My organization is migrating from using one HR source to another HR source. What I am trying to discern when combing through ISC documentation is: what is the point of marking an HR source as authoritative? Identities are created via identity profiles, and we can source attributes for identity profiles from sources not marked as authoritative.
When I create the new HR source: what happens if I do not mark it as authoritative and instead just populate attributes on the identity profile using the new HR source? Is there any benefit or use case for marking a source as authoritative in ISC?
Note: I know in IIQ the auth source immediately created identities but it seems in ISC this identity creation process is tied to identity profiles and designating a source as an auth source does not seem to matter.
Hi @dominick-miller, the concept from IIQ is the same in ISC as I see it. The difference is instead of having to mark the source as authoritative in the source configuration, you have to link it to the identity profile. While creating the identity profile, you have to specify which source is your authoritative source. That means that an account aggregation from that source will create identities.
Hey @MeKhalbi - I disagree. The concept is fundamentally different with the introduction of identity profiles, unless I am missing something. Even if I say the account source on the identity profile is HR source 1, if all the attributes are pulled in from HR source 2, then HR source 1 is not actually creating identities, right?
Identities are only created for sources that are linked to an identity profile. Even though you can map identity attributes from source 2 as an example but the identity itself won’t be created if there is no account on the HR source 1
Hey @MeKhalbi,
This is good to know, thanks for clarification.
However, this is controlled by selecting the account source on the identity profile, and we are able to designate non-authoritative applications as the account source on the identity profile.
So, back to the original question, is there any benefit or need for marking a source as authoritative in ISC?
The identity profile mapping is more to specify how to populate the identity attributes. I think it’s the same as the Identity Mappings UI in IIQ where you specify the applications and application attributes from which the identity data is derived.
As an example, the HR source account doesn’t have the email attribute populated so you map the email attribute to be populated from your AD source instead. However, your authoritative source is still your HR source.
I agree 100%, but again: is there any benefit or need for marking a source as authoritative in ISC? It seems to be a legacy of how IIQ did things. Now we just need to specify the identity profile account source application, which does not need to be authoritative.
I agree this is confusing as the new way in ISC of making something authoritative to me was creating the identity profile. I tried this out in a demo tenant and it seems like it just gives you this reminder to go create the identity profile. I didn’t do any other testing besides that though.
UPDATE: Adding a little bit more here. I looked at the sources via API and found that there is an attribute set: "uiMarkAsAuthoritative": true. However the true authoritative flag is set as false still until you actually create the identity profile. So this flag is essentially pointless when creating a new source besides being a reminder to go create the identity profile.
