Forcing an uncorrelation through correlation rule

Hi experts,

We have a requirement to uncorrelate disabled accounts that were provisioned via SailPoint. To achieve that, we tried to use the correlation rule to set a condition such that the identity attribute value will be returned as null if the account is under a disabled OU.

To test that, I ran an unoptimized aggregation after - but I still see the account correlated to the identity. Appreciate any ideas on why this happened and how we can go about achieving this.

Thank you!

Correlation will only apply to uncorrelated accounts.
Once correlated you can’t go back.
One way to do this is to remove the account from IDN.
Then on next aggregation it will come in again and be uncorrelated.
You might be able to trigger this remove account action via a workflow once a user gets disabled.

However the main question is… why… ?

1 Like

Hi @mingsiewang

The best way will be not to aggregate these accounts in ISC. With a correlation rule, I am afraid you will not be able to achieve this because there is a hidden functionality on correlation on display name. So if the correlation rule you have specified does not match any identities, then the built-in functionality will try to correlate the accounts with the account name attribute, and there could be a possibility that eventually these accounts become correlated. This is also documented in the official documentation below.

I hope this information helps.

Regards
vikas.

1 Like

Hi Remi,

Understand that this is quite unorthodox, but we do have a requirement to uncorrelate disabled accounts for our mover flow. So when the user moves across organisation, we will uncorrelate their current disabled account and create a new one in their new organisation.

Why not simply exclude such accounts from aggregation?

This is because there is a dependency to have these accounts under disabled OUs in order to generate unique sAMAccountName.

So the idea of excluding the disabled OU from aggregation is not feasible.

1 Like

Hi @mingsiewang

Maybe then you could do so by calling the remove account API once the user gets disabled by using the ISC workflow (based on identity attribute trigger). The workflow can then use the HTTP operation to remove the account from ISC itself. But this way the accounts will not be available at all, not even as un-correlated accounts.

Let me know if that helps your use case.

Thank You.
Regards
Vikas

1 Like

Not sure if this is going to work for you, but I think if you change all account attributes that are part of current correlation, then the account will be uncorrelated.

1 Like

Hi all,

Thank you for your suggestions so far!! The correlation rule wasn’t working because the manualCorrelation flag was true for these accounts (since they were provisioned by SP). As a workaround, we have implemented a workflow to set that flag to false - with this, we can now uncorrelate these accounts via our rule.

3 Likes

Hi @mingsiewang,

Please mark your solution so that later on this can be referenced by others.

Thanks

1 Like
