What is Provisioning Plan in SailPoint
--
Before we start our discussion about the Provisioning Plan, let's first understand what provisioning is.
In simple words, provisioning means adding, modifying, or removing a user's access on a target system.
Below are a few examples of provisioning -
- Add the role of “Network Administrator” to John Smith.
- Create a new account on Active Directory for John Smith.
- Disable the account on ServiceNow for John Smith.
- Add John Smith to the group “Domain Admins” in AD.
A Provisioning Plan basically answers three things -
- Who — The Identity on which the entire operation needs to be performed.
- What — For which Application/Account, and which operation needs to be performed.
- Any additional details — If a specific operation needs extra data (for example, the attribute values of a new account), that data is provided as part of the AttributeRequest.
Sample Provisioning Plan Object in XML
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="1c" targetIntegration="Active Directory" trackingId="770e844f8d0a42b0b4185afa61e7e440">
  <AccountRequest application="Active Directory" nativeIdentity="cn=1c,OU=activeUsers,OU=people,DC=acme,DC=local" op="Create">
    <Attributes>
      <Map>
        <entry key="flow" value="AccountsRequest"/>
        <entry key="interface" value="LCM"/>
        <entry key="operation" value="Create"/>
      </Map>
    </Attributes>
    <AttributeRequest name="objectType" op="Set" value="User"/>
    <AttributeRequest name="sAMAccountName" op="Set" value="1c"/>
    <AttributeRequest name="password" op="Set" value="Oracle@123">
      <Attributes>
        <Map>
          <entry key="secret" value="true"/>
        </Map>
      </Attributes>
    </AttributeRequest>
    <AttributeRequest name="pwdLastSet" op="Add">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </AttributeRequest>
    <AttributeRequest name="IIQDisabled" op="Set">
      <Value>
        <Boolean></Boolean>
      </Value>
    </AttributeRequest>
    <AttributeRequest name="givenName" op="Set" value="Aaron"/>
    <AttributeRequest name="sn" op="Set" value="Nichols"/>
    <AttributeRequest name="mail" op="Set" value="Aaron.Nichols@demoexample.com"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0000000019"/>
      <entry key="requester" value="spadmin"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="c0a84a0382f6191b8182f6f9eb5100eb" name="spadmin"/>
  </Requesters>
</ProvisioningPlan>
In the XML, the ProvisioningPlan element carries a nativeIdentity attribute, which tells us which user in SailPoint this provisioning plan belongs to. In our case, it is 1c.
<ProvisioningPlan nativeIdentity="1c" targetIntegration="Active Directory" trackingId="770e844f8d0a42b0b4185afa61e7e440">
Next is the AccountRequest element, which contains multiple details -
- For which application is the plan applicable? In our case, it's Active Directory.
- What is the native identifier of the account? In our case, it's the distinguished name of the user in AD.
- Which operation needs to be performed? In our case, it's the Create operation.
<AccountRequest application="Active Directory" nativeIdentity="cn=1c,OU=activeUsers,OU=people,DC=acme,DC=local" op="Create">
Inside the AccountRequest element, we have multiple AttributeRequest elements. An AttributeRequest carries one attribute that is required to support the operation, along with the operation to apply to it (Set, Add, and so on) and its value. For example, if we want to create a user in Active Directory, we need to pass the basic details of the user such as givenName, sn, sAMAccountName, userPrincipalName, mail, and password. Note in the sample above that the password request is marked with a secret=true entry in its Attributes map; that is the flag IdentityIQ uses to know a value should not be displayed or logged in the clear.
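As an added example (not code from this post or from SailPoint), here is a small Python parser that reads a plan in the format shown above and answers the three questions (who, what, and which details), redacting any AttributeRequest flagged secret before the summary is written to a log or audit trail. The sample plan is a trimmed, inline copy of the one above; the DOCTYPE is omitted so it parses offline.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the plan shown above, DOCTYPE omitted.
SAMPLE_PLAN = """<ProvisioningPlan nativeIdentity="1c" targetIntegration="Active Directory"
                  trackingId="770e844f8d0a42b0b4185afa61e7e440">
  <AccountRequest application="Active Directory"
                  nativeIdentity="cn=1c,OU=activeUsers,OU=people,DC=acme,DC=local" op="Create">
    <AttributeRequest name="sAMAccountName" op="Set" value="1c"/>
    <AttributeRequest name="password" op="Set" value="Oracle@123">
      <Attributes><Map><entry key="secret" value="true"/></Map></Attributes>
    </AttributeRequest>
    <AttributeRequest name="pwdLastSet" op="Add"><Value><Boolean>true</Boolean></Value></AttributeRequest>
    <AttributeRequest name="mail" op="Set" value="Aaron.Nichols@demoexample.com"/>
  </AccountRequest>
  <Attributes><Map><entry key="requester" value="spadmin"/></Map></Attributes>
</ProvisioningPlan>"""

REDACTED = "<redacted>"

def _args(elem):
    """Key/value pairs from an element's own <Attributes><Map> block (not nested ones)."""
    return {e.get("key"): e.get("value") for e in elem.findall("./Attributes/Map/entry")}

def _value(attr_req):
    """An AttributeRequest carries its value as a value= attribute or as a nested <Value> child."""
    if attr_req.get("value") is not None:
        return attr_req.get("value")
    val = attr_req.find("Value")
    return None if val is None else "".join(val.itertext()).strip()

def summarize_plan(xml_text):
    """Return who / requester / what for a plan, with secret attribute values redacted."""
    plan = ET.fromstring(xml_text)
    summary = {"who": plan.get("nativeIdentity"),
               "requester": _args(plan).get("requester"), "what": []}
    for acct in plan.findall("AccountRequest"):
        details = []
        for req in acct.findall("AttributeRequest"):
            # Honour the secret flag; also treat "password" as secret in case the flag is missing.
            secret = (_args(req).get("secret", "false").lower() == "true"
                      or req.get("name", "").lower() == "password")
            details.append((req.get("name"), req.get("op"), REDACTED if secret else _value(req)))
        summary["what"].append({"application": acct.get("application"),
                                "account": acct.get("nativeIdentity"),
                                "op": acct.get("op"), "details": details})
    return summary

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_plan(SAMPLE_PLAN), indent=2))
```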
If this post explained the concept of the Provisioning Plan in SailPoint to you in layman's terms, hit a clap. Also, do leave a comment with any suggestions or feedback.