Identity Profile Provisioning Settings for Multiple Accounts

Hey All,

I have a question I think I know the answer to, which will most likely turn into a feature request.
The question I have is related to Identity Profile Provisioning Settings when you want to enable accounts for “Active”, let's just say. In my case, let's say I have an identity for John Doe that has two accounts in the same source, let's call it Application1. Both accounts are correlated to John’s identity. John’s identity is currently inactive, as are both accounts in Application1. For this example, let's say John is rehired and we have the Identity Profile Provisioning Setting for “Active” to enable accounts for Application1. Currently, this will result in both accounts John has in Application1 being enabled. What I’d like to see is an account selector by criteria or rule or something (similar to Multiple Account Options on Access Profiles) so that I can choose which account to enable. The criteria could even evaluate to enable both accounts, but I would like some control on this. Ideally we’d have only one account on this app, but that is not possible at this time.
So, given the example above, does anyone know if this is currently possible? Like I stated previously, I think I know the answer is it cannot be done today.

Hi Kirk, IDN cannot deal with it when a human person has more than one account in one system, because it does not know which account to provision. Is this scenario for users that have an administrative and an end user account? If that is the case, you will need a second source to manage these “service” accounts.

Hey Julian, I appreciate the response. I will say I disagree with your statement that IDN cannot deal with multiple accounts. This is evidenced by the fact that they have the Multiple Account Options in Access Profiles so that when someone has more than one account, you can specify criteria to determine which account or accounts get the access profile assigned. If a user has more than one account correlated onto an identity (which I have this use case now), and not for admin or other account types, on an identity that is inactive and then becomes active, I’d like to specify criteria to only activate one of those accounts.
The converse of this is if I have an active identity that goes inactive, I want, and SailPoint does, deactivate all accounts from one source specified in the provisioning settings.

I think this will turn into a feature request to add an option for multiple accounts on identity profile provisioning.
