Managing uncorrelated accounts
In general, Identities are created to represent an organization’s personnel (as represented in the authoritative data source(s)) and each user's application accounts are associated to their Identity as the accounts are aggregated. In fact, the IdentityIQ data model requires that all accounts be tied to an Identity. When an account is aggregated into IdentityIQ from a non-authoritative source and cannot be correlated to an existing Identity in the system, IdentityIQ still needs to record the existence of the account and still needs an Identity to support the account, so it creates a new, uncorrelated Identity. (These uncorrelated accounts are often referred to as “orphaned” accounts since they lack an authoritative “parent” Identity.)
Uncorrelated Account / Orphaned Account: an account from a non-authoritative system which cannot be correlated to an existing authoritative Identity
Uncorrelated Identity: a non-authoritative Identity created solely to support an uncorrelated account until it can be correlated to an authoritative Identity
Organizations have several choices for addressing these uncorrelated accounts.
- Manually correlate the accounts to existing authoritative Identities.
- Alter the correlation configuration/rule so it will correctly correlate these accounts to the appropriate authoritative Identity and re-run the aggregation.
- Clean up the data in the native system, deleting any invalid accounts, and re-run the aggregation with the Detect deleted accounts option selected; IdentityIQ then recognizes that the accounts do not exist and deletes the accounts from its records.
In all of these cases, once the accounts have been disassociated from the non-authoritative Identities, the uncorrelated Identities still exist in the system but no longer have any accounts associated to them and are therefore no longer needed. The Prune Identity Cubes task can be run to delete those Identities.
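The lifecycle above, as an added Python model (not IdentityIQ code and not its API): it shows why uncorrelated Identities linger after their accounts are re-correlated or deleted, and why the prune step is needed in every case. The rule functions, the firstname.lastname convention and all account names are constructed assumptions.

```python
# Simplified model of the lifecycle described above; not IdentityIQ code or its API.
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str
    correlated: bool                      # True = backed by the authoritative source
    accounts: set = field(default_factory=set)

def by_name(account, identities):
    """Assumed rule: the native account name equals the Identity name."""
    hit = identities.get(account)
    return hit if hit and hit.correlated else None

def by_name_or_initial(account, identities):
    """Assumed fixed rule: also accept 'jdoe' for 'john.doe'."""
    hit = by_name(account, identities)
    matches = [i for i in identities.values() if i.correlated and "." in i.name
               and i.name[0] + i.name.split(".", 1)[1] == account]
    return hit or (matches[0] if len(matches) == 1 else None)  # refuse ambiguous matches

def aggregate(identities, native_accounts, rule, detect_deleted=False):
    if detect_deleted:                     # drop records of accounts gone from the source
        for ident in identities.values():
            ident.accounts &= set(native_accounts)
    for acct in native_accounts:
        for ident in identities.values():  # the account moves to wherever the rule points now
            ident.accounts.discard(acct)
        owner = rule(acct, identities)
        if owner is None:                  # no match: an uncorrelated Identity holds it
            owner = identities.setdefault(acct, Identity(acct, correlated=False))
        owner.accounts.add(acct)

def prune(identities):
    # Delete uncorrelated Identities that no longer hold any account.
    dead = sorted(n for n, i in identities.items() if not i.correlated and not i.accounts)
    for n in dead:
        del identities[n]
    return dead

def orphans(identities):
    return sorted(n for n, i in identities.items() if not i.correlated and i.accounts)

def demo():
    ids = {n: Identity(n, True) for n in ("john.doe", "ann.lee")}   # constructed data
    aggregate(ids, ["john.doe", "alee", "svc_old"], by_name)
    first = orphans(ids)
    # Rule fixed and svc_old deleted in the native system, then re-aggregated.
    aggregate(ids, ["john.doe", "alee"], by_name_or_initial, detect_deleted=True)
    return first, orphans(ids), prune(ids), ids["ann.lee"].accounts
```

After the second aggregation no orphaned accounts remain, but the two empty uncorrelated Identities are still present until `prune` removes them.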

So an aggregation needs to be run to ensure those accounts are merged? Is that a correct statement?
Thank you.
James "Jim" Sorace
Depends on the method you have chosen for addressing the uncorrelated accounts. Each of the three bullet points in the list is an independent choice and only 2 of them require reaggregation.
If you manually correlate them on the Manage -> Identity Correlation page, no, you don't have to reaggregate. If, on the other hand, you realized your correlation rule/config was bad and you fixed that correlation rule/config, you do need to re-run the aggregation to make it correlate the accounts correctly. And if you discovered the reason you had uncorrelated accounts is that you had bad data in the source system and you fixed that, you would have to reaggregate with Detect Deleted Accounts turned on to make IdentityIQ discover the accounts to be deleted.
You do still need to run the pruning task in all cases to make the identities created to support the uncorrelated accounts disappear (because once their accounts are appropriately correlated, the identities no longer have accounts hanging on them and are therefore no longer needed).

The following option in an aggregation task - "Check to update existing identities, but not create new identities if a match is not found" - shouldn't this inhibit uncorrelated accounts from getting created during aggregation?
Additionally, is there a way to clean up identities without cleaning the application data source / correlating the identities? I do not want them in IIQ.
Thank you.
Varun
Hey Varun,
Identities without any accounts or history can be deleted by running the Prune Identity Cube task.
That option should indeed inhibit the creation of identity objects with only that account on them.

Thanks Dan!
What about application accounts that have been created in IIQ because the option was not checked the first time we ran aggregation? They are now in IIQ and have the application's accounts.
You could delete them with the Terminator class and querying the "Uncorrelated" attribute in the identity.
I used an extended attribute for correlation but the accounts were uncorrelated. The third option helps me to solve the issue. "Clean up the data in the native system, deleting any invalid accounts, and re-run the aggregation". I reset the source and aggregate again, then the accounts correlate.
Hi @ArpitaSB
I was able to find help internally on your request for examples:
- Your correlation logic is connecting accounts to identities based on firstname.lastname but some accounts follow a different naming convention, so you need additional options in your config or rule for correlating those accounts.
- There are old records in your source system that are no longer valid accounts, which you identify based on this failed correlation. If your organization wants to delete them from the source system, after that's done, when you reaggregate accounts from the source, we can auto-delete them from IIQ if you chose that Detect deleted accounts option.
Thanks,
Anchal