Attribute synchronization keeps account data on a source in sync with identity data in IdentityNow. It uses identity information to ensure data is consistent across multiple systems in your enterprise.
In the attribute sync configuration, you specify which account attributes on a source should be kept in sync with corresponding identity attributes. You can configure this for any source account attribute that:
- Is included in the source's Create Account definition, and
- Is mapped directly from an identity attribute in that definition
When the value of a configured identity or account attribute changes for a user so they no longer match, IdentityNow updates the account attribute to match the identity attribute and provisions the change to the source.
- Attribute synchronization only applies to existing, correlated accounts. It will not create accounts for identities, and uncorrelated accounts have no corresponding identity data to enforce. When another operation creates a new account for a user, attribute sync is immediately enforced for that account.
- If an identity has multiple correlated accounts on a source, attribute sync updates all of them.
- Attribute sync only applies to identities whose identity profile specifies a mapping for the identity attribute.
- When an identity attribute gets set to null by its identity profile mapping, attribute sync will propagate the null value to account attributes.
Configuring Attribute Sync
Select a source and choose the account attributes to synchronize.
Go to Admin > Connections > Sources.
Select the source to be enabled for attribute sync.
In the Accounts tab, select Attribute Sync from the left panel to display the attributes you can sync.
This list displays the attributes eligible for syncing and shows the attribute mappings configured in the source's Create Account definition.
The built-in Manager identity attribute can be used in the Create Account definition, but it can't be used for attribute sync. To sync users' manager names to their source accounts, define a custom identity attribute (for example, managerToSync) and configure its mapping to populate it with the user's manager name. Then use that attribute in both your Create Account definition and Attribute Sync configuration.
To sync users' manager names to Active Directory, refer to Active Directory: Attribute Sync for the Manager Attribute.
Select the checkboxes in the Sync with Identity column for the attributes you want to synchronize.
To undo your changes and revert the sync configuration to the last saved state, select Cancel.
Select Save to save your configuration changes.
Select Sync to initiate a bulk attribute sync for all accounts on this source. This option is only enabled when the source is in a healthy state.
- You only need to use the Sync option to apply new sync configurations when they are first defined. Otherwise, IdentityNow enforces attribute sync through real-time updates per account.
- To limit provisioning traffic to the target system, you may only run this full sync up to 3 times in a 24-hour period, per source.
Multi-valued attribute sync is supported through custom rules. For more information, refer to the Developer Community.
For additional guidance on syncing attributes, refer to Best Practices: Attribute Sync.
Triggering Attribute Sync Automatically
Attribute synchronization is automatically triggered by a change to the identity or source account attribute value in IdentityNow. These changes occur when:
- A process, such as an authoritative aggregation, updates the identity attribute.
- A source aggregation discovers a change to the account attribute made natively in the source system. IdentityNow overrides those changes based on the sync configuration.
- The source account gets moved, or correlated, to a different identity with different identity attribute values.
If attribute sync fails, IdentityNow requeues the failed requests for retry, up to 10 times. Once the problem is resolved, an administrator can either manually resync individual identities or use the Sync option on the Attribute Sync configuration page to force a bulk resync for the source.
If your aggregation or provisioning processes change attribute values through logic such as rules, those attributes should usually not be configured for attribute sync. This could create a situation where the configured identity and account attribute will never be in sync, setting up a loop where IdentityNow repeatedly attempts to resynchronize them.
Safeguards Preventing Cyclical Syncs
Depending on how each system represents data, it is possible for attributes to be logically in sync while not containing exactly the same value. For example, leading or trailing spaces, varying representations of nulls, and different expressions of boolean values can make attribute values appear different, but resyncing those values will not fix the discrepancy because of how the system stores that data. Safeguards have been set up in IdentityNow's sync process to prevent unnecessary repeated attempts to sync data, particularly when the values get out of sync due to an account data change.
However, sync will always be enforced when:
- The case of the values does not match (sync is case-sensitive).
- The identity attribute value changes.
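The distinction above can be checked offline before enabling sync on an attribute. The following is an added example, not SailPoint's code: it classifies identity/account value pairs as identical, different only in representation, different in case, or genuinely different. The normalization rules (`NULL_FORMS`, `BOOL_FORMS`), the function names and the sample data are assumptions made for illustration.

```python
# Added illustration: the normalization rules below are assumptions,
# not IdentityNow's documented comparison logic.
NULL_FORMS = {"", "null"}  # assumed spellings of "no value"
BOOL_FORMS = {"true": True, "false": False, "1": True, "0": False}  # assumed, lowercase only


def normalize(value):
    """Canonicalize whitespace, nulls and booleans; letter case is preserved."""
    if value is None or isinstance(value, bool):
        return value
    text = str(value).strip()
    if text in NULL_FORMS:
        return None
    return BOOL_FORMS.get(text, text)


def same(a, b):
    """Equality that does not let Python treat True == 1 as a match."""
    return type(a) is type(b) and a == b


def classify(identity_value, account_value):
    """Return in_sync, representation_only, case_mismatch or different."""
    if same(identity_value, account_value):
        return "in_sync"
    if same(normalize(identity_value), normalize(account_value)):
        return "representation_only"  # resyncing would not change the stored data
    folded = [None if v is None else str(v).strip().casefold()
              for v in (identity_value, account_value)]
    if folded[0] is not None and folded[0] == folded[1]:
        return "case_mismatch"  # the page states sync is case-sensitive
    return "different"


# Constructed sample data: (attribute, identity value, account value).
SAMPLE_PAIRS = [
    ("department", "Finance", "Finance"),
    ("displayName", "Ana Ruiz", "Ana Ruiz  "),
    ("active", True, "true"),
    ("office", None, ""),
    ("mail", "Ana.Ruiz@example.com", "ana.ruiz@example.com"),
    ("title", "Analyst", "Senior Analyst"),
]


def audit(pairs):
    """Map each attribute name to its classification."""
    return {name: classify(identity, account) for name, identity, account in pairs}
```

Attributes reported as `representation_only` are the ones where repeated resyncs would achieve nothing; `case_mismatch` and `different` are the ones a sync would actually change.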
Manually Synchronizing a Single Identity
You can manually initiate an attribute sync for an individual identity.
Go to Admin > Identity > Identity List and find the identity that you want to manually synchronize.
Select Actions > Synchronize Attributes.
The attribute sync begins immediately and analyzes all accounts for the selected identity.
You can also initiate an attribute sync from the identity’s details page. Select an identity from the identity list and from the Actions menu, select Synchronize Attributes. Users of the updated Identity Details experience can select Actions > Synchronize Attributes.
Viewing Attribute Sync Records
Use either of these options to verify sync activity.
Within a source’s Attribute Sync configuration page, select View Events. This redirects you to the Search page with a predefined search query that lists attribute sync records for that source.
Use Search to define your own queries to examine event records for provisioning actions on those attributes.