Role Request Modernization: FAQ

How are primary DSAs being determined?  
We’re working with the HR Liaisons to determine this.  

Can we have two primary DSAs if we need a backup?  
No, but you can have multiple DSAs. On the request side, any DSA can make requests. The only time the primary is key is when requesting role removal or with recertifications. If the primary is unavailable when someone leaves, you can reach out to the UF IAM team to assist from the system administrator standpoint to make those changes. Recertifications will be available for a month, so the primary DSA should be able to complete them within that timeframe. Primary DSAs can also reassign campaigns to any other DSA. For planned leave, a primary DSA can set work reassignment for the out-of-office period. IAM can also reassign on a primary DSA’s behalf if something urgent comes up.  

I thought I was a primary DSA already. Is this new?  
Yes. In the current system, primary DSAs do not exist, but a primary identity coordinator does. Because Department IDs are hierarchical in the current system, you may be the only DSA in your office, but there are people at the larger division or college level who have broader access above you and who can intervene on your behalf.  

If I set up automatic work reassignment to another DSA to handle recertifications while I’m on leave, does he or she have to reassign the work back to me when I return? 
It’s a best practice to set an end date on automatic work reassignments during leave. Any work that has already been reassigned will stay with the person to whom it was assigned, but any new recertifications will come to you. 

We struggle with old roles becoming defunct and we don’t know why. When we move to SailPoint, will you get rid of the old ones?  
Yes, we are doing a lot of role cleanup, looking at those that haven’t been used in a couple of years to clean up the glossary and make unused roles unavailable.  

Is there a way we can reword role descriptions to make them easier to understand? 
Yes, IAM and role owners are working to improve this. 

Do all people who have a UFID have access to SailPoint?  
SailPoint is designed to let people request roles for themselves or their team. We’re not at the point where we are comfortable having self-service available, so at this point only DSAs, approvers, auditors and the DSA team will have access. For now, please ignore the “request for yourself” feature. Having said that, if you are a DSA and you do need a role, you can request it fairly easily.  

Aren’t the auditors going to have a problem with that?  
No. The system is set up so that if it’s a common role that doesn’t require approval, DSAs are trusted to request it. For roles that need approval, it’s on the approver groups to do their due diligence.  

Does that apply to recertifications as well? 
No, nor removals.  

If you’re the sole DSA in the department, do you need another?  
No. However, you can’t recertify yourself, so we will need to identify another DSA to fill that role for you.  

Will the form be updated/simplified since we don’t have to specify which department IDs we need access to? 
That may be an enhancement in a future version. For now, the form will stay the same and will still require departmental IDs so audits can verify that access is being requested in an expected manner in accordance with assigned departments. 

Can we have two primary DSAs? We have a small department and the backup would need the same rights as the primary. 
Unfortunately no, but reassignment is an option. 

Will SailPoint populate an error message when a request is being made and the employee has not completed the assigned training, like ARS does currently? 
It does not, unfortunately. We are working with Training / Audits / the role owners on this. 

After the original request goes in and we have to add another role, will we be locked out until the original request is approved? 
Lockouts are a thing of the past. 

Are any roles set to be auto-approved? 
Yes. All the auto-approved roles will stay the same and we hope to automate more. 

What will happen with the DSO accounts? 
DSO accounts (DSO####) will not exist in SailPoint, as they are not GatorLink accounts. DSO account PeopleSoft access will have to go through UFIT’s ADI App Security team until Workday goes live. 

How do I find out who my security role approver is? I’m the DSA, but nobody currently working in our department has the SEC Approver role. 
The SEC approver is assigned to roles specifically. For example, all role requests for UF_PA_IDM roles come to the IAM team regardless of who requests it. All denials will now have a required comment that will be sent to the DSA. For example, if the role approver denies because training is missing, they will be required to enter that information so the role can be requested correctly in the future.   

If the Primary DSA is the only DSA who can certify, who certifies the Primary DSA? 
We will assign either another DSA or the IAM team. 

Is the goal to have Security Set-Ups in SailPoint? 
The additional security setups for T&L, HRMS, ePAF, etc. will remain in myUFL. 

Will access be given automatically, or will it still have to run overnight? 
Access will be granted automatically within 15 minutes after approval. No more overnight waits, barring some edge systems like Equifax and PageUp that require an overnight process. 

Will you be able to add the department field to roles that require it? It is not always obvious which roles require a department. 
For roles that require additional information, we will note that in the role description and require a comment be populated with the information.