Business functional and non-functional requirements for SailPoint Identity Security Cloud (ISC) implementation


✅ Functional Requirements

These are the core business capabilities that SailPoint ISC must support.

1. Identity Lifecycle Management

  • Automate provisioning/deprovisioning for employees, contractors, and partners.
  • Support identity creation from authoritative sources such as Workday, Oracle DB, and flat files.
  • Update identities upon lifecycle events (hire, rehire, transfer, termination).

2. Access Request Management

  • Self-service access request portal.
  • Approval workflows based on roles, policies, or managers.
  • Delegation and multi-level approval support.

3. Access Certification

  • Periodic access review campaigns for users, roles, entitlements, applications.
  • Support for manager, application owner, or entitlement owner certification.
  • Ability to revoke access during certification.

4. Role Management

  • Define and manage business roles (job function-based).
  • Role mining and role modeling.
  • Role composition: entitlements, applications, conditions.

5. Policy Enforcement

  • Separation of Duties (SoD) policy enforcement during provisioning or access requests.
  • Identity uniqueness and birthright access policies.

6. Access Intelligence & Reporting

  • Predefined and custom reports on identity, access, certifications.
  • Audit logs for compliance.
  • Access anomaly detection.

7. Application Integration

  • Connect to enterprise apps like AD, Azure AD, Salesforce, ServiceNow, Okta, etc.
  • Support for provisioning, aggregation, and password management.
  • Support for cloud-native and on-prem connectors.

8. Password Management

  • Self-service password reset.
  • Password synchronization across systems.
  • Forgotten password workflows with MFA support.

9. Governance for Non-Employee Identities

  • Onboard and manage contractor and partner identities from non-authoritative sources.
  • Define lifecycle events and provisioning logic.


⚙️ Non-Functional Requirements

These define the system's quality attributes, performance, and behavior under constraints.

1. Scalability

  • Must support growth in the number of identities (e.g., 100k+ users).
  • Ability to scale to support high volumes of access requests and certifications.

2. Performance

  • Access requests, provisioning jobs, and certifications must complete within defined SLAs.
  • API response times should meet performance thresholds.

3. Availability

  • Ensure high availability of ISC platform (99.9% or higher).
  • Disaster recovery and failover strategies in place.

4. Security

  • Data encrypted at rest and in transit.
  • Integration with enterprise MFA, SSO, and SIEM.
  • Role-based access control (RBAC) within SailPoint.

5. Compliance

  • Compliant with GDPR, SOX, HIPAA, etc., as applicable.
  • Audit trails maintained for at least 1–7 years (configurable).

6. Maintainability

  • Easy to update configurations, connectors, and workflows via UI or APIs.
  • Well-documented admin interface and developer tools.

7. Extensibility

  • Support for plugin/connector development or extension using IDN Workflows and APIs.
  • Flexible data model to onboard new authoritative/non-authoritative sources.

8. Usability

  • Clean, intuitive UI for end users, approvers, and administrators.
  • Mobile-friendly user access portal.

9. Integration Capabilities

  • REST API, SCIM, webhook support for event-based integrations.
  • Integration with ticketing systems (e.g., ServiceNow), SIEM, and email servers.


Happy Learning!!

