This is a basic question regarding Delta Aggregation. Is delta aggregation intended to detect changes to accounts that IIQ already knows about in addition to picking up new accounts as well? I ask because I have been running delta aggregations using the Okta connector for a couple of weeks (after having initially run a full aggregation). Last week I added an additional okta tenant to our configuration and when I ran the account aggregation task including the new tenant, no accounts within that new tenant were detected. Only after I ran a full aggregation did the accounts from within that tenant get added to the system. I’m afraid that if I run a delta aggregation that I will be missing accounts when new accounts are added to the tenant.
SailPoint keeps track of timestamp of last full account aggregation. Thats why before running delta aggregation you need to run full account aggregation once. This timestamp will be used in subsequent delta aggregations to pull accounts that are modified. Since you have ran full aggregation there is no need to worry. Delta aggregation should not delte those unless there are changes in configs and filters.
Thanks for the reply, good to know. Do you know where it tracks this information? Is it tracked on the Application object, if so do you know which field?
Sure I’ve seen those elements, but how does that track “Full vs. Delta”. Again the root of my concern here is I have an aggregation task that aggregates ALL of our Okta Tenants (we have several), and this task is set to Enable Delta. I added an additional Okta Application last week and added that application to the list of applications to aggregate on the Account Aggregation Task. Remember this task is set to Enable Delta. When I ran the aggregation accounts from the newly created Okta Application were not aggregated. I had to switch the aggregation task from delta to full. The full aggregation is SLOW, extremely SLOW. It took 17+ hours to aggregate about 30K accounts. Another responded to this thread saying that IIQ keeps track of the “Full” Aggregation, but didn’t see where it tracks that a full aggregation has taken place.
I did however, find the below info in the documentation, but I need to get assurance that aggregation in Delta will pick up on new accounts and not just detect deltas on accounts IIQ is aware of.
By default, delta aggregation fetches changes to accounts’ user profile attributes and entitlements. In order to aggregate the complete list of attributes present in a schema, add the following entry key to the application XML via the Identity IQ Debug page:
The delta for Okta user profile attributes is populated from the users API by comparing the timestamp of the last successful account aggregation against the last updated attribute.
To detect entitlement changes and deleted users, the data is populated from the logs API by comparing the timestamp of the last successful account aggregation against the published attribute.
