I am currently facing a challenge and would appreciate your insights and suggestions.
I need to manage an attribute of type list within an identity profile, which contains multiple accounts associated with a specific identity. This attribute is sourced from an authoritative source.
My goal is to iterate through this list of accounts received from the authoritative source during the aggregation phase. I need to determine how to utilize this list to correlate the appropriate account to a specific identity.
Additionally, I am interested in understanding if it is possible to manage a list-type attribute within the identity profile itself.
Has anyone encountered a similar scenario or can provide guidance on how to achieve this within SailPoint? Any examples or best practices would be greatly appreciated.
Can you clarify what you mean by a list-type attribute? AFAIK, multi-valued attributes aren’t supported on an Identity, but you could encapsulate a string list with a delimiter.
Also, could you provide a bit more detail on your correlation logic? Bear in mind correlation occurs “per account”, so you wouldn’t be able to correlate an account different to the one that is being iterated, if that is what you are after. Also the Identity correlation attribute has to be searchable, so it couldn’t match on a sub-string of an Identity attribute.
To clarify, the correlation logic I am aiming for is as follows:
During the aggregation from the target, I need to read the account identifier and verify if it is present in the “multi-value” string attribute mentioned earlier.
If the account identifier is present in this multi-value attribute, I would then associate that specific account with the identity that has the multi-value field populated. Essentially, it should iterate through all identities and correlate the account to the one that has the identifier in the source matching one of the elements in the multi-value string.
I understand that multi-valued attributes aren’t supported directly on an Identity, but encapsulating a string list with a delimiter could be a workaround.
I am not looking for the detailed implementation, but rather to understand which ISC tools or features combination (e.g. Rule or similar), if any, would allow me to achieve this logic.
Hi Paolo - one more question if I may. I understand that the “associated accounts” list attribute comes from the Auth Source; is it the Auth Source accounts that you are then attempting to correlate against that list or a separate source?
Hi Jeremy,
this is a separate source (target system), the goal is to read these “multiple accounts” from the authoritative source, then insert them - through an appropriate query - into a multi-value string attribute to be used later in correlation in order to correlate the multiple account(s) from the target system to the correct identity.
Do you think this is a scenario that can be implemented in IdentityNow? If so, with which tools/features?
Hi Paolo - I’m afraid, AFAIK, this would not be supported out of the box, because of 2 constraints for automatic correlation:
1. The Identity Attribute value for correlation has to be searchable
2. The Identity Attribute value for correlation has to be unique
Without automatic correlation, the accounts could be aggregated as orphans. I can then see that there would be enough information to do the linking via scripting some API calls (see Correlate account through API), but that’s getting into complexities beyond my scope, so I’m going to step back and see if anyone else from the community has some bright ideas.
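The matching step discussed in this thread, sketched as an added example that is not part of any post above and is not SailPoint code: it takes accounts aggregated as orphans and plans which identity each should be linked to, using exact token matches against the delimited string attribute. The attribute name `associatedAccounts`, the `;` delimiter, the record field names, the case-insensitive comparison and the sample data are all assumptions; the API call that would perform the actual link is deliberately left out.

```python
from collections import defaultdict

DELIMITER = ";"  # assumption: delimiter used to pack the list into one string


def build_index(identities, attr="associatedAccounts"):
    """Map each account identifier to the set of identities that list it."""
    index = defaultdict(set)
    for identity in identities:
        packed = identity.get(attr) or ""
        for token in packed.split(DELIMITER):
            key = token.strip().lower()  # assumption: identifiers compare case-insensitively
            if key:
                index[key].add(identity["id"])
    return index


def plan_correlation(identities, orphan_accounts):
    """Return (links, ambiguous, unmatched) for uncorrelated target accounts."""
    index = build_index(identities)
    links, ambiguous, unmatched = {}, {}, []
    for account in orphan_accounts:
        native_id = account["nativeIdentity"]
        owners = index.get(native_id.strip().lower(), set())
        if len(owners) == 1:
            links[native_id] = next(iter(owners))
        elif owners:
            # Listed by more than one identity: never auto-link, send to review.
            ambiguous[native_id] = sorted(owners)
        else:
            unmatched.append(native_id)
    return links, ambiguous, unmatched


# Constructed sample data (not from a real tenant).
IDENTITIES = [
    {"id": "id-001", "associatedAccounts": "jdoe;jdoe_adm; svc_backup"},
    {"id": "id-002", "associatedAccounts": "asmith;SVC_BACKUP"},
    {"id": "id-003", "associatedAccounts": ""},
]
ORPHANS = [{"nativeIdentity": n} for n in ("jdoe_adm", "asmith", "svc_backup", "doe")]

if __name__ == "__main__":
    links, ambiguous, unmatched = plan_correlation(IDENTITIES, ORPHANS)
    print("link:", links)
    print("review:", ambiguous)
    print("leave orphaned:", unmatched)
```

Matching on whole tokens rather than a substring of the packed string keeps `doe` from being attached to the identity that lists `jdoe`, and an identifier claimed by two identities is held for manual review instead of being linked to either.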