Role Request Modernization: FAQ
General
Where can I get information and training for UF SailPoint IdentityNow?
UF HR has provided an HR Toolkit for Security Roles which contains useful instruction sets for performing various tasks in the UF SailPoint IdentityNow system.
HR has also updated the training courses for DSAs (requestors), Primary DSAs (this is new), and Role Approvers:
- IAM100: Security Role Requesters (for all DSAs, including Primary DSAs)
- IAM200: Primary Requesters (for Primary DSAs)
- IAM300: Governance Groups (for all Approvers)
These are recommended for anyone who will be using UF’s SailPoint.
Who can access SailPoint?
Only Requestors (DSAs), Approvers (Governance Group members), and Auditors can log in to SailPoint.
DSAs / Primary DSAs
What is the difference between a DSA and a Primary DSA?
Each department can have multiple DSAs, and for role requests any DSA can make requests. However, each department can have only one Primary DSA who will serve as the “manager” for that department in UF SailPoint IdentityNow.
The current list of DSAs can be found here.
Primary DSAs have the added responsibility for ad-hoc role removal and “Mover” certifications for people in the departments for which they are specifically listed as Primary DSA, as well as for any sub-departments that do not have a Primary DSA specifically defined.
These differences are covered in the IAM100 and IAM200 training courses, which are required to obtain the UF_SEC_REQUESTOR role and are also strongly recommended for all DSAs, including those who had the role before the switch to UF SailPoint.
Is Primary DSA a new thing?
Yes. The old ARS system was able to support multiple DSAs with equal responsibility within a department, but SailPoint IdentityNow uses a more conventional single-manager model, where each person has a single manager within the system. This means we had to adopt the Primary DSA convention so that someone can serve as each person’s manager within SailPoint.
Can we have two primary DSAs if we need a backup?
No, each department ID can have only one Primary DSA.
What should we do if our Primary DSA is unavailable?
In this case, please reach out to UFIT Identity and Access Management. We can assist in reassigning any certifications, aiding in role revocation, or assigning a new Primary DSA.
If the Primary DSA is the only DSA who can certify, who certifies the Primary DSA?
IAM will assign either another DSA or work to administratively certify the access.
How are Primary DSAs selected?
UFIT IAM worked with the HR Liaisons to determine who should be Primary DSA for each area in the run-up to our launch of the new system. Going forward we will work with the DSAs in their respective areas to make any changes to who will fill the Primary DSA role.
If you’re the sole DSA in the department, do you need another?
Not necessarily, but having multiple DSAs per department is recommended. This recommendation is because a person can’t certify themselves, so IAM will need to identify another DSA to perform certification for you.
Will the DSA Authorization Form be updated/simplified since we don’t have to specify which department IDs we need access to?
That may be an enhancement in a future version. For now, the form will stay the same and will still require departmental IDs so audits can verify that access is being requested in an expected manner in accordance with assigned departments. The form can be found here.
Certifications
Is there a recommendation for how to process certifications?
Yes, in the HR Toolkit, the “Complete Certification Campaigns” instruction set is a very helpful visual guide (with screenshots) which provides a workflow that will help you process your assigned certifications quickly and efficiently.
Specifically, this four-step process is recommended:
1. In SailPoint, Entitlements must be approved as part of the certification process. On the Entitlements tab, select all, and then click Approve – this will bulk approve all those Entitlements.
2. On the Roles tab, select all, and then click Acknowledge – this will acknowledge all the roles that are granted by birthright.
3. What’s left will be the Requestable Roles – this is where we ask you to spend time scrutinizing the requested access that may no longer be needed or appropriate. You will decide to approve or revoke these. Note: If no Requestable Roles remain after completing steps 1 and 2, proceed directly to step 4.
4. After submitting decisions on all items, be sure to “sign off” on the recertification.
Who is responsible for certifications?
When someone moves (see “What triggers a certification?” below), a “Mover” certification will be created and assigned to the Primary DSA of the person’s primary department.
When someone moves between primary departments (e.g. leaving one dept for another), typically the Primary DSA of the department that the person is leaving will be assigned the certification. This gives the Primary DSA in the former department the opportunity to revoke any access the person should no longer have.
Who will receive notification when a certification is created/assigned?
Only the person’s Primary DSA will be notified upon creation. If the Primary DSA reassigns the certification, the receiving DSA will be notified.
How do I reassign certifications?
Certifications can be reassigned on a one-by-one basis as needed:
- open the certification you wish to reassign
- on the left-hand side of the page, click the checkbox next to the person’s name, this will change the screen to the ‘reassign’ screen
- click ‘reassign’
- in the fly-out, enter the UFID of the person you wish to reassign the certification to (Make sure the person you are reassigning to is a DSA), then select their name once found. Then enter a helpful comment.
- click ‘Reassign’ at the bottom of the fly-out
In situations where a Primary DSA is going to be unavailable (vacation or other planned leave), the Primary DSA can set automatic reassignment to another appropriate DSA for the duration of their leave using the steps provided here in the HR Toolkit. Please note this will ONLY reassign new certifications. Any outstanding certifications will need to be completed or reassigned on a one-by-one basis.
If I set up automatic work reassignment of certifications to another DSA while I’m on leave, does he or she have to reassign the work back to me when I return?
It’s a best practice to set an end-date on automatic work reassignments during leave. Any work that has already been reassigned will stay with the person to whom it was assigned, but any new recertifications will come to you.
What triggers a certification?
Mover certifications are triggered in three scenarios:
- Any change to a UF employee’s department ID or job code in UF’s HR data will generate a Mover certification. This includes the addition or departure of a secondary/additional job.
- If a UF employee leaves employment but retains an employee-like affiliation, a Mover certification will be generated.
- For non-employees with “employee-like” affiliations, changes in their primary department ID will generate a Mover certification.
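The trigger rules above, together with the assignment rules (the certification goes to the Primary DSA of the department the person is leaving, falling back to the parent department when a sub-department has no Primary DSA of its own), can be modelled as a small decision function. This is an added illustration, not code from UF SailPoint IdentityNow; the department tree, Primary DSA list and UFIDs are constructed sample data, and it assumes the person still holds some affiliation afterwards (a person who drops every affiliation is a leaver, not a mover).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample data (not UF's real org tree or DSA list): child -> parent
# department ID, and the departments that have a Primary DSA explicitly defined.
PARENT_DEPT = {"16100100": "16100000", "16100000": "16000000", "16000000": None}
PRIMARY_DSA = {"16100000": "primary_dsa_college", "16000000": "primary_dsa_vp_area"}


@dataclass(frozen=True)
class Affiliation:
    ufid: str
    employee: bool                        # False for non-employees with employee-like affiliations
    primary_dept: str
    jobs: FrozenSet[Tuple[str, str]]      # (department ID, job code) for every job held


def primary_dsa_for(dept: Optional[str]) -> Optional[str]:
    """Find the Primary DSA for a department, walking up to parent departments
    when the department itself has no Primary DSA defined."""
    while dept is not None:
        if dept in PRIMARY_DSA:
            return PRIMARY_DSA[dept]
        dept = PARENT_DEPT.get(dept)
    return None


def mover_certification(before: Affiliation, after: Affiliation) -> Optional[Tuple[Optional[str], str]]:
    """Decide whether an HR change creates a Mover certification.
    Returns (assigned Primary DSA, reason), or None when nothing is triggered."""
    if before.employee and not after.employee:
        reason = "left employment but retained an employee-like affiliation"
    elif before.employee and (before.primary_dept != after.primary_dept or before.jobs != after.jobs):
        reason = "employee department ID or job code changed (includes secondary jobs)"
    elif not before.employee and before.primary_dept != after.primary_dept:
        reason = "non-employee primary department changed"
    else:
        return None
    # The certification is assigned to the Primary DSA of the department the person
    # is leaving (or is still in, when the primary department did not change), so the
    # former department gets the chance to revoke access that should no longer exist.
    return primary_dsa_for(before.primary_dept), reason
```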
Requesting Roles
Will SailPoint populate an error message when a request is being made and the employee has not completed the required training?
No. However, after the request is submitted, it will be denied by an automated process. Both the requesting DSA and the person for whom the role was requested will receive an email containing information about which training must be completed.
Are any roles set to be auto-approved?
Yes. Most of the auto-approved roles from the old ARS system will continue to be auto-approved.
I have a role request that has been pending approval for several days, who can I get to approve it?
Please contact IAM, we can help reach out to the Governance Group who approves the role.
About Roles
Will you be able to add the department field to roles that require it? It is not always obvious which roles require a department.
For roles that require additional information, we will note that in the role description and require a comment be populated with the request.
Is there a way we can reword role descriptions to make them easier to understand?
Yes, IAM and role owners can work to improve this. If you find a description that needs clarification, please reach out to IAM.
Will access be given automatically, or will it still have to run overnight?
Access will be granted automatically within 15 minutes after approval. No more overnight waits, barring some edge systems like Equifax and PageUp that require an overnight process.
Other Topics
How do DSO accounts work in SailPoint?
DSO accounts (DSO####) will not exist in SailPoint, as they are not GatorLink accounts. DSO account PeopleSoft access will have to go through UFIT’s ADI App Security team until Workday goes live.
Is the goal to have Security Set-Ups in SailPoint?
The additional security setups for T&L, HRMS, ePAF, etc. will remain in myUFL (PeopleSoft).