Managing User Accounts

After you’ve aggregated users' source accounts from a supported source, you can view and manage these accounts in Identity Security Cloud.

Accounts are classified as one of two types:

  • Human account - An account associated with a human identity.

  • Uncorrelated account - An account that is not linked to an authoritative identity. An uncorrelated account must be correlated to an identity before it can be governed.

You can view the statuses of these accounts by going to Admin > Identity Management > Accounts. An account can have multiple statuses, such as Enabled and Locked, but it can never have both the Enabled and Disabled statuses.

Status    Definition
Enabled   The account is enabled and can be accessed by the user.
Disabled  The account has been disabled, and the user can't access it. This may occur when an admin disables the user’s account or when the user's lifecycle state changes.
Locked    The user's account has been locked. For example, someone may have entered an incorrect password for the account too many times.

Disabling a User Account

If you are a Helpdesk admin or an administrator, you might need to disable a user's account on a source. For example, if a user reports suspicious activity on that account, you can disable it temporarily while investigating the problem.

Important

This disables the user's account on the source and is different from disabling the user's access to Identity Security Cloud.

  1. Go to Admin > Identity Management > Accounts and find the account you want to disable.

  2. Select the name of the user you want to disable.

  3. Select Actions > Disable Account.

  4. In the confirmation window, select Disable.

You can reenable an account by selecting Actions > Enable Account.

Aggregating User Accounts

Administrators and source admins can run an aggregation for a single account rather than running a full aggregation.

  1. Go to Admin > Identity Management > Accounts and find the account that needs aggregating.

  2. Select Actions > Aggregate Account.

Unlocking User Accounts

If you are a Helpdesk admin or an administrator and a user has been locked out of a source account, you can unlock their account from Identity Security Cloud. This option is available for accounts that have been loaded into your tenant from a supported source that allows unlocking accounts.

Note

You may need to aggregate the account first to ensure that the account status in your tenant is accurate.

  1. Go to Admin > Identity Management > Accounts and find the locked account.
  2. Select Actions > Unlock Account.
  3. In the confirmation window, select Unlock.

Removing User Accounts

Administrators and source admins may need to remove an account from Identity Security Cloud to fix data on the source. For example, if a user's email address was misspelled on the source, their account may correlate to another user's Identity Security Cloud account. You can remove the account from that user to fix the misspelled email address. When the account is aggregated again, it is treated like a new account and will correlate to the correct identity.

Important

If you remove an account from a user and that account is on an authoritative source, the user may move to a different identity profile or disappear from the list of identities.

To remove a source account:

  1. Go to Admin > Identity Management > Accounts and find the account you want to remove.
  2. Select Actions > Remove Account.
  3. In the confirmation window, select Remove to remove the account. This action removes the account from Identity Security Cloud, not from the source system itself.

The account is removed from Identity Security Cloud and will be added again during your next full aggregation.

Note

If your source is configured for delta aggregation, you should disable it if you want to reaggregate the account.

Correlating User Accounts

To resolve an uncorrelated account, administrators and source admins can update the account’s correlation by assigning it to an identity. For example, if an account’s email address was misspelled on Active Directory, it may not be correlated to the correct identity in an aggregation. You can assign the uncorrelated account to this identity, allowing the account to be governed.

Important

SailPoint recommends using this feature if your organization has a limited number of uncorrelated accounts. If you find a large number of uncorrelated accounts, review your organization’s account correlation configuration.

You may also need to correlate accounts to the correct identities in the following cases:

  • An account was manually correlated to the wrong identity.

  • An account was correlated to the wrong identity through an aggregation. If this occurs often, SailPoint recommends reviewing your account correlation configuration.

  • An authoritative account needs to be reassigned to another identity to resolve duplicated identities.

To correlate an account:

  1. Go to Admin > Identity Management > Accounts and find the account that needs to be correlated.

  2. Select Actions > Update Correlation.

  3. Select the identity that should be associated with this account.

  4. Select Save.
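
The following Python sketch is an added example, not SailPoint code or part of the product documentation. It triages accounts before a manual Update Correlation by separating probable email typos from ambiguous near matches and from accounts with no plausible owner. The record fields, the sample data, the exact-email correlation rule, and the 0.9 similarity cutoff are all assumptions made for illustration.

```python
import difflib

# Constructed sample data, not from a real tenant; field names are assumptions.
IDENTITIES = {
    "ana.ruiz@example.com": "Ana Ruiz",
    "anna.ruis@example.com": "Anna Ruis",
    "bo.chen@example.com": "Bo Chen",
}
ACCOUNTS = [
    {"id": "ad-001", "email": "Ana.Ruiz@example.com", "statuses": {"Enabled"}},
    {"id": "ad-002", "email": "bo.chne@example.com", "statuses": {"Enabled", "Locked"}},
    {"id": "ad-003", "email": "svc-backup@example.com", "statuses": {"Disabled"}},
    {"id": "ad-004", "email": "ana.ruis@example.com", "statuses": {"Enabled"}},
]


def statuses_valid(statuses):
    """Several statuses may coexist, but never Enabled together with Disabled."""
    return not {"Enabled", "Disabled"} <= set(statuses)


def candidates(email, identities, cutoff=0.9):
    """Identity names whose email is a near match, best match first."""
    close = difflib.get_close_matches(email.lower(), list(identities), n=3, cutoff=cutoff)
    return [identities[e] for e in close]


def triage(accounts, identities):
    """Classify each account; only an exact email match counts as correlated."""
    report = {}
    for acct in accounts:
        if not statuses_valid(acct["statuses"]):
            report[acct["id"]] = ("invalid-status", [])
            continue
        owner = identities.get(acct["email"].lower())
        if owner:
            report[acct["id"]] = ("correlated", [owner])
            continue
        names = candidates(acct["email"], identities)
        verdict = "no-candidate" if not names else "ambiguous" if len(names) > 1 else "likely-typo"
        report[acct["id"]] = (verdict, names)
    return report


if __name__ == "__main__":
    for acct_id, (verdict, names) in triage(ACCOUNTS, IDENTITIES).items():
        print(f"{acct_id}: {verdict} {names}")
```

An "ambiguous" result such as ad-004 is the case where assigning the account on similarity alone could attach it to the wrong identity, so the owner should be confirmed against the source before saving the correlation.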
