

Create Correlation Rules

A Hosting Administrator or an administrator with the Configure Correlation Attributes task can create rules that are used when you explore an endpoint. The Execute Explore and Correlate task uses these rules for the correlation part of the task.

Correlation rules determine how an endpoint account attribute is mapped to a user attribute in the User Console. For example, Access Control has an attribute called AccountName, and you can create a rule that maps it to FullName in the User Console. If the rules cause two mappings to apply to one user attribute, the first parameter value is used.

Follow these steps:
  1. Log in to the User Console.
  2. Click System, Provisioning Configuration, Configure Correlation Attributes.
  3. Click Add.
  4. Define a correlation rule as follows:
    1. Select a global user attribute list.

      This value refers to the user attribute listed in the Provisioning Directory.

    2. Enable the Set a specific account attribute check box.
    3. Select an endpoint type.
    4. Select an account attribute that applies to the global user attribute.
    5. Optionally, complete the Substring fields.

      If the Substring from field is empty, processing begins at the start of the string. If the Substring to field is empty, processing begins at the end of the string.

  5. Click OK.
  6. Click Submit.

Note: Whenever you change a correlation rule, be sure to explore the endpoint even if you previously explored it.

Example of Correlation Rules

The following example provides sample settings for an Active Directory endpoint.

GlobalUserName
FullName=LDAP Namespace:globalFullName
FullName=ActiveDirectory:DisplayName
CustomField01=ActiveDirectory:Telephone

The following actions occur for each previously uncorrelated account that is found while correlating accounts in an Active Directory container:

  1. The Provisioning Server compares the first parameter value (GlobalUserName) with the Active Directory endpoint account attribute (NT_AccountID). The server attempts to find the unique global user whose name matches the NT_AccountID attribute value for that account. If a unique match is found, the Provisioning Server associates the account with the global user. If more than one match is found, the Provisioning Server performs Step 5. If no match is found, the Provisioning Server performs the next step.
  2. The Provisioning Server considers the second parameter value (FullName=LDAP Namespace:globalFullName). Since this value is specific to another endpoint type, it is skipped and the Provisioning Server performs the next step.
  3. The Provisioning Server considers the third parameter value (FullName=ActiveDirectory:DisplayName). Since this value is specific to Active Directory, it is used. The server attempts to find the unique global user whose FullName matches the DisplayName attribute value for that account. If a unique match is found, the Provisioning Server associates the account with the global user. If more than one match is found, the Provisioning Server performs Step 5. If no match is found, the Provisioning Server performs Step 4.
  4. The Provisioning Server considers the final parameter value (CustomField01=ActiveDirectory:Telephone). Because this value is specific to Active Directory, it is used. The server attempts to find the unique global user whose Custom Field #01 attribute is equal to the Telephone attribute value for that account. The name that you gave to the custom global user attribute using global properties of the System Task is not displayed here. If a unique match is found, the Provisioning Server associates the account with the global user. If more than one match is found, the Provisioning Server performs Step 5. If no match is found, the Provisioning Server performs the next step.
  5. The Provisioning Server associates the account with the [default user] object. If the [default user] object does not exist, the server creates it.
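
The evaluation order in Steps 1 through 5, sketched as an added Python example (not product code and not part of the original documentation). The names `parse_rule`, `correlate` and `ACCOUNT_NAME_ATTR`, the sample users, and exact case-sensitive matching are assumptions made for illustration.

```python
# Added illustration of the evaluation order; not the Provisioning Server's code.
DEFAULT_USER = "[default user]"
# Assumption: a bare rule compares against the endpoint type's account-name
# attribute (the page names NT_AccountID for Active Directory).
ACCOUNT_NAME_ATTR = {"ActiveDirectory": "NT_AccountID"}
RULES = [  # the sample settings from the page, in order
    "GlobalUserName",
    "FullName=LDAP Namespace:globalFullName",
    "FullName=ActiveDirectory:DisplayName",
    "CustomField01=ActiveDirectory:Telephone",
]
GLOBAL_USERS = [  # constructed sample data
    {"GlobalUserName": "mlee", "FullName": "Mary Lee", "CustomField01": "555-0102"},
    {"GlobalUserName": "jsmith", "FullName": "John Smith", "CustomField01": "555-0100"},
    {"GlobalUserName": "jsmith2", "FullName": "John Smith", "CustomField01": "555-0101"},
]

def parse_rule(rule):
    """Split 'UserAttr=EndpointType:AccountAttr'; a bare rule has no '='."""
    user_attr, sep, target = rule.strip().partition("=")
    if not sep:
        return user_attr, None, None
    endpoint_type, _, account_attr = target.partition(":")
    return user_attr, endpoint_type, account_attr

def correlate(account, endpoint_type, users=GLOBAL_USERS, rules=RULES):
    """Return (global user name, deciding rule) for one uncorrelated account."""
    for rule in rules:
        user_attr, rule_type, account_attr = parse_rule(rule)
        if rule_type is None:
            account_attr = ACCOUNT_NAME_ATTR[endpoint_type]
        elif rule_type != endpoint_type:
            continue  # rule is specific to another endpoint type: skipped
        value = account.get(account_attr)
        # Assumption: exact, case-sensitive comparison; empty value = no match.
        matches = [u for u in users if value and u.get(user_attr) == value]
        if len(matches) == 1:
            return matches[0]["GlobalUserName"], rule
        if len(matches) > 1:
            return DEFAULT_USER, rule  # ambiguous: Step 5, later rules not tried
    return DEFAULT_USER, None  # every applicable rule found no match: Step 5

if __name__ == "__main__":
    # Telephone would match jsmith uniquely, but DisplayName is ambiguous first.
    acct = {"NT_AccountID": "svc01", "DisplayName": "John Smith", "Telephone": "555-0100"}
    print(correlate(acct, "ActiveDirectory"))
```

Accounts that end on [default user] because of an ambiguous match are the ones to review after an explore, since no later rule was consulted for them.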