Account Aggregation

Account Aggregation tasks scan all applications, discover users and entitlements on those applications, and, optionally, correlate those users and entitlements with roles.

Identities that have changed since the last aggregation performed on an application are marked as needing refresh to increase the performance of identity refresh tasks. You can disable this function.

You can perform the correlation functions as part of this task or run account aggregation on all of the applications in your enterprise and then correlate the Identity Cubes with all of the aggregated information using an identity refresh task.

To perform aggregation on a composite application, you must include the composite application and all of the applications that have accounts with which it is associated in the task definition.

Note: You must run the Target Aggregation task after this task is complete if you have activity targets set. This task removes all targets when it is run. See Target Aggregation.

The information scanned and updated is determined by the following criteria when the task is created or edited. You can use any combination of options to build a task.

Option / Description

Select an application to scan

The dropdown list of all applications.

Optionally select a rule to assign capabilities or perform other processing on new identities

If accounts are discovered that do not have matching identities in the IdentityIQ application, the rule specified here is used to create a new Identity Cube.

These rules are created during configuration and deployment.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

Refresh assigned and detected roles

Scan for newly assigned roles and update Identity Cubes.

IMPORTANT: It is not recommended to use this setting if you are also using the Identity Refresh task to manage entitlement correlation or provisioning, as this can result in unintended or incomplete provisioning.

Check active policies

Scan for policy violations and update Identity Cubes.

Only create links if they can be correlated to an existing identity.

Check this option to update existing identities but not create new identities when no matching identity is found.

Refresh the identity risk scorecards

Scan for risk score information and update identity risk score cards.

Maintain identity histories

Compare current Identity Cubes to the existing Identity Cube history (snapshots) and create new snapshots if any changes are discovered.

Enable Delta Aggregation

Enable the connector to aggregate only those accounts that have changed since the last aggregation. This requires support by the connector.

Detect deleted accounts

Compare current aggregated accounts with the accounts previously aggregated and report any deleted accounts.

Maximum deleted accounts:
This is the maximum number of accounts that can be flagged for deletion after an account aggregation. If this number is exceeded, no accounts are deleted from the application.

Refresh assigned scope

Refresh assigned scope based on changes discovered during the aggregation and correlation process.

Disable auto creation of scopes

Do not automatically assign scope to identities as part of this task.

Disable optimization of unchanged accounts

Use this option to force the aggregation of all accounts, changed or unchanged since the last aggregation.

Promote managed attributes

When enabled, any values for entitlement or permissions encountered while running the task automatically get promoted as managed attributes.

Enable rename detection on managed attributes

This option affects aggregation from Active Directory. It enables IdentityIQ to detect when an account group DN has changed due to being renamed. IdentityIQ determines whether a DN is new or is a rename of an existing DN, by examining the relevant account group's GUID or UUID. Enabling this option can prevent unintended changes to access that is based on assignment rules which use DN as assignment criteria. For more information on Active Directory moves and renames, see Supporting Active Directory Native Move / Rename.

Note that when a change is made in Active Directory to an OU which contains accounts or groups (such as renaming or moving it), a delta aggregation does not pick up the changes. This is due to a limitation in Microsoft DirSync Control.

To avoid this issue, perform a full aggregation to capture the changes and update the child objects. You might have to do this regularly to ensure the data is up to date.

Disable auto-creation of applications

Do not automatically create application objects for multiplexed accounts.

Disable marking the identity as needing refresh

Disable marking only those identities on which a change was detected as needing refresh.

All identities are included in subsequent identity refresh task.

For more information on using this option to optimize performance, see Refreshing Changed Identities Only (Delta Identity Refresh).

Enable Partitioning

Enable partitioning of this task across multiple hosts.

Partitioning is not supported for PE2-based connectors.

Partitioning has to be configured on the applications and connectors before this option is valid.

Objects per partition

If the connector(s) for the selected application(s) do not support partitioning, use this field to specify the number of objects per partition. The default value is 1000.

Loss Limit

The loss limit sets the maximum number of accounts that will be reprocessed in case of a sudden termination of a partitioned refresh. This option is used only when partitioning is enabled. See Loss Limits.

Terminate when maximum number of errors is exceeded

Terminate after the specified number of errors occurs.

If the database is available, the task result contains a message indicating that the task was terminated due to excessive errors. If the database is down, the task result cannot be persisted and the task might appear to remain in the pending state.

Maximum errors before termination
Number of errors to tolerate before terminating the task.

Sequential Execution - Terminate on Error

Force applications to aggregate in the listed order and stop the aggregation task if an error is encountered.

Actions to include in the task result

Select the actions performed as part of the aggregation task for which detailed information should be included in the task results.
This task performs a number of individual actions on accounts and Identity Cubes during the aggregation and configuration processes. By default only the final results of the task are included in the task results report.
To include detailed information on the actions performed as part of the task, select those actions from the list.
Correlate Manual – identities with accounts that were manually correlated. These are not changed by the task.
Correlate Maintain – correlation information has not changed since the last time this task ran.
Correlate New Account – a new account was discovered for an existing identity and assigned.
Correlate Reassign – an existing account was reassigned from one identity to another as part of the correlation process.
Create New Identity – an account was discovered for an identity that did not exist in IdentityIQ. An Identity Cube was created for the new identity.
Ignore – an account for a new identity was discovered, but a new Identity Cube was not created. This might occur if this task is configured to perform correlation only.
Remove Account – an account discovered as part of a previous aggregation was not found during this aggregation. These accounts are removed from IdentityIQ.
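The following is an added illustrative model, not IdentityIQ's own code, of how the actions listed above relate to the "Only create links if they can be correlated to an existing identity" and "Detect deleted accounts" / "Maximum deleted accounts" options. The Store class, the email-based correlation rule, and the sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Store:
    identities: set     # known Identity Cube names
    links: dict         # (app, native_id) -> identity name, from earlier aggregations
    manual: set         # links that were correlated manually

def aggregate(app, accounts, store, only_correlated_links=False, max_deleted=None):
    """Classify each account with the action names this page lists and update the store."""
    actions, seen = {}, set()
    for native_id, attrs in accounts.items():
        key = (app, native_id)
        seen.add(key)
        if key in store.manual:                          # manual correlation is never changed
            actions[native_id] = "Correlate Manual"
            continue
        target = attrs.get("email", native_id).split("@")[0]   # assumed rule: email local part
        current = store.links.get(key)
        if target in store.identities:
            if current == target:
                actions[native_id] = "Correlate Maintain"
            else:
                actions[native_id] = "Correlate New Account" if current is None else "Correlate Reassign"
        elif only_correlated_links:
            actions[native_id] = "Ignore"                # no cube created, no link stored
            continue
        else:
            store.identities.add(target)
            actions[native_id] = "Create New Identity"
        store.links[key] = target
    if max_deleted is not None:                          # None models 'Detect deleted accounts' off
        missing = [k for k in store.links if k[0] == app and k not in seen]
        if len(missing) <= max_deleted:                  # over the limit: nothing is removed
            for k in missing:
                del store.links[k]
                actions[k[1]] = "Remove Account"
    return actions

def run_example(only_correlated_links=False, max_deleted=1):
    # Constructed sample: two cubes, four "hr" accounts linked by an earlier run, a1 linked manually
    store = Store({"alice", "bob"}, {("hr", "a1"): "alice", ("hr", "b1"): "bob",
                                     ("hr", "c1"): "bob", ("hr", "z1"): "bob"}, {("hr", "a1")})
    accounts = {"a1": {"email": "alice@example.com"},    # manual link, left alone
                "b1": {"email": "bob@example.com"},      # unchanged since the last run
                "c1": {"email": "alice@example.com"},    # now correlates to alice, not bob
                "d1": {"email": "bob@example.com"},      # new account for an existing cube
                "e1": {"email": "erin@example.com"}}     # no matching cube; z1 is no longer returned
    return aggregate("hr", accounts, store, only_correlated_links, max_deleted)
```

Running run_example(max_deleted=0) shows the "Maximum deleted accounts" safeguard: the missing account z1 exceeds the limit, so it is kept rather than removed.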