We schedule aggregations to automatically load new data from the source into IdentityNow on a regular basis. If the source supports delta aggregation, we prefer using that option to lower the aggregation times and minimize load on the system. But there are times when the system demands a full source aggregation to be run to pick up certain changes; otherwise the account in IDN remains unchanged. For example, OU moves or account deletions are only processed during full source aggregations.
When delta aggregation is enabled in the source configuration, all scheduled aggregations will run as deltas by default; there is no option to specify an additional full aggregation run on a different schedule.
Solution
To handle this problem, I came up with a workflow that will trigger an additional full source aggregation on schedule.
Configuration Steps
Create a Personal Access Token (PAT) to call the Identity Now Rest APIs from the workflow.
Create a Workflow with a Scheduled Trigger
Create an HTTP Request Action to Disable Delta Aggregation in Source Configuration
Create an HTTP Request Action to Run the Full Source Aggregation (Optimization flag optional)
Create an HTTP Request Action to Enable Delta Aggregation in Source Configuration
Here is the workflow script you can use. Please update the HTTP steps with your environment URL and credentials, and also update the source IDs and the aggregation schedule trigger as per your needs. You can disable optimization in the HTTP request action for the full aggregation if required.
I love your efforts @sharvari and the content is detailed as always.
Just an addition: in case the tenant doesn't have a workflow license, then
I guess we can create a PowerShell or Python script and schedule it in IQService, which will run the API calls for full aggregation or whatever operations we need in sequence.
We have a sequential task launcher in IIQ but not in IDN; I guess we can build the same in your workflow or in scripting, as I mentioned.
Yes, we used PowerShell to accomplish this before getting workflows in IDN.
Another thing that will have to be modified in this solution is the replacement of /cc/loadAccounts API with its equivalent v3 or beta API once it’s available.
Not sure if you have observed this. OU changes do not require a full aggregation anymore. SailPoint released a fix in the AD connector on August 14, 2023. https://community.sailpoint.com/t5/SaaS-Release-Notes/tkb-p/saas-release-notes?date=2023-08-14&env=production
According to this, the Active Directory connector now instantly returns the Resource Object to IdentityNow on any OU changes done by the AC_New Parent, which can be further utilized in any rule to work with the updated Resource Object data values.
I'm just chucking a comment in here that I found and used this today in ISC. Thank you! I needed to do this for our Okta source. In case anyone else comes upon this use case and is new to SailPoint like me: the loadAccounts API isn't advertised in the main API suite (is it some super-secret one?) and uses the source's cloudExternalId (can be viewed from VS Code or the API, I imagine) vs. the usual source ID.
Earlier, delta aggregation events were updated, but later they were removed (not sure how). I have enabled delta aggregation again and added events, but I am still not able to disable delta aggregation through the API, even though I get a 200 OK response.
The disable delta agg call is removing the events, I guess. If yes, you need to add the events back each time, using the same API call, when you are enabling delta agg.
Have you tried executing the same APIs in Postman? Or, even if you do things through the UI, were you able to run a delta agg successfully at any time? If the UI works, you can monitor the API calls it is making using the Network tab in Developer Tools. You can then call the same APIs from your script.
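Pulling the three steps of the original post (disable delta, run a full aggregation, re-enable delta) and the caveat from the last replies (disabling drops the delta events, so the enable call has to send them back) into one scheduled script, as the PowerShell/Python alternative suggested above for tenants without a workflow license. This is an added example, not the original poster's workflow export and not SailPoint's code. It assumes the tenant base URL, the standard PAT client-credentials token call, a v3 JSON Patch on the source with assumed attribute paths for the delta flag and its event list, and a cc loadAccounts path with a disableOptimization flag; confirm all of these against the real calls, for instance by watching the Network tab as suggested above.

```python
"""Scheduled full aggregation of a delta-enabled IdentityNow/ISC source.

Added example for this thread, not the original workflow and not SailPoint code.
Assumptions, to be checked against your tenant: the base URL, the PAT token
endpoint, the JSON Patch paths DELTA_FLAG_PATH / DELTA_EVENTS_PATH, and the
/cc loadAccounts path with its disableOptimization flag.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

JSON_PATCH = "application/json-patch+json"
FORM = "application/x-www-form-urlencoded"

# A transport sends (method, path, body, content_type) and returns (status, parsed json).
Transport = Callable[[str, str, Optional[object], str], Tuple[int, dict]]

# Assumed connector attribute paths; the thread only says delta aggregation is a
# source configuration setting and that disabling it drops the event list.
DELTA_FLAG_PATH = "/connectorAttributes/deltaAggregation"
DELTA_EVENTS_PATH = "/connectorAttributes/deltaAggregationEvents"


def get_token(base_url: str, client_id: str, client_secret: str) -> str:
    """Exchange a Personal Access Token (client id/secret) for a bearer token."""
    query = urllib.parse.urlencode({"grant_type": "client_credentials",
                                    "client_id": client_id,
                                    "client_secret": client_secret})
    req = urllib.request.Request(f"{base_url}/oauth/token?{query}", method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())["access_token"]


def http_transport(base_url: str, token: str) -> Transport:
    """Real transport built on urllib, so nothing beyond the stdlib is needed."""
    def send(method, path, body, content_type):
        data = None
        if body is not None:
            data = (urllib.parse.urlencode(body) if content_type == FORM
                    else json.dumps(body)).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        if data is not None:
            req.add_header("Content-Type", content_type)
        with urllib.request.urlopen(req, timeout=120) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    return send


def delta_patch(source_id: str, enabled: bool, events: List[str]):
    """JSON Patch toggling delta aggregation on /v3/sources/{id}. Per the thread,
    disabling clears the event list server-side, so enabling always sends the
    events back in the same request."""
    ops = [{"op": "replace", "path": DELTA_FLAG_PATH, "value": enabled}]
    if enabled:
        ops.append({"op": "replace", "path": DELTA_EVENTS_PATH, "value": list(events)})
    return ("PATCH", f"/v3/sources/{source_id}", ops, JSON_PATCH)


def load_accounts(cloud_external_id: str, disable_optimization: bool = True):
    """Full aggregation via the cc endpoint, keyed by the source's cloudExternalId
    rather than its v3 id (path and flag name are assumptions)."""
    return ("POST", f"/cc/api/source/loadAccounts/{cloud_external_id}",
            {"disableOptimization": "true" if disable_optimization else "false"}, FORM)


def run_full_aggregation(send: Transport, source_id: str, cloud_external_id: str,
                         delta_events: List[str], disable_optimization: bool = True):
    """Disable delta, run the full aggregation, then re-enable delta. The re-enable
    sits in a finally block so a failed aggregation cannot leave the source stuck
    in full-aggregation mode for every later scheduled run."""
    log: List[Tuple[str, int]] = []

    def step(name, call):
        method, path, body, content_type = call
        status, _ = send(method, path, body, content_type)
        log.append((name, status))
        if status >= 300:
            raise RuntimeError(f"{name} failed with HTTP {status}")

    step("disable_delta", delta_patch(source_id, False, delta_events))
    try:
        step("full_aggregation", load_accounts(cloud_external_id, disable_optimization))
    finally:
        step("enable_delta", delta_patch(source_id, True, delta_events))
    return log


if __name__ == "__main__":  # placeholder values; replace with your tenant's
    base = "https://TENANT.api.identitynow.com"
    tok = get_token(base, "PAT_CLIENT_ID", "PAT_CLIENT_SECRET")
    print(run_full_aggregation(http_transport(base, tok), "SOURCE_ID",
                               "CLOUD_EXTERNAL_ID", ["EVENT_1", "EVENT_2"]))
```

The transport is injected rather than hard-wired so the step order and the re-enable-on-failure path can be exercised against a recording stub before the script is scheduled in IQService or cron. Because the thread reports a 200 OK from the disable call without the setting actually changing, a scheduled run should also read the source back after the enable step and alert if the delta flag or the event list does not match what was sent, rather than trusting the status code alone.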