
duplicate identity management

asp
Regular Contributor II

Hello,

I am trying to understand how duplicate identity management is supposed to work. Can someone confirm or correct my understanding? I am more interested in the user import or user creation scenarios (not the detection of existing duplicate identities).

1. DIM will not stop the duplicate user from being created. It can only stop any birthright accounts from being provisioned, until the manual review has happened.

2. In the manual review, you have 2 options - you can reject the match, in which case there is no change to primary (new) or secondary  user and the new user can proceed to birthright provisioning. The other option is 'Analyze' or 'Merge'. In this case, birthright provisioning is not triggered for the new user. Is this correct? 

3. If Analyze is chosen, then one of the outcomes is that the secondary identity is marked as inactive after the manual review. Is this correct? What happens in this case where the authoritative source still has the user as active? 

4. There is 'merging of identities' in the sense that the 2 user records are not merged into 1 user record. Certain uncommon user attributes are copied to the primary user record, but the user objects themselves remain separate and are not merged. 

5. For duplicates - accounts or access are not copied over or transferred. For example, primary user 'a' is new and secondary user 'b' is existing, with an existing AD account. That AD account is not 'moved' or transferred to the primary user. If user 'b' is an owner of a role, or a is a member of a user group, then user 'a' is made the owner of the role or added to that user group, and user 'b' is removed as the owner, or removed from the group. Is this correct?

Thanks


rushikeshvartak
All-Star

 

  • Duplicate User Creation:

    • Correct. DIM does not prevent the creation of duplicate users. Instead, it identifies potential duplicates and can halt birthright provisioning until a manual review is conducted.
  • Manual Review Options:

    • Correct. During manual review, you can either reject the match or choose to analyze/merge.
      • Reject Match: The new user is treated as a distinct identity, and birthright provisioning proceeds.
      • Analyze/Merge: The new user’s birthright provisioning is not triggered immediately. Further steps depend on the outcome of the analysis.
  • Outcome of Analysis:

    • Correct with Additional Clarification. If "Analyze" is chosen, one possible outcome is marking the secondary identity as inactive.
      • Scenario with Active Authoritative Source: If the authoritative source still marks the user as active, you will need to manage this discrepancy, potentially through additional configuration or custom logic to handle such cases. Saviynt might not automatically reconcile this status with the authoritative source.
  • Merging of Identities:

    • Correct. In DIM, the identities themselves are not merged into a single user record. Instead, selected attributes from the secondary user may be copied to the primary user, but both user objects remain distinct.
  • Handling Accounts and Access:

    • Partially Correct.
      • Account and Access Transfer: Accounts or access are not automatically transferred from the secondary user to the primary user. You need to manually manage these transfers if needed.
      • Roles and Groups: If the secondary user is an owner of a role or a member of a user group, the primary user may be assigned these roles or memberships, and the secondary user can be removed. This depends on your specific configuration and the actions taken during the manual review process.
  • https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter08-Advanced-Administrator/Du... 

 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

asp
Regular Contributor II

One quick follow up -

When the secondary user is deactivated at the end of 'Analyze', would the user update rule for termination pick it up and trigger the disablement of accounts? Is this considered as a 'user update from UI' or 'user update from API'? Or will nothing happen to the secondary user's accounts and it will simply change the user-status to Inactive?

Thank you!

As per my knowledge, it will change the status to inactive.


Regards,
Rushikesh Vartak

NM
Honored Contributor II

Hi @asp, yes, it will make the secondary account status inactive after the record is removed.

And it will also trigger the user update rule, if configured only. As far as I remember, it will be updated from UI.