I’m a bit confused regarding correlations and the unoptimized aggregation, specifically working with Salesforce. Salesforce does not recommend or make it easy to purge historical accounts. As a result of this, we have thousands of prior accounts in the application.
In our org we have seasonal help that comes and goes. That means when someone has been gone for a period of, say, 9 months, they drop off the systems. Their identity comes back in during the next seasonal hire, but the old Salesforce account does not seem to match back up to the identity.
We have a scheduled unoptimized aggregation running nightly which I thought was the solution to this, and it definitely used to work, or so I thought.
However, there are a lot of uncorrelated accounts that don’t seem to get picked up despite matching the correlation values.
Am I missing something about ‘orphaned’ accounts that belonged once to a different identity, since the user effectively dropped off our platform entirely and although they are the same person, the identity is new?
This causes provisioning failures because the account still exists in Salesforce. It can obviously be patched via API, but that’s tedium I don’t necessarily want to oversee.
Definitely seems tied to the manuallyCorrelated eq true value in testing. Is there any impact to setting that value to ‘false’ for every uncorrelated account? Don’t want to hunt and peck.
Following this thread, because we have a similar issue.
Out of curiosity @ndanjou, do you have concerns around uncorrelated accounts? We review our sources daily to ensure no uncorrelated accounts, because we want to ensure there are no missed terms.
But similar to what you’re talking about, we can’t filter disabled accounts from Salesforce, because it will create issues for returning employees or people that regain access: SailPoint will attempt to build the account, fail, and then we have to manually enable the account in Salesforce for it to show up again properly, which is not optimal.
So we generally validate correlation is working when sources are set up. And we have pretty high confidence in the attribute set and rules we set up to correlate accounts, so we don’t really monitor daily for uncorrelated accounts. We also don’t filter active/inactive from sources, as we do still like the record to show up in the source. Service accounts are not managed by SailPoint at our org, so most sources will always have a few accounts that are not human.
Salesforce is a bit of an annoyance to manage for the reasons you stated and the fact they don’t support purging, and it fails on duplicate creation for all the common names that exist in society.
I do believe the issue can be resolved by patching uncorrelated accounts back to manuallyCorrelated eq false, since unoptimized agg will then re-correlate to the new user. Just need to write out the API script to do so.
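
A sketch of the bulk patch discussed in this thread, as an added example that is not code from any poster or from SailPoint. It plans the change for one source only, skips accounts that are still correlated, and runs as a dry run unless a sender is supplied. The `/v3/accounts/{id}` path, the `uncorrelated`, `sourceId` and `nativeIdentity` field names, the `send` callable and all sample ids are assumptions to verify against your tenant's API documentation.

```python
import json

# Constructed sample records shaped like account objects; ids and names are made up.
SAMPLE_ACCOUNTS = [
    {"id": "acct-001", "sourceId": "src-sfdc", "nativeIdentity": "jdoe@example.com",
     "uncorrelated": True, "manuallyCorrelated": True},
    {"id": "acct-002", "sourceId": "src-sfdc", "nativeIdentity": "asmith@example.com",
     "uncorrelated": True, "manuallyCorrelated": False},   # flag already clear
    {"id": "acct-003", "sourceId": "src-sfdc", "nativeIdentity": "bwong@example.com",
     "uncorrelated": False, "manuallyCorrelated": True},   # deliberate manual link, leave alone
    {"id": "acct-004", "sourceId": "src-other", "nativeIdentity": "svc-batch",
     "uncorrelated": True, "manuallyCorrelated": True},    # different source, out of scope
]

# JSON Patch body that clears the flag (field name taken from the thread).
CLEAR_FLAG = [{"op": "replace", "path": "/manuallyCorrelated", "value": False}]


def plan_patches(accounts, source_id):
    """Pick only uncorrelated accounts on one source that still carry the manual flag."""
    plan = []
    for a in accounts:
        if (a.get("sourceId") == source_id and a.get("uncorrelated") is True
                and a.get("manuallyCorrelated") is True):
            plan.append({"account_id": a["id"], "nativeIdentity": a.get("nativeIdentity"),
                         "path": f"/v3/accounts/{a['id']}",  # assumed endpoint
                         "body": CLEAR_FLAG})
    return plan


def apply_plan(plan, send=None):
    """Dry run unless a send(path, body) callable is supplied; returns an audit trail."""
    audit = []
    for step in plan:
        status = "dry-run"
        if send is not None:
            try:
                send(step["path"], step["body"])
                status = "patched"
            except Exception as exc:  # keep going, record the failure for follow-up
                status = f"failed: {exc}"
        audit.append({"account_id": step["account_id"], "status": status})
    return audit


if __name__ == "__main__":
    plan = plan_patches(SAMPLE_ACCOUNTS, "src-sfdc")
    print(json.dumps(apply_plan(plan), indent=2))
```

Keeping the returned audit list gives a record of which accounts had the flag cleared before the next unoptimized aggregation re-correlates them.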