Configure the BeyondTrust Source Type in IdentityNow
BeyondTrust provides an access data source supported by default with IdentityNow. Once IdentityNow has visibility into a data source, it can manage information at the source location.
Users must have the appropriate credentials to log in to IdentityNow.
Configure a Source Type for BeyondTrust
- In the IdentityNow console, go to Admin > Connections > Sources.
- Click the New button in the top right corner.
- Under Source Type, select BeyondTrust Password Safe - Cloud.
- Include a Source Name, Description, Source Owner, and Connection Type.
- Click Continue.
- On the next screen, under Base Configuration, select a Virtual Appliance Cluster.
- Click Save.
Update Connection Settings
- In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
- On the next screen, click the Edit Configuration button in the top right corner.
- On the next screen, select Connection Settings on the left-hand side.
- For a production environment, select the API Token option. For a test environment, select the OAuth 2.0 option.
- Fill out the rest of the form as required with information saved earlier when configuring an OAuth service account in BeyondInsight for SailPoint IdentityNow.
- Click Save.
- Once connection settings have been saved, test the connection:
  - Select Review and Test on the right-hand side of the screen.
  - Click Test Connection on the upper left-hand side of the screen.
Aggregate Accounts and Entitlements
- In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
- On the next screen, select the Import Data tab.
- Select Account Aggregation and enter the necessary information.
- Click Save.
- Select Entitlement Aggregation and enter the necessary information.
- Click Save.
Smart Group Permissions
Within Password Safe, permissions are granted via groups. A Smart Group is a filtered list of managed accounts. All managed accounts are granted the read-only permission.
- In the Password Safe console, go to Configuration > Role Based Access > User Management > Groups. Select the group and then click the corresponding ellipsis to the right of the group.
- Select View Group Details.
- Select Smart Groups under Group Details.
- Select a managed account and then Assign Permissions.
- Assign permissions as read-only.
- Select the managed account again and then click the corresponding ellipsis to the right of the account.
- Select Edit Password Safe Roles.
- Assign role as Requestor.
- Select Access Policy for Requestor from the drop-down.
- Click Save Roles.
View User Entitlements
To view user entitlements and Password Safe groups assigned to the user:
- In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
- Select Accounts.
- Select the user.
- Select Accounts.
- Select the Source Name.
- Scroll to the bottom of the screen to view entitlements.
- To view Entitlement Details and Permissions, expand the appropriate user group.
- Select either the Details tab or Permissions tab to view information. Here you can find the target (Smart Group/Rule All Managed Accounts), Smart Group Permissions (Read or Write), and the Password Safe Role (Requestor).
Create Profile
BeyondTrust source types come with a preconfigured Create Profile.
- In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
- Select Accounts.
- Select Create Profile.
Correlation
BeyondTrust source types come with a preconfigured Correlation.
- In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
- Select Import Data.
- Select Correlation.
Schema
BeyondTrust source types come with a preconfigured Schema.
- In the IdentityNow console, go to Admin > Connections > Sources. Select the test source.
- Select Import Data.
- Select Correlation.
Once the BeyondTrust source is in place, you have access to IdentityNow business processes including Access Request, Access Certification, automated provisioning for Joiner, Mover, Leaver, Search and Analytics, and more.
It is possible to create Access Profiles that consume Password Safe Groups and then assign the Access Profiles to Roles or Applications.
For more information on assigning Access Profiles to Roles or Applications, see SaaS Product Documentation / IdentityNow at https://documentation.sailpoint.com.