AD account getting uncorrelated

Hi All,

We have been facing issues with users' accounts getting uncorrelated when they transition through different lifecycle states.

So let's say, when a user moves from the inactive to the archived LCS, the existing AD account gets uncorrelated, which causes IDN to provision a new account, and thus we have an active AD account for a leaver.

This is only happening with some users and not everyone, and we don't see any similarity between them, but once in a while we come across such cases.

Has anyone faced this issue? Happy to share more details if anyone has any inputs.

Thanks

Hi @namangpt

I do think we'll need more details, like what the correlation logic is, but a few thoughts I have: if the AD accounts are being provisioned by birthright roles, make sure you have criteria that check for the LCS being active. Another thought: if the AD account is changing OUs during the LCS change, how is that happening?


Hi @vkashat, thanks for the reply.

  1. The correlation logic gives preference to mail, then sAMAccountName, and then employeeID. I do suspect the issue may be related to accounts first being correlated using mail and then getting uncorrelated when the mailbox is deprovisioned in inactive states, but I am not so sure, as we are not seeing this behaviour for all accounts.

  2. The AD accounts are provisioned using birthright roles, and these do have the active LCS criteria; they even have inactive LCS criteria, as we want the user to hold the roles until the inactive30plus LCS.

However, we do have legacy accounts which were provisioned before we had IDN, and most of the users we have seen issues with belong to this category.

  3. The AD account goes to the disabled OU 7 days after the end date.

Thanks

When they move to the disabled OU, is that OU still within the scope of the Active Directory connector? If not, it may appear as though the account is deleted from AD once it moves, which would trigger a new account creation, based on your role criteria.


When does the issue occur? Is it on any LCS change, or specifically when going from inactive to inactive30plus?

And is the disabled OU among the search DNs in your configuration? If not, IDN will not see the account anymore and will reprovision it.

The disabled OU is part of the search DN, so we have the accounts in the disabled OU available and correlated for most users.

The issue has mostly been seen when users go from inactive to inactive7plus (that's when we remove the mailbox).

Thanks
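The post above narrows the problem to accounts in the disabled OU that have just lost their mailbox. The following PowerShell is an added example, not code from the thread or from SailPoint: it lists the accounts under a disabled OU and, using the correlation order stated earlier in the thread (mail, then sAMAccountName, then employeeID), reports which key each account could still correlate on. The OU path is an assumption; replace it with your own.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$DisabledOU = 'OU=Disabled,OU=Users,DC=corp,DC=example'   # assumption: your disabled OU
$Keys = 'mail', 'sAMAccountName', 'employeeID'             # correlation attributes, in order of preference

# Pull every account under the disabled OU with just the attributes the correlation uses.
$accounts = Get-ADUser -SearchBase $DisabledOU -SearchScope Subtree -Filter * `
    -Properties ($Keys + 'whenChanged')

$report = foreach ($u in $accounts) {
    # The first populated attribute in preference order is the one correlation would use.
    $usable = @($Keys | Where-Object { -not [string]::IsNullOrEmpty($u.$_) })
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        MailPresent       = -not [string]::IsNullOrEmpty($u.mail)
        EmployeeIdPresent = -not [string]::IsNullOrEmpty($u.employeeID)
        FirstUsableKey    = $usable[0]
        WhenChanged       = $u.whenChanged
    }
}

# Accounts where the mailbox removal cleared mail AND no employeeID is set can only
# correlate on sAMAccountName; these are the ones to check against the uncorrelated list.
$report |
    Where-Object { -not $_.MailPresent -and -not $_.EmployeeIdPresent } |
    Sort-Object WhenChanged -Descending |
    Format-Table SamAccountName, FirstUsableKey, WhenChanged, DistinguishedName -AutoSize
```

Run it from a host with RSAT and read rights on the disabled OU; comparing the flagged accounts with the identities that lost correlation after the inactive7plus transition tells you whether the mailbox removal is the common factor.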

Do you have access history enabled? Can you look at the access history to see when the account gets removed/uncorrelated?

Hey,

When disabling the mailbox, I think the extension attributes are dumped.
As such, if you use one of them in a correlation rule and the account is moved, you can lose the correlation.

You can try to back up the attribute to a CSV in a beforeModify script and restore it through an afterModify script.
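One way to implement the backup-and-restore idea from the post above, as an added example that is not the poster's code or a SailPoint-provided script. It wraps Disable-Mailbox with two functions that snapshot the correlation attributes first and put back only those that the mailbox removal actually cleared. The backup directory, the attribute list and the sample account name are assumptions, and the snapshot is stored as JSON rather than the CSV the post mentions; the functions map onto what a beforeModify and an afterModify script would each do.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module and an
# Exchange management session so that Disable-Mailbox is available.
Import-Module ActiveDirectory

$BackupDir = 'C:\IDN\CorrelationBackup'                      # assumption
$Preserve  = 'extensionAttribute1', 'extensionAttribute2'    # assumption: attributes your correlation uses

function Backup-CorrelationAttributes {
    # "beforeModify" half: snapshot the attributes before the mailbox is removed.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties $Preserve
    $snapshot = @{}
    foreach ($a in $Preserve) {
        if (-not [string]::IsNullOrEmpty($u.$a)) { $snapshot[$a] = [string]$u.$a }
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $snapshot | ConvertTo-Json | Set-Content -Path (Join-Path $BackupDir "$SamAccountName.json")
    return $snapshot
}

function Restore-CorrelationAttributes {
    # "afterModify" half: restore only the attributes that are now empty.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $file = Join-Path $BackupDir "$SamAccountName.json"
    if (-not (Test-Path $file)) { throw "No correlation backup found for $SamAccountName" }
    $snapshot = Get-Content -Path $file -Raw | ConvertFrom-Json
    $u = Get-ADUser -Identity $SamAccountName -Properties $Preserve
    $restore = @{}
    foreach ($p in $snapshot.PSObject.Properties) {
        if ([string]::IsNullOrEmpty($u.($p.Name))) { $restore[$p.Name] = $p.Value }
    }
    if ($restore.Count -gt 0) { Set-ADUser -Identity $SamAccountName -Replace $restore }
    return $restore
}

# Usage: wrap the mailbox removal so the correlation attributes survive it.
$sam = 'jdoe'   # constructed sample account
Backup-CorrelationAttributes -SamAccountName $sam | Out-Null
Disable-Mailbox -Identity $sam -Confirm:$false
Restore-CorrelationAttributes -SamAccountName $sam
```

The restore deliberately skips attributes that still hold a value, so running it twice is harmless. If your correlation key is mail rather than an extension attribute, putting mail back on a mailbox-less user is a separate decision (it keeps the address resolvable in the directory), so treat that attribute on its own rather than adding it to the list.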

Hi @namangpt

IMHO, it's best not to think about accounts getting "uncorrelated". Correlation is a one-time event to create a "linkage" between Account and Identity, based on Account ID (ok, it can be re-run using unoptimised aggregation). Assuming you use DN as Account ID, moving the Account will "un-link" the Account.

Depending on your aggregation settings and timings and ordering, AFAIK, the moved account will either get re-linked via correlation (a new Account ID), or marked as deleted (the old Account ID doesn’t exist anymore) thus triggering another account creation.

How are you doing the Account move?