Configuration Guide › Connecting to Endpoint Systems › Correlate Imported Accounts to Users

Correlate Imported Accounts to Users

CA GovernanceMinder imports accounts from endpoints. You define how CA GovernanceMinder matches these accounts to users in the universe.

Note: When you import endpoint data using CA IdentityMinder, accounts are already mapped to users. Define account mapping logic for connectors that use the CA IAMS Connector Server or connectors that import data files.

To create correlation logic, use the Correlation tab of the Universe screen. Typically you define, test, and refine the settings of this tab in several iterations to achieve the mapping behavior that you want. Define the following settings:

Correlation Rules

Correlation rules compare fields in imported accounts to known user attributes so that CA GovernanceMinder can associate accounts with existing users. A score assigned to each rule indicates how strongly the rule predicts a real user-account link. You can apply string manipulations to attribute values, so that rules match sub-strings such as the first or last name of a personID. One correlation rule can test several conditions.

You can define rules that match account fields to any user attribute. Rules that match the personID user attribute have the highest scores, indicating the most confidence in the user-account link. Rules that match other user attributes have lower scores - they do not identify a unique user, but can confirm a match.

Note: Analyze the account data to identify the string patterns used on each endpoint. For example, email accounts can use variations on the personID value, as in the following examples for user Ellen Hayek:

Ellen.Hayek@companyserver.com

EHay023@companyserver.com

Synonyms

Synonyms let one correlation rule test common string variants that may represent the same value. The synonym file defines sets of synonyms. When a string expression in a rule equals a term in the synonym file, CA GovernanceMinder tests the rule using each synonym of the term. For example, if the synonym file lists Nathaniel, Nathan, Nate, Nat as synonyms, CA GovernanceMinder tests correlation rules for a user named Nathan using each of the alternate terms.

Correlation Thresholds

Correlation thresholds determine how CA GovernanceMinder evaluates user-account pairs that match correlation rules. For each user, CA GovernanceMinder aggregates the scores of all matched rules. CA GovernanceMinder decides to accept or reject the user-account mapping by comparing the aggregate score to the thresholds.

CA GovernanceMinder applies thresholds as follows:

• If all matching users score less than the Low Threshold, no user is mapped to the account.
• CA GovernanceMinder maps the account to the first user whose aggregate score exceeds the High Threshold.
• When only one user scores between the Unique and High Thresholds, CA GovernanceMinder maps the account to this user.
• When one or more users score between the Low and High Thresholds, CA GovernanceMinder submits all matching users for review by a manager.

Aggregation Type

Defines the way rule scores are aggregated when more than one rule matches the same user-account pair. For example, you have the following two rules:

Rule A - Score 60

Rule B – Score 30

And they both match User1 to Account1. The final score of this pair is as follows, depending on which aggregation type you select:

• Sum: 90 (if the sum is more than 100, it is limited to 100)
• Max: 60
• Average: 45
• Combined Probability: Measures the probability of a user-account pair that matches a particular rule to be the correct match. If two rules point to the same match, CA GovernanceMinder uses the combined probability to calculate the new score. The example has a match of 60 and a match of 30. If we improve the 60 score by 30 percent we reach 72.