Managing Accounts
After you’ve aggregated source accounts from a supported source, you can view and manage these accounts in Identity Security Cloud.
Accounts are classified as one of three types:
- Human account - An account associated with a human identity.
- Machine account - A non-human account that relates to an application or service. Machine accounts may include service accounts, bots, or shared accounts that multiple users log in to. Machine accounts will appear in the Human Accounts list if they are correlated to human identities.
- Uncorrelated account - An account that is not linked to an authoritative identity. An uncorrelated account must be correlated to an identity before it can be governed.
You can view the statuses of these accounts by going to Admin > Identity Management > Accounts and selecting the type of account. An account can have either an Enabled or Disabled status.
Status | Definition |
---|---|
Enabled | The account is enabled and can be accessed. |
Disabled | The account has been disabled and can't be accessed. |
Disabling Accounts
If you are an administrator or Helpdesk admin, you might need to disable an account on a source. For example, if a user reports suspicious activity on that account, you can disable it temporarily while investigating the problem.
- Go to Admin > Identity Management > Accounts.
- Select the type of account from the left panel.
- Find the account you want to disable and select Actions > Disable Account.
- In the confirmation window, select Disable.
You can reenable an account by selecting Actions > Enable Account.
Aggregating Accounts
You can aggregate data for a single account rather than run a full aggregation.
- Go to Admin > Identity Management > Accounts.
- Select the type of account from the left panel.
- Find the account you want to aggregate and select Actions > Aggregate Account.
If the account’s source is in a healthy state, the aggregation will begin.
Unlocking Accounts
If a user has been locked out of a source account, you can unlock their account from Identity Security Cloud. This option is available for accounts that have been loaded into your tenant from a supported source that allows unlocking accounts.
Note
You may need to aggregate the account first to ensure the account status in your tenant is accurate.
- Go to Admin > Identity Management > Accounts.
- Select the type of account from the left panel.
- Find the locked account and select Actions > Unlock Account.
- In the confirmation window, select Unlock.
Removing Accounts
You may need to remove an account from Identity Security Cloud to fix data on the source. For example, if a user's email address was misspelled on the source, their account might correlate to another user's Identity Security Cloud account. You can remove the account from that user to fix the misspelled email address. When the account is aggregated again, it is treated like a new account and will correlate to the correct identity.
Important
If you remove an account from an identity and that account is on an authoritative source, the identity might move to a different identity profile or disappear from the list of identities.
To remove a source account:
- Go to Admin > Identity Management > Accounts.
- Select the type of account from the left panel.
- Find the account you want to remove and select Actions > Remove Account.
- In the confirmation window, select Remove to remove the account. This action removes the account from Identity Security Cloud, not from the source system itself.
The account is removed from Identity Security Cloud and will be added again during your next full aggregation.
Note
If your source is configured for delta aggregation, you should disable it if you want to reaggregate the account.
Correlating Accounts
To resolve an uncorrelated account, you can update the account’s correlation by assigning it to an identity. For example, if an account’s email address was misspelled on Active Directory, it might not be correlated to the correct identity in an aggregation. You can assign the uncorrelated account to this identity, allowing the account to be governed.
Important
SailPoint recommends using this feature if your organization has a limited number of uncorrelated accounts. If you find a large number of uncorrelated accounts, review your organization’s account correlation configuration.
You may also need to correlate accounts to the correct identities in the following cases:
- An account was manually correlated to the wrong identity.
- An account was correlated to the wrong identity through an aggregation. If this occurs often, SailPoint recommends reviewing your account correlation configuration.
- An authoritative account needs to be reassigned to another identity to resolve duplicated identities.
To correlate an account:
- Go to Admin > Identity Management > Accounts.
- Select the type of account from the left panel.
Note
Refer to Updating Machine Accounts for information on correlating a machine account to a machine identity.
- Find the account that needs to be correlated and select Actions > Update Correlation.
- Select the identity that should be associated with this account.
- Select Save.
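The misspelled-email case above can be triaged offline before you use Update Correlation. The following is an added example, not SailPoint code: it assumes correlation is an exact, case-insensitive email match, and its field names, sample records, and thresholds are hypothetical.

```python
from difflib import SequenceMatcher

# Constructed sample data; field names are hypothetical, not an ISC export format.
IDENTITIES = [
    {"name": "Ana Ruiz", "email": "ana.ruiz@example.com"},
    {"name": "Bo Chen", "email": "bo.chen@example.com"},
]
ACCOUNTS = [
    {"account": "aruiz", "email": "Ana.Ruiz@example.com"},
    {"account": "bchen", "email": "bo.chne@example.com"},  # misspelled on the source
    {"account": "svc-backup", "email": ""},                 # no email to match on
]

def correlate(accounts, identities):
    """Exact, case-insensitive email match (an assumed correlation rule)."""
    by_email = {i["email"].lower(): i["name"] for i in identities}
    linked, uncorrelated = {}, []
    for acct in accounts:
        owner = by_email.get(acct["email"].strip().lower())
        if owner:
            linked[acct["account"]] = owner
        else:
            uncorrelated.append(acct)
    return linked, uncorrelated

def suggest(acct, identities, threshold=0.9):
    """Rank identities whose email is a near miss of the account's email."""
    email = acct["email"].strip().lower()
    if not email:
        return []  # nothing to compare; needs manual review
    scored = [
        (round(SequenceMatcher(None, email, i["email"].lower()).ratio(), 2), i["name"])
        for i in identities
    ]
    return sorted((s for s in scored if s[0] >= threshold), reverse=True)

def triage(accounts, identities, review_ratio=0.25):
    """Return linked accounts, candidate owners for uncorrelated ones, and a
    flag set when the uncorrelated share exceeds review_ratio (an arbitrary
    cutoff standing in for "a large number" of uncorrelated accounts)."""
    linked, uncorrelated = correlate(accounts, identities)
    report = {a["account"]: suggest(a, identities) for a in uncorrelated}
    review_config = len(uncorrelated) / len(accounts) > review_ratio
    return linked, report, review_config

if __name__ == "__main__":
    print(triage(ACCOUNTS, IDENTITIES))
```

A suggestion is only a candidate for an administrator to confirm; an account with no suggestion, such as the service account here, needs an owner decided by hand.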
Updating Machine Accounts
If you need to make changes to a machine account after it’s been mapped, you can manually update the machine account’s attributes. For example, you might need to update the account owner for a machine account if the previous owner moves to a different role or leaves your organization.
- Go to Admin > Identity Management > Accounts.
- Select Machine Accounts from the left panel.
- Find the machine account you want to update and select Actions > Update Account.
- Make changes as needed and select Apply to apply the changes.
Note
Machine accounts can only be correlated to machine identities.
Identity Security Cloud will preserve manual changes made to this account even if the account's mapping changes.