In IdentityNow, your organization's users are represented by identities, created when you aggregate accounts from your authoritative sources. Each identity contains attributes that provide information about the user. This could be identifying information, such as first name, last name, and email, as well as information that describes their relationship to the organization, such as manager name, department, or job title. Each identity also shows the access the user has in your enterprise through their accounts, roles, and entitlements.
Most identities represent human users in your organization, whether employees, contractors, vendors, etc. Identities can also represent robotic processes (bots) or service accounts with access to your enterprise systems.
In addition, identities are the user accounts that your personnel use to access IdentityNow. Your configurations determine which users can sign in and what level of access each user has to IdentityNow functions and data.
Using the Identity List
From the identity list, you can view details about any identity in your site, view the status of your identities, and manage users' access to IdentityNow and its functions.
To access the list of all the identities in your site, go to Admin > Identities > Identity List.
In the left pane, choose which identities to display in the list:
- All Identities includes healthy identities, identities with errors, and incomplete identities.
- Identities with Errors shows those which have encountered email configuration errors, authentication source mismatching, or provisioning issues.
- Incomplete Identities shows those which are missing values for required identity attributes. These identities must be completed before they can sign in or be used in other actions, including access requests, certifications, and more.
Use the search bar to find the identities you need. IdentityNow searches the account ID, display name, email, first name, and last name attributes for values that begin with the search term you enter.
The list displays a maximum of 100 identities per page. Use the controls at the bottom of the page to change your page size and navigate through the pages of identities. You can switch between Cards view for a tablet-friendly display or Table view for a condensed layout.
If you need to work with your identity data offline, you can also export the list to a CSV file.
Viewing Identity Statuses
Each identity's IdentityNow account status is displayed in the identity list. You can also use the provided queries in IdentityNow's Search to find identities by these statuses.
| Status | Description | Search Query |
|---|---|---|
| Active | The user has registered for IdentityNow and can sign in. | |
| Disabled | The user's IdentityNow account is disabled, preventing sign-in and any other user actions. | |
| Error | The identity is in an error state due to email configuration errors, correlation problems, or other issues. Refer to Resolving an ERROR Status for details. | |
| Incomplete | The identity is missing a UID, email, or last name. | Not applicable |
| Locked | The user's account has been manually locked, usually due to security concerns. | |
| Not Invited | The identity hasn't been invited to IdentityNow as a system user. | |
| Pending | The user has been invited to register with IdentityNow, but they haven't registered yet. | |
| Warning | The identity's invitation email failed to send. Verify their email address is correct and reinvite the identity. | Not applicable |

The status:UNREGISTERED query returns users whose identities have been reset or disabled and reenabled, in addition to those who have never been invited to register.
Resolving an ERROR Status
When identities appear in the Identity List with an ERROR status, you can select the information icon to display more details.
An ERROR status may occur because of email configuration errors, authentication source mismatching, or provisioning issues. Some errors can prevent sign in to IdentityNow, so you'll need to address the error for those users to regain access.
- Email Configuration Errors: This occurs if your identity profile is configured to send an invitation only to a user's alternate email but the user does not have an alternate email configured. Check and adjust your identity profile invitation options or attribute mappings.
- Authentication Source Mismatch: This error occurs if your identity profile is configured with a Sign-in Method that uses a Directory Connection (pass-through authentication) and an identity created in that profile does not have an account on the specified authentication source. Without an account there, the user will not be able to authenticate to IdentityNow to sign in. To correct this, you must correlate an account on that directory source to the identity or change the sign-in method for the identity profile.
- Provisioning Issues: If an identity has more than one account on a source system where a provisioning event is triggered, this generates an error on the identity and no provisioning occurs. This occurs when IdentityNow cannot determine which account should be changed by the provisioning event.
Managing IdentityNow Access
You can use the identity list to manage users' access within IdentityNow through these actions:
- Invite users to register for access to IdentityNow.
- Set user levels to manage their level of access to IdentityNow functions and data.
- Enable or disable their identity.
- Reset the identity to clear any elevated user levels, erase their security question answers, and return them to a Not Invited status.
- Delete the identity from IdentityNow.
- Users cannot perform these actions for their own identity.
- You cannot view details or perform any of these actions on incomplete identities.
Setting User Level Permissions
By default, all users have end user permissions which grant them limited system access. Elevated permissions within IdentityNow are grouped into different user levels that administrators can grant to users. The User Level Access Matrix summarizes the IdentityNow pages and components that are accessible at each user level.
Multiple user levels can be granted to a user. The user's access is cumulative across all granted user levels.
Many user levels require users to perform strong authentication. Verify that strong authentication preferences are properly set up for identity profiles before increasing a user's level.
To grant or remove an IdentityNow user level:
- Go to Admin > Identities > Identity List and find the identity you want to grant user levels to.
- Select the ellipsis button under Actions and select Set User Levels.
- Enable the toggle for each user level you want to grant to the user. Disable the toggle for user levels you want to revoke from the user.
- The user's new user levels will take effect the next time they sign in to IdentityNow.
- User levels are managed by administrators. They are not requestable and cannot be included in Roles or Access Profiles.
Disabling an identity immediately removes IdentityNow login access from the user. For example, you might want to disable the identity of a user who has left the company or who no longer has responsibilities that require IdentityNow access.
- This does not disable the user's source accounts or otherwise revoke their access to those systems.
- If the user is signed into IdentityNow when their identity is disabled, this does not end their active IdentityNow session.
- A user whose identity is disabled cannot change their passwords.
To disable an identity:
- Go to Admin > Identities > Identity List and find the identity you want to disable.
- Select the ellipsis button under Actions and select Disable.
- Select Disable Identity to confirm.
To disable multiple users simultaneously, select the checkboxes next to the identities you want to disable, select Actions > Disable at the top of the identity list, and select Disable Identities to confirm.
If a user has been disabled, they must be reenabled after the issue has been resolved to regain access to IdentityNow.
To enable an identity:
- Go to Admin > Identities > Identity List and find the identity you want to enable.
- Select the ellipsis button under Actions and select Enable.
To enable multiple users simultaneously, select the checkboxes next to the identities you want to enable and select Actions > Enable at the top of the identity list.
- User levels assigned when the identity was disabled are retained by the user.
- This returns the identity to a Not Invited status.
You may need to reset a user's identity if they have forgotten their authentication information like their answers to knowledge-based questions. Resetting an identity de-registers the user and removes any elevated user levels they have. They must be reinvited before they can access IdentityNow again.
To reset the identity and reinvite the user to IdentityNow:
- Go to Admin > Identities > Identity List and find the identity you want to reset.
- Select the ellipsis button under Actions and select Reset. The user's status changes to Not Invited.
- To reinvite the user, return to that identity record, select the ellipsis button under Actions, and select Invite.
The invitation step is only necessary for users who sign in through a user name and password recorded in IdentityNow directly. When they re-register, they will also reset their IdentityNow password.
Deleting an identity can allow you to resolve identity problems that you haven't been able to solve through more targeted actions. It removes their access to IdentityNow and deletes all accounts correlated to the identity. However, it does not deprovision those accounts from their sources.
Identities that are set as the owners of sources, roles, access profiles or apps cannot be deleted. Certification reviewers with active certifications also cannot be deleted. Select new owners and reassign certifications to delete these identities.
To delete a user from IdentityNow:
- Go to Admin > Identities > Identity List and find the identity you want to delete.
- Select the ellipsis button under Actions and select Delete.
- Select Delete Identity to confirm.
To delete multiple users, select the checkboxes next to the identities you want to delete, select Actions > Delete at the top of the identity list, and select Delete Identities to confirm.
Deleting is a temporary action if the user still exists in your authoritative sources. Correct underlying problems on your source systems and reaggregate an authoritative account to create a new identity for the user. Then you can reaggregate their other accounts so they will correlate to the new identity.
To restore the user's IdentityNow access, the new identity must be invited and granted any elevated permissions they require since these settings were removed when the original identity was deleted.
Viewing Identity Details
To view additional details about an identity or to manage that user's accounts and other settings, select the identity name in Table view or the Details button in Cards view.
Identity details include:
- The identity profile they belong to.
- Their IdentityNow user level permissions.
- The last time the identity's information was updated.
- Their current lifecycle state.
- The last time audit events were generated by or for this identity.
- Their identity attributes.
- Access held by the user through their accounts and entitlements, as well as roles assigned to them.
- Work reassignment configurations defined for them. You can also add new reassignment configurations.
Several actions available on the identity list page can also be done from the identity details page. These are presented in the Actions menu and include options to disable, reset, and remove the identity, as well as to set user levels.
The export option generates a zipped CSV file of the current set of identities which you can download for use offline.
- Select Export to start the file generation.
- When it finishes, the bar at the bottom of the page shows Done and you can select the arrow to expand the panel and download the file.
- Select Download to download the zip file to your local computer.
- Depending on the number of identities in your system, generating this file can take a substantial amount of time. You can leave the page while the process runs. The generated file will be retained as long as your current IdentityNow session is active.
- The file includes the list of identities as it existed when you started the export.
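As an added example (not SailPoint code), the following Python script reviews an exported zip offline and lists disabled or locked identities that still hold user levels, which matters because user levels are retained when a disabled identity is enabled again. The column headers, the `;` separator between user levels, the file name, and the sample rows are assumptions constructed for illustration; map them to the headers in your own export.

```python
import csv
import io
import zipfile

# Assumed column headers: the real export's headers are not given on this page.
COL_NAME, COL_STATUS, COL_LEVELS = "Name", "Status", "User Levels"
LEVEL_SEPARATOR = ";"  # assumed separator between multiple user levels

# Statuses from the table above under which elevated levels are dormant.
DORMANT_STATUSES = {"disabled", "locked"}


def load_rows(zip_bytes):
    """Read every CSV member of the export zip into a list of dict rows."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.lower().endswith(".csv"):
                text = zf.read(member).decode("utf-8-sig")  # tolerate a BOM
                rows.extend(csv.DictReader(io.StringIO(text)))
    return rows


def review(rows):
    """Return (name, status, levels) for dormant identities that hold user levels."""
    findings = []
    for row in rows:
        status = (row.get(COL_STATUS) or "").strip()
        raw_levels = (row.get(COL_LEVELS) or "").split(LEVEL_SEPARATOR)
        levels = [lvl.strip() for lvl in raw_levels if lvl.strip()]
        if status.lower() in DORMANT_STATUSES and levels:
            findings.append((row.get(COL_NAME, ""), status, levels))
    return findings


def constructed_export():
    """Build a small in-memory zip standing in for a real export (constructed data)."""
    csv_text = (
        "Name,Status,User Levels\n"
        "Alice Example,Active,Admin\n"
        "Bob Example,Disabled,Admin;Helpdesk\n"
        "Carol Example,Disabled,\n"
        "Dan Example,Locked,Helpdesk\n"
        "Eve Example,Not Invited,\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("identities.csv", csv_text)
    return buf.getvalue()


if __name__ == "__main__":
    for name, status, levels in review(load_rows(constructed_export())):
        print(f"{name}: {status}, still holds {', '.join(levels)}")
```

Identities this flags are candidates for having their user levels revoked through Set User Levels before anyone enables them again.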