Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

duplicate identity management

asp
Regular Contributor
Regular Contributor

Hello,

I am trying to understand how duplicate identity management is supposed to work. Can someone confirm or correct my understanding? I am more interested in the user import or user creation scenarios (not the detection of existing duplicate identities)

1. DIM will not stop the duplicate user from being created. It can only stop any birthright accounts from being provisioned, until the manual review has happened.

2. In the manual review, you have 2 options - you can reject the match, in which case there is no change to primary (new) or secondary  user and the new user can proceed to birthright provisioning. The other option is 'Analyze' or 'Merge'. In this case, birthright provisioning is not triggered for the new user. Is this correct? 

3. If Analyze is chosen, then one of the outcomes is that the secondary identity is marked as inactive after the manual review. Is this correct? What happens in this case where the authoritative source still has the user as active? 

4. There is 'merging of identities' in the sense that the 2 user records are not merged into 1 user record. Certain uncommon user attributes are copied to the primary user record, but the user objects themselves remain separate and are not merged. 

5. For duplicates - accounts or access is not copied over or transfered. For e.g. primary user 'a' is new and secondary user 'b' is existing, with an existing AD account. That AD account is not 'moved' or transferred to the primary user.  If user 'b' is an owner of a role, or a is a member of a user group, then user 'a' is made the owner of the role or added to that user group, and user 'b' is removed as the owner, or removed from the group. Is this correct? 

Thanks

4 REPLIES 4

rushikeshvartak
All-Star
All-Star

 

  • Duplicate User Creation:

    • Correct. DIM does not prevent the creation of duplicate users. Instead, it identifies potential duplicates and can halt birthright provisioning until a manual review is conducted.
  • Manual Review Options:

    • Correct. During manual review, you can either reject the match or choose to analyze/merge.
      • Reject Match: The new user is treated as a distinct identity, and birthright provisioning proceeds.
      • Analyze/Merge: The new user’s birthright provisioning is not triggered immediately. Further steps depend on the outcome of the analysis.
  • Outcome of Analysis:

    • Correct with Additional Clarification. If "Analyze" is chosen, one possible outcome is marking the secondary identity as inactive.
      • Scenario with Active Authoritative Source: If the authoritative source still marks the user as active, you will need to manage this discrepancy, potentially through additional configuration or custom logic to handle such cases. Saviynt might not automatically reconcile this status with the authoritative source.
  • Merging of Identities:

    • Correct. In DIM, the identities themselves are not merged into a single user record. Instead, selected attributes from the secondary user may be copied to the primary user, but both user objects remain distinct.
  • Handling Accounts and Access:

    • Partially Correct.
      • Account and Access Transfer: Accounts or access are not automatically transferred from the secondary user to the primary user. You need to manually manage these transfers if needed.
      • Roles and Groups: If the secondary user is an owner of a role or a member of a user group, the primary user may be assigned these roles or memberships, and the secondary user can be removed. This depends on your specific configuration and the actions taken during the manual review process.
  • https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter08-Advanced-Administrator/Du... 

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

asp
Regular Contributor
Regular Contributor

One quick follow up -

When the secondary user is deactivated at the end of 'Analyze', would the user update rule for termination pick it up and trigger the disablement of accounts?  Is this considered as a 'user update from UI' or 'user udpate from API'?  Or will nothing happen to the secondary user's accounts and it will simply change the user-status to Inactive? 

Thank you!

As per my knowledge It will change status to inactive


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

NM
Valued Contributor
Valued Contributor

Hi @asp yes it will make the secondary account status inactive after record is removed.

And it will also trigger user update rule .. if configured only .. as far as I remember it will be updated from UI