Identity Correlation
Use the Identity Correlation page to maintain the IdentityIQ Identity Cubes which contain information about an individual user's entitlements, activity, and associated business context. Identity Cubes are created when identity aggregation is performed on your identity authoritative source. An example of an identity authoritative source is a human resources application that is the main repository for employee information and the data source that is used to build most Identity Cubes.
Note
If user accounts are discovered on at-risk applications that do not correlate to the IdentityIQ identities that were created based on the employee information in your identity authoritative sources, it may indicate a risk situation that needs to be addressed.
Because each Identity Cube is associated with an identity authoritative source, it provides a single representation of each managed identity and associated user accounts. However, user accounts on applications may not correlate to IdentityIQ identities. Some examples include the following:
- An employee who no longer works for your enterprise. They were removed from the human resources application; however, their account was not removed from every application to which they had access.
- Mismatched or redundant accounts. Accounts that were created on different applications at different times or by different administrators using variations of the employee's name, such as Tom Jones, Thomas Jones, and tjones.
To display detailed information about the account or identity, select an account ID or name. The details panels for an account and an identity can be open at the same time for comparison before you perform a merge.
Accounts that are manually assigned to identities from this page can be reassigned if necessary from the identity Application Accounts tab. Refer to Application Accounts Tab for more information.
Use the Correlated column of the Select Target Identity panel to manually change the correlation status of specific accounts.
The Identity Correlation page is divided into two panels:
- Select Uncorrelated Accounts - a list of the accounts on a specific application that are not correlated with an account detected on an authoritative source. Refer to Select Uncorrelated Accounts Panel.
- Select Target Identity - a list of all accounts detected on all applications monitored by IdentityIQ. See Select Target Identity Panel for more information.
Make selections in each panel to perform manual correlation. Refer to How to Perform Manual Identity Correlation for more information.
Select Uncorrelated Accounts Panel
The Select Uncorrelated Accounts panel displays a list of the accounts on a specific application that are not correlated with an account detected on an authoritative source. From this list you can select accounts to merge with identities.
Select an application from the Search dropdown list or enter the first few letters of an application name and make a selection from the suggest box to populate the table. Use the filtering options to reduce the number of accounts displayed at one time.
Use the Included Account Types filter to exclude specific account types from the uncorrelated list. For example, certain account types such as Service or Privileged accounts may never be assigned to specific users and, therefore, should never be correlated with a specific Identity Cube. To exclude a specific account type from the uncorrelated accounts list, select Included Account Types and clear the checkbox associated with that account type on the dropdown list.
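The following Python example is added here and is not IdentityIQ code or its correlation logic. It illustrates the name-variant mismatch described earlier together with the account-type exclusion above: accounts are matched to authoritative identities by normalized name, service and privileged accounts are set aside, and anything with no match or more than one match is left for manual correlation. The record fields, the `nicknames` attribute, and all sample data are assumptions constructed for the example.

```python
import re

# Constructed sample data (assumption): identities from an authoritative HR source.
IDENTITIES = [
    {"id": "E100", "first": "Thomas", "last": "Jones", "nicknames": ["Tom"]},
    {"id": "E101", "first": "Tina", "last": "Jones", "nicknames": []},
]
# Constructed sample data (assumption): accounts aggregated from one application.
ACCOUNTS = [
    {"account_id": "a-01", "name": "Tom Jones", "service": False, "privileged": False},
    {"account_id": "a-02", "name": "Thomas Jones", "service": False, "privileged": False},
    {"account_id": "a-03", "name": "tjones", "service": False, "privileged": False},
    {"account_id": "a-04", "name": "svc_backup", "service": True, "privileged": False},
    {"account_id": "a-05", "name": "Mary Lee", "service": False, "privileged": False},
]

def normalize(name):
    """Lowercase and drop everything except letters: 'Tom Jones' -> 'tomjones'."""
    return re.sub(r"[^a-z]", "", name.lower())

def name_keys(identity):
    """Normalized forms under which this identity's accounts may have been created."""
    last = normalize(identity["last"])
    keys = set()
    for first in [identity["first"], *identity["nicknames"]]:
        first = normalize(first)
        keys.update({first + last, first[0] + last})  # 'thomasjones', 'tjones'
    return keys

def correlate(accounts, identities, excluded_types=("service", "privileged")):
    """Sort accounts into correlated / ambiguous / uncorrelated / excluded."""
    index = {}
    for ident in identities:
        for key in name_keys(ident):
            index.setdefault(key, set()).add(ident["id"])
    out = {"correlated": {}, "ambiguous": {}, "uncorrelated": [], "excluded": []}
    for acct in accounts:
        if any(acct.get(t) for t in excluded_types):
            out["excluded"].append(acct["account_id"])  # never tied to one person
            continue
        matches = index.get(normalize(acct["name"]), set())
        if len(matches) == 1:
            out["correlated"][acct["account_id"]] = next(iter(matches))
        elif matches:
            out["ambiguous"][acct["account_id"]] = sorted(matches)  # manual review
        else:
            out["uncorrelated"].append(acct["account_id"])  # possible orphan
    return out

RESULT = correlate(ACCOUNTS, IDENTITIES)
```

In the sample, `tjones` fits both Thomas and Tina Jones, so it is reported as ambiguous rather than merged automatically, while `Mary Lee` has no authoritative record and remains uncorrelated.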
Select an Account ID to display detailed account information.
The Select Uncorrelated Accounts panel contains the ID and user name associated with the account and the date the account was created, along with the following options:
Note
The columns on this page can be configured and may display differently in your enterprise.
Column | Description |
---|---|
Account ID | Unique identifier associated with the account. |
Account Name | Name associated with the account. |
Create Date | The date when the account was created. |
Inactive Account | Inactive accounts have a value of true. This column can be used for account type filtering. |
Last login | The date when the account was last accessed. |
Service Account | Mark accounts as service accounts if appropriate. This column can be used for account type filtering. |
Privileged Account | Privileged accounts have a value of true. This column can be used for account type filtering. |
Select Target Identity Panel
The Select Target Identity panel contains a list of all accounts detected on all applications that IdentityIQ monitors. From this list you can select an identity with which to merge the uncorrelated accounts on the selected application.
Use the filtering options to display specific identities or select the filter icon to display every identity in IdentityIQ. Enter a letter string and select the search icon to search by user name or select Advanced Search for more options.
Select a name to display detailed information about the selected identity.
The Select Target Identity panel contains a variety of information about the identity, including the following:
Note
The columns on this page can be configured and may display differently in your enterprise.
Column | Description |
---|---|
Correlated | Note: This column is read only. Making changes here does not change the state of the account. The correlation status of the identity. Accounts marked as correlated no longer display on the uncorrelated accounts list or reports. |
Manager | Manager listed for this identity. |
Full email address. | |
Inactive | Current status of the identity account, active or inactive. |
Last Refresh | The date when the last identity refresh was performed on this identity cube. |
Advanced Search Options: | |
Standard Attributes: | |
Standard attributes include name, username, email, and manager fields. Enter a letter string in any of these fields to return a list of identities that have a matching string in that identity attribute value. For example, typing st in the first name field returns Steve and Hester. | |
Inactive | True - only show active identities; False - only show inactive identities |
Correlated | True - only show correlated identities; False - only show uncorrelated identities |
Searchable Attributes: Searchable attributes are defined during configuration and vary for each installation of the product. |
How to Perform Manual Identity Correlation
To perform identity correlation, complete the following steps:
1. Select Identities > Identity Correlation.
2. Choose which application to correlate identities for: select an application from the Search dropdown list or enter the first few letters of an application name and make a selection from the suggest box to populate the table. This table contains a list of the accounts on a specific application that are not correlated with an account detected on an authoritative source.
3. Select the accounts to merge with identities that were created during the aggregation of your authoritative sources.
4. In Select Target Identity, select an identity to merge with the uncorrelated accounts selected in step 3. Use the filtering options to display specific identities or select the filter icon to display every identity in IdentityIQ. Enter a letter string and select the search icon to search by user name or select Advanced Search for more options.
5. Select an identity account to merge with the accounts selected in the Select Uncorrelated Accounts panel.
6. Select Perform Merge to perform the merge for these identities.
The merge removes the accounts from the Select Uncorrelated Accounts table.