Correlating uncorrelated accounts before provisioning new accounts

Hi all,

For new identities, ISC will evaluate role criteria and provision source accounts without first checking to see if there is already an account in the source which would meet the correlation criteria for that identity. I was curious if anyone has developed a method for letting the source aggregate first and run correlation to the identity, such that a duplicate account doesn’t get created.

This would be helpful for rehire use cases, in which an identity is returning as a new identity but retains some attributes that can be used to find historical accounts, or a case in which an identity is accidentally deleted and restored by the system on next aggregation.


Hi @chris-hogan ,

That is an interesting scenario. I don’t see a generic way to handle it for all the sources in the case of rehire. A simple way to do it is to increase the frequency of the aggregations, but in cases like rehire scenarios we might need an immediate update of the account information.

I have a few thoughts, though, if it is for selected applications.

  1. Use Workflow:
     Detect the rehire user (Identity attributes updated) and initiate an httpAction for the Account Aggregation API as below for the needed sources, such that the aggregations are immediately invoked after a rehire.

  2. Use the before provisioning rule:
     One way is to initiate the same API above to have the aggregation initiated. The other way is to use IdnRuleUtil’s accountExistsByNativeIdentity method, which takes the application name and nativeIdentity as input (again, here it would only work if the nativeIdentity is a standard known value like email which is expected to be available via the plan). If the method returns true, then the account exists. You can then update the provisioning plan operation and only have the necessary attribute requests relevant for a Modify operation.

Regards,
Uday Kilambi
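
A sketch of the check described in option 2, written as a BeanShell BeforeProvisioning rule body; it is an added example, not code from the thread or from SailPoint. The attribute name `mail` used as the native identity and the list of attributes kept on a Modify are assumptions to replace with the source's own values.

```java
// BeforeProvisioning rule body (BeanShell). Inputs supplied to the rule: plan, application, idn, log.
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Assumption: the source's native identity is the value sent in the "mail" attribute.
String NATIVE_ID_ATTRIBUTE = "mail";
// Assumption: attributes that are safe to send on a Modify; everything else is dropped.
List MODIFY_ATTRIBUTES = Arrays.asList(new String[] { "department", "title", "manager" });

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest request : plan.getAccountRequests()) {
        if (!AccountRequest.Operation.Create.equals(request.getOperation())) {
            continue; // only a Create can produce a duplicate account
        }
        AttributeRequest idAttr = request.getAttributeRequest(NATIVE_ID_ATTRIBUTE);
        Object value = (idAttr != null) ? idAttr.getValue() : null;
        if (value == null || value.toString().trim().length() == 0) {
            continue; // no predictable native identity in the plan: leave the Create untouched
        }
        String nativeIdentity = value.toString().trim();
        if (!idn.accountExistsByNativeIdentity(application.getName(), nativeIdentity)) {
            continue; // no account found under that id: the Create is correct
        }
        // An account already exists: point the request at it and turn the Create into a Modify.
        request.setNativeIdentity(nativeIdentity);
        request.setOperation(AccountRequest.Operation.Modify);
        List kept = new ArrayList();
        if (request.getAttributeRequests() != null) {
            for (AttributeRequest attr : request.getAttributeRequests()) {
                if (MODIFY_ATTRIBUTES.contains(attr.getName())) {
                    kept.add(attr); // keep only attributes relevant to a Modify
                }
            }
        }
        request.setAttributeRequests(kept);
        log.info("Existing account " + nativeIdentity + " found on "
                + application.getName() + "; Create changed to Modify");
    }
}
```

Requests without a usable value in the chosen attribute are left as Create, so the rule only helps on sources where the native identity can be predicted from the plan.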


Hi Uday,

Thanks for the suggestions! I am going with option 1 and developing a workflow which will trigger when a new identity is created, wait for some period of time to allow scheduled aggregation to occur, then finally use “Manage Access” to add the user if they still don’t have an account correlated.
