Correlate Non-Personal Accounts to a Non-Personal Identity

Correlation of Non-Personal Accounts into an NPA-Identity

Uncorrelated non-personal accounts

Almost every application holds non-personal accounts (NPAs):

  • Built-in administrator accounts (such as Administrator, root, enable, SYS, SA)
  • Service Accounts (to connect to/from other components, run services, etc.)
  • Guest Account (should be disabled, but still exists in some applications)

In most IdentityIQ environments, no correlation config or correlation rule is used for these accounts, because there is no identity available to correlate them to. Creating an NPA-Identity might be a solution when you want to validate that the correlation configs/rules correctly correlate all personal accounts, or to clean up the uncorrelated account list.

An NPA-Identity

This is a new identity (cube) that is not aggregated from the HR source (authoritative source) but still holds the correlated property. Correlating non-personal accounts to this NPA-Identity removes them from the uncorrelated accounts list.

Create NPA-Identity

  • Create a new Identity
  • Set Identity as correlated
    • Open the new identity using debug (<instance-url>/debug → Type Identity → click on the NPA-Identity)
    • Add XML-attributes correlated="true" correlatedOverridden="true" to the XML-element Identity:
    • Save

Use of an NPA-Identity

Correlating uncorrelated accounts to the NPA-Identity makes those accounts correlated 🙂

Correlation can be done manually, or automatically using a correlation config or correlation rule.
An example of manually correlating accounts:

  • Go to: Identities → Identity Correlation
  • Select Uncorrelated Account to correlate
  • Select Target Identity: NPA-Identity
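
For the automatic route mentioned above, a correlation rule can send known NPA names to the NPA-Identity. The BeanShell rule body below (rule type Correlation) is an added example, not code from the original post; the identity name "NPA-Identity", the "svc_" naming convention and the use of the native identity as the login name are assumptions to adapt per application.

```java
// Added example: body of an IdentityIQ rule of type "Correlation" (BeanShell).
// IdentityIQ passes `account` (sailpoint.object.ResourceObject) for each
// aggregated account; the rule returns a Map describing the target identity.
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Assumption: the identity created in "Create NPA-Identity" has this name.
String NPA_IDENTITY_NAME = "NPA-Identity";

// Built-in administrator and guest names from the list at the top of the
// article, lower-cased. Extend this list per application.
List BUILT_IN = Arrays.asList(new String[] {
    "administrator", "root", "enable", "sys", "sa", "guest"
});

// Assumption: service accounts follow a naming convention such as "svc_...".
String SERVICE_PREFIX = "svc_";

Map result = new HashMap();

// Assumption: the native identity is the login name. Where it is a DN
// (directories), read the login attribute instead, for example
// account.getStringAttribute("sAMAccountName").
String nativeId = account.getIdentity();

if (nativeId != null) {
    String name = nativeId.trim().toLowerCase();

    // Exact match for built-in names: substring matching would also capture
    // personal accounts such as "sarah" (contains "sa") and hide them from
    // the uncorrelated accounts list.
    boolean builtIn = BUILT_IN.contains(name);
    boolean service = name.startsWith(SERVICE_PREFIX);

    if (builtIn || service) {
        // "identityName" tells IdentityIQ which identity to correlate to.
        result.put("identityName", NPA_IDENTITY_NAME);
    }
}

// An empty map means this rule found no match for the account.
return result;
```

Keep the match list narrow: any personal account this rule captures disappears from the uncorrelated accounts list and no longer shows up when validating the personal correlation logic.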

Result

When viewing the NPA-Identity in the Identity Warehouse:

The NPA account is now removed from the uncorrelated accounts list.

Additional/Advanced information

correlatedOverridden attribute

The attribute correlated is set to true only for identity-cubes aggregated from the authoritative source. All other identity-cubes have the attribute correlated set to false. During a refresh of an identity-cube, the correlated attribute is reset.

The attribute correlatedOverridden is used to block the reset of the correlated-attribute.

Using correlated="true" correlatedOverridden="true" will set the identity-cube to correlated for identity-cubes not aggregated from the authoritative source.

I hope this information helps to keep your IdentityIQ environment a bit more clean and lean 🙂

– Remold
