Identity Merge

Identity management is both art and science. It may look completely deterministic, but too often there are cases that cannot be fully automated and encoded in rules. Sometimes there are cases that nobody expected. A good identity management system should be able to handle even those situations.

Identity correlation is a good example of this. MidPoint has been able to correlate identities automatically since its very beginning. Therefore midPoint can tell that this account belongs to this user because the username matches, because the employee number matches, because the number of an internal employee matches, but in the case of an external employee the contract identifier should match together with the username … or any other complex deterministic rule. MidPoint can do that easily. However, the identifiers are assigned by people and governed by business processes that are far from perfect. Even sophisticated correlation rules may fail. And they do fail. The result of a failed correlation is often an unmatched account, which is easy to assign manually.

But the situation is quite different if there are several information sources. There may be several HR systems for several company branches. There may be different source systems for university students and staff. MidPoint supports this configuration in a very elegant way. However, the information sources sometimes overlap and the identities need to be correlated. If these correlation rules fail, the result is a bit worse than just an unmatched account: two identities are created instead of one. And these two identities may live their own lives. There are already some roles for the old identity, but the user will request new roles for the new identity, or those roles may be assigned automatically. It is not easy to correct this situation even if it is detected immediately. After a few days it becomes an absolute nightmare. This is how it works in almost all IDM systems. But midPoint 3.5 will be better.

MidPoint 3.5 has a new feature that supports merging two identities. The administrator can pre-configure the rules for the identity merge: take the username from the old identity, the organization from the new identity, write a script to select values, and so on. Then, when the operator discovers duplicated identities, there is a simple operation to merge them:

[Image: object-merge]
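The following is an added example, not midPoint code and not its configuration format. It models the two mechanisms described above on a hypothetical data model: the deterministic correlation rules (internal employees match on employee number, external employees on contract identifier plus username), and the per-attribute merge rules ("old", "new", or a script-like callable). Everything in it, including the `Identity` class, the `MERGE_RULES` table and the sample records, is constructed for illustration. The merge also returns an audit trail and the list of roles that existed only on the duplicate, because a merge that silently unions entitlements is exactly the kind of change a reviewer needs to see.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical data model (not midPoint's schema): a minimal user identity.
@dataclass
class Identity:
    name: str                          # username
    employee_type: str = "internal"    # "internal" or "external"
    employee_number: Optional[str] = None
    contract_id: Optional[str] = None
    organization: Optional[str] = None
    email: Optional[str] = None
    roles: set = field(default_factory=set)

def correlate(account: dict, users: list) -> Optional[Identity]:
    """Deterministic correlation: internal accounts match on employee number,
    external accounts must match on both contract id and username.
    Returns None when zero or more than one identity matches, so an ambiguous
    account is left unmatched for a human instead of being linked to the wrong user."""
    matches = []
    for user in users:
        if account.get("type") == "internal":
            hit = (user.employee_number is not None
                   and user.employee_number == account.get("employee_number"))
        else:
            hit = (user.contract_id is not None
                   and user.contract_id == account.get("contract_id")
                   and user.name == account.get("username"))
        if hit:
            matches.append(user)
    return matches[0] if len(matches) == 1 else None

# Merge rules, one per attribute: "old" keeps the old identity's value, "new" takes
# the value from the new identity, and a callable stands in for the script the
# text mentions; it receives (old_value, new_value) and returns the winner.
MERGE_RULES = {
    "name": "old",
    "employee_type": "old",
    "employee_number": "old",
    "contract_id": "new",
    "organization": "new",
    # Hypothetical script rule: prefer a corporate address, otherwise whatever is present.
    "email": lambda old, new: old if (old or "").endswith("@example.com") else (new or old),
}

def merge(old: Identity, new: Identity, rules: dict):
    """Apply the merge rules attribute by attribute. Returns the merged identity
    and an audit dict recording where each value came from, plus the roles that
    were present only on the duplicate so they can be recertified."""
    merged = Identity(name=old.name)
    audit = {}
    for attr, rule in rules.items():
        old_value, new_value = getattr(old, attr), getattr(new, attr)
        if rule == "old":
            value = old_value if old_value is not None else new_value
        elif rule == "new":
            value = new_value if new_value is not None else old_value
        elif callable(rule):
            value = rule(old_value, new_value)
        else:
            raise ValueError(f"unknown merge rule for {attr}: {rule!r}")
        setattr(merged, attr, value)
        audit[attr] = "old" if value == old_value else "new"
    # Union of roles so nothing is lost silently; the audit flags roles that
    # came only from the duplicate, because a merge must not quietly grant
    # the surviving identity extra access without review.
    merged.roles = set(old.roles) | set(new.roles)
    audit["roles_from_duplicate_only"] = sorted(set(new.roles) - set(old.roles))
    return merged, audit

# Constructed sample data: one person created twice from two HR feeds.
OLD = Identity(name="jsmith", employee_number="E1001", organization="Research",
               email="jsmith@example.com", roles={"employee", "lab-access"})
NEW = Identity(name="john.smith", employee_number="E1001", organization="Engineering",
               email="john.smith@mail.example", roles={"employee", "vpn"})

def demo():
    """Show correlation becoming ambiguous once the duplicate exists, then the merge."""
    account = {"type": "internal", "employee_number": "E1001", "username": "jsmith"}
    before = correlate(account, [OLD])        # unique match
    after = correlate(account, [OLD, NEW])    # two candidates: ambiguous, returns None
    merged, audit = merge(OLD, NEW, MERGE_RULES)
    return before, after, merged, audit

if __name__ == "__main__":
    _, _, merged, audit = demo()
    print(merged)
    print(audit)
```

The ambiguity check in `correlate` is deliberate: once a duplicate exists, the same account matches two identities, and linking it to either one automatically would entrench the split. Returning `None` surfaces the problem to an operator, which is the point at which the merge operation becomes the right tool.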

This is yet another small step on our mission to create the best and most practical identity management and governance system. MidPoint has been the state-of-the-art IDM system for several years. We recently introduced the essential governance features in midPoint 3.4. Before this year is over, midPoint 3.5 will bring more governance and usability goodness. And even more of that is planned for next year.
