Disable Default Correlation Rule

Hi,

As we all know, there is a Default correlation Rule with the Account Name and the Name attribute from the Identity. My question is, is there a way to disable this default correlation?

My case is that we are using the Account Name as the full name from the Authoritative Source, so when a user is disabled and is created again for a hiring process or something similar, IDN did not create a new Identity; it just correlates to the existing one.

Regards


Asking the same question via the Support case last year we were told the only chance to overwrite that back end ‘default correlation’, a ‘real hell’ within a switching of the authoritative sources we did, at IDN is to use a custom correlation cloud executed rule. We never tested it but will be happy to know whether it is true or not, and find a Rule sample that does it…

So with this response in my understanding, we can only remove this default correlation rule if we deploy a new correlation rule via ES? :confused:

Hi Felipe,

My understanding is that it is not possible to switch off the back end ‘default correlation’ in IDN (or IIQ). It looks like it’s a hard coded heritage of the old initial model of IIQ reused in IDN since 2017.

Nevertheless the individual identity mapping could be amended under a tenant request in IDN in a back end XML.

Role, certification and other internal object links to the amended identity cube might disappear after that. We found that case sometimes is protected by using aliasname as an additional identity attribute to the user ID, but only for some objects and settings.

Sample of the identity assigned to a Role.

    {
        "id": "1122334456",
        "name": "AAAABBBBCCC",
        "aliasName": "52017855",
        "email": "[email protected]",
        "roleAssignmentSource": "ACCESS_REQUEST"
    }

So it is a complex way with an extra job to do a lot of child object link corrections after the identity cube initial mapping change for individual identities with a Sailpoint premium support help, but it does not look like “a mission is impossible”.

  • If IdentityNow is unable to correlate an account to an identity using your configuration, it will attempt to use a default correlation configuration by matching the account attribute marked as name to the identity’s Account Name. You can find the Account Name by clicking the Identity in the Identity List and viewing the Account Name in the attributes section.
  • If you don’t have a custom correlation configuration, or if your configuration doesn’t find an Identity for an account, IdentityNow automatically attempts to correlate the accounts to Identities by matching the Account Name with the Identity’s Account ID.

The second way, as we interpret the answer above, is to make a complex custom correlation rule that will prevent the back end default correlation from being fired. That is what I would like to see a working sample of.

Perhaps the idea would be to define inside the rule own default correlation for all uncorrelated accounts to link them to the same one special ‘helper’ identity we could create.
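
The fallback quoted from the documentation above, together with the rehire case from the original question, modelled as an added example (not SailPoint code and not written by anyone in this thread). The attribute names `employeeNumber`, `name` and `accountName`, the helper names and the sample records are assumptions constructed for illustration; the check flags accounts that would land on an existing identity by name alone although their unique HR id differs.

```python
# Simplified model of the two-stage correlation; not SailPoint code.
# Assumed attribute names: employeeNumber (unique HR id), name, accountName.

def correlate(account, identities, custom_attr="employeeNumber"):
    """Return (identity, stage); stage is 'custom', 'default' or None."""
    key = account.get(custom_attr)
    # Stage 1: the configured correlation (here: unique HR id equality).
    if key:
        for ident in identities:
            if ident.get(custom_attr) == key:
                return ident, "custom"
    # Stage 2: fallback on the account attribute marked as name
    # versus the identity's Account Name.
    for ident in identities:
        if ident.get("accountName") == account.get("name"):
            return ident, "default"
    return None, None


def flag_fallback_collisions(accounts, identities, custom_attr="employeeNumber"):
    """List accounts that matched only by name although the unique id differs."""
    flagged = []
    for acct in accounts:
        ident, stage = correlate(acct, identities, custom_attr)
        if stage == "default" and acct.get(custom_attr) != ident.get(custom_attr):
            flagged.append((acct["name"], acct.get(custom_attr), ident["id"]))
    return flagged


# Constructed sample data.
IDENTITIES = [
    {"id": "id-1", "accountName": "Ana Perez", "employeeNumber": "E100"},
    {"id": "id-2", "accountName": "Luis Gomez", "employeeNumber": "E300"},
]
ACCOUNTS = [
    {"name": "Ana Perez", "employeeNumber": "E100"},   # same person
    {"name": "Ana Perez", "employeeNumber": "E245"},   # new hire, same full name
    {"name": "Marta Ruiz", "employeeNumber": "E410"},  # new person
]

if __name__ == "__main__":
    for row in flag_fallback_collisions(ACCOUNTS, IDENTITIES):
        print("review before aggregation:", row)
```

Run over an export of the authoritative source before aggregation, each flagged row is an account that would inherit an existing identity's roles and access through name matching alone.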