We have two authoritative sources, one for employees (Oracle HCM) and one for contractors (NERM). Account correlation is based on the Person IDs on these systems.
When a contractor converts to a full time employee, the person ID on the account is changed to the HCM Person ID, but it is still linked to the NERM identity.
We have realized that when the provisioning of an account is done via ISC, the account has the field “manuallyCorrelated” set to TRUE and remains attached to the NERM Identity.
Is there a way to remove the correlation between an Identity and an account and set the field manuallyCorrelated to False, so that it is linked to the correct employee identity?
We do not require a manual workaround because we have a lot of users for whom we would like to link their accounts to their new identity automatically.
You need to check the priority of your two authoritative sources' identity profiles and ensure that the Employees source has a higher priority than the Contractors source. This way, SailPoint Identity Security Cloud (ISC) will always assign the identity to the profile with the highest priority when there are multiple matches.
The old Identity's accounts will not be moved to the new Identity because of this flag: manuallyCorrelated: true.
The reason ISC sets it to true is that, if an account moved to a different Identity, new account provisioning would trigger for the old identity due to Automated Roles or Requested Access, which would create duplications. To avoid that, ISC sets it to true; if it is true, the aggregation process will not recalculate.
Delete those accounts from the old Identity; when you run aggregation next time, it will calculate correlation again and move them to the new identity.
Set this flag to false using some customizations.
For customizations, you can utilize either workflows or APIs. If you go with APIs, you can run those scripts in IQ Service.
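
One way to script the flag reset described in the last reply, as an added example that is not from the thread. It assumes the ISC Update Account endpoint (PATCH /v3/accounts/{id} with a JSON Patch body) and the account fields id, identityId, manuallyCorrelated and authoritative; the tenant URL, token and sample records are placeholders.

```python
import json
import urllib.request

# Assumption: ISC "Update Account" call, PATCH /v3/accounts/{id} with a JSON Patch body.
RESET_FLAG = [{"op": "replace", "path": "/manuallyCorrelated", "value": False}]

def plan_resets(accounts, stale_identity_ids):
    """Pick accounts still pinned to a converted contractor's old identity."""
    plan = []
    for acct in accounts:
        if acct.get("identityId") not in stale_identity_ids:
            continue  # not attached to one of the old NERM identities
        if acct.get("manuallyCorrelated") is not True:
            continue  # aggregation already recalculates these
        if acct.get("authoritative"):
            continue  # never detach the account that anchors an identity
        plan.append(acct["id"])
    return plan

def build_request(api_base, token, account_id):
    """Build, without sending, the PATCH request for one account."""
    return urllib.request.Request(
        url=f"{api_base}/v3/accounts/{account_id}",
        data=json.dumps(RESET_FLAG).encode(),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json-patch+json",
        },
    )

# Constructed sample records; IDs and field values are made up.
SAMPLE_ACCOUNTS = [
    {"id": "acc-1", "identityId": "nerm-100", "manuallyCorrelated": True, "authoritative": False},
    {"id": "acc-2", "identityId": "nerm-100", "manuallyCorrelated": False, "authoritative": False},
    {"id": "acc-3", "identityId": "nerm-100", "manuallyCorrelated": True, "authoritative": True},
    {"id": "acc-4", "identityId": "hcm-200", "manuallyCorrelated": True, "authoritative": False},
]

if __name__ == "__main__":
    # Dry run: print what would be sent; pass each request to urlopen() to apply.
    for account_id in plan_resets(SAMPLE_ACCOUNTS, {"nerm-100"}):
        req = build_request("https://tenant.api.example.invalid", "<token>", account_id)
        print(req.get_method(), req.full_url, req.data.decode())
```

Review the dry-run output against the list of converted contractors before sending anything, and run it with an API credential scoped to account management only.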