Skip to content

Assigning Source Accounts to Identities

Correlation is the process of matching and assigning source accounts to identities. Correlation configuration compares the values of specific account attributes with the values of related identity attributes. When those attribute values match, the account is assigned to the identity.

Diagram of how Identity Security Cloud compares and matches account attributes to related identity attributes.

If Identity Security Cloud is unable to match account attributes to identity attributes, the account is considered uncorrelated and is not assigned to identities.

Configuring Account Correlation

To correlate accounts to identities, you will map, or pair, account attributes to the identity attributes in your tenant. These mappings are configured using correlation criteria, which compare the values of account and identity attributes. Whenever one correlation criteria is met, the account is correlated to the identity.

Configure account correlation before you load, or aggregate, source accounts for the first time. If you change the account correlation for a source that has already been aggregated, you should run another aggregation where optimization has been disabled for that source. This allows unchanged accounts to be reexamined for correlation.

If your org uses recommendations Magic wand icon to indicate recommendations are available for those configurations., you can view attribute pairing suggestions for the highest correlation percentage and automatically optimize the order of your criteria. Refer to Using Recommendations to Correlate Accounts.

Prerequisites: Identities and at least one identity profile exist.

To configure account correlation:

  1. Go to Admin > Connections > Sources and select the source to update.

  2. Select Account Correlation.

    Correlation configuration where users can map identity attributes to account attributes.

  3. Review the attributes for configuring the source:

    • The Identity Attribute is the attribute from the identity profile used to match the accounts.
    • The Account Attribute is the attribute on the source that Identity Security Cloud tests against the identity attribute.
    • The Operation field is always set to Equals. This field is not editable.

  4. Use the Identity Attribute dropdown list to select an identity attribute such as email, displayName, or uid. Refer to Using Custom Identity Attributes in Correlation for guidance on using custom identity attributes.

  5. Use the Account Attribute dropdown list to choose the account attribute that corresponds to the identity attribute you selected.
  6. Select Add Criteria to add identity attribute and account attribute fields.
  7. If your organization has a preferred attribute for identifying unique accounts, drag and drop the attribute pairing to determine the order in which attributes will be used to correlate accounts.
  8. To remove attribute pairings, select the Delete icon beside the pairing.
  9. Select Save to save your changes.

Using Recommendations to Correlate Accounts

If your organization uses recommendations , you may receive suggestions on which criteria to select based on correlation percentages. The number and quality of account correlation recommendations depend on the quality of your identity data and account data.

Refer to Account Correlation Recommendations for information on how recommendations are generated.

Prerequisite: At least one identity profile exists.

To use recommendations to configure account correlation:

  1. Go to Admin > Connections > Sources and select the source to update.

  2. Select Account Correlation.

    Correlation configuration where users can map identity attributes to account attributes.

  3. If you do not already see recommendations, select Refresh Recommendations to display a list of recommended criteria. Recommendation generations can take several minutes.

  4. Select Add Recommendation to add the pairing to the top of your correlation configuration. If multiple identity attributes can fit with an account attribute, select the attribute pairing that best fits your needs.

  5. Identity Security Cloud correlates accounts one attribute at a time in the order they are listed in the Correlation Configuration form. Select Optimize Order to automatically order criteria by the highest correlation percentage or drag and drop the attribute pairing to determine the order of attributes used to correlate accounts.

    Correlation configuration where users can map identity attributes to account attributes. Optimize Order is at the top.

  6. Review the attributes for configuring the source:

    • The Identity Attribute is the attribute from the identity profile used to match the accounts.
    • The Account Attribute is the attribute on the source that Identity Security Cloud tests against the identity attribute.
    • The Operation field is always set to Equals. This field is not editable.

  7. Select Add Criteria to add identity attribute and account attribute fields.

  8. Use the Identity Attribute dropdown list to select an identity attribute such as email, displayName, or uid. Refer to Using Custom Identity Attributes in Correlation for guidance on using custom identity attributes.

  9. Use the Account Attribute dropdown list to choose the corresponding account attribute.
  10. To remove attribute pairings, select the Delete icon beside the pairing.
  11. You can test your account correlation configuration using a sample of your accounts.
  12. Select Save to save your changes.

Testing Account Correlation

You can test the effectiveness of your correlation configurations to ensure you have a high level of correlation.

When you select Test, Identity Security Cloud checks the correlation configurations against a sample of your accounts to estimate the number and percentage of your accounts that will be correlated. You can use this information to determine if the order or number of criteria should be adjusted.

Correlation configuration where users can map identity attributes to account attributes.

If a low number of accounts are correlated, this may indicate there is inaccurate or incomplete source data. You can increase your correlation percentage by optimizing the order of your criteria or reviewing your account information. You can also manually correlate accounts.

When you are satisfied with the correlation results, select Save in the Correlation Configuration form above.

Using Custom Identity Attributes in Correlation

Identity attributes must be configured as searchable to be included in the Correlation Configuration's Identity Attribute list. By default, a subset of the predefined identity attributes are set as searchable. You can use the Create Identity Attribute or Update Identity Attribute endpoint to add up to 6 additional searchable attributes. These are typically chosen from the custom identity attributes you have defined for your site.

Note

This configuration is not related to enabling searches in Search based on your custom attributes. Built-in or custom identity attributes can automatically be used as a search query filter there.

Resolving Uncorrelated Accounts

When you load accounts onto a source using a direct connector or flat file, you may have some source accounts that are not linked to identities in the source system. These unlinked source accounts are called uncorrelated accounts.

Accounts might be uncorrelated for a number of reasons. Some accounts simply need to be removed from a source, while others require updates to a source or to information in your system. The following table presents some possible reasons for uncorrelated accounts and how to resolve them.

Reason for Uncorrelated Account Resolution
Accounts belong to former employees. Remove the old accounts from the source and aggregate the updated source accounts.
Unusual, incomplete, or incorrectly entered account data does not match any identities. Correct the account names on the source and aggregate those accounts.
The identity the accounts are supposed to be linked to has not been created in Identity Security Cloud. Create an identity profile that includes identities your uncorrelated accounts can link to.

Uncorrelated accounts must be resolved before the identities associated with those accounts can be granted access to systems and apps. Account resolution is required for access, regardless of how access is granted.

After aggregating a source, run and download an Uncorrelated Accounts report to verify whether newly loaded source accounts have been correlated. This report lists uncorrelated accounts by source, so you can easily find and then resolve any uncorrelated accounts.

Resolving Mismatched Attribute Values

The Uncorrelated Accounts report can be a global report listing all the uncorrelated accounts and their sources or a source-specific report of uncorrelated accounts. Use the global report to display uncorrelated accounts and their sources. The global report can also be used for resolving uncorrelated accounts from one source.

Refer to third-party source documentation or contact Support for additional help.

Resolving Uncorrelated Accounts on Sources

To resolve mismatched attribute values across multiple sources, you can use the global Uncorrelated Accounts report:

  1. Go to Admin > Global > Reports.
  2. Select PDF or CSV in the Uncorrelated Accounts row to generate a list of all uncorrelated accounts.
  3. Download the report and review the list of uncorrelated accounts and their sources.
  4. On each source listed in the report, edit at least one attribute on each uncorrelated account, including the value of an identity attribute used for correlation. For example, if you’re editing an account in Active Directory, you can update the sAMAccountName to match the uid of an identity in your system, if those attributes are paired in the correlation configuration.
  5. Save your changes and aggregate the source's accounts again. The number of uncorrelated accounts updates to reflect your changes.

You can resolve mismatched attribute values within a single source as well:

  1. Go to Admin > Connections > Sources.
  2. Choose your source and select the Import Data tab.
  3. Select Uncorrelated Accounts and choose Export in the Uncorrelated Accounts panel to download the Uncorrelated Accounts report for that source.
  4. Edit at least one attribute on each uncorrelated account, including the value of an identity attribute used for correlation.
  5. Save your changes and aggregate the source’s accounts again. The number of uncorrelated accounts updates to reflect your changes.

Manually Resolving Uncorrelated Accounts

You can use manual correlation to resolve uncorrelated accounts by creating a permanent link from the account to the identity. Even if the source data for the account changes, the account will still be linked to the identity. To move the account, you must manually recorrelate the account to the identity by importing a new CSV containing the account details and a new userName for the identity owning the account.

Note

You can manually correlate up to 100 accounts to a single identity.

To manually resolve uncorrelated accounts:

  1. Go to Admin > Connections > Sources.

  2. Select the source you want to edit.

  3. Go to Import Data > Uncorrelated Accounts.

  4. Select Export to download a CSV file of the uncorrelated accounts. The following example shows uncorrelated accounts with no userNames in Identity Security Cloud for the Active Directory source.

    Report showing uncorrelated accounts with no userName.

  5. Add the Account IDs of the associated identities to the userName row of the CSV file. To find the Account IDs:

    • Go to Admin > Identity Management > Identities.
    • Select the name of the identity you want to correlate with an account.

    • In the Details tab, review the Attributes list to find the value of the Account Name for the identity.

      Account name and Authoritative Source are shown in the Attributes window.

      This value is the Account Name attribute in the authoritative source's schema.

    • Add the Account Name attribute to the userName column of the appropriate account.

  6. Save the file.

  7. Return to the source configuration and select Uncorrelated Accounts.

  8. In the Manually Correlated Accounts panel, select Import to load the file with the corrected accounts into Identity Security Cloud. In the Uncorrelated Accounts panel, the listed number of uncorrelated accounts adjusts to reflect your changes.

When you import a set of correlated accounts, you can view the summary information about your activity along with a badge that indicates whether there were issues with the file you imported. In the Manually Correlated Accounts panel, select the Information icon next to the uploaded file to view these details.

Note

Accounts that have been created by Identity Security Cloud have the account attribute manuallyCorrelated=true. If you need to uncorrelate the account, you must remove the account or change the attribute to false. Unoptimized aggregation does not remove correlation.

Example of Manual Correlation

In this example, Source XYZ normally links accounts to identities by matching the account attribute email to the identity attribute work email. However, Source XYZ's Account 123 is missing an email. You manually correlate Source XYZ's Account 123 to the user Joe, who has the work email attribute joe@example.com.

Later in the day, Source XYZ's data is updated. Now Account 123 has matched the email attribute to a different work email attribute in the system, lisa@example.com.

When you aggregate Source XYZ, even though correlation logic says it should match to Lisa's identity, the account is permanently linked to Joe, because of the manual correlation. If you want to correlate the account to Lisa instead of Joe, you can do one of the following to remove the permanent link to Joe:

  • Reset all aggregated source accounts and entitlements. This option removes all Source XYZ accounts and entitlements from Identity Security Cloud. When you aggregate again, the source accounts and entitlements are loaded and the correlation logic matches Account 123 to Lisa's identity.

  • Manually move Source XYZ's account 123 by importing a new CSV file that has the Account 123 linked to Lisa's identity instead of Joe's.

  • Remove Account 123 from Identity Security Cloud.

    • Go to Admin > Identity Management > Identities > Joe's identity > Accounts and find Joe's account on Source XYZ.
    • From the Actions menu for Joe's account, select Remove Account. Removing Joe's account deletes the permanent link between Account 123 and Joe's identity.
    • Aggregate source XYZ. Correlation logic matches Account 123 to Lisa's identity.

Preset and Default Configurations

Most supported source types have a preset correlation configuration, which is a set of two to four mapped attributes from the predefined account schema.

If you edit or delete a source’s preset correlation configuration, you can manually restore those settings.

  1. Create a source of the same type to identify the preset correlation attributes.

  2. Use that information to enter and save the same attributes in the existing source.

    Note

    You may need to work with Support​ to reset your source, so you can apply the preset settings to existing identity data.

Identity Security Cloud also uses a default correlation logic if an account can't be correlated using the source's correlation configuration. This logic associates accounts to identities if the attribute marked as the Account Name matches the name attribute of an identity. This value comparison is not case sensitive, so an account with the Account Name User1 will be correlated to an identity with the name user1. The default correlation is not configurable.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.