Tasks for Aggregation

Tasks drive the actual work of retrieving info from the data source. There is a task type for aggregating accounts, and a task type for aggregating groups. You use the task type as a template to set up your own specific tasks, and you can have many defined tasks for each type – for example, it typical to have a separate account aggregation task for each one of your source systems.

You can also have more than one aggregation task for a given system – for example, one that runs daily to only pick up changes from that day (Delta Aggregation ), and a more thorough one that runs monthly to refresh all your data from that specific source.

The aggregation tasks can be configured with options that determine which of the task's available actions are performed in the aggregation.

An Account aggregation task is responsible for:

  • Reading the account data from the designated data source

  • Creating a Link object to represent the account or updating an existing Link object with any data changes for the account

  • Associating the accounts (Links) to an existing Identity in the system or creating new Identities to hold the accounts

There are several additional options that an Account aggregation task can be configured to perform, such as:

  • Deleting any Links for accounts that no longer exist

  • Recalculating active scopes for the installation when scoping is enabled

  • Executing some of the Identity Refresh task options

An Account Group aggregation task aggregates information about groups. Group aggregation can only be done for applications which have a group schema defined. IdentityIQ aggregates group data from one application at a time, repeating this process for each application specified in the aggregation task (in the "applications" parameter of the task).

Other tasks make updates based on aggregated data, and therefore should be run after aggregation:

  • Identity Refresh: This task scans all identities to ensure that all identity information is up-to-date and accurate. Identity Refresh scans are also used to detect and report on policy violations, which may arise due to changes in account or group associations.

  • Effective Access Indexing: Effective Access is any indirect access that was granted through another object, such as a nested group, an unstructured target, or another role. This task indexes effective access so that it can be shown on a single view of an identity.

For more information, see: