Custom Report for Orphan Accounts

Version

8.4

Question and Goal

Hi everyone,

I’d like to ask for your help in creating a Custom Report that can display Orphan Accounts — accounts that are not linked to any Identity.

My goal is to generate a report that shows all accounts in the system that are currently not associated with any Identity object. If anyone has experience with this or can point me in the right direction, I’d really appreciate your support.

Thank you!

I tried the default report named Uncorrelated Accounts Report and it doesn’t work

Report Doesn't show the data1866×949 35.6 KB

you dont need a custom report using HQL. you can simply search in the advance analitics with the field correlated = false. this will pull all the non-corelated accounts.

However if you are not pulling those, will need a custom report using QueryOptions to find the uncorrelated Links.

@pattabhi if the devrel team wanted AI/bot-generated responses, they could just have their bots auto-reply to posts. please stop posting chatGPT-generated responses with incorrect answers.

Apologies, I will stop posting without validation going forward.
this is my mistake.

image1443×971 62.4 KB

Hi @ipobeidi , I can not found the field correlated in the advanced analytics.

Add any value on the filter, edit the source. and add the correlated

Hi @fewthiraphat

I have tested the report on IIQ Version: 7.2p2, I am getting the expected result of 6 orphan accounts from three non-authoritative applications.

I will test against 8.4 and give you an update.

image1721×610 93.8 KB

image1622×283 16.1 KB

The report which I have used is: Uncorrelated Accounts Report

JFYI:
on the second page: Uncorrelated Accounts Parameters of the report allows to select only non-authoritative applications, so selected non authoritative application which are having orphan accounts.

image990×306 31 KB

Hi @sup3rmark

Thanks for pointing out incorrect answers, now I have tested and updated the correct answers.

Below is my TaskDefinition.

Note: Line numbers 13,14,15 are the application ID values which you need to replace your application ID’s

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition name="Uncorrelated Accounts Report - Pattabhi TEST" resultAction="Rename" subType="Identity and User Reports" type="LiveReport">
  <Attributes>
    <Map>
      <entry key="TaskDefinition.runLengthAverage" value="2"/>
      <entry key="TaskDefinition.runLengthTotal" value="2"/>
      <entry key="TaskDefinition.runs" value="1"/>
      <entry key="TaskSchedule.host"/>
      <entry key="correlatedApps">
        <value>
          <List>
            <String>ff80808191dda77e01920bd939cc0229</String>
            <String>ff80808191dda77e01920be5305f0311</String>
            <String>ff80808191dda77e0192114651580553</String>
          </List>
        </value>
      </entry>
      <entry key="disableDetail" value="false"/>
      <entry key="disableSummary" value="false"/>
      <entry key="emailFileFormat">
        <value>
          <List>
            <String>PDF</String>
            <String>CSV</String>
          </List>
        </value>
      </entry>
      <entry key="reportColumnOrder" value="identity, account, firstName, lastName, applicationName"/>
    </Map>
  </Attributes>
  <Description>A detailed view of the uncorrelated user accounts in the system.</Description>
  <Owner>
    <Reference class="sailpoint.object.Identity" name="spadmin"/>
  </Owner>
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" name="Uncorrelated Accounts Report"/>
  </Parent>
</TaskDefinition>

Hi @pattabhi, Thanks for your code, this looks work well on my lab, but I wonder know if we can do a filter on the default xml to make it can do to all application, by not adding for the application id?

From your code I can find my application after I put it on your code

<entry key="correlatedApps">
        <value>
          <List>
            <String>7f0001019616110f81961662c5f3000b</String>
           // more 40 applications and can add or edit anytime
          </List>
        </value>
      </entry>

Hi @fewthiraphat

Thanks for the update, you can hardcode all the application ID’s , Use below
DB query to fetch all application ID’s

select '<String>'+id+'</String>' from spt_application;

This is what I tried, but can not import

 <entry key="correlatedApps">
        <value>
          <List>
            select  '<String>'+id+'</String>' from spt_application;
          </List>
        </value>
      </entry>

image1907×477 39 KB

and one question please, this

select  '<String>'+id+'</String>' from spt_application;

is work when use with correlatedApps in the default one, like prepare input? and how to implement with this

<Signature>
    <Inputs>
      <Argument multi="true" name="correlatedApps" type="Application">
        <Description>rept_input_uncorrelated_ident_report_correlated_apps</Description>
        <Prompt>report_input_correlated_apps</Prompt>
      </Argument>
      <Argument name="resultScope" type="Scope">
        <Description>rept_input_result_scope</Description>
      </Argument>
      <Argument multi="true" name="emailIdentities" type="Identity">
        <Description>rept_input_email_recips</Description>
      </Argument>
    </Inputs>
  </Signature>

Hi @fewthiraphat

The query you need to run against DB then copy paste all the value’s to XML like below

<entry key="correlatedApps">
     <value>
          <List>
	       <String>001</String>      
	       <String>002</String>
	       <String>003</String>
	       <String>004</String>
             ..
             ..
             ..
 	        <String>40</String>
          </List>
     </value>
</entry>

let me check is there a way to simplify with filter instead of hardcoding each application id

Hi @fewthiraphat

I found the easy logic to fetch all applications, it works perfectly fine, I have tested against 8.4p2

The out-of-the-box “Uncorrelated Accounts Report” in SailPoint IIQ already has the capability to include all applications. The key is in how you configure its parameters.

• Uncorrelated Account Parameters This is the crucial parameter for the Uncorrelated Accounts Report.

If you leave this parameter blank or unselected, the report will, by default, include ALL applications in your IdentityIQ environment.** This is the simplest way to achieve your goal without any custom coding.

Below is the Task Definition for All Applications.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition name="Uncorrelated Accounts Report - ALL APPLICATIONS" resultAction="Rename" subType="Identity and User Reports" type="LiveReport">
  <Attributes>
    <Map>
      <entry key="TaskSchedule.host"/>
      <entry key="disableDetail" value="false"/>
      <entry key="disableHeader" value="false"/>
      <entry key="disableSummary" value="false"/>
      <entry key="dontEmailEmptyReport"/>
         <value>
          <Boolean></Boolean>
         </value>
      <entry key="enableCsvHeader" value="false"/>
      <entry key="reportColumnOrder" value="identity, account, firstName, lastName, applicationName"/>
    </Map>
  </Attributes>
  <Description>A detailed view of the uncorrelated user accounts in the system for all application</Description>
  <Owner>
    <Reference class="sailpoint.object.Identity" name="spadmin"/>
  </Owner>
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" name="Uncorrelated Accounts Report"/>
  </Parent>
</TaskDefinition>

Hi @fewthiraphat, it is unusual to have an account link that is not associated with an identity cube. Essentially, it shouldn’t happen.

Are you sure that is what you are wanting to report on?

You could try a query in your IdentityIQ database to see if you have any orphan accounts. eg:
select * from identityiq.spt_link where identity_id is null;

Hello @paul_hilchey, this one match with my requirement, can I ask you something more?

the account will keep in the table spt_link in the database even it linked with identity or not is it correct?

Hi @paul_hilchey

The query will not give any result, because identity_id attribute always has values in spt_link table and it has object id values of identity.

For the correct orphan(uncorrelated) accounts use the above-mentioned report: Uncorrelated Accounts Report. these accounts are from non-authoritative source/application which are uncorrelated with Authoritative source: application identity. {refers to an account in a managed application (like Active Directory, Salesforce, Workday, etc.) that does not have a corresponding, active identity in SailPoint. Essentially, it's an account that doesn't have a known, valid owner within your organization's authoritative source (like an HR system).}

uncorrelated accounts from non-authoritative application which are basically orphan accounts, we call it as orphan accounts because these accounts not mapped with authoritative source identities, these details we can find it in spt_identity table

if we look at Identities – > Identity Correlation
Here you find the uncorrelated accounts once you select the application from the drop down.

select * from spt_identity where correlated=0;

{it includes extra records likes work groups and other objects as well}

Hi @fewthiraphat No, spt_link table doesn’t contain the uncorrelated accounts, as explained above those are available in the spt_identity table, only correlated accounts are available in the spt_link table.

it is little bit confusing, in UI(report-uncorrelated account report or Identites → Identity Correlation) it says uncorrelated accounts, in backend these objects are available in the spt_identity table.

Hi @pattabhi , Thank you, I tired this query an it’s working an i wanted

select * from spt_identity where correlated=0;

now I can see the Identity that uncorrelated, in mysql.