Managing Sources Overview

A source is the Identity Security Cloud representation of a third-party application, database, or directory management system that maintains its own set of user accounts or personnel records. Identity Security Cloud uses connectors to collect user accounts and access rights from those systems and associate them to the source definition.

Multi-Host groups can be used for bulk source creation of infrastructure components and server configuration.

Viewing Source Details

After you have configured a source and loaded account data, you can view or edit a source's details.

To view a list of sources configured by your organization, go to Admin > Connections > Sources. You can search the list by name or description, or filter the list by connection type, source owner, warnings, and more. If there are warnings or statuses, you may be able to select them for more information.

The default view of the sources list is the table view. Select Cards to display source details in a card view.

From the sources list, you can view:

• Source type - The type of data provided by the source. For a list of source types, refer to the SailPoint Connector documentation.

• Connection type - The method used to add the source to Identity Security Cloud. Sources can be added through a direct connection with an external system or through a flat file that a user imports. For more information on these connections, refer to Loading Account Data.

• Source Owner - The owner of the source. After you've configured a source, you must assign a source owner.

• Recommendations - If your organization uses Recommendations, you can view the status of source configuration recommendations. If you visit the source page with recommendations, the Ready state will be cleared until recommendations are refreshed.

To view governance group and connectivity information for a source, select Edit from the Actions menu or on a card:

• Governance Group for Source Management - The group used for granting users source role sub-admin level oversight of the source and its access.

• Additional connectivity details - Connectivity information such as URL, host, port, username, password, and more. This information varies by connector.

Viewing Accounts on a Source

To view which identities have accounts on a source, go Admin > Connections > Sources and select a source name.

If an identity is listed multiple times, this indicates that the identity has multiple accounts on this source. As a result, the identity may be able to access the application using any of these accounts, possibly with different types of access through each account.

This list may also contain uncorrelated accounts, which are accounts that have not been matched to an identity in your system.

Select Export to export details for all accounts on a source, including their entitlements. Sources with more than 100,000 accounts can't be exported.

Assigning a Source Owner

Sources must have a designated source owner who can complete provisioning and certifications tasks:

• Provisioning - For sources added using a flat file feed, source owners will receive notifications in their Task Manager when an account needs to be added, modified, or removed.

• Certifications - A source owner may be asked to review the access of people who have entitlements on a source. They may also receive tasks to remove entitlements that were revoked during certification campaigns.

To assign a source owner:

1. Go to Admin > Connections > Sources.
2. Select Edit from the Actions menu or card for the source you want to assign an owner to.
3. In the Source Owner dropdown field, enter the name of the user you want to assign as the source owner.
4. Select Save to add this user as the source owner.

The source owner will receive notifications of tasks they need to complete in their Task Manager.

Verifying Connectivity

You can check the following to ensure that your sources are working after an update:

Identity System Checks

• Check the Virtual Appliance Health.
• Validate that VA clusters have a status of Normal.
• Check the health of your sources:
  • Check the System Status dashboard for source errors.
  • Look for status banners on the source pages.
  • Edit a source and choose Test Connection in the Review and Test section.
  • Validate that user/group aggregations are functioning appropriately.

Verifying Provisioning

• Validate the role is providing the expected entitlements.

• Validate attribute synchronization operates as expected.

• Validate lifecycle state changes operate as expected.

Resetting Sources

You can remove data associated with a source from your system, including accounts, entitlements, and access profiles, without losing the source's configuration. For example, you may want to reload the data for a source after you've changed its schema. Rather than delete the source and start over, you can reset the source so it maintains its configuration, and then reload its data.

Note

You can reset one source at a time.

Before you reset a source, review the following table to understand how resetting a source can affect your data and what actions you may need to take after the reset.

Source Data Affected	System or User Behavior	Post-Aggregation
Connected Identity Profile	The identity profile is not deleted, but all identities are deleted from it. If the identity also exists on another authoritative source, it will temporarily become an identity on that source.	Identities are recreated. If an identity was temporarily moved to a different identity profile, it will be reconnected to the original source.
Identity Profiles with Required Attributes Mapped to the Source	If mappings are on required attributes, those accounts become uncorrelated.	Accounts become correlated.
Identity Profiles with Attributes Mapped to the Source	Associated attributes are temporarily removed from the related identities. Note: Attributes that are mapped to transforms that reference this source are also temporarily removed.	The attributes and their values appear correctly.
Source Owners from the Source	If any of the identities on the source you are resetting are source owners of any source, you will not be able to reset the source. Choose a new source owner for that source and try again.	Reassign the previous source owner as needed.
App Owners from the Source	The app owner field on the app is cleared.	You must reassign the app owner.
Entitlements	Entitlements are cleared.	Entitlements are reloaded.
Access Profiles	Access profiles are deleted.	You must recreate any access profiles needed for provisioning.
Accounts Correlated to Identities	Source accounts that were correlated to your identities are removed.	The new correlation configuration is applied to your current identities. Account sources might be reassigned based on these changes.

Aggregations and Source Resets

• A source reset will fail if an aggregation is in progress.

• Aggregation schedules are retained after a reset.

• You must disable delta aggregations for JDBC, Lotus Domino, and SAP HR before resetting these sources. After executing a full aggregation, you can reinstate the delta aggregation configurations.

• For Active Directory and SharePoint, delta aggregations can remain in place, and schedules associated with aggregation still apply. Identity Security Cloud will run one full aggregation before resuming delta aggregation for these sources.

Resetting a Source

To reset a source, you will remove accounts and entitlements from a source using the REST API. API calls require the appropriate authentication.

Alternatively, you can delete a source if you no longer need to maintain it.

To remove accounts from a source using the REST API:

1. Go to Admin > Connections > Sources and select the source you want to reset.

   The cloud source ID is displayed at the end of the URL in your browser address. The source ID is also known as the front-end ID for a source.

2. Make note of the source ID, as you'll need to refer to it in the next step.

3. Use your preferred tool to call the following API:

   POST https://<tenant>.api.identitynow.com/beta/sources/<:id>/remove-accounts

   where

   <tenant> is the URL for your Identity Security Cloud tenant.

   <:id> is the ID of the source your accounts will be removed on.

The call removes all accounts from the source. Entitlements may also be removed, if required, as a separate operation. To remove entitlements from a source refer to removing entitlements from a source.

To remove entitlements from a source using the REST API:

1. Go to Admin > Connections > Sources and select the source you want to reset.

   The cloud source ID is displayed at the end of the URL in your browser address. The source ID is also known as the front-end ID for a source.

2. Make note of the source ID, as you'll need to refer to it in the next step.

3. Use your preferred tool to call the following API:

   POST https://<tenant>.api.identitynow.com/beta/entitlements/reset/sources/<:id>

   where

   <tenant> is the URL for your Identity Security Cloud tenant.

   <:id> is the ID of the source your entitlements will be removed on.

The call removes all entitlements and access profiles from the source. Run an account aggregation and entitlement aggregation to add accounts and entitlements to the source.

Deleting Sources

Before you can delete a source, you'll need to remove all connections to that source including:

• Identity profiles associated with the source.
• Apps connected to the source.
• References to the source in a transform.

Note

If the source is used to authenticate logins to Identity Security Cloud through pass-through authentication, you must configure an alternative authentication process (source) prior to deleting the source.

Tip

To see a comprehensive list of connections to a source, including the virtual appliance, identity profiles, apps, and SaaS Management connection, select the Connections tab for the source.

Removing Identity Profiles from a Source

Before you delete an identity profile, it's important to understand the implications of doing so. For example, in addition to deleting identities, the accounts on the related source become uncorrelated unless another identity profile in your system also owns those accounts.

Prerequisite: Before deleting an identity profile, verify that associated identities are not source or app owners. If they are, you won't be able to delete the identity profile until those connections are removed.

To view the identity profiles on a source:

1. Go to Admin > Connections > Sources and select the source you want to review.

2. Select the Connections tab. If the source is connected to an identity profile, the name of the profile is displayed under Identity Profile along with the number of identities that came from the source using that identity profile.

   

3. Select the name of the identity profile to view additional details about it and to verify that deleting it will not pose any problems.

To delete a source's associated identity profile:

1. Go to Admin > Identity Management > Identity Profiles.

   

2. Select Actions > Delete Identity Profile for the identity profile you want to delete.

3. In the confirmation window, select Delete.

Removing App Connections from a Source

Before you remove an app from a source, it's important to understand the implications of doing so. Removing an app from a source affects users' ability to use those applications. You must select a replacement source for the application before you remove the current source.

1. Go to Admin > Connections > Sources and select the source you want to review.

2. Select the Connections tab and choose the app from the Applications section to view additional details about it before removing it from the source.

3. When you understand the impact of removing the app from the source, go to Admin > Applications and select the app you want to edit.

4. In the Account Source section of the Configuration tab, use the Select Source dropdown list to select the new source for the app to use in place of the one you are preparing to delete.

   

   Note

   The Account Source section only displays when Admin (IT) is selected for App Accounts Created By.

5. Complete your configuration and select Save to update Identity Security Cloud with your changes.

After you've removed all connections to the source, run an aggregation for the source. When the aggregation process completes, you can delete the source.

Note

You cannot delete a source while identity data is being processed, even if the data isn't connected to the source you want to delete.

Deleting a Source

Before you delete a source, you must remove all references to that source from identity profiles and applications. You can delete a source on the Sources list page or from the Source Configuration page, or by using the Identity Security Cloud REST API. Refer to the Delete Source API documentation on the Developer Community for more information on the API call.

To delete from the Sources list page:

1. Go to Admin > Connections > Sources.

2. Select Actions > Delete for the source you want to delete.

3. Select Continue on the confirmation message to delete the source.

   If the source is still in use, an error will display.

   

   Tip

   You will see more details about the places where the source is in use if you try to delete it from the source details page.

To delete from the Source details page:

1. Go to Admin > Connections > Sources.

2. Select the source you want to delete.

3. Select Delete Source.

   If the source is still in use, a list of items connected to the source displays. You must remove these connections before you can successfully delete the source.

   

4. If the source is not in use, select Continue on the confirmation message to delete the source and its related data.

   

   Note

   The appearance of this message may differ slightly depending on the type of source selected.

Source Status Messages

You can view source status information in:

• The alert icon in both the Sources panel of the System Status and the list of sources.

• The email notification from Identity Security Cloud, if you have enabled email notifications for your sources.

• A banner on the source's page.

You can select the source to see the banner at the top of the source's configuration. This banner contains more information about the problem your source is experiencing. Use the following table to troubleshoot source errors:

Banner Text	Source Type	Suggested Solutions
VA cluster failing for <time>	Direct Connect	The virtual appliance connected to this source is down or having problems. Verify that your network and servers aren't under maintenance. Verify that the virtual appliance associated with this source is running, is not offline or configuring, and that it is visible from the virtual appliances list. If this does not solve your problem, please contact SailPoint.
Target system failing for <time>	Direct Connect	The virtual appliance connected to this source works, but the source may be unreachable. Your service credentials might have been disabled or expired, there may be high network latency, or other network routing issues. Verify that your network and servers aren't under maintenance. Verify that your credentials are valid under Connection Credentials. Verify that the hostname is still accurate under Server Host. Try testing the connection manually by selecting Test Connection. If this does not solve your problem, please contact SailPoint.
Loss of VA cluster communication for <time>	Direct Connect	The virtual appliance connected to this source is down or having problems. Verify that your network and servers aren't under maintenance. Verify that the virtual appliance associated with this source is running, is not offline or configuring, and that it is visible from the virtual appliances list. If this does not solve your problem, please contact SailPoint.
Account file import failed	Flat File	An admin tried to upload an account file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload.
Entitlement file import failed	Flat File	An admin tried to upload an entitlement file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload.
Uncorrelated accounts file import failed	Flat File	An admin tried to upload an uncorrelated accounts file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload.
Source config is incomplete, please add accounts	Flat File and Direct Connect	This is not an error state, but an informational banner. For direct connect sources, the system is not health-checking the source. Run or schedule an aggregation to load accounts. For flat file sources, no file has been uploaded. Upload a file to load accounts.
Unhealthy for <time>.	Flat File and Direct Connect	Your source might have lost connectivity to IQService. This affects any provisioning and password reset activities. Check your configuration to IQService, make sure IQService is running, and make sure that network settings are valid. Your source might have failed due to a bad or expired password. All aggregation, provisioning, authentication, and password related activities will fail until this is fixed. Please check your password in the Connection Credentials panel of the source configuration. Your source might be getting a network timeout during aggregation. Check your configuration settings, including the network connections between the VA and the source system. You might have lost connectivity during planned maintenance on a cloud source system. This affects aggregations until the system becomes active again. Check the source system's notifications for more information.
Healthy for <time>.	Flat File and Direct Connect	This source is healthy and no action is necessary.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.