Skip to content

Managing Sources Overview

A source is the IdentityNow representation of a third-party application, database, or directory management system that maintains its own set of user accounts or personnel records. IdentityNow uses connectors to collect user accounts and access rights from those systems and associate them to the source definition.

Viewing Source Details

After you have configured a source and loaded account data into IdentityNow, you may need to view or make changes to a source's details.

To access the source list, go to Admin > Connections > Sources. This is a list of all sources configured by your organization. You can search the list by name or description or filter the list by connection type and source owner.

The default view of the source list is the table view. Each row contains information about the source based on the customizable columns. If there are warnings or errors, you can select them in the Status column for more details. Select the the Actions menu to edit or delete the source.

Select Cards to switch to the card view. Each source card contains information about the source, including the name, description, source type, connection type, and source owner. If there are warnings or errors, you can select them on the source card for more details.

For Direct Connection sources, you can test the connection from the Actions menu on the table row or card, or you can delete the source. Select View for more details.

Select Edit to go to the source configuration page and review or update the following information about a source:

  • Source type - The type of data provided by the source. For a list of source types, refer to Supported Connectors for IdentityNow.

  • Connection type - The method used to add the source to IdentityNow. Sources can be added through a direct connection with an external system or through a flat file that a user imports into IdentityNow. For more information on these connections, refer to Loading Account Data.

  • Source Owner - The owner of the source. After you've configured a source, you can assign a source owner.

  • Governance Group - The group used for granting users source role sub-admin level oversight of the source and its access.

  • Additional connectivity details - Connectivity information such as URL, host, port, username, password, and more. This information varies by connector.

You can also view the account schema for a source by selecting Import Data > Account Schema. From this page, you can add, edit, or delete attributes.

Viewing Accounts on a Source

You can view which identities have accounts on a source in its Accounts tab.

  1. Go to Admin > Connections > Sources.

  2. Select the source you want to review.

  3. Select the Accounts tab to display a count and list of accounts on the source.

    Notes

    • If an identity is listed multiple times, this indicates that the identity has multiple accounts on this source. As a result, the identity may be able to access the application using any of these accounts, possibly with different types of access through each account.
    • This list may also contain uncorrelated accounts. These accounts have not been matched to an identity on the Identities page.

    Select CSV to export a list of the details for all the accounts on a source, including their entitlements.

    Note

    Sources with more than 100,000 accounts can't be exported.

  4. Select a user's name to view the identity's details.

Assigning a Source Owner

IdentityNow requires the selection of an owner for each source. This user is known as a source owner.

A source owner may complete specific tasks for the following IdentityNow services:

  • Provisioning - For sources that are not direct-connect, source owners will receive notifications in their Task Manager when an account needs to be added, modified, or removed.

  • Certifications - A source owner may be asked to review the access of people who have entitlements on a source. They may also receive tasks to remove entitlements that were revoked during certification campaigns.

To assign a source owner:

  1. Go to Admin > Connections > Sources.

  2. Select Edit on the Source table row or card of the source you want to assign an owner to.

  3. In the Source Owner section of the Edit Configuration tab, enter the name of the user you want to assign as the source owner.

  4. Select Save to add this user as the source owner.

The new source owner will receive notifications of tasks they need to complete in their Task Manager.

Verifying Connectivity

You can check the following to ensure that your sources are working after an update:

Identity System Checks

  • Check the Virtual Appliance Health.
  • Validate that VA clusters have a status of Normal.
  • Check the health of your sources:
    • Check the System Status dashboard for source errors.
    • Look for status banners on the source pages.
    • If you go to a source and select Test Connection, you see the Connected message.
    • Validate that user/group aggregations are functioning appropriately.

Verifying Provisioning

Resetting Sources

You can remove all data associated with the source from IdentityNow, including accounts, entitlements, and access profiles, without losing the source's configuration. For example, you may want to reload the data for a source after you've changed its schema. Rather than delete the source and start over, you can reset the source, so it maintains its configuration, and then reload its data.

Before you reset a source, review the following table to understand how resetting a source can affect your data and what actions you may need to take after the reset.

Source Data Affected System or User Behavior Post-Aggregation
Connected Identity Profile The identity profile is not deleted, but all identities are deleted from it. If the identity also exists on another authoritative source, it will temporarily become an identity on that source. Identities are recreated.
If an identity was temporarily moved to a different identity profile, it will be reconnected to the original source.
Identity Profiles with Required Attributes Mapped to the Source If mappings are on required attributes, those accounts become uncorrelated. Accounts become correlated.
Identity Profiles with Attributes Mapped to the Source Associated attributes are temporarily removed from the related identities.

Note: Attributes that are mapped to transforms that reference this source are also temporarily removed.		 The attributes and their values appear correctly.
Source Owners from the Source If any of the identities on the source you are resetting are source owners of any source, you will not be able to reset the source. Choose a new source owner for that source and try again. Reassign the previous source owner as needed.
App Owners from the Source The app owner field on the app is cleared. You must reassign the app owner.
Entitlements Entitlements are cleared. Entitlements are reloaded.
Access Profiles Access profiles are deleted. You must recreate any access profiles needed for provisioning.
Accounts Correlated to Identities Source accounts that were correlated to your identities are removed. The new correlation configuration is applied to your current identities. Account sources might be reassigned based on these changes.

Notes

  • You can reset one source at a time.
  • A reset will fail if an aggregation is in progress. Reset the source when aggregation has completed.
  • Aggregation schedules are retained through a reset.
  • You must disable delta aggregations for JDBC, Lotus Domino, and SAP HR before resetting these sources. After executing a full aggregation, you can reinstate the delta aggregation configurations.
  • For Active Directory and SharePoint, delta aggregations can remain in place, and any schedules associated with aggregation still apply. IdentityNow runs one full aggregation before resuming delta aggregation for these sources.

Resetting a Source

To reset a source, you'll need to open a Support ticket or use the IdentityNow REST API.

To reset a source using the IdentityNow REST API:

  1. Sign into your org as an administrator.

  2. Go to Admin > Connections > Sources and select the source you want to reset.

    The cloud source ID is displayed at the end of the URL in your browser address. The source ID is also known as the front-end ID for a source.

  3. Make note of the source ID, as you'll need to refer to it in the next step.

  4. Use your preferred tool to call the following API:

    POST https://<tenant>.api.identitynow.com/cc/api/source/reset/<cloudSourceId>

    where

    <tenant> is the URL for the IdentityNow org.

    <cloudExternalId> is the ID of the source you want to reset.

The call removes all accounts and entitlements from the source, allowing you to aggregate new data.

You can selectively delete accounts or entitlements and access profiles by adding ?skip=accounts or ?skip=entitlements to the API call's URL. If you choose to skip accounts, all account data remains. If you choose to skip entitlements, all entitlements and access profiles remain.

Note

This call will require the appropriate authentication/authorization.

Alternatively, if you no longer need to maintain the source in IdentityNow, you can completely remove it by deleting the source.

Deleting Sources

Before you can delete a source, you'll need to successfully remove all connections to that source including:

Note

If the source is used to authenticate logins to IdentityNow through pass-through authentication, you must configure an alternative authentication process (source) prior to deleting the source.

Tip

To see a comprehensive list of connections to a source, including the virtual appliance, identity profiles, apps, and SaaS Management connection, select the Connections tab for the source.

Removing Identity Profiles from a Source

Before you delete an identity profile, it's important to understand the implications of doing so. For example, in addition to deleting identities, the accounts on the related source become uncorrelated unless another identity profile in your system also owns those accounts.

Prerequisite: Before deleting an identity profile, verify that associated identities are not source or app owners. If they are, you won't be able to delete the identity profile until those connections are removed.

To view the identity profiles on a source:

  1. Go to Admin > Connections > Sources and select the source you want to review.

  2. Select the Connections tab. If the source is connected to an identity profile, the name of the profile is displayed under Identity Profile along with the number of identities that came from the source using that identity profile.

  3. Select the name of the identity profile to view additional details about it and to verify that deleting it will not pose any problems.

To delete a source's associated identity profile:

  1. Go to Admin > Identity Management > Identity Profiles.

  2. Select Actions > Delete Identity Profile for the identity profile you want to delete.

  3. In the confirmation window, select Delete.

Removing App Connections from a Source

Before you remove an app from a source, it's important to understand the implications of doing so. Removing an app from a source affects users' ability to use those applications. You must select a replacement source for the application before you remove the current source.

  1. Go to Admin > Connections > Sources and select the source you want to review.

  2. Select the Connections tab and choose the app from the Applications section to view additional details about it before removing it from the source.

  3. When you understand the impact of removing the app from the source, go to Admin > Applications and select the app you want to edit.

  4. In the Account Source section of the Configuration tab, use the Select Source dropdown list to select the new source for the app to use in place of the one you are preparing to delete.

    Note

    The Account Source section only displays when Admin (IT) is selected for App Accounts Created By.

  5. Complete your configuration and select Save to update IdentityNow with your changes.

After you've removed all connections to the source, run an aggregation for the source. When the aggregation process completes, you can delete the source.

Note

IdentityNow doesn't allow you to delete a source while identity data is being processed, even if the data isn't connected to the source you want to delete.

Deleting a Source

Before you delete a source, you must remove all references to that source from identity profiles and applications. You can delete a source on the Sources list page or from the Source Configuration page, or by using the IdentityNow REST API. Refer to the Delete Source API documentation on the Developer Community for more information on the API call.

To delete from the Sources list page:

  1. Go to Admin > Connections > Sources.

  2. Select Actions > Delete for the source you want to delete.

  3. Select Continue on the confirmation message to delete the source.

    If the source is still in use, an error will display.

    Tip

    You will see more details about the places where the source is in use if you try to delete it from the source details page.

To delete from the Source details page:

  1. Go to Admin > Connections > Sources.

  2. Select the source you want to delete.

  3. Select Delete Source.

    If the source is still in use, a list of items connected to the source displays. You must remove these connections before you can successfully delete the source.

  4. If the source is not in use, select Continue on the confirmation message to delete the source and its related data.

    Note

    The appearance of this message may differ slightly depending on the type of source selected.

Source Status Messages

When one of your sources is having problems, IdentityNow notifies you by:

  • Displaying an alert icon in both the Sources panel of the System Status and the list of sources.

  • In the email notification IdentityNow sends you, if you have enabled email notifications for your sources.

  • By displaying a banner on the source's page.

Regardless of how you are notified, you can select the source to see the banner at the top of the source's configuration. This banner contains more information about the problem your source is experiencing. Use the following table to troubleshoot source errors:

Banner Text Source Type Suggested Solutions
VA cluster failing for <time> Direct Connect The virtual appliance connected to this source is down or having problems. Verify that your network and servers aren't under maintenance. Verify that the virtual appliance associated with this source is running, is not offline or configuring, and that it is visible from the virtual appliances list. If this does not solve your problem, please contact SailPoint.
Target system failing for <time> Direct Connect The virtual appliance connected to this source works, but the source may be unreachable. Your service credentials might have been disabled or expired, there may be high network latency, or other network routing issues. Verify that your network and servers aren't under maintenance. Verify that your credentials are valid under Connection Credentials. Verify that the hostname is still accurate under Server Host. Try testing the connection manually by selecting Test Connection. If this does not solve your problem, please contact SailPoint.
Loss of VA cluster communication for <time> Direct Connect The virtual appliance connected to this source is down or having problems. Verify that your network and servers aren't under maintenance. Verify that the virtual appliance associated with this source is running, is not offline or configuring, and that it is visible from the virtual appliances list. If this does not solve your problem, please contact SailPoint.
Account file import failed Flat File An admin tried to upload an account file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload.
Entitlement file import failed Flat File An admin tried to upload an entitlement file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload.
Uncorrelated accounts file import failed Flat File An admin tried to upload an uncorrelated accounts file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload.
Source config is incomplete, please add accounts Flat File and Direct Connect This is not an error state, but an informational banner. For direct connect sources, the system is not health-checking the source. Run or schedule an aggregation to load accounts. For flat file sources, no file has been uploaded. Upload a file to load accounts.
Unhealthy for <time>. Flat File and Direct Connect Your source might have lost connectivity to IQService. This affects any provisioning and password reset activities. Check your configuration to IQService, make sure IQService is running, and make sure that network settings are valid. Your source might have failed due to a bad or expired password. All aggregation, provisioning, authentication, and password related activities will fail until this is fixed. Please check your password in the Connection Credentials panel of the source configuration. Your source might be getting a network timeout during aggregation. Check your configuration settings, including the network connections between the VA and the source system. You might have lost connectivity during planned maintenance on a cloud source system. This affects aggregations until the system becomes active again. Check the source system's notifications for more information.
Healthy for <time>. Flat File and Direct Connect This source is healthy and no action is necessary.