I have a temporary scenario where we load Entra ID and ServiceNow accounts and correlate the ServiceNow account based on Entra ID account data.
The Entra ID id account attribute is propagated to an identity attribute.
The ServiceNow account contains a custom attribute that is set to the corresponding Entra ID id account attribute value, and we correlate that ServiceNow account attribute to the identity attribute with the Entra ID value.
Why does deleting the Entra ID account (which clears the identity attribute) uncorrelate the ServiceNow account?
I understood that correlation was not reevaluated once set unless an unoptimized aggregation was performed?
Based on my understanding, only an unoptimized aggregation will trigger a reevaluation of the correlation logic. This means that if the correlation configuration changes (but not the associated values), the recalculation won’t take place until an unoptimized aggregation is executed.
For example, modifying the attributes in the below section will not result in recalculation unless an unoptimized aggregation is performed.
Hi Sid,
I appreciate the response, but I don’t follow you.
Correlation is a product of potentially several factors: account attributes, identity attributes, and either a static configuration or a rule.
Your answer suggests that correlation is conditionally maintained, so I guess I am interested in knowing the complete criteria.
I don’t see the underlying semantic difference between an attribute value change vs a policy/rule change, and why only one is considered justified in removing the correlation.
My understanding is the same as yours - i.e., ISC should not be un-linking these accounts.
The only scenario I can imagine matching your experience would be that the SNOW account is getting deleted and re-created on the SNOW side generating a new sys_id - can you see the account creation time stamp? The ISC logs should have exposed that, though.
I take it SNOW is running scripts to import from Entra; could there be something funky going on on their side? It’s possible, for instance, that for a deleted Entra account, the script may be creating a new “archived” SNOW account for post-departure tickets.