What is a Provisioning Plan in SailPoint

Amit Kumar Gupta
2 min read · Jan 12, 2023


Before we discuss the provisioning plan, let's first understand what provisioning is.

In simple words, provisioning means adding, modifying, or removing a user's access on a target system.

Below are a few examples of provisioning -

  1. Add the role of “Network Administrator” to John Smith.
  2. Create a new account on Active Directory for John Smith.
  3. Disable the account on ServiceNow for John Smith.
  4. Add John Smith to the group “Domain Admins” in AD.

A provisioning plan answers three questions:

  1. Who: the identity on which the whole operation is to be performed.
  2. What: which application and account is affected, and which operation (create, modify, disable, delete, and so on) is to be performed on it.
  3. Any additional details: if a specific operation needs extra data to succeed (for example the attributes of a new account), that data is supplied as attribute requests.

Sample Provisioning Plan Object in XML

<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="1c" targetIntegration="Active Directory" trackingId="770e844f8d0a42b0b4185afa61e7e440">
<AccountRequest application="Active Directory" nativeIdentity="cn=1c,OU=activeUsers,OU=people,DC=acme,DC=local" op="Create">
<Attributes>
<Map>
<entry key="flow" value="AccountsRequest"/>
<entry key="interface" value="LCM"/>
<entry key="operation" value="Create"/>
</Map>
</Attributes>
<AttributeRequest name="objectType" op="Set" value="User"/>
<AttributeRequest name="sAMAccountName" op="Set" value="1c"/>
<AttributeRequest name="password" op="Set" value="Oracle@123">
<Attributes>
<Map>
<entry key="secret" value="true"/>
</Map>
</Attributes>
</AttributeRequest>
<AttributeRequest name="pwdLastSet" op="Add">
<Value>
<Boolean>true</Boolean>
</Value>
</AttributeRequest>
<AttributeRequest name="IIQDisabled" op="Set">
<Value>
<Boolean></Boolean>
</Value>
</AttributeRequest>
<AttributeRequest name="givenName" op="Set" value="Aaron"/>
<AttributeRequest name="sn" op="Set" value="Nichols"/>
<AttributeRequest name="mail" op="Set" value="Aaron.Nichols@demoexample.com"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="identityRequestId" value="0000000019"/>
<entry key="requester" value="spadmin"/>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
<Requesters>
<Reference class="sailpoint.object.Identity" id="c0a84a0382f6191b8182f6f9eb5100eb" name="spadmin"/>
</Requesters>
</ProvisioningPlan>

In the XML, the nativeIdentity attribute on the ProvisioningPlan element tells us which identity in SailPoint the plan belongs to. In our case it is 1c.

<ProvisioningPlan nativeIdentity="1c" targetIntegration="Active Directory" trackingId="770e844f8d0a42b0b4185afa61e7e440">

Next is the AccountRequest element, which carries several details:

  1. Which application does the request apply to? In our case, Active Directory.
  2. What is the native identifier of the account? In our case, the distinguished name of the user in AD.
  3. Which operation is to be performed? In our case, the create operation.
<AccountRequest application="Active Directory" nativeIdentity="cn=1c,OU=activeUsers,OU=people,DC=acme,DC=local" op="Create">

Inside the AccountRequest element we have multiple AttributeRequest elements. An AttributeRequest carries one attribute that is needed to support the operation: its name, the op to apply (Set, Add, Remove) and the value. The value is either given inline as value="..." or as a typed <Value> child, as pwdLastSet and IIQDisabled show above. For example, to create a user in Active Directory we need to pass the basic details of the user such as givenName, sn, sAMAccountName, userPrincipalName, mail, password, and so on. Note that the password request carries an Attributes entry with secret="true": this marks the value as sensitive so that it can be masked instead of being written in cleartext wherever the plan is serialized or logged, which is why a plan built by hand in a rule should set the same flag on password attributes.
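As an added example (not code from the post or from SailPoint), the script below reads the plan XML shown above and answers the three questions from it: who (the identity), what (each AccountRequest's application, native identity and op) and the additional details (each AttributeRequest, resolving both the value="..." form and the typed <Value> child, including the empty <Boolean> under IIQDisabled, which comes back as None). It then produces a redacted copy in which any attribute request flagged secret="true" is masked before the plan is logged. The embedded XML is the post's own sample; the function names, the dictionary layout and the "***" mask are the example's own choices, and the Integer and List handling goes beyond what the sample contains.

```python
import copy
import xml.etree.ElementTree as ET

# The sample plan from the post, embedded here so the script runs offline.
SAMPLE_PLAN = """<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="1c" targetIntegration="Active Directory" trackingId="770e844f8d0a42b0b4185afa61e7e440">
<AccountRequest application="Active Directory" nativeIdentity="cn=1c,OU=activeUsers,OU=people,DC=acme,DC=local" op="Create">
<Attributes><Map>
<entry key="flow" value="AccountsRequest"/><entry key="interface" value="LCM"/><entry key="operation" value="Create"/>
</Map></Attributes>
<AttributeRequest name="objectType" op="Set" value="User"/>
<AttributeRequest name="sAMAccountName" op="Set" value="1c"/>
<AttributeRequest name="password" op="Set" value="Oracle@123">
<Attributes><Map><entry key="secret" value="true"/></Map></Attributes>
</AttributeRequest>
<AttributeRequest name="pwdLastSet" op="Add"><Value><Boolean>true</Boolean></Value></AttributeRequest>
<AttributeRequest name="IIQDisabled" op="Set"><Value><Boolean></Boolean></Value></AttributeRequest>
<AttributeRequest name="givenName" op="Set" value="Aaron"/>
<AttributeRequest name="sn" op="Set" value="Nichols"/>
<AttributeRequest name="mail" op="Set" value="Aaron.Nichols@demoexample.com"/>
</AccountRequest>
<Attributes><Map>
<entry key="identityRequestId" value="0000000019"/><entry key="requester" value="spadmin"/><entry key="source" value="LCM"/>
</Map></Attributes>
<Requesters><Reference class="sailpoint.object.Identity" id="c0a84a0382f6191b8182f6f9eb5100eb" name="spadmin"/></Requesters>
</ProvisioningPlan>"""

REDACTED = "***"  # mask used for secret-flagged values (example's own choice)


def _args(elem):
    """Direct Attributes/Map/entry children of an element as a dict."""
    return {e.get("key"): e.get("value") for e in elem.findall("./Attributes/Map/entry")}


def _typed(node):
    """Decode one typed <Value> child (Boolean, Integer/Long, List, String)."""
    text = (node.text or "").strip()
    if node.tag == "Boolean":
        return None if not text else text.lower() == "true"  # empty <Boolean/> means no value
    if node.tag in ("Integer", "Long"):
        return int(text) if text else None
    if node.tag == "List":
        return [_typed(child) for child in node]
    return text or None  # String and anything unrecognised


def _value(req):
    """An AttributeRequest's value: inline value="..." or the first <Value> child."""
    if req.get("value") is not None:
        return req.get("value")
    val = req.find("Value")
    return None if val is None or len(val) == 0 else _typed(val[0])


def parse_plan(xml_text):
    """Turn plan XML into a plain dict: who, what, and the attribute details."""
    root = ET.fromstring(xml_text)
    if root.tag != "ProvisioningPlan":
        raise ValueError("not a ProvisioningPlan: " + root.tag)
    plan = {
        "identity": root.get("nativeIdentity"),  # who
        "targetIntegration": root.get("targetIntegration"),
        "trackingId": root.get("trackingId"),
        "args": _args(root),
        "requesters": [r.get("name") for r in root.findall("./Requesters/Reference")],
        "accounts": [],
    }
    for acct in root.findall("AccountRequest"):  # what
        attrs = [{
            "name": req.get("name"),
            "op": req.get("op"),
            "value": _value(req),
            "secret": _args(req).get("secret", "false").lower() == "true",
        } for req in acct.findall("AttributeRequest")]  # additional details
        plan["accounts"].append({
            "application": acct.get("application"),
            "nativeIdentity": acct.get("nativeIdentity"),
            "op": acct.get("op"),
            "args": _args(acct),
            "attributes": attrs,
        })
    return plan


def redact(plan):
    """Copy of the parsed plan with secret-flagged values masked; safe to log."""
    safe = copy.deepcopy(plan)
    for acct in safe["accounts"]:
        for attr in acct["attributes"]:
            if attr["secret"]:
                attr["value"] = REDACTED
    return safe


def describe(plan):
    """One line per AccountRequest summarising who, what and how many details."""
    return ["%s %s account %s on %s (%d attribute requests)" % (
        a["op"], plan["identity"], a["nativeIdentity"], a["application"], len(a["attributes"]))
        for a in plan["accounts"]]


if __name__ == "__main__":
    parsed = parse_plan(SAMPLE_PLAN)
    for line in describe(parsed):
        print(line)
    for attr in redact(parsed)["accounts"][0]["attributes"]:
        print("  %-15s %-4s %r" % (attr["name"], attr["op"], attr["value"]))
```

Redaction keys only on the secret flag, not on the attribute name, so a plan whose password request was built without secret="true" would still be printed in cleartext; that is the reason to set the flag whenever a plan is constructed by hand in a rule rather than by the LCM workflow.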


If this post explained the concept of the provisioning plan in SailPoint in layman's terms, hit a clap. Also, leave a comment with any suggestions or feedback.


Amit Kumar Gupta

🎖️ Founder of identityclasses | 👨‍💻 IAM Expert — Saviynt, SailPoint, OKTA, OIM, OIG, OUD | Professional Trainer