Issue Description
I’m currently working on setting the account name identity attribute value in our system. We’re using Workday as the authoritative source.
In our configuration, the file number attribute (or file number schema attribute) is set as both the account ID and account name. The file number in Workday is the employee ID, which serves as our unique identifier.
However, we’re facing a problem during the audit process. When an access request is raised—for example, for employee 4121—the auditors have difficulty identifying who that user actually is, since the system only displays the employee ID. It’s not clear to the auditors which individual corresponds to that ID.
To make this easier, we’d like to replace the employee ID with something more recognizable—such as the account name or email ID—so auditors and approvers can easily identify the user.
We’ve already connected with the SailPoint support team, and they recommended that for Workday, we should always use the file number (employee number) as the account name, since that’s the authoritative identifier. Still, I want to explore what others are doing in their environments.
Questions to the Community
-
If you’re also using Workday as your authoritative source, what are your account ID and account name schema attribute values in your authoritative source configuration?
- Are you also using the file number (employee ID) only?
-
Considering the issue I mentioned, do you have any better approach or recommended best practice?
Additional Context
We understand that if we change the account name value, it’s an immutable field, meaning we’d have to delete all existing identities and then recreate them, which is something we want to avoid. So I’m not looking to go that deep into rebuilding identities — just trying to learn from others’ setups and best practices.
Thanks in advance for your input!