Hi Everyone,
Many people are confused, and even I was a bit confused, about the Identity Attribute and the Display Attribute in the application configuration (Schema). I just want to give some clarity. Please let me know if I am wrong. Let’s get started.
Let’s talk about the Identity Attribute first.
The Identity Attribute picks the unique value from the application being onboarded. That value becomes the account’s nativeIdentity, and it is what links the account to an identity (the Link object). In other words, it is the attribute the application treats as unique when creating an account. If the attribute’s values contain duplicates, only the last/latest value creates the Link object from the application to an identity; the other identities carrying the duplicated value are still aggregated, but no link from the application to those identities is created. Consider the following sample data for a better understanding. Assume Customer1.csv contains the CNumber, CName, and Ccountry attributes, and that CNumber contains the duplicate value “67254”. CNumber 67254 is the same for Menno.Peters, Paul.Mayer, and Nitesh.Kunwar; Menno.Peters gets the link to the Customer1 application, and the remaining duplicate identities are created without a link from the application, as shown below. Note: the Identity Attribute is a required field.
Customer1.csv
| CNumber | CName | Ccountry |
|---|---|---|
| 10983 | Aravind.Golla | India |
| 18753 | Juhe.Begam | Pakistan |
| 23254 | Karanam.Karthik | Germany |
| 99355 | Rajesh.Illa | Germany |
| 67254 | Menno.Peters | USA |
| 67254 | Paul.Mayer | SA |
| 67254 | Nitesh.Kunwar | India |
Now we onboard the application, specifying the CNumber attribute as the Identity Attribute, as shown in the diagrams below.
If you aggregate the application, the task result shows: Identities created 7.
But if we look at the application’s accounts, only 5 accounts have been created under the application instead of the 7 the task result suggests, because the remaining two accounts are duplicates. The Identity Attribute excludes those duplicate values, takes the latest or last value, and aggregates that identity with the link to the application.
I hope you understand the importance of Identity Attribute clearly.
It’s time to look at the usage of the Display Attribute.
The Display Attribute is used as the object name as it appears throughout the IdentityIQ application, and default correlation is done based on whichever attribute we specify there.
Let’s try to understand with some examples.
Let’s onboard the application Employee1, specifying “employeeName” as the Display Attribute and run the account aggregation as follows:
Employee1.csv
| employeeId | employeeName | empLocation |
|---|---|---|
| 201 | Rohit.Sharma | Hyd |
| 202 | Virat.Kolhi | Krl |
| 203 | Dhoni.Ms | Che |
| 204 | Dhoni.Ms | MH |
In the Correlation configuration, no Account Correlation is selected and no Correlation Rule either. Run the account aggregation task with the Detect deleted accounts and Disable optimization of unchanged accounts options enabled.
See the results:
Looking at the result screenshot above, we can see that 201 (Rohit.Sharma), 202 (Virat.Kolhi), and 203 (Dhoni.Ms) were created. 204 (Dhoni.Ms) was not created as a new identity; it shows as CorrelateNewAccount with Dhoni.Ms, because an identity named Dhoni.Ms had already been created before it (we specified the employeeName attribute as the Display Attribute), so it correlates. This shows that correlation depends on which attribute we specify as the Display Attribute. Does it make sense?
Observe the below screenshots.
Cool, let’s try another way to get clarity on whether correlation is done by the Identity Attribute or by the Display Attribute.
Consider Employee2.csv
| employeeId | employeeName | empLocation |
|---|---|---|
| 203 | Dhoni.Ms | MH |
| 204 | Adharsh.Katte | Joburg |
| 208 | Amar.Nath | Santon |
| 334 | Karthik.Kota | RoseBank |
Let’s configure the application, but this time select employeeId as the Identity Attribute and empLocation as the Display Attribute, and run the aggregation task.
See the results:
From this result we can see that correlation is not done based on the Identity Attribute. If it were, then since employeeId is the Identity Attribute in the schema and 203 and 204 were already present in IIQ, no new identities should be created for them; they should simply correlate and give results like this:
Accounts scanned: 4
Identities created: 2
Identities updated: 2
But that did not happen, which means correlation is not happening based on the Identity Attribute. Then how are the identities being created?
Cool! See the below screenshots.
Identities were created based on the attributes we specified in the Display Attribute.
Let’s take another example:
Consider Employee3.csv
| employeeId | employeeName | empLocation |
|---|---|---|
| 7645 | Adharsh.Katte | Joburg |
| 9856 | Amar.Nath | Santon |
| 12345 | Karthik.Kota | RoseBank |
| 987 | Harish.Kandha | USA |
Configure the application by specifying employeeId as the Identity Attribute and employeeName as the Display Attribute, then run the account aggregation and see the results.
Task Results:
Four identities are created without correlation because none of the previous applications (Customer1, Employee1, and Employee2) created identities with these names. The accounts ‘Amar.Nath’ and ‘Karthik.Kota’ were present in Employee2, but in the Employee2 example ‘empLocation’ was set as the Display Attribute, so those identities were created with the empLocation value as their name, and hence no matching identity is found in the Employee3 example.
Conclusion:
From this entire explanation, we can conclude a few things.
- The identity is created based on the Display Attribute (that is the value searched for in the identity warehouse).
- Correlation is not done based on the Identity Attribute if we don’t select any Account Correlation or Correlation Rule.
- In that case, correlation is done based on the Display Attribute only.
- The Identity Attribute is used for pulling unique data from the application and aggregating it into IIQ.
- If you do not provide any value for the Display Attribute, the account is created in SailPoint with the value you provided in the Identity Attribute.
- This applies regardless of whether you select the Authoritative Application option.
How does correlation work if we specify Account Correlation, Display Attribute and Correlation Rule?
Correlation: It is the process of finding the identity to which an account from the application should be linked (or added) in SailPoint. It avoids duplicate identities with different application links; ideally all those accounts link to a single identity, because they all belong to one person.
If you specify all options, like Display Attribute, Account Correlation, and Correlation Rule, SailPoint will follow the hierarchy. It will execute as follows:
- Correlation Rule in Aggregation Rules
- Account Correlation in Correlation (based on how many attributes you specify, evaluated from top to bottom)
- Display Attribute in Schema
If none of the above finds a match, the identity is not found, and a separate identity (an Uncorrelated Account) is created with the link. Later, you have to manually correlate it with the existing identity using Identity Correlation, so that the account is linked to that identity. Then you can run the Prune Identity Cube task to delete the identities that no longer have any accounts.
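To make the behaviour above concrete, here is a small Python model of aggregation and correlation, written for this post as an illustration; it is not SailPoint code and simplifies IdentityIQ heavily. It replays the Customer1, Employee1, Employee2, and Employee3 runs described earlier (reproducing the 7 identities but 5 accounts for Customer1, the one correlated Dhoni.Ms account in Employee1, and the four new identities in Employee2 and Employee3) and then shows the correlation hierarchy from the last section: a correlation rule is consulted first, account correlation second, and the Display Attribute last. Assumptions are labelled in the code: the Display Attribute for Customer1 is taken to be CName (the post does not say), the last row with a duplicate Identity Attribute value keeps the link (following the post’s “last/latest value” wording), and the correlation rule and the employeeName account-correlation pair in the hierarchy demo are constructed for the demonstration. The Prune Identity Cube step is modelled as deleting identities that own no link.

```python
"""Toy model of IdentityIQ-style aggregation and correlation (constructed for this
example, not SailPoint code): the Identity Attribute supplies each link's
nativeIdentity, and correlation tries rule, then account correlation, then Display
Attribute, creating a new identity when nothing matches."""
from typing import Callable, Iterable, Optional

def new_warehouse() -> dict:
    """Identities by name, plus application links keyed (app, nativeIdentity) -> name."""
    return {"identities": {}, "links": {}}

def aggregate(wh: dict, app: str, rows: Iterable[dict], identity_attr: str,
              display_attr: Optional[str] = None,
              correlation_rule: Optional[Callable[[dict, dict], Optional[str]]] = None,
              account_correlation: Iterable[tuple] = ()) -> dict:
    """Aggregate one application's accounts; returns task-result style counters.
    identity_attr: Identity Attribute (required), display_attr: Display Attribute,
    correlation_rule(account, warehouse) -> identity name or None (tried first),
    account_correlation: ordered (account_attr, identity_attr) pairs (tried second)."""
    identities, links = wh["identities"], wh["links"]
    stats = {"scanned": 0, "created": 0, "correlated": 0}
    for account in rows:
        stats["scanned"] += 1
        native_id = account[identity_attr]
        # Without a Display Attribute the identity is named after the Identity Attribute
        display = account[display_attr] if display_attr else native_id
        target = None
        if correlation_rule is not None:                     # 1. correlation rule
            target = correlation_rule(account, wh)
            if target not in identities:
                target = None
        if target is None:                                   # 2. account correlation
            for acct_attr, id_attr in account_correlation:
                target = next((name for name, ident in identities.items()
                               if ident.get(id_attr) == account.get(acct_attr)), None)
                if target is not None:
                    break
        if target is None and display in identities:         # 3. display attribute
            target = display
        if target is None:                                   # no match: new identity
            target = display
            identities[target] = {"name": target}
            stats["created"] += 1
        else:
            stats["correlated"] += 1
        # One link per nativeIdentity: a later row with a duplicate Identity Attribute
        # value replaces the earlier link, leaving that earlier identity unlinked (assumption).
        links[(app, native_id)] = target
    return stats

def account_count(wh: dict, app: str) -> int:
    """Accounts (links) the application holds after aggregation."""
    return sum(1 for linked_app, _ in wh["links"] if linked_app == app)

def prune_identity_cubes(wh: dict) -> int:
    """Delete identities that own no link; returns how many were removed."""
    linked = set(wh["links"].values())
    orphans = [name for name in wh["identities"] if name not in linked]
    for name in orphans:
        del wh["identities"][name]
    return len(orphans)

# Sample data transcribed from the post's CSV tables.
def _rows(keys, *values):
    return [dict(zip(keys, v)) for v in values]
CUSTOMER1 = _rows(("CNumber", "CName", "Ccountry"),
    ("10983", "Aravind.Golla", "India"), ("18753", "Juhe.Begam", "Pakistan"),
    ("23254", "Karanam.Karthik", "Germany"), ("99355", "Rajesh.Illa", "Germany"),
    ("67254", "Menno.Peters", "USA"), ("67254", "Paul.Mayer", "SA"),
    ("67254", "Nitesh.Kunwar", "India"))
EMP = ("employeeId", "employeeName", "empLocation")
EMPLOYEE1 = _rows(EMP, ("201", "Rohit.Sharma", "Hyd"), ("202", "Virat.Kolhi", "Krl"),
                  ("203", "Dhoni.Ms", "Che"), ("204", "Dhoni.Ms", "MH"))
EMPLOYEE2 = _rows(EMP, ("203", "Dhoni.Ms", "MH"), ("204", "Adharsh.Katte", "Joburg"),
                  ("208", "Amar.Nath", "Santon"), ("334", "Karthik.Kota", "RoseBank"))
EMPLOYEE3 = _rows(EMP, ("7645", "Adharsh.Katte", "Joburg"), ("9856", "Amar.Nath", "Santon"),
                  ("12345", "Karthik.Kota", "RoseBank"), ("987", "Harish.Kandha", "USA"))

def run_post_scenarios() -> dict:
    """Replay the post's four aggregations, in order, against one warehouse."""
    wh = new_warehouse()
    # Assumption: CName is the Display Attribute for Customer1 (the post does not say)
    out = {"Customer1": aggregate(wh, "Customer1", CUSTOMER1, "CNumber", "CName")}
    out["Customer1"]["accounts"] = account_count(wh, "Customer1")
    out["Employee1"] = aggregate(wh, "Employee1", EMPLOYEE1, "employeeId", "employeeName")
    out["Employee2"] = aggregate(wh, "Employee2", EMPLOYEE2, "employeeId", "empLocation")
    out["Employee3"] = aggregate(wh, "Employee3", EMPLOYEE3, "employeeId", "employeeName")
    out["pruned"] = prune_identity_cubes(wh)  # duplicates of 67254 left without a link
    return out

def run_hierarchy_demo() -> dict:
    """Employee2 with a constructed correlation rule and an account-correlation pair
    configured, showing the order in which the three mechanisms are consulted."""
    wh = new_warehouse()
    aggregate(wh, "Employee1", EMPLOYEE1, "employeeId", "employeeName")
    def rule(account: dict, _wh: dict) -> Optional[str]:
        # Constructed rule: an external lookup says account 204 belongs to Rohit.Sharma
        return {"204": "Rohit.Sharma"}.get(account["employeeId"])
    stats = aggregate(wh, "Employee2", EMPLOYEE2, "employeeId", "empLocation",
                      correlation_rule=rule, account_correlation=[("employeeName", "name")])
    stats["links"] = {n: wh["links"][("Employee2", n)] for n in ("203", "204", "208", "334")}
    return stats
```

Running `run_post_scenarios()` returns the counters for each application in sequence (Customer1 scans 7, creates 7 identities, but holds only 5 accounts, and two identities are pruned afterwards), while `run_hierarchy_demo()` shows account 204 taken by the rule, 203 taken by account correlation on employeeName, and 208 and 334 falling through to new identities named after the Display Attribute value.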