Managing Identities
In IdentityNow, your organization's users are represented by identities, created when you aggregate accounts from your authoritative sources. Each identity contains attributes that provide information about the user. This could be identifying information, such as first name, last name, and email, as well as information that describes their relationship to the organization, such as manager name, department, or job title. Each identity also shows the access the user has in your enterprise through their accounts, roles, and entitlements.
Note
Most identities represent human users in your organization, whether employees, contractors, vendors, etc. Identities can also represent robotic processes (bots) or service accounts with access to your enterprise systems.
In addition, identities are the user accounts that your personnel use to access IdentityNow. Your configurations determine which users can sign in and what level of access each user has to IdentityNow functions and data.
Viewing Identities
From the identity list, you can view details about any identity in your site, view the status of your identities, and manage users' access to IdentityNow and its functions.
- To access the list of all the identities in your site, go to Admin > Identities > Identity List.
- Select a filter to choose which identities are displayed:
  - All Identities includes all identities, including identities with errors and incomplete identities.
  - Identities with Errors shows identities that have email configuration errors, authentication source mismatching, or provisioning issues. For more information about these errors, refer to Resolving an Error Status.
  - Incomplete Identities shows identities that are missing values for required identity attributes. These identities must be completed before they can sign in or be used in other actions like access requests and certifications.
- Use the search bar to find the identities you need. IdentityNow searches the account ID, username, display name, email, first name, and last name attributes for values that begin with the search term you enter.
You can switch between Cards view for a tablet-friendly display or Table view for a condensed layout.
If you need to work with your identity data offline, you can also export the list to a CSV file.
Viewing Identity Statuses
Each identity's IdentityNow account status is displayed in the identity list. You can also use the provided queries in IdentityNow's Search to find identities by these statuses.
Status | Description | Search Query |
---|---|---|
Active | The user has registered for IdentityNow and can sign in. | status:ACTIVE |
Disabled | The user's IdentityNow account is disabled, preventing sign-in and any other user actions. | status:DISABLED |
Error | The identity is in an error state due to email configuration errors, correlation problems, or other issues. Refer to Resolving an ERROR Status for details. | status:ERROR |
Incomplete | The identity is missing a UID, email, or last name. | Not applicable |
Locked | The user's account has been manually locked, usually due to security concerns. | status:LOCKED |
Not Invited | The identity hasn't been invited to IdentityNow as a system user. | status:UNREGISTERED |
Pending | The user has been invited to register with IdentityNow, but they haven't registered yet. | status:PENDING |
Warning | The identity's invitation email failed to send. Verify their email address is correct and reinvite the identity. | Not applicable |
Note
The status:UNREGISTERED query returns users whose identities have been reset or disabled and reenabled in addition to those who have never been invited to register.
Resolving an ERROR Status
When identities appear in the Identity List with an ERROR status, you can select the Information icon to display more details.
An ERROR status may occur because of email configuration errors, authentication source mismatching, or provisioning issues. Some errors can prevent sign in to IdentityNow, so you'll need to address the error for those users to regain access.
- Email Configuration Errors: This occurs if your identity profile is configured to send an invitation only to a user's alternate email but the user does not have an alternate email configured. Check and adjust your identity profile invitation options or attribute mappings.
- Authentication Source Mismatch: This error occurs if your identity profile is configured with a Sign-in Method that uses a Directory Connection (pass-through authentication) and an identity created in that profile does not have an account on the specified authentication source. Without an account there, the user will not be able to authenticate to IdentityNow to sign in. To correct this, you must correlate an account on that directory source to the identity or change the sign-in method for the identity profile.
- Provisioning Issues: If an identity has more than one account on a source system where a provisioning event is triggered, this generates an error on the identity and no provisioning occurs. This occurs when IdentityNow cannot determine which account should be changed by the provisioning event.
Managing IdentityNow Access
You can use the identity list to manage users' access within IdentityNow through these actions:
- Invite users to register for access to IdentityNow.
- Set user levels to manage their level of access to IdentityNow functions and data.
- Enable or disable their identity.
- Reset the identity to clear any elevated user levels, erase their security question answers, and return them to a Not Invited status.
- Delete the identity from IdentityNow.
Notes
- Users cannot perform these actions for their own identity.
Inviting Identities
You can manually invite identities to use IdentityNow from the identity list. Refer to Inviting Users Manually for more details.
Setting User Level Permissions
By default, users have end user permissions which grant them limited system access. IdentityNow administrators can expand the default end-user access by granting different permissions grouped into user levels. The User Level Access Matrix summarizes the IdentityNow pages and components that are accessible at each user level.
Multiple user levels can be granted to a user. The user's access is cumulative across all granted user levels.
Best Practice
Many user levels require users to perform strong authentication to access the Admin and Search interfaces. Verify that strong authentication preferences are properly set up for identity profiles before increasing a user's level.
To set an IdentityNow user level:
- Go to Admin > Identities > Identity List and find the identity you want to grant user levels to.
- Select Actions > Set User Levels.
- Enable the toggle for each user level you want to grant to the user. Disable the toggle for user levels you want to revoke from the user.
- Select Save to save your changes. The user's new user levels will take effect the next time they sign in to IdentityNow.
Note
User levels are managed by administrators. They are not requestable and cannot be included in Roles or Access Profiles.
Disabling Identities
Disabling an identity immediately removes IdentityNow login access from the user. For example, you might want to disable the identity of a user who has left the company or who no longer has responsibilities that require IdentityNow access.
Notes
- This does not disable the user's source accounts or otherwise revoke their access to those systems.
- Disabled identities can't be reset or invited to IdentityNow.
- If the user is signed into IdentityNow when their identity is disabled, this does not end their active IdentityNow session.
- A user whose identity is disabled cannot change their passwords.
To disable an identity:
- Go to Admin > Identities > Identity List and find the identity you want to disable.
- Select Actions > Disable Identity.
- Select Disable Identity to confirm.
To disable multiple users, select the checkboxes next to the identities you want to disable, select Actions > Disable Identities at the top of the identity list, and select Disable Identities to confirm.
Enabling Identities
If a user has been disabled, they must be reenabled after the issue has been resolved to regain access to IdentityNow.
To enable an identity:
- Go to Admin > Identities > Identity List and find the identity you want to enable.
- Select Actions > Enable Identity.
To enable multiple users, select the checkboxes next to the identities you want to enable and select Actions > Enable Identities at the top of the identity list.
Notes
- User levels assigned when the identity was disabled are retained by the user.
- This returns the identity to a Not Invited status.
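The notes under Disabling Identities and Enabling Identities mean a disabled identity can still hold enabled source accounts, and user levels that return when it is reenabled. The following Python check is an added example, not SailPoint code: it reviews a constructed identity list for both conditions. The column names and sample values are assumptions, since the layout of the exported CSV is not described on this page.

```python
import csv
import io

# Constructed sample data. The column names and user level values are
# assumptions for this example; the real export layout is not described here.
SAMPLE_CSV = """name,status,user_levels,enabled_source_accounts
alice.lee,ACTIVE,ADMIN,Active Directory;HR
bob.ray,DISABLED,ADMIN;HELPDESK,Active Directory
carol.diaz,DISABLED,,
dan.ortiz,DISABLED,,Active Directory;Payroll
erin.wu,UNREGISTERED,HELPDESK,Active Directory
"""


def split_list(cell):
    """Split a semicolon-separated cell into a list, dropping blanks."""
    return [item.strip() for item in cell.split(";") if item.strip()]


def review_disabled(csv_text):
    """Return {identity name: [findings]} for disabled identities with residual access."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().upper() != "DISABLED":
            continue
        issues = []
        levels = split_list(row["user_levels"])
        accounts = split_list(row["enabled_source_accounts"])
        if levels:
            # Retained levels come back into force if the identity is reenabled.
            issues.append("retains user levels: " + ", ".join(levels))
        if accounts:
            # Disabling the identity does not disable or revoke source accounts.
            issues.append("source accounts still enabled: " + ", ".join(accounts))
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_disabled(SAMPLE_CSV).items():
        for issue in issues:
            print(f"{name}: {issue}")
```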
Resetting Identities
You may need to reset a user's identity if they have forgotten their authentication information like their answers to knowledge-based questions. Resetting an identity de-registers the user and removes any elevated user levels they have. They must be reinvited before they can access IdentityNow again.
To reset the identity and reinvite the user to IdentityNow:
- Go to Admin > Identities > Identity List and find the identity you want to reset.
- Select Actions > Reset Identity. The user's status changes to Not Invited.
- To reinvite the user, return to that identity record, select Actions > Invite Identity.
Note
The invitation step is only necessary for users who sign in through a user name and password recorded in IdentityNow directly. When they register again, they will also reset their IdentityNow password.
Deleting Identities
Deleting an identity can allow you to resolve identity problems that you haven't been able to solve through more targeted actions. It removes their access to IdentityNow and deletes all accounts correlated to the identity. However, it does not deprovision those accounts from their sources.
Important
Identities that are set as the owners of sources, roles, access profiles or apps cannot be deleted. Certification reviewers with active certifications also cannot be deleted. Select new owners and reassign certifications to delete these identities.
To delete a user from IdentityNow:
- Go to Admin > Identities > Identity List and find the identity you want to delete.
- Select Actions > Delete Identity.
- Select Delete Identity to confirm.
To delete multiple users, select the checkboxes next to the identities you want to delete, select Actions > Delete Identities at the top of the identity list, and select Delete Identities to confirm.
Note
Deleting is a temporary action if the user still exists in your authoritative sources. Correct underlying problems on your source systems and reaggregate an authoritative account to create a new identity for the user. Then you can reaggregate their other accounts so they will correlate to the new identity.
To restore the user's IdentityNow access, the new identity must be invited and granted any elevated permissions they require since these settings were removed when the original identity was deleted.
Synchronizing Attributes
If your organization has configured attribute synchronization, you can manually synchronize an identity's attributes from the identity list. Refer to Manually Synchronizing a Single Identity for details.
Viewing Identity Details
Note
This documentation describes the legacy Identity Details experience. Customers using the updated Identity Details experience should refer to Viewing Identity Details.
To view additional details about an identity or to manage that user's accounts and other settings, select the identity name in Table view or the Details button in Cards view.
Identity details include:
- The identity profile they belong to.
- Their IdentityNow user level permissions.
- The last time the identity's information was updated.
- Their current lifecycle state.
- The last time audit events were generated by or for this identity.
- Their identity attributes.
- Access held by the user through their accounts and entitlements, as well as roles assigned to them.
- Work reassignment configurations defined for them. You can also add new reassignment configurations.
Exporting Identities
The export option generates a zipped CSV file of the current set of identities which you can download for use offline.
- Select Export to start the file generation.
- When it finishes, the bar at the bottom of the page shows Done and you can select the arrow to expand the panel and download the file.
- Select Download to download the zip file to your local computer.
Notes
- Depending on the number of identities in your system, generating this file can take a substantial amount of time. You can leave the page while the process runs. The generated file will be retained as long as your current IdentityNow session is active.
- The file includes the list of identities as it existed when you started the export.