Translating Data During SailPoint Aggregations

Anyone familiar with identity management is well aware that not all data is created equal. Many times we get data that isn’t exactly in the state we’d like it to be. One instance I’ve seen many times when working with data for SailPoint IIQ is to get data in what can be described as a horizontal format rather than a vertical format for a CSV file. A data file that would be very easy to aggregate within SailPoint IIQ may look like the following:


This data is fairly basic, there’s a username attribute, a profile attribute, and a business unit attribute that is multivalued. This data would be able to modeled in SailPoint using a basic delimited flat-file application by merging the data on USERNAME and marking BUSINESSUNIT as multi-valued. This is to me the easiest format when working with SailPoint IIQ. However, the same data could be expressed in the following format:


In this format, the attribute names and values exist on the same line. The attribute requires both entires in the line. To model this data in SaillPoint IIQ, we will transform the data from the horizontal structure of the second file to the vertical structure of the first. To make this even easier, we can do the transformation in a single line of code. To enable the transformation, we first need to modify the application’s schema. Rather than naming the ATTRIBUTE and VALUE, we create the schema to include the attributes USERNAME, PROFILE, and BUSINESS UNIT. Like the first set of data, we merge the data on USERNAME and mark BUSINESS UNIT as multi-valued. We then create a buildmap rule with the following line of code:


Using the example, the line of code will place Administrator as a value of the attribute PROFILE. Transforming the data makes it more readable and makes certification decisions easier. The only downside I’ve come across with this transformation is during provisioning. If you’re using the PIM to automatically provision accounts, then the data will have to be translated back before the provision event to match the initial input stream.


Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.

  1. So in this first scenario – the basic flat file. How do you configure the delimiter account/group settings and the schema.

    I am new to Sailpoint – we are replacing our current Aveksa system and right now we are just have a DEV environment up for Sailpoint. no matter how I configure it – I can only get ONE entitlement collected per user. In other words the user1 in your example – my system only collects the Administrator 1 – but not the Administrator 2

    I played around with the merging but maybe I have something wrong – any advice is helpful. We have training scheduled but it’s almost a month out.

Leave a Reply

Your email address will not be published. Required fields are marked *