SailPoint: Role Request Modernization

As part of the modernization of the University of Florida’s identity and access management setup, a decision was made to move from the legacy system (the home-grown ARS system in PeopleSoft) to SailPoint. As part of this transition, there will be a few changes to existing processes, procedures and access methods. This FAQ provides some information about what is changing and defines some commonly used terms in the new system.

Glossary

This is not an all-inclusive glossary; additional terms will be added and clarity provided as the need arises.

  • Department Security Administrator (DSA): Designated College and / or Department staff members who will use SailPoint to initiate requests to grant access to administrative computer applications for people in the UF registry.
  • Primary Department Security Administrator (Primary DSA): Designated College and Department staff members who will use SailPoint to initiate requests to grant or remove access to administrative computer applications for people in the UF registry. Primary DSAs will also be responsible for recertification of “movers”.
  • Role Approver: Designated members of the UF Core offices who approve or deny access to specific roles related to their functional area. Role approvers are grouped together into Governance groups.
  • Mover: UF staff, faculty, or employee who has moved to a new department or taken / left an additional position. When an individual is identified as a mover, the Primary DSA will be required to perform a recertification.
  • Leaver: UF staff, faculty or employee who has ended their working relationship with the University of Florida. Most access will be removed by SailPoint at the time of termination.
  • Role: Representation of the access that is granted to an individual in the SailPoint system. Roles are requested by a DSA (unless a birthright role rule applies), approved by a role approver (if needed) and then assigned to the end-user.
  • Birthright Role: Representation of the access that is granted to an individual in the SailPoint system based on identity attributes (e.g., affiliation, job code, department ID).

Changes from ARS to SailPoint

For the most part, the abilities currently in place for DSAs and Role approvers stay the same, with a few notable exceptions.

DSAs

  • Role requests to add access are no longer bound by departmental authority.
    • Any DSA can request for any user in the UF Registry.
    • All requests are logged and will be carefully audited by IAM and the department of internal audits.
  • Role requests to remove access can no longer be requested by a non-primary DSA.
  • Annual certification will no longer be completed by the DSA.

Primary DSAs

  • New concept in SailPoint. Primary DSAs have all of the abilities of a DSA, with a few added roles / responsibilities:
    • Recertifications
    • Role removal requests

Role approver

  • Current abilities regarding approval stay the same
    • Role approvers are assigned to specific roles to approve / deny
  • Training is no longer a blocker for requests
    • Role approvers are expected to check for completed training prior to approving roles
  • Can now request roles
    • The role approver can now request roles as a DSA can (not primary DSA).
    • Role approvers cannot approve roles they request
  • Recertification
    • Role approvers will be responsible for recertification, on some regular interval, of approved roles that are high-impact or high-security.

For questions, please reach out to the Identity team via: ufit-ars@ad.ufl.edu