Managing Multi-Host Groups
Multi-host groups enable bulk source creation of infrastructure components and server configuration managed from a centralized location. You can create and manage groups of sources created within the multi-host solution.
After creating a multi-host group, you can view its sources and schedule its account aggregation groups and entitlement aggregation groups.
Creating Multi-Host Groups
A multi-host group is a container that holds multi-host sources and their associated account aggregation and entitlement aggregation groups. Multi-host groups can help manage your infrastructure by grouping servers, for example by business functions or geographical location.
Follow the SailPoint Connector Multi-Host documentation for guidance on configuring your specific multi-host group.
Notes
- A multi-host group can contain a maximum of 250 sources.
- The import CSV file must contain only new source names that do not currently exist in Identity Security Cloud.
- Any existing sources within the import file will be ignored.
When you have created your multi-host group, you can view your multi-host sources.
Viewing Sources Created in Multi-Host Groups
After you have created a multi-host group, you can view the sources contained within it, as well as manage account aggregation and entitlement aggregation.
- Go to Admin > Connections > Multi-Host Sources.
- Select a multi-host group to view details about the integration.
- Select Edit to view the Source List.
The Source List displays information about each source, including whether it has a warning or error status. Select the Actions menu to edit the source configuration or test the connection to the source.
Select the Source Name to view the accounts on the source and to configure account correlation.
Viewing Errors
Select View Logs to view logs of any source creation failures or source deletion failures.
To view aggregation failures, go to Admin > Dashboard > Aggregation Activity.
Deleting, Testing, and Editing Multi-Host Groups
From the Source List, you can test the connection to all sources or delete all sources in a multi-host group. You can also edit the multi-host group configuration.
Select Delete to delete the multi-host group and all associated sources. Source deletion failures can be viewed within the multi-host logs.
Caution
Deleting a multi-host group will permanently delete the multi-host group and all of its associated sources, account aggregation groups, and entitlement aggregation groups. This action cannot be undone.
Select Test Connection to test the connection to all sources within the multi-host group. Refresh the page to see the updated status.
Select Edit to edit the base configuration and integration settings that were configured when the multi-host group was created.
Managing Multi-Host Account Aggregation Groups
Account aggregation is the process of loading account data into Identity Security Cloud from external sources. Account aggregation groups enable centralized management of account aggregation for multiple sources.
An account aggregation group can contain a maximum of 10 sources. During the source creation process, the required number of account aggregation groups is automatically created and sources are automatically distributed between groups.
Note
Manual creation of account aggregation groups and manual allocation of sources within the groups is not supported.
You can schedule or manually start account aggregations.
Scheduling Aggregations for Multi-Host Account Aggregation Groups
You can schedule aggregation to automatically load new account data for all sources within the group on a regular basis from the Account Aggregation tab.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Account Aggregation tab.
- You can enable aggregation scheduling and set the frequency, time, and recurrence. Refer to Scheduling Aggregations for Direct Connect Sources for guidance.
- (Optional) Select the Disable Account Deletion checkbox to ensure no accounts are deleted.
  Alternatively, you can set the percentage of allowed deleted accounts per aggregation in the Account Delete Threshold section. Choose a percentage from the dropdown list or enter the percentage of accounts in the threshold field. The "%" sign is automatically added. Select Save to save your changes.
  Note
  The percentage must be an integer between 1 and 100. If the deletions exceed this value, no accounts will be deleted. SailPoint recommends using this option to avoid removing user data in the event of a misconfiguration.
  Account Deletion Limitations
  - If a source has 10 or fewer accounts, setting this value to 4 percent or less will result in the number being rounded to 1 percent to prevent all accounts from being deleted.
  - If a source has 11 to 20 accounts, setting this value to 2 percent or less will result in the number being rounded to 1 percent to prevent all accounts from being deleted.
- Select Save to schedule the source aggregation.
Manually Aggregating Multi-Host Account Aggregation Groups
You can manually aggregate account data for sources within an account aggregation group from the Account Aggregation tab.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Account Aggregation tab.
- (Optional) Select the Disable Account Deletion checkbox to ensure no accounts are deleted.
  Alternatively, you can set the percentage of allowed deleted accounts per aggregation in the Account Delete Threshold section. Choose a percentage from the dropdown list or enter the percentage of accounts in the threshold field. The "%" sign is automatically added. Select Save to save your changes.
  Note
  The percentage must be an integer between 1 and 100. If the deletions exceed this value, no accounts will be deleted. SailPoint recommends using this option to avoid removing user data in the event of a misconfiguration.
  Account Deletion Limitations
  - If a source has 10 or fewer accounts, setting this value to 4 percent or less will result in the number being rounded to 1 percent to prevent all accounts from being deleted.
  - If a source has 11 to 20 accounts, setting this value to 2 percent or less will result in the number being rounded to 1 percent to prevent all accounts from being deleted.
- Select Manual Aggregation to start the account aggregation process.
Managing Multi-Host Entitlement Aggregation Groups
Entitlement aggregation is the process of loading entitlement data into Identity Security Cloud from external sources. Entitlement aggregation groups enable centralized management of entitlement aggregation for multiple sources.
An entitlement aggregation group can contain a maximum of 10 sources. During the source creation process, the required number of entitlement aggregation groups is automatically created and sources are automatically distributed between groups.
Note
Manual creation of entitlement aggregation groups and manual allocation of sources within the groups is not supported.
You can schedule or manually start entitlement aggregations.
Scheduling Aggregations for Multi-Host Entitlement Aggregation Groups
You can schedule aggregation to automatically load new entitlement data for all sources within the group on a regular basis from the Entitlement Aggregation tab.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Entitlement Aggregation tab.
- You can enable aggregation scheduling and set the frequency, time, and recurrence. Refer to Scheduling Recurring Aggregations for guidance.
Notes
- To maintain peak aggregation performance, the first source within the group will start aggregation, followed after a short delay by the next source, until all sources have started aggregation.
- If aggregation fails for a specific source within the aggregation group, the process will move on to the next source and continue the aggregation process.
Manually Aggregating Multi-Host Entitlement Aggregation Groups
You can manually aggregate entitlement data for sources within an entitlement aggregation group from the Entitlement Aggregation tab.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Entitlement Aggregation tab.
- Select Manual Aggregation to start the entitlement aggregation process.
Managing Multi-Host Account Correlation
Correlation is the process of matching and assigning source accounts to identities. Correlation configuration compares the values of specific account attributes with the values of related identity attributes. When those attribute values match, the account is assigned to the identity.
Multi-host correlation enables bulk correlation of accounts for all sources within a multi-host group.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Correlation tab.
- Review the attributes for configuring the source:
  - The Identity Attribute is the attribute from the identity profile used to match the accounts.
  - The Account Attribute is the attribute on the source that Identity Security Cloud tests against the identity attribute.
  - The Operation field is always set to Equals. This field is not editable.
- Use the Identity Attribute dropdown list to select an identity attribute such as email, displayName, or uid. For effective correlation, attribute values should be unique among other accounts and identities. Refer to Using Custom Identity Attributes in Correlation for guidance on using custom identity attributes.
- Use the Account Attribute dropdown list to choose the account attribute that corresponds to the identity attribute you selected.
- Select Add Criteria to add identity attribute and account attribute fields to the correlation configuration.
- If your organization has a preferred attribute for identifying unique accounts, drag and drop the attribute pairing to determine the order in which attributes will be used to correlate accounts.
- To remove attribute pairings, select the Delete icon beside the pairing.
- Select Save to save your changes.
Correlation is applied to each source within the multi-host group during the source's next aggregation. If you change the account correlation for a multi-host group that contains a source that has already been aggregated, you should run another aggregation for that source. This allows unchanged accounts to be reexamined for correlation.
If Identity Security Cloud is unable to match account attributes to identity attributes, the account is considered uncorrelated and is not assigned to identities.
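An offline pre-check of ordered correlation criteria, added here as an illustration and not SailPoint code: it applies identity/account attribute pairs in order with an Equals comparison and reports which accounts would be correlated, left uncorrelated, or hit a non-unique value. The sample data, the account attribute names mail and login, exact case-sensitive matching, and the fall-through to the next pairing on a non-unique match are assumptions of this sketch, not documented product behavior.

```python
from collections import defaultdict

# Constructed sample data (not from a real tenant); attribute names are assumptions.
IDENTITIES = [
    {"id": "id-1", "email": "ana@example.com", "uid": "ana"},
    {"id": "id-2", "email": "bo@example.com", "uid": "bo"},
    {"id": "id-3", "email": "shared@example.com", "uid": "cy"},
    {"id": "id-4", "email": "shared@example.com", "uid": "di"},
]
ACCOUNTS = [
    {"source": "srv-01", "name": "ana", "mail": "ana@example.com", "login": "ana"},
    {"source": "srv-01", "name": "bo2", "mail": "", "login": "bo"},
    {"source": "srv-02", "name": "cy", "mail": "shared@example.com", "login": "cy"},
    {"source": "srv-02", "name": "svc", "mail": "", "login": "svc_backup"},
    {"source": "srv-02", "name": "dup", "mail": "shared@example.com", "login": ""},
]
# Ordered pairings: (identity attribute, account attribute). Operation is Equals.
CRITERIA = [("email", "mail"), ("uid", "login")]


def correlate(accounts, identities, criteria):
    """Map (source, account name) -> (status, identity id, identity attribute)."""
    # One value -> [identity ids] index per pairing, so duplicates are visible.
    indexes = []
    for ident_attr, _ in criteria:
        idx = defaultdict(list)
        for ident in identities:
            if ident.get(ident_attr):
                idx[ident[ident_attr]].append(ident["id"])
        indexes.append(idx)

    results = {}
    for acct in accounts:
        outcome = ("uncorrelated", None, None)
        for (ident_attr, acct_attr), idx in zip(criteria, indexes):
            value = acct.get(acct_attr)
            matches = idx.get(value, []) if value else []
            if len(matches) == 1:  # unique match: assign and stop
                outcome = ("correlated", matches[0], ident_attr)
                break
            if len(matches) > 1 and outcome[0] == "uncorrelated":
                # Assumption: remember the non-unique hit, try the next pairing.
                outcome = ("ambiguous", None, ident_attr)
        results[(acct["source"], acct["name"])] = outcome
    return results


if __name__ == "__main__":
    for key, outcome in correlate(ACCOUNTS, IDENTITIES, CRITERIA).items():
        print(key, outcome)
```

Accounts reported as ambiguous or uncorrelated are the ones to review before saving the criteria, since service accounts and shared mailboxes are typical causes.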