Identity Correlation
Use the Identity Correlation page to maintain the IdentityIQ Identity Cubes which contain information about an individual user's entitlements, activity, and associated business context. Identity Cubes are created when identity aggregation is performed on your identity authoritative source. An example of an identity authoritative source is a human resources application that is the main repository for employee information and the data source that is used to build most Identity Cubes.
Note: If user accounts are discovered on at-risk applications that do not correlate to the IdentityIQ identities that were created based on the employee information in your identity authoritative sources, it may indicate a risk situation that needs to be addressed.
Because each Identity Cube is associated with an identity authoritative source, it provides a single representation of each managed identity and associated user accounts. However, user accounts on applications may not correlate to IdentityIQ identities. Some examples include the following:
- An employee who no longer works for your enterprise. They were removed from the human resources application; however, their account was not removed from every application to which they had access.
- Mismatched or redundant accounts. Accounts that were created on different applications at different times or by different administrators using variations of the employee's name, such as Tom Jones, Thomas Jones, and tjones.
To display detailed information about the account or identity, click an account ID or name. The details panels for an account and an identity can be open at the same time for comparison before you perform a merge.
Accounts that are manually assigned to identities from this page can be reassigned if necessary from the identity Application Accounts tab. See Application Accounts Tab.
Use the Correlated column of the Select Target Identity panel to manually change the correlation status of specific accounts.
The Identity Correlation page is divided into two panels:
- Select Uncorrelated Accounts – a list of the accounts on a specific application that are not correlated with an account detected on an authoritative source. See Select Uncorrelated Accounts Panel.
- Select Target Identity – a list of all accounts detected on all applications monitored by IdentityIQ. See Select Target Identity Panel.
Make selections in each panel to perform manual correlation. See How to Perform Manual Identity Correlation.
Select Uncorrelated Accounts Panel
The Select Uncorrelated Accounts panel displays a list of the accounts on a specific application that are not correlated with an account detected on an authoritative source. From this list you can select accounts to merge with identities.
Select an application from the Search dropdown list or enter the first few letters of an application name and make a selection from the suggest box to populate the table. Use the filtering options to reduce the number of accounts displayed at one time.
Use the Included Account Types filter to exclude specific account types from the uncorrelated list. For example, certain account types such as Service or Privileged accounts may never be assigned to specific users and, therefore, should never be correlated with a specific Identity Cube. To exclude a specific account type from the uncorrelated accounts list, click Included Account Types and clear the checkbox associated with that account type on the dropdown list.
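The following added example illustrates the concepts above: matching application accounts to identities built from an authoritative source, tolerating name variations such as Tom Jones, Thomas Jones, and tjones, and leaving excluded account types out of the uncorrelated list. It is not IdentityIQ's correlation logic or API; the data, field names (including `nicknames`), and matching keys are constructed assumptions, and production correlation should prefer a stable key such as an employee ID over names.

```python
import re

# Constructed sample data: an HR authoritative source and one application's accounts.
HR_IDENTITIES = [
    {"id": "E1001", "first": "Thomas", "last": "Jones", "nicknames": ["Tom"]},
    {"id": "E1002", "first": "Maria", "last": "Silva", "nicknames": []},
]
APP_ACCOUNTS = [
    {"account_id": "tjones", "name": "Tom Jones", "type": "User"},
    {"account_id": "thomas.jones", "name": "Thomas Jones", "type": "User"},
    {"account_id": "bkim", "name": "Brian Kim", "type": "User"},  # no HR record
    {"account_id": "svc_backup", "name": "Backup Job", "type": "Service"},
]

def norm(value):
    """Lowercase and drop everything except letters."""
    return re.sub(r"[^a-z]", "", value.lower())

def candidate_keys(identity):
    """Normalized name variants different administrators might have used."""
    last = norm(identity["last"])
    keys = set()
    for first in [identity["first"], *identity["nicknames"]]:
        first = norm(first)
        keys |= {first + last, first[0] + last, last + first}
    return keys

def correlate(identities, accounts, included_types=("User",)):
    """Return ({account_id: identity_id}, [uncorrelated account_ids])."""
    index = {}
    for ident in identities:
        for key in candidate_keys(ident):
            index.setdefault(key, set()).add(ident["id"])
    correlated, uncorrelated = {}, []
    for acct in accounts:
        if acct["type"] not in included_types:
            continue  # excluded account types never reach the uncorrelated list
        matches = set()
        for value in (acct["account_id"], acct["name"]):
            matches |= index.get(norm(value), set())
        if len(matches) == 1:
            correlated[acct["account_id"]] = next(iter(matches))
        else:
            # No match or an ambiguous match: leave for manual review.
            uncorrelated.append(acct["account_id"])
    return correlated, uncorrelated

if __name__ == "__main__":
    print(correlate(HR_IDENTITIES, APP_ACCOUNTS))
```
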
Click an Account ID to display detailed account information.
The Select Uncorrelated Accounts panel contains the ID and user name associated with the account and the date the account was created, along with the following options:
Note: The columns on this page can be configured and may display differently in your enterprise.
| Column | Description |
| Account ID | Unique identifier associated with the account. |
| Account Name | Name associated with the account. |
| Create Date | The date when the account was created. |
| Inactive Account | Inactive accounts have a value of true. |
| Last login | The date when the account was last accessed. |
| Service Account | Mark accounts as service accounts if appropriate. |
| Privileged Account | Privileged accounts have a value of true. |
Select Target Identity Panel
The Select Target Identity panel contains a list of all accounts detected on all applications that IdentityIQ monitors. From this list you can select an identity with which to merge the uncorrelated accounts on the selected application.
Use the filtering options to display specific identities or click the filter icon to display every identity in IdentityIQ. Enter a letter string and click the search icon to search by user name or click Advanced Search for more options.
Click a name to display detailed information about the selected identity.
The Select Target Identity panel contains a variety of information about the identity, including the following:
Note: The columns on this page can be configured and may display differently in your enterprise.
| Column | Description |
| Correlated | The correlation status of the identity. Note: This column is read only. Making changes here does not change the state of the account. |
| Manager | Manager listed for this identity. |
| | Full email address. |
| Inactive | Current status of the identity account, active or inactive. |
| Last Refresh | The date when the last identity refresh was performed on this identity cube. |
| Advanced Search Options: | |
| Standard Attributes: | |
| Standard attributes include name, username, email, and manager fields. Enter a letter string in any of these fields to return a list of identities that have a matching string in that identity attribute value. | |
| Inactive | True – only show active identities; False – only show inactive identities |
| Correlated | True – only show correlated identities; False – only show uncorrelated identities |
| Searchable Attributes: | |