Hope you all are doing well.
Currently we’re having an issue where the authoritative source has two accounts for the same user. The first one is disabled and the new one is enabled, and as SailPoint is reading both, it often causes issues disabling the identity and the accounts, etc.
My question is, is there a way to tell SailPoint which account to use? Like some priority over the other, or something like that?
We don’t really want to use a filter because we’re worried about having orphaned identities if the auth source first deletes the account before creating the new record.
Hi Nicolas,
It is not a good practice to have 2 accounts for the same user, one disabled and the other enabled. We also had this, and the issue we saw was that any account may be picked during account aggregation, and as the accountID is unique, it may be either the enabled or the disabled account.
To rectify this issue, what we did was make sure that we have only one account coming from the authoritative source. IDN is not good at handling this issue.
I second what Rakesh is saying, but if you are unable to remove those duplicate accounts for some reason, then there may be another solution. What type of source is your authoritative source? Active Directory, Workday, …? I ask because some connectors have the ability to filter the accounts that are aggregated through an option called filterString. If your source connector supports it, and there is an account attribute we can key off of that indicates whether the account is enabled/disabled, then we could potentially filter out the disabled accounts.
Your scenario totally makes sense; there is nothing wrong with that. A user will have multiple accounts in some HR products. I have faced the same scenario in SuccessFactors.
You can filter accounts from the authoritative source during aggregation if it is OK not to read that account at all, but it might have consequences: you might not know when a user gets disabled if they don't have another account.
If you need to have both accounts (enabled, disabled) on the Identity, then update your transforms (Account Attribute) to read the enabled account's data using the filter attribute accountPropertyFilter; check the optional attributes in the Transform.
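As an added illustration of the accountPropertyFilter approach described above (example configuration, not from the original post or from SailPoint), an Account Attribute transform that reads an attribute only from the enabled HR account. The source name "HR Source", the attribute name "status" and the value "Active" are assumptions; substitute whatever your authoritative source actually uses to mark an account as enabled.

```json
{
  "name": "Department From Enabled HR Account",
  "type": "accountAttribute",
  "attributes": {
    "sourceName": "HR Source",
    "attributeName": "department",
    "accountPropertyFilter": "(status == \"Active\")",
    "accountSortAttribute": "created",
    "accountSortDescending": true,
    "accountReturnFirstLink": true
  }
}
```

With the filter applied, the disabled duplicate is never considered for this attribute, and the sort/returnFirstLink settings pick the most recently created matching account if more than one enabled account is ever present, so the identity's attribute value does not flip depending on which account aggregation happens to read first.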