Splitting Identity Profiles

I have a client who needs to create a separate Identity Profile for their European users due to compliance needs. Configuring the auth sources to handle this is easy enough, but we have a few concerns:
- Duplicate identity cubes being created and new LAN IDs/AD accounts being assigned.
- Almost all access is obtained through Access Requests. New cubes being created would make this extremely hard to track and duplicate “who has what” in terms of requested Roles.

I am not seeing the ability to transfer identity cubes from one profile to another. Does anyone have any workarounds/best practices for doing something like this? Ideally, I would like to keep the same cubes and just have different auth flows.

Hi @curtis_phastetwo

Welcome to SailPoint Developer community.

If I understood correctly, you have only one authoritative source for both the Identity Profiles?

Once the account from the Authoritative source with high priority is deleted, the Identity automatically moves to the next high priority authoritative source.

Thanks
Krish

1 Like

@MVKR7T thank you for the quick response!

Correct, we have one authoritative source. It's a JDBC connector, so I would just duplicate the source config and adjust the queries.

If I am understanding correctly, it sounds like I would create the new source with only EU users and have it correlate to the existing identity cubes.
After they are aggregated and added to the cube, I would then adjust the query on the original source to remove these EU user accounts?

Appreciate the guidance.

Correct.

  1. Create another source for only EU users, adjust queries. If it is not JDBC, we can make use of filterString to filter accounts while aggregating.

  2. Create one more Identity Profile with lower priority (higher in number) than the current Identity Profile.

  3. Run Aggregation in EU Source.

  4. EU users will have 2 accounts (one from the all users Source and the other from the EU users Source) with Identity Profile set to the first one.

  5. Adjust queries in the all users Source, don’t enable Disable Account Deletion, and increase the % as well, so that it won’t generate a warning while deleting.

  6. For EU users, once the account is deleted in the all users Source, the Identity Profile automatically switches to the 2nd one.

Thanks
Krish

3 Likes
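
A pre-cutover check for steps 4 and 5 above, added here as an example; it is not code from the original posts or from SailPoint. It assumes the account lists of both sources have been exported by hand, and `Account`, `precheck_split`, the field names and the sample rows are all hypothetical or constructed. It flags EU accounts that did not correlate to an existing identity (the duplicate-cube concern) and estimates whether the resulting deletions stay within the configured deletion percentage.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    native_id: str               # account ID as read from the source
    identity_id: Optional[str]   # identity the account correlated to; None = uncorrelated

def precheck_split(all_users, eu_users, threshold_pct):
    """Findings to review before removing EU rows from the all-users query (step 5)."""
    by_identity = {a.identity_id: a for a in all_users if a.identity_id}
    # EU accounts that matched no identity: fix correlation before the cutover.
    uncorrelated = sorted(a.native_id for a in eu_users if a.identity_id is None)
    # EU accounts on an identity that has no all-users account: a new identity
    # was created instead of the existing one being reused.
    new_identities = sorted(a.native_id for a in eu_users
                            if a.identity_id and a.identity_id not in by_identity)
    # All-users accounts that disappear once the query excludes EU users.
    # This is an estimate: uncorrelated EU users are not counted here.
    moving = {a.identity_id for a in eu_users if a.identity_id in by_identity}
    to_delete = sorted(by_identity[i].native_id for i in moving)
    delete_pct = 100.0 * len(to_delete) / len(all_users) if all_users else 0.0
    within = delete_pct <= threshold_pct
    return {
        "uncorrelated": uncorrelated,
        "new_identities": new_identities,
        "to_delete": to_delete,
        "delete_pct": delete_pct,
        "within_threshold": within,
        "safe_to_cut_over": not uncorrelated and not new_identities and within,
    }

# Constructed sample data: ten accounts in the all-users source, four in the EU source.
ALL_USERS = [Account(f"u{n:02d}", f"i{n:02d}") for n in range(1, 11)]
EU_USERS = [Account("e03", "i03"), Account("e07", "i07"),
            Account("e09", None),    # did not correlate
            Account("e11", "i11")]   # landed on a brand-new identity

if __name__ == "__main__":
    for key, value in precheck_split(ALL_USERS, EU_USERS, threshold_pct=10).items():
        print(f"{key}: {value}")
```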

Perfect @MVKR7T! Thank you!
