SAILPOINT LCM MODULE AND JML EVENTS Flashcards

1
Q

Can you define Life Cycle Manager (LCM)?

A

SailPoint’s LCM provides a comprehensive solution for managing the entire identity lifecycle, from onboarding to offboarding, in a user-friendly, automated, and policy-driven manner. It integrates identity governance, access request, automated provisioning, and password management into a single, unified solution. Here are the key components of LCM:

  1. Joiner: When a new employee joins the company, LCM automates the process of providing the appropriate access rights. It uses role-based access control (RBAC) and access policies to determine which rights the new employee should have, based on their role, department, location, etc.
  2. Mover: When an employee changes roles within the organization, LCM handles the process of updating their access rights. It can remove access rights that are no longer needed and provide new ones that are required for the new role.
  3. Certifications and Audits: LCM supports the process of periodically reviewing and certifying access rights. This can help the organization stay compliant with various regulations and maintain a strong security posture.
  4. Leaver: When an employee leaves the company, LCM automates the process of revoking their access rights. This helps to minimize the risk of unauthorized access.
  5. Self-Service and Delegated Administration: LCM provides a self-service portal where users can request additional access, manage their own passwords, etc. It also supports delegated administration, allowing managers or department heads to handle access requests for their teams.
  6. Provisioning and Deprovisioning: With integration to various IT resources, LCM can automatically provision and deprovision access on various systems and applications, reducing the manual workload on the IT team.
2
Q

When Joiner, Mover, Leaver (JML) events are triggered, what happens in the HRMS?

A

In the context of an Identity Governance and Administration (IGA) system such as SailPoint IdentityIQ, Joiner Mover Leaver (JML) processes refer to the lifecycle events of users in an organization.

  • Joiners are new employees who are joining the organization.
  • Movers are existing employees who are changing roles within the organization.
  • Leavers are employees who are leaving the organization.

These JML events often trigger updates in both the Human Resource Management System (HRMS) and the IGA system, like IdentityIQ, because changes in an employee’s status or role typically require changes in their access rights.

3
Q

When a JML event is triggered:

A

  1. For a Joiner, a new record is created in the HRMS database reflecting the details of the new employee. This record includes all necessary attributes like name, department, role, manager, etc.
  2. For a Mover, the existing employee’s record in the HRMS database is updated to reflect the change in their role, department, manager, location, etc.
  3. For a Leaver, the employee’s record is typically updated in the HRMS to indicate their departure. Depending on the organization’s policy, the record might be later archived or deleted.

Once these changes are reflected in the HRMS, they also need to be reflected in the IGA system to ensure that the employees’ access rights are appropriately adjusted. This is typically done by a process known as reconciliation or aggregation, where the IGA system periodically synchronizes with the HRMS database to detect any changes and adjust access rights accordingly.

For example, when a new joiner record is detected in the HRMS database, the Identity Governance and Administration (IGA) system would initiate the onboarding process, provisioning the new user with the access rights appropriate for their role. For a mover, the system would adjust their access rights according to their new role, possibly revoking some access and granting other access. For a leaver, the system would initiate the offboarding process, revoking all their access to prevent any potential security risks.

4
Q

Provide additional details on how JML events are triggered and executed in SailPoint IdentityIQ.

A

A JML event is typically triggered based on changes in the HRMS (Human Resource Management System) database. The HRMS database contains the data about employees, including their roles, departments, employment status, etc. When an employee joins the company, changes roles, or leaves the company, this information is updated in the HRMS database. Here is a more detailed look at how these events are triggered and what happens:

  1. Joiner: When a new employee is added to the HRMS database, a Joiner event is triggered. The IAM system (like SailPoint IIQ) receives this event, typically through an automated process like a scheduled import or via a real-time API call. Based on the new employee’s role, department, and other attributes, the IAM system determines which access rights the employee should have. The IAM system then provisions these access rights on the various IT systems and applications that the employee needs to use.
  2. Mover: When an employee’s role, department, or other attribute changes in the HRMS database, a Mover event is triggered. The IAM system receives this event and re-evaluates the employee’s access rights. It may revoke some access rights that are no longer appropriate, and provision new ones that are required for the new role or department.
  3. Leaver: When an employee is marked as having left the company in the HRMS database, a Leaver event is triggered. The IAM system receives this event and revokes all the access rights associated with the employee, ensuring that they can no longer access the company’s IT systems and applications.

These JML events help automate the management of access rights, ensuring that each employee always has the appropriate access. They also help improve security by ensuring that access is revoked promptly when an employee leaves the company. Additionally, by automating these processes, the JML events help reduce the workload on the IT department and reduce the risk of human error.
