Not just checking access — controlling it.
Zero Trust governs how access is granted, reviewed, and removed.
Every action permanently audit-logged.
Entitlement provisioning
Formal process for granting access, with full audit trail.
Certification campaigns
Periodic reviews where managers confirm each team member's access is still appropriate.
Access requests
Employees request new access with business justification; managers approve or deny.
Segregation of duties (SoD)
Prevents dangerous combinations — no one can both trade and approve trades.
Audit logging
Every governance action permanently recorded — immutable evidence trail.
Governance algorithms
BeforeProvisioningRule pre-checks SoD before any grant. Certification scope: all / high-risk / node / department. Access requests follow a formal state machine: Pending → Approved / Denied.
SailPoint data models in production use
Every employee is represented as a real SailPoint SDK object — the same objects that drive IdentityNow and IdentityIQ in production.
The person and their attributes — name, role, department, clearance, hire date.
Link between identity and downstream system — connects the person to their applications.
Permission with risk level and requestability flag — the atom of access control.
Bundle of entitlements with assignment rules — groups related permissions for easier management.
Conflict-detection rule — prevents dangerous combinations of permissions across roles.
Four governance workflows
| Workflow | Implementation |
|---|---|
| Provision entitlement | BeforeProvisioningRule checks SoD conflicts first |
| Run certification campaign | Scope by all / high-risk / node / department, reviewed by manager |
| Submit access request | Pending → Approved / Denied state transitions |
| Revoke entitlement | Full audit event logged — grant and revocation both permanent |
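The four workflows in the table and the "governance algorithms" paragraph above describe one small engine: a pre-provisioning SoD check, a Pending → Approved / Denied request state machine, a scoped certification list, and an audit trail that records grants and revocations alike. The following is an added illustration of that engine in plain Python; it is not the page's code and uses none of the SailPoint SDK. `Entitlement`, `Identity`, `SodPolicy`, `Governance` and `AuditLog` are hypothetical stand-ins for the corresponding data models, and the trading-desk sample data in `demo()` is constructed for the example. The audit log is hash-chained so that editing or deleting an earlier record is detectable, which is one concrete way to make an "immutable evidence trail" checkable rather than merely asserted.

```python
from dataclasses import dataclass, field
import hashlib, json

@dataclass(frozen=True)
class Entitlement:            # hypothetical stand-in: permission with risk level and requestability flag
    name: str
    risk: str                 # "low" or "high"
    requestable: bool = True

@dataclass
class Identity:               # hypothetical stand-in: the person, their department, manager, held access
    name: str
    department: str
    manager: str
    entitlements: set = field(default_factory=set)

@dataclass(frozen=True)
class SodPolicy:              # two entitlements no single identity may hold together
    left: str
    right: str

class AuditLog:
    """Append-only log; each record carries the SHA-256 of the previous one, so verify()
    fails if any record is later altered or removed."""
    def __init__(self):
        self.records = []

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action, **fields):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"seq": len(self.records), "action": action, "prev": prev, **fields}
        body["hash"] = self._digest({k: v for k, v in body.items() if k != "hash"})
        self.records.append(body)

    def verify(self):
        prev = "0" * 64
        for r in self.records:
            if r["prev"] != prev or r["hash"] != self._digest({k: v for k, v in r.items() if k != "hash"}):
                return False
            prev = r["hash"]
        return True

class Governance:
    def __init__(self, catalog, policies):
        self.catalog = {e.name: e for e in catalog}
        self.policies, self.audit, self.requests = policies, AuditLog(), {}

    def sod_conflict(self, identity, ent_name):
        """Pre-provisioning check: would adding ent_name create a toxic combination?"""
        held = identity.entitlements | {ent_name}
        return next((p for p in self.policies if p.left in held and p.right in held), None)

    def provision(self, identity, ent_name, actor):
        conflict = self.sod_conflict(identity, ent_name)     # runs before any grant
        if conflict:
            self.audit.record("provision_denied", actor=actor, identity=identity.name,
                              entitlement=ent_name, reason=f"SoD {conflict.left}|{conflict.right}")
            return False
        identity.entitlements.add(ent_name)
        self.audit.record("provisioned", actor=actor, identity=identity.name, entitlement=ent_name)
        return True

    def revoke(self, identity, ent_name, actor):
        if ent_name not in identity.entitlements:
            return False
        identity.entitlements.discard(ent_name)              # revocation is logged just like a grant
        self.audit.record("revoked", actor=actor, identity=identity.name, entitlement=ent_name)
        return True

    def submit_request(self, identity, ent_name, justification):
        """Creates a Pending request; entitlements flagged non-requestable are refused outright."""
        if not self.catalog[ent_name].requestable:
            raise ValueError(f"{ent_name} is not requestable")
        rid = f"REQ-{len(self.requests) + 1}"
        self.requests[rid] = {"identity": identity, "entitlement": ent_name, "state": "Pending"}
        self.audit.record("request_submitted", request=rid, identity=identity.name,
                          entitlement=ent_name, justification=justification)
        return rid

    def decide_request(self, rid, approver, approve):
        """Pending -> Approved / Denied. Only the requester's manager may decide, and an
        approval still passes through the SoD check, which can turn it into a denial."""
        req = self.requests[rid]
        if req["state"] != "Pending":
            raise ValueError(f"{rid} is already {req['state']}")
        if approver != req["identity"].manager:
            raise PermissionError(f"{approver} is not the manager of {req['identity'].name}")
        granted = approve and self.provision(req["identity"], req["entitlement"], approver)
        req["state"] = "Approved" if granted else "Denied"
        self.audit.record("request_decided", request=rid, approver=approver, state=req["state"])
        return req["state"]

    def certification_items(self, identities, scope, value=None):
        """Review list (reviewer, identity, entitlement) for a campaign. scope is 'all',
        'high-risk', 'department' (value = department) or 'node' (value = one identity name)."""
        items = []
        for ident in identities:
            if (scope == "department" and ident.department != value) or (scope == "node" and ident.name != value):
                continue
            for e in sorted(ident.entitlements):
                if scope == "high-risk" and self.catalog[e].risk != "high":
                    continue
                items.append((ident.manager, ident.name, e))
        return items

def demo():
    """Constructed sample: a trading desk where trade and approve_trades must never meet."""
    catalog = [Entitlement("trade", "high"), Entitlement("approve_trades", "high"),
               Entitlement("view_reports", "low"), Entitlement("prod_db_admin", "high", requestable=False)]
    gov = Governance(catalog, [SodPolicy("trade", "approve_trades")])
    alice = Identity("alice", "trading", manager="bob")
    gov.provision(alice, "trade", actor="onboarding")
    gov.provision(alice, "view_reports", actor="onboarding")
    rid = gov.submit_request(alice, "approve_trades", "covering for the desk head")
    state = gov.decide_request(rid, approver="bob", approve=True)   # manager approves, SoD denies
    items = gov.certification_items([alice], "high-risk")            # campaign shows only 'trade'
    gov.revoke(alice, "view_reports", actor="bob")
    return gov, alice, state, items

if __name__ == "__main__":
    gov, alice, state, items = demo()
    print(state, sorted(alice.entitlements), items, gov.audit.verify())
```

The manager's approval in `demo()` ends as `Denied` because the grant itself is what the SoD pre-check guards, not the request form; a reviewer who only watched the approval step would miss that, which is why the denial is written to the audit log with its reason.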