- Products & services Products & services
- Resources ResourcesLearning
- Learning
- Identity University Get technical training to ensure a successful implementation
- SailPoint professional certifications & credentials Advance your career or validate your identity security knowledge
- SailPoint recertification program Get recertified by demonstrating ongoing learning
- Training onboarding guide Make of the most of training with our step-by-step guide
- Training FAQs Find answers to common training questions
- Community Community
- Compass
- :
- Discuss
- :
- Community Wiki
- :
- IdentityIQ Wiki
- :
- Managing uncorrelated accounts
- Article History
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Content to Moderator
Managing uncorrelated accounts
Managing uncorrelated accounts
In general, Identities are created to represent an organization’s personnel (as represented in the authoritative data source(s)) and each user's application accounts are associated to their Identity as the accounts are aggregated. In fact, the IdentityIQ data model requires that all accounts be tied to an Identity. When an account is aggregated into IdentityIQ from a non-authoritative source and cannot be correlated to an existing Identity in the system, IdentityIQ still needs to record the existence of the account and still needs an Identity to support the account, so it creates a new, uncorrelated Identity. (These uncorrelated accounts are often referred to as “orphaned” accounts since they lack an authoritative “parent” Identity.)
| Uncorrelated Account / Orphaned Account: an account from a non-authoritative system which cannot be correlated to an existing authoritative Identity |
| Uncorrelated Identity: a non-authoritative Identity created solely to support an uncorrelated account until it can be correlated to an authoritative Identity |
Organizations have several choices for addressing these uncorrelated accounts.
- Manually correlate the accounts to existing authoritative Identities.
- Alter the correlation configuration/rule so it will correctly correlate these accounts to the appropriate authoritative Identity and re-run the aggregation.
- Clean up the data in the native system, deleting any invalid accounts, and re-run the aggregation with the Detect deleted accounts option selected; IdentityIQ then recognizes that the accounts do not exist and deletes the accounts from its records.
In all of these cases, once the accounts have been disassociated from the non-authoritative Identities, the uncorrelated Identities still exist in the system but no longer have any accounts associated to them and are therefore no longer needed. The Prune Identity Cubes task can be run to delete those Identities.
