cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Identity processing threshold in IdentityIQ 8.2

Identity processing threshold in IdentityIQ 8.2

 

The Identity Processing Threshold feature gives you the ability to stop lifecycle events before they are fully processed, to protect against  dangerous or accidentally-triggered workflows from completing. For example, if someone makes a change in the Human Resources database that accidentally changes the status of an entire department's employees to "terminated", the identity processing threshold can stop IdentityIQ from running a Leaver workflow for hundreds of employees.

Thresholds can be set either as a fixed number, or as a percentage of identities. When a threshold is set, the Identity Refresh task will terminate when the threshold is met, without updating any identities.

Identity Processing Threshold can be configured both in Rapid Setup (as global setting) and in Lifecycle Events, for specific workflows. In addition, there are some settings in the Identity Refresh task that must be set to fully enable this feature.

 

Setting an identity processing threshold in Rapid Setup

The Identity Processing Threshold in Rapid Setup is configured as a global setting, for each type of processing event.

  1. Click gear > Global Settings > Rapid Setup Configuration.
  2. Choose the type of process (for example, Joiner, Mover, or Leaver) that you want to set a threshold for. Note that the process must be enabled before you can set an identity processing threshold.
  3. In the Identity Processing Threshold area, set your threshold preferences
    • Choose whether to use a Fixed number or a Percentage of identities as the threshold.
    • Enter the threshold value. Fixed numbers must be whole; decimal values are not supported. Percentages must be between 1 and 100.

ThresholdRS.png

  1. Save your changes.
  2. Ensure that the Process events setting is selected in the Identity Refresh task; the identity processing threshold will not take effect if this option is not selected. See the section below for more information.

 

Setting an identity processing threshold in Lifecycle Events

Identity Processing Thresholds are set individually for different types of Lifecycle Events.

  1. Click Setup > Lifecycle Events.
  2. Choose the type of process (for example, Joiner, Mover, or Leaver) that you want to set a threshold for.
  3. Choose a Threshold Type: a Fixed number or a Percentage of identities as the threshold.

ThresholdLCE.png

  1. Enter the Threshold value. Fixed numbers must be whole; decimal values are not supported. Percentages must be between 1 and 100.
  2. Save your changes.
  3. Ensure that the Process events setting is selected in the Identity Refresh task; the identity processing threshold will not take effect if this option is not selected. See the section below for more information.

 

Enabling identity processing threshold in the identity refresh task

The Identity Refresh task must be set to process events in order for the Identity Processing Threshold to work as intended.

  1. Click Setup > Tasks
  2. Select the task you use for refreshing identities to edit it. This is a task of type Refresh Identities.
  3. Ensure that the Process events option is enabled. If you want to process events for other purposes but disable the Identity Processing Threshold feature, you can check the Disable identity processing threshold option.
  4. Save your changes.
Labels (1)
Comments

@cathy_mallet ,

This is a great and much anticipated enhancement. 

Question: How does the threshold work for partitioned Identity Refreshes ? Is the value cumulative of events triggered across partitions ?

is there any notification that the processes were not running because of exceeded threshold ?

And can we increase the threshold and run the processes again without changing any trigger attribute ?

@yatharth_singhal , I ran your Q by one of the engineers and he says:

 

@uensal_ilhan , I ran your Q by one of the engineers - here is his response:

Yes, the notification is via the task results. The task would be a failure and a localized message would give feedback. You could increase the threshold and run the processes again, but it is probably better to determine what the real problem was and address it in the data.

This is great feature, @cathy_mallet 

but is there a way to get the list of users impacted due to this threshold and their corresponding event details ? 

If we don't have this feature OOTB, any ideas from engineering team to get this data from Sailpoint( Like this data will be stored in some table or objects)? 

Is the Identity Threshold Feature introduced from IdentityIQ 8.2? Was is present in any 8.0 versions say Patch 5?

What is the denominator for the Percentage option? Is it a percentage of the total number of Identities in the system, the total number of Identities scanned in the refresh, or something else? How is this actually calculated?

Version history
Revision #:
7 of 7
Last update:
‎Mar 20, 2023 08:12 PM
Updated by: