🧠 Fixing accountExistsByNativeIdentity() in SailPoint Identity Security Cloud
When writing Cloud Executed Rules in SailPoint Identity Security Cloud (ISC), one common requirement is to check if an Identity already has an account on a specific source before performing an operation — for example, during provisioning, correlation, or entitlement logic.
At first glance, this seems simple:
```java
idn.accountExistsByNativeIdentity(appName, nativeIdentity)
```
But in many implementations it always returns false, even though the account clearly exists in the source catalog. That false negative is not harmless: provisioning logic that believes no account exists may create a duplicate, and correlation or entitlement logic may act on the wrong state.
Let's look at why this happens and how to fix it properly.
🚨 The Common Problem
Most developers try something like this:
```java
if (idn.accountExistsByNativeIdentity(appName, userId)) {
    // logic here
}
```
They pass:
- `appName` as `"SourceName [source]"` or simply `"SourceName"`
- `userId` as some identity attribute (like `"email"` or `"userId"`)
Still, it doesn't work: the rule fails to find the account.
🧩 Why It Fails
Here are the top three reasons why `accountExistsByNativeIdentity()` returns false:
- Wrong native identity. The `nativeIdentity` must be the exact account identifier from the Link object, not an identity attribute. Example: for Active Directory, the native identity might be a DN or GUID, not `sAMAccountName`.
- Incorrect source name. The `appName` should match the canonical source name exactly as it appears in ISC. Do not append or trim the `[source]` suffix unless that is literally part of the name.
- Account not aggregated or correlated. The method only finds accounts that exist in the SailPoint catalog and are linked to an identity.
✅ The Correct Approach
You should dynamically pull both appName and nativeIdentity from the identity’s links instead of hardcoding them.
Here’s the correct code snippet:
```java
// appName (the canonical source name), reportee (the Identity being evaluated),
// idn and log all come from the rule context.
for (Link link : reportee.getLinks()) {
    // Null-safe comparison: equals() is case-sensitive, so appName must match exactly
    if (link != null && appName.equals(link.getApplicationName())) {
        // Take the native identity from the Link itself, never from an identity attribute
        String nativeId = link.getNativeIdentity();
        if (idn.accountExistsByNativeIdentity(appName, nativeId)) {
            log.debug("Account exists for " + nativeId + " on " + appName);
        }
    }
}
```
This ensures you’re using the exact values that SailPoint expects internally.
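To make the three failure modes reproducible without an ISC tenant, here is an added, stand-alone example (not SailPoint code and not from the original post). `Link`, `Identity` and `FakeIdn` are assumed stand-ins for `sailpoint.object.Link`, `sailpoint.object.Identity` and the `idn` rule context; the fake models only the behaviour described above, an account catalog keyed by the exact (source name, native identity) pair. The Active Directory source, the DN and the identity `jane.doe` are constructed sample data.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/*
 * Added example, not SailPoint code. Link, Identity and FakeIdn are stand-ins
 * (assumptions) for the real objects; the catalog lookup is modelled as an
 * exact match on (source name, native identity), which is the behaviour the
 * post describes. Sample identity and account data are constructed.
 */
public class NativeIdentityCheckDemo {

    /** Stand-in for sailpoint.object.Link: one account on one source. */
    static final class Link {
        private final String applicationName;
        private final String nativeIdentity;
        Link(String applicationName, String nativeIdentity) {
            this.applicationName = applicationName;
            this.nativeIdentity = nativeIdentity;
        }
        String getApplicationName() { return applicationName; }
        String getNativeIdentity() { return nativeIdentity; }
    }

    /** Stand-in for sailpoint.object.Identity: name, attributes and links. */
    static final class Identity {
        private final String name;
        final Map<String, String> attributes = new HashMap<>();
        final List<Link> links = new ArrayList<>();
        Identity(String name) { this.name = name; }
        String getName() { return name; }
        List<Link> getLinks() { return links; }
        String getAttribute(String attr) { return attributes.get(attr); }
    }

    /** Stand-in for the idn rule context: a catalog of aggregated, correlated accounts. */
    static final class FakeIdn {
        // source name -> (native identity -> correlated identity name)
        private final Map<String, Map<String, String>> catalog = new HashMap<>();

        void aggregate(String appName, String nativeId, String identityName) {
            Map<String, String> accounts = catalog.get(appName);
            if (accounts == null) {
                accounts = new HashMap<>();
                catalog.put(appName, accounts);
            }
            accounts.put(nativeId, identityName);
        }

        /** Exact-match lookup: both the source name and the native identity must match. */
        boolean accountExistsByNativeIdentity(String appName, String nativeId) {
            Map<String, String> accounts = catalog.get(appName);
            return accounts != null && nativeId != null && accounts.containsKey(nativeId);
        }

        /** First native identity correlated to identityName on appName, or null if none. */
        String getFirstAccountNativeIdentity(String appName, String identityName) {
            Map<String, String> accounts = catalog.get(appName);
            if (accounts == null) {
                return null;
            }
            for (Map.Entry<String, String> e : accounts.entrySet()) {
                if (identityName.equals(e.getValue())) {
                    return e.getKey();
                }
            }
            return null;
        }
    }

    /** The pattern from the post: appName and nativeIdentity both come from the Link. */
    static List<String> existingNativeIds(FakeIdn idn, Identity identity, String appName) {
        List<String> found = new ArrayList<>();
        for (Link link : identity.getLinks()) {
            if (link != null && appName.equals(link.getApplicationName())) {
                String nativeId = link.getNativeIdentity();
                if (idn.accountExistsByNativeIdentity(appName, nativeId)) {
                    found.add(nativeId);
                }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        final String appName = "Active Directory";                    // canonical source name (constructed)
        final String dn = "CN=Jane Doe,OU=Users,DC=example,DC=com";   // AD native identity (constructed)

        FakeIdn idn = new FakeIdn();
        idn.aggregate(appName, dn, "jane.doe");                       // aggregated and correlated

        Identity jane = new Identity("jane.doe");
        jane.attributes.put("sAMAccountName", "jdoe");                // identity attribute, not the native identity
        jane.links.add(new Link(appName, dn));

        // Pitfall 1: an identity attribute passed as nativeIdentity
        System.out.println("by sAMAccountName: " + idn.accountExistsByNativeIdentity(appName, jane.getAttribute("sAMAccountName")));
        // Pitfall 2: a source name with an appended " [source]" suffix
        System.out.println("with [source] suffix: " + idn.accountExistsByNativeIdentity(appName + " [source]", dn));
        // Pitfall 3: the right DN, but a source the account was never aggregated from
        System.out.println("unaggregated source: " + idn.accountExistsByNativeIdentity("Azure AD", dn));
        // Correct: both values taken from the Link
        System.out.println("from Link: " + existingNativeIds(idn, jane, appName));
        // Simpler alternative: first native identity correlated to the identity on that source
        System.out.println("getFirstAccountNativeIdentity: " + idn.getFirstAccountNativeIdentity(appName, jane.getName()));
    }
}
```

By construction of the fake, the three pitfall lookups come back false and only the Link-derived lookup (and the helper keyed on the identity name) finds the DN. The real catalog is not modelled, but the exact-key behaviour is the point: a wrong key of either kind produces the same silent false that the post describes, so when a real rule misbehaves, log `link.getApplicationName()` and `link.getNativeIdentity()` and compare them character for character with what you are passing.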
🧰 A Reusable Function for Cloud Executed Rules
Here's a full example that you can reuse. It takes the search attribute, its value and a log prefix, and returns one map per matching, existing account (the map's displayName is the native identity).
```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import org.apache.commons.lang.StringUtils; // or lang3, depending on what your rule environment ships

// appName (canonical source name), ruleName, idn and log are expected in the rule's scope.
List fetchReport(String attribute, String value, String logPrefix) {
    List resultList = new ArrayList();
    if (StringUtils.isNotEmpty(value)) {
        // Find identities whose searchable attribute equals the value
        List identities = idn.findIdentitiesBySearchableIdentityAttribute(attribute, "Equals", value, attribute);
        for (Identity reportee : identities) {
            for (Link link : reportee.getLinks()) {
                // Only links on the target source; equals() is case-sensitive
                if (link != null && appName.equals(link.getApplicationName())) {
                    // Native identity from the Link, never from an identity attribute
                    String nativeId = link.getNativeIdentity();
                    if (idn.accountExistsByNativeIdentity(appName, nativeId)) {
                        Map reporteeMap = new HashMap();
                        reporteeMap.put("displayName", nativeId);
                        resultList.add(reporteeMap);
                    }
                }
            }
        }
    } else {
        log.debug(ruleName + ": " + logPrefix + " is missing or empty.");
    }
    return resultList;
}
```
This pattern is clean, robust, and ensures accurate account validation.
⚡ Easier Alternatives
If your goal is simply to check whether an identity has any account on a given source, these helper methods are simpler:
```java
String nid = idn.getFirstAccountNativeIdentity(appName, identity.getName());
List accounts = idn.getAllAccounts(appName, identity.getName());
```
- `nid == null` → no account exists
- `accounts.isEmpty()` → no linked accounts (null-check the list first if you are not certain the method never returns null)
These APIs save you the hassle of matching nativeIdentity manually.
🧭 Quick Debug Checklist
| ✅ Check | What to Verify |
|---|---|
| Source Name | Must exactly match what’s shown in ISC |
| Native Identity | Must be the link.getNativeIdentity() value |
| Account Aggregated? | Ensure the account exists in the catalog |
| Identity Correlated? | Must have a valid link to the identity |
| Rule Logging | Always log both link.getApplicationName() and link.getNativeIdentity() when testing |
🪄 TL;DR
- Use the exact source name and `link.getNativeIdentity()`, not custom attributes.
- Always retrieve both values from the user's Link.
- Prefer `getAllAccounts()` or `getFirstAccountNativeIdentity()` for simple existence checks.
✍️ About the Author
Amit Kumar Gupta is an IAM Architect and founder of IdentityClasses — a leading platform for hands-on training and consulting in SailPoint, Saviynt, Okta, and Oracle IAM.
He helps enterprises and engineers simplify Identity Governance through real-world solutions and practical design patterns.
⭐ If you found this post useful, share it with your team or IAM community and follow IdentityClasses on LinkedIn for more hands-on SailPoint tips!
