Correlation rule does not correlate uncorrelated accounts

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We have following code for our correlation logic.

Map returnMap = new HashMap();
String email= account.getStringAttribute( "email" );
QueryOptions qo = new QueryOptions();
qo.addFilter( Filter.eq("email", email) );

List foundIdentity = context.getObjects(Identity.class, QueryOptions);

for ( Identity iden : foundIdentity  ){
  if (iden.getAttribute("status").equals("active")) {
    returnMap.put( "identity", iden);
  }
}

log.debug(returnMap);

return returnMap;

I can see identities getting returned in the map. However still, post aggregation the accounts are not getting correlated.

2

Hi @zeel_sinojia,

first of all, i have 2 questions:
1-> why you declare lcs variable if you dont use it?
2-> why don’t you put the in the filter the status check? (you can use the inactive attribute too)

Later, the problem is putting all the identity with this conditions in the map.
This rule will be execute for every account, so every time you return a list of identities.

3

Hi @zeel_sinojia,

Once your account has been uncorrelated then it will need manual intervention. Is it the case with all account or only the old account?

Thanks

4

Hi @zeel_sinojia,
Are you getting multiple identities with email query option please check if you have multiple identities with same email check this via adv analytics. If that’s the case add more filters where you get unique identity object.

5

Hello,

  1. We don’t need lcs attribute.
  2. I’ll add the status as a filter in the query options.

I am putting all the identities in a map, it is not getting returned as a Map with keys as string and values as list. I also added a log to see what is actually getting returned for every account.

It’s a single identity that gets returned.

6

Hello Ashutosh,

Yes, the older accounts are uncorrelated. I was hoping through this script I would be able to correlate them to the identities.

So if the accounts are uncorrelated once? SailPoint won’t correlate them back through this rule? We would need to manually do correlate them?

7

Hi Vinod, I did check it.

There are identities with same email. However, that’s the reason I am fetching a list of objects instead of fetching a unique one. Once I get that list, I’ll iterate over it and the first match I get, I am returning that Identity.

1 Like
8

Hi @zeel_sinojia,

Please use below check box as shown in the screenshot in account aggregation task to force account and see if it correlates your account.

image
image1039×193 8.85 KB

Thanks

1 Like
9

We do have it marked for our account aggregation.

10

Hi @zeel_sinojia ,

If you have enable the options then it should have aggregated all users and fixed the issue. Can you try enabling the aggregation logs and verify for the uncorrelated accounts.

11

Add the log.debug statement in the correlation rule and see why it’s not correlating

This should give a clue on the correlation issue.

12

An update on this, the logic written here was correct. However it was still not getting correlated. I am not sure what was the reason but we tried running the same piece of code in another environment and it worked. I am not sure what’s the correct answer here but it worked in higher environment. Thank you all for your responses!

1 Like
13

Hi @zeel_sinojia,
In the worst case you could have deleted all the uncorrelated accounts and rerun the correlation logic via aggregation which would have correlated the accounts.

14

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.