Pruning identity cubes

 

Introduction

When IdentityIQ reads an account from a connected application, it will try to correlate it to an existing identity cube and, if that fails, create a new identity cube. When an account is removed from the source, IdentityIQ will also remove the account from the cube if the option to detect deleted accounts has been enabled on the aggregation task. If all accounts are removed from an identity cube, it will leave an "empty shell".

 

Other reasons for an identity cube to become empty are:

  • All accounts are automatically re-correlated to another identity cube,
  • An uncorrelated account is manually correlated to another identity cube,
  • All accounts are manually moved to another or new identity,
  • All accounts are removed through LCM,
  • As part of the lifecycle, all accounts are disabled and later removed using lifecycle events and workflows.

 

These empty identity cubes most of the time do not serve any purpose and should be cleaned up. This is what the pruning feature in IdentityIQ is designed for.

 

The prune task

Out of the box, IdentityIQ comes with a task called "Prune Identity Cubes".

(Screenshot: Tasks.png)

This task has four configuration options.

(Screenshot: Edit_Task.png)

  • The first option is similar to the filters that can be applied to the task Refresh Identity Cubes and derivatives of that task.
  • The option Analyze but do not delete provides a dry run. If enabled, the task will only count the identities that would otherwise be deleted.
  • If enabled, the option Do not delete identities being certified prevents identities that are currently being reviewed as part of a certification (one that has not been completed) from being deleted (yet).
  • If enabled, the option Do not delete identities that have been manually marked as correlated prevents cubes that have been marked as manually correlated from being deleted.

 

Factors preventing pruning

First of all, when the option Analyze but do not delete is enabled, the task will not delete any identity. If that option is not enabled, the task processes all identities, or those selected by the filter, and evaluates whether or not to delete each identity cube. An identity will not be deleted by the prune task if it:

  • Has accounts in any connected application,
  • Is a manager of other identities,
  • Has any capability (set of SPRights), either directly or through a work group,
  • Is manually correlated (and the option Do not delete identities that have been manually marked as correlated is ticked on the task),
  • Has a “use by” date (e.g. set when creating an identity through the dashboard quicklink or self-registration),
  • Is a direct owner (not through a work group) of:
    • A role (bundle),
    • An application,
    • A work item (i.e. needs to perform work),
    • A task result,
  • Is a requester of any open work item,
  • Is a secondary owner of any application,
  • Is the remediator of any application,
  • Is the mitigator of any policy violation or certification decision,
  • Is being certified as part of any unfinished, non-continuous identity certification (and the option Do not delete identities being certified is ticked on the task).

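
The decision list above, worked through as an added example (this is not IdentityIQ code or its API): a constructed in-memory "cube" model plus an evaluator that mimics the task's filter, the dry-run option and the two "Do not delete ..." options, returning the reason each retained cube was kept.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed stand-in for an identity cube (not the IdentityIQ API); it holds only
# the facts the prune task's decision list above looks at.
@dataclass
class Cube:
    name: str
    correlated: bool = False
    manually_correlated: bool = False
    accounts: int = 0                                   # links on connected applications
    manager: Optional[str] = None                       # name of this identity's manager
    capabilities: set = field(default_factory=set)      # direct or via a work group
    use_by: Optional[str] = None                        # "use by" date, if set
    owned_objects: set = field(default_factory=set)     # directly owned bundle/application/work item/task result
    responsibilities: set = field(default_factory=set)  # open-work-item requester, secondary owner, remediator, mitigator
    under_certification: bool = False                   # in an unfinished, non-continuous identity certification

def retention_reasons(cube, cubes, skip_certified=True, skip_manually_correlated=True):
    """Factors from the list above that stop this cube from being pruned (empty = prunable)."""
    checks = [
        (cube.accounts > 0, "has accounts"),
        (any(c.manager == cube.name for c in cubes), "manager of other identities"),
        (bool(cube.capabilities), "has capabilities"),
        (skip_manually_correlated and cube.manually_correlated, "manually correlated"),
        (cube.use_by is not None, "has use-by date"),
        (bool(cube.owned_objects), "owns " + ", ".join(sorted(cube.owned_objects))),
        (bool(cube.responsibilities), "is " + ", ".join(sorted(cube.responsibilities))),
        (skip_certified and cube.under_certification, "being certified"),
    ]
    return [reason for hit, reason in checks if hit]

def prune_identity_cubes(cubes, filter_fn=None, analyze_only=False,
                         skip_certified=True, skip_manually_correlated=True):
    """Mimic the task: apply the filter, keep cubes with reasons or mark them as candidates; analyze_only never deletes."""
    candidates, retained = [], {}
    for cube in cubes:
        if filter_fn is not None and not filter_fn(cube):
            continue  # outside the task filter: not evaluated at all
        reasons = retention_reasons(cube, cubes, skip_certified, skip_manually_correlated)
        if reasons:
            retained[cube.name] = reasons
        else:
            candidates.append(cube.name)
    return {"candidates": candidates, "deleted": [] if analyze_only else list(candidates), "retained": retained}

# Constructed sample population: only "erin" is a true empty shell.
SAMPLE = [Cube("alice", correlated=True, accounts=2),
          Cube("bob", manager="alice", capabilities={"SystemAdministrator"}),
          Cube("carol", manually_correlated=True), Cube("dave", under_certification=True),
          Cube("erin"), Cube("frank", manager="alice", owned_objects={"application"})]
```

Running `prune_identity_cubes(SAMPLE, filter_fn=lambda c: not c.correlated)` reproduces the "correlated == false" filter suggested in the comments: correlated cubes are skipped rather than evaluated.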
Comments

If an identity cube has info on the Policy, History, and/or Events tabs will it be pruned?

Yes, that information will be pruned. The Terminator class, a.k.a. "Arnold" will take care of that.

- Menno

Does Prune Identities impact the system performance, etc.? Or can you tell me the drawbacks or issues caused by pruning identities in the system?

Like anything you do, it will take system resources to run. Pruning will iterate over each and every identity in the system, so it may take a long time to run, depending on the number of identities in your environment. Not pruning once in a while will leave you with "empty shells": identities without any accounts and probably with no or hardly any identifying attributes. It is therefore a good idea to run the prune task once in a while.

It may run faster if you limit the set of identities to iterate over. E.g. it is very likely that your candidates for pruning are not correlated (unless manually), so you could set "correlated == false" as the filter for the prune task. Any correlated, active identity will then be skipped. Only uncorrelated identities will be evaluated.

- Menno

I was looking more from the client's perspective, if we are recommending that the client delete prune identities. We need a few pointers in terms of why prune identities should be deleted from the system.

Clearly, you should not delete the task, but schedule it to run periodically, e.g. as part of your daily aggregation cycle, or once a week. The task exists to keep your system clean.

How does "Prevent pruning of new identities for this many days" in the Lifecycle Manager global configuration work with this feature? It does not seem to work.

Does anyone have the full database query to get the list of identities that will be pruned by the task? We need to see them prior to running the task. So far I have:

SELECT ident.name
FROM identityiq.spt_identity ident
WHERE NOT EXISTS (SELECT 1 FROM identityiq.spt_link acct
                  WHERE acct.identity_id = ident.id AND MANUALLY_CORRELATED = 0)
  AND ident.workgroup = 0
ORDER BY ident.name

 

But I'm not sure what other tables are involved in determining the above criteria.

It says that the filter is similar to that of the "Refresh Identity Cube" task. In the refresh task you have the option to select Group Definitions. Does the prune task also let you choose populations? If so how do you put the population in the search filter?

Version history: revision 4 of 4, last updated Jul 25, 2023 06:19 PM.