Assigning Source Accounts to Identities
Correlation is the process IdentityNow uses to match and assign source accounts to identities. IdentityNow's correlation configuration compares the values of specific account attributes with the values of related identity attributes. When IdentityNow finds matching values in an account attribute and an identity attribute, it assigns the account to the identity that has the matching value.
If IdentityNow is unable to match any account attributes to any identity attributes, the account is considered uncorrelated and is not assigned to any identities.
Configuring Account Correlation
Configure account correlation before you load, or aggregate, accounts source accounts for the first time. Before you change the account correlation for a source that has already been aggregated, disable optimization on the source so that unchanged accounts can be reexamined for correlation.
Prerequisite: At least one identity profile already exists.
Use the Correlation Configuration panel on the Import Data tab to map, or pair, an identity attribute with an account attribute. A correlation configuration comprises a group of one or more attribute pairings.
To update a correlation configuration:
- In the Admin interface, go to Connections > Sources and select the source to update.
- Select the Import Data tab and then select Correlation from the left panel. If no correlation configurations already exist for this source, the page looks like the following example.
In the Correlation Configuration panel, review the existing attributes for configuring this source:
- The Identity Attribute field lists the attribute from the identity profile used to match the accounts.
- The Account Attribute field lists the attribute on the source that IdentityNow tests against the identity attribute.
- The Operation field is always set to Equals. This field is not editable.
- If you are working in an existing correlation configuration, remove any unnecessary attribute pairings by selecting the X icon beside the pairing.
- Use the Identity Attribute drop-down to select a unique identity attribute such as
- Use the Account Attribute drop-down to choose the account attribute that corresponds to the identity attribute you just selected.
If your organization has a preferred attribute for identifying unique accounts, use the up or down arrow icons beside each attribute pairing to move the pairing up or down in the list. IdentityNow attempts to correlate accounts by checking the attributes in the order they are listed.
Select Save to apply and save your updates.
Resolving Uncorrelated Accounts
When you load accounts onto a source using a direct connector or flat file, you may have some source accounts not linked to any identities in the source system. These unlinked source accounts are called uncorrelated accounts.
Uncorrelated accounts must be resolved before the identities associated with those accounts can be granted access to systems and apps. Account resolution is required for access, regardless of how access is granted.
After aggregating a source, run and download an Uncorrelated Accounts report to verify whether all newly loaded source accounts have been correlated. This report lists all uncorrelated accounts in IdentityNow by source, so you can easily find and then resolve any uncorrelated accounts.
Accounts may be uncorrelated for a number of reasons. Some accounts simply need to be removed from a source, while others require updates to a source or to information in IdentityNow. The following table presents some possible reasons for uncorrelated accounts and how to resolve them.
|Reason for Uncorrelated Account||Resolution|
|Accounts belong to former employees.||Remove the old accounts from the source and aggregate the updated source accounts to IdentityNow.|
|Unusual, incomplete, or incorrectly entered account data does not match any identities.||Correct the account names on the source and aggregate those accounts to IdentityNow.|
|The identity the accounts are supposed to be linked to have not been created in IdentityNow.||Create an identity profile in IdentityNow that includes identities your uncorrelated accounts can link to.|
Resolving Mismatched Attribute Values
The Uncorrelated Accounts report can be a global report listing all the uncorrelated accounts and their sources or a source-specific report of uncorrelated accounts. Use the global report when you want to see all uncorrelated accounts and their sources. The global report can also be used for resolving uncorrelated accounts from one source.
For detailed instructions on updating information in your source, refer to your third-party source documentation or reach out to Support for additional help.
The following steps describe the basic procedures for resolving mismatched attribute values across multiple sources, using the global Uncorrelated Accounts report.
Prerequisite: Accounts have been aggregated from at least one source.
To resolve uncorrelated accounts caused by mismatched attribute values:
- From the Admin interface, go to Global > Reports.
- Select either PDF or CSV in the Uncorrelated Accounts row to generate a list of all uncorrelated accounts.
- Download the report and review the list of uncorrelated accounts and their sources.
- On each source listed in the report, edit at least one attribute on each uncorrelated account, including the value of an identity attribute used for correlation.
For example, if you’re editing an account in Active Directory, you can update the
sAMAccountNameto match the
uidof an identity in your system, if those attributes are paired in the correlation configuration.
- Save your changes and aggregate the source’s accounts again. The number of uncorrelated accounts updates to reflect your changes.
When you already know which source may have uncorrelated reports, you can access the Uncorrelated Accounts report for that source from the Admin interface at Connections > Sources > < Source Name > > Uncorrelated Accounts. Select Export in the Uncorrelated Accounts panel to download the Uncorrelated Accounts report for that source. Then perform steps 4 and 5 above to update and correlate the accounts.
Preset and Default Configurations
Each supported source type has a preset configuration and a default configuration. The preset configuration is a set of two to four mapped attributes provided on supported sources. Occasionally, however, a source does not have a preset configuration. When the preset configuration is empty, IdentityNow uses the default configuration. The default configuration always contains a single attribute,
displayName, which is not configurable.
If you edit or delete a source’s preset correlation configuration, you can restore those settings. Create a new source of the same type and then enter and save the new source's attribute values in the existing source.
You may need to work with Support to reset your source so you can apply the preset settings to existing identity data.