Managing Multi-Host Groups
Multi-host groups enable bulk source creation of infrastructure components and server configuration managed from a centralized location. You can create and manage groups of sources created within the multi-host solution.
After creating a multi-host group, you can view sources and schedule account aggregation groups, and entitlement aggregation groups.
Creating Multi-Host Groups
A multi-host group is a container that holds multi-host sources and their associated account aggregation and entitlement aggregation groups. Multi-host groups can help manage your infrastructure by grouping servers, for example by business functions or geographical location.
Follow the SailPoint Connector Multi-Host documentation for guidance on configuring your specific multi-host group.
Notes
- A multi-host group can contain a maximum of 250 sources.
- The import CSV file must only contain new source names that do not currently exist in Identity Security Cloud.
- Any sources in the import file that already exist will be ignored.
When you have created your multi-host group, you can view your multi-host sources.
Viewing Sources Created in Multi-Host Groups
After you have created a multi-host group, you can view the sources contained within it, as well as manage account aggregation and entitlement aggregation.
- Go to Admin > Connections > Multi-Host Sources.
- Select a multi-host group to view details about the integration.
- Select Edit to view the Source List.
The Source List displays information about each source, including if it has a warning or error status. Select the Actions menu to edit the source configuration or test the connection to the source.
Select the Source Name to view the accounts on the source and to configure account correlation.
Viewing Errors
Select View Logs to view logs of any source creation failures or source deletion failures.
To view aggregation failures, go to Admin > Dashboard > Aggregation Activity.
Deleting, Testing, and Editing Multi-Host Groups
From the Sources List, you can test the connection to all sources or delete all sources in a multi-host group. You can also edit the multi-host group configuration.
Select Delete to delete the multi-host group and all associated sources. Source deletion failures can be viewed within the multi-host logs.
Caution
Deleting a multi-host group will permanently delete the multi-host group and all of its associated sources, account aggregation groups, and entitlement aggregation groups. This action cannot be undone.
Select Test Connection to test the connection to all sources within the multi-host group. Refresh the page to see the updated status.
Select Edit to edit the base configuration and integration settings that were configured when the multi-host group was created.
Managing Multi-Host Account Aggregation Groups
Account aggregation is the process of loading account data into Identity Security Cloud from external sources. Account aggregation groups enable centralized management of account aggregation for multiple sources.
An account aggregation group can contain a maximum of 10 sources. During the source creation process, the required number of account aggregation groups are automatically created and sources are automatically distributed between groups.
Note
Manual creation of account aggregation groups and manual allocation of sources within the groups is not supported.
You can schedule or manually start account aggregations.
Scheduling Aggregations for Multi-Host Account Aggregation Groups
You can schedule aggregation to automatically load new account data for all sources within the group on a regular basis from the Account Aggregation tab.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Account Aggregation tab.
- You can enable aggregation scheduling and set the frequency, time, and recurrence. Refer to Scheduling Aggregations for Direct Connect Sources for guidance.
- (Optional) Select the Disable Account Deletion checkbox to ensure no accounts are deleted.
  Alternatively, you can set the percentage of allowed deleted accounts per aggregation in the Account Delete Threshold section. Choose a percentage from the dropdown list or enter the percentage of accounts in the threshold field. The "%" sign is automatically added. Select Save to save your changes.
  Note
  The percentage must be an integer between 1 and 100. If the deletions exceed this value, no accounts will be deleted. SailPoint recommends using this option to avoid removing user data in the event of a misconfiguration.
  Account Deletion Limitations
  - If a source has 10 or fewer accounts, setting this value to 4 percent or less will result in the number being rounded to 1 percent to prevent all accounts from being deleted.
  - If a source has 11 - 20 accounts, setting this value to 2 percent or less will result in the number being rounded to 1 percent to prevent all accounts from being deleted.
- Select Save to schedule the source aggregation.
Manually Aggregating Multi-Host Account Aggregation Groups
You can manually aggregate account data for sources within an account aggregation group from the Account Aggregation tab.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Account Aggregation tab.
- (Optional) Select the Disable Account Deletion checkbox to ensure no accounts are deleted.
  Alternatively, you can set the percentage of allowed deleted accounts per aggregation in the Account Delete Threshold section. Choose a percentage from the dropdown list or enter the percentage of accounts in the threshold field. The "%" sign is automatically added. Select Save to save your changes.
  Note
  The percentage must be an integer between 1 and 100. If the deletions exceed this value, no accounts will be deleted. SailPoint recommends using this option to avoid removing user data in the event of a misconfiguration.
  Account Deletion Limitations
  - If a source has 10 or fewer accounts, setting this value to 4 percent or less will result in the number being rounded to 1 percent to prevent all accounts from being deleted.
  - If a source has 11 - 20 accounts, setting this value to 2 percent or less will result in the number being rounded to 1 percent to prevent all accounts from being deleted.
- Select Manual Aggregation to start the account aggregation process.
Managing Multi-Host Entitlement Aggregation Groups
Entitlement aggregation is the process of loading entitlement data into Identity Security Cloud from external sources. Entitlement aggregation groups enable centralized management of entitlement aggregation for multiple sources.
An entitlement aggregation group can contain a maximum of 10 sources. During the source creation process, the required number of entitlement aggregation groups are automatically created and sources are automatically distributed between groups.
Note
Manual creation of entitlement aggregation groups and manual allocation of sources within the groups is not supported.
You can schedule or manually start entitlement aggregations.
Scheduling Aggregations for Multi-Host Entitlement Aggregation Groups
You can schedule aggregation to automatically load new entitlement data for all sources within the group on a regular basis from the Entitlement Aggregation tab.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Entitlement Aggregation tab.
- You can enable aggregation scheduling and set the frequency, time, and recurrence. Refer to Scheduling Recurring Aggregations for guidance.
Notes
- To maintain peak aggregation performance, the first source within the group will start aggregation, followed after a short delay by the next source, until all sources have started aggregation.
- If aggregation fails for a specific source within the aggregation group, the process will move on to the next source and continue the aggregation process.
Manually Aggregating Multi-Host Entitlement Aggregation Groups
You can manually aggregate entitlement data for sources within an entitlement aggregation group from the Entitlement Aggregation tab.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Entitlement Aggregation tab.
- Select Manual Aggregation to start the entitlement aggregation process.
Managing Multi-Host Account Schemas
Each source supports a variety of details, or attributes, about each user who has an account, such as their name, email address, manager name, and location.
The set of account attributes each source stores and how they're organized is known as the account's schema. To best represent your data, you can configure sources to use an account schema matching the one you use in the external connector.
Multi-host account schemas enable bulk configuration of account schemas for all sources within a multi-host group.
Viewing an Account Schema
Most sources have an account schema as soon as they're connected to Identity Security Cloud. To view your multi-host group account schema:
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Account Schema tab.
Each multi-host group schema has one attribute marked as the Account Name and one attribute marked as the Account ID. Editing the Account Name or Account ID after aggregation can result in serious issues and is strongly discouraged.
If your multi-host group doesn't have an account schema, you can create one by adding attributes to the source that match your external connector.
Editing an Account Schema
You can add and delete attributes from a multi-host group account schema, as well as indicate whether an attribute supports multiple values.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group containing the account schema you want to update.
- Select Edit and choose the Account Schema tab.
- To add a new attribute, select Add New Attribute and fill out all required fields.
  Important
  Attribute names cannot contain periods.
- To delete an attribute, select the Actions icon beside the attribute and select Delete. You can also select the checkbox beside attributes in this list and select Delete.
- To mark an attribute as an entitlement, select the Actions icon beside the attribute and select Edit. Select the Entitlement checkbox, then select Update.
  Note
  Boolean attributes cannot be marked as entitlements.
- To include permissions with entitlements that are part of an account aggregation, select Edit Schema at the top of the page, and select the Include permissions in aggregations checkbox.
- To remove the Multi-Valued setting on an attribute, select the checkboxes beside the attributes you want to edit. Clear the checkbox for the Multi-Valued setting. You can also do this in the Edit Attribute overlay.
- To edit a source's Account Name and Account ID attributes, select Edit Schema at the top of the page. Under Account ID and Account Name, choose the attributes that should be used to provide those values and select Update.
Changing Account Name and Account ID Attributes
Updating the Account Name or Account ID attributes for a source after aggregating accounts is strongly discouraged and can cause significant errors.
The Account Name attribute is immutable, and editing it after accounts have been aggregated can cause duplicate accounts and identities to be aggregated and created. The Account ID attribute is used in multiple places across systems to reference accounts. Changing the Account ID can break these references in serious and unexpected ways.
Managing Multi-Host Account Correlation
Correlation is the process of matching and assigning source accounts to identities. Correlation configuration compares the values of specific account attributes with the values of related identity attributes. When those attribute values match, the account is assigned to the identity.
Multi-host correlation enables bulk correlation of accounts for all sources within a multi-host group.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Correlation tab.
- Review the attributes for configuring the source:
  - The Identity Attribute is the attribute from the identity profile used to match the accounts.
  - The Account Attribute is the attribute on the source that Identity Security Cloud tests against the identity attribute.
  - The Operation field is always set to Equals. This field is not editable.
- Use the Identity Attribute dropdown list to select an identity attribute such as email, displayName, or uid. For effective correlation, attribute values should be unique among other accounts and identities. Refer to Using Custom Identity Attributes in Correlation for guidance on using custom identity attributes.
- Use the Account Attribute dropdown list to choose the account attribute that corresponds to the identity attribute you selected.
- Select Add Criteria to add identity attribute and account attribute fields to the correlation configuration.
- If your organization has a preferred attribute for identifying unique accounts, drag and drop the attribute pairing to determine the order in which attributes will be used to correlate accounts.
- To remove attribute pairings, select the Delete icon beside the pairing.
- Select Save to save your changes.
Correlation is applied to each source within the multi-host group during that source's next aggregation. If you change the account correlation for a multi-host group that contains a source that has already been aggregated, you should run another aggregation for that source so that unchanged accounts are reexamined for correlation.
If Identity Security Cloud is unable to match account attributes to identity attributes, the account is considered uncorrelated and is not assigned to identities.
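The correlation rules in this section (Equals is the only operation, criteria are tried in the configured order, non-unique values correlate poorly, and anything unmatched stays uncorrelated) can be checked against sample data before an aggregation runs. The block below is an added example, not SailPoint code, and it makes two choices the page does not spell out: an empty attribute value never matches, and a value shared by several identities counts as no match for that criterion. The identities, accounts and criteria are constructed sample data.

```python
"""Ordered account correlation for a multi-host group.

Added example, not SailPoint code. Each criterion pairs an identity attribute
with an account attribute, the only operation is Equals, criteria are tried in
the configured order, and an unmatched account stays uncorrelated. Empty values
never match, and a value shared by several identities is treated as no match
(this example's choice; the page only says values should be unique).
"""
from collections import defaultdict

# Criteria in drag-and-drop priority order: (identity attribute, account attribute).
CRITERIA = [("email", "mail"), ("uid", "sAMAccountName")]

# Constructed identities; I3 and I4 share an email, which the page warns against.
IDENTITIES = [
    {"id": "I1", "email": "ana@example.com", "uid": "ana"},
    {"id": "I2", "email": "bo@example.com", "uid": "bo"},
    {"id": "I3", "email": "shared@example.com", "uid": "cy"},
    {"id": "I4", "email": "shared@example.com", "uid": "dee"},
]

# Constructed accounts as one source in the group would return them after aggregation.
ACCOUNTS = [
    {"nativeIdentity": "ana", "mail": "ana@example.com", "sAMAccountName": "ana"},
    {"nativeIdentity": "bo-old", "mail": "", "sAMAccountName": "bo"},                  # no mail: falls to uid
    {"nativeIdentity": "dee", "mail": "shared@example.com", "sAMAccountName": "dee"},  # ambiguous mail
    {"nativeIdentity": "svc-backup", "mail": "", "sAMAccountName": "svc-backup"},      # no identity at all
]


def build_index(identities, identity_attr):
    """Map each non-empty value of identity_attr to the identities carrying it."""
    index = defaultdict(list)
    for ident in identities:
        value = ident.get(identity_attr, "")
        if value:
            index[value].append(ident["id"])
    return index


def find_non_unique(identities, identity_attr):
    """Values of identity_attr held by more than one identity; these cannot correlate reliably."""
    return sorted(v for v, ids in build_index(identities, identity_attr).items() if len(ids) > 1)


def correlate(accounts, identities, criteria):
    """Return nativeIdentity -> identity id, or None when the account is uncorrelated."""
    indexes = {ia: build_index(identities, ia) for ia, _ in criteria}
    result = {}
    for account in accounts:
        match = None
        for identity_attr, account_attr in criteria:  # configured order decides precedence
            value = account.get(account_attr, "")
            candidates = indexes[identity_attr].get(value, []) if value else []
            if len(candidates) == 1:                   # Equals, and exactly one identity
                match = candidates[0]
                break
        result[account["nativeIdentity"]] = match
    return result


def uncorrelated(result):
    """Accounts that matched no identity and so were assigned to none."""
    return sorted(native for native, ident in result.items() if ident is None)


if __name__ == "__main__":
    for attr, _ in CRITERIA:
        dups = find_non_unique(IDENTITIES, attr)
        if dups:
            print(f"warning: identity attribute {attr} is not unique for {dups}")
    outcome = correlate(ACCOUNTS, IDENTITIES, CRITERIA)
    for native, ident in outcome.items():
        print(f"{native}: {ident or 'uncorrelated'}")
```

Running `find_non_unique` over each configured identity attribute before saving the correlation configuration surfaces exactly the duplicates that would otherwise leave accounts uncorrelated or, with a single criterion, leave more accounts unassigned than expected.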
Managing Account Creation Provisioning
When a user is granted access on a source where they don't already have an account, an account is created for them as part of the provisioning process. This applies regardless of how the provisioning action was initiated. When a new account is created on a source, the attributes on that account must be populated with values.
Multi-host account creation enables bulk account creation for all sources within a multi-host group.
Editing the Account Creation Configuration
Most source types have predefined attributes used for account creation, but you can edit the way they are mapped. This will apply to all sources within a multi-host group.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Create Account tab.
- In Account Attribute Mappings, for each source attribute, select a mapping type and set the related attributes:
  - Identity Attribute - Use an identity attribute’s value to set the account attribute. For example, to use the identity’s work email address to set an account attribute value, select Identity Attribute and then choose Work Email from the Attribute list.
    Important
    The built-in Manager identity attribute can be used to set an account attribute in the Create Account definition. However, it cannot be used in attribute sync. If you need to sync users' manager names to their source accounts, define a custom identity attribute (for example, managerToSync) and configure its mapping to populate it with the user's manager name. Then use that attribute in both your Create Account definition and Attribute Sync configuration.
  - Generator - Generators compute a value for the account attribute, usually based on a pattern you specify. Select the name of a generator that will create the value for the source attribute during provisioning. For example, the Create Unique Account ID generator produces an account ID for each account based on the pattern you enter in the Pattern Used field.
    Patterns can use text values and variables. For variables:
    - Reference identity attributes with $(attributeTechnicalName). An attribute's technical name can be found in parentheses next to the attribute in the Mappings tab of the identity profile. For instance, the technical name for the identity attribute Family Name is $(lastname).
    - Optionally, include a counter that generates a unique number with $(uniqueCounter).
    For example, the default pattern for distinguishedName on Active Directory sources is: CN=$(firstname).$(lastname)$(uniqueCounter),OU=YOURCONTAINER, DC=YOURDOMAIN
    Generator patterns cannot reference other Create Account attributes.
    Note
    While you can select new attributes for any of these fields, SailPoint recommends using the default values in the Generator fields for the generated attributes. To add generators to the list, your implementation team can create Attribute Generator rules.
  - Static - Enter a simple text value or build a value for the attribute using an Apache Velocity script template. Static values use the same Velocity syntax as Static Transforms. These scripts can reference other account attributes defined higher in the Create Account list with $attributeName. Static values cannot reference identity attributes.
  - Disable - Select this option to omit the attribute when creating a new account.
- You can add mappings for existing attributes or create attributes to use in your create account configuration.
- Select Save when you've finished mapping the source attributes.
Adding Existing Attributes
You can add existing account attributes to the multi-host create account configuration so those attributes are assigned values during provisioning actions.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Create Account tab.
- At the bottom of the list of attributes, select Add Mapping.
- Select Add Existing Attribute.
- Select the attribute to add from the Account Attribute dropdown list.
- Select Add.
- Update the attribute's provisioning configuration as described in Editing the Account Creation Configuration.
Creating Attributes
You can create attributes in your multi-host account creation configuration so values can be provisioned to attributes that exist on your source but aren't included in your account schema.
- Go to Admin > Connections > Multi-Host Sources and select a multi-host group.
- Select Edit and choose the Create Account tab.
- At the bottom of the list of attributes, select Add Mapping.
- Select Create New Attribute.
- In the Attribute Name field, enter the name of the attribute to add as it appears on the source. This field is case-sensitive.
- Select Add.
- Update the attribute's provisioning configuration as described in Editing the Account Creation Configuration.
Editing the Attribute List
Attribute values are calculated for an account in the order in which they appear on the Create Account page. You can reorder the attributes in this list so they are provisioned correctly, or remove them from the list entirely.
If an attribute relies on data from another attribute to set its value, the attribute used to calculate the second value must be listed first.
- Go to Admin > Connections > Multi-Host Sources.
- Select Edit and choose the Create Account tab.
- In the list of attributes, use the up or down arrows next to the attributes to reorder them. You can also drag and drop attributes to reorder. Use the Delete icon to remove the attribute from the list.
- Select Save.
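The Create Account rules from Editing the Account Creation Configuration (the four mapping types, $(technicalName) and $(uniqueCounter) in generator patterns, $attributeName in static values) and the ordering rule from Editing the Attribute List (an attribute must be listed above any attribute that depends on it) combine into one evaluation pass. The block below is an added example, not SailPoint code, that performs that pass over a constructed mapping list and flags order violations before provisioning. The counter behaviour (first attempt without a suffix, then 1, 2, ...), the validation function, and the sample mappings, identity and existing source values are this example's own assumptions.

```python
"""Create Account attribute evaluation for a multi-host group.

Added example, not SailPoint code. Attributes are evaluated in list order; an
Identity Attribute mapping copies an identity value; a Generator pattern may
reference identity attributes as $(technicalName) plus $(uniqueCounter) and
nothing else; a Static value may reference only account attributes listed
higher as $attributeName; a Disabled attribute is omitted. Counter behaviour,
validation and all sample data are this example's assumptions.
"""
import re
from dataclasses import dataclass

IDENTITY_REF = re.compile(r"\$\((\w+)\)")    # $(technicalName) in generator patterns
ACCOUNT_REF = re.compile(r"\$\{?(\w+)\}?")   # $name or ${name} in static (Velocity-style) values
MAX_COUNTER = 1000                           # assumed upper bound for $(uniqueCounter)


@dataclass(frozen=True)
class Mapping:
    name: str        # account attribute as it appears on the source (case-sensitive)
    kind: str        # "identity" | "generator" | "static" | "disable"
    value: str = ""  # identity attribute name, generator pattern, or static template


def validate_order(mappings):
    """Static references must point at attributes listed higher; returns the problems found."""
    problems, seen = [], set()
    for m in mappings:
        if m.kind == "static":
            for ref in ACCOUNT_REF.findall(m.value):
                if ref not in seen:
                    problems.append(f"{m.name} references ${ref}, which is not listed above it")
        if m.kind == "generator" and ACCOUNT_REF.search(IDENTITY_REF.sub("", m.value)):
            problems.append(f"{m.name}: generator patterns cannot reference Create Account attributes")
        if m.kind != "disable":
            seen.add(m.name)
    return problems


def expand_generator(pattern, identity, existing_values):
    """Expand $(...) variables; raise $(uniqueCounter) until the value is unused on the source."""
    for counter in range(MAX_COUNTER):
        def sub(m):
            key = m.group(1)
            if key == "uniqueCounter":
                return "" if counter == 0 else str(counter)
            if key not in identity:
                raise KeyError(f"identity attribute {key} is not defined")
            return identity[key]
        candidate = IDENTITY_REF.sub(sub, pattern)
        if candidate not in existing_values:
            return candidate
        if "$(uniqueCounter)" not in pattern:
            raise ValueError(f"{candidate!r} already exists and the pattern has no $(uniqueCounter)")
    raise ValueError("no unique value found within the counter limit")


def expand_static(template, account):
    """Substitute $name with account attributes already computed higher in the list."""
    def sub(m):
        key = m.group(1)
        if key not in account:
            raise KeyError(f"static value references ${key}, which is not set above it")
        return account[key]
    return ACCOUNT_REF.sub(sub, template)


def build_account(mappings, identity, existing):
    """Compute the new account's attributes in list order; existing maps attr -> values on the source."""
    problems = validate_order(mappings)
    if problems:
        raise ValueError("; ".join(problems))
    account = {}
    for m in mappings:
        if m.kind == "disable":
            continue
        if m.kind == "identity":
            account[m.name] = identity[m.value]
        elif m.kind == "generator":
            account[m.name] = expand_generator(m.value, identity, existing.get(m.name, set()))
        elif m.kind == "static":
            account[m.name] = expand_static(m.value, account)
        else:
            raise ValueError(f"unknown mapping type {m.kind}")
    return account


# Constructed sample: an AD-style source where two ana.lopez accounts already exist.
MAPPINGS = [
    Mapping("givenName", "identity", "firstname"),
    Mapping("sn", "identity", "lastname"),
    Mapping("mail", "identity", "email"),
    Mapping("sAMAccountName", "generator", "$(firstname).$(lastname)$(uniqueCounter)"),
    Mapping("distinguishedName", "static", "CN=$sAMAccountName,OU=Staff,DC=example,DC=com"),
    Mapping("description", "disable"),
]
IDENTITY = {"firstname": "ana", "lastname": "lopez", "email": "ana.lopez@example.com"}
EXISTING = {"sAMAccountName": {"ana.lopez", "ana.lopez1"}}

if __name__ == "__main__":
    for key, val in build_account(MAPPINGS, IDENTITY, EXISTING).items():
        print(f"{key} = {val}")
```

Moving the distinguishedName static mapping above the sAMAccountName generator is exactly the mistake the ordering rule warns about; `validate_order` reports it instead of provisioning an account with an unresolved reference.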