How SailPoint ISC Transforms Application Data into Reliable Identities

KranthiKranthi
3 min read

When working in IAM, it's easy to focus on high-level goals like provisioning or certification — but none of that works until you have good identity data in place.

After connecting my Google Cloud-hosted MySQL database to SailPoint Identity Security Cloud (ISC) using the Virtual Appliance, I wanted to understand:
What really happens after aggregation?
How does an account from an external application turn into a governed identity inside SailPoint?

So I decided to walk through that entire flow — and share it here.


Where It Starts: The Source

Every identity starts in a source system — for me, that was a MySQL database acting as an authoritative store. This source held user data like names, email addresses, departments — all the pieces needed to form a user record.

I connected this DB to ISC using the JDBC connector via the Virtual Appliance.

Once the connection was tested, it was time to aggregate accounts.

Aggregation: Pulling in Raw Accounts

Account aggregation is ISC's way of saying:
"Let me go fetch account data from this source and see what I can do with it."

Behind the scenes, the VA runs the SQL query I provided:

Each row becomes an account object — not yet an identity, but a potential building block for one.

Correlation: Turning Accounts into Identities

This is where things get interesting.

Once ISC has accounts, it needs to figure out whether:

  • It should create a new identity

  • Or link to an existing one

That logic is driven by the Identity Profile, which defines:

  • The correlation rule (e.g., match on email or employee ID)

  • Which attributes from the account map to identity fields

  • Which source takes priority if multiple sources send the same user

In my case, I used email as the correlation key. If an email matched, ISC linked the account to an existing identity. If not, it created a new one.

Transforms: Cleaning Up the Data

Before account data becomes part of the identity, it runs through transforms.

This is where I standardized things:

  • Concatenated first and last name into a lowercase username

  • Lowercased email addresses

  • Mapped department codes to full department names

It might seem minor, but clean, consistent data is what makes access policies and provisioning logic actually work.

Identity Created: Inside the Identity Cube

Once everything is mapped and transformed, ISC creates an Identity Object in the Identity Cube.

Each identity includes:

  • Mapped attributes (name, email, title, dept)

  • Linked accounts from the source

  • Entitlements (if pulled)

  • Lifecycle state (like Joiner, Active, Terminated)

At this point, that identity can be governed — you can apply policies, start certifications, assign access, and more.

Why This Flow Is So Important

You can’t govern what you haven’t defined.
You can’t certify what you haven’t correlated.
And you definitely can’t automate provisioning on bad data.

Most IAM challenges don’t come from bad provisioning logic — they come from incomplete, inconsistent, or unlinked identity data.

That’s why understanding how aggregation, correlation, and transforms work together is so important. It’s not just “syncing data.” It’s creating the foundation of trust your entire IAM system runs on.

0
Subscribe to my newsletter

Read articles from Kranthi directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Kranthi
Kranthi

👋 Hi, I’m Kranthi Kumar Puttapaka, a Certified SailPoint IAM Engineer with over 5 years of experience in building secure and scalable identity solutions. I help organizations streamline their Identity & Access Management (IAM) processes and strengthen their security posture. I specialize in designing and implementing enterprise-grade IAM systems using technologies like SailPoint IdentityIQ, Identity Security Cloud (ISC), Okta, Azure AD (Entra ID), and CyberArk. My focus areas include identity governance, access lifecycle automation, role-based access control, and Zero Trust security architectures. Over the years, I’ve led multiple SailPoint IIQ to ISC migration projects with zero downtime, developed custom connectors for seamless integrations, and implemented compliance frameworks like SOX, GDPR, HIPAA, and NIST. I also have hands-on experience with cloud platforms such as AWS and Azure, enabling organizations to adopt cloud-native identity governance. On the technical side, I work with Java, JavaScript, Python, and BeanShell for customization and automation. My toolkit includes Spring Boot, Spring Security, Docker, Terraform, and databases like MySQL, Oracle, MongoDB, and LDAP. Here on Hashnode, I write about IAM architecture patterns, SailPoint implementation deep dives, cloud identity strategies, Zero Trust security models, and real-world challenges I’ve solved in Identity Governance. Always excited to connect with fellow IAM professionals and share knowledge about building secure, scalable identity solutions. Let’s make the digital world more secure, one identity at a time!