In the Auth source (flat file), there is an Email column that serves as the correlation key for all non-auth source flat files. However, when a user’s last name changes, their Email also changes, causing all associated non-auth source flat-file accounts to become uncorrelated.
Is there a way to store the old email and let it correlate?
You should look at adding additional correlation logic for your non-authoritative flat file accounts. In almost all cases, you will have multiple options for correlating. Using a unique identifier like an employee number is a common choice.
Try using the correlation recommendations as a starting point in your sandbox environment - it can provide some recommendations that are specific to your non-auth sources. Navigate to the ‘Account Correlation’ page on each non-auth source to launch the recommendations and view them.
In the flat file, we have only email and access information; no other attributes like employee ID, username, or displayname exist. We need to correlate with email only.
On top of Margo’s response, we use a correlation attribute that never changes (almost never). I see that you don’t have any other unique attribute; we do use the display name attribute when we don’t have any other choice.
I would say, leave them uncorrelated; the email should be updated in your delimited files as well. Whenever an email is updated, inform those application teams about it through a workflow, or pull the uncorrelated report, check if any email changed for those users, and ask the app team to update it in the delimited file.
If you can’t add attributes to your auth source, your options are to manually correlate the account that had an email change, or like @KRM7 mentioned, to have the email changed in the target sources. It’s easier to manually correlate now in the UI, if you go to Identity Management > Accounts > Uncorrelated Accounts, then find the uncorrelated account you can click the three dots to manually correlate it to an identity.
Agree with what was said above. I would also check if the team that is giving you your authoritative source data can add an extra column with a unique attribute like an employee number or a username that will not change - see if you can tackle it right at the source. If not, there are a lot of other good recommendations that people have made in this post for how you can remediate it manually.
The app team is not willing to add any additional attribute on the flat file sources; it will be only Email.
We have already explained to the application team that an uncorrelated account report is sent daily, requesting them to update the email and upload it back. However, they have not agreed to this approach.
We are planning to proceed with the following approach.
We introduced an OldEmail column in the auth source flat file. This column follows a build map rule to handle the following two scenarios:
Initial Account Aggregation
During the first account aggregation, all existing values in the Email column should be copied into the OldEmail column.
Once populated, the OldEmail value should remain unchanged indefinitely.
New User Onboarding
When a new user is onboarded, the Email column in the auth source is initially empty.
Once the user’s Active Directory (AD) account is created, the Auth Source team updates the newly generated email into the Email column.
As soon as the Email field is updated for the new user, the same value should be stored in the OldEmail column.
Once set, the OldEmail value must remain unchanged.
Create an identity attribute, set it as searchable (true), and use both OldEmail and Email as correlation keys.
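Here is an added stand-alone illustration (not part of this thread and not SailPoint's BuildMap rule API) of the logic in the approach above: OldEmail is frozen the first time an Email is present, and correlation then matches on either Email or OldEmail. It assumes a stable `uid` per auth row and a `state` dict standing in for wherever OldEmail is persisted between aggregations; all sample rows are constructed.

```python
def build_map(row, state):
    """Build-map logic from the post: copy Email into OldEmail the first time an
    Email is present, then keep that value on every later aggregation.
    `state` (uid -> frozen OldEmail) stands in for wherever the value persists."""
    out = dict(row)
    uid = out["uid"]
    if uid in state:                       # already frozen: never overwrite
        out["OldEmail"] = state[uid]
    elif out.get("Email"):                 # first Email seen (initial run, or after AD creation)
        state[uid] = out["OldEmail"] = out["Email"]
    else:                                  # new hire with no AD account yet
        out["OldEmail"] = ""
    return out


def correlate(identities, accounts):
    """Map each non-auth account email to an identity uid (or None),
    matching case-insensitively on Email first, then OldEmail."""
    index = {}
    for ident in identities:
        for key in ("Email", "OldEmail"):
            value = ident.get(key, "").strip().lower()
            if value:
                index.setdefault(value, ident["uid"])
    return {a["email"]: index.get(a["email"].strip().lower()) for a in accounts}


def run_scenario():
    """Three aggregations over constructed sample rows (not real data)."""
    state = {}
    run1 = [build_map(r, state) for r in (
        {"uid": "1001", "Email": "jane.doe@example.com"},
        {"uid": "1002", "Email": ""})]                       # new hire, AD account not yet created
    run2 = [build_map(r, state) for r in (
        {"uid": "1001", "Email": "jane.smith@example.com"},  # last-name change
        {"uid": "1002", "Email": "bob.lee@example.com"})]    # AD account now created
    run3 = [build_map(r, state) for r in (
        {"uid": "1001", "Email": "jane.smith@example.com"},
        {"uid": "1002", "Email": "bob.lee2@example.com"})]   # later change: OldEmail stays frozen
    non_auth = [{"email": "Jane.Doe@example.com"},           # still carries the old email
                {"email": "bob.lee@example.com"},
                {"email": "nobody@example.com"}]
    return run1, run3, correlate(run3, non_auth)


if __name__ == "__main__":
    first, latest, matches = run_scenario()
    print(latest)
    print(matches)
```

The third account stays uncorrelated on purpose, which is the case the daily uncorrelated report mentioned above would still surface.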