How to prevent if same users come form Authoritative source?

Hi
I have a user who is having 2 same account from auth source but with different worker_type.

  1. When the ISC aggregate the user at first time the Emp record is pulled back and ISC will do the provisioning for this user.
  2. When the next scheduled aggregation is happened ISC pulls the Contingent worker record and do the provisioning and deprovisioning for Emp users. And vice-versa.
  3. This is happening continuously when the aggregation happened.
  4. How to solve this issue? I don’t want to use the filters that mentioned in below post.
    Authoritative source having two accounts for same user, how to select only one? - #7 by MVKR7T

Thanks,
Shantha Kumar

Why does the user have two records - one for employee and one for contractor?

What type of connector is your source?

@agutschow The source type is Workday, it was coming from the HR itself. Somehow they have a different workertype.

Hi @Santhakumar,

in workday Employee and contigent worker are 2 distinct type of account(more or less).

I think the problem is on the account ID, usually the filenumber. The same person can have the same FILENUMBER for employee and contigent account, this depends on organization configuration.

You can try to set userID like account ID, but like FILENUMBER could be not unique.

1 Like

Hey Shantha,

To resolve this we have explored around the concept of multi-valued identity attribute and handle the worker_type scenario.

You can update the attribute as multivalued on the source level and define the same on the identity attribute level latest API below.
put-identity-attribute | SailPoint Developer Community
Mentioning multi as true.

Now that you have configured the identityAttribute on the Role Assignment definition you can use the Contains keyword.
That should sort the problem.

Please do let me know if this is helpful.

Thanks,
Aman

1 Like

Thanks @amansingh & @enistri_devo will let you know if its works

2 Likes

Hi Shantha,

This happens sometimes when a person is converted from contractor to employee and vice versa.

Workaround was to pull record from workday based on the latest assignment type. I dont have a solution on how it can be done in workday connector, but this filter was used by the workday team to generate the data for us.

Hope it helps.

Regards
Arjun

1 Like

Hi @arjun_sengupta The attribute you mentioned is from Workday side, in ISC we can’t do this right?

Hi Shantha,

its a workday attribute.

Regards
Arjun

1 Like

@arjun_sengupta @amansingh Is there any other way to stop this? Can we do anything with the help of workflows?

Hi @Santhakumar,

Maybe you can try creating 2 separate workday sources (cloned connector for same source).

  • One aggregates only worker type (can filter easily from aggregation settings) and set FILENUMBER as accountID for this.
  • Second one to aggregate only contingent workers (to filter you may need to set Exclude Employees to ‘true’ in the Response group setting) and set UserID (or any unique attribute other than FILENUMBER) as accountID for this.

For each of these user types, create:

  • Separate identity profiles
  • Separate access models (access policies, roles) to create separate accounts and manage them without interfering.
1 Like

@at2410 Yep this is one of the option. But is there a way to use workflows to stop/prevent this.

In your setup, do both the records for a user have same FILENUMBER value in workday? If yes, then it is working expectedly. It is not going to create another identity (contingent) record for the same user and instead will always link earlier created worker identity, based on FILENUMBER (accountID).

You need to tell sailpoint how two records from workday are different from each other and provisioning/aggregation for both have to be done on respective records.

I doubt workflows can help achieve anything here (or maybe I am not able to think of any solution using workflow). Workflows are meant to automate an operation in ISC, it may not be able to manipulate internal working of provisioning engine or aggregation engine in ISC.

1 Like

@at2410
Thanks for the info. Yes the both records have same FILENUMBER. Will try the first method you have given and let u know if it works.

Thanks
Shantha Kumar

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.