Correlation Rule Issue

Hi all, I am encountering issues with a correlation rule and am thus posting in this forum seeking input.

The following is my correlation rule:

  import java.util.HashMap;
  import java.util.Map;

  Map returnMap = new HashMap();

  // Read the account's logon name and its position in the directory tree
  String sAMAccountName = account.getStringAttribute( "sAMAccountName" );
  String dn = account.getStringAttribute( "distinguishedName" );

  // Only correlate accounts outside the Disabled and Deleted OUs;
  // returning an empty map means "no identity match"
  if (dn != null && !dn.contains("OU=Disabled") && !dn.contains("OU=Deleted")) {
      returnMap.put( "identityAttributeName", "adid");
      returnMap.put( "identityAttributeValue", sAMAccountName );
  }

  return returnMap;

The intention is to uncorrelate accounts that reside in certain OUs from the identity. Due to certain requirements, we still need to keep those OUs in the search DNs, hence the configuration of this rule.

We have attached the correlation cloud rule by patching the source on the path “/accountCorrelationRule”. After running the POST /cc/api/source/loadAccounts/{id} with disableOptimization set as True, the account is still not uncorrelated from the identity. Appreciate any input on this matter, thank you!

This is a follow-up from this topic: Correlation rule does not uncorrelate - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum. We noticed that the uncorrelation was working because the OUs were not specified in the search DNs, which removed the accounts from IDN, and not because the correlation rule was effective.
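A hardened variant of the posted rule, written as a stand-alone Java class so it can be compiled and run outside IdentityNow. This is an added example, not the original poster's rule or SailPoint code. It parses the DN into RDNs with javax.naming.ldap.LdapName so the OU check matches whole OU names case-insensitively, instead of testing whether the DN string contains the substring "OU=Disabled" (which would also match an OU named "DisabledTemp" and would miss a DN written as "ou=disabled"). The account values, attribute names and sample DNs are constructed for the example; in an actual rule they come from account.getStringAttribute(...) as in the post, and, as the thread observes, the rule is only consulted for accounts that are being evaluated for correlation during aggregation.

```java
import java.util.HashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class OuAwareCorrelation {

    // OUs whose accounts must not be correlated (constructed for this example)
    private static final String[] EXCLUDED_OUS = { "Disabled", "Deleted" };

    /**
     * True if any RDN of the DN is an OU whose value equals one of the
     * excluded OU names (case-insensitive, whole-value comparison).
     * A DN that does not parse is treated as excluded, so a malformed
     * value can never accidentally correlate an account.
     */
    static boolean isInExcludedOu(String dn) {
        if (dn == null) {
            return false;
        }
        try {
            LdapName name = new LdapName(dn);
            for (Rdn rdn : name.getRdns()) {
                if (!"OU".equalsIgnoreCase(rdn.getType())) {
                    continue;
                }
                String value = String.valueOf(rdn.getValue());
                for (String excluded : EXCLUDED_OUS) {
                    if (excluded.equalsIgnoreCase(value)) {
                        return true;
                    }
                }
            }
        } catch (InvalidNameException e) {
            return true;
        }
        return false;
    }

    /**
     * Mirrors the shape of the posted correlation rule: an empty map means
     * "no identity match"; otherwise the map names the identity attribute
     * ("adid", as in the post) and the value to match it against.
     */
    static Map<String, String> correlate(String sAMAccountName, String dn) {
        Map<String, String> returnMap = new HashMap<>();
        if (sAMAccountName != null && !isInExcludedOu(dn)) {
            returnMap.put("identityAttributeName", "adid");
            returnMap.put("identityAttributeValue", sAMAccountName);
        }
        return returnMap;
    }

    public static void main(String[] args) {
        // Constructed sample accounts: {sAMAccountName, distinguishedName}
        String[][] samples = {
            { "jdoe",   "CN=John Doe,OU=Disabled,OU=Users,DC=example,DC=com" },
            { "asmith", "CN=Ann Smith,OU=DisabledTemp,OU=Users,DC=example,DC=com" },
            { "bwong",  "CN=Bob Wong,ou=deleted,DC=example,DC=com" },
            { "clee",   "CN=Carol Lee,OU=Active Users,DC=example,DC=com" },
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " -> " + correlate(s[0], s[1]));
        }
    }
}
```

Running main prints an empty map for jdoe and bwong (the second would have slipped past a case-sensitive substring check) and a match for asmith and clee (the first would have been wrongly excluded by a substring check). If an OU naming convention does require prefix matching, replace the equalsIgnoreCase comparison with a prefix test on the parsed OU value rather than on the whole DN string.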

Hi all.

We realized that the correlation rule is only working for accounts that are uncorrelated after aggregation, and not for those that were deprovisioned via IDN and remain attached to the identity.

We tested that if we manually remove an account that resides in the Disabled OU, then after aggregating from the AD source this account will not be correlated to the identity, but if it is in an Active User OU, it will be correlated as expected.

However, this is not the use case we want to achieve. We want to uncorrelate the accounts that move to the Disabled OU. We are not removing the OU path from the search DNs, as it needs to be included so that the generation of sAMAccountName via cloud rule is unique across the AD.

Appreciate any input to uncorrelate the current correlated accounts in the Disabled OU. Thanks.

Hi @sjoyee

If you do not have too many subtree base DNs to aggregate, you can make an account aggregation card for each base DN, so you can omit the Deleted OU accounts. Then, when you aggregate accounts, the ones under the Deleted OU will not be brought in, causing these accounts to be deleted and uncorrelated from identities (of course you have to allow 100% of accounts to be deleted).

Hi Julian, thanks for the input!

However, we want to leave the account uncorrelated in IDN. One of the reasons is that we need to iterate over these accounts when generating a unique sAMAccountName.

Hi my friend, I came up with an idea that may be helpful for you.

First, in the account LDAP filter, put something that forces the connector to bring nothing, for example “(objectClass=Userxxxxxxxxxxxxxxxxxxxxxxxxxxx)”

Leave the account deletion threshold at 100% and run aggregation. This will bring 0 accounts and delete all accounts (this will be temporary).

After doing that, return the account LDAP filter to (objectClass=User) or the one you had prior to the change, and run aggregation again.

This should link accounts to identities again, and the ones in the disabled OU, according to your correlation rule, should not.


Hi Julian,

Thanks for the input. Yes, this should work, as we noticed this previously when we managed to remove the account from the identity when the search DNs were missing one OU path. However, since this requires manual work, I will take this back and discuss it with my team. But thanks a lot for the suggestion!
