General IGA setup
The foundational process for onboarding and managing identities in Identity Governance involves several key steps, starting with initial configuration and progressing through the onboarding of various application types and the setup of access management features. It’s important to note that while there’s a general flow, not all steps are strictly sequential as governance priorities can vary for different customers.
Here’s a breakdown of the foundational process:
- Configure Identity Schema: Your first step is to configure the identity schema. The identity schema is the blueprint for every user profile in Identity Governance, defining all the attributes that describe a user (such as name, email, department, and employee ID). This central profile acts as the foundation for all governance activities.
  To protect sensitive user data and comply with privacy regulations, store only essential business attributes in Advanced Identity Cloud. This practice helps you avoid regulatory conflicts like the General Data Protection Regulation (GDPR), which governs data privacy for individuals in the European Union (EU), and prevents the mishandling of Personally Identifiable Information (PII), any data that can be used to identify a specific person.
  Before you onboard any applications, you must decide if the default Advanced Identity Cloud schema meets your needs or if you need to extend it.
  Your company often has attributes that the default Advanced Identity Cloud schema has no field to store. You can add custom attributes to extend the schema.
  Learn more in Customize user identities using custom attributes.
  You can also customize the general purpose extension attributes in the schema. Learn more in Customize user identities using general purpose extension attributes.
- Onboard Authoritative Applications: Your next step is to onboard an authoritative application, which acts as the primary source of truth for your organization’s identity data. Common examples include HR systems like Workday or ADP. You onboard these applications to populate IGA with user identities and keep them updated.
  To begin, you select the application from the catalog, assign an owner, and provide the necessary configuration details to connect to it.
  For additional information, learn more in Choose an application to connect.
  During this process, you map the attributes from the application (like name and department) to the corresponding fields in the user’s IGA profile. You also define correlation rules that tell IGA how to match incoming data to the correct user accounts. Data flows one way: from the authoritative application into Advanced Identity Cloud and out to one or more target applications.
  Learn more in Correlate source objects with existing target objects.
  For advanced automation, you can configure event hooks. Event hooks are webhooks that trigger custom business logic in your external systems whenever a specific event occurs in IGA, such as creating a user. This allows you to integrate IGA with other tools and automate processes unique to your organization.
  Learn more in Event hooks.
  After you complete the configuration, you run a reconciliation process. Reconciliation compares the data in the authoritative application against the data in IGA and synchronizes any differences. This ensures your identity data in IGA remains a complete and accurate mirror of your source system.
  For more background information, learn more in Synchronization types.
  For information on managing reconciliation, learn more in Manage reconciliation.
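The mapping, correlation and reconciliation steps above, as an added example in Python. This is not Advanced Identity Cloud's own code or API: the HR records, the identity store, the attribute names (employeeId, givenName, sn, mail, department, accountStatus) and the correlation rules are all constructed to illustrate the flow. It also shows the data-minimization point from the schema step: the HR feed carries a home address that is never mapped into the identity store.

```python
"""Added example (not Advanced Identity Cloud's own code): attribute mapping,
correlation rules and a reconciliation pass from an authoritative HR feed into
a governance identity store. All records and field names are constructed."""
import copy

# Constructed HR feed, the authoritative source. It carries more than governance
# needs (home_address); only mapped business attributes reach the identity store.
HR_RECORDS = [
    {"emp_id": "E100", "first": "Ada", "last": "Lovelace", "mail": "ada@example.com",
     "dept": "Engineering", "status": "active", "home_address": "1 Example St"},
    {"emp_id": "E101", "first": "Alan", "last": "Turing", "mail": "alan@example.com",
     "dept": "Research", "status": "active", "home_address": "2 Example St"},
    {"emp_id": "E102", "first": "Grace", "last": "Hopper", "mail": "grace@example.com",
     "dept": "Engineering", "status": "terminated", "home_address": "3 Example St"},
]

# Constructed identity store as it looked before this run (keyed by IGA user id).
IDENTITIES = {
    "user-1": {"employeeId": "E100", "givenName": "Ada", "sn": "Lovelace",
               "mail": "ada@example.com", "department": "Product", "accountStatus": "active"},
    "user-2": {"givenName": "Alan", "sn": "Turing", "mail": "alan@example.com",
               "department": "Research", "accountStatus": "active"},  # no employeeId yet
    "user-3": {"employeeId": "E102", "givenName": "Grace", "sn": "Hopper",
               "mail": "grace@example.com", "department": "Engineering", "accountStatus": "active"},
    "user-4": {"employeeId": "E999", "givenName": "Nobody", "sn": "Known",
               "mail": "nobody@example.com", "department": "Sales", "accountStatus": "active"},
}

# Attribute mapping: HR field -> IGA profile attribute (hypothetical attribute names).
ATTRIBUTE_MAP = {"emp_id": "employeeId", "first": "givenName", "last": "sn",
                 "mail": "mail", "dept": "department"}

# Correlation rules, tried in order: a stable identifier first, mail as fallback.
CORRELATION_RULES = [("employeeId",), ("mail",)]


def map_attributes(record):
    """Project an HR record onto the IGA schema; unmapped fields are dropped."""
    return {iga: record[src] for src, iga in ATTRIBUTE_MAP.items() if src in record}


def correlate(mapped, identities):
    """Return the IGA user id satisfying the first matching rule, or None."""
    for rule in CORRELATION_RULES:
        for uid, ident in identities.items():
            if all(mapped.get(attr) is not None and ident.get(attr) == mapped.get(attr)
                   for attr in rule):
                return uid
    return None


def reconcile(source_records, identities):
    """Compare the source against IGA, mutate identities to mirror it, return actions."""
    actions, matched = [], set()
    for rec in source_records:
        mapped = map_attributes(rec)
        uid = correlate(mapped, identities)
        if uid is None:
            if rec["status"] != "active":
                continue  # a leaver who was never onboarded: nothing to create
            uid = f"user-{len(identities) + 1}"
            identities[uid] = {**mapped, "accountStatus": "active"}
            actions.append(("create", uid))
        elif rec["status"] != "active":
            if identities[uid]["accountStatus"] == "active":
                identities[uid]["accountStatus"] = "inactive"
                actions.append(("deactivate", uid))
        else:
            changes = {k: v for k, v in mapped.items() if identities[uid].get(k) != v}
            if changes:
                identities[uid].update(changes)
                actions.append(("update", uid, changes))
        matched.add(uid)
    # Active identities the authoritative feed no longer knows: flag for review
    # instead of deleting, since the right policy (unlink, deactivate, delete) varies.
    for uid, ident in identities.items():
        if uid not in matched and ident["accountStatus"] == "active":
            actions.append(("flag-missing", uid))
    return actions


def run_reconciliation():
    """Run one pass over copies of the constructed data; returns (actions, identities)."""
    identities = copy.deepcopy(IDENTITIES)
    return reconcile(HR_RECORDS, identities), identities


if __name__ == "__main__":
    for action in run_reconciliation()[0]:
        print(action)
```

The run updates Ada's department, correlates Alan by mail (the fallback rule) and fills in his missing employee ID, deactivates Grace because HR marks her terminated, and flags user-4 because no authoritative record matches it. The last case is deliberately a flag rather than a deletion: an identity missing from the source is the situation most likely to need a human decision.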
- Advanced Sync (Optional but common): You can use the advanced sync feature to write specific user data from IGA back to your authoritative source, such as an HR system. While an authoritative source provides most of your identity data, you might manage certain attributes, like a user’s email address, directly within IGA. Advanced sync allows you to push these specific attributes back to the source system, which keeps all your data consistent and synchronized. For example, you can generate a user’s email address in IGA and use advanced sync to write it back to their profile in the HR system.
  For additional information, learn more in Manage advanced sync.
- Onboard Target Applications: After you set up your authoritative source, you onboard target applications. These are the downstream systems where your users need accounts to do their work, such as Salesforce, Office 365, or ServiceNow. You onboard these applications so IGA can automate the full lifecycle of user accounts within them, from creation and updates to deactivation when a user leaves.
  Learn more in Provision an application.
  As you onboard a target application, IGA discovers and imports its entitlements: the specific permissions, licenses, or group memberships available within that application. This discovery process populates your access catalog with a detailed inventory of all available access rights, which you then use to build roles, process access requests, and conduct certification campaigns.
  Learn more in Manage application attributes.
- Define Roles: After you onboard target applications and their entitlements, you can define roles to simplify access management. Roles bundle entitlements from one or more applications into a single, manageable unit that you can assign to users. You can create different types of roles, including birthright roles, which grant the foundational access and permissions automatically to users based on their identity attributes.
  Learn more in Roles and assignments.
- Access Request Process and Catalog: After you configure roles, define your access request process and set up your access catalog. An access request is the formal process a user follows to ask for permissions that aren’t automatically assigned to them through birthright roles.
  For example, a user might need temporary access to a specific project folder or a special license for a design tool. The user finds the item they need in a self-service access catalog and submits a request. This request can trigger an approval workflow, where a manager or application owner must approve it before the system automatically grants the access. This process gives you control and visibility over ad-hoc access grants while empowering users to get the tools they need.
  Learn more in Access requests overview.
- Configure Optional Workflows: A workflow is a sequence of automated actions you design to handle specific business processes. While IGA handles many standard procedures out-of-the-box, you use workflows to enforce your organization’s unique operational and security policies.
  Workflows give you the flexibility to automate almost any multi-step process, such as sending custom notifications, opening a support ticket if a task fails, or adding a delay before deactivating an account. By configuring workflows, you ensure that even your most complex identity processes run consistently and automatically. For example, you can build a workflow that routes a request for a high-risk application to multiple people for approval—first the user’s manager, then the application owner.
  Learn more in Manage workflows.
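The access request and workflow steps above, as an added example in Python: a sequential approval chain that routes a low-risk catalog item to the requester's manager only and a high-risk item to the manager and then the application owner. This is not Advanced Identity Cloud's workflow engine; the catalog entries, reporting lines and risk labels are constructed, and the out-of-turn and self-approval checks are the kind of control a practitioner would expect such a workflow to enforce.

```python
"""Added example (not Advanced Identity Cloud's own workflow engine): a sequential
approval workflow for access requests that routes high-risk items to the
requester's manager and then the application owner. All names are constructed."""
from dataclasses import dataclass, field

# Constructed catalog items with their risk level and owning identity.
CATALOG = {
    "crm:sales-reader": {"risk": "low", "owner": "crm-owner"},
    "payroll:admin": {"risk": "high", "owner": "payroll-owner"},
}
# Constructed reporting lines: requester -> manager.
MANAGERS = {"ada": "bob", "alan": "bob"}


@dataclass
class AccessRequest:
    requester: str
    item: str                      # catalog key the user picked in self-service
    justification: str
    approvals: list = field(default_factory=list)  # approvers who approved, in order
    state: str = "pending"         # pending -> approved | rejected


def approval_chain(request):
    """Low risk: manager only. High risk: manager, then application owner."""
    chain = [MANAGERS[request.requester]]
    if CATALOG[request.item]["risk"] == "high":
        chain.append(CATALOG[request.item]["owner"])
    return chain


def decide(request, approver, approve):
    """Apply one decision. Enforces the order of the chain and blocks self-approval."""
    if request.state != "pending":
        raise ValueError(f"request is already {request.state}")
    if approver == request.requester:
        raise PermissionError("a requester cannot approve their own request")
    chain = approval_chain(request)
    expected = chain[len(request.approvals)]
    if approver != expected:
        raise PermissionError(f"waiting on {expected}, not {approver}")
    if not approve:
        request.state = "rejected"
        return request.state
    request.approvals.append(approver)
    if len(request.approvals) == len(chain):
        request.state = "approved"  # provisioning of the item would be triggered here
    return request.state


def demo():
    """Walk a high-risk and a low-risk request through the chain; return the outcomes."""
    outcomes = []
    req = AccessRequest("ada", "payroll:admin", "quarter-end payroll close")
    outcomes.append(approval_chain(req))                 # ['bob', 'payroll-owner']
    try:
        decide(req, "payroll-owner", True)               # owner acting before the manager
    except PermissionError as exc:
        outcomes.append(str(exc))
    outcomes.append(decide(req, "bob", True))            # manager approved, still pending
    outcomes.append(decide(req, "payroll-owner", True))  # owner approved, now approved
    low = AccessRequest("alan", "crm:sales-reader", "new territory")
    outcomes.append(decide(low, "bob", False))           # manager rejects at the only step
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the chain is recomputed from the catalog's risk label on every decision, reclassifying an item as high risk immediately adds the owner step to new requests without touching the workflow code.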
- Glossary Configuration: After you onboard entitlements, you can configure the governance glossary. In IGA, the glossary is a feature you use to create and manage custom attributes (metadata) for applications, roles, and entitlements. You use these custom attributes to enrich your governance objects with business-specific context.
  Learn more in Manage governance glossary.
- Access Certification and Cleanup: After you configure the identity schema, onboard authoritative and target applications, and set up accounts and entitlements, you can perform access certifications and begin cleanup. The cleanup process gives business users visibility into "who has access to what" and allows them to remediate access, ensuring only the right people have the correct permissions.
  Learn more in Access certification overview.
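The roles step and the certification step above, as one added example in Python: roles bundle discovered entitlements, birthright roles are granted from identity attributes, and a certification pass answers "who has access to what" by labelling each entitlement an account actually holds with the role that justifies it, or flagging it for review. This is not Advanced Identity Cloud's own code; the users, roles, entitlement names and observed account data are constructed, and the "unexplained" and "orphan" labels are this example's own review categories.

```python
"""Added example (not Advanced Identity Cloud's own code): roles that bundle
discovered entitlements, birthright roles derived from identity attributes, and
a certification pass that explains each held entitlement or flags it for review.
Users, roles, entitlements and account data are constructed."""

# Entitlements discovered from target applications (constructed).
DISCOVERED = {"m365:e3-license", "github:org-member", "github:admin", "crm:sales-reader"}

# Roles bundle entitlements. "birthright" is the set of attribute values an active
# identity must have to receive the role automatically; None means request-only.
ROLES = {
    "all-staff":   {"entitlements": {"m365:e3-license"}, "birthright": {}},
    "engineering": {"entitlements": {"github:org-member"},
                    "birthright": {"department": "Engineering"}},
    "sales":       {"entitlements": {"crm:sales-reader"}, "birthright": None},
}

USERS = {
    "ada":   {"department": "Engineering", "accountStatus": "active"},
    "alan":  {"department": "Research", "accountStatus": "active"},
    "grace": {"department": "Engineering", "accountStatus": "inactive"},
}
# Roles granted through approved access requests (constructed).
ASSIGNED_ROLES = {"alan": {"sales"}}
# Access actually observed in the target applications (constructed).
ACCOUNTS = {
    "ada":   {"m365:e3-license", "github:org-member", "github:admin"},
    "alan":  {"m365:e3-license", "crm:sales-reader"},
    "grace": {"m365:e3-license", "github:org-member"},
}


def validate_roles():
    """Entitlements a role references that discovery never found (should be empty)."""
    referenced = set().union(*(r["entitlements"] for r in ROLES.values()))
    return referenced - DISCOVERED


def birthright_roles(user):
    """Roles an identity holds automatically; inactive identities hold none."""
    if user["accountStatus"] != "active":
        return set()
    return {name for name, role in ROLES.items()
            if role["birthright"] is not None
            and all(user.get(k) == v for k, v in role["birthright"].items())}


def explain_access(uid, user, held):
    """Map each held entitlement to the role justifying it, or a review label."""
    if user["accountStatus"] != "active":
        return {e: "orphan" for e in held}  # account still live for an inactive identity
    sources = {}
    for role in sorted(birthright_roles(user)):
        for ent in ROLES[role]["entitlements"]:
            sources.setdefault(ent, f"birthright:{role}")
    for role in sorted(ASSIGNED_ROLES.get(uid, set())):
        for ent in ROLES[role]["entitlements"]:
            sources.setdefault(ent, f"role:{role}")
    return {e: sources.get(e, "unexplained") for e in held}


def certify():
    """Return the review items: held access that no role explains, plus orphans."""
    findings = []
    for uid, user in USERS.items():
        explained = explain_access(uid, user, ACCOUNTS.get(uid, set()))
        for ent, source in sorted(explained.items()):
            if source in ("unexplained", "orphan"):
                findings.append((uid, ent, source))
    return findings


if __name__ == "__main__":
    for uid, user in USERS.items():
        print(uid, explain_access(uid, user, ACCOUNTS[uid]))
    print("review:", certify())
```

In the constructed data Ada's github:admin is held by no role and comes out as a review item, Alan's CRM access is explained by the requested sales role, and Grace's accounts are flagged as orphans because her identity is inactive: exactly the three lines a reviewer would act on in a cleanup campaign.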
- Configure Governance Lifecycle Management: Enable the Governance Lifecycle Management (Governance LCM) feature to empower non-technical business users to manage users and entitlements directly. This feature delegates specific administrative tasks to the non-technical people who know the business context best, through an intuitive UI.
  Learn more in Governance lifecycle management overview.
Although these steps outline a typical flow, you don’t need to perform them sequentially. The order can change depending on your governance priorities, such as whether you want to focus first on certifications, lifecycle management, or events.