Loading Account Data
Loading account data into IdentityNow aggregates source accounts and their associated access into the system so they can be governed. To load or aggregate account data into IdentityNow, you need to create one or more sources, which can be either direct connections or flat file feeds.
Account data for flat file sources can be manually uploaded at any time to aggregate changes to those accounts. While you can't load flat file feeds for multiple sources simultaneously, you can load them consecutively.
If you start aggregations for multiple direct connect sources, IdentityNow will place them in a queue and process them in the order that you load the files or start the aggregations. You can monitor the aggregation progress on the System Activity panel of the Admin Dashboard.
You can also configure supported sources to use delta aggregation, which updates only those accounts on the source that have changed. For more information, read Configuring Delta Aggregations for Supported Sources.
Configuring a Source
Choose the type of source you will use as a source of account data and refer to the documentation specific to that type for detailed instructions on how to configure it in IdentityNow:
A direct connection is a method of communicating directly between a source server and IdentityNow. To set up a direct connection between IdentityNow and a source server, you'll provide essential connection information specific to the source.
To access the documentation for a specific supported direct connect source, see the list of Supported Connectors for IdentityNow.
A flat file feed is a CSV file that contains all relevant information about the accounts you want to load into IdentityNow. When you create a flat file source, you load the account information by importing the file.
For more information about loading data into IdentityNow from a flat file, refer to the Flat File Source Configuration Guide.
Source admins can create, configure, manage, and edit sources. Source sub-admins can perform these source actions only on the sources associated with the governance group they are members of.
After you've finished initially loading existing account data into IdentityNow, you must create identity profiles for the source to create IdentityNow accounts from the source data.
After you've created at least one identity profile, you can change the pre-set or default correlation for the source to meet your needs. For more information, see Configuring Account Correlation.
After the initial automatic aggregation that IdentityNow performs to load account data from a configured source, you can manually aggregate account information as needed or schedule IdentityNow to aggregate data from any direct connect source on a regular basis.
Scheduling Aggregations for Direct Connect Sources
After IdentityNow performs an initial aggregation to load account data from a direct connect source, you have the option of scheduling future aggregations to automatically load new data on the source into IdentityNow on a regular basis.
You can also manually aggregate account information from a direct connect source as needed.
Aggregation Best Practices
When scheduling aggregations, we recommend you follow these best practices to help your aggregations run more quickly, with minimal impact to your organization.
Aggregate as infrequently as possible based on your business needs. It is almost never necessary to aggregate more often than once a day for most non-authoritative sources.
When possible, aggregate outside of business hours. Usually, this is at night.
Aggregate only what you deem is necessary and important. Use filtering on the connector if applicable to aggregate only the most recent records for active users.
If the source supports delta aggregation, use this option to lower your aggregation times and minimize load on the system.
To schedule aggregations:
In the Admin interface, go to Connections > Sources and select the source you want to schedule aggregations for.
Use the available options to schedule how often you want the aggregation to run and the time you want to start each aggregation.
If you select Daily, you can use the Recurring Every dropdown menu to set an interval within the day. The start time and interval will determine the number of aggregations that will be performed each day. For example, if the Time is set to 2 pm and the recurrence is set to 8 hours, aggregation will occur twice each day. To aggregate once per day, set it to 24 hours.
Select Save to schedule aggregations for the source.
If you need to cancel an aggregation after it has started, you can do so from the Aggregation Activity Log. This is particularly helpful if you encounter a problem during an aggregation that might take several hours to complete.
Manually Aggregating Information from a Direct Connect Source
The first time you load account or entitlement information from a direct connect source, that information is aggregated automatically. After the initial automatic aggregation, you can manually aggregate accounts and entitlements from the source as many times as you need, using the Source Aggregation tab.
If you are running a manual aggregation on entitlements due to an error with unrecognized entitlements in a certification campaign, the manual remediation alone may not fix the error, but can tell you what the error is so that you can take steps to address it.
Alternatively, you may need to generate another campaign after remediation to confirm whether or not the error with entitlements was resolved. If it wasn't resolved, the entitlements will continue to show up in campaigns.
To manually aggregate account information:
In the Admin interface, go to Connections > Sources and select a source.
Select Import Data > Entitlement Aggregation or Account Aggregation based on the type of information you want to aggregate from the source.
If the Enable Schedule option is checked, we recommend you make note of the current settings as they will be reset when you uncheck this option to perform a manual aggregation.
Select the Start button next to Manual Aggregation.
An entry is added to the Aggregation Activity Log with a status of Pending. The Date column indicates the date and time the aggregation was started. When the aggregation is complete, the Status column will indicate if the aggregation completed successfully.
Aggregations can take two hours or longer depending on the size of the source. During this time, the Start button will be disabled. If you need to cancel an aggregation after it has started, you can do so from the Aggregation Activity Log.
Configuring Delta Aggregations for Supported Sources
When IdentityNow performs a delta aggregation on a supported source, it only loads the accounts that have been created or changed since the most recent aggregation. For example, if one of your users changes their phone number in Active Directory, you can aggregate account information for that user only — instead of all of the accounts on the source. This can speed up the process of loading changes from your source.
Account deletions will be handled during the next full aggregation.
Delta aggregation does not support OU moves. If you perform any type of OU move, you need to perform full account aggregations to avoid unexpected behavior such as the creation of duplicate accounts for the same user.
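The two caveats above (deletions wait for the next full aggregation, and OU moves can produce duplicate accounts) can be seen in a small simulation. This is an added example, not SailPoint code or IdentityNow's implementation; it assumes the governed store keys each account by its distinguished name and that the source stamps records with a change counter, and all names and sample records are constructed.

```python
# Simplified model, not IdentityNow's implementation. Assumptions: the store
# keys accounts by DN, and the source stamps each record with a change counter.

def delta_aggregate(store, source, since):
    """Upsert only records changed after `since`; never removes anything."""
    for rec in source:
        if rec["changed"] > since:
            store[rec["dn"]] = dict(rec)

def full_aggregate(store, source):
    """Reload every record and drop store entries absent from the source."""
    store.clear()
    store.update({rec["dn"]: dict(rec) for rec in source})

def duplicates(store):
    """User ids that appear under more than one DN in the store."""
    by_uid = {}
    for dn, rec in store.items():
        by_uid.setdefault(rec["uid"], []).append(dn)
    return {uid: sorted(dns) for uid, dns in by_uid.items() if len(dns) > 1}

def stale(store, source):
    """Store entries whose DN no longer exists on the source."""
    live = {rec["dn"] for rec in source}
    return sorted(dn for dn in store if dn not in live)

def demo():
    base = "DC=example,DC=com"  # constructed sample directory
    source = [
        {"dn": f"CN=ann,OU=Sales,{base}", "uid": "ann", "phone": "100", "changed": 1},
        {"dn": f"CN=bob,OU=Sales,{base}", "uid": "bob", "phone": "200", "changed": 2},
        {"dn": f"CN=cal,OU=Sales,{base}", "uid": "cal", "phone": "300", "changed": 3},
    ]
    store = {}
    full_aggregate(store, source)
    # Source changes: ann's phone is updated, bob moves OU, cal is deleted.
    source = [
        {"dn": f"CN=ann,OU=Sales,{base}", "uid": "ann", "phone": "101", "changed": 4},
        {"dn": f"CN=bob,OU=Eng,{base}", "uid": "bob", "phone": "200", "changed": 5},
    ]
    delta_aggregate(store, source, since=3)
    after_delta = (duplicates(store), stale(store, source))
    full_aggregate(store, source)
    after_full = (duplicates(store), stale(store, source))
    return after_delta, after_full

if __name__ == "__main__":
    print(demo())
```

After the delta run the model still holds the deleted account and both of the moved user's DNs, which is the state a reviewer would see in a certification until a full aggregation clears it.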
The following sources support delta aggregation:
| Active Directory | IBM Tivoli Directory Server | SAP Direct |
| Azure Active Directory | JDBC | SAP HR |
| G Suite | Oracle Directory Server | ServiceNow |
| IBM Lotus Domino | Oracle Fusion HCM | Workday |
To configure delta aggregations on a supported source:
In the Admin interface, select Connections > Sources.
In the Config tab, select Advanced Options.
Under Delta Aggregation Mode, select the Enable option.
For JDBC, you must select both of these options: Delta Aggregation Mode and Enable Account Delta Aggregation.
Aggregating Account Information on a Direct Connect Source Using APIs
If you prefer to aggregate a direct connect source using the available REST API, you can do so using the
To use APIs, you'll need to use one of our supported authentication methods. As a best practice, SailPoint recommends using OAuth 2. Also, the endpoint may vary slightly based on the authentication method. For details, see the supported Authentication Methods.
Sign in to your org as an administrator.
In the Admin interface, go to Connections > Sources and select the source you want to aggregate.
The source ID is displayed at the end of the URL in your browser address.
Make note of this number, as you'll need to refer to it in the next step.
Use your preferred tool to call the following API:
<api-url> is the URL to the API on the IdentityNow org (e.g., https://org-name.api.identitynow.com).
source_id is the ID of the direct connect source you want to aggregate.
To ensure that every account is scanned when you aggregate the source:
If you have changed the correlation configuration for the direct connect source, you can disable optimization by including the following key-value pair in the Body of the call, as
This parameter setting applies to the current aggregation only. Subsequent aggregations performed using the API will have optimization enabled unless you set this flag to true each time. Scheduled or manual aggregations performed using the UI will always run with optimization enabled.
Viewing the Aggregation Activity Log
Whenever a source is being aggregated, a new entry is added to the Aggregation Activity Log, along with the name of the admin user who started it (for manual aggregations), the date and time the aggregation occurred, and its current status. This is helpful for tracking the progress of an aggregation that is still processing and viewing detailed information about the aggregation.
You can also cancel an aggregation that is in progress from the Aggregation Activity Log.
In the Admin interface, go to Connections > Sources and select the source you want to view aggregation activity for.
If it's a flat file source, go to Import Data.
In the Aggregation Activity Log, select the Info icon to display detailed status information, such as how long it took for the aggregation to complete, and the number of retries that were attempted before the aggregation completed successfully.
Select Close when you are done viewing the detailed information for the aggregation.
Canceling an Aggregation
Aggregating Data for a Single Account
If you are a Helpdesk admin or an administrator, you might need to reload or aggregate the data from a single account to make sure that you have the most current information. For example, if a user calls the Helpdesk needing help unlocking their account, you might not see that status immediately. Aggregating that person's account gives you access without taking the time and resources to update the source's entire contents.
In the Admin interface, select Identities > Identity List.
Select the name of the user whose account you want to aggregate.
This action initiates a refresh of the related identity's data, but it does not synchronize the new data with the identity. It also does not have any impact on provisioning. It only loads any changes from the account source data.
For more information about the identity refresh process, see Updating Identity Data.