
SailPoint-IGA

  • Writer: Anand Nerurkar
  • Sep 22, 2025
  • 3 min read

Step-by-Step SailPoint Identity Governance Workflow (detailed)

SailPoint product options: SailPoint IdentityNow (cloud SaaS) or SailPoint IdentityIQ (on-prem/managed). Either provides the same core capabilities; ABC Bank may use IdentityNow for a cloud-first deployment or IdentityIQ where on-prem regulatory constraints apply. I’ll describe a generic sequence that applies to both; note that product UI names differ slightly (IdentityNow uses “Access Request Portal”, IdentityIQ uses “Identity Portal / Access Request”).

A. Typical SailPoint Capabilities used

  • Identity Repo: central source of truth for identities and entitlements (synced to Azure AD / HR systems).

  • Access Request Portal: user-facing portal where staff request entitlements/roles.

  • Provisioning Connectors: SCIM / LDAP / AD / Azure AD / custom APIs to provision/un-provision.

  • Access Certifications: periodic recertification campaigns for managers to attest.

  • Policy Engine: SoD and risk policy enforcement.

  • Password / Credential Manager: integration for privileged credentials and vaulting.

  • Lifecycle & Onboarding: joiner/mover/leaver automation.


B. SailPoint Flow — Step by step (how an employee/operator gets access to a service)

  1. Identity Sync & Role Mapping

    • HR system + Azure AD sync to SailPoint Identity Store.

    • Roles & entitlements (e.g., LoanOfficer, OpsCompliance, KafkaProducer) mapped with business owners.

  2. Access Request

    • Employee logs into SailPoint Access Request Portal (IdentityNow or IdentityIQ).

    • Searches catalog and requests entitlement (e.g., LoanDecisionOverride or KafkaTopicProducer:loan-initiated).

    • Request includes justification; a temporary access window can be requested for JIT access.

  3. Approval Workflow

    • Request routed to approver(s): direct manager and data owner (policy enforced).

    • SoD checks executed in real time: if conflict (e.g., request would give ability to both create and approve loans), request blocked or routed to special approval.

  4. Provisioning

    • On approval, SailPoint issues a provisioning call to the target system (Azure AD / Postgres role / Kubernetes RBAC or connector) via SCIM/API.

    • Provisioned identity/entitlement created; audit record stored.

  5. Certification

    • Periodic campaign: managers review entitlements. Approve / revoke; SailPoint enforces changes.

  6. Privileged Access / Emergency

    • For privileged actions, employee requests temporary elevated access (just-in-time).

    • PAM integration (CyberArk/others) issues a temporary credential; all session activity is logged.

  7. Deprovision / Leaver

    • On offboarding, SailPoint triggers deprovision flows to remove entitlements, terminate sessions and revoke tokens.

  8. Auditing & Reporting

    • All actions recorded. Compliance reports generated for auditors and regulators.
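A minimal model of steps 2, 3, 4, 7 and 8 above, written as an added example rather than SailPoint's own code: the SoD check runs before any approval routing (the page's create-vs-approve loan conflict), JIT grants carry an expiry that step 5/6 style checks honour, and every decision lands in an audit record. The conflict table and the "LoanCreate" entitlement name are assumptions; the other entitlement names are the page's.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed SoD policy: pairs of entitlements one identity must never hold at
# the same time. The page's example is the ability to both create and approve
# (override) loan decisions; "LoanCreate" is an assumed entitlement name.
SOD_CONFLICTS = {frozenset({"LoanCreate", "LoanDecisionOverride"})}

AUDIT = []  # every decision is appended here (step 8: auditing & reporting)

@dataclass
class Grant:
    entitlement: str
    expires: Optional[datetime] = None  # None = standing access, else JIT window

@dataclass
class Identity:
    name: str
    grants: list = field(default_factory=list)

    def active(self, now: datetime) -> set:
        """Entitlements still in force at 'now' (expired JIT grants drop out)."""
        return {g.entitlement for g in self.grants
                if g.expires is None or g.expires > now}

def request_access(identity: Identity, entitlement: str, justification: str,
                   now: datetime, jit_hours: Optional[int] = None) -> str:
    """Steps 2-4: real-time SoD check, then provision (optionally time-boxed)."""
    held = identity.active(now)
    for pair in SOD_CONFLICTS:
        # conflict if this request would complete a forbidden pair with what is held
        if entitlement in pair and (pair - {entitlement}) <= held:
            AUDIT.append({"who": identity.name, "what": entitlement,
                          "result": "BLOCKED_SOD", "conflict": sorted(pair)})
            return "BLOCKED_SOD"
    expires = now + timedelta(hours=jit_hours) if jit_hours else None
    identity.grants.append(Grant(entitlement, expires))
    AUDIT.append({"who": identity.name, "what": entitlement, "why": justification,
                  "result": "PROVISIONED", "until": expires})
    return "PROVISIONED"

def deprovision(identity: Identity, now: datetime) -> list:
    """Step 7 (leaver): strip every entitlement and record what was removed."""
    removed = sorted(identity.active(now))
    identity.grants.clear()
    AUDIT.append({"who": identity.name, "result": "DEPROVISIONED", "removed": removed})
    return removed
```

A real deployment would also re-run the SoD check during certification (step 5), since conflicts can arise from role changes as well as from new requests.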

Portal specifics

  • IdentityNow: cloud portal (Access Request Portal) for employees; modern UI and out-of-box connectors for Azure AD, which work well for cloud deployments.

  • IdentityIQ: on-prem/managed; richer customization for complex enterprise workflows and integrations with legacy systems.

How SailPoint integrates in the lending flow

  • SailPoint provisions service identities used by microservices (service principals) and human roles (Underwriter, Compliance Officer).

  • It controls who can approve manual loan reviews, create or publish Kafka topics, access production ML model registry, view PII, and submit regulatory reports.

  • SailPoint also manages privileged credentials for the Compliance Officer who uploads reports to the RBI portal; those credentials are retrieved via a vault and the sessions are recorded.

Summary (one-paragraph)

This regenerated flow is a production-grade, event-driven lending architecture: Amit R authenticates via Azure AD; the loan application is persisted and emitted as a Kafka event (secure mTLS + topic ACLs); parallel adapters call Fenergo/CIBIL/Experian/Actimize; vendor results update the Feature Store; a single internal ML endpoint receives {customerId, extCredit, extFraud}, fetches features from the Feature Store and returns PD & fraud scores; LOS combines the ML outputs with LTV/EMI/regulatory rules to decide; on approval the loan agreement is eSigned and a TCS BaNCS account is created; disbursement is orchestrated as a Saga; compliance reporting is orchestrated (SFTP → Actimize → CTR/STR/NTR/CBWR → RBI/FIU submission) with audit and ACK capture. Every hop is secured: TLS/mTLS, JWT + refresh, SailPoint governance, Private Links, Kafka ACLs, WAF/DDoS, SFTP via SSH keys + signed files, TDE at rest, SIEM logging and immutable audits.
