Delta Aggregation
SailPoint's Identity Governance connector for ServiceNow supports the delta aggregation of accounts.
Prerequisites
To support delta aggregation, you must create the following Access Control List (ACL) in global scope and assign it to the x_sapo_iiq_connect.admin role:
| ACL | Type | Operation | Name | Attribute |
|---|---|---|---|---|
| sys_audit_delete | record | read | Audit Deleted Record[sys_audit_delete] | None |
To support delta aggregation, ensure you have created the ACL in global scope and assigned it to the x_sapo_iiq_connect.admin role.
Delta aggregation does not detect deleted accounts. SailPoint recommends performing a full aggregation to detect deleted accounts on ServiceNow.
Note
- Delta aggregation does not fail when the sys_user_grmember table returns bad data. For example, if a record in the sys_user_grmember table has a missing value for the Group or User column, delta aggregation still completes.
- Delta aggregation is not supported for groups.
- If this ACL is not created, deleted connections from the users are not detected during delta aggregation.
- In SailPoint Identity Governance connector version 1.0.5 or prior, delta aggregation reads users' deleted connections from the sys_audit_delete table.
- For improved delta aggregation performance, ensure you have the SailPoint Identity Governance connector version 1.0.6 or later.
- To improve performance further, table cleanup policies can be configured on the x_sapo_iiq_connect_user_roles_and_group_deletes table. For more information on table cleanup policies, refer to Deleting With Table Cleanup Policies.
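Because delta aggregation completes even when sys_user_grmember rows lack a Group or User value, incomplete memberships do not surface as an aggregation error. The following added example (not SailPoint or ServiceNow code) flags such rows in a JSON export of the table; it assumes the export has the Table API response shape with the `user` and `group` reference columns, and all sample values are constructed.

```python
import json

# Constructed sample shaped like a ServiceNow Table API response for
# sys_user_grmember. Every sys_id and URL below is made up for illustration.
SAMPLE_EXPORT = json.dumps({"result": [
    {"sys_id": "a1",
     "user": {"link": "https://example.invalid/sys_user/u1", "value": "u1"},
     "group": {"link": "https://example.invalid/sys_user_group/g1", "value": "g1"}},
    {"sys_id": "a2", "user": "", "group": {"value": "g1"}},   # empty User
    {"sys_id": "a3", "user": "u2", "group": None},            # null Group
    {"sys_id": "a4", "user": {"value": "  "}, "group": "g2"},  # blank User
    {"sys_id": "a5", "user": "u3", "group": "g2"},
]})


def ref_value(field):
    """Return the referenced sys_id, or None when the reference is empty.

    Accepts both reference shapes: a {"link": ..., "value": ...} object
    and a bare sys_id string (reference links excluded from the export).
    """
    if isinstance(field, dict):
        field = field.get("value")
    if isinstance(field, str) and field.strip():
        return field.strip()
    return None


def find_incomplete_memberships(export_json):
    """Return (row sys_id, [missing columns]) for rows lacking user or group."""
    findings = []
    for row in json.loads(export_json).get("result", []):
        missing = [col for col in ("user", "group")
                   if ref_value(row.get(col)) is None]
        if missing:
            findings.append((row.get("sys_id", "<no sys_id>"), missing))
    return findings


if __name__ == "__main__":
    for sys_id, missing in find_incomplete_memberships(SAMPLE_EXPORT):
        print(f"sys_user_grmember {sys_id}: missing {', '.join(missing)}")
```

Rows reported here are memberships that cannot be attributed to a user or a group, so they are worth correcting in ServiceNow before relying on the aggregated entitlement data.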
Improving Delta Aggregation
To improve the delta aggregation
Upgrading to the latest version enables SailPoint to read only the deletion events (such as removing a group or role) of a user's connections from the x_sapo_iiq_connect_user_roles_and_group_deletes table.