What is the difference between Account Aggregation and Identity Refresh Tasks?

  • 7011219
  • 21-May-2011
  • 19-Oct-2012

Resolution

An account aggregation is simply the on-boarding of data into Access Governance Suite. Account Aggregation and Correlation are two of the three primary pillars of building an Identity Cube, the primary representative model of an identity as constructed in Access Governance Suite. It is called an Identity Cube because it represents the full view of the Identity from all possible angles, using all the data pulled from the authoritative and non-authoritative sources linked to the Identity. Those relationships are correlated to the Identity to show where there are overlaps and existing inter-relations, and how they may exist within the framework of an organization's policies, rules and governance.

The act of aggregating data is simply reading data into the Access Governance Suite repository (database) from read-only connectors to the disparate data sources provided by the organisation. These connectors can be of many different types, as described in the User Guides, and are either direct or indirect connections, as the client chooses. You may think of aggregating data in the same way as a farmer gathering the harvest in the field; I like to think of a wheat farmer gathering his crop: he gathers the grain and separates the chaff. Aggregating accounts is very similar: we read in data and gather only the information we require from those connectors.

By aggregating accounts from Active Directory, we mean that we are actively reading and gathering the information that is important to us for review from Active Directory. As a part of that aggregation we also perform the second pillar of the Identity Cube build, Correlation, a process wherein we build relationships based upon the data that is read into the repository from the account information that we have aggregated.

For instance, let us presume that the Active Directory application is our authoritative source application, and that we know that some of its account attributes can also be correlated. A primary example might be a Manager Correlation Rule, wherein I know that the Manager value on the account aggregated from Active Directory can be correlated as Manager to the Identity Cube of the Identity being aggregated. A Manager Correlation therefore happens when I have a Manager Correlation Rule that correlates the value of the Manager attribute from this aggregation to the cube. This is simple enough to understand; it just takes time and practice to implement and utilise.

The Identity Refresh Task finalises the linking of the discovered relationships and information to each identity from every aggregation and correlation task that has occurred prior to the refresh. As each Aggregation task on-boards new bits of data, new bits of information are gathered about the Identity Cube. This information is stored, but it is not finalised until the refresh task completes its run and stores that data with the proper persistence into the Identity object that represents the Identity Cube itself. Once that has been done, the complete Identity Cube has been built to the extent of the data it has been given about the Identities stored therein. This is not to say that it is the complete and total picture, for you may yet decide to provide additional information, but it is complete to the point of the information so far provided.
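
The sequence described above (aggregate, correlate, then refresh) can be sketched as a small conceptual model. This is an added illustration, not Access Governance Suite code: every class, function and field name is hypothetical, and the sample Active Directory accounts are constructed.

```python
# Conceptual model only: all names are hypothetical, not Access Governance Suite APIs.
from dataclasses import dataclass, field

# Constructed sample records, as a read-only Active Directory connector might return them.
AD_ACCOUNTS = [
    {"sAMAccountName": "asmith", "displayName": "Alice Smith",
     "manager": "bjones", "homeDirectory": r"\\fs01\home\asmith"},
    {"sAMAccountName": "bjones", "displayName": "Bob Jones",
     "manager": None, "homeDirectory": r"\\fs01\home\bjones"},
]
REQUIRED = ("sAMAccountName", "displayName", "manager")  # the grain; the rest is chaff


@dataclass
class IdentityCube:
    name: str
    links: list = field(default_factory=list)       # aggregated account data
    pending: dict = field(default_factory=dict)     # discovered, not yet finalised
    attributes: dict = field(default_factory=dict)  # written only by refresh()


def manager_correlation_rule(link, cubes):
    """Match the aggregated Manager value to an existing cube, if there is one."""
    manager = cubes.get(link["manager"])
    return manager.name if manager else None


def aggregate(accounts, cubes, application="Active Directory"):
    """Read accounts in, keep only required attributes, then correlate."""
    batch = []
    for account in accounts:
        link = {"application": application, **{k: account.get(k) for k in REQUIRED}}
        cube = cubes.setdefault(link["sAMAccountName"], IdentityCube(link["sAMAccountName"]))
        cube.links.append(link)
        batch.append((cube, link))
    for cube, link in batch:  # second pass: every cube in the batch now exists
        cube.pending["displayName"] = link["displayName"]
        cube.pending["manager"] = manager_correlation_rule(link, cubes)
    return cubes


def refresh(cubes):
    """Finalise everything prior aggregations discovered onto each identity."""
    refreshed = 0
    for cube in cubes.values():
        if cube.pending:
            cube.attributes.update(cube.pending)
            cube.pending.clear()
            refreshed += 1
    return refreshed
```

After `aggregate()` alone, each cube holds its links and pending values but its `attributes` are still empty; only `refresh()` moves them onto the identity.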