Identity Exception in connected Source

Hi Experts,
This all started as a user account on AD not correlating, and thus it could not do password sync.
The user's AD account was showing up as an identity exception on IDN.
I never knew this could happen.
Does it mean the record is missing something on AD?
The record is perfect on AD; it matches an account created by IDN.
Is there a report I can consult, like for identities?

1 Like

Hi Peter,

You can download the Identity Exception Report by

  1. Going to Admin > Identities > Identity Profiles
  2. Find the Identity Profile with the Exception Icon (!)
  3. Select the icon and choose either Download CSV or Download PDF to download the report

The report should then show the identity that has the exception, and the reason for the exception.

Hope this helps!

Hi Franklin,
I thought this too, but this is not the authoritative Source; it's an added Source (Active Directory).
This account is not linking despite several unoptimized aggregations.
The account for the user from the Authoritative Source comes in fine and creates an identity profile, creates a second AD account and correctly correlates accounts from other sources.

We frequently experience an issue with the same symptoms on our Okta source (non-authoritative).

What we find is that the manuallyCorrelated flag is set to true on the account, despite it not currently being correlated to an identity cube.

To verify if this is your issue, use the V3 List Accounts API (list-accounts | SailPoint Developer Community), preferably with a filter to show only the individual account you’re interested in.
Check for the following line:

"manuallyCorrelated": true,

If it is, grab the id of the account (should be in the id attribute from the above call) and use the Update Account API (update-account | SailPoint Developer Community) to change this setting to false. Here’s an example body for that API call:

[
  {
    "op": "replace",
    "path": "/manuallyCorrelated",
    "value": "false"
  }
]

Just make sure that you’re targeting the individual account you want with the Patch Account API.

Once you’ve completed this step, the account should no longer show as an identity exception, but you may need to do more to correlate the account automatically. If the Reload Account API (reload-account | SailPoint Developer Community) works for the Active Directory source you can try using that, or else you may need to perform an un-optimised aggregation of the source to trigger a new correlation attempt.

1 Like

Thank you.
Help me with how to filter out all users affected.
I was able to filter for the one user, but I have a feeling there could be more; I have seen some, but with 500+ pages of users it is not sustainable to search manually.
Any way to filter affected users?

Unfortunately the manuallyCorrelated attribute is not available as a filter attribute on the accounts search endpoint. It is available as a sort attribute, so you could do an account search for uncorrelated accounts and sort by manuallyCorrelated so that all accounts with manuallyCorrelated=true appear first and then do some clever pagination that ends when manuallyCorrelated=false. Or export the list and do your data filtering after the results are received.

Here’s an example of the above search using list-accounts | SailPoint Developer Community:

/accounts?filters=uncorrelated eq true and sourceId eq "{{sourceId}}"&sorters=-manuallyCorrelated
1 Like
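
The sort-then-stop pagination described in the last reply, as an added example that is not part of the original thread or SailPoint's own code. It assumes the V3 base URL form `https://<tenant>.api.identitynow.com/v3`, the `limit`/`offset` paging parameters and a bearer token; `fetch_page`, `stuck_accounts` and the sample records are hypothetical names and constructed data.

```python
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 250  # assumption: page size accepted by the V3 list endpoints


def fetch_page(base_url, token, source_id, offset, limit=PAGE_SIZE):
    """GET one page of /accounts with the filter and sorter from the reply above."""
    query = urllib.parse.urlencode({
        "filters": f'uncorrelated eq true and sourceId eq "{source_id}"',
        "sorters": "-manuallyCorrelated",  # descending: true rows come first
        "limit": limit,    # assumption: standard V3 paging parameters
        "offset": offset,
    }, quote_via=urllib.parse.quote)
    req = urllib.request.Request(
        f"{base_url}/accounts?{query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def stuck_accounts(get_page, limit=PAGE_SIZE):
    """Return uncorrelated accounts that still carry manuallyCorrelated=true.

    get_page(offset, limit) must return account dicts sorted true-first, so
    the scan can stop at the first row where the flag is not true.
    """
    found, offset = [], 0
    while True:
        page = get_page(offset, limit)
        for acct in page:
            if acct.get("manuallyCorrelated") is not True:
                return found
            found.append({"id": acct["id"], "name": acct.get("name")})
        if len(page) < limit:  # short or empty page: no more results
            return found
        offset += limit


# Constructed sample records, in the order the sorter would return them.
SAMPLE = [{"id": f"acct-{n}", "name": f"user{n}", "manuallyCorrelated": n <= 3}
          for n in range(1, 6)]

if __name__ == "__main__":
    # Offline run against the constructed records, two per page.
    for a in stuck_accounts(lambda off, lim: SAMPLE[off:off + lim], limit=2):
        print(a["id"], a["name"])
    # Live use (placeholders): stuck_accounts(lambda off, lim: fetch_page(
    #     "https://<tenant>.api.identitynow.com/v3", TOKEN, SOURCE_ID, off, lim))
```

Each returned `id` is the account id that the Update Account call from the earlier reply expects, so review the list before patching any of them.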
