Attribute Synchronization
Attribute synchronization is an automated process of synchronizing changes to Identity Cube identity attributes (such as name, email, or department) from an authoritative source to target systems.
A simple example is when an employee’s name changes – Pat Smith becomes Pat Jones. In this example, Human Resources will change the employee's name, and perhaps the email address, in an authoritative source, such as Active Directory. The changes then need to be propagated out to other accounts that the user has, such as JIRA, Salesforce, Outlook, etc.
Lifecycle events can also trigger attribute changes that need to be synchronized: users joining or leaving the organization, or changes to things like a user's status, job title, manager, or department can all cause changes to user attributes that need to be synchronized to various systems.
Choosing Which Attributes to Synchronize
To configure attribute synchronization, you first choose which attributes should be synchronized, and edit them to set up synchronization targets and behavior.
- Click gear > Global Settings > Identity Mappings.
- Double-click the attribute you want to edit.
- The Target Mappings section is where you identify the target systems that should be updated with new values for the attribute. You must add targets one at a time, for each target system. To add a new target, click Add Target.
- Enter your Target values:
  - Application – the target system to be updated when this value changes.
  - Attribute – the attribute on the target system that stores this value. The values in the dropdown menu are determined by the application schema defined for this application. See Application Configuration for more information on application schemas.
  - Transformation Rule – if the application attribute is represented differently in the target system than it is in the authoritative source (for example, if your target system records full-time versus part-time employment status as a numeric code 1 or 2, but you record that as "Full" and "Part" in IdentityIQ) you can use a BeanShell rule to modify the attribute as it is pushed out to the target.
  - Provision All Accounts – if the user has more than one account on the target application, check this option to automatically synchronize the value to all accounts. If you leave this option unchecked, the system will prompt someone to choose which accounts to synchronize to, in cases of multiple accounts.
- Click Add to save your changes and close the dialog.
- Optional: if you want to use a business process to manage attribute synchronization for this attribute, check the Sync with Workflow option in the Advanced Options section. See Using Business Processes to Manage Attribute Synchronization for more information on using business processes for attribute synchronization, and on how to set this option globally rather than at the individual-attribute level.
- Repeat these steps for each additional Target you want to add for this attribute.
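The mapping logic a transformation rule would carry for the employment-status case above, as an added example that is not SailPoint's code or part of the original page. It is plain Java, which BeanShell accepts; the class and method names are hypothetical, the Full = 1 / Part = 2 assignment is assumed, and how IdentityIQ passes the value into the rule is not shown here.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class EmploymentStatusTransform {

    // Assumed mapping for the page's example: "Full"/"Part" in IdentityIQ,
    // numeric code 1 or 2 on the target system.
    private static final Map<String, Integer> CODES = new LinkedHashMap<>();
    static {
        CODES.put("full", 1);
        CODES.put("part", 2);
    }

    /**
     * Returns the target-system code for an IdentityIQ employment status.
     * null is passed through unchanged. Any unmapped value throws, so a typo
     * or a newly introduced status is rejected instead of being written to
     * the target as a wrong code.
     */
    public static Integer toTargetCode(Object value) {
        if (value == null) {
            return null;
        }
        // Normalize whitespace and case before the lookup.
        String key = value.toString().trim().toLowerCase(Locale.ROOT);
        Integer code = CODES.get(key);
        if (code == null) {
            throw new IllegalArgumentException(
                "Unmapped employment status: '" + value + "'");
        }
        return code;
    }

    public static void main(String[] args) {
        // Constructed sample values, including one the mapping does not cover.
        Object[] samples = { "Full", " part ", null, "Contractor" };
        for (Object s : samples) {
            try {
                System.out.println(s + " -> " + toTargetCode(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```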
How Attribute Synchronization is Triggered
There are two ways attribute synchronization can be triggered in IdentityIQ:
- Direct Edit to an Identity – editing the identity directly in the UI, in the Identity Warehouse's View Identity Page, or the Edit Identity quicklink. These changes cause the system to immediately process the synchronization. Note that there may be an approval step required for the change, before the synchronization will occur.
- Aggregation – when an attribute change comes through aggregation, attribute synchronization is initiated through a refresh task that has the Synchronize Attributes option selected. See the Identity Refresh task for information about configuring and running this task.
Using Business Processes to Manage Attribute Synchronization
You can integrate a business process with attribute synchronization, to let you manage the synchronization of multiple attributes together, in a single request and approval process. If you have Lifecycle Manager implemented, you can use an out-of-the-box business process for managing attribute synchronization. You can also create your own custom business process if you have not implemented Lifecycle Manager, or if you prefer to use custom logic.
You can set a global option so that all attribute synchronization is handled by a business process, or you can choose individual attributes to manage using a business process.
Configuring Attribute Synchronization to Use a Business Process
To enable a global business process for attribute synchronization:
- Click gear > Global Settings > IdentityIQ Configuration.
- Click the Identities tab.
- In the Business Processes section, choose the business process to use for Attribute Sync. IdentityIQ provides a standard Attribute Sync business process that meets most use cases; you can edit this business process to tailor it to your needs, and you can also create and choose a custom business process if you prefer.
- Check the Always Sync using workflow option in the Identity Attributes section. Leaving this option unchecked means that you can set the option to use the business process individually on each attribute in Identity Mappings.
To enable business process handling for attribute synchronization individually for specific attributes:
- Follow the steps above to select a business process in the IdentityIQ Configuration, but do not check the Always Sync using workflow option.
- In the gear > Global Settings > Identity Mappings page, click the attribute you want to manage with a business process.
- In the Advanced Options section, check the Sync with Workflow option.
- If you haven't already set up your Target Mappings for this attribute, follow the steps in Attribute Synchronization to do so.
- Save your changes.
Customizing the Business Process for Attribute Synchronization
With Lifecycle Manager, IdentityIQ provides a standard business process for attribute synchronization; you can modify this business process according to your business needs. If you don't have Lifecycle Manager implemented, or if you prefer to use a completely custom business process, you can develop your own business process for attribute synchronization.
- Click Setup > Business Processes.
- Click the Attribute Sync business process to select it.
- You can modify most of the details of this business process. Those you are most likely to want to modify are the Process Variables:
  - Approvals can be enabled or disabled in the Approval section. If Approvals are enabled, you can choose who is responsible for approving requested attribute changes.
  - Notifications can be enabled or disabled. When they are enabled you can select who should be notified when attribute changes are completed.
- See Business Process Management for more information about Business Processes.
Auditing Attribute Synchronization
If you want the ability to audit details about attribute synchronization, such as what triggered the synchronization, or which attributes were synchronized to which target systems, use IdentityIQ's Audit Configuration to enable auditing for this activity:
- Click gear > Global Settings > Audit Configuration.
- On the General Actions tab, check the box for Attribute Sync.
- Save your changes.
To view audit details for attribute synchronization activity:
- Click Intelligence > Advanced Analytics.
- In the Search Type dropdown, choose Audit.
- In the Action field under Audit Attributes, choose attributeSync. Note that attributeSync will not be available as a choice in this list unless there is attribute synchronization activity that has been completed in your system.
- Enter any other search criteria you want to use.
- Click Run Search.