When IdentityIQ reads an account from a connected application, it will try to correlate it to an existing identity cube and if that fails, create a new identity cube. When an account is removed from the source, IdentityIQ will also remove the account from the cube if the option to detect deleted accounts has been enabled on the aggregation task. If all accounts are removed from an identity cube, it will leave an "empty shell".
Other reasons for an identity cube to become empty are:
These empty identity cubes most of the time do not serve any purpose and should be cleaned up. This is what the pruning feature in IdentityIQ is designed for.
Out of the box, IdentityIQ comes with a task called "Prune Identity Cubes".
This task has four configuration options.
First, when the option "Analyze but do not delete" is enabled, the task only analyzes identities and does not delete any of them. When that option is not enabled, the task processes all identities (or only those selected by the filter) and evaluates each one to decide whether the identity cube should be deleted. An identity will not be deleted by the prune task if it:
If an identity cube has info on the Policy, History, and/or Events tabs will it be pruned?
Yes, that information will be pruned. The Terminator class, a.k.a. "Arnold", will take care of that.
- Menno
Does pruning identities impact system performance, etc.? Or can you tell me the drawbacks or issues caused by pruning identities in the system?
Like anything you do, it will take system resources to run. Pruning will iterate over each and every identity in the system, so it may take a long time to run, depending on the number of identities in your environment. Not pruning once in a while will leave you with "empty shells": identities without any accounts and probably with no or hardly any identifying attributes. It is therefore a good idea to run the prune task once in a while.
It may run faster if you limit the set of identities to iterate over. E.g. it is very likely that your candidates for pruning are not correlated (unless manually), so you could set "correlated == false" as the filter for the prune task. Any correlated, active identity will then be skipped. Only uncorrelated identities will be evaluated.
- Menno
I was more looking at it from the client's perspective, if we are recommending that the client prune identities. We need a few pointers on why pruned identities should be deleted from the system.
Clearly, you should not delete the task, but schedule it to run periodically, e.g. as part of your daily aggregation cycle, or once a week. The task exists to keep your system clean.
How does "Prevent pruning of new identities for this many days" in the Lifecycle Manager global configuration work with this feature? It does not seem to work.
Does anyone have the full database query to get the list of identities that will be pruned by the task? We need to see them prior to running the task. So far I have:
SELECT ident.name
FROM identityiq.spt_identity ident
WHERE NOT EXISTS (
    SELECT 1
    FROM identityiq.spt_link acct
    WHERE acct.identity_id = ident.id
      AND acct.manually_correlated = 0
)
  AND ident.workgroup = 0
ORDER BY ident.name;
But I'm not sure what other tables are involved in determining the above criteria.
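The following is an added example, not from the original poster and not SailPoint's own prune logic. It extends the preview query above using only the criteria this page states: the identity has no account links left (the "empty shell" from the introduction), it is not a workgroup (the poster's own condition), it is not correlated (the filter Menno suggests for the task), and it is older than the "prevent pruning of new identities" window. Note that, unlike the poster's query, it requires that the identity has no links at all rather than no automatically correlated links, so an identity whose only remaining accounts were manually correlated is listed separately in the second query rather than as a candidate. The column names spt_identity.correlated and spt_identity.created (stored as epoch milliseconds), and the bind variable :cutoff_millis, are assumptions; compute the cutoff as "now minus the configured number of days" in your database's notation and check the column names against your schema before relying on the result. The prune task may apply further exclusions that this page does not list, so treat the output as a preview to review, not as the task's exact decision.

```sql
-- Added example: preview of likely prune candidates.
-- ASSUMPTIONS (verify against your IdentityIQ schema):
--   spt_identity.correlated  -> 0/1 flag, as used by the filter "correlated == false"
--   spt_identity.created     -> epoch milliseconds
--   :cutoff_millis           -> bind variable = now - ("prevent pruning" days) in ms
SELECT ident.id,
       ident.name,
       ident.created,
       ident.inactive,
       -- How many links of any kind are still attached (always 0 for rows returned here).
       (SELECT COUNT(*)
          FROM identityiq.spt_link acct
         WHERE acct.identity_id = ident.id) AS link_count
  FROM identityiq.spt_identity ident
 WHERE NOT EXISTS (                       -- no accounts at all: the "empty shell"
           SELECT 1
             FROM identityiq.spt_link acct
            WHERE acct.identity_id = ident.id)
   AND ident.workgroup   = 0              -- workgroups are not identities to prune
   AND ident.correlated  = 0              -- matches the suggested task filter
   AND ident.created     < :cutoff_millis -- respects the "new identity" grace window
 ORDER BY ident.name;

-- Companion query: identities that the poster's original query would list but that
-- still hold manually correlated accounts. These are worth reviewing separately,
-- since removing them would also remove the manually correlated links.
SELECT ident.id,
       ident.name,
       COUNT(acct.id) AS manual_links
  FROM identityiq.spt_identity ident
  JOIN identityiq.spt_link acct
    ON acct.identity_id = ident.id
 WHERE acct.manually_correlated = 1
   AND ident.workgroup = 0
   AND NOT EXISTS (                       -- no automatically correlated link remains
           SELECT 1
             FROM identityiq.spt_link auto_acct
            WHERE auto_acct.identity_id = ident.id
              AND auto_acct.manually_correlated = 0)
 GROUP BY ident.id, ident.name
 ORDER BY ident.name;
```

Run both queries read-only against a copy or a reporting replica first; the first result set is the list to compare against what the task reports in "Analyze but do not delete" mode, and any identity that appears in one but not the other points at a criterion the task applies that this query does not.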
It says that the filter is similar to that of the "Refresh Identity Cube" task. In the refresh task you have the option to select Group Definitions. Does the prune task also let you choose populations? If so how do you put the population in the search filter?