
Processing Identity Data

When changes occur to identity data or access model configurations (identity profiles, roles, access profiles, or applications), corresponding access for your identities may also need to change. These changes happen through identity processing, which can be initiated in response to events, scheduled, or executed manually.

  • Event-based processing immediately processes identity data for identities changed during an aggregation and for identities modified in provisioning actions.
  • Scheduled processing occurs every morning and evening for identities that meet the requirements.
  • Manual processing can be initiated following changes to configurations like role definitions or identity attribute mappings.

These actions were previously performed by the process known as an identity refresh.

Event-Based Processing

When an aggregation or provisioning process modifies an identity, that event initiates identity processing to automatically analyze the identity to make sure the rest of their data is accurate.

If the identity's data is out of sync with the configurations, identity processing makes these changes:

  1. Updates identity attributes according to the identity profile mappings.
  2. Determines the identity’s correct manager through manager correlation.
  3. Updates the identity’s access according to their assigned lifecycle state.
  4. Updates the identity’s access based on role assignment criteria.

Scheduled Processing

Most identities are kept up to date by event-based identity processing. However, in some identity profiles, identity attributes are calculated through rules or transforms that compute values based on time, rather than just on aggregated data.

Example

The lifecycle state attribute is commonly calculated with a transform that compares the current date to a hire date or termination date attribute.

Scheduled identity processing runs twice daily, at 8:00 AM and 8:00 PM in the tenant's configured time zone (default CST/CDT).

  • At 8:00 AM:
    • Active and Inactive (short-term) identities with an account on a source configured with attribute synchronization are processed.
    • This is an abbreviated process which updates identity attribute values and applies the access required by their assigned lifecycle states. It does not perform bulk attribute sync for these identities.
  • At 8:00 PM:
    • If your site has any roles implemented, Active and Inactive (short-term) identities are automatically processed.
    • If you have no roles defined, identities are processed based on their identity profile. If any of its identity attributes are marked as requiring a periodic refresh, Active and Inactive (short-term) identities are processed.
    • This executes all the actions of the event-based processing for these identities. However, for best system performance, it computes the identity attribute mapping for all identities in these profiles but only reexamines user access data (roles and lifecycle state-driven access) for identities whose identity data changes.

    Notes

    • The scheduled processing jobs are queued for execution at the specified times. Other queued or in-progress operations may delay the job start.
    • Times are based on your site's configured time zone (default CST/CDT).
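The schedule rules above determine how long a time-based change, such as a termination date being reached, can wait before the lifecycle state is recalculated when no aggregation or provisioning event touches the identity. The following is an added example, not code from the product or its documentation, that applies those rules to find the earliest scheduled job covering one identity. The dictionary keys (`state`, `attr_sync_source`, `periodic_refresh`) and the function names are hypothetical.

```python
from datetime import datetime, time, timedelta
from zoneinfo import ZoneInfo

MORNING, EVENING = time(8, 0), time(20, 0)
PROCESSED_STATES = {"Active", "Inactive (short-term)"}  # as named on this page


def run_covers(run_time, ident, tenant_has_roles):
    """Apply the page's rules for which identities each scheduled job processes.

    `ident` keys (state, attr_sync_source, periodic_refresh) are hypothetical.
    """
    if ident["state"] not in PROCESSED_STATES:
        return False
    if run_time == MORNING:
        # 8:00 AM: only identities with an account on an attribute-sync source
        return ident["attr_sync_source"]
    # 8:00 PM: any roles in the tenant, else a profile attribute flagged for periodic refresh
    return tenant_has_roles or ident["periodic_refresh"]


def next_scheduled_run(after, ident, tenant_has_roles, tz):
    """Earliest scheduled job after `after` (aware datetime) covering `ident`, or None.

    The job is only queued at this time, so treat the result as a lower bound.
    """
    local = after.astimezone(tz)
    for offset in (0, 1):  # today and tomorrow in tenant-local time
        day = (local + timedelta(days=offset)).date()
        for run_time in (MORNING, EVENING):
            candidate = datetime.combine(day, run_time, tzinfo=tz)
            if candidate > after and run_covers(run_time, ident, tenant_has_roles):
                return candidate
    return None


if __name__ == "__main__":
    tz = ZoneInfo("America/Chicago")  # the default CST/CDT tenant time zone
    # Constructed case: a termination date is reached at 9:30 PM local time
    reached = datetime(2024, 6, 3, 21, 30, tzinfo=tz)
    ident = {"state": "Active", "attr_sync_source": False, "periodic_refresh": False}
    run = next_scheduled_run(reached, ident, tenant_has_roles=True, tz=tz)
    print("recalculated no earlier than", run, "lag", run - reached)
```

A result of `None` means neither scheduled job covers the identity, so its time-based attributes change only through event-based or manual processing.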

Manual Processing

When you create or edit identity profiles, roles, or access profiles, you must manually initiate identity processing to update your identities. This is required to apply your access model updates to your identities and recalculate access requirements, even when the identities have not changed. You can also initiate identity processing for selected identities.

Manual Processing for All Identities

To manually start identity processing, select Apply Changes on an identity profile or on the role, access profile, or application list pages.

A banner above an identity profile warns 'Recent changes need to be applied through identity processing' and has an Apply Changes button.

This performs the actions described in event-based processing for the affected identities:

  • From the role, access profile, and application pages, this runs for Active and Inactive (short-term) identities.
  • From the identity profile, this runs for identities associated with that profile.

Best Practice

These processes are time- and resource-intensive. For best results:

  • Complete all desired role, access profile, and application changes before selecting Apply Changes to recalculate membership and access for all of those at once.
  • Save and preview your identity profile changes to verify the expected results before selecting Apply Changes.

When you select Apply Changes for roles, access profiles, or applications, you can select Review recent configuration changes before you initiate the job. This will open a pre-defined search showing changes made since manual identity processing was last initiated for all identities through the role, access profile, and application pages. This can help you anticipate the impact of the identity processing job you are initiating.

Manually Processing for Select Identities

You can also initiate identity processing for a set of identities.

  1. Go to Admin > Identity Management > Identities and find the identity you want to process.
  2. Select Actions > Process Identity.

This performs the actions described in event-based processing for the affected identity.

To process multiple identities, select the checkboxes next to the identities you want to process, select the Actions menu, and choose Process Identities.

Monitoring Identity Processing

When identity processing is executing, you can go to Admin > Dashboards > Monitor to monitor the running process in the Active Jobs list.

You can also use Search to review audit records of identity processing jobs initiated with Apply Changes. Use this query to see the start and end records for each execution:

    name:"Manual Identity Processing Started" OR name:"Manual Identity Processing Passed"
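Once the results of that query are exported, start and end records can be paired to show how long each Apply Changes run took and which starts have no end record. The following is an added example, not part of the product or its documentation. The record layout (a `name` and an ISO-8601 `created` field) and the sample records are constructed assumptions, and runs are assumed not to overlap.

```python
from datetime import datetime

STARTED = "Manual Identity Processing Started"
PASSED = "Manual Identity Processing Passed"

# Constructed sample records; the "created" field name and layout are assumptions
SAMPLE = [
    {"name": STARTED, "created": "2024-05-01T14:00:05Z"},
    {"name": PASSED, "created": "2024-05-01T14:42:17Z"},
    {"name": STARTED, "created": "2024-05-02T09:15:00Z"},  # no end record follows
    {"name": STARTED, "created": "2024-05-03T16:30:00Z"},
    {"name": PASSED, "created": "2024-05-03T17:01:30Z"},
]


def pair_runs(records):
    """Pair each start with the next end record.

    Returns (completed, unfinished): completed holds (start, end, duration)
    tuples, unfinished holds start times that never got a "Passed" record.
    """
    events = sorted(
        (datetime.fromisoformat(r["created"].replace("Z", "+00:00")), r["name"])
        for r in records
        if r["name"] in (STARTED, PASSED)
    )
    completed, unfinished, open_start = [], [], None
    for ts, name in events:
        if name == STARTED:
            if open_start is not None:  # previous start was never closed
                unfinished.append(open_start)
            open_start = ts
        elif open_start is not None:
            completed.append((open_start, ts, ts - open_start))
            open_start = None
    if open_start is not None:
        unfinished.append(open_start)
    return completed, unfinished


if __name__ == "__main__":
    done, pending = pair_runs(SAMPLE)
    for start, end, duration in done:
        print(f"run {start.isoformat()} finished in {duration}")
    for start in pending:
        print(f"run {start.isoformat()} has no end record; check the Active Jobs list")
```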

Confirming Identity Update Status

Identity data shows when each user was last updated in IdentityNow.

  1. Go to Admin > Identity Management > Identities and select an identity.
  2. In the Details tab, view the Modified date to determine when the identity was updated.