Updating Identity Data
When changes occur to identity data or access model configurations (identity profiles, roles, access profiles), corresponding access for your identities may also need to change. These changes happen through the identity refresh process, which can be initiated in response to events, scheduled, or executed manually.
- Event-based updates immediately process identity data for identities changed during an aggregation and for identities modified in provisioning actions.
- Scheduled updates occur every morning and/or evening for identities that meet their requirements.
- Manual updates can be initiated following changes to configurations like role definitions or identity attribute mappings.
When an aggregation or provisioning process modifies an identity, that event initiates an identity refresh to automatically analyze the identity to make sure the rest of their data is accurate.
The refresh performs these changes:
- Updates identity attributes according to the identity profile mappings.
- Updates the identity’s access according to their assigned lifecycle state.
- Updates the identity’s access based on role assignment criteria.
- Determines the identity’s correct manager through manager correlation.
IdentityNow performs a twice-daily scheduled refresh of identities to ensure identity data and system configurations are in sync.
- At 8:00 AM:
  - Only identities with an account on a source configured with attribute synchronization are refreshed.
  - This runs an abbreviated refresh, which updates identity attribute values and applies the access required by their assigned lifecycle states. It also performs attribute sync for those identities.
- At 8:00 PM:
  - If your site has any roles implemented, all identities are automatically refreshed.
  - If you have no roles defined, identities are refreshed based on their identity profile. If any of a profile's identity attributes are marked as requiring a periodic refresh, the identities in that profile are refreshed.
  - This executes all the actions of the event-based updates except manager correlation for these identities.
The lifecycle state attribute is commonly calculated with a transform that compares the current date to a hire date or termination date attribute. This transform would be configured to require a periodic refresh.
- The scheduled refresh jobs are queued for execution at the specified times. Other queued or in-progress operations may delay the job start.
- Times are based on your site's configured timezone (default CST/CDT).
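The scheduling rules above determine how long a date-driven lifecycle state can lag behind the calendar. The following Python model is an added example, not SailPoint code: it applies the 8:00 AM and 8:00 PM selection rules in site-local time and finds the earliest scheduled refresh that would pick up a termination date that has just passed. The identity fields `attr_sync_source` and `profile_periodic_refresh`, the function names, and the date rule in `computed_state` are hypothetical.

```python
from datetime import datetime, time, timedelta

MORNING = time(8, 0)    # abbreviated refresh: attributes, lifecycle access, attribute sync
EVENING = time(20, 0)   # full scheduled refresh, minus manager correlation

def computed_state(now, termination_date):
    """Stand-in for a date-comparison lifecycle transform (hypothetical rule)."""
    return "inactive" if now >= termination_date else "active"

def included(slot, identity, site_has_roles):
    """Apply the page's selection rules for each scheduled slot."""
    if slot == MORNING:
        return identity["attr_sync_source"]
    return site_has_roles or identity["profile_periodic_refresh"]

def next_scheduled_refresh(after, identity, site_has_roles):
    """Earliest scheduled slot strictly after `after` that covers this identity.
    Times are naive datetimes in the site's configured timezone. Returns None
    when no scheduled job covers the identity. Queued work can delay the real
    start, so the result is a lower bound."""
    for day_offset in (0, 1):
        day = after.date() + timedelta(days=day_offset)
        for slot in (MORNING, EVENING):
            candidate = datetime.combine(day, slot)
            if candidate > after and included(slot, identity, site_has_roles):
                return candidate
    return None

def stored_state(now, termination_date, identity, site_has_roles):
    """State held on the identity, assuming only scheduled refreshes touch it."""
    if now < termination_date:
        return "active"
    refresh = next_scheduled_refresh(termination_date, identity, site_has_roles)
    if refresh is None or now < refresh:
        return "active"          # stale: calendar says inactive, identity does not
    return computed_state(refresh, termination_date)

if __name__ == "__main__":
    # Constructed sample: termination date passes at midnight, site-local time.
    term = datetime(2024, 3, 1, 0, 0)
    samples = {
        "sync source": {"attr_sync_source": True, "profile_periodic_refresh": False},
        "periodic profile": {"attr_sync_source": False, "profile_periodic_refresh": True},
        "neither": {"attr_sync_source": False, "profile_periodic_refresh": False},
    }
    for name, ident in samples.items():
        nxt = next_scheduled_refresh(term, ident, site_has_roles=False)
        print(name, "->", nxt, "lag:", None if nxt is None else nxt - term)
```

In the "neither" case no scheduled job covers the identity, so the stored lifecycle state changes only through an event-based or manual update.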
When you create or edit identity profiles, you will be prompted to update your identities. You can also update identities when you change role configurations.
Select Update to manually start a refresh. This performs the actions described in event-based updates for the affected identities:
- The identity profile update runs for all identities associated with the identity profile.
- The role update runs for all identities since any identity can be impacted by role changes.
These processes are time- and resource-intensive. For best results:
- Save and preview your identity profile changes to verify the expected results before selecting Update.
- Complete all desired role changes before selecting Update to recalculate membership and access for all roles at once.
Monitoring Identity Updates
When IdentityNow is refreshing and analyzing a large amount of identity data, you may be temporarily blocked from changing identity profile, source, and application configurations.
A banner stating "Identity data is updating" displays on those configuration pages.
You can monitor the running process by selecting View or by going to Admin Dashboard > Monitor.
Confirming Identity Update Status
Identity data shows when each user was last updated in IdentityNow.
- In the Admin interface, go to Identities > Identity List and select the user's name.
- In the Details tab, the Last Updated row shows the last time their identity data was updated.