Updating Identity Cube®
Provisioning activities that occur entirely within IdentityIQ, such as assigning a business role to an identity, are the only provisioning actions that change the information in Identity Cube directly. Executing a provisioning plan, for example, does not update role detections; to update the list of detected entitlements and roles, you must perform an Identity Refresh.
Identity Refresh
Provisioning workflows generally include an Identity Refresh step that can be enabled or disabled as needed for the provisioning activity. To perform an identity refresh that updates Identity Cube, you must either:
- Include an Identity Refresh step in the workflow
- Or -
- Run an Identity Refresh task after the workflow completes
To enable the Refresh step in the workflow, the doRefresh variable must be set to True.
General Guidelines
Direct Read-write connectors – for Direct read-write connectors that process requests immediately, the Identity Refresh step is generally enabled. The changes to application accounts that the connectors make are usually displayed immediately in IdentityIQ.
Queued Requests – requests that were queued are not applied to Identity Cube until a reaggregation has occurred from the application involved. As a result, the Identity Refresh step is typically disabled for provisioning workflows that manage integration configuration-driven provisioning activities, because the refresh cannot detect any changes until after an aggregation from the source system.
Items that were processed as Work Items from the unmanaged plan are treated as queued requests, because manually closing a Work Item does not necessarily indicate all the work was completed. To confirm that the request was processed, you must perform a reaggregation from the source system. This aggregation must be followed by an identity refresh to update Identity Cube with the information.
Because the Application Accounts tab for Identity Cube displays account data that is recorded on the Link object for the identity, the tab lists the provisioned access immediately following the read-write connector commit or following a reaggregation from integration configuration-managed applications. However, the entitlement data on the Entitlement tab and in any certification is not updated until the Identity Refresh task has run.
Special Case: Optimistic Provisioning
When the workflows are configured for Optimistic Provisioning, provisioned changes appear in IdentityIQ before the changes are confirmed through reaggregation. Optimistic Provisioning assumes that provisioning requests are completed and then updates Identity Cube to display the changes when the request is submitted, not when the request is verified.
Optimistic provisioning configuration is useful for some testing scenarios or product demonstrations, but it is not an ideal configuration for most production environments. Companies often prefer that IdentityIQ indicates a confirmed state of system access and not a desired state.
To configure the workflows for Optimistic Provisioning:
- Verify that the workflow defines the optimisticProvisioning process variable. By default, most provisioning-related workflows are configured with this variable.
- Set the optimisticProvisioning process variable (or XML arg) to True. The default value is false.
Note
To modify other workflows, add the variable and then follow the steps listed above.
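The following fragment is an added illustration of where the two variables discussed above live in a workflow definition; it is not a copy of any workflow shipped with IdentityIQ, and the element layout (Variable with name, initializer and Description) is assumed from the product's workflow XML conventions.

```xml
<!-- Illustrative workflow fragment (assumed structure, not a product workflow). -->
<Workflow name="Example Provisioning Workflow">

  <!-- doRefresh controls the in-workflow Identity Refresh step.
       true  : suitable for direct read-write connectors that commit immediately,
               so detected roles and entitlements are refreshed right away.
       false : typical for queued, integration-configuration-driven requests,
               because the refresh cannot see changes until a reaggregation has
               run; schedule an Identity Refresh task after that aggregation. -->
  <Variable name="doRefresh" initializer="true">
    <Description>Run an Identity Refresh after provisioning so Identity Cube reflects the provisioned items.</Description>
  </Variable>

  <!-- optimisticProvisioning defaults to false so Identity Cube shows confirmed
       access. Set to true only for testing or demonstrations: the cube is then
       updated when the request is submitted, not when it is verified. -->
  <Variable name="optimisticProvisioning" initializer="false">
    <Description>When true, provisioned changes appear before they are confirmed by reaggregation.</Description>
  </Variable>

</Workflow>
```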