- 16 May 2024
- 4 Minutes to read
Step 4: Identify and Clean Up Unreconciled Users
Now that you have Downstream Applications configured, attributes prioritized, and roles built, it is time to identify and clean up any Unreconciled Users.
In this section, you will perform the following steps:
- Explore the Alerts section
- Process Identity Resolution alerts
- Check out advanced topics!
Alerts
Lots of different actions and scenarios in Clarity can trigger an alert (see the Alerts section for more details), but the one we are concerned with right now falls under the category Identity Resolution.
Clarity does not use inactive Service Users from Downstream Applications flagged as a Source of Truth to create identities. Only active Service Users from a Source of Truth application will generate new identities.
Learn more about alerts: What are Alerts?
Identity Resolution Alerts
The primary cause of an Identity Resolution alert is something we refer to as an Unreconciled User.
An example of this would be an employee who is found to be inactive (such as being set to terminate in the HR platform) but who still has an active account and entitlements in another Downstream Application. As a result, Clarity throws an alert for this active account with live access in an application for which no valid employee, contractor, or service account identity could be found.
In the example below, the user First Last was found in MS Active Directory with the email address first.last@claritysecurity.com; the User Identifier and User Name are included as additional context (some applications may not have an email field). Clarity attempted to match this user using the email but was unable to find an Identity with matching attributes.
This alert type does not always mean there is an orphaned account in your Downstream Application; it can simply mean the account (Service User) from the application could not be matched to an active identity because an attribute (especially email) was missing or did not match. This type of alert can be manually resolved to an existing identity in Clarity using the user list dropdown and the Grant to Identity button. This creates a permanent relationship between this Service User and the Identity you select.
Process your Identity Resolution Alerts
Each of your Identity Resolution Alerts offers the options below to process the Service User. You can also use the Search field in the top right to perform a simple string match across all of your alerts.
Grant to Identity
This option lets you take the Service User for which the Alert was generated and manually assign it to an Identity in Clarity. This creates a relationship between this Service User's account (by service user identifier) and the Identity object in Clarity. This is a great option for Service Users that don't have an attribute Clarity can use to match an existing Identity (such as a missing email, or a username that doesn't follow your standard formatting).
Create New Identity
If an Identity for the Service User (the one that created the alert) does not yet exist, this button lets you create one based on this account. An example of this would be for service accounts (non-human accounts with permissions) found in a non-Source of Truth application.
Terminate
This option runs the Terminate process for the user referenced in the alert; whether that means deactivation or deletion is determined by the Deactivate or Delete on Termination option selected during the application configuration. Because this is a Service User not tied to an Identity, the process is controlled by a separate workflow trigger, Service User Terminated (as opposed to Identity Terminated).
Ignore
This option lets you ignore the alert completely. If you would like to undo any Alerts you chose to Ignore, then contact your Clarity Customer Success representative. Support for viewing ignored alerts and returning them to your active alerts page is coming in a future update.
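The matching behaviour described under Identity Resolution Alerts (active Source of Truth users create identities, downstream accounts are matched to an active Identity by email, and any live account that cannot be matched raises an Identity Resolution alert) together with the four processing options above, as an added Python model. This is example code written for this page, not Clarity's own code, and it makes no claim about Clarity's internals. The record layout, the function names, the case-insensitive email comparison, the `app:identifier` key used when a newly created Identity has no email, and the sample HR and Active Directory records are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example, not Clarity's code. Record shapes and names are assumptions.

@dataclass(frozen=True)
class ServiceUser:
    app: str            # Downstream Application the account lives in
    identifier: str     # the application's own user identifier
    username: str
    email: str | None   # some applications have no email field
    active: bool

@dataclass
class Identity:
    key: str            # normalised email used as the matching attribute
    active: bool = True
    accounts: set = field(default_factory=set)  # (app, identifier) pairs linked to this Identity

@dataclass
class Alert:
    category: str
    service_user: ServiceUser
    reason: str

def norm_email(email):
    """Assumed normalisation: emails compared case-insensitively with whitespace stripped."""
    return email.strip().lower() if email else None

def sync_source_of_truth(identities, sot_users):
    """Active Source of Truth users create Identities; inactive ones never do.
    An existing Identity whose Source of Truth account went inactive is marked inactive."""
    for su in sot_users:
        key = norm_email(su.email)
        if key is None:
            continue
        if su.active:
            identities.setdefault(key, Identity(key)).accounts.add((su.app, su.identifier))
        elif key in identities:
            identities[key].active = False
    return identities

def reconcile(identities, service_users, grants):
    """Link each live Service User to an Identity or raise an Identity Resolution alert.
    grants: {(app, identifier): identity_key} recorded by earlier Grant to Identity actions."""
    alerts = []
    for su in service_users:
        if not su.active:
            continue                      # only accounts with live access are of concern
        acct = (su.app, su.identifier)
        if acct in grants:                # a manual relationship is permanent and wins
            identities[grants[acct]].accounts.add(acct)
            continue
        key = norm_email(su.email)
        ident = identities.get(key) if key else None
        if ident is None:
            reason = "no email attribute" if key is None else "no Identity with matching email"
        elif not ident.active:
            reason = "matching Identity is inactive"
        else:
            ident.accounts.add(acct)
            continue
        alerts.append(Alert("Identity Resolution", su, reason))
    return alerts

def process_alert(alert, action, identities, grants, app_config, identity_key=None):
    """The four options offered on an Identity Resolution alert. Returns a short record of the action.
    app_config: {app: "deactivate" | "delete"} standing in for Deactivate or Delete on Termination."""
    su = alert.service_user
    acct = (su.app, su.identifier)
    if action == "grant":                 # permanent Service User -> Identity relationship
        grants[acct] = identity_key
        identities[identity_key].accounts.add(acct)
        return f"granted to {identity_key}"
    if action == "create":                # new Identity based on this account (e.g. a service account)
        key = norm_email(su.email) or f"{su.app}:{su.identifier}"   # assumed key for email-less accounts
        identities[key] = Identity(key, accounts={acct})
        grants[acct] = key
        return f"created identity {key}"
    if action == "terminate":             # not tied to an Identity, so the Service User Terminated trigger fires
        return f"Service User Terminated -> {app_config.get(su.app, 'deactivate')} {su.identifier}"
    if action == "ignore":
        return "ignored"
    raise ValueError(f"unknown action {action!r}")

def demo():
    """Constructed sample records: HR is the Source of Truth, Active Directory is downstream."""
    hr = [ServiceUser("HR", "e100", "alice", "Alice@Example.com", True),
          ServiceUser("HR", "e200", "bob", "bob@example.com", False),      # set to terminate in HR
          ServiceUser("HR", "e300", "carol", "carol@example.com", True)]
    ad = [ServiceUser("MS Active Directory", "S-1", "alice", "alice@example.com", True),
          ServiceUser("MS Active Directory", "S-2", "bob", "bob@example.com", True),   # still live in AD
          ServiceUser("MS Active Directory", "S-3", "svc_backup", None, True),         # no email field
          ServiceUser("MS Active Directory", "S-4", "c.smith", "c.smith@example.com", True)]  # non-standard email
    identities = {"bob@example.com": Identity("bob@example.com")}   # created by an earlier sync, before bob left
    sync_source_of_truth(identities, hr)
    grants = {}
    first = reconcile(identities, hr + ad, grants)
    cfg = {"MS Active Directory": "delete"}
    done = [process_alert(first[2], "grant", identities, grants, cfg, identity_key="carol@example.com"),
            process_alert(first[1], "create", identities, grants, cfg),
            process_alert(first[0], "terminate", identities, grants, cfg)]
    second = reconcile(identities, hr + ad, grants)   # only bob's live AD account is still unreconciled
    return first, done, second

if __name__ == "__main__":
    for a in demo()[0]:
        print(a.service_user.app, a.service_user.identifier, a.service_user.username, "->", a.reason)
```

The first pass produces three alerts with three different reasons (an inactive matching Identity, a missing email attribute, and an email that matches no Identity), which is the distinction the text draws between a genuinely orphaned account and an account that merely failed attribute matching. Granting and creating both record a permanent account-to-Identity relationship, so the second pass leaves only the terminated employee's live account, the case Terminate is meant for.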
Up Next: Running an Access Review!
In the following section, we will walk you through how to create and complete a User Access Review.
Step 5: Running an Access Review
Need help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.