In IdentityNow, users are represented by identities. The identity list serves as a repository for data about users, and can calculate the data that’s authoritative based on admin-configured rules. An identity can also serve as an authoritative account for a user that includes attributes such as a user's first name, last name, and email as well as roles and entitlements used to grant access. Since most users won't ever sign in to IdentityNow, however, they will not be using their identities like accounts.
To access the list of all the identities in your org, go to the Admin interface and select Identities > Identity List.
The list is designed to display a maximum of 250 identities per page. Use the controls at the bottom of the page to see additional identities.
Working with Identities
You can do the following from the identity list:
- Remove identities from IdentityNow
- Search for and select a specific identity to view and update it. You can search for identities based on the following:
  - Account ID
  - Display Name
  - First Name
  - Last Name
IdentityNow searches these identity attributes for values that begin with the search term you entered. If you sort the Status column, the Search field can only search for matches in Account ID and Display Name. To reset this limitation, sort on a different column.
Generating a Report
Depending on the number of accounts in your system, generating a report can take a substantial amount of time. You can close the window and the system will continue to generate the report.
The report always reflects the data as of the time Generate was selected. If identity data is being refreshed at the time, the report reflects the list of identities that were available when you selected the button.
The Generated field shows when the report was last generated.
Viewing Identity Statuses
You can see a status badge beside each identity in the identity list. This status refers to the identity's IdentityNow account. You can find a list of these statuses and what they mean below.
In most cases, you can search for these identity statuses within Search. A sample query to find identities in that status is included where applicable.
| Status | Description | Sample Query |
|---|---|---|
| Active | The user has registered for IdentityNow and can sign in. | |
| Disabled | The user's IdentityNow account was disabled. | |
| Error | The identity is in an error state due to email configuration errors, correlation problems, or other issues. See Resolving an ERROR Status for details. | |
| Locked | The user's account has been manually locked, usually due to security concerns. | |
| Not Invited | The user hasn't been invited to IdentityNow. | |
| Pending | The user has been invited to join IdentityNow, but they haven't registered yet. | Not applicable |
| Warning | The identity's invitation email failed to send. Verify that their email address is correct and reinvite the identity to resolve this status. | Not applicable |
Viewing Identity Details
Select the name (or >) from the list to view additional details such as the following:
- The identity profile used to create the identity
- Their IdentityNow user level permissions
- The last time the identity's information was updated
- Their current lifecycle state
- The last time audit events were generated by or for this identity
Resolving an ERROR Status
Identities with an ERROR status may not be able to log in to IdentityNow, so you'll need to address the error for them to regain access.
An ERROR status may occur because of email configuration errors, authentication source mismatching, or provisioning issues.
Email Configuration Errors
An ERROR status can occur if your identity profile is configured to send an invitation only to a user's alternate email but the user does not have an alternate email configured. Contact your SailPoint customer support specialist if you suspect that this is the issue.
Authentication Source Mismatch
You might have a mismatch between the identity data in the authoritative source of the profile and the source selected in Directory Connection within the Sign In Method panel.
Specifically, users with the ERROR status might have an account in the authoritative source used to create the profile, but they do not have an account in the authentication source you selected in Directory Connection. You must resolve this issue before you'll be able to send these users invitations to register for SailPoint.
Temporarily removing a user from IdentityNow may resolve this and other problems related to user status.
If an identity has more than one account on a source system and a provisioning event is triggered, this generates an error on the identity and no provisioning occurs. This occurs when IdentityNow cannot determine which account should be changed by the provisioning event.
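The two account-level causes described above (no account on the authentication source, and more than one account on a single source) can be checked offline against an account export before you invite or provision users. The following is an added example, not SailPoint code; the record layout, the source names "HR" and "Corporate AD", and the function name are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample export: one row per (identity, source, account ID).
# The layout and source names are assumptions, not an IdentityNow format.
ACCOUNTS = [
    ("alice", "HR", "E1001"),
    ("alice", "Corporate AD", "alice"),
    ("bob", "HR", "E1002"),                  # no directory account
    ("carol", "HR", "E1003"),
    ("carol", "Corporate AD", "carol"),
    ("carol", "Corporate AD", "carol-adm"),  # two accounts on one source
]


def triage_error_candidates(accounts, authoritative_source, auth_source):
    """Return {identity: [reasons]} for identities likely to show ERROR."""
    per_identity = defaultdict(Counter)  # identity -> accounts per source
    for identity, source, _account_id in accounts:
        per_identity[identity][source] += 1

    findings = {}
    for identity, counts in sorted(per_identity.items()):
        reasons = []
        # Authentication source mismatch: the identity exists in the
        # authoritative source but has no account in the sign-in directory.
        if counts[authoritative_source] and not counts[auth_source]:
            reasons.append(f"no account on authentication source '{auth_source}'")
        # Ambiguous provisioning target: more than one account on a source.
        for source, n in sorted(counts.items()):
            if n > 1:
                reasons.append(f"{n} accounts on source '{source}'")
        if reasons:
            findings[identity] = reasons
    return findings


if __name__ == "__main__":
    result = triage_error_candidates(ACCOUNTS, "HR", "Corporate AD")
    for identity, reasons in result.items():
        print(identity, "->", "; ".join(reasons))
```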
Resetting a User Identity
You may need to reset a user's identity if they have forgotten their authentication information, such as their answers to knowledge-based questions. Resetting an identity deregisters the user, and they will not be able to access IdentityNow until they are reinvited.
To reset the identity and reinvite the user to IdentityNow:
1. From the Admin interface, select Identities > Identity List.
2. Select the name of the user you want to reset.
3. Select Actions > Reset Identity. The user's status changes from Active to Not Invited.
4. Return to the Identity List and select the checkbox next to the name of the user you just reset.
5. Select Invite Users to send an email invitation to the user who can then re-register and change their password.
If your organization has configured pass-through authentication, the user does not have to select the link in the email and can begin by signing in to IdentityNow with their existing username and password.
If your organization does not use pass-through authentication, resetting an identity will also reset their password. If you do have pass-through authentication, these steps will not change your users' passwords.