4 Oracle Identity Analytics Data Correlation

This chapter contains the following sections:

4.1 Overview

4.2 Understanding Data Correlation

To construct the Identity Warehouse, global users are imported into Oracle Identity Analytics. This causes the entitlements in the various resources and target systems to be imported as well. A commonly used method to import this data is to run the automated Oracle Identity Analytics import process using flat or .csv files.

The process of associating global users to their respective entitlements is called data correlation. In Oracle Identity Analytics, multiple correlation rules can be defined to accurately associate global users to their entitlements. This chapter describes these rules and provides examples that show how to correlate global users to their entitlements using a combination of correlation rules and expressions.

Additionally, Oracle Identity Analytics provides powerful manual correlation capabilities. Manual correlation enables you to manually correlate orphan accounts (accounts that do not have any associated users) as well as change the association of existing correlated accounts.

4.3 Writing Correlation Rules

Correlation rules are defined in the schema (.rbx) files under the Oracle Identity Analytics schema folder.

A correlation rule checks if the global user field matches an account field. The left side of the rule (before the = sign) is associated with the global user, and the right side of the rule is associated with the account. For example, $globalUser.userName=$account.userName.

When creating data correlation rules, remember the following:

  • Only one attribute can be set at a time for global users (on the left side of the rule), but any number of expressions can be configured on the right side of the rule for accounts.

  • Correlation rules, once defined, are evaluated in the same order as they are found in the schema file.

  • No patterns can be applied to the global user attribute. For example, $globalUser.userName(-10) is not allowed.

  • The default correlation rule to associate users to their entitlements on the basis of their user IDs is $globalUser.userName=$account.userName.

  • The global user attribute and the global user table column should bear the same name for the data correlation feature to function correctly. For example, userName is the attribute that appears in the Oracle Identity Analytics table for global users and should be named accordingly.

    See Chapter 2, "Global-User Schema File Reference" for details.

  • When one global user accurately meets a certain rule designed for it, the correlation is established between the user and entitlements and no further expressions are evaluated for that account.

  • If more than one global user meets a correlation rule for a given account, the next correlation rule is evaluated. Subsequently, both results are intersected, and, if as a result of this intersection only one global user meets both rules, that global user is correlated to the account.

For example, suppose the following rules are configured:

# @IdentityCorrelationRule rule="$globalUser.FirstName=$account.FirstName"

# @IdentityCorrelationRule rule="$globalUser.LastName=$account.LastName"

An account has the following attributes: FirstName="John", LastName="Cook". When evaluating the first rule, Oracle Identity Analytics might find many global users with "John" as FirstName, but when it evaluates the second rule and the intersection is made, only one global user meets both rules.
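The evaluation order and intersection behaviour described above can be traced with a short simulation. This is an added example, not Oracle Identity Analytics code: the parser handles only the simple attribute-equals-attribute rule form, the users are constructed, and the handling of rules that match nobody or that stay ambiguous after the last rule is an assumption (such accounts are returned as orphans).

```python
import re

# Matches the simple "attribute equals attribute" rule form shown above.
RULE = re.compile(r'@IdentityCorrelationRule\s+rule="\$globalUser\.(\w+)=\$account\.(\w+)"')

# Constructed sample data, not taken from any real system.
SCHEMA = '''
# @IdentityCorrelationRule rule="$globalUser.FirstName=$account.FirstName"
# @IdentityCorrelationRule rule="$globalUser.LastName=$account.LastName"
'''
USERS = [
    {"userName": "jcook", "FirstName": "John", "LastName": "Cook"},
    {"userName": "jsmith", "FirstName": "John", "LastName": "Smith"},
    {"userName": "mcook", "FirstName": "Mary", "LastName": "Cook"},
]

def parse_rules(schema_text):
    """Return (global_user_attr, account_attr) pairs in file order."""
    return RULE.findall(schema_text)

def correlate(account, users, rules):
    """Return the userName that owns the account, or None for an orphan."""
    candidates = None
    for g_attr, a_attr in rules:
        wanted = account.get(a_attr)
        if wanted is None:          # never match on a missing attribute
            continue
        hits = {u["userName"] for u in users if u.get(g_attr) == wanted}
        if candidates is not None:
            hits &= candidates      # intersect with the earlier ambiguous result
        if len(hits) == 1:
            return hits.pop()       # unique match: stop evaluating rules
        if hits:
            candidates = hits       # still ambiguous: narrow with the next rule
    return None                     # assumption: unresolved accounts stay orphans

def orphans(accounts, users, rules):
    """Names of accounts that no rule could tie to exactly one user."""
    return [a["name"] for a in accounts if correlate(a, users, rules) is None]
```

With the constructed data, an account with FirstName="Mary" correlates to mcook on the first rule alone, whatever its LastName, which is why the most specific rule belongs first in the schema file.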

4.3.1 Example

Following is an example of a schema file with multiple correlation rules:

#
# @iam:namespace name="Summarization" shortName="SUM"
#
# @IdentityCorrelationRule rule="$globalUser.userName=$account.userName"
# @IdentityCorrelationRule rule="$globalUser.FirstName=$account.FirstName"
# @IdentityCorrelationRule rule="$globalUser.LastName=$account.LastName"
# @IdentityCorrelationRule rule="$globalUser.MiddleName=$account.FirstName(-1.1)$account.LastName"
# @IdentityCorrelationRule rule="$globalUser.userName=[defaultuser]"
userName,endPoint,domain,comments,suspended,locked,name,FunctionCode,FirstName,MiddleName,LastName

Note:

The correlation method used in previous versions of Oracle Identity Analytics using the <correlationkey> tag also works with Oracle Identity Analytics, so you do not need to change the old schema files.

4.4 Pattern Matching Scenarios

Various pattern matching scenarios can be created in order to match the users to their entitlements.

This feature is explained using an example. Assume a user has the following attributes:

FirstName="John"

LastName="Cook"

The following pattern-matching scenarios can be created:

| Rule | Result | Description |
| --- | --- | --- |
| $account.FirstName$account.LastName | "JohnCook" | Consolidates FirstName and LastName without any space or special characters in between. |
| $account.FirstName(-10) | "John      " | Sets the text space to 10 and leaves space after the FirstName. |
| $account.FirstName(+10) | "      John" | Sets the text space to 10 and leaves space before the FirstName. |
| $account.FirstName(/_/+10) | "______John" | Sets the text space to 10 and prints underscores before the FirstName. |
| $account.FirstName(/_/-10) | "John______" | Sets the text space to 10 and prints underscores after the FirstName. |
| $account.FirstName(3) | "John" | Sets the minimum number of characters to 3. |
| $account.FirstName(+5) | " John" | Sets the text space to 5 and prints blank space before the FirstName. |
| $account.FirstName(+2.3) | "ohn" | Deletes all characters after the third one from the right side of the FirstName. |
| $account.FirstName(-2.3) | "Joh" | Deletes all characters after the third one from the left side of the FirstName. |
| $account.FirstName(-1.1) | "J" | Deletes all characters after the first one from the left side of the FirstName. |
| $account.FirstName(-1.1)$account.LastName | "JCook" | Deletes all characters after the first one from the left side of the FirstName and inserts LastName. |
| $account.FirstName(-1.1)_$account.LastName | "J_Cook" | Deletes all characters after the first one from the left side of the FirstName and inserts an underscore and LastName. |


Note:

  • The - sign signifies that the text is left justified.

  • The + sign signifies that the text is right justified.

  • The first number inside the parentheses indicates the minimum number of characters.

  • The number after the period is used to truncate the string starting from that position.
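The pattern syntax in the table can be checked mechanically before a rule goes into a schema file. The evaluator below is an added example, not Oracle Identity Analytics code; it is inferred from the table rows and the note above, and treating an unsigned number such as (3) as right justified is an assumption.

```python
import re

# $account.Field, optionally followed by ( /pad/ sign min .max )
TOKEN = re.compile(r"\$account\.(\w+)(?:\((?:/(.)/)?([+-]?)(\d+)(?:\.(\d+))?\))?")

def render(expr, account):
    """Expand the account side of a correlation rule into the string to compare."""
    def expand(m):
        field, pad, sign, width, keep = m.groups()
        value = account[field]
        if width is None:                 # bare $account.Field
            return value
        left = sign == "-"                # assumption: no sign behaves like "+"
        if keep is not None:              # ".N": keep N characters from that side
            n = int(keep)
            value = value[:n] if left else value[max(len(value) - n, 0):]
        fill = pad or " "
        return value.ljust(int(width), fill) if left else value.rjust(int(width), fill)
    return TOKEN.sub(expand, expr)

ACCOUNT = {"FirstName": "John", "LastName": "Cook"}   # the sample user from this section

# Expected results from the pattern table, with padding written out to the stated width.
TABLE = [
    ("$account.FirstName$account.LastName", "JohnCook"),
    ("$account.FirstName(-10)", "John      "),
    ("$account.FirstName(+10)", "      John"),
    ("$account.FirstName(/_/+10)", "______John"),
    ("$account.FirstName(/_/-10)", "John______"),
    ("$account.FirstName(3)", "John"),
    ("$account.FirstName(+5)", " John"),
    ("$account.FirstName(+2.3)", "ohn"),
    ("$account.FirstName(-2.3)", "Joh"),
    ("$account.FirstName(-1.1)", "J"),
    ("$account.FirstName(-1.1)$account.LastName", "JCook"),
    ("$account.FirstName(-1.1)_$account.LastName", "J_Cook"),
]

def mismatches(account=ACCOUNT):
    """Rows whose rendered value differs from the documented result."""
    return [(e, render(e, account)) for e, want in TABLE if render(e, account) != want]
```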

4.5 Manual Correlation

Manual correlation is the ability to correlate accounts to users by hand. This capability is helpful when the existing correlation rules leave accounts that are not automatically associated with any user. Such accounts are called "orphan accounts." Oracle Identity Analytics provides the ability to manually correlate such accounts to specific users. Manual correlation is also useful when the ownership of an account needs to be changed.

4.5.1 To Correlate an Orphan Account to a User

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Click the Orphan Accounts tab.

    The panel on the left displays all the resource types that can be expanded to show resources. Expand the list further to view the available orphan accounts.

  4. Select a resource type or resource to view all the available orphan accounts.

  5. Select account(s) by selecting the corresponding check box, and then click the Assign to User button.

  6. Search and select a user from the window that opens.

  7. Select the desired user from the search result and click Ok.

4.5.2 To Change Ownership of an Account

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Users.

  3. Click the Accounts tab.

  4. Select the account(s) whose ownership is to be changed by selecting the corresponding check box.

  5. Click the Change Owner tab.

  6. Search and select the user to be assigned the account(s).

  7. Click Ok.