Processing Identity Data
When changes occur to identity data or access model configurations (identity profiles, roles, access profiles), corresponding access for your identities may also need to change. These changes happen through identity processing, which can be initiated in response to events, scheduled, or executed manually.
- Event-based processing immediately processes identity data for identities changed during an aggregation and for identities modified in provisioning actions.
- Scheduled processing occurs every morning and evening for identities that meet the requirements.
- Manual processing can be initiated following changes to configurations like role definitions or identity attribute mappings.
These actions were previously performed by the process known as an identity refresh.
When an aggregation or provisioning process modifies an identity, that event initiates identity processing to automatically analyze the identity to make sure the rest of their data is accurate.
If the identity's data is out of sync with the configurations, identity processing makes these changes:
- Updates identity attributes according to the identity profile mappings.
- Determines the identity’s correct manager through manager correlation.
- Updates the identity’s access according to their assigned lifecycle state.
- Updates the identity’s access based on role assignment criteria.
Most identities are kept up to date by event-based identity processing. However, in some identity profiles, identity attributes are calculated through rules or transforms that compute values based on time, rather than just on aggregated data.
The lifecycle state attribute is commonly calculated with a transform that compares the current date to a hire date or termination date attribute.
Scheduled identity processing runs twice daily, at 8:00 AM and 8:00 PM in the tenant's configured time zone (default CST/CDT).
- At 8:00 AM:
  - Only identities with an account on a source configured with attribute synchronization are processed.
  - This is an abbreviated process which updates identity attribute values and applies the access required by their assigned lifecycle states. It also performs attribute sync for those identities.
- At 8:00 PM:
  - If your site has any roles implemented, all identities are automatically processed.
  - If you have no roles defined, identities are processed based on their identity profile. If any of its identity attributes are marked as requiring a periodic refresh, those identities are processed.
  - This executes all the actions of the event-based processing for these identities. However, for best system performance, it computes the identity attribute mapping for all identities in these profiles but only reexamines user access data (roles and lifecycle state-driven access) for identities whose identity data changes.
- The scheduled processing jobs are queued for execution at the specified times. Other queued or in-progress operations may delay the job start.
- Times are based on your site's configured timezone (default CST/CDT).
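The following added example (not SailPoint code) models the scheduled-run rules above to estimate how long a time-based lifecycle change, such as a termination date passing, can go unenforced when no aggregation or provisioning event touches the identity. The `Identity` fields, the state names `active`/`inactive`, and the use of naive datetimes in the tenant's local wall-clock time are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

RUN_TIMES = (time(8, 0), time(20, 0))  # scheduled runs, tenant-local wall clock


@dataclass
class Identity:                        # hypothetical model, not an IdentityNow object
    name: str
    termination: datetime              # tenant-local time the transform compares against
    on_attr_sync_source: bool          # has an account on a source with attribute sync
    profile_periodic_refresh: bool     # profile has an attribute marked for periodic refresh


def lifecycle_state(identity: Identity, now: datetime) -> str:
    """Time-based transform: the value flips with no aggregation event."""
    return "inactive" if now >= identity.termination else "active"


def run_processes(identity: Identity, run: datetime, tenant_has_roles: bool) -> bool:
    """Does the scheduled run starting at `run` include this identity?"""
    if run.time() == RUN_TIMES[0]:     # 8:00 AM abbreviated run
        return identity.on_attr_sync_source
    # 8:00 PM run: everyone if roles exist, else periodic-refresh profiles only
    return tenant_has_roles or identity.profile_periodic_refresh


def next_enforcement(identity: Identity, tenant_has_roles: bool) -> Optional[datetime]:
    """Earliest scheduled run at or after termination that processes the identity."""
    day = identity.termination.date()
    for offset in range(2):            # same day and next day cover every case
        for t in RUN_TIMES:
            run = datetime.combine(day + timedelta(days=offset), t)
            if run >= identity.termination and run_processes(identity, run, tenant_has_roles):
                return run
    return None                        # no scheduled run picks this identity up


def stale_access_window(identity: Identity, tenant_has_roles: bool) -> Optional[timedelta]:
    """Minimum time the old lifecycle state's access persists after termination."""
    run = next_enforcement(identity, tenant_has_roles)
    return None if run is None else run - identity.termination


if __name__ == "__main__":
    # Constructed sample: terminated at 8:30 PM, only the 8:00 PM run applies.
    sample = Identity("sample.user", datetime(2024, 3, 1, 20, 30), False, True)
    print(sample.name, stale_access_window(sample, tenant_has_roles=False))
```

The result is a lower bound: queued or in-progress operations can delay a scheduled job, and an aggregation or provisioning event that modifies the identity triggers processing sooner.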
When you create or edit identity profiles, you will be prompted to Apply Changes to your identities.
Likewise, when you make changes to Roles or Access Profiles, you can select Apply Changes to enforce those changes to your identities' access. For customers who have implemented Password Management with IdentityNow, the Applications page also contains an Apply Changes option.
Select Apply Changes to manually start identity processing. This performs the actions described in event-based processing for the affected identities:
- From the identity profile, this runs for all identities associated with that profile.
- From the role, access profile, and application pages, this runs for all identities.
These processes are time- and resource-intensive. For best results:
- Save and preview your identity profile changes to verify the expected results before selecting Apply Changes.
- Complete all desired role, access profile, and application changes before selecting Apply Changes to recalculate membership and access for all of those at once.
Monitoring Identity Processing
When IdentityNow is running identity processing and analyzing a large amount of identity data, you may be temporarily blocked from changing identity profile, source, and application configurations.
A banner stating Processing identity data displays on those configuration pages.
You can monitor the running process by selecting View on the banner or by going to Admin Dashboard > Monitor.
Confirming Identity Update Status
Identity data shows when each user was last updated in IdentityNow.
- In the Admin interface, go to Identities > Identity List and select the user's name.
- In the Details tab, the Last Updated row shows the last time their identity data was updated.