Linked Identities

Linked Identities is a feature that can create relationships between Identities in Clarity and defines connections between multiple accounts which all belong to one unique entity (person). These relationships help prevent inappropriate reviewing of access (reviewing one's own access during User Access Reviews) and cascading terminations events (when an employee is terminated, any linked identities will be terminated) for admin or service accounts.

Parent vs Linked

Parent Identity: an identity that has one or more identities linked to it.
Linked Identity: an identity that has been linked to a parent identity.

Parent and Linked Identities currently do not share attributes.

Parent Identity

This Identity has one or more Identities linked to it. This is often the identity in Clarity that has your HR platform establishing whether this identity should be active or inactive.

Linked Identity

An Identity that has been linked to another (parent) Identity. This type is often something like an admin account or special service account.
Common Examples: Duplicate accounts in an application with higher levels of access. Your main Azure AD user object (the one associated with your email) would be tied to your Parent Identity, but any additional Azure AD accounts that belong to you would be linked identities (Clarity does not allow for multiple Service Users from the same application in one Identity).

Establish a Linked Identity Relationship

Navigate to the child identity (typically an admin or service account), and click on the Edit Profile button (or the pencil icon in the top right). In the pop out menu, look for the Link to a Parent Identity section (see below), and use the text field to search for the parent identity, and then select the Identity you want. Click the Update Identity button at the bottom of the pop out menu to save the changes.

Now if you visit the parent identity in Clarity, you will see a list of the number of linked identities in place of the Link to a Parent Identity section of the Edit Profile pop out menu. This is because an once an Identity is the parent to another identity, it can no longer be linked as a child. While an Identity set as a parent to another identity can no longer be linked as a child, they can be a parent to multiple Linked Identities.

Combining Identities

Clarity will prevent a single identity from having multiple service users for the same application. Instead, Clarity will create a new identity that you link to a parent.

UAR Creation

There is an additional checkbox to include Linked Identities for select Types when running a User Access Review.

Provisioning access

Clarity will block the provisioning of access to Linked Identities with inactive Parent Identities.

Special Notes

• Terminating (automatic or manual) of a Parent Identity will trigger a termination event on any Linked Identities; however the reverse will not happen. A termination event on a linked identity will not trigger a parent identity to be terminated.
• Once an Identity has been set as a Parent Identity (other identities are linked to it), then that Identity is no longer eligible to be linked to another Identity.
• An active linked identity with an inactive Parent Identity, will be treated as an Orphaned Account.
• Access Reviews will automatically prevent Self-Reviewing of Linked Identities.
• By default, on the Identities page, Linked Identities are hidden. Selecting the toggle in the top right of the screen will let you show or hide these Identities.

Need Help?