August 19, 2020

IdentityWorks SailPoint IIQ UI Enhancer Plugin

The SailPoint IIQ user interface is far more user-friendly and reliable than the interface of competing identity managers. However, from time to time, it still runs into limitations. IdentityWorksLLC has created an IIQ plugin, the UI Enhancer, that adds many useful features and security enhancements to the existing user interface, filling in the gaps.

Contact IdentityWorksLLC if you are interested in this software!

Identity Page Enhancements

The screenshot below indicates several enhancements to the View Identity page, described in the sections below.

The Identity page enhancements are largely calculated server-side, for security purposes. Buttons, fields, or labels that a user should not be able to see are never sent to the browser. The client-side portions simply update the existing SailPoint user interfaces.

A screenshot showing some of the user page enhancing features

Action buttons (aka Fancy Buttons)

The Fancy Buttons feature adds custom action buttons to each page in the Identity Warehouse and LCM View Identity pages.

These are the default buttons included with the Plugin. Note that the IDW History Plugin is required to see the History Viewer button.

Buttons can be configured to execute virtually any action, including actions usually performed via QuickLink, custom REST API endpoints, and Beanshell scripts. The Plugin also includes a number of out-of-box default buttons, shown in the screenshot. These are common actions useful to administrators and developers, especially in non-Production systems.

  • Full Refresh / Role Refresh / Process Events: Executes an individual Identity Cube Refresh against only the current Identity with different flags set, depending on the button used.
  • Aggregate: Performs a single-account aggregation (getObject) on each of the accounts correlated with the current Identity.
  • Enable/Disable: Enables or Disables the current Identity.
  • Admin Notes: Allows administrators to add permanent admin-only text notes to any Identity. For example, this could be used to describe historical problems with a particular Identity’s accounts for future reference.
  • Add Role/Account/Entitlement: Allows administrators to provision various items to the current user.

Buttons (including the defaults) can be shown or hidden individually, depending on the rights, capabilities, workgroups, or other properties of the logged-in IIQ user or the identity being viewed. Button security is always double-checked before allowing the action to proceed, preventing users from simulating a button action via the browser’s developer console.

Buttons can display “Are you sure?” messages when clicked. Buttons can also prompt for justification or other custom form fields, which will be provided to a Beanshell script (if that is the action your Button uses).

The confirmation screen prompts the user to confirm that they actually want to perform the action.

Certain provided buttons have custom functions, such as the Open Items and Add Entitlement views.

This button can add an arbitrary entitlement to the currently viewed user, useful during development.
This button shows any pending workflows attached to this user, including refresh workflows that are blocking further refreshes of the user. You can delete or forward any work items from this view, or go to the specific page for the TaskResult or Work Item.

Advanced and Dynamic Identity Fields

The Identity attributes displayed in the screenshot above are all dynamically generated and displayed by the Plugin.

The only attribute shown that SailPoint is rendering in the usual way is User Name, as illustrated in the screenshot below.

This is the same Identity viewed with the Plugin disabled, showing that none of the Identity attributes are displayed.

The Plugin can show its dynamic fields on both the Identity Warehouse and LCM View Identity pages. 

The Plugin implements field-level security. Fields may be shown or hidden individually, depending on the rights, capabilities, workgroups, or other properties of the logged-in IIQ user or the identity being viewed. For example, a university may not want student Help Desk workers to be able to view certain PII fields, while administrators may need to be able to view them. The PII fields could be hidden by excluding a workgroup or capability assigned to students or using a filter matching student identities. This is not a function available in SailPoint IIQ out-of-box.
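The button and field security described above follows one pattern: a single server-side rule per item, evaluated when the page is built and again when an action is requested. The sketch below is an added illustration of that pattern, not the Plugin's code; it uses no SailPoint APIs, and every class, capability, and attribute name in it is constructed for the example.

```java
import java.util.*;
import java.util.function.BiPredicate;
public class UiPolicyExample {
    // Constructed stand-in for an identity; not a SailPoint class.
    static final class Person {
        final String name; final Set<String> capabilities; final Map<String, String> attributes;
        Person(String n, Set<String> c, Map<String, String> a) { name = n; capabilities = c; attributes = a; }
    }
    // One rule per button or field: (logged-in viewer, identity being viewed) -> allowed?
    static final BiPredicate<Person, Person> ADMIN_ONLY =
        (viewer, target) -> viewer.capabilities.contains("ExampleAdmin"); // constructed capability
    static final BiPredicate<Person, Person> ANYONE = (viewer, target) -> true;
    static final Map<String, BiPredicate<Person, Person>> BUTTONS = new LinkedHashMap<>();
    static final Map<String, BiPredicate<Person, Person>> FIELDS = new LinkedHashMap<>();
    static {
        BUTTONS.put("Full Refresh", ADMIN_ONLY);
        BUTTONS.put("Open Items", ANYONE);
        FIELDS.put("displayName", ANYONE);
        FIELDS.put("nationalId", ADMIN_ONLY); // hypothetical PII attribute
    }
    // Render time: only permitted button names are ever serialized to the browser.
    static List<String> visibleButtons(Person viewer, Person target) {
        List<String> out = new ArrayList<>();
        BUTTONS.forEach((name, rule) -> { if (rule.test(viewer, target)) out.add(name); });
        return out;
    }
    // Render time: hidden fields are dropped before the response is built.
    static Map<String, String> visibleFields(Person viewer, Person target) {
        Map<String, String> out = new LinkedHashMap<>();
        FIELDS.forEach((name, rule) -> {
            if (rule.test(viewer, target) && target.attributes.containsKey(name))
                out.put(name, target.attributes.get(name));
        });
        return out;
    }
    // Action time: the same rule runs again, and unregistered button names are denied.
    static String invoke(Person viewer, Person target, String button) {
        BiPredicate<Person, Person> rule = BUTTONS.get(button);
        if (rule == null || !rule.test(viewer, target))
            throw new SecurityException("denied: " + button + " for " + viewer.name);
        return button + " executed on " + target.name;
    }
    public static void main(String[] args) {
        Person helpDesk = new Person("student.helpdesk", Set.of("ExampleHelpDesk"), Map.of());
        Person viewed = new Person("jdoe", Set.of(),
            Map.of("displayName", "J. Doe", "nationalId", "constructed-value"));
        System.out.println(visibleButtons(helpDesk, viewed) + " " + visibleFields(helpDesk, viewed));
        try { invoke(helpDesk, viewed, "Full Refresh"); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because rendering and invocation share the same rule table, a button that was never sent to the browser also cannot be triggered by a request that names it directly.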

Attribute values may reflect an underlying Identity attribute or may be dynamically calculated (as in the “Descriptions” field in the screenshot) using a Beanshell script. Fields may be arbitrarily colored using CSS styles and classes. Fields can be grouped into sections, such as the “Demographic Data” section in the screenshot.

Fields can be asynchronous, meaning that the page will load while the field value is calculated in the background. For example, some Identity Works customers use this to pull a live status from a connector. (“Did this user recently change their password?”)

Fields may also have custom help text, displayed when the user hovers over the [?] icon.

The caption is displayed when the user hovers over the [?] icon next to the Descriptions field.

Labels

The Plugin can add labels to the View Identity or Identity Warehouse pages for an individual user. These colored tags can quickly communicate vital information to those viewing the Identity.

Labels showing that the user is Active and that she has pending refresh workflows blocking future refreshes.

Default labels include a status indicator (which can be customized using a Beanshell script) and a warning flag indicating that a refresh workflow is in progress for this user. You may add as many custom labels as you wish, as shown in the example below.

Recent Identities

The Plugin adds recently viewed Identities to the “Identities” dropdown menu, as well as breadcrumbs on the Identity Warehouse page.

The recently viewed user Irma Arrendell can be accessed quickly using the Recent section of the drop-down menu.
Breadcrumbs also show the most recently viewed users on the Identity Warehouse search page.

Toolbox

For administrators, the Plugin adds a Toolbox button in the upper right of the user interface.

Click the button to open a panel with a number of useful administrator features. Our intention is to continue adding items to the Toolbox panel as we find them useful.

This is the sliding menu produced by clicking the Toolbox button. It has two action buttons (which should be self-explanatory), as well as live views for recently executed Tasks and Provisioning Transactions. These views can be easily filtered.

XML Viewer

For administrators, the Plugin adds a pop-up XML Viewer, triggered by a keypress, to identity, application, role, task result, and other pages. This prevents you from having to go into the Debug page to locate the XML for your object.

This view was triggered by a keypress while viewing a particular identity. The underlined dates (such as 'created') will show a human-readable translation on hover.

Other enhancements

The Plugin adds many other minor enhancements to other parts of the user interface.

Administrators can retry failed provisioning transactions directly from the Admin Console.
Administrators can delete work items (and the associated workflows and requests) directly from the Work Items screen. We will also be adding a cancel button here.
Recently viewed Applications, Roles, and Task Results will be quickly accessible for admins from this menu.

How to get the plugin

Please contact IdentityWorksLLC using our Contact form if you are interested in this plugin or any of our other SailPoint IIQ work!