Managing Sources Overview

A source is the Identity Security Cloud representation of a third-party application, database, or directory management system that maintains its own set of user accounts or personnel records. Identity Security Cloud uses connectors to collect user accounts and access rights from those systems and associate them to the source definition.

Multi-Host groups can be used for bulk source creation of infrastructure components and server configuration.

Viewing Source Details

After you have configured a source and loaded account data, you can view or edit a source's details.

To view a list of sources configured by your organization, go to Admin > Connections > Sources. You can search the list by name or description, or filter the list by connection type, source owner, warnings, and more. If there are warnings or statuses, you may be able to select them for more information.

The default view of the sources list is the table view. Select Cards to display source details in a card view.

From the sources list, you can view:

  • Source type - The type of data provided by the source. For a list of source types, refer to the SailPoint Connector documentation.

  • Connection type - The method used to add the source to Identity Security Cloud. Sources can be added through a direct connection with an external system or through a flat file that a user imports. For more information on these connections, refer to Loading Account Data.

  • Source Owner - The owner of the source. After you've configured a source, you must assign a source owner.

  • Recommendations - If your organization uses Recommendations, you can view the status of source configuration recommendations. If you visit the source page with recommendations, the Ready state will be cleared until recommendations are refreshed.

To view governance group and connectivity information for a source, select Edit from the Actions menu or on a card:

  • Governance Group for Source Management - The group used for granting users source role sub-admin level oversight of the source and its access.

  • Additional connectivity details - Connectivity information such as URL, host, port, username, password, and more. This information varies by connector.

Viewing Accounts on a Source

To view which identities have accounts on a source, go to Admin > Connections > Sources and select or edit a source.

In the Account Management section, select Accounts to view a list of the accounts on the source.

Select an account to view additional details.

The identity assigned to each correlated account is listed by default within the table. Select the Correlated filter at the top of the page to show only correlated accounts.

If an identity is listed multiple times, this indicates that the identity has multiple accounts on this source. As a result, the identity may be able to access the application using any of these accounts, possibly with different types of access through each account.

Uncorrelated accounts have (Uncorrelated) beside their identity name, indicating that while a shadow identity has been created for them, the account hasn't been correlated to an authoritative identity. Select the Uncorrelated filter to show only uncorrelated accounts, which are accounts that have not been matched to an identity in your system.

You can also take several actions on the accounts in this list by selecting the Actions icon beside the account.

  • Select Disable Account to disable the user's account on the source.
  • Select Aggregate Account to aggregate only this account data from this source.
  • Select Remove Account to remove this account from Identity Security Cloud. It will be re-aggregated during the next complete source aggregation unless it is removed from the source as well.

Select Export to export details for all accounts on a source, including their entitlements. Sources with more than 100,000 accounts can't be exported.

Assigning a Source Owner

Sources must have a designated source owner who can complete provisioning and certification tasks:

  • Provisioning - For sources added using a flat file feed, source owners will receive notifications in their Task Manager when an account needs to be added, modified, or removed.

  • Certifications - A source owner may be asked to review the access of people who have entitlements on a source. They may also receive tasks to remove entitlements that were revoked during certification campaigns.

Note

The source owner of the IdentityNow source can only be assigned using the Update Source (Partial) API.

To assign a source owner:

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to assign an owner to.
  3. In the Source Setup section, select Base Configuration.
  4. In the Source Owner dropdown field, enter the name of the user you want to assign as the source owner.
  5. Select Save to add this user as the source owner.

The source owner will receive notifications of tasks they need to complete in their Task Manager.

Notes

If a source owner is not assigned:

  • Access Request approvals are escalated to an Admin if there is a source owner in the approval schema.
  • Source Owner Certification Campaigns show an error.

Verifying Connectivity

You can check the following to ensure that your sources are working after an update:

Identity System Checks

  • Check the Virtual Appliance Health.
  • Validate that VA clusters have a status of Normal.
  • Check the health of your sources:
      • Check the System Status dashboard for source errors.
      • Look for status banners on the source pages.
      • Edit a source and choose Test Connection in the Review and Test section.
  • Validate that user/group aggregations are functioning appropriately.

Verifying Provisioning

Resetting Sources

You can remove data associated with a source from your system, including accounts, entitlements, and access profiles, without losing the source's configuration. For example, you may want to reload the data for a source after you've changed its schema. Rather than delete the source and start over, you can reset the source so it maintains its configuration, and then reload its data.

Note

You can reset one source at a time.

Before you reset a source, review the following table to understand how resetting a source can affect your data and what actions you may need to take after the reset.

| Source Data Affected | System or User Behavior | Post-Aggregation |
|---|---|---|
| Connected Identity Profile | The identity profile is not deleted, but all identities are deleted from it. If the identity also exists on another authoritative source, it will temporarily become an identity on that source. | Identities are recreated. If an identity was temporarily moved to a different identity profile, it will be reconnected to the original source. |
| Identity Profiles with Required Attributes Mapped to the Source | If mappings are on required attributes, those accounts become uncorrelated. | Accounts become correlated. |
| Identity Profiles with Attributes Mapped to the Source | Associated attributes are temporarily removed from the related identities. Note: Attributes that are mapped to transforms that reference this source are also temporarily removed. | The attributes and their values appear correctly. |
| Source Owners from the Source | If any of the identities on the source you are resetting are source owners of any source, you will not be able to reset the source. Choose a new source owner for that source and try again. | Reassign the previous source owner as needed. |
| App Owners from the Source | The app owner field on the app is cleared. | You must reassign the app owner. |
| Entitlements | Entitlements are cleared. | Entitlements are reloaded. |
| Access Profiles | Access profiles are deleted. | You must recreate any access profiles needed for provisioning. |
| Accounts Correlated to Identities | Source accounts that were correlated to your identities are removed. | The new correlation configuration is applied to your current identities. Account sources might be reassigned based on these changes. |

Aggregations and Source Resets

  • A source reset will fail if an aggregation is in progress.

  • Aggregation schedules are retained after a reset.

  • You must disable delta aggregations for JDBC, Lotus Domino, and SAP HR before resetting these sources. After executing a full aggregation, you can reinstate the delta aggregation configurations.

  • For Active Directory and SharePoint, delta aggregations can remain in place, and schedules associated with aggregation still apply. Identity Security Cloud will run one full aggregation before resuming delta aggregation for these sources.

Resetting a Source

To reset a source, you will remove accounts and entitlements from a source using the REST API. API calls require the appropriate authentication.

To reset your source, you will need the cloud source ID displayed at the end of the URL in your browser address.

Alternatively, you can delete a source if you no longer need to maintain it.

To remove accounts from a source using the REST API:

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source you want to remove accounts from.

  3. Make note of the cloud source ID, which is displayed at the end of the URL in your browser address.

  4. Use your preferred tool to call the following API:

    POST https://<tenant>.api.identitynow.com/beta/sources/<:id>/remove-accounts

    where

    <tenant> is the URL for your Identity Security Cloud tenant.

    <:id> is the ID of the source whose accounts will be removed.

The call removes all accounts from the source. Entitlements might also be removed, if required, as a separate operation. To remove them, refer to the procedure for removing entitlements from a source.

To remove entitlements from a source using the REST API:

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source you want to remove entitlements from.

  3. Make note of the cloud source ID, which is displayed at the end of the URL in your browser address.

  4. Use your preferred tool to call the following API:

    POST https://<tenant>.api.identitynow.com/beta/entitlements/reset/sources/<:id>

    where

    <tenant> is the URL for your Identity Security Cloud tenant.

    <:id> is the ID of the source whose entitlements will be removed.

The call removes all entitlements and access profiles from the source. Run an account aggregation and entitlement aggregation to add accounts and entitlements to the source.
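The reset procedure above, as an added example (not SailPoint's code): it refuses to proceed when a condition from "Aggregations and Source Resets" or the reset table applies, then builds the two POST calls in the order the page lists them and sends nothing unless dry_run is turned off. Bearer-token authentication, the ISC_TOKEN variable, the state flags, the ID character set, and the sample URL are assumptions.

```python
import os
import re
import urllib.request
from urllib.parse import urlparse

# Source types the page says need delta aggregation disabled before a reset.
DELTA_MUST_BE_DISABLED = {"JDBC", "Lotus Domino", "SAP HR"}
ID_PATTERN = re.compile(r"[A-Za-z0-9-]+")  # assumption: IDs use only these characters

def source_id_from_url(browser_url):
    """Return the last path segment of the source page URL, validated."""
    source_id = urlparse(browser_url).path.rstrip("/").rsplit("/", 1)[-1]
    if not ID_PATTERN.fullmatch(source_id):
        raise ValueError(f"unexpected source ID: {source_id!r}")
    return source_id

def reset_blockers(source_type, aggregation_running, delta_enabled,
                   has_source_owner_identities):
    """List the documented conditions that block or endanger a reset."""
    blockers = []
    if aggregation_running:
        blockers.append("aggregation in progress")
    if delta_enabled and source_type in DELTA_MUST_BE_DISABLED:
        blockers.append("disable delta aggregation first")
    if has_source_owner_identities:
        blockers.append("reassign source owners that live on this source")
    return blockers

def build_reset_requests(tenant, source_id, token):
    """Build the two POSTs from the page: remove accounts, then entitlements."""
    base = f"https://{tenant}.api.identitynow.com/beta"
    urls = [f"{base}/sources/{source_id}/remove-accounts",
            f"{base}/entitlements/reset/sources/{source_id}"]
    headers = {"Authorization": f"Bearer {token}"}  # assumption: bearer auth
    return [urllib.request.Request(u, method="POST", headers=headers)
            for u in urls]

def reset_source(tenant, browser_url, token, state, dry_run=True):
    """Check preconditions, then send (or, by default, only list) the calls."""
    blockers = reset_blockers(**state)
    if blockers:
        raise RuntimeError("reset refused: " + "; ".join(blockers))
    requests = build_reset_requests(tenant, source_id_from_url(browser_url), token)
    if not dry_run:
        for req in requests:
            with urllib.request.urlopen(req, timeout=30) as resp:
                print(req.full_url, resp.status)
    return [req.full_url for req in requests]

if __name__ == "__main__":
    # Constructed sample values; the token comes from the environment.
    state = dict(source_type="Active Directory", aggregation_running=False,
                 delta_enabled=True, has_source_owner_identities=False)
    print(reset_source("example-tenant",
                       "https://example-tenant.example/sources/0123abcd",
                       os.environ.get("ISC_TOKEN", "unset"), state))
```

After a live run, start an account aggregation and an entitlement aggregation so the source is repopulated.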

Deleting Sources

Before you can delete a source, you'll need to remove all connections to that source including:

Note

If the source is used to authenticate logins to Identity Security Cloud through pass-through authentication, you must configure an alternative authentication process (source) prior to deleting the source.

Tip

To see a comprehensive list of connections to a source, including the virtual appliance, identity profiles, access apps, and SaaS Management connection, select Connections under Aggregation History and Connections in the source configuration.

Removing Identity Profiles from a Source

Before you delete an identity profile, it's important to understand the implications of doing so. For example, in addition to deleting identities, the accounts on the related source become uncorrelated unless another identity profile in your system also owns those accounts.

Prerequisite: Before deleting an identity profile, verify that associated identities are not source or access app owners. If they are, you won't be able to delete the identity profile until those connections are removed.

To view the identity profiles on a source:

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source you want to remove identity profiles from.

  3. In the Aggregation History and Connections section, select Connections. If the source is connected to an identity profile, the name of the profile is displayed under Identity Profile along with the number of identities that came from the source using that identity profile.

  4. Select Details on the identity profile to view additional details and to verify that deleting it will not pose any problems.

To delete a source's associated identity profile:

  1. Go to Admin > Identity Management > Identity Profiles.

  2. Select Actions > Delete Identity Profile for the identity profile you want to delete.

  3. In the confirmation window, select Delete.

Removing Access App Connections from a Source

Before you remove an access app from a source, it's important to understand the implications of doing so. Removing an access app from a source affects users' ability to use those access applications. You must select a replacement source for the access application before you remove the current source.

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source you want to remove access applications from.

  3. In the Aggregation History and Connections section, select Connections.

  4. Choose the access app from the Applications section to view additional details about it before removing it from the source.

  5. When you understand the impact of removing the access app from the source, go to Admin > Applications and select the access app you want to edit.

  6. In the Account Source section of the Configuration tab, use the Select Source dropdown list to select the new source for the access app to use in place of the one you are preparing to delete.

    Note

    The Account Source section only displays when Admin (IT) is selected for App Accounts Created By.

  7. Complete your configuration and select Save to update Identity Security Cloud with your changes.

After you've removed all connections to the source, run an aggregation for the source. When the aggregation process completes, you can delete the source.

Note

You cannot delete a source while identity data is being processed, even if the data isn't connected to the source you want to delete.

Deleting a Source

Before you delete a source, you must remove all references to that source from identity profiles and applications. You can delete a source on the Sources list page or from the Source Configuration page, or by using the Identity Security Cloud REST API. Refer to the Delete Source API documentation for more information on the API call.

To delete from the sources list page:

  1. Go to Admin > Connections > Sources.

  2. Select Actions > Delete for the source you want to delete.

  3. Select Continue on the confirmation message to delete the source. If the source is still in use, an error will display.

Tip

You will see more details about where the source is in use if you delete it from the source details page.

To delete from the source details page:

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source you want to delete.

  3. Select Actions > Delete.

    If the source is still in use, a list of items connected to the source displays. You must remove these connections before you can successfully delete the source.

  4. If the source is not in use, select Continue on the confirmation message to delete the source and its related data.

Source Status Messages

You can view source status information in:

  • The alert icon in both the Sources panel of the System Status and the list of sources.
  • The email notification from Identity Security Cloud, if you have enabled email notifications for your sources.

  • A banner on the source's page.

You can select the source to see the banner at the top of the source's configuration. This banner contains more information about the problem your source is experiencing. Use the following table to troubleshoot source errors:

| Banner Text | Source Type | Suggested Solutions |
|---|---|---|
| VA cluster failing for <time> | Direct Connect | The virtual appliance connected to this source is down or having problems. Verify that your network and servers aren't under maintenance. Verify that the virtual appliance associated with this source is running, is not offline or configuring, and that it is visible from the virtual appliances list. If this does not solve your problem, please contact SailPoint. |
| Target system failing for <time> | Direct Connect | The virtual appliance connected to this source works, but the source may be unreachable. Your service credentials might have been disabled or expired, there may be high network latency, or other network routing issues. Verify that your network and servers aren't under maintenance. Verify that your credentials are valid under Connection Credentials. Verify that the hostname is still accurate under Server Host. Try testing the connection manually by selecting Test Connection. If this does not solve your problem, please contact SailPoint. |
| Loss of VA cluster communication for <time> | Direct Connect | The virtual appliance connected to this source is down or having problems. Verify that your network and servers aren't under maintenance. Verify that the virtual appliance associated with this source is running, is not offline or configuring, and that it is visible from the virtual appliances list. If this does not solve your problem, please contact SailPoint. |
| Account file import failed | Flat File | An admin tried to upload an account file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload. |
| Entitlement file import failed | Flat File | An admin tried to upload an entitlement file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload. |
| Uncorrelated accounts file import failed | Flat File | An admin tried to upload an uncorrelated accounts file that did not import correctly. Verify that the file uses the correct template for the source. Retry the file upload. |
| Source config is incomplete, please add accounts | Flat File and Direct Connect | This is not an error state, but an informational banner. For direct connect sources, the system is not health-checking the source. Run or schedule an aggregation to load accounts. For flat file sources, no file has been uploaded. Upload a file to load accounts. |
| Unhealthy for <time>. | Flat File and Direct Connect | Your source might have lost connectivity to IQService. This affects any provisioning and password reset activities. Check your configuration to IQService, make sure IQService is running, and make sure that network settings are valid. Your source might have failed due to a bad or expired password. All aggregation, provisioning, authentication, and password related activities will fail until this is fixed. Please check your password in the Connection Credentials panel of the source configuration. Your source might be getting a network timeout during aggregation. Check your configuration settings, including the network connections between the VA and the source system. You might have lost connectivity during planned maintenance on a cloud source system. This affects aggregations until the system becomes active again. Check the source system's notifications for more information. |
| Healthy for <time>. | Flat File and Direct Connect | This source is healthy and no action is necessary. |
