Hello Community,
Can we change the attribute of default correlation in IIQ?
Additionally,
If we set a correlation rule or configuration in the application for an attribute (for example, email) while aggregating data from a non-auth source, and the email value is different from the one present in IIQ from the trusted source, will it still create an orphan account? Or will it move on to check the value that is set in the default correlation attribute and then proceed with the update/creation?
The Default Correlation is the Account Identity Attribute and the Identity Name.
This is the default one and as far as I know we can't change it. However, for the “orphan account” you can avoid this by selecting the option "only correlate if a correspondent bla bla bla" on the account aggregation.
Understanding Correlation Rule, Correlation Configuration and Default Correlation
Below are the 3 options with which correlation happens in SailPoint IIQ, regardless of whether the application is Trusted or Target, along with the order in which the different options take precedence.
Correlation rule supersedes the correlation configuration, and correlation configuration supersedes the default correlation. The general behavior of IIQ is to look for a returned map from the rule first; if the rule does not return anything, it falls back on the correlation configuration. If the correlation configuration does not return anything either, it falls back on default correlation. If default correlation fails, it creates an orphan account.
A few important points to note:
The identity is created based on the Display attribute (search in the identity warehouse) if an orphan one is being created.
Correlation doesn’t happen based on the Identity Attribute if we don’t select any Account Correlation or Correlation rule.
The correlation is going to be done based on the Display Attribute only if we don’t select any Account Correlation or Correlation rule.
The Identity Attribute is used for pulling unique data from the application and aggregating it into IIQ. Irrespective of selecting the Authoritative Application option, it applies in both cases.
@ArpitaSB
You can always override the default correlation of an application.
Correlation config → By defining a direct relationship between a schema attribute and an identity attribute.
Note: You can use multiple mappings in correlation config, however the priority is given to the top one.
Correlation rule → You can write your custom logic to correlate one or more values to identity attributes. Below is a sample rule.
This example Correlation rule concatenates a firstname and lastname field from the account (resourceObject) to build an Identity name for matching to an existing Identity.

```java
import java.util.Map;
import java.util.HashMap;

Map returnMap = new HashMap();
String firstname = account.getStringAttribute("firstname");
String lastname = account.getStringAttribute("lastname");
// Only build a name when both parts are present
if ( ( firstname != null ) && ( lastname != null ) ) {
    String name = firstname + "." + lastname;
    // "identityName" tells IIQ to match on the Identity name
    returnMap.put("identityName", name);
}
// An empty map means the rule found no match
return returnMap;
```
This example correlation rule correlates the account to an Identity based on a combination of region and employee ID from the application account, which together can be used to match the unique employee ID recorded on the Identity.

```java
import java.util.Map;
import java.util.HashMap;

String empNum = account.getStringAttribute("employeeId");
String region = account.getStringAttribute("region");

Map returnMap = new HashMap();
// Check both parts before concatenating: region + empNum is never null,
// and a null part would produce a value such as "null12345".
if ( ( empNum != null ) && ( region != null ) ) {
    String empId = region + empNum;
    // Match on the Identity attribute named "empId"
    returnMap.put("identityAttributeName", "empId");
    returnMap.put("identityAttributeValue", empId);
}
return returnMap;
```
Do we have any rule to correlate multiple accounts in one go? (For uncorrelated accounts that are already aggregated in the SailPoint IIQ)
For example, we have around 1000 uncorrelated accounts out of which 700 can be correlated with existing IDs which are from trusted source. So, do we have any rule to do so in 1 go?
Thank you!
@ArpitaSB
Yes, you can do so, provided there is at least one common attribute value between the application schema attribute and the Identity attribute.
E.g.
For 600 accounts → there is an application attribute name which is same as identity attribute name.
For 400 accounts → there is an application attribute mail which is same as identity attribute name.
In this case you can use correlation config or rule to correlate to existing identity.
It’s always good to work on the data first. If you think the data in the target system is not correct and consistent, then I would recommend working with the application owners.
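A correlation rule for the mixed case described in the reply above, where some accounts match the identity name on `name` and others on `mail`. This is an added example, not code from the thread or from SailPoint. It assumes the application schema attributes are called `name` and `mail`, that IIQ supplies `context` and `account` as in the sample rules earlier in the thread, and that only identities already marked as correlated should be accepted as targets.

```java
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.Identity;

// Added example: body of an IIQ Correlation rule (BeanShell).
// "context" (SailPointContext) and "account" (ResourceObject) are supplied by IIQ.
// Assumption: the schema attributes are named "name" and "mail".

Map returnMap = new HashMap();

// Candidate values in priority order: account "name" first, then "mail".
String[] candidates = new String[] {
    account.getStringAttribute("name"),
    account.getStringAttribute("mail")
};

for (int i = 0; i < candidates.length; i++) {
    String candidate = candidates[i];

    // Never attempt a match on a missing or blank value.
    if (candidate == null || candidate.trim().length() == 0) {
        continue;
    }

    // Look up an existing Identity whose name equals the candidate value.
    Identity identity = context.getObjectByName(Identity.class, candidate.trim());

    // Assumption: skip uncorrelated identities, so an account is not linked
    // to an orphan identity created by an earlier aggregation.
    if (identity != null && identity.isCorrelated()) {
        // "identity" hands IIQ the resolved Identity object directly.
        returnMap.put("identity", identity);
        break;
    }
}

// An empty map means the rule found no match, so IIQ continues with the
// correlation configuration and then the default correlation.
return returnMap;
```

Accounts that match neither attribute are left unmatched by the rule rather than guessed at, so they can be reviewed with the application owners.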