The duplicate Identity matching feature will match the incoming data of a user provisioning request with existing profiles in Identity and/or with existing profiles in the specified SOA system based on the user match rules defined. When there are matches found, then those matches will be sent to the User Match Administrator for further action. The administrator can either match the user with an existing user or create a new user as desired.
User Match Process Overview
All user provisioning requests will be received by the PPE (Policy Processing Engine), which first checks whether the user already exists in Identity with the given SourceKeyAttribute and value. If PPE finds a profile in Identity with the given SourceKey, then the changeType will be resolved as modify and the provisioning request will be considered as a modify request.
When PPE cannot find an existing Identity profile with the given SourceKey, the request is considered a new user provisioning request. PPE then checks whether the “Transaction-UserMatchOption” value in the user data turns off the User Match option for this request. If not, PPE sends the user data to the User Match Engine.
The User Match Engine evaluates the user data against the user match policies configured in the org, one by one, to find the qualifying user match policy for the user. Once a user match policy qualifies, the user is matched against the rules specified in that policy. The match process may find zero or more matches for the user, which are returned to PPE. If no matches are returned, PPE continues to provision the new user. If only one perfect match is returned, PPE provisions that matched user. If the returned match is a strong match, or if more than one match is returned, PPE does not provision the user; instead, it records the matches and notifies the User Match Administrators.
User Match Administrators can log in to the Self-Service UI to see the matches. They can either select one of the matches or choose the Create New option and submit. When a match is selected and submitted, PPE is called to process the matched user: it first updates the user data based on the precedence and matched data selection specified in the policy, and then initiates provisioning for the matched user with the updated user data. When PPE is called to process a new user with the “create new” option, the regular new user provisioning process is initiated with the user data already given to PPE.
User Match Configuration
The user match configuration includes configuring the user match administrators, defining user match rules and setting the user match configuration properties.
Configuring User Match Administrators
For details on configuring User Match Administrators to view and/or manage user match tasks from the Self-Service Portal, refer to the Client Admin chapter in the Identity Suite Administration Guide Volume 1.
Defining a User Match
There are 3 components to define a user match. They are User Match Condition, User Match Rule and User Match Policy.
The most basic component of a user match configuration is the User Match Condition.
Creating User Match Conditions
- From the Admin UI ► Users tab, click User Match Condition. The user match conditions already defined are listed. A new condition can be created by clicking the Add button, or an existing condition can be copied by clicking the Copy button after selecting the condition. The User Match Condition - Details (Add New) page displays.
Data Validation Condition
- Enable the Data Validation radio button for Operation to add a data validation condition.
Condition Name
Enter the unique name of the user match condition.
Condition Description
Enter the description of the user match condition.
Source Attribute
- Attribute: Click Select button to select the source attribute whose value is to be matched with the value of same attribute in Identity (FUP). Only profile column mapped attributes are available for use.
- Literal: Enter a literal value and select a Target Attribute. Only profile column mapped attributes are available for use. The literal value entered will be matched with the selected Target Attribute value in Identity (FUP).
Format Source Data
- Remove Space: Select this checkbox to remove space from the source data before matching.
- Allow All Characters: Enable this radio button to allow all characters in the source data for matching.
- Allow these Characters: Enable this radio button and enter the characters that are to be allowed in the source data for matching.
Operation
Identity Match: Enable this to match the source data with an attribute in FISC_USER_PROFILE.
Validation Clause
Select Null/Not Null option to validate the source attribute.
Identity Match Condition
- Enable the Identity Match radio button for Operation to add an Identity match condition.
Condition Name
Enter the unique name of the user match condition.
Condition Description
Enter the description of the user match condition.
Source Attribute
- Attribute: Click Select button to select the source attribute whose value is to be matched with the value of same attribute in Identity (FUP). Only profile column mapped attributes are available for use.
- Literal: Enter a literal value and select a Target Attribute. Only profile column mapped attributes are available for use. The literal value entered will be matched with the selected Target Attribute value in Identity (FUP).
Format Source Data
- Remove Space: Select this checkbox to remove space from the source data before matching.
- Allow All Characters: Enable this radio button to allow all characters in the source data for matching.
- Allow these Characters: Enable this radio button and enter the characters that are to be allowed in the source data for matching.
Operation
Identity Match: Enable this to match the source data with an attribute in FISC_USER_PROFILE.
Match Type
Select a match type:
- Starts With
- Ends With
- Contains
- Equals
- Not Equals
- Null
- Not Null
Number of Characters to pick from Source attribute for Matching:
- All: All characters from the source attribute will be used to match with the target.
- Specific: Enter the number of characters that are to be picked from source attribute for matching.
- Pick From: Select an option, Left or Right to pick the specified number of characters from. Pick From options are enabled only when Specific radio button is selected.
Source Value's Case Sensitivity:
- As it is: The source value's case will be retained as it is and matched with the target.
- All Uppercase: The source value will be converted to upper case and then matched.
- All Lowercase: The source value will be converted to lower case and then matched.
- Insensitive: A case insensitive match is done between the source and target.
Must Be Unique:
This is visible only when the Match Type selected is Equals.
- Select True if the source attribute value should be unique. This checks that no user in Identity has the same value for the source attribute selected.
- Select False if the source attribute value need not be unique.
Evaluate Empty Source Value
This value will be set to True by default. This should be unchecked if the condition needs to be evaluated only when source-attribute has value. When unchecked, an empty source-attribute makes this condition true.
External Match Condition
- Enable the External Match radio button for Operation to add an External match condition.
Condition Name
Enter the unique name of the user match condition.
Condition Description
Enter the description of the user match condition.
Source Attribute
- Attribute: Click Select button to select the source attribute whose value is to be matched with the value of same attribute in Identity (FUP). Only profile column mapped attributes are available for use.
- Literal: Enter a literal value and select a Target Attribute. Only profile column mapped attributes are available for use. The literal value entered will be matched with the selected Target Attribute value in Identity (FUP).
Format Source Data
- Remove Space: Select this checkbox to remove space from the source data before matching.
- Allow All Characters: Enable this radio button to allow all characters in the source data for matching.
- Allow these Characters: Enable this radio button and enter the characters that are to be allowed in the source data for matching.
Operation
Identity Match: Enable this to match the source data with an attribute in FISC_USER_PROFILE.
Match Type
Select a match type:
- Starts With
- Ends With
- Contains
- Equals
- Not Equals
- Null
- Not Null
Number of Characters to pick from Source attribute for Matching:
- All: All characters from the source attribute will be used to match with the target.
- Specific: Enter the number of characters that are to be picked from source attribute for matching.
- Pick From: Select an option, Left or Right to pick the specified number of characters from. Pick From options are enabled only when Specific radio button is selected.
Source Value's Case Sensitivity:
- As it is: The source value's case will be retained as it is and matched with the target.
- All Uppercase: The source value will be converted to upper case and then matched.
- All Lowercase: The source value will be converted to lower case and then matched.
- Insensitive: A case insensitive match is done between the source and target.
Must Be Unique:
This is visible only when the Match Type selected is Equals.
- Select True if the source attribute value should be unique. This checks that no user in Identity has the same value for the source attribute selected.
- Select False if the source attribute value need not be unique.
Evaluate Empty Source Value
This value will be set to True by default. This should be unchecked if the condition needs to be evaluated only when source-attribute has value. When unchecked, an empty source-attribute makes this condition true.
External Schema Name
Enter the schema of the target External System with which the source data is to be matched.
External Table/View Name
Enter the table / view name of the target External System with which the source data is to be matched.
External Table/View Column
Enter the table / view column name of the target External System with which the source data is to be matched.
Data Type
Select the datatype of the External Table/View Column:
- String
- Numeric
- Data
- After entering all the required information, click Add to save the User match condition. To edit an existing condition, click the hyperlink of the Name of the condition in the listing page and make appropriate changes. After making changes, click Update to save the changes.
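The condition options above (Format Source Data, character picking, case handling and Match Type) can be modelled as follows. This is an added example, not code from the product: the class and function names, the "BadgeId" attribute and the sample profiles are constructed, it assumes that "Allow these Characters" drops every character not listed and that Starts With / Ends With / Contains test the target value against the formatted source value, and it leaves out the Null and Not Null match types.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Condition:
    """Model of one match condition; the comments name the UI option each field stands for."""
    match_type: str = "Equals"           # Starts With / Ends With / Contains / Equals / Not Equals
    remove_space: bool = False           # Format Source Data: Remove Space
    allowed_chars: Optional[str] = None  # None models "Allow All Characters"
    pick_count: Optional[int] = None     # None models "All"
    pick_from: str = "Left"              # Left / Right, used only with a pick_count
    case: str = "As it is"               # As it is / All Uppercase / All Lowercase / Insensitive
    evaluate_empty: bool = True          # Evaluate Empty Source Value

def format_source(cond: Condition, value: str) -> str:
    """Apply the formatting, character-pick and case options to the source value."""
    if cond.remove_space:
        value = value.replace(" ", "")
    if cond.allowed_chars is not None:   # assumption: characters not listed are dropped
        value = "".join(ch for ch in value if ch in cond.allowed_chars)
    if cond.pick_count is not None:
        n = max(cond.pick_count, 0)
        value = value[:n] if cond.pick_from == "Left" else value[max(len(value) - n, 0):]
    if cond.case == "All Uppercase":     # only the source is converted, not the target
        value = value.upper()
    elif cond.case == "All Lowercase":
        value = value.lower()
    return value

def evaluate(cond: Condition, source: str, target: str) -> bool:
    """Return True when the target value satisfies the condition for this source value."""
    if not source and not cond.evaluate_empty:
        return True                      # per the page: an empty source makes the condition true
    src, tgt = format_source(cond, source or ""), target or ""
    if cond.case == "Insensitive":
        src, tgt = src.casefold(), tgt.casefold()
    ops = {
        "Starts With": tgt.startswith(src),
        "Ends With": tgt.endswith(src),
        "Contains": src in tgt,
        "Equals": tgt == src,
        "Not Equals": tgt != src,
    }
    return ops[cond.match_type]

def find_matches(cond, source, profiles, attribute):
    """Return the ids of the profiles whose attribute satisfies the condition."""
    return [p["id"] for p in profiles if evaluate(cond, source, p.get(attribute, ""))]

# Constructed sample profiles; "BadgeId" is a hypothetical attribute name.
PROFILES = [
    {"id": "u1", "Person-Firstname": "Joanna", "BadgeId": "E1001"},
    {"id": "u2", "Person-Firstname": "Joan", "BadgeId": "E1002"},
    {"id": "u3", "Person-Firstname": "JOHN", "BadgeId": "E1003"},
]
LOOSE = Condition(match_type="Starts With", pick_count=3, case="Insensitive")
STRICT = Condition(remove_space=True, allowed_chars="E0123456789")
UPPER = Condition(case="All Uppercase")

if __name__ == "__main__":
    print(find_matches(LOOSE, "Joanne", PROFILES, "Person-Firstname"))  # several candidates
    print(find_matches(STRICT, "E-10 02", PROFILES, "BadgeId"))         # a single candidate
    print(find_matches(UPPER, "joan", PROFILES, "Person-Firstname"))    # none: target is mixed case
```

A condition that picks only a few characters widens the candidate set, while All Uppercase and All Lowercase only match targets already stored in that case.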
Creating User Match Rules
- From the Admin UI ► Users tab, click User Match Rule. The user match rules already defined are listed. A new rule can be created by clicking the Add button, or an existing rule can be copied by clicking the Copy button after selecting the rule. The User Match Rule Details (Add New) page displays.
- Enter a Rule Name and Rule Description.
- Under Primary matching Logic, click Add Condition. The User match Conditions page displays. Check the boxes next to the conditions to add, and then click the Select button. One or more conditions can be selected together. Either Identity Match Conditions or External Match Conditions should be added to the Primary matching logic of a user match rule. Data Validation Conditions can be added along with both Identity and External match conditions.
- Select the appropriate logical relationship for primary matching logic. Select All Conditions, Any Condition or build an Advanced Expression. This logic will be used to extract matched users from either Identity or External System.
- Under Additional Data Fetch Logic, add Conditions if any additional data has to be fetched from an external system in addition to the data extracted using the primary matching logic. Only External Match Conditions and Data Validation Conditions should be added to Additional Data Fetch Logic. Select the appropriate logical relationship for Additional Data Fetch Logic.
- Under Match Refinement Logic, add Conditions if any further refinement logic is to be applied to the data extracted using Primary Matching Logic. Identity Match Conditions, External Match Conditions and Data Validation Conditions can be added to Match Refinement Logic. Select the appropriate logical relationship for Match Refinement Logic.
- Click Add to save the User match Rule. To edit an existing rule, click the hyperlink of the Name of the rule in the listing page and make appropriate changes. After making changes, click Update to save the changes.
Creating User Match Policies
- From the Admin UI ► Users tab, click User Match Policy. The user match policies already defined are listed. A new policy can be created by clicking the Add button, or an existing policy can be copied by clicking the Copy button after selecting the policy. The User Match Policy - Details (Add New) page displays.
- Enter a Policy Name and Policy Description.
- Under Execute User Match For, select the processes that need to execute the user matching. The options available are: Automated Provisioning of New User(Policy), Create New User and Self-Registration. When Create New User option is selected, the user match process will be executed when the user is added from Admin UI as well as Self-Service UI.
- Select an option for Match Execution Criteria.
- Always: The user match process is executed for all the users.
- Conditional: Select Conditional and click the Set button to build the user match execution criteria. The user match process is executed only for users who meet these criteria.
- Under Exact Match, click Add. The User match Rules page displays. Check the boxes next to the rules to add, and then click the Select button. One or more rules can be selected together. These rules are the criteria for a user to qualify as an exact match.
- Enter a Priority for each Exact Match rule selected. The rules are executed in order of priority, with the highest value executed first. If a match is found for any rule, the remaining rules specified in the policy are not executed. If the matching process leads to a single exact match, the user is matched automatically without administrator review. If multiple exact matches are obtained, the request is sent for administrator review.
- Skip user match on multiple exact matches: If this is checked, the User Match will be skipped if Multiple Exact Matches are found.
- Under Strong Match, click Add. The User match Rules page displays. Check the boxes next to the rules to add, and then click the Select button. One or more rules can be selected together. These rules are the criteria for a user to qualify as a strong match.
- Check the Required checkbox for the rules that a user must satisfy to qualify as a match. The Required rules are executed first, and if no match is found for them, the rest of the rules are not executed. If no Required rule is selected, all the strong match rules will be executed.
- Enter a value for Minimum Rules to Match. This value should be greater than or equal to the number of Required rules selected. If a user does not satisfy the minimum number of rules, the user will not be considered a match.
- Enter a value for Maximum Strong Matches to Display. This is the number of user matches that will be displayed for administrator to review.
- Under Review Match, click Add. The User match Rules page displays. Check the boxes next to the rules to add, and then click the Select button. One or more rules can be selected together. Only Data Validation rules should be selected for review match. These rules are executed when no exact or strong matches are found and the user matching these criteria is sent for Administrator review. A review match is not mandatory.
- Under External System - Attribute Mapping & Matched Data Selection, configure the mappings for all the external system columns that are used in the rules. All columns that need to be displayed to the Administrator for selecting a match or for overwriting the incoming data should be mapped.
- Select a Table/View from the dropdown list whose column is to be mapped. The dropdown list will list all the tables/views used in the rules of this policy.
- Enter the DB column name that is to be mapped.
- Select the Attribute that is to be mapped to the column.
- Enter a description for the mapping.
- When the column Use This Data is checked, the incoming data will be overwritten with the data from external system.
- Under Identity System - Matched Data selection, select the fields of the incoming data that should be used to modify the existing Identity profile, when a user is manually matched by an administrator.
- Select the checkbox “Identity data takes precedence when a user is matched with existing Identity User and a user in External System” if the Identity data is to be given precedence over the incoming data.
- Post Match Workflow - User Match policy detail screen is modified to configure a post match workflow which will be invoked after the user match process. Any workflow deployed as Lookup type can be selected as the post match workflow.
If the qualified user match policy has a post match workflow configured, then after the user match process, it will be invoked with the incoming data (the actual user data from the SOA/User creation screen) and the data of the matched profile. All incoming data will be prefixed with “Original_”. For example, Original_Person-Firstname passed to the post match workflow represents the Person-Firstname from the SOA/Create new user screen, and Person-Firstname represents the Person-Firstname of the matched profile. The user provisioning will wait for the post match workflow to complete. Once the workflow completes, the data from the workflow will be merged with the matched data, which will be used for downstream provisioning.
- Under Administrator Notification, enter the following:
- Email Addresses – Enter the email addresses of the administrators to whom the user match notifications are to be sent.
- Notification – Select the user match notification to be sent. (There is a default notification by the name, ‘User Match Notification’ which can be used.)
- Click Add to save the User match Policy. To edit an existing policy, click the hyperlink of the Name of the policy in the listing page and make appropriate changes. After making changes, click Update to save the changes.
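The routing described in the User Match Process Overview and in the Exact Match and Strong Match steps above can be sketched as one function. This is an added example, not the product's code: the rule functions, decision labels, profiles and every attribute name except Person-Firstname are constructed, and it assumes that strong rules run only when no exact rule finds a match and that strong candidates are ranked by the number of rules they satisfy. Review Match rules are left out.

```python
def eq(attr, fold=False):
    """Build a rule: incoming attribute equals profile attribute; empty values never match."""
    def rule(incoming, profile):
        a, b = incoming.get(attr, ""), profile.get(attr, "")
        if fold:
            a, b = a.casefold(), b.casefold()
        return a != "" and a == b
    return rule

def evaluate_policy(policy, incoming, profiles):
    """Return (decision, candidate ids) for one new-user request."""
    required = [r for r, req in policy["strong"] if req]
    optional = [r for r, req in policy["strong"] if not req]
    if policy["min_rules"] < len(required):
        raise ValueError("Minimum Rules to Match is below the number of Required rules")
    # Exact Match: highest priority value first; the first rule with a hit ends evaluation.
    for _, rule in sorted(policy["exact"], key=lambda pr: pr[0], reverse=True):
        hits = [p["id"] for p in profiles if rule(incoming, p)]
        if len(hits) == 1:
            return "AUTO_MATCH", hits            # linked without administrator review
        if hits and policy.get("skip_on_multiple_exact"):
            return "SKIP_USER_MATCH", []
        if hits:
            return "ADMIN_REVIEW", hits
    # Strong Match: every Required rule must hold, then count the remaining rules.
    score = {}
    for p in profiles:
        if all(r(incoming, p) for r in required):
            n = len(required) + sum(1 for r in optional if r(incoming, p))
            if n >= max(policy["min_rules"], 1):
                score[p["id"]] = n
    if score:                                    # strong matches always go to review
        ranked = sorted(score, key=score.get, reverse=True)
        return "ADMIN_REVIEW", ranked[:policy["max_display"]]
    return "PROVISION_NEW", []

# Constructed profiles; BadgeId, Email, Person-Lastname and BirthDate are hypothetical names.
PROFILES = [
    {"id": "u1", "Person-Firstname": "Ana", "Person-Lastname": "Silva",
     "BadgeId": "E1001", "Email": "ana.silva@example.test", "BirthDate": "1990-04-02"},
    {"id": "u2", "Person-Firstname": "Ana", "Person-Lastname": "Silva",
     "BadgeId": "E1002", "Email": "a.silva@example.test", "BirthDate": "1985-11-30"},
    {"id": "u3", "Person-Firstname": "Rui", "Person-Lastname": "Silva",
     "BadgeId": "E1003", "Email": "shared@example.test", "BirthDate": "1990-04-02"},
    {"id": "u4", "Person-Firstname": "Eva", "Person-Lastname": "Costa",
     "BadgeId": "E1004", "Email": "shared@example.test", "BirthDate": "1979-01-15"},
]
POLICY = {
    "exact": [(10, eq("BadgeId")), (5, eq("Email", fold=True))],   # (priority, rule)
    "skip_on_multiple_exact": False,
    "strong": [(eq("Person-Lastname", fold=True), True),           # (rule, Required)
               (eq("Person-Firstname", fold=True), False),
               (eq("BirthDate"), False)],
    "min_rules": 2,
    "max_display": 2,
}

if __name__ == "__main__":
    print(evaluate_policy(POLICY, {"BadgeId": "E1002"}, PROFILES))
    print(evaluate_policy(POLICY, {"Email": "Shared@example.test"}, PROFILES))
```

Because a single exact hit is linked without review, exact rules are best built on attributes that are unique and authoritative in the source system; a shared value such as the constructed e-mail address above falls through to administrator review.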
User Match Attributes:
Configure the attributes, and their ordering, that are displayed in the UI when viewing the matching and matched user details of a user match request from the Self-Service User Match events. The Move Up and Move Down buttons can be used to reorder the attributes.
User Match Configuration Properties
The configuration properties that need to be set up for usermatch are located under Admin UI ► Configuration ► Configuration. From the Modify Configuration for: dropdown, select Provisioning Server. The attributes dealing with usermatch are ‘User Match External System’, ‘User Match External System Key’ and ‘User Match Identity Key’.
The value of the ‘User Match External System’ property specifies the External System to be used for User Match Operations.
The value of ‘User Match External System Key’ property specifies the column which is used as the unique key across the User Match External System profile records and as the join condition to fetch profile data from multiple tables/views. This key is also used to link with 'User Match Identity Key' to fetch corresponding Identity profiles for an external profile and vice versa.
The value of the ‘User Match Identity Key’ property specifies the FUP column which is used as the unique key across the Identity System profile records. This key is also used to link with 'User Match External System Key' to fetch corresponding external profiles for an identity profile and vice versa.
Managing UserMatch Requests
Usermatch requests can be viewed and actions can be taken or monitored using various applications. These options are available to manage usermatch requests:
- Administrators can view the progress of requests from the Admin UI
- UserMatch Administrators can manage requests from the Web-based Self-Service UI.
Processing a UserMatch Request
- Open the Self-Service UI
- The Self-Service - Login page displays:
- Log in with your User ID and Password. For a usermatch administrator, the Admin tab will be displayed.
- Click on the Admin tab and then select User Match tab. All the Pending requests would be listed.
- To view the details of an individual request, click the hyperlink next to the request. The details of the request are displayed.
- The input user details, the Identity Matches and the External System Matches will be displayed in the detail panel.
- To respond to a request individually, select the match and then Click Submit.
- For creating a new user without selecting a match, click on Create New User in Identity button.
Processing a Review Match Request
- A review match request is the match request sent to the user match administrator for review when no external or Identity matches are obtained after the usermatch process.
- From the usermatch request page in Self-service UI for usermatch admin, Click on the hyperlink near a review match. The review match details will be displayed.
- The actions that can be taken for a review match are Create and Cancel.
- For creating a new user, select the Create review match action and Click Submit.
- If the review match request is to be cancelled, select the Cancel action and Click Submit.
User Match User Details
- The details of Matching User, Identity Match, External Match and Review Match can be viewed by clicking the wrench symbol beside each profile entry.
- Clicking the wrench symbol displays the profile details in a pop-up box.