IDN Multiple Authoritative Source in Single Identity

Hi Experts,

I would like to understand: should an identity hold multiple authoritative sources?

Example:
Identity: Bernard
Accounts: HRMS Record 1, HRMS Record 2, AD

I would like to know whether it is a best practice to configure an identity to hold multiple HRMS accounts. This usually happens when an employee is a rejoining user and the organization is not utilizing the same HRMS record.

Hi @BernardNetpoleon

Yes, a user can have multiple HR accounts (same or different HR sources).

A couple of years back, we used in-house HR applications, where we could control whether to delete the old HR record or re-activate it when an employee joined back.

But today we are using products like SAP SuccessFactors, Workday or something similar, in which there will be a new record for every employment. Leaving aside rejoining the organization, when a user has multiple employments (multiple job positions) we will have multiple HR records.

  1. Just ignore it and let the identity have multiple HR records. But the problem is that you need to update your Transforms to choose which account to use. Even if you don't need a Transform, you still need to have one, as the IdentityProfile mapping doesn't know which account to get the data from.

  2. If you would like to avoid this, and your current scenario is just an old record and a new record, then the old record will definitely be inactive, so use FilterString to filter those records in Aggregation, which will ignore all the old records.

Hope this helps.

Thanks
Krish

Hi Bernard,

You can define priority for identity profiles. The HR record from the higher identity profile shall be considered to create the identity and the other HR record shall remain as an account.
Refer to this link. Do note this link mentions the use of cc APIs. You can achieve the same with V3 APIs as well.

P.S. The lower the priority value, the higher the priority, i.e. 1 is considered to be higher priority than 10.

Hi Krishna,

I agree with your point. What if I just let old records and new records sit in 1 identity? What should I do to make SailPoint IDN always read the new record?

Regards,
Bernard

Hi G,

What if there is only 1 identity profile mapping?

You need to use filters to choose which account to use for every attribute, for example:

```json
{
  "attributes": {
    "attributeName": "HIREDATE",
    "sourceName": "Corporate HR",
    "accountSortAttribute": "created",
    "accountSortDescending": true,
    "accountReturnFirstLink": true,
    "accountPropertyFilter": "(WORKER_STATUS__c == \"active\")"
  },
  "type": "accountAttribute",
  "name": "Account Attribute Transform"
}
```

For more information, refer to this [Account Attribute | SailPoint Developer Community](https://Account Attribute Transform)

This is applicable when an identity has accounts from multiple HR sources; in that case, which HR source the identity is created from is based on Identity Profile priority.

When a user has multiple accounts in the same HR source, there is a problem in reading data for each attribute, as there will be ambiguity. It will read the data from whichever account it gets first. Sometimes it will also read the data from an inactive account, which leads to disabling/deleting target source accounts.

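A simplified Python model of how the transform settings posted in the thread pick one account when an identity holds two records on the same HR source, including the case where the stale record wins. This is an added example, not SailPoint code and not written by any poster; the account records, the `select_value` helper, the defaults and the selection order (filter, then sort, then pick) are assumptions made for illustration.

```python
# Constructed sample: one identity, two records on the same HR source.
ACCOUNTS = [
    {"id": "HRMS Record 1", "created": "2019-03-01T00:00:00Z",
     "WORKER_STATUS__c": "inactive", "HIREDATE": "2019-03-01"},
    {"id": "HRMS Record 2", "created": "2024-06-10T00:00:00Z",
     "WORKER_STATUS__c": "active", "HIREDATE": "2024-06-10"},
]


def is_active(account):
    # Stands in for accountPropertyFilter: (WORKER_STATUS__c == "active")
    return account.get("WORKER_STATUS__c") == "active"


def select_value(accounts, attribute, sort_attribute="created",
                 sort_descending=False, return_first_link=False,
                 property_filter=None):
    """Assumed model of account selection: filter, sort, then pick a value."""
    candidates = [a for a in accounts
                  if property_filter is None or property_filter(a)]
    # ISO 8601 timestamps in one format sort correctly as strings.
    candidates.sort(key=lambda a: a.get(sort_attribute) or "",
                    reverse=sort_descending)
    if not candidates:
        return None
    if return_first_link:
        # Take the first account's value even when it is empty.
        return candidates[0].get(attribute)
    # Otherwise fall through to the first account that has a value.
    return next((a[attribute] for a in candidates
                 if a.get(attribute) is not None), None)


def ambiguous(accounts, property_filter=None):
    """True when more than one account survives the filter."""
    return sum(1 for a in accounts
               if property_filter is None or property_filter(a)) > 1


if __name__ == "__main__":
    # No filter, default sort: the old inactive record supplies the value.
    print(select_value(ACCOUNTS, "HIREDATE"))
    # Settings from the thread: newest active record supplies the value.
    print(select_value(ACCOUNTS, "HIREDATE", sort_descending=True,
                       return_first_link=True, property_filter=is_active))
```

Without the filter, a newest record with an empty attribute falls back to the old record's value unless the first link is forced, so the sort settings alone do not keep inactive data out.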