Saviynt Forums

Paul_Meyer · ‎09/05/2022

Is it possible to determine if an application account has been manually correlated to a User?

I have one AD account that should be correlated to User A according to the endpoint correlation config, but it remains correlated to User B, which does not match the correlation rule, after full account recon jobs. Wondering if the account was manually correlated and might override correlation via account recon job.

rushikeshvartak · ‎09/05/2022

Only way to find if account is correlated manually or via Job is using user_accounts table with updatedate & updateuser column

https://saviynt.freshdesk.com/support/solutions/articles/43000521404-saviynt-enterprise-identity-clo...)

Accounts correlation get override only in some connector

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

sahajranajee · ‎09/08/2022

@Paul_Meyer

As Rushikesh mentioned, use the user_accounts table information to validate who and when did this correlation happen :

To correct the user account correlation. You could use the below 3 options :
1. Update the correlation from UI by opening the account details page for the account.

2. Use the assign account to user API (assignAccountToUser)

3. Use a csv account upload and enable the 'Overwrite User Assigned' option

Regards,
Sahaj Ranajee
Sr. Product Specialist

Paul_Meyer · ‎10/25/2022

@sahajranajee

Based on the provided options, is the account recon task not capable of automatically re-correlating the Accounts to Users (based on the Endpoint correlation config) if the Endpoint correlation rule changes or the actual account data changes?

Are you required to manually intervene periodically to ensure that Accounts correlate to the correct Users?

Regards

Paul

rushikeshvartak · ‎10/25/2022

Account correlation is not updated automatically if correlation rule is updated. You can have detective control ( analytics report ) you can have user name stored in accounts custom property and validate with saviynt account user correlation if its doesn’t match then you can update correlation using APi / csv /Manual as mentioned by Sahaj

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Paul_Meyer · ‎10/25/2022

@rushikeshvartak

And for account data changes?

For example, an AD account was correlated to the incorrect User account, based on incorrect account data. The account data was updated and doing a manual compare between the User and Account data should be a perfect match with the correct User based on the correlation rule. We have a large number of AD accounts that does not correlate regardless where the actual data matches exactly. The account data was updated after the initial account recon and we cannot get a full recon task to recorrelate the accounts.

rushikeshvartak · ‎10/25/2022

Account Data will always come from target so it won’t be incorrect as this will be from one source & not from two source for same account for example AD + DB DATA coming to same account.

if AD mapping is incorrect you should find correct unique identifier and update your correlation rule & one time remove all mapping from user_accounts table with helps of operations team & correct it

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Saviynt Forums

Manual account correlation