Scenario:
The customer has an HR Active Directory (AD) that is integrated with SailPoint Identity Security Cloud (ISC) for account correlation. However, the HR data does not consistently follow a fixed pattern, making it difficult to automatically correlate all accounts using defined rules.
According to the official documentation, it is possible to export the list of uncorrelated accounts from the source, manually match them with the corresponding identity data, and then re-upload the completed CSV file to perform the correlation.
Questions:
Is there a way to perform batch correlation or use an API to update the data? Since the number of uncorrelated accounts often exceeds 3,000, manually updating the CSV file is not an efficient approach.
Are there better or more recommended methods for handling this situation? How is this typically handled in similar cases?
Yes, batch correlation is possible.SailPoint provides REST APIs that allow for account correlation without relying on manual CSV uploads. Here are the high level steps that you may follow
1.Retrieve uncorrelated accounts.
2.Programmatically correlate accounts to identities using identity IDs.
3.Automate the correlation process for thousands of accounts in a batch.
This approach requires scripting (Python/Java/PowerShell, etc.)
First get accounts using the “/v3/accounts” or v2025/accounts endpoints. While retriving you may use the filters
uncorrelated eq true
You can add additional filters to narrow down your search results
In environments where HR data does not follow a consistent structure. You can try this approach
a. Pre-Processing and Data Normalization
Before the data reaches SailPoint:
Use middleware to cleanse, normalize, and enrich HR data.
Ensure common identifiers (email, employee ID, UPN) are consistent across systems. Or create a attribute which would be a combination of multiple account attributes to match with correlation attribute in sailpoint.
b. Use of Custom Correlation Rules in SailPoint
When simple attribute matching is not feasible:
Implement custom correlation logic using Correlation rule.
Use logic to return the matching attribute and scripting logic in the correlation configuration to handle edge cases.
Using this approachs you can resolve uncorrelated account problem
Thank you for providing the method and helping to clarify the issue.
For this scenario, the following has been completed:
Successfully retrieved uncorrelated accounts from AD via API, and the number of records matches exactly with the data exported directly from the ISC platform.
Currently, I would like to directly match the data exported from ISC with the data retrieved via API. However, the issue is that the API data has already been processed by the Correlation Rule, making it impossible to match with the uncorrelated accounts.
Given this situation, how should I proceed? Should I continue working through the Correlation Rule process?
Attached is a screenshot showing the fields from the ISC export.
As you are able to retrive all the uncorrelated accounts using API. Now you can find the identity id using search API using the pattern that you want and use correlation API to correlate accounts to correct identities.
In SailPoint IIQ, we typically manage accounts that cannot be correlated using a Correlation Rule by assigning them to a custom, standalone identity for centralized oversight.
However, in the current ISC (Identity Security Cloud) platform, what are the common practices for managing a large volume of uncorrelated accounts?
So far, we have tried the following:
Using the ISC interface to export a list of uncorrelated accounts. The list only contains the account and displayName fields.
Comparing the account and displayName fields with existing identities in ISC and attempting to batch update or correlate them.
However, the comparison yielded no matches at all.
Are there any recommended approaches or directions we should consider to address this issue?
