One large issue I find in IDN is the default behavior to bring in uncorrelated accounts. It may not be obvious in the UI, but this requires a shell of an identity to be created to hold this uncorrelated account, which the uncorrelated account now basically sticks to, even though a new identity may have been aggregated in from a true auth source which we now expect that account to move over to, but it does not. This could be the case for someone who was rehired many years after their original employment with the company and whose underlying application accounts still stuck around. To force the correlation to happen to the new correct cube, you must perform an un-optimized account aggregation via a private /cc endpoint, which is definitely not ideal.
In IdentityIQ, in an account aggregation’s options, we could check off an option to only bring in account links if they correlate to an existing identity cube. This option is not present today in the IDN UI and I tried putting the same backend IIQ option name in the source attributes with no luck. Has anyone figured if this is possible in IDN yet?
@MVKR7T I am talking about “Only create links if they can be correlated to an existing identity” option that can be checked in an Account Aggregation task in IIQ.
@KevinHarrington I don’t want to bring in accounts at all if they do not correlate. I am not creating dummy identities either. I am saying it happens in the backend by default in IDN.
I get it - I think this is just a slight difference in understanding how uncorrelated accounts are held by IDN.
I’ve never tried to do what you’re looking for as I think it’s generally better to have the uncorrelated accounts in IdentityNow though so you can more easily see which accounts aren’t being managed by IDN and troubleshoot why. Then I usually just give customers a script to run an unoptimized aggregation and tell them to run it weekly.
If you don’t enable this option, identities will be created. If not enabled, it will be just accounts (Links). If not correlated, you do have them as uncorrelated accounts. You can correlate manually using Identities → Identity Correlation.
When it comes to IDN, you don’t need this option at all as we control identity creation through Identity Profile.
The representation might be different, but the core concept is the same in my opinion.
Then I would question, why do you have uncorrelated accounts in the first place?
Your correlation config is not covered for all scenarios?
You have duplicate accounts in the target source?
You have bad data in the target source?
Maybe you need to do cleanup?
The Identity Management tool should control what accounts should be there in the target source, right, as the IDM tool is responsible for it.
Maybe this will give you some insights into what needs to be done, hopefully.
Still, if you don’t want to bring in uncorrelated accounts at all, then there is a possibility if you can use filterString.
But how do you know that accounts will be uncorrelated if you filter them during aggregation?
If you have some pre-defined conditions like department or any attribute you can use to filter, then it will work for your requirement.
Based on my experience, I would say leave the uncorrelated accounts. The only concern you should have is that no user account should go uncorrelated.
There are IAM metrics to keep the uncorrelated accounts and identities to a minimum.
If you keep storing the uncorrelated accounts, this would be huge and come under leadership observation. Again, it’s not a best practice.
Also, how would you control the accounts which are sure to be uncorrelated during the Day 0 migration?
This all boils down to the option which is available in IIQ but not in IDN.
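As an added illustration (not SailPoint code and not the IDN API), the check below evaluates an ordered correlation config over a constructed inventory and flags accounts that are still held on a shell identity even though a real authoritative identity now matches them, which is the rehire case from the original question; the rule pairs, attribute names and the "uncorr-" shell prefix are assumptions.

```python
# Constructed example: IDN-style ordered correlation rules evaluated over a
# small in-memory inventory, plus two hygiene checks a team could report on.
# (account attribute, identity attribute), tried in order like IDN correlation.
CORRELATION_RULES = [
    ("employeeNumber", "employeeId"),
    ("mail", "email"),
]

# Constructed authoritative identities (e.g. aggregated from an HR source).
IDENTITIES = [
    {"id": "id-1001", "employeeId": "E1001", "email": "a.smith@example.com"},
    {"id": "id-1002", "employeeId": "E1002", "email": "b.jones@example.com"},
]

# Constructed application accounts. "identityId" is the identity IDN currently
# holds the account on; shell identities are named "uncorr-*" here (assumed).
ACCOUNTS = [
    {"nativeIdentity": "asmith", "employeeNumber": "E1001", "mail": None, "identityId": "uncorr-7"},
    {"nativeIdentity": "bjones", "employeeNumber": None, "mail": "b.jones@example.com", "identityId": "id-1002"},
    {"nativeIdentity": "svc-backup", "employeeNumber": None, "mail": None, "identityId": "uncorr-9"},
]

def correlate(account, identities, rules=CORRELATION_RULES):
    """Return the first identity matched by the ordered rules, or None."""
    for acct_attr, ident_attr in rules:
        value = account.get(acct_attr)
        if not value:
            continue  # rule does not apply when the account lacks the attribute
        for ident in identities:
            if ident.get(ident_attr) == value:
                return ident
    return None

def find_stuck_accounts(accounts, identities, shell_prefix="uncorr-"):
    """Accounts held on a shell identity that now correlate to a real identity.
    These are the accounts the thread says only an unoptimized aggregation moves."""
    stuck = []
    for acct in accounts:
        if not acct["identityId"].startswith(shell_prefix):
            continue
        match = correlate(acct, identities)
        if match is not None:
            stuck.append((acct["nativeIdentity"], acct["identityId"], match["id"]))
    return stuck

def uncorrelated_count(accounts, shell_prefix="uncorr-"):
    """Metric: how many accounts are still held by shell identities."""
    return sum(1 for a in accounts if a["identityId"].startswith(shell_prefix))
```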