The SailPoint IIQ user interface is far more user-friendly and reliable than the interface of competing identity managers. However, from time to time, it still encounters limitations. IdentityWorksLLC has created an IIQ plugin, the UI Enhancer, to insert many useful features and security enhancements to the existing user interface, filling in the gaps.
Identity Page Enhancements
The screenshot below indicates several enhancements to the View Identity page, described in the sections below.
The Identity page enhancements are largely calculated server-side, for security purposes. Buttons, fields, or labels that a user should not be able to see are never sent to the browser. The client-side portions simply update the existing SailPoint user interfaces.
Action buttons (aka Fancy Buttons)
The Fancy Buttons feature adds custom action buttons to each page in the Identity Warehouse and LCM View Identity pages.
Buttons can be configured to execute virtually any action, including actions usually performed via QuickLink, custom REST API endpoints, and Beanshell scripts. The Plugin also includes a number of out-of-box default buttons, shown in the screenshot. These are common actions useful to administrators and developers, especially in non-Production systems.
- Full Refresh / Role Refresh / Process Events: Executes an individual Identity Cube Refresh against only the current Identity with different flags set, depending on the button used.
- Aggregate: Performs a single-account aggregation (getObject) on each of the accounts correlated with the current Identity.
- Enable/Disable: Enables or Disables the current Identity.
- Admin Notes: Allows administrators to add permanent admin-only text notes to any Identity. For example, this could be used to describe historical problems with a particular Identity’s accounts for future reference.
- Add Role/Account/Entitlement: Allows administrators to provision various items to the current user.
Buttons (including the defaults) can be shown or hidden individually, depending on the rights, capabilities, workgroups, or other properties of the logged in IIQ user or the identity being viewed. Button security is always double-checked before allowing the action to proceed, preventing users from simulating a button action via the browser’s developer console.
Buttons can display “Are you sure?” messages when clicked. Buttons can also prompt for justification or other custom form fields, which will be provided to a Beanshell script (if that is the action your Button uses).
Certain provided buttons have custom functions, such as the Open Items and Add Entitlement views.
Advanced and Dynamic Identity Fields
The Identity attributes displayed in the screenshot above are all dynamically generated and displayed by the Plugin.
The only attribute shown that SailPoint is rendering in the usual way is User Name, as illustrated in the screenshot below.
The Plugin can show its dynamic fields on both the Identity Warehouse and LCM View Identity pages.
The plugin implements field-level security. Fields may be shown or hidden individually, depending on the rights, capabilities, workgroups, or other properties of the logged in IIQ user or the identity being viewed. For example, a university may not want student Help Desk workers being able to view certain PII fields, while administrators may need to be able to view them. The PII fields could be hidden by excluding a workgroup or capability assigned to students or using a filter matching student identities. This is not a function available in SailPoint IIQ out-of-box.
Attribute values may reflect an underlying Identity attribute or may be dynamically calculated (as in the “Descriptions” field in the screenshot”) using a Beanshell script. Fields may be arbitrarily colored using CSS styles and classes. Fields can be grouped into sections, such as the “Demographic Data” section in the screenshot.
Fields can be asynchronous, meaning that the page will load while the field value is calculated in the background. For example, some Identity Works customers use this to pull a live status from a connector. (“Did this user recently change their password?”)
Fields may also have custom help text, displayed when the user hovers over the [?] icon.
The Plugin can add labels to the View Identity or Identity Warehouse pages for an individual user. These colored tags can quickly communicate vital information to those viewing the Identity.
Default labels include a status indicator (which can be customized using a Beanshell script) and a warning flag indicating that a refresh workflow is in progress for this user. You may add as many custom labels as you wish, as shown in the example below.
The Plugin adds recently viewed Identities to the “Identities” dropdown menu, as well as breadcrumbs on the Identity Warehouse page.
For administrators, the Plugin adds a Toolbox button in the upper right of the user interface.
Click the button to open a panel with a number of useful administrator features. Our intention is to continue adding items to the Toolbox panel as we find them useful.
For administrators, the Plugin adds a pop-up XML Viewer, triggered by a keypress, to identity, application, role, task result, and other pages. This prevents you from having to go into the Debug page to locate the XML for your object.
The Plugin adds many other minor enhancements to other parts of the user interface.
How to get the plugin
Please contact IdentityWorksLLC using our Contact form if you are interested in this plugin or any of our other SailPoint IIQ work!