CorrelateManual

IIQ version : 8.4
Hello,

Recently I got a use case where I should be performing Conversion of a user from Contractor to Employee.

The user with contractor type got created using SailPoint in the Joiner workflow and a role has been assigned to the user. After some time, the same user got converted to a FullTime Employee.

There will be two accounts in the Authoritative Application, one for Contractor and one for FullTime Employee. The new account should be correlated to the AD account which was created at the time of Joiner.

At the time of conversion, the email of the old contractor account will be assigned to the new employee account, and the old Contractor account’s email will be removed/changed. In ActiveDirectory, the account with the contractor’s email should be correlated to the new Authoritative Employee account, as the account was created with the contractor account’s email at the time of the joiner event.

But here the two authoritative app accounts are getting correlated to the same identity; ideally the AD account should be correlated to the new authoritative account. When I observed the taskresults report, the correlation for this account is showing as “CorrelateManual” and attribute Undetermined.

My correlation is “Attribute based” and the attribute is email. I have even tried writing a Correlation rule and aggregating by checking “Disable optimization of unchanged accounts”.

The Aggregation rule is:

```java
import java.util.HashMap;

import org.apache.log4j.Logger;

import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

Logger log = Logger.getLogger("ActiveDirectory.log");

// Email of the account being aggregated
email = account.getAttribute("email");

QueryOptions qo = new QueryOptions();
HashMap returnMap = new HashMap();

if (Util.isNotNullOrEmpty(email)) {
    Filter filter = Filter.eq("email", email);
    qo.addFilter(filter);

    // getUniqueObject expects at most one identity with this email
    Identity idty = (Identity) context.getUniqueObject(Identity.class, filter);
    if (idty != null) {
        if (idty.isCorrelated()) {
            // Map.put returns the previous value, not the map, so add the
            // entry first and then return the map itself
            returnMap.put("identity", idty);
            return returnMap;
        }
    }
}
return returnMap;
```

Please guide me in this.

Thanks in advance

Hi @Vardhan211

When correlating, prioritize the employee account over the contractor account if both exist. You can do this by checking if the identity type is “Employee” before returning it.

Consider returning additional information about the identity’s correlation status, which could provide insights.

You can fetch all identities matching the email using context.getObjects. Based on the isCorrelated status, return the employee identity or contractor identity accordingly.

Once done, consider implementing a cleanup process that ensures the old contractor account is either disabled or appropriately modified.

1 Like
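
The approach suggested in the reply above, written out as a correlation rule. This is an added example, not code from either poster or from SailPoint. The identity attribute name `employeeType` and its value `Employee` are assumptions to replace with your own; `account` and `context` are the rule arguments used in the original rule. When the match is ambiguous it returns an empty map, so the AD account stays uncorrelated for review instead of being attached to the wrong person.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.log4j.Logger;

import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

Logger log = Logger.getLogger("ActiveDirectory.log");

// Assumptions: identity attribute and value that mark an employee identity.
String TYPE_ATTR = "employeeType";
String EMPLOYEE = "Employee";

Map returnMap = new HashMap();
String email = (String) account.getAttribute("email");
if (Util.isNullOrEmpty(email)) {
    return returnMap;   // nothing to match on; leave the account uncorrelated
}

// getObjects returns every identity with this email instead of expecting
// a single match.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.ignoreCase(Filter.eq("email", email)));
List candidates = context.getObjects(Identity.class, qo);

Identity employee = null;   // correlated identity flagged as employee
Identity other = null;      // correlated identity of any other type
int employees = 0;
int others = 0;
for (Object o : candidates) {
    Identity idty = (Identity) o;
    if (!idty.isCorrelated()) continue;
    if (EMPLOYEE.equals(idty.getAttribute(TYPE_ATTR))) { employee = idty; employees++; }
    else { other = idty; others++; }
}

if (employees == 1) {
    returnMap.put("identity", employee);   // employee wins over contractor
} else if (employees == 0 && others == 1) {
    returnMap.put("identity", other);      // only the contractor identity exists
} else if (employees + others > 0) {
    // Ambiguous: do not guess which person owns this AD account.
    log.warn("Ambiguous correlation for email " + email + ": "
        + employees + " employee / " + others + " other identities");
}
return returnMap;
```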
