Skip to content

Assigning Source Accounts to Identities

Correlation is the process Identity Security Cloud uses to match and assign source accounts to identities. Identity Security Cloud's correlation configuration compares the values of specific account attributes with the values of related identity attributes. When Identity Security Cloud finds matching values in an account attribute and an identity attribute, it assigns the account to the identity that has the matching value.

Diagram of how Identity Security Cloud compares and matches account attributes to related identity attributes.

If Identity Security Cloud is unable to match any account attributes to any identity attributes, the account is considered uncorrelated and is not assigned to any identities.

Configuring Account Correlation

Configure account correlation before you load, or aggregate, source accounts for the first time. If you change the account correlation for a source that has already been aggregated, you should run another aggregation where optimization has been disabled for that source. This allows unchanged accounts to be reexamined for correlation.

Prerequisite: At least one identity profile already exists.

Use the Correlation Configuration panel on the Import Data tab to map, or pair, an identity attribute with an account attribute. A correlation configuration comprises a group of one or more attribute pairings.

To update a correlation configuration:

  1. Go to Admin > Connections > Sources and select the source to update.
  2. Select the Import Data tab and then select Correlation from the left panel. If no correlation configurations exist for this source, the identity and account attribute fields will be empty.

    Correlation configuration where users can map identity attributes to account attributes.

    In the Correlation Configuration panel, review the existing attributes for configuring this source:

    • The Identity Attribute field lists the attribute from the identity profile used to match the accounts.
    • The Account Attribute field lists the attribute on the source that Identity Security Cloud tests against the identity attribute.
    • The Operation field is always set to Equals. This field is not editable.
  3. If you are working in an existing correlation configuration, remove unnecessary attribute pairings by selecting the X icon beside the pairing.

  4. Use the Identity Attribute dropdown menu to select a unique identity attribute such as email, displayName, or uid.
  5. Use the Account Attribute dropdown menu to choose the account attribute that corresponds to the identity attribute you just selected.
  6. If your organization has a preferred attribute for identifying unique accounts, use the up or down arrow icons beside each attribute pairing to move the pairing up or down in the list. Identity Security Cloud attempts to correlate accounts by checking the attributes in the order they are listed.

  7. Select Save to apply and save your updates.

Using Custom Identity Attributes in Correlation

Identity attributes must be configured as searchable to be included in the Correlation Configuration's Identity Attribute list. By default, a subset of the predefined identity attributes are set as searchable. You can use the Create Identity Attribute or Update Identity Attribute endpoint to add up to 6 additional searchable attributes. These are typically chosen from the custom identity attributes you have defined for your site.

Note

This configuration is not related to enabling searches in Identity Security Cloud Search based on your custom attributes. Any built-in or custom identity attribute can automatically be used as a search query filter there.

Resolving Uncorrelated Accounts

When you load accounts onto a source using a direct connector or flat file, you may have some source accounts that are not linked to identities in the source system. These unlinked source accounts are called uncorrelated accounts.

Accounts may be uncorrelated for a number of reasons. Some accounts simply need to be removed from a source, while others require updates to a source or to information in Identity Security Cloud. The following table presents some possible reasons for uncorrelated accounts and how to resolve them.

Reason for Uncorrelated Account Resolution
Accounts belong to former employees. Remove the old accounts from the source and aggregate the updated source accounts to Identity Security Cloud.
Unusual, incomplete, or incorrectly entered account data does not match any identities. Correct the account names on the source and aggregate those accounts to Identity Security Cloud.
The identity the accounts are supposed to be linked to have not been created in Identity Security Cloud. Create an identity profile in Identity Security Cloud that includes identities your uncorrelated accounts can link to.

Uncorrelated accounts must be resolved before the identities associated with those accounts can be granted access to systems and apps. Account resolution is required for access, regardless of how access is granted.

After aggregating a source, run and download an Uncorrelated Accounts report to verify whether all newly loaded source accounts have been correlated. This report lists uncorrelated accounts in Identity Security Cloud by source, so you can easily find and then resolve any uncorrelated accounts.

Resolving Mismatched Attribute Values

The Uncorrelated Accounts report can be a global report listing all the uncorrelated accounts and their sources or a source-specific report of uncorrelated accounts. Use the global report to display uncorrelated accounts and their sources. The global report can also be used for resolving uncorrelated accounts from one source.

For detailed instructions on updating information in your source, refer to your third-party source documentation or reach out to Support for additional help.

Resolving Uncorrelated Accounts on Sources

To resolve mismatched attribute values across multiple sources, you can use the global Uncorrelated Accounts report:

  1. Go to Admin > Global > Reports.
  2. Select PDF or CSV in the Uncorrelated Accounts row to generate a list of all uncorrelated accounts.
  3. Download the report and review the list of uncorrelated accounts and their sources.
  4. On each source listed in the report, edit at least one attribute on each uncorrelated account, including the value of an identity attribute used for correlation. For example, if you’re editing an account in Active Directory, you can update the sAMAccountName to match the uid of an identity in your system, if those attributes are paired in the correlation configuration.
  5. Save your changes and aggregate the source's accounts again. The number of uncorrelated accounts updates to reflect your changes.

You can resolve mismatched attribute values within a single source as well:

  1. Go to Admin > Connections > Sources.
  2. Choose your source and select the Import Data tab.
  3. Select Uncorrelated Accounts and choose Export in the Uncorrelated Accounts panel to download the Uncorrelated Accounts report for that source.
  4. Edit at least one attribute on each uncorrelated account, including the value of an identity attribute used for correlation.
  5. Save your changes and aggregate the source’s accounts again. The number of uncorrelated accounts updates to reflect your changes.

Manually Resolving Uncorrelated Accounts

Resolving uncorrelated accounts can involve manual correlation. Manual correlation creates a permanent link from the account to the identity. Even if the source data for the account changes, the account will still be linked to the identity. To move the account, you must manually re-correlate the account to the identity by importing a new CSV containing account's details and a new userName for the identity owning the account.

Note

You can manually correlate up to 100 accounts to a single identity.

To manually resolve uncorrelated accounts:

  1. Go to Admin > Connections > Sources.

  2. Select and open the source you want to review.

  3. Go to Import Data > Uncorrelated Accounts. When uncorrelated accounts exist, they are to the right of the Export panel.

  4. Select Export to download a CSV file of the uncorrelated accounts. The following example shows uncorrelated accounts with no userNames in Identity Security Cloud for the Active Directory source.

    Report showing uncorrelated accounts with no userName.

  5. Add the Account IDs of the associated identities to the userName row of the CSV file. To find the Account IDs:

    • Go to Admin > Identity Management > Identities.
    • Select the name of the identity you want to correlate with one account.
    • In the Details tab, review the Attributes list to find the value of the Account Name for the identity.

      Account name and Authoritative Source are shown in the Attributes window.

      This value is the Account Name attribute in the authoritative source's schema.

    • Add the Account Name attribute to the userName column of the appropriate account.

  6. Save the file to apply and save your changes.

  7. Return to your source's page and select Uncorrelated Accounts.

  8. In the Manually Correlated Accounts panel, select Import to load the file with the corrected accounts into Identity Security Cloud. In the Uncorrelated Accounts panel, the listed number of uncorrelated accounts adjusts to reflect your changes.

When you import a set of correlated accounts, you can view the summary information about your activity along with a badge that indicates whether there were issues with the file you imported. In the Manually Correlated Accounts panel, select the Information icon next to the uploaded file to view these details.

Note

Accounts that have been created by Identity Security Cloud have the account attribute manuallyCorrelated=true. If you need to uncorrelate the account, you must remove the account or change the attribute to false. Unoptimized aggregation does not remove correlation.

Example of Manual Correlation

In this example, Source XYZ normally links accounts to identities by matching the account attribute email to the identity attribute work email. However, Source XYZ's Account 123 is missing an email. You manually correlate Source XYZ's Account 123 to the user Joe, who has the work email attribute joe@example.com.

Later in the day, Source XYZ's data is updated. Now Account 123 has matched the email attribute to a different work email attribute in the system, lisa@example.com.

When you aggregate Source XYZ, even though correlation logic says it should match to Lisa's identity, the account is permanently linked to Joe, because of the manual correlation. If you want to correlate the account to Lisa instead of Joe, you can do one of the following to remove the permanent link to Joe:

  • Reset all aggregated source accounts and entitlements. This option removes all Source XYZ accounts and entitlements from Identity Security Cloud. When you aggregate again, the source accounts and entitlements load into Identity Security Cloud and this time the correlation logic matches Account 123 to Lisa's identity.

  • Manually move Source XYZ's account 123 by importing a new CSV file that has the Account 123 linked to Lisa's identity instead of Joe's.

  • Remove Account 123 from Identity Security Cloud.

    • Go to Admin > Identity Management > Identities > Joe's identity > Accounts and find Joe's account on Source XYZ.
    • From the Actions menu for Joe's account, select Remove Account. Removing Joe's account deletes the permanent link between Account 123 and Joe's identity.
    • Aggregate source XYZ. Correlation logic matches Account 123 to Lisa's identity.

Preset and Default Configurations

Most supported source types have a preset correlation configuration, which is a set of two to four mapped attributes from the predefined account schema.

If you edit or delete a source’s preset correlation configuration, you can manually restore those settings.

  1. Create a new source of the same type to identify the preset correlation attributes.

  2. Use that information to enter and save the same attributes in the existing source.

    Note

    You may need to work with Support​ to reset your source, so you can apply the preset settings to existing identity data.

Identity Security Cloud also uses a default correlation logic if an account can't be correlated using the source's correlation configuration. This logic associates accounts to identities if the attribute marked as the Account Name matches the name attribute of an identity. This value comparison is not case sensitive, so an account with the Account Name User1 will be correlated to an identity with the name user1. The default correlation is not configurable.

Documentation Feedback