Step 4: Identify and Clean Up Unreconciled Users
  • 12 May 2023
  • 3 Minutes to read
  • Contributors
  • Dark
  • PDF

Step 4: Identify and Clean Up Unreconciled Users

  • Dark
  • PDF

Article Summary

Now that you've got Downstream Applications configured, attributes prioritized, and roles built. It is time to identify and clean up any orphaned accounts.

In this step, you will perform the following steps:

  1. Explore the Alerts section
  2. Process Identity Resolution alerts
  3. Check out advanced topics!


Lots of different actions and scenarios in Clarity can trigger an alert, (see the Alerts section for more details) but the one we are concerned about right now falls under the category "Identity Resolution".

Important Note

Clarity does not match inactive Service Users from Downstream Applications that are flagged as a Source of Truth to create identities. Only active service users from a Source of Truth application will generate new identities.

Identity Resolution Alerts

The primary cause of an Identity Resolution alert is something we refer to as an orphaned account. To define an orphaned account simply, this is an active Service User from an application with active permissions which is not tied to an active Identity in Clarity (see the note in the section above about the creation of identities).

An example of this would be an employee who is found to be inactive (such as being set to terminate in the HR platform), but an active account and entitlements were found in another Downstream Application. As a result, Clarity will throw an alert for this active account with live access in an application (for which no valid employee, contractor, or service account identity could be found).

In the example below, the user Sam McClarity was found in Generic App with a user identifier of "31337". Clarity attempted to match this user using the email but was unable to find an Identity in the Clarity tenant to match with.
Orphaned Account Alert

This alert type does not always mean there is an orphaned account in your Downstream application, but could simply mean the account (Service User) from the application was unable to be matched to an active identity because an attribute (especially email) was missing or did not match. This type of alert can be manually resolved to an existing identity in Clarity using the user list dropdown and the "Grant to Identity" button. This will create a permanent relationship between this Service User and the Identity you select.

Process your Identity Resolution Alerts

Each iteration of your Identity Resolution Alerts has the following options below to process the Service User. You can also use the Search field in the top right, to perform a simple string match on all of your alerts.

Grant to Identity

This option lets you take the Service User for which the Alert was generated, and manually assign it to an Identity in Clarity. This creates a relationship between this Service User's account (by service user identifier) and the Identity object in Clarity. This is a great option for Service Users that don't have an attribute that Clarity can use to match an existing Identity (such as a missing email, or a username that doesn't follow your standard formatting).

Create New Identity

If an Identity for the Service User (the one that created the alert) does not yet exist, this button lets you create one based on this account. An example of this would be for service accounts (non-human accounts with permissions) found in a non-Source of Truth application.


This option will run the Deactivate process for the Service User in the application.

ID Resolution Alert (no email)

Up Next: Check out Advanced Topics!

You have completed the Clarity Getting Started Guide! Congrats!
Of course, that's not all Clarity can do, but you've got the basics configured to move on to the features of Clarity that depend on data from Downstream Applications in Clarity to function.

Need help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.