Share all details about your problem, including any error messages you may have received.
Hello,
Recently, we have connected SharePoint Online to IIQ via the SharePoint Online connector.
However, after running the aggregation, we noticed there are a huge amount of “SharingLinks” and “Limited Access System Group” entitlements being aggregated which are useless.
I heard that the customization rule for aggregation might be able to filter out those entitlements completely. Is it the only way to do so? If yes, how can we achieve that for both the group and account aggregation tasks?
Customization Rule during aggregation is the primary and most robust way to filter out these unwanted entitlements in IdentityIQ.
Is it the only way?
A Customization Rule is the most direct and recommended way within IdentityIQ to filter out unwanted data during aggregation.
Why a Customization Rule is the Best Way
Granular Control: A Customization Rule (ResourceObjectCustomization for accounts or GroupAggregationRule for groups/entitlements, depending on where they appear in your schema) allows you to inspect each incoming object from the connector before it’s saved into IdentityIQ.
Dynamic Filtering: You can write logic (in Beanshell) to identify specific patterns in the entitlement names or types and return null for those objects, effectively preventing them from being aggregated.
Flexibility: It’s more flexible than connector settings, as you can implement complex logic if needed.
Therefore, for your scenario, using Customization Rules (specifically ResourceObjectCustomization and GroupAggregationRule) is indeed the most effective and common method to achieve the desired exclusion.