Correlate accounts without triggering an aggregation

Our team collects data at a point in time for access reviews. We do not have the entire population from HR in IDN as identities to correlate accounts to. We pull those in programmatically after account aggregation and then add the identity to IDN. Is there a way to correlate accounts to Identities without triggering a user account aggregation?

Account aggregation is the process which will load the accounts into IDN. Only once it’s loaded can you correlate them to an identity. If there’s no aggregation the account won’t even exist, I guess.

If your account already exists in IDN, you can use Update Account API to correlate it to any identity.

PATCH {{api-url}}/v3/accounts/772a2d150055462ca2e3d9578521d846

Request Body
[
  {
      "op": "replace",
      "path": "/identityId",
      "value": "d0840fbf5bcd449396479612c5e1d792"
  }
]

Replace the account Id and Identity Id with your values.

Let me attempt to explain better.
Let’s say there is a source (Bobs Killer App). The application contains 500 user accounts and IDN pulls those accounts in; all of the accounts have a valid identifier to associate the user to an Identity. However, IDN does not have 10 of the users accounts in the identity cube store. That will leave 10 uncorrelated accounts to figure out.
Our scripts will identify those accounts and add them to the source for the identity cube aggregation, then aggregate the identity cube source. In theory now all of the uncorrelated accounts have an identity cube to correlate with.

  1. Will those uncorrelated accounts become correlated with no additional action over a period of time?
  2. Is there an API to trigger just the correlation of those uncorrelated accounts to an identity cube?

We do not want to aggregate the account data again from Bob’s Killer App because we have already provided other teams with the aggregation data. If we do aggregate the app data again, the user count might have changed, forcing us to explain discrepancies to SOX compliance auditors.
I hope that helps explain the situation.

Refer to this: Assigning Source Accounts… - SailPoint Identity Services

Hi @ChrisOlsen,

From my understanding, the scenario is:

  • 2 sources - Bob’s Killer App (non-auth), Employee source (auth)
  • When Bob’s Killer App source is aggregated, there is a chance that there might be more accounts than the existing identities on the Employee source, leading to uncorrelated accounts.
  • To fix this, scripts will detect uncorrelated accounts (on Bob’s Killer App) and create these on the Employee source and aggregate the authoritative source.

I have tested the scenario with 2 delimited sources and the steps were as follows:

  • Set up correlation logic (work email = email) and aggregated accounts for Non-Auth source with an additional account, resulting in an uncorrelated account.
  • Then, the same account was recreated on the Auth source and aggregated. This resulted in the account being correlated without the need to aggregate the Non-Authoritative source.

This would have to be tested on other sources.

Hope this helps!

Hello Kartik, @ksbagade
What you are suggesting is that the uncorrelated account gets correlated once the identity source has been updated?
We have not experienced that with our instance. If it does work like that it may be taking longer than we have time to wait. Hence the reason I was looking for a trigger to correlate a source without aggregation.
Thanks for the feedback.
Best,
Chris

I am not sure if this approach would be acceptable/feasible. But have you considered the option of manual correlation of the uncorrelated accounts from Source/Import Data/Uncorrelated Accounts?

Hello Nithesh,
Can you elaborate? The key takeaway is that we do not want to re-aggregate the original source data.
I understand what you are suggesting; adding any flat files whatsoever is not an option for our team. Our mission is to have 100% end-to-end integration. Very pioneering from what I have seen in the IDN space.
Thanks for your input.
Hope that helps.

Kind regards,
Chris


Okay just another thought…

Using a Workflow:
Trigger: Identity Created (when accounts are added to the Auth Source)
Actions:

  1. Get Identity, using the ID picked from the Trigger
  2. Get Accounts from Non-Auth Source using Source ID of Bobs Killer App
  3. Loop through the accounts and check below conditions
     • If the account is Uncorrelated
     • Check if Correlating attributes of the account match with that of Identity created (one or more as you need)
  4. If both conditions are met, send an HTTP Request to the API suggested by @sharvari in post #2 with 2 replace operations
     • "manuallyCorrelated" : true
     • "identityId" : "idOfNewCreatedIdentity"

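The workflow steps in the last post come down to a matching step followed by one PATCH per uncorrelated account. As an added example (not code from any poster or from SailPoint), this Python script plans those PATCH bodies offline and generalizes the post from one newly created identity to a list of them. The record shapes (`uncorrelated`, `attributes.email`) and all IDs are assumptions, and any account that matches zero or several identities is left for manual review so that access is never attributed to the wrong person in a review.

```python
import json

def norm(value):
    """Normalize a correlating attribute so case/whitespace differences still match."""
    return value.strip().lower() if isinstance(value, str) and value.strip() else None

def plan_correlation(accounts, identities, attr="email"):
    """Return (patches, skipped) for uncorrelated accounts with exactly one identity match."""
    index = {}
    for ident in identities:
        key = norm((ident.get("attributes") or {}).get(attr))
        if key:
            index.setdefault(key, []).append(ident["id"])
    patches, skipped = [], []
    for acct in accounts:
        if not acct.get("uncorrelated"):
            continue  # never re-point an account that is already correlated
        matches = index.get(norm((acct.get("attributes") or {}).get(attr)), [])
        if len(matches) != 1:  # zero or several candidates: do not guess
            skipped.append((acct["id"], "ambiguous" if matches else "no match"))
            continue
        patches.append({
            "path": f"/v3/accounts/{acct['id']}",
            "body": [  # the two replace operations named in the workflow post
                {"op": "replace", "path": "/manuallyCorrelated", "value": True},
                {"op": "replace", "path": "/identityId", "value": matches[0]},
            ],
        })
    return patches, skipped

# Constructed sample data (not from a real tenant); field names and IDs are assumptions.
ACCOUNTS = [
    {"id": "acct-001", "uncorrelated": True, "attributes": {"email": "Dana.Reyes@example.com "}},
    {"id": "acct-002", "uncorrelated": False, "attributes": {"email": "lee.wong@example.com"}},
    {"id": "acct-003", "uncorrelated": True, "attributes": {"email": "shared.box@example.com"}},
    {"id": "acct-004", "uncorrelated": True, "attributes": {"email": "nobody@example.com"}},
]
IDENTITIES = [
    {"id": "ident-101", "attributes": {"email": "dana.reyes@example.com"}},
    {"id": "ident-102", "attributes": {"email": "shared.box@example.com"}},
    {"id": "ident-103", "attributes": {"email": "shared.box@example.com"}},
    {"id": "ident-900", "attributes": {"email": "lee.wong@example.com"}},
]

if __name__ == "__main__":
    patches, skipped = plan_correlation(ACCOUNTS, IDENTITIES)
    for p in patches:
        print("PATCH", p["path"], json.dumps(p["body"]))
    print("left for manual review:", skipped)
```

Keeping the skipped list alongside the planned patches gives a record of which accounts were correlated by script and which were not, which is the kind of evidence an access review auditor will ask for.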