Attribute Synchronization

Attribute synchronization is an automated process of synchronizing changes to an Identity Cube's identity attributes (such as name, email, or department) from an authoritative source to target systems.

A simple example is when an employee’s name changes – Pat Smith becomes Pat Jones. In this example, Human Resources will change the employee's name, and perhaps the email address, in an authoritative source, such as Active Directory. The changes then need to be propagated out to the user's other accounts, such as JIRA, Salesforce, Outlook, etc.

Lifecycle events can also trigger attribute changes that need to be synchronized: users joining or leaving the organization, or changes to things like a user's status, job title, manager, or department can all cause changes to user attributes that need to be synchronized to various systems.

Choosing Which Attributes to Synchronize

To configure attribute synchronization, you first choose which attributes should be synchronized, and edit them to set up synchronization targets and behavior.

  1. Click gear > Global Settings > Identity Mappings.

  2. Double-click the attribute you want to edit.

  3. The Target Mappings section is where you identify the target systems that should be updated with new values for the attribute. You must add targets one at a time, for each target system. To add a new target, click Add Target.

  4. Enter your Target values:

    • Application – the target system to be updated when this value changes.

    • Attribute – the attribute on the target system that stores this value. The values in the dropdown menu are determined by the application schema defined for this application. See Application Configuration for more information on application schemas.

    • Transformation Rule – if the application attribute is represented differently in the target system than it is in the authoritative source (for example, if your target system records full-time versus part-time employment status as a numeric code 1 or 2, but you record that as "Full" and "Part" in IdentityIQ) you can use a BeanShell rule to modify the attribute as it is pushed out to the target.

    • Provision All Accounts – if the user has more than one account on the target application, check this option to automatically synchronize the value to all accounts. If you leave this option unchecked, the system will prompt someone to choose which accounts to synchronize to, in cases of multiple accounts.

      Click Add to save your changes and close the dialog.

  5. Optional: if you want to use a business process to manage attribute synchronization for this attribute, check the Sync with Workflow option in the Advanced Options section. See Using Business Processes to Manage Attribute Synchronization for more information on using business processes for attribute synchronization, and on how to set this option globally rather than at the individual-attribute level.

  6. Repeat these steps for each additional Target you want to add for this attribute.
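
The mapping a Transformation Rule like the one described in step 4 has to perform, as an added example in plain Java (BeanShell accepts Java syntax); this is not code from the product documentation. The class and method names, the way the value is passed in as a parameter, and the assignment of Full to 1 and Part to 2 are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;

public class EmploymentStatusTransform {

    // Assumed mapping: the documentation only says the target stores codes 1 and 2.
    private static final Map<String, Integer> CODES = Map.of("full", 1, "part", 2);

    /**
     * Converts the IdentityIQ-side value ("Full" / "Part") to the target's numeric code.
     * An empty source value yields null, so a cleared attribute is never turned
     * into an invented code on the target.
     */
    static Integer toTargetCode(Object value) {
        if (value == null) {
            return null;
        }
        String normalized = value.toString().trim().toLowerCase(Locale.ROOT);
        if (normalized.isEmpty()) {
            return null;
        }
        Integer code = CODES.get(normalized);
        if (code == null) {
            // Fail closed: an unmapped value stops the push instead of
            // writing a wrong or unvalidated status to the target system.
            throw new IllegalArgumentException("Unmapped employment status: " + normalized);
        }
        return code;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including one the mapping does not cover.
        Object[] samples = {"Full", " part ", null, "Contractor"};
        for (Object sample : samples) {
            try {
                System.out.println(sample + " -> " + toTargetCode(sample));
            } catch (IllegalArgumentException e) {
                System.out.println(sample + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting unmapped values keeps a typo or an unexpected new status in the authoritative source from being provisioned silently to every target account.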

How Attribute Synchronization is Triggered

There are two ways attribute synchronization can be triggered in IdentityIQ:

  • Direct Edit to an Identity – editing the identity directly in the UI, in the Identity Warehouse's View Identity Page, or the Edit Identity quicklink. These changes cause the system to immediately process the synchronization. Note that there may be an approval step required for the change, before the synchronization will occur.

  • Aggregation – when an attribute change comes through aggregation, attribute synchronization is initiated through a refresh task that has the Synchronize Attributes option selected. See the Identity Refresh task for information about configuring and running this task.