Idea ID: 2848220

Orphan Account Review - IGA to allow manual association of account to a user

Status: Needs Clarification

Currently in Orphan Account Review, whenever a user selects "Assign account to User", IG does not take any action. It creates a fulfillment task that needs manual intervention in the target system.

IG should execute the action and associate the account to user in IG.

There are cases where a user has multiple IDs and the target system does not have an additional column to store an additional correlation key.

Besides, the other IGA products work this way. Why doesn't MF IG?

  • There has been no update on this matter since 2020, even though we acknowledged it is a major limitation whereby most organizations will need to have manual user assignment.

  • As documented in the User&Admin Guide / "Editing Attribute Values of Objects in the Catalog" chapter, this is how we should also be able to handle the account-to-user association:

    "When you edit the data, you override the originally collected content and Identity Governance shows an icon next to the value to indicate the change. Any attribute that you edit will be persisted through subsequent collection and publication, even if the original value for the attribute changes. You can later reset the attribute value to its collected value."

    The above only applies to "editable" attributes. There is probably a bit more work under the hood than just marking the "Account-User Mapping" as editable, but this would be the way to go. It seems to work just fine with the "Custodians" attribute. Once possible, it should also be possible to fulfill the orphan account review "assign account to user" action like this, if the application doesn't support user assignment directly.

    I think what VilleS explained is pretty clear and precise. The current "assign account to user" function is useless.

  • We evaluated the product a couple of years ago and had to choose another vendor's product mostly because of this major shortcoming. Collecting all kinds of user account data from all kinds of existing systems is the core functionality of an identity governance solution. The solution must support linking/mapping/correlating collected application accounts to real identities, but it must not assume that the source application could be improved to contain and provide perfect data for this operation, or that one would want to develop automation for that (that's usually called IDM) or have a manual data update process for each lacking application. IG should of course utilize data (e.g. employee number) whenever possible, but even if there were just random user account names in the application, in IG it should be possible to manually add the account linking to the identity. Being able to run reviews with "Assign account to User" is already great, but if IG cannot persist this manual assignment internally, it's pretty useless.

    And yes, other vendors do this (but may have other shortcomings).

    In orphan account review, if the reviewer decides to modify the account by assigning it to a user, IG should automatically associate that account with the user selected by the reviewer.

    What we see now is that if the reviewer does that, a "Modify Assigned user" fulfillment task is created. But there is no way to associate the account with the user unless we update the correlation attribute value in the target system.
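The behaviour the thread asks for, as an added illustration in Python that is not Identity Governance's own code and not part of any post above: a small catalog that correlates collected accounts to identities by a rule (here employee number, as suggested in the comments), lets a reviewer record a manual "assign account to user" decision as an override that survives later collections, and can reset that override to the collected value, mirroring the "Editing Attribute Values" behaviour quoted from the guide. All class, function and field names, the `employeeId` attribute, and the sample identities and accounts are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    """A real person known to governance (constructed sample type)."""
    identity_id: str
    employee_number: str


@dataclass
class CatalogAccount:
    """An application account as stored in the catalog."""
    account_id: str
    application: str
    collected_user: Optional[str] = None   # result of the correlation rule at last collection
    override_user: Optional[str] = None    # manual reviewer decision, persisted across collections
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def assigned_user(self) -> Optional[str]:
        # Manual override wins over the collected value, as for editable attributes.
        return self.override_user if self.override_user is not None else self.collected_user


class Catalog:
    def __init__(self, identities: List[Identity]) -> None:
        self.identities = {i.identity_id: i for i in identities}
        self.accounts: Dict[Tuple[str, str], CatalogAccount] = {}

    def _correlate(self, attrs: Dict[str, str]) -> Optional[str]:
        # Assumed correlation rule: account attribute employeeId == identity employee_number.
        emp = attrs.get("employeeId")
        if not emp:
            return None
        for ident in self.identities.values():
            if ident.employee_number == emp:
                return ident.identity_id
        return None

    def collect(self, application: str, raw_accounts: List[Dict[str, str]]) -> None:
        """Re-run correlation for every collected account; never touch manual overrides."""
        for raw in raw_accounts:
            key = (application, raw["accountName"])
            collected = self._correlate(raw)
            existing = self.accounts.get(key)
            if existing is None:
                self.accounts[key] = CatalogAccount(raw["accountName"], application,
                                                    collected, None, dict(raw))
            else:
                existing.collected_user = collected
                existing.attributes = dict(raw)
                # existing.override_user is intentionally left as the reviewer set it

    def assign_account_to_user(self, application: str, account_id: str, identity_id: str) -> None:
        """Reviewer action from orphan account review, persisted in the catalog itself."""
        if identity_id not in self.identities:
            raise KeyError(f"unknown identity {identity_id}")
        self.accounts[(application, account_id)].override_user = identity_id

    def reset_to_collected(self, application: str, account_id: str) -> None:
        self.accounts[(application, account_id)].override_user = None

    def orphan_accounts(self, application: str) -> List[str]:
        return sorted(a.account_id for a in self.accounts.values()
                      if a.application == application and a.assigned_user is None)


def run_scenario() -> Dict[str, object]:
    """Walk through collection, manual assignment, re-collection and reset (constructed data)."""
    catalog = Catalog([Identity("alice", "E1001"), Identity("bob", "E1002")])
    # bob has two IDs in PAYROLL; the second carries no correlation key (the case from the idea).
    payroll = [
        {"accountName": "asmith", "employeeId": "E1001"},
        {"accountName": "bjones", "employeeId": "E1002"},
        {"accountName": "x7731"},          # random account name, belongs to bob
        {"accountName": "svc_payroll"},    # service account, genuinely unowned
    ]
    result: Dict[str, object] = {}
    catalog.collect("PAYROLL", payroll)
    result["orphans_after_collection"] = catalog.orphan_accounts("PAYROLL")

    catalog.assign_account_to_user("PAYROLL", "x7731", "bob")
    result["orphans_after_assignment"] = catalog.orphan_accounts("PAYROLL")

    catalog.collect("PAYROLL", payroll)    # subsequent collection: override must persist
    result["x7731_after_recollection"] = catalog.accounts[("PAYROLL", "x7731")].assigned_user
    result["bob_accounts"] = sorted(a.account_id for a in catalog.accounts.values()
                                    if a.assigned_user == "bob")

    catalog.reset_to_collected("PAYROLL", "x7731")
    result["orphans_after_reset"] = catalog.orphan_accounts("PAYROLL")
    return result


if __name__ == "__main__":
    for stage, value in run_scenario().items():
        print(f"{stage}: {value}")
```

The point of the example is the separation of `collected_user` from `override_user`: re-collection may rewrite the former freely, but the reviewer's decision lives in the catalog and is only cleared by an explicit reset, so no correlation column has to be added to the target application.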