Our company has many employees that will transfer to our sister companies, and we treat these users like contractors when they leave, so we build out a NERM account for those users so they are added into the NERM authoritative source in ISC. The problem is they will still show in our HR Identity Profile due to us wanting this to have a higher priority than our NERM Identity Profile. When a user does move to a sister company, they are moved into the “Company Transfer” lifecycle state in our HR Identity Profile. Is there an easy way to move those identities down to the NERM Identity Profile, or should we look to filter users in that lifecycle state so they become uncorrelated and hopefully they will become correlated if the NERM Account is not created before they move?
@SivaLankapalli There are going to be 3 in total, the IDN Admins profile, our HR system, and NERM Identity Profile with IDN being the highest priority followed by the HR System Identity Profile, then the NERM Identity Profile.
With that priority model in SailPoint Identity Security Cloud, the HR Identity Profile will continue to “own” the identity as long as the user still matches its profile criteria, even if the NERM account exists.
A cleaner approach would usually be:
Exclude/filter users in the “Company Transfer” lifecycle state from the HR Identity Profile criteria
Allow them to naturally correlate into the NERM Identity Profile afterward
That tends to work better than trying to “move” identities between profiles directly, since identity ownership is driven by profile matching + priority.
A couple things to watch for:
Ensure the NERM account exists before removing HR correlation (to avoid temporary orphan/unmatched identities)
Make sure correlation logic between HR ↔ NERM is strong enough (employee ID, email, etc.)
So overall, adjusting the HR profile filter for the transfer lifecycle state is probably the safer and more scalable design here.