Correlation Rule

Hello, I need to create a correlation rule based on two attributes.

The first attribute is employeeNumber, which exists both as an Identity attribute in ISC and in my Web Services connector.

The second attribute is department, which is also an Identity attribute in ISC, but in my case it should match a static value: "Ohio". This department attribute does not exist in the target source; it exists only in ISC.

I was wondering how this should be handled in a Cloud Correlation Rule.

I initially thought about something like this:

returnMap.put("identityAttributeName", "department");
returnMap.put("identityAttributeValue", "Ohio");
returnMap.put("identityAttributeName", "employeeNumber");
returnMap.put("identityAttributeValue", "employeeNumber");

But I am not sure this is the right approach.

How can I properly write the rule so that the correlation works with:

  • employeeNumber matching between the source account and the ISC identity

  • and department = "Ohio" on the ISC identity side only?

    Thank you in advance,

No, you can’t correlate an account if the attribute doesn’t exist on the source.
And if you are matching on employeeNumber then you don’t need a 2nd value, especially if that is going to be static and not unique.

So in your web service source, you would like to correlate only accounts for employees who belong to department Ohio?

All others should be uncorrelated?

Hello @baoussounda @phil_awlings Thank you both for your replies,

For this specific Web Service source, I want to restrict correlation only to identities that belong to the Ohio department. It’s a very specific use case: unfortunately, the employeeNumber is not unique here (I’m aware it normally should be, but this situation is quite unusual).

@torry_salamat You can find an example of a correlation rule here: Correlation Rule | SailPoint Developer Community

What you can do is add the following logic:

  • Add an Identity attribute called, for example, webserviceCorrelationKey, concatenating employeeNumber|department with transforms for this Identity attribute.

  • Make your new Identity attribute searchable: simple with the VS Code plugin, or you can use put-identity-attribute | SailPoint Developer Community

  • This will take some time (1 to 15 min max), but once applied you should see the identity attribute in the list on the correlation configuration page. (You can add max 5 searchable attributes, I think.)

  • Then in your correlation rule you can use the following logic:

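Map returnMap = new HashMap();
String empNumber = account.getStringAttribute("employeeNumber");
// Match on the concatenated identity attribute: <employeeNumber>|Ohio
returnMap.put("identityAttributeName", "webserviceCorrelationKey");
returnMap.put("identityAttributeValue", empNumber + "|Ohio");
return returnMap;
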
  • Note:

    • About the rule, the documentation mentions: “This rule associates or correlates an account to an identity, based on complex logic. The rule runs before configured account correlation including the default account correlation.”
    • Default account correlation cannot be removed and will always be evaluated after the rule.
    • And if you would not like to add an additional Identity attribute, you can implement all the logic in the rule directly: retrieve the account employeeNumber, search for an existing Identity, and verify if the department is Ohio.
  • The general idea of the rule: ISC iterates over every account, calls the rule, and expects as a result the reference of the Identity with which the account should be associated:
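
An added example (not part of the original post and not SailPoint's own configuration) of a transform that could build webserviceCorrelationKey as described in the steps above. It assumes both values are read from the authoritative source account; the transform name and the `sourceName` and `attributeName` values are placeholders.

```json
{
  "name": "Build webserviceCorrelationKey (placeholder name)",
  "type": "concat",
  "attributes": {
    "values": [
      {
        "type": "accountAttribute",
        "attributes": {
          "sourceName": "<authoritative source name>",
          "attributeName": "<employee number attribute>"
        }
      },
      "|",
      {
        "type": "accountAttribute",
        "attributes": {
          "sourceName": "<authoritative source name>",
          "attributeName": "<department attribute>"
        }
      }
    ]
  }
}
```

With this mapping, an identity in the Ohio department with the constructed employee number 1001 gets the value `1001|Ohio`, which is the string the rule snippet above builds from the account's employeeNumber.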

Hi @torry_salamat

Using the Web Services AOR for the aggregation operation, you could modify and add the ‘department’ attribute for each account to include the value you need. This would require you to code the logic to determine which accounts should receive the value for department.

Then, the source correlation configuration can be set up to handle the use case for the department and employeeNumber attributes.

This setup would not require a Correlation Rule.

Hope this helps!

Hi @torry_salamat Solution provided as-is, not tested,

If I read your requirement correctly:

The Correlation Rule has access to the idnRuleUtil model, so you need some logic to define your identityAttributeValue as the ID of the matching identity and as something that will not correlate for non-Ohio identities.

ie (pseudo-code):


if (exists (identity where employeeNumber = link.getAttribute(employeeNumber) and department = "Ohio"))
    then myID = get Identity ID
    else myID = "XXXXXXX"

returnMap.put("identityAttributeName", "id");
returnMap.put("identityAttributeValue", myID);

Assuming there will not be more than one identity match for employeeNumber :

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="My_Correlation_Rule" type="Correlation">
  <Description>Correlates based on employeeNumber and department.</Description>
  <Source><![CDATA[

Map returnMap = new HashMap();

String srcEmployeeNumber = account.getStringAttribute( "employeeNumber" );

List<sailpoint.rule.Identity> identities = idn.findIdentitiesBySearchableIdentityAttribute("employeeNumber", "Equals", srcEmployeeNumber, "employeeNumber");

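if (identities != null && !identities.isEmpty()) {
	for (sailpoint.rule.Identity identity : identities) {
		// Read department from the identity's attribute map (assumes getAttributes() returns a Map).
		Object department = identity.getAttributes().get("department");
		// Correlate only when the matching identity belongs to the Ohio department.
		if (department != null && "Ohio".equalsIgnoreCase(department.toString())) {
			returnMap.put( "identityAttributeName", "employeeNumber");
			returnMap.put( "identityAttributeValue", srcEmployeeNumber );
		}
	}
}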
return returnMap;

  ]]></Source>
</Rule>

The link below, which discusses correlation rule issues in ISC, will help you: Correlation Rule issues