user can also do so in bulk.
When the user wants to find that tagged entitlement again, the user can search for "tags:AD_RISKY" to find all objects with that tag.
With the API, you can tag even more different object types than you can in IdentityNow (access profiles, entitlements, identities, and roles).
With the API, you can tag even more different object types than you can in Identity Security Cloud (access profiles, entitlements, identities, and roles).
You can use the API to tag all these objects:
- Access profiles
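Review bot: the rewritten line `In Identity Security Cloud, users can search their tenants for information and add tags objects they find` is missing the preposition and should read `add tags to objects they find`. Also confirm the re-added `Source Usages` block lands here intentionally (alphabetically between `Sources` and `Tagged Objects`) and matches the removed block above word for word.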
@@ -888,7 +888,7 @@ tags:
- You can have up to 10,000 tag associations, pairings of 1 tag to 1 object, in your tenant.
Because of these limits, it is recommended that you work with your governance experts and security teams to establish a list of tags that are most expressive of governance objects and access managed by IdentityNow.
Because of these limits, it is recommended that you work with your governance experts and security teams to establish a list of tags that are most expressive of governance objects and access managed by Identity Security Cloud.
These are the types of information often expressed in tags:
@@ -900,7 +900,7 @@ tags:
- Risk levels
Refer to [Tagging Items in Search](https://documentation.sailpoint.com/saas/help/search/index.html?h=tags#tagging-items-in-search) for more information about tagging objects in IdentityNow.
Refer to [Tagging Items in Search](https://documentation.sailpoint.com/saas/help/search/index.html?h=tags#tagging-items-in-search) for more information about tagging objects in Identity Security Cloud.
- name: Transforms
description: |
The purpose of this API is to expose functionality for the manipulation of Transform objects.
@@ -908,13 +908,13 @@ tags:
to write code. These endpoints don't require API calls to other resources, audit service is used for keeping track
of which users have made changes to the Transforms.
Refer to [Transforms](https://developer.sailpoint.com/idn/docs/transforms) for more information about transforms.
Refer to [Transforms](https://developer.sailpoint.com/docs/extensibility/transforms/) for more information about transforms.
- name: Work Items
description: |
Use this API to implement work item functionality.
With this functionality in place, users can manage their work items (tasks).
Work items refer to the tasks users see in IdentityNow's Task Manager.
Work items refer to the tasks users see in Identity Security Cloud's Task Manager.
They can see the pending work items they need to complete, as well as the work items they have already completed.
Task Manager lists the work items along with the involved sources, identities, accounts, and the timestamp when the work item was created.
For example, a user may see a pending 'Create an Account' work item for the identity Fred.Astaire in GitHub for Fred's GitHub account, fred-astaire-sp.
@@ -927,7 +927,7 @@ tags:
Refer to [Task Manager](https://documentation.sailpoint.com/saas/user-help/task_manager.html) for more information about work items, including the different types of work items users may need to complete.
- name: Workflows
description: |
Workflows allow administrators to create custom automation scripts directly within IdentityNow. These automation scripts respond to [event triggers](https://developer.sailpoint.com/idn/docs/event-triggers#how-to-get-started-with-event-triggers) and perform a series of actions to perform tasks that are either too cumbersome or not available in the IdentityNow UI. Workflows can be configured via a graphical user interface within IdentityNow, or by creating and uploading a JSON formatted script to the Workflow service. The Workflows API collection provides the necessary functionality to create, manage, and test your workflows via REST.
Workflows allow administrators to create custom automation scripts directly within Identity Security Cloud. These automation scripts respond to [event triggers](https://developer.sailpoint.com/docs/extensibility/event-triggers/#how-to-get-started-with-event-triggers) and perform a series of actions to perform tasks that are either too cumbersome or not available in the Identity Security Cloud UI. Workflows can be configured via a graphical user interface within Identity Security Cloud, or by creating and uploading a JSON formatted script to the Workflow service. The Workflows API collection provides the necessary functionality to create, manage, and test your workflows via REST.
paths:
/access-profiles:
get:
@@ -153636,14 +153636,14 @@ components:
type: oauth2
description: |
OAuth2 Bearer token (JWT) generated using either a Personal Access token or through the Authorization Code flow.
See [IdentityNow REST API Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information.
- Directions for generating a [personal access token](https://developer.sailpoint.com/idn/api/authentication#personal-access-tokens)
- Directions using [client credentials flow](https://developer.sailpoint.com/idn/api/authentication#client-credentials-grant-flow)
- Directions for using [authorization code flow](https://developer.sailpoint.com/idn/api/authentication#authorization-code-grant-flow)
See [Identity Security Cloud REST API Authentication](https://developer.sailpoint.com/docs/api/authentication/) for more information.
- Directions for generating a [personal access token](https://developer.sailpoint.com/docs/api/authentication/#personal-access-tokens)
- Directions using [client credentials flow](https://developer.sailpoint.com/docs/api/authentication/#client-credentials-grant-flow)
- Directions for using [authorization code flow](https://developer.sailpoint.com/docs/api/authentication/#authorization-code-grant-flow)
Which authentication method should I choose? See our [guide](https://developer.sailpoint.com/idn/api/authentication#which-oauth-20-grant-flow-should-i-use)
Which authentication method should I choose? See the [guide](https://developer.sailpoint.com/docs/api/authentication/#which-oauth-20-grant-flow-should-i-use).
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in our docs](https://developer.sailpoint.com/idn/api/authentication#find-your-tenants-oauth-details)
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in the docs](https://developer.sailpoint.com/docs/api/authentication/#find-your-tenants-oauth-details).
flows:
clientCredentials:
tokenUrl: 'https://tenant.api.identitynow.com/oauth/token'
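Review bot: the rebranded description still says the token is `generated using either a Personal Access token or through the Authorization Code flow`, yet the bullet list beneath it now links three options including client credentials; align the first sentence with the list. Also note that `tokenUrl: 'https://tenant.api.identitynow.com/oauth/token'` is left untouched while the product name changes; that is correct only if the API hostname is not being rebranded, so confirm this is deliberate, since generated clients and OAuth configurations are derived from this value.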
@@ -153660,12 +153660,12 @@ components:
type: oauth2
description: |
OAuth2 Bearer token (JWT) generated using client credentials flow.
See [IdentityNow REST API Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information.
- Directions using [client credentials flow](https://developer.sailpoint.com/idn/api/authentication#client-credentials-grant-flow)
See [Identity Security Cloud REST API Authentication](https://developer.sailpoint.com/docs/api/authentication/) for more information.
- Directions using [client credentials flow](https://developer.sailpoint.com/docs/api/authentication/#client-credentials-grant-flow)
Which authentication method should I choose? See our [guide](https://developer.sailpoint.com/idn/api/authentication#which-oauth-20-grant-flow-should-i-use)
Which authentication method should I choose? See the [guide](https://developer.sailpoint.com/docs/api/authentication/#which-oauth-20-grant-flow-should-i-use).
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in our docs](https://developer.sailpoint.com/idn/api/authentication#find-your-tenants-oauth-details)
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in the docs](https://developer.sailpoint.com/docs/api/authentication/#find-your-tenants-oauth-details).
flows:
clientCredentials:
tokenUrl: 'https://tenant.api.identitynow.com/oauth/token'
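Review bot: this scheme declares only a `clientCredentials` flow, but the rewritten line `Learn more about how to find your tokenUrl and authorizationUrl [in the docs]` still references an `authorizationUrl` that this scheme does not define; since the sentence is being edited anyway, drop the `authorizationUrl` mention here (or keep it only in the scheme above that actually carries an authorization code flow) so the security scheme description matches its `flows:` block.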
