We want to create empty identity cubes to ‘store’ non-personal accounts (NPAs).
During account aggregation, accounts are aggregated which cannot be correlated to identities. These NPAs are accounts like service accounts or built-in accounts (like Administrator/Guest in AD).
To clean up the uncorrelated account list (Identities->Identity Correlation), we want to correlate the NPAs to an identity cube per application. This will reduce the list of uncorrelated accounts and show more easily if there are personal accounts which have not been correlated correctly. It will also clean up the 'Uncorrelated Accounts Report' and fix the KPI on correlation failures.
What might be the easiest way to create multiple ‘empty’ uncorrelated identity cubes? Also looking at a way to have these created by less technical people in the future (when I am off the project).
– Remold
Hi Remold,
Did you think about using Conditional Correlation? For example, to configure all NPAs (with the assumption they might have some common attribute or entitlement) like this
And then you can make them correlated to some kind of “owner” who will take care of them?
The second option would be to use the ServiceAccount identity type and set a real identity as Administrator, so this person would be able to act as a manager of these identities (it will not decrease the amount of IDs).
That sounds like an idea, however I am looking more for a ‘simpler’ solution. The IGA Administrators are not technical enough to use Postman.
I am thinking more of something like an import of XMLs, a batch request, a simple quicklink.
You just want to create an empty identity?
All I can think of is a quicklink calling a simple workflow that sends an IdentityModel with just the IdentityName to the LCM Identity create Workflow.
@Remold In one implementation, we put some logic in the Creation Rule that checks objectClass → if it’s computer, then we create computer objects that are treated as identities so we can add them in AD Groups; else we create a Service account.
In this way, we don’t need to build any WF; the Creation Rule will handle creation of the Service account during account aggregation easily.
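Code should be like:

    import java.util.List;

    // objectClass is read from the aggregated account as a list of values
    List objectClass = (List) account.getAttribute("objectClass");
    String comp = "no";
    if (objectClass != null) {
        for (Object objectc : objectClass) {
            // Flag the account as a computer object if any objectClass value contains "computer"
            if (objectc.toString().toLowerCase().contains("computer")) {
                comp = "yes";
            }
        }
    }
    if ("yes".equals(comp)) {
        // Set attribute in computer object
    } else {
        // Set attribute for Service account
    }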
Thanks @Remold, the reason for asking this is that if the admin team has the capability to run a job in the future, I thought of suggesting a simple job which does both in an automated fashion (creation and correlation) and which requires very minimal technical skills, as that’s your need.
Anyhow, if the approach is manual, a batch request can be used, as others suggested.