Skip to content

Managing Source Account Schemas

Each source supports a variety of details, or attributes, about each user who has an account, such as their name, email address, manager name, and location.

The set of account attributes each source stores and how they're organized is known as the account's schema. To best represent your data, you can configure sources to use an account schema matching the one you use in the external connector.

Viewing an Account Schema

Most sources have an account schema as soon as they're connected to Identity Security Cloud. To view your account schema:

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source containing the account schema you want to view.

  3. In the Account Management section, select Account Schema.

    Table of the default account schemas with the attribute name, type, and whether they are entitlements or multi-valued.

Each source schema has one attribute marked as the Account Name and one attribute marked as the Account ID. Editing the Account Name or Account ID after aggregation can result in serious issues and is strongly discouraged.

If your source doesn't have an account schema, you can create one by adding attributes to the source that match your external connector.

Discovering an Account Schema

You might have customized the attributes that are recorded for accounts on your source. On some sources, you can discover the schema on the external source and import it to Identity Security Cloud.

On sources that do not support schema discovery, you must edit manually.

Prerequisite: A source has been created and set up correctly.

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source you want to discover the account schema for.

  3. In the Account Management section, select Account Schema.

  4. Select Discover Schema.

  5. If applicable, in the dialog box that appears, select which attributes should be used as the Account Name and Account ID.

  6. Select Save Schema.

The account schema for this source is saved. The next time accounts are aggregated, their attributes will follow this schema.

You can also edit the schema for a source.

Editing an Account Schema

You can add and delete attributes from an account schema, as well as indicate whether an attribute supports multiple values.

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source containing the account schema you want to update.

  3. In the Account Management section, select Account Schema.

    • To add a new attribute, select + Add New Attribute and fill out all required fields.

      Important

      Attribute names cannot contain periods.

    • To delete an attribute, select the Actions icon beside the attribute and select Delete.

      You can also select the checkbox beside attributes in this list and select Delete Attributes.

    • To mark an attribute as an entitlement, select the Actions icon beside the attribute and select Edit. Select the Entitlement checkbox, then select Update.

      Note

      Boolean attributes cannot be marked as entitlements.

    • To include permissions with entitlements that are part of an account aggregation, select the Include permissions in aggregations checkbox.

    • To remove the Multi-Valued setting on an attribute, select the checkboxes beside the attributes you want to edit. Clear the checkbox for the Multi-Valued setting. You can also do this in the Edit Attribute overlay.

    • To edit a source's Account Name and Account ID attributes, select Edit Schema at the top of the page. Under Account ID and Account Name, choose the attributes that should be used to provide those values and select Update.

      Changing Account Name and Account ID Attributes

      Updating the Account Name or Account ID attributes for a source after aggregating accounts is strongly discouraged and can cause significant errors.

      The Account Name attribute is immutable, and editing it after accounts have been aggregated can cause duplicate accounts and identities to be aggregated and created. The Account ID attribute is used in multiple places across systems to reference accounts. Changing the Account ID can break these references in serious and unexpected ways.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.