Modify Identity Profile and Uid

Hi Team,

Is there a possible way where we can change identity profile and uid of an identity?

Thanks,
Abhinov

The UID of an identity is tied to the authoritative source they reside in. I would think the only way to change the UID is to update the source attribute that is mapped to UID for that particular identity.

Each identity profile is tied to a single source. In order to change the identity profile of an identity, you will need to remove the identity from the current source and add them to the target source that has the identity profile you want.

Hi Abhinov,

I wanted to clarify because Colin’s answer is not accurate… I believe Colin was thinking about the identity.name of the identity, not the uid (SailPoint user name). The uid can be changed after you’ve created the identity - you can change the mapping on the identity profile or you can use a transform. It’s actually very common to implement transforms for this attribute - for example, identities are created based on an authoritative HR source, but the customer wants their uid to be their Active Directory sAMAccountName because they’re using AD pass-through authentication and they don’t want to confuse their users. In that case, I usually implement a firstValid transform on the uid – where it’s looking for AD sAMAccountName, and if not present, it uses HR employee ID, and then just as a fall back, I use static NONE (but it should never get to level 3 because all users require an HR employee ID).

The identity.name (account ID) of an identity is immutable and cannot be changed – it’s created based on the authoritative source account’s display name during that initial aggregation that creates the identity… even if the authoritative account changes display names later, the identity.name won’t change.

You can also change the identity profile of the identity. Identities can only be associated with 1 identity profile, but if you have several authoritative sources, and the identity has an account on 2+ authoritative sources, their SailPoint identity is created based on the identity profile with the highest priority. If you want to switch profiles, you would need to either delete their accounts on some authoritative sources or use the API to change the identity profile priorities so the other one is higher. See here for more details: How to migrate Identities from one Identity Profile to another?.

Thanks,

Lisa Ivy

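The three-level firstValid transform for uid that Lisa describes above, written out as an IdentityNow transform definition. This is an added example, not code from the thread; the source names "Active Directory" and "HR Source" and the attribute names sAMAccountName and employeeId are assumptions, and the transform is attached to the uid mapping on the identity profile.

```json
{
  "name": "uid - AD sAMAccountName with HR fallback",
  "type": "firstValid",
  "attributes": {
    "values": [
      {
        "type": "accountAttribute",
        "attributes": {
          "sourceName": "Active Directory",
          "attributeName": "sAMAccountName"
        }
      },
      {
        "type": "accountAttribute",
        "attributes": {
          "sourceName": "HR Source",
          "attributeName": "employeeId"
        }
      },
      {
        "type": "static",
        "attributes": {
          "value": "NONE"
        }
      }
    ]
  }
}
```

firstValid returns the first entry whose value is non-null, so an identity without an AD account keeps the HR employee ID as uid until the AD account is aggregated, and the static "NONE" only appears if both upstream values are missing.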

Hi @lisa.ivy,

Thank you for the clear explanation :)

After Colin’s reply I tried to change the UID (SailPoint user name) of one identity in an authoritative source. When I aggregated the updated file, it deleted the old account and created a new account in the authoritative source. As the UID (SailPoint user name) was changed, IDN treated this as a new account and tried to provision as per the RBA codes in my delimited file. But we already had correlation logic in place based on employee number and work email, so new accounts were not created for this identity in the target application.

This approach somehow satisfies my query, but I know it’s not a recommended approach.

Thank you,
Abhinov

Hi @colin_mckibben,

How to change the Account Name ?
We have a case here,

  1. User is initially onboarded as Contractor in IDN and all looks good.
  2. Same user will convert to Employee; SailPoint Username (UID) is changing but account Name is not changing. How to change it? For reference, putting a screenshot here.

Thanks
Navin

@naveensingiri419 you would need to remove the Identity and re-aggregate them from the authoritative source. If the identity is not an owner of any sources or access profiles, nor a member of any governance groups, doing that shouldn’t cause any issues. If they’re linked to any objects, removing the identity and re-aggregating will break those links.

Identity Name (or account name on your screenshot) can’t be changed. I don’t understand why the internally generated alphanumeric ID isn’t used as a unique identifier instead, but that account Name field is immutable. Makes going through a re-brand a fun exercise if you’re using email addresses, as essentially every identity needs to be removed and re-created, which breaks every linked object (source owners, governance group membership etc). At least that’s the info I got from expert services.


Hi @M_rtenH, this is a fun exercise to do in production. I think there should be some transform/rule/API to change the account name, or it should get updated with respect to the authoritative source application account name.

Yeah, I absolutely agree. I’m not sure what the reasoning is behind identity.name being immutable. Identity ID exists and would suit the purpose of a unique ID much better.
Perhaps the expectation is that you would use something like employee ID for the identity.name field? Not sure.

Hi @M_rtenH,

If we look at IIQ, we could modify identity.name to any name in code, but here it is immutable.

Initially identity.name is C1234 as a contractor, but when the same user converts to employee it should update to 5566 or some value, but it didn’t…

Thanks
Navin

Hello. What is the impact on SailPoint IDN and users when uid is changed this way (from HR ID to AD sAMAccountName)? What is the recommended approach to do that?