Identity Refresh

Refresh identity tasks scan all identities to ensure that all identity information is up-to-date and accurate. Refresh identity scans are also used to detect and report on policy violations and launch event certifications.

Incremental identity refresh can be configured to only refresh those identities on which information has changed since the last refresh was performed, to increase performance.

Note: Partitioning is disabled if you enable Mark dormant scopes after refresh or Refresh the group scorecards options.

Note: The Number of Refresh Threads option is not supported when partitioning is enabled.

Partitioning is available to speed the processing time for identity refresh tasks and level the load on the machines running these tasks. Partitioning is used to break operations into multiple pieces, or partitions. Each partition is then placed in a global queue, and machines, or hosts, in a cluster compete to execute the partitions in the queue. Machines are added or removed from the cluster dynamically with automatic balancing. If a machine fails or is taken down while processing a partition, the partition is placed back into the queue and reassigned to a different machine. A single result object is shared by all partitions and is continually updated so you can monitor the overall progress of the partitioned operation. When all partitions have finished executing the result is marked complete. See Partitioning.

The information scanned and updated is determined by the following criteria when the task is created or edited. You can use any combination of options to build a task.

To reduce or eliminate the possibility of an ObjectAlreadyLocked exception, two additional parameters are available on the IdentityIQ debug pages: enableTriggerIdentityQueue, which when set to true enables the trigger queuing feature, and triggerIdentityQueueSize, which specifies the number of triggers to queue before they are processed (if this value is not set, the default is 10).

Option

Description

Optional filter string to constrain the identities refreshed

A filtering string used to limit the number of identity cubes updated by this task. For example, you can limit the refresh to one department within your enterprise, such as Finance, by entering: department == "Finance"

Optional list of group or population names to constrain the identities refreshed

A filtering string used to limit the number of identity cubes updated by this task. For example you can limit the refresh to one group or population within your enterprise.

Refresh identities whose last refresh date is before this date

Refresh any identities not refreshed since the date entered.

Enter a date manually or click the [...] icon to display the calendar view.

Use this to recover from a refresh that ended abnormally. For example, you start a refresh task and it runs for a day before stopping abnormally. After resolving the issue with the task, instead of repeating the refresh of all the identities that completed before the task stopped, you can only refresh the ones that were missed on the last refresh. Enter the approximate date the last refresh stopped and only refresh the remainder.

Refresh identities whose last refresh date is at least this number of hours ago

Enter the number of hours manually.

Use this option to refresh identities that have not been refreshed recently. The time in this option is relative rather than absolute. Instead of remembering a specific task launch date and typing it in each time you run the refresh task, you can have just one task and run it repeatedly. For example, you can run it for everything more than an hour old.

Refresh identities whose last refresh date is within this number of hours

Enter the number of hours manually.

Use this option to refresh identities that were refreshed recently. The primary use case for this is to refresh things that were recently touched by aggregation.

For example, if you have several aggregation sources that tend to touch different subsets of identities, you might prefer not to refresh the identities that were not touched by the last aggregation.

Include modified identities in the refresh window

Refresh any identities modified within the specified time frames.

There are two dates stored on each Identity, the date of last refresh and the date of last modification.

The last refresh date is set whenever you run the refresh or aggregation tasks and the identity is changed in some way.

The last modification date is set whenever you edit the identity in some way outside of a refresh or aggregation task, for example from a Lifecycle Manager workflow or a custom task.

Use this option to refresh identities that were edited within a period of time, but not necessarily by the refresh task. For example, you might do a full refresh once a week but during the week people were adding or removing roles, changing extended identity attributes, doing manual correlation, or changing identities in some other way. Most of those cases have options to do a targeted refresh immediately after the change happens but this is not always the case and sometimes it is better to batch up a number of refreshes rather than have hundreds of individual refreshes occurring concurrently. If you ran the refresh task with one of the date-based options you would not necessarily pick up identities that were manually edited. If you want to include those select this option.

Refresh only identities marked as needing refresh during aggregation

Only refresh identities marked as needing refresh during the most recent aggregation task.

For more information on using this option to optimize performance, see Refreshing Changed Identities Only (Delta Identity Refresh).

Do not reset the needing refresh marker after refresh

Do not clear the needing refresh marker set during aggregation.

Use this option if you have multiple refresh tasks scheduled, such as entitlement and risk refresh. Then you can set the final refresh to clear the markers.

Exclude identities marked inactive

Exclude inactive identities from the refresh.
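The selection options above (filter, the three date windows, "Include modified identities in the refresh window", "Refresh only identities marked as needing refresh during aggregation", "Do not reset the needing refresh marker" and "Exclude identities marked inactive") interact, and it is easy to be surprised by which identities a given combination picks up. The following Python model is an added illustration, not IdentityIQ code: the Identity and RefreshOptions classes, the field names, the sample identities and the handling of never-refreshed identities are all assumptions made here to show how the options described on this page combine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Identity:
    """Minimal stand-in for an identity cube (assumed fields, not IdentityIQ's)."""
    name: str
    department: str
    last_refresh: Optional[datetime]    # set by refresh/aggregation tasks
    last_modified: Optional[datetime]   # set by edits outside those tasks (e.g. a workflow)
    needs_refresh: bool = False         # marker set by aggregation
    inactive: bool = False


@dataclass
class RefreshOptions:
    """One field per task option discussed above (assumed names)."""
    filter_department: Optional[str] = None     # stands in for the optional filter string
    refresh_before: Optional[datetime] = None   # "last refresh date is before this date"
    older_than_hours: Optional[int] = None      # "last refresh date is at least N hours ago"
    within_hours: Optional[int] = None          # "last refresh date is within N hours"
    include_modified: bool = False              # "Include modified identities in the refresh window"
    only_needing_refresh: bool = False          # "Refresh only identities marked as needing refresh"
    keep_needs_refresh_marker: bool = False     # "Do not reset the needing refresh marker"
    exclude_inactive: bool = False              # "Exclude identities marked inactive"


def _in_window(ts: Optional[datetime], opts: RefreshOptions, now: datetime) -> bool:
    """True if the timestamp satisfies every configured date window."""
    if ts is None:
        # Modeling assumption: an identity with no date counts as "not refreshed
        # since X" / "older than N hours", but never as "within N hours".
        return opts.within_hours is None
    if opts.refresh_before is not None and not ts < opts.refresh_before:
        return False
    if opts.older_than_hours is not None and ts > now - timedelta(hours=opts.older_than_hours):
        return False
    if opts.within_hours is not None and ts < now - timedelta(hours=opts.within_hours):
        return False
    return True


def select_identities(identities: List[Identity], opts: RefreshOptions, now: datetime) -> List[str]:
    """Return the names of identities this task configuration would refresh."""
    has_window = any(v is not None for v in (opts.refresh_before, opts.older_than_hours, opts.within_hours))
    selected = []
    for ident in identities:
        if opts.exclude_inactive and ident.inactive:
            continue
        if opts.filter_department is not None and ident.department != opts.filter_department:
            continue
        if opts.only_needing_refresh and not ident.needs_refresh:
            continue
        if has_window:
            hit = _in_window(ident.last_refresh, opts, now)
            # The "include modified" option applies the same window to the modification date.
            if not hit and opts.include_modified:
                hit = _in_window(ident.last_modified, opts, now)
            if not hit:
                continue
        selected.append(ident.name)
    return selected


def run_refresh(identities: List[Identity], opts: RefreshOptions, now: datetime) -> List[str]:
    """Select, then update the bookkeeping the way the option text describes."""
    names = select_identities(identities, opts, now)
    by_name = {i.name: i for i in identities}
    for name in names:
        ident = by_name[name]
        ident.last_refresh = now
        if not opts.keep_needs_refresh_marker:
            ident.needs_refresh = False   # cleared unless a later task is meant to clear it
    return names


def sample_identities(now: datetime) -> List[Identity]:
    """Constructed sample data for the demonstration."""
    h = lambda n: now - timedelta(hours=n)
    return [
        Identity("alice", "Finance", h(30), h(30), needs_refresh=True),
        Identity("bob", "Finance", h(2), h(2)),
        Identity("carol", "Engineering", h(50), h(1)),      # edited by a workflow 1h ago
        Identity("dave", "Finance", None, None, inactive=True),
    ]


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)   # constructed "current time"
    ids = sample_identities(now)
    print(select_identities(ids, RefreshOptions(within_hours=3), now))
    print(select_identities(ids, RefreshOptions(within_hours=3, include_modified=True), now))
```

Note that with "within 3 hours" alone only bob is selected; adding "include modified" also picks up carol, whose refresh date is two days old but who was edited by a workflow an hour ago, which is the batching case the option text describes.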

Refresh identity attributes

Update Identity Cubes with any changes made to the attributes used to define identities.

Refresh Identity Entitlements for all links

Refresh any account attribute marked as an entitlement in the application schema.

This process is resource intensive as it refreshes all entitlement values for all links.

Refresh manager status

Update all Identity Cubes in which the manager status has changed. For example, if a user was promoted to manager in their department, their Identity Cube would be updated by this task.

Refresh assigned and detected roles and promote additional entitlements

Update any assigned or detected role assignments that have changed since the last time this task was run. Any additional entitlements found in this refresh are promoted during this task.

Provision assignments

Provision any assigned roles and entitlements detected since the last time this task was run.

Disable deprovisioning of deassigned roles

Prevents assigned roles from being deprovisioned after they have been deassigned.

Refresh role metadata for each identity

Update information about the identity's relationship to their role. For example, information regarding whether or not an identity has all the roles required by the given role.

Note: This option must be selected in order to generate Role Statistics.

Enable manual account selection

Send Account Selection Notification emails to users with more than one account on any application where the system cannot determine the provisioning account. By default, no provisioning is done in this case.

Synchronize Attributes

Provision identity mapping targets if their value has changed.

Refresh the identity risk scorecards

Update Identity Risk Scores with any information discovered by the scan performed by this task.

Maintain identity histories

Update the identity history by creating a snapshot of any identities with information that has changed since the last refresh.

Refresh the group scorecards

Update Group Risk Scores with any information discovered by the scan performed by this task.

Partitioning is disabled if you select this option.

Clean up group definitions that are no longer referenced

Delete unreferenced group definitions.

This option is only supported if it is selected in conjunction with the Refresh the group scorecards option and they run in the same task.

Check active policies

Scan for active policies and apply those policies to the identities included in the task.

Keep previous violations

Maintain a history of violations that are no longer active.

A comma separated list of specific policy names. When set this overrides the default policies

Scan for and apply only those policies included in this list to the identities included in the task.

Refresh assigned scope

Refresh assigned scope based on changes discovered.

Disable auto creation of scopes

Do not automatically assign scope to identities as part of this task.

Mark dormant scopes after refresh

Mark scopes that are not assigned to any identities as dormant.

Partitioning is disabled if you select this option.

Process Events

Enable event certifications.

Use the snapshots created during aggregation to approximate the previous state of the identities at the beginning of the refresh. This copied identity is compared to the updated identity to determine if event certifications are launched.

Disable identity processing threshold

Identity processing thresholds let you stop lifecycle events before they are fully processed to prevent any dangerous workflows from accidentally being triggered. They can be enabled in Rapid Setup events and in Lifecycle and Certification events.

If identity processing thresholds are enabled, use this field to disable the identity processing threshold for this task.

See Using Identity Processing Thresholds for Error Prevention.

Refresh logical application links

Scan for changes to composite applications and refresh the link information.

Promote managed attributes

When enabled, any entitlement or permission values encountered while running the task are automatically promoted as managed attributes.

Number of Refresh Threads

Specify the number of concurrent threads used during task processing.

The number of threads should not exceed 10.

This option is not supported with partitioning enabled.

Always launch the workflow (even if the usual triggers do not apply)

Launch a workflow for each identity even if no identity triggers or provisioning policy questions apply.

Enable the generation of work items for unmanaged parts of the provisioning plan

Create work items for role entitlements that are not managed by available connectors or provisioning integration modules so the appropriate action can be taken.

Disable connector lookup of managers that do not correlate

Disable the default MANAGER_LOOKUP feature and stop the automatic lookup/bootstrap of the manager account at the connector level.

Enable partitioning

Enable partitioning of this task across multiple hosts.

Partitioning must be configured globally before this option can be used.

See Partitioning.

Number of partitions

Specify a number of partitions. If no number is specified, IdentityIQ calculates an optimal number based on available request servers.

Loss Limit

The loss limit sets the maximum number of identities that will be reprocessed in case of a sudden termination of a partitioned refresh. This option is used only when partitioning is enabled.

See Loss Limits.
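The partitioning description near the top of this page (a global queue of partitions, hosts competing for them, a failed host's partition going back into the queue, one shared result object) and the Loss Limit option above can be understood together with a small simulation. The Python below is an added model, not IdentityIQ's implementation: the contiguous split into partitions, the assumption that progress is committed every loss_limit identities so that at most that many are redone after a sudden termination, the host names, the identity names and the fail_plan mechanism used to stage a host failure are all constructed here for illustration.

```python
from collections import deque
from typing import Dict, List, Tuple


def make_partitions(names: List[str], count: int) -> List[Tuple[int, List[str]]]:
    """Split the identity list into `count` contiguous partitions (assumed split strategy)."""
    size = -(-len(names) // count)   # ceiling division
    return [(pid, names[i:i + size]) for pid, i in enumerate(range(0, len(names), size))]


class PartitionedRefresh:
    """Global partition queue plus the single shared result object the page describes."""

    def __init__(self, names: List[str], partitions: int, loss_limit: int):
        self.partitions = make_partitions(names, partitions)
        self.queue = deque(self.partitions)        # partitions waiting for a host
        self.loss_limit = loss_limit
        self.checkpoints: Dict[int, int] = {}      # partition id -> identities committed so far
        self.completed = set()
        # Shared result, continually updated as hosts make progress.
        self.result = {"processed": 0, "reprocessed": 0, "requeued": 0, "complete": False}

    def run(self, hosts: List[str], fail_plan: Dict[Tuple[str, int], int]) -> dict:
        """Hosts compete for partitions; fail_plan[(host, pid)] = n means that host
        dies after processing n identities of partition pid (constructed failure)."""
        pool = deque(hosts)
        while self.queue and pool:
            host = pool.popleft()
            pid, members = self.queue.popleft()
            start = self.checkpoints.get(pid, 0)   # resume from the last commit
            die_after = fail_plan.get((host, pid))
            for idx in range(start, len(members)):
                if die_after is not None and idx - start == die_after:
                    # Host taken down mid-partition: uncommitted work since the last
                    # checkpoint is lost and will be redone by whichever host picks it up.
                    lost = idx - self.checkpoints.get(pid, 0)
                    self.result["reprocessed"] += lost
                    self.result["requeued"] += 1
                    self.queue.append((pid, members))   # back into the global queue
                    break                                # host leaves the cluster
                self.result["processed"] += 1
                if (idx + 1) % self.loss_limit == 0:
                    self.checkpoints[pid] = idx + 1      # commit progress
            else:
                self.completed.add(pid)
                pool.append(host)                        # healthy host competes again
        self.result["complete"] = len(self.completed) == len(self.partitions)
        return self.result


def run_partitioned_refresh(names, partitions, loss_limit, hosts, fail_plan) -> dict:
    """Convenience wrapper returning the shared result dictionary."""
    return PartitionedRefresh(names, partitions, loss_limit).run(hosts, fail_plan)


if __name__ == "__main__":
    ids = [f"id{i:02d}" for i in range(20)]                 # constructed identities
    plan = {("host-a", 0): 4}                              # host-a dies 4 identities into partition 0
    print(run_partitioned_refresh(ids, 4, 3, ["host-a", "host-b"], plan))
```

In the staged run, host-a commits a checkpoint after three identities and dies after four, so only one identity of partition 0 is redone when host-b later picks the partition up from the queue; the bound that the Loss Limit option describes holds because reprocessing can never exceed the work done since the last commit.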

Do not schedule retry requests during application maintenance windows

Disables the scheduling of provisioning retry requests when provisioning fails because an application is within a maintenance window. Application maintenance windows can be set for each application.

See Using the Edit Application Page.