Understanding Identity and Account Management in SailPoint: Authoritative vs. Target Applications.
Applications are of two types:
Authoritative Source Application
Target Application
1. Authoritative Source Application
An authoritative source application is a trusted HR system that stores employee data. Accounts from this system are created as identities in SailPoint.
2. Target Application
A target application is a system where employees need access to perform their job roles. These applications manage user accounts, entitlements, and access permissions.
What is an Account? What is an Identity?
Identity (the highest form of an HR source app account) is an object that represents an employee in the organization. It contains required attributes as per company policies, such as username, firstname, lastname, email, employment type, and manager.
An account is also an object representing an employee, but it is created directly from the application during account aggregation, and it is then mapped to the corresponding identity.
How Are Accounts Mapped to Identities?
1. How HR Source Application Accounts Are Turned into Identities
Mark the HR application as an authoritative source in SailPoint.
Complete the basic application configuration (e.g., define the schema).
Set up correlation configuration:
Map Identity Attributes in SailPoint to corresponding account attributes in the HR system.
This lets SailPoint skip identity creation when a matching identity already exists.
Configure Manager Correlation, where the manager field in the HR system is mapped to the Manager identity attribute in SailPoint.
During account aggregation, SailPoint checks each account and assigns managers accordingly when creating identities.
Configure required settings and start account aggregation.
All HR application accounts will be aggregated into SailPoint. If errors occur, check the logs.
2. Identity Profiles and Identity Creation
Identity Profiles define how identities are created in SailPoint IdentityNow (IDN).
One Identity Profile manages one HR Source Application.
If multiple HR systems exist, each needs a separate Identity Profile.
Once an Identity Profile is created and saved, all accounts from the mapped HR application are converted into Identities in SailPoint.
This process ensures every employee in the HR system has a corresponding identity in SailPoint.
3. Mapping Accounts to Existing Identities
When onboarding a Target Application (non-authoritative source), we need to map its accounts to existing identities.
Create a source for the target application.
- Since it is not an authoritative source, do not check the "Authoritative Source" option.
Set up the basic application configuration.
Configure correlation settings:
Map an Identity Attribute in SailPoint to the corresponding Account Attribute from the target application.
Example: If an employee's identity in SailPoint has an empid attribute, the target application's accounts must also have an empid field for correlation. If a match is found, the account is linked to the corresponding identity in SailPoint.
Once mapped, an identity (employee) now has an account in that application.
The employee (Identity) can request entitlements (access permissions) for that application.
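The two correlation steps above (HR accounts becoming identities with manager correlation, then target-application accounts being linked to those identities by empid) can be modelled in a few lines. The block below is an added illustration written for this article; it is not SailPoint code and does not call the IdentityNow API. The HR records, the Finance accounts, and the attribute names empid and managerId are constructed sample data. Accounts that fail correlation are returned rather than silently dropped, because an uncorrelated account is exactly the kind of orphan that access reviews need to surface.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not from any real HR system or SailPoint tenant).
# The HR feed is the authoritative source; each record becomes an identity.
HR_ACCOUNTS = [
    {"empid": "1002", "firstname": "Jane", "lastname": "Roe",
     "email": "jane.roe@example.com", "managerId": "1001"},
    {"empid": "1001", "firstname": "John", "lastname": "Doe",
     "email": "john.doe@example.com", "managerId": ""},
    {"empid": "1003", "firstname": "Sam", "lastname": "Poe",
     "email": "sam.poe@example.com", "managerId": "1002"},
]

# Constructed accounts aggregated from a target (non-authoritative) application.
FINANCE_ACCOUNTS = [
    {"username": "john", "empid": "1001", "entitlements": ["READ", "WRITE"]},
    {"username": "jane", "empid": "1002", "entitlements": ["READ"]},
    {"username": "svc_batch", "empid": "", "entitlements": ["WRITE"]},  # no correlation key
    {"username": "ghost", "empid": "9999", "entitlements": ["READ"]},   # no matching identity
]


@dataclass
class Identity:
    empid: str
    username: str
    firstname: str
    lastname: str
    email: str
    manager: Optional[str] = None                 # empid of the manager identity
    accounts: dict = field(default_factory=dict)  # app name -> account username


def aggregate_authoritative(hr_accounts, identities, correlation_attr="empid"):
    """Turn authoritative (HR) accounts into identities.

    Identities are keyed on the correlation attribute, so an identity that
    already exists is reused instead of being created twice on re-aggregation.
    Manager correlation is a second pass because a manager's record may
    appear later in the feed than the record of the person reporting to them.
    """
    for acct in hr_accounts:
        key = acct[correlation_attr]
        if key in identities:
            continue  # identity already exists; skip creation
        identities[key] = Identity(
            empid=key,
            username=f"{acct['firstname']}.{acct['lastname']}".lower(),
            firstname=acct["firstname"],
            lastname=acct["lastname"],
            email=acct["email"],
        )
    for acct in hr_accounts:
        mgr = acct.get("managerId") or None
        # Only link a manager that resolved to a real identity.
        identities[acct[correlation_attr]].manager = mgr if mgr in identities else None
    return identities


def correlate_target(app, accounts, identities, identity_attr="empid", account_attr="empid"):
    """Link target-application accounts to identities on identity_attr == account_attr.

    Returns the usernames that could not be correlated; these are the
    uncorrelated (orphan) accounts that nobody in the identity store owns.
    """
    index = {getattr(ident, identity_attr): ident for ident in identities.values()}
    uncorrelated = []
    for acct in accounts:
        key = acct.get(account_attr)
        ident = index.get(key) if key else None
        if ident is None:
            uncorrelated.append(acct["username"])
            continue
        ident.accounts[app] = acct["username"]
    return uncorrelated


def request_entitlement(identity, app, entitlement):
    """Model the chain Identity -> Entitlement -> Target Application -> Account.

    The request only makes sense if the identity already has a correlated
    account in that application; otherwise there is no account to grant to.
    """
    account = identity.accounts.get(app)
    if account is None:
        raise LookupError(f"{identity.username} has no correlated account in {app}")
    return {"identity": identity.username, "entitlement": entitlement,
            "application": app, "account": account}


if __name__ == "__main__":
    ids = aggregate_authoritative(HR_ACCOUNTS, {})
    orphans = correlate_target("Finance", FINANCE_ACCOUNTS, ids)
    print("uncorrelated Finance accounts:", orphans)
    print(request_entitlement(ids["1001"], "Finance", "READ"))
```

Running it aggregates three identities, links Jane and Sam to their managers, correlates john and jane to their identities, and reports svc_batch (empty empid) and ghost (empid with no identity) as uncorrelated. Those two are the accounts a reviewer would chase: a service account with no owner and an account whose employee no longer exists in HR.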
Example:
John is an employee (Identity) in SailPoint.
John already has an account in the Finance Application with the username john.
John needs READ access to the Finance Application.
The request structure:
John (Identity) → READ (Entitlement) → Finance (Target Application) → john (Account)
So, John raises an access request for READ access in the Finance application for his account "john".
I appreciate you reading till the end! Let me know your thoughts or if there's anything I should add. Cheers! 🎉