Application Concepts

Here are some general concepts you should be familiar with as part of planning your application onboarding and configuring your applications.

Aggregation

Aggregation is the process wherein information that resides on the target system is discovered and read in to IdentityIQ. The specific information that is brought into IdentityIQ through aggregation will vary depending on the type and purpose of the target system, what data is available in the target system, and how the application is configured.

For example, when reading from a system of record such as a Human Resources system, you might want to aggregate a lot of information about each user, such as full name, department, job title, manager, and location. For a business-specific system such as an Accounts Payable system, you may aggregate only a limited set of information, such as which groups your users belong to, and which features each user has access to.

While the details of what is aggregated are largely defined by your application configuration, the actual work of aggregation is accomplished by the Account Aggregation and Account Group Aggregation tasks. These tasks have many configuration options that allow you to fine-tune the behavior of the aggregation for each application. For more information, see:

  • Tasks Overview
  • Account Aggregation
  • Account Group Aggregation

Correlation

Correlation is the process of matching aggregated accounts to existing identities. When you aggregate from an authoritative source, IdentityIQ creates an Identity Cube for each account on that source. When you aggregate from a non-authoritative source, correlation logic helps match aggregated accounts to an authoritative Identity Cube.

Correlation logic can be implemented several ways:

  • Through direct mapping of attributes – for example, the application's account attribute "mail" is mapped directly to the identity's attribute "email." Attribute mapping can be defined both in the application configuration feature and in the Rapid Setup feature.

  • Using conditions that assign application accounts to existing identities by defining attribute conditions. For example, the root account on Unix typically does not have any identifying attributes that can help when trying to correlate it to an existing identity using direct attribute mapping, so you can use a condition, such as whether the identity is a Unix application owner, to drive the correlation. Condition-based correlation can only be defined in the application configuration feature. The correlation configurations you define based on conditions can be saved and shared across multiple applications.

  • Through rules – custom BeanShell rules let you create your own specialized logic for correlation. Rules for account and manager correlation are specified in the Rules tab of the application. Rules can be built outside of IdentityIQ and imported as XML objects, or can be defined using the rule editor that can be opened in the application configuration Rules tab. For more information on working with rules, see Rules and Scripts in IdentityIQ.

Resolving Uncorrelated Accounts

The correlation logic you define in the application does not always successfully match newly-aggregated accounts to Identity Cubes. For example, accounts belonging to employees who are no longer part of your organization, or mismatched accounts that use variations on an employee's name, can result in accounts without a clear association to an existing identity.

The Identity Correlation feature lets you manually correlate these accounts to specific identities. Manual correlations are permanently retained; IdentityIQ does not change these correlations during subsequent aggregations. If a manual correlation has been made in error, it can be changed in the Identity Warehouse on the relevant Identity Cube's Application Account tab. For more information, see Identity Correlation.
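The following is an added example, not SailPoint code and not the IdentityIQ rule API: a small Python model of the three correlation strategies described in the Correlation section (direct attribute mapping, a condition for accounts such as Unix root, and a custom rule standing in for a BeanShell rule), together with the manual correlation override described in Resolving Uncorrelated Accounts. The identities, applications and accounts are constructed sample data. The model deliberately leaves an account uncorrelated when an attribute value matches more than one identity, and reports every uncorrelated account so that orphaned accounts (for example, those of former employees) surface for review rather than being guessed at.

```python
"""Toy model of account correlation during aggregation (added example; not SailPoint code)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

APPLICATION_OWNER = "APPLICATION_OWNER"   # sentinel: condition target is the app owner


@dataclass
class Identity:
    name: str
    attributes: dict          # identity attributes from the authoritative source


@dataclass
class Application:
    name: str
    owner: str                                       # identity name of the application owner
    attribute_map: dict                              # account attribute -> identity attribute
    conditions: list = field(default_factory=list)   # (predicate(account) -> bool, target identity)
    rule: Optional[Callable] = None                  # stand-in for a BeanShell correlation rule


# Constructed Identity Cubes, as created from an authoritative HR aggregation
IDENTITIES = {
    "alice": Identity("alice", {"email": "alice@example.com", "employeeId": "E100"}),
    "bob":   Identity("bob",   {"email": "bob@example.com",   "employeeId": "E101"}),
    "carol": Identity("carol", {"email": "carol@example.com", "employeeId": "E102"}),
}


def employee_id_rule(app, account, identities):
    """Hypothetical custom rule: correlate on an employee ID stamped in the gecos field."""
    emp = account.get("gecos", "")
    for ident in identities.values():
        if emp and ident.attributes.get("employeeId") == emp:
            return ident.name
    return None


UNIX = Application(
    name="Unix",
    owner="carol",
    attribute_map={"mail": "email"},
    conditions=[(lambda acct: acct["nativeIdentity"] == "root", APPLICATION_OWNER)],
    rule=employee_id_rule,
)

# Constructed accounts as read from the target system during aggregation
UNIX_ACCOUNTS = [
    {"nativeIdentity": "asmith", "mail": "Alice@Example.com"},     # direct mapping (case-insensitive)
    {"nativeIdentity": "root"},                                    # no identifying attributes
    {"nativeIdentity": "bob-svc", "gecos": "E101"},                # only the rule can place this
    {"nativeIdentity": "jdoe", "mail": "john.doe@example.com"},    # former employee: no identity
    {"nativeIdentity": "rlee", "mail": "robert.lee@example.com"},  # name variant: needs manual fix
]


def correlate(app, account, identities, manual):
    """Return (identity name or None, method). Manual correlations always win."""
    key = (app.name, account["nativeIdentity"])
    if key in manual:
        return manual[key], "manual"
    # 1. Direct attribute mapping; an ambiguous match is treated as no match.
    for acct_attr, id_attr in app.attribute_map.items():
        value = account.get(acct_attr)
        if value is None:
            continue
        matches = [i.name for i in identities.values()
                   if i.attributes.get(id_attr, "").lower() == str(value).lower()]
        if len(matches) == 1:
            return matches[0], f"attribute:{acct_attr}->{id_attr}"
    # 2. Condition-based correlation (e.g. root -> the application owner).
    for predicate, target in app.conditions:
        name = app.owner if target == APPLICATION_OWNER else target
        if predicate(account) and name in identities:
            return name, "condition"
    # 3. Custom rule as the last resort.
    if app.rule is not None:
        name = app.rule(app, account, identities)
        if name:
            return name, "rule"
    return None, "uncorrelated"


def aggregate(app, accounts, identities, manual=None):
    """Correlate every aggregated account; returns {nativeIdentity: (identity, method)}."""
    manual = manual or {}
    return {a["nativeIdentity"]: correlate(app, a, identities, manual) for a in accounts}


def uncorrelated(results):
    """Accounts with no identity: the review queue for the Identity Correlation step."""
    return sorted(native for native, (ident, _) in results.items() if ident is None)


if __name__ == "__main__":
    first = aggregate(UNIX, UNIX_ACCOUNTS, IDENTITIES)
    for native, (ident, how) in first.items():
        print(f"{native:8} -> {ident!s:6} via {how}")
    print("needs review:", uncorrelated(first))
    # A manual correlation made in Identity Correlation survives the next aggregation.
    second = aggregate(UNIX, UNIX_ACCOUNTS, IDENTITIES, {("Unix", "rlee"): "bob"})
    print("after manual correlation:", uncorrelated(second))
```

Running the block correlates asmith by attribute, root by condition and bob-svc by rule, leaves jdoe and rlee for review, and shows that a manual correlation for rlee is kept on the second aggregation while jdoe still stands out as a likely orphaned account.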

Provisioning

Provisioning is the process of writing information (that is, the attributes and values you want to update) back to your target system, based on changes made within IdentityIQ. For example, an access request managed in IdentityIQ may create a new account for the user in a target system, or a policy violation may result in a user having certain access on the target system revoked. Provisioning propagates these changes to target systems, using a Provisioning Policy as the instruction or a template for what to include as part of provisioning; this includes the creation of new accounts when new access is granted on a target system where a user does not already have an account.

Each application can have its own configurations that specify which attributes to include in provisioning, and how to set their values.

You can configure distinct provisioning policies for different actions, such as creating accounts, updating accounts, and deleting accounts.

Only some connectors support provisioning. For more information about specific connectors, refer to the IdentityIQ Connectors documentation on SailPoint's documentation portal.

For more information, see Provisioning.

Attribute Synchronization

Attribute synchronization is an automated process of pushing changes in identity attributes (such as name, email, or department) to target systems. These identity attribute changes often come from aggregation from an authoritative source, but they also might come from edits made to identities directly in IdentityIQ.

Attribute synchronization is configured globally for IdentityIQ, in the gear menu > Global Settings > Identity Mappings UI.

When you set your identity mappings, you will select which configured application(s) are updated, and which attributes (defined in the configured application schema) store the values to be synchronized.

When an attribute change comes through aggregation, attribute synchronization is initiated through a refresh task that has the Synchronize Attributes option selected. See the Identity Refresh task for information about configuring and running this task.

For more information, see Attribute Synchronization.
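As an added example (not SailPoint code and not the IdentityIQ API), the following Python models what the Identity Mappings configuration described above expresses: each identity attribute maps to one or more (application, schema attribute) targets, and a refresh with Synchronize Attributes selected pushes only the values that differ from what the target account currently holds. The mappings, identity and account data are constructed; in this model, applications where the identity has no account are skipped, since creating accounts is left to provisioning.

```python
"""Toy model of attribute synchronization after a refresh (added example; not SailPoint code)."""

# Constructed identity mappings: identity attribute -> targets to synchronize
IDENTITY_MAPPINGS = {
    "email":       [("Active Directory", "mail"), ("ServiceNow", "email")],
    "department":  [("Active Directory", "department")],
    "displayName": [("Active Directory", "displayName")],
}


def build_sync_plan(identity_attrs, links, mappings):
    """Return {application: {schema attribute: new value}} for changed values only.

    identity_attrs: the identity's current attributes (after an HR aggregation
                    or a direct edit in IdentityIQ)
    links:          {application: current account attributes} for this identity
    """
    plan = {}
    for id_attr, targets in mappings.items():
        if id_attr not in identity_attrs:
            continue                      # nothing to push for an unset attribute
        new_value = identity_attrs[id_attr]
        for app, schema_attr in targets:
            link = links.get(app)
            if link is None:
                continue                  # no account on that application: skip, don't create
            if link.get(schema_attr) != new_value:
                plan.setdefault(app, {})[schema_attr] = new_value
    return plan


def apply_sync_plan(links, plan):
    """Simulate the target systems accepting the pushed values; returns updated links."""
    updated = {app: dict(attrs) for app, attrs in links.items()}
    for app, changes in plan.items():
        updated[app].update(changes)
    return updated


# Constructed sample: HR aggregation moved Alice from Sales to Marketing
ALICE_BEFORE = {"email": "alice@example.com", "department": "Sales", "displayName": "Alice Smith"}
ALICE_AFTER = {"email": "alice@example.com", "department": "Marketing", "displayName": "Alice Smith"}
ALICE_LINKS = {
    "Active Directory": {"mail": "alice@example.com", "department": "Sales", "displayName": "Alice Smith"},
    # No ServiceNow account: the "email" -> ServiceNow mapping is skipped for her
}


if __name__ == "__main__":
    print("no change :", build_sync_plan(ALICE_BEFORE, ALICE_LINKS, IDENTITY_MAPPINGS))
    plan = build_sync_plan(ALICE_AFTER, ALICE_LINKS, IDENTITY_MAPPINGS)
    print("after move:", plan)
    synced = apply_sync_plan(ALICE_LINKS, plan)
    print("second run:", build_sync_plan(ALICE_AFTER, synced, IDENTITY_MAPPINGS))
```

The second refresh produces an empty plan once the target account has been updated, which is the property to check when debugging a mapping that keeps re-pushing the same value (typically a schema attribute whose stored form differs from the identity attribute's form).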

Rapid Setup

Rapid Setup provides an alternative way of defining application behavior and the events and processes for managing identities, in a user-friendly, guided UI.

Rapid Setup lets you separate the technical and IT-centric steps of onboarding and configuring applications (such as defining connection parameters and schemas) from the business-centric steps of defining the business processes the application should follow (for example, how to onboard applications, and how to handle common identity management scenarios such as joiner, mover, leaver, and terminating identities). It provides preconfigured processes that follow best practices for managing identities.

Rapid Setup also provides a simple UI for defining attribute-based account and manager correlation.

For more information, see Rapid Setup.