
SailPoint IdentityIQ

SailPoint IdentityIQ delivers full lifecycle and compliance management for comprehensive identity security. IdentityIQ is an on-premises product, used by large and small organizations.

BeyondTrust Privileged Remote Access provides identity-secure, just-in-time access to all enterprise environments including cloud, on-premises, and OT.

Many organizations are looking for an integration between SailPoint IdentityIQ and Privileged Remote Access. This guide provides a connector, based on the Web Services Connector in IdentityIQ, and includes step-by-step instructions for importing the connector and its associated rules and for configuring them.

Supported use cases

  • Accounts Aggregation with Pagination support
  • Groups Aggregation for Group Policies
  • Create Account
  • Add/Remove Group Policy for Accounts
  • Enable/Disable Account
  • Change Password
  • Update Account
  • Delete Account

Requirements

  • IdentityIQ 8.1+, patched
  • BeyondTrust Privileged Remote Access 23.1+

Create API account

In BeyondTrust Privileged Remote Access, navigate to Management > API Configuration, and add an API account:

  • For the Configuration API, check Allow Access.
  • Copy the OAuth Client ID and OAuth Client Secret, as these are needed later.

Import the Rules and the BTSRA Connector

  1. Download the zip archive from the SailPoint Developer Community: https://developer.sailpoint.com/discuss/t/identityiq-connector-for-beyondtrust-privileged-remote-access-remote-support/74886
  2. The zip archive includes two rules and the application (connector) definition.
  3. Edit the application XML file and replace the application name with the name you want to use. This must be done before importing the application XML.
  4. In SailPoint, go to Global Settings, then select Import from File. Import the two rules and the application.

Configure SailPoint

  1. Go to Applications, Application Definition.
  2. Under Configuration, Settings, replace the example Base URL and Token URL with the correct values for your BeyondTrust instance.
  3. Enter the Client Id and Client Secret for the API account.
  4. Under Correlation, assign a correlation rule, so accounts can be correlated to identities within IdentityIQ.
  5. Before you can save your changes, an owner must be assigned on the Details page.
  6. Now you should be able to successfully test the connection for the application.

Aggregate accounts and groups

  1. Go to Setup, then Tasks.
  2. Create an aggregation task for accounts and one for groups.
  3. Execute both tasks.
  4. You can now view the accounts with one or multiple group policies.
  5. Under Applications > Entitlement Catalog, you can view the group policies.
  6. For each group policy, you can view the members.

Advanced configuration

The Application Configuration includes pairs of HTTP operations for account aggregation and for adding/removing entitlements:

  • Account Aggregation – 1: includes support for pagination.
  • Account Aggregation – 2: used to resolve the multi-valued groups account attribute. Accounts can have multiple group policies assigned. A BeanShell rule, imported previously, is used to properly update the multi-valued groups attribute.
  • Remove Entitlement – 1: includes the other BeanShell rule, which resolves the unique membership ID for each account-to-group-policy assignment. The membership ID is required by the Remove Entitlement – 2 endpoint.
  • Remove Entitlement – 2: sets the nativeIdentity header value. This header is not used by the BeyondTrust API; it is used to extract the account ID within the BeanShell After Rule.
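The following is an added illustration of the control flow those four operations implement: walk a paginated account listing, attach the multi-valued groups attribute from a second lookup, then resolve the unique membership ID for one account/group policy pair (reading the account ID from the nativeIdentity header) before deleting it. It is written in Python against an in-memory stand-in for the Privileged Remote Access API, so it is not the connector's own BeanShell rules; the resource names (list_users, list_memberships, delete_membership), field names (id, username, group_policy_id) and the has_more paging flag are assumptions, and the sample users, policies and memberships are constructed.

```python
"""Connector-style aggregation and entitlement removal over a paged API.

Constructed example. FakePraApi stands in for the Privileged Remote Access
Configuration API; its method and field names are assumptions, not
documented endpoints.
"""
from typing import Dict, List, Optional

# Constructed sample data. Each membership row has its own id, which is the
# value the Remove Entitlement call needs (not the user id or the policy id).
USERS = [
    {"id": 101, "username": "alice"},
    {"id": 102, "username": "bob"},
    {"id": 103, "username": "carol"},
]
MEMBERSHIPS = [
    {"id": 9001, "user_id": 101, "group_policy_id": 1},
    {"id": 9002, "user_id": 101, "group_policy_id": 2},
    {"id": 9003, "user_id": 102, "group_policy_id": 1},
]


class FakePraApi:
    """Minimal in-memory stand-in for the REST API (assumed shape)."""

    def __init__(self, users: List[dict], memberships: List[dict], page_size: int = 2):
        self.users = list(users)
        self.memberships = list(memberships)
        self.page_size = page_size

    def list_users(self, page: int) -> dict:
        """One page of users plus a flag telling the caller whether to continue."""
        start = (page - 1) * self.page_size
        chunk = self.users[start:start + self.page_size]
        return {"data": chunk, "has_more": start + self.page_size < len(self.users)}

    def list_memberships(self, user_id: int) -> List[dict]:
        return [m for m in self.memberships if m["user_id"] == user_id]

    def delete_membership(self, membership_id: int) -> bool:
        before = len(self.memberships)
        self.memberships = [m for m in self.memberships if m["id"] != membership_id]
        return len(self.memberships) == before - 1


def aggregate_accounts(api: FakePraApi) -> List[dict]:
    """Account Aggregation 1 + 2: page through every user, then attach the
    multi-valued 'groups' attribute (group policy ids) to each account."""
    accounts: List[dict] = []
    page = 1
    while True:
        resp = api.list_users(page)
        for user in resp["data"]:
            memberships = api.list_memberships(user["id"])
            accounts.append({
                "nativeIdentity": str(user["id"]),
                "username": user["username"],
                # Multi-valued attribute: one entry per assigned group policy.
                "groups": sorted(str(m["group_policy_id"]) for m in memberships),
            })
        if not resp["has_more"]:
            break
        page += 1
    return accounts


def resolve_membership_id(api: FakePraApi, headers: Dict[str, str], group_policy_id: int) -> Optional[int]:
    """Remove Entitlement 1: the account id travels in the nativeIdentity header
    (consumed by the after-rule, not by the API). Return the unique membership
    id for this account/group policy pair, or None if no such assignment exists."""
    account_id = int(headers["nativeIdentity"])
    for m in api.list_memberships(account_id):
        if m["group_policy_id"] == group_policy_id:
            return m["id"]
    return None


def remove_entitlement(api: FakePraApi, native_identity: str, group_policy_id: int) -> bool:
    """Remove Entitlement 1 + 2 together: resolve the membership id, then delete it.
    Returns False when the account does not hold the policy, so a no-op is visible."""
    headers = {"nativeIdentity": native_identity}
    membership_id = resolve_membership_id(api, headers, group_policy_id)
    if membership_id is None:
        return False
    return api.delete_membership(membership_id)


if __name__ == "__main__":
    api = FakePraApi(USERS, MEMBERSHIPS, page_size=2)
    for account in aggregate_accounts(api):
        print(account)
    print("removed:", remove_entitlement(api, "101", 2))
```

The point of the separate resolve step is that the API identifies an assignment by its own membership ID, not by the account or policy ID the provisioning plan carries; a connector that skipped the lookup would have nothing valid to delete, which is why the page describes the header-and-after-rule pairing.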

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.