Attribute synchronization keeps account data on a source in sync with identity data in IdentityNow. It uses identity information to ensure data is consistent across multiple systems in your enterprise.
In the attribute sync configuration, you specify which account attributes on a source should be kept in sync with corresponding identity attributes. You can configure this for any source account attribute that:
- Is included in the source's Create Account definition, and
- Is mapped directly from an identity attribute in that definition
When the value of a configured identity or account attribute changes for a user so they no longer match, IdentityNow updates the account attribute to match the identity attribute and provisions the change to the source.
Attribute synchronization only applies to existing, correlated accounts. If an identity has multiple correlated accounts on a source, attribute sync updates all of them. It will not create accounts for identities, and uncorrelated accounts have no corresponding identity data to enforce.
Configuring Attribute Sync
Select a source and choose the account attributes to synchronize.
Go to Admin > Connections > Sources.
Select the source to be enabled for attribute sync.
In the Accounts tab, select Attribute Sync from the left panel to display the attributes you can sync.
This list displays the attributes eligible for syncing and shows the attribute mappings configured in the source's Create Account definition.
Select the checkboxes in the Sync with Identity column for the attributes you want to synchronize.
To undo your changes and revert the sync configuration to the last saved state, select Cancel.
Select Save to save your configuration changes.
Select Sync to initiate a bulk attribute sync for all accounts on this source. This option is only enabled when the source is in a healthy state.
- You only need to use this Sync option to apply new sync configurations when they are first defined. Otherwise, IdentityNow enforces attribute sync through real-time updates on a per-account basis.
- To limit provisioning traffic to the target system, you may only run this full sync up to 3 times in a 24-hour period, per source.
For additional guidance on syncing attributes, refer to Best Practices: Attribute Sync.
Triggering Attribute Sync Automatically
Attribute synchronization is automatically triggered by a change to the identity attribute value in IdentityNow. These changes occur when a process, such as an authoritative aggregation, updates the identity attribute.
If attribute sync fails, IdentityNow requeues the failed requests for retry, up to 10 times. If the sync fails all of those retries, once the problem is resolved, an administrator can either manually resync individual identities or use the Sync option on the Attribute Sync configuration page to force a bulk re-sync for the source.
If your aggregation or provisioning processes change attribute values through logic such as rules, those attributes should usually not be configured for attribute sync. This could create a situation where the configured identity and account attribute will never be in sync, setting up a loop where IdentityNow repeatedly attempts to resynchronize them.
Attribute synchronization also occurs in the scheduled 8:00 AM execution of identity processing. The scheduled job handles some use cases that the triggered sync doesn't address:
- Overriding account attribute changes made natively in the source system, to enforce the sync configuration.
- Changing account data when a source account gets moved, or correlated, to a different identity with different identity attribute values.
Manually Synchronizing a Single Identity
You can manually initiate an attribute sync for an individual identity.
Go to Admin > Identity > Identity List.
Select the identity that you want to manually synchronize.
The attribute sync begins immediately and analyzes all accounts for the selected identity.
Viewing Attribute Sync Records
Use either of these options to verify sync activity.
Within a source’s Attribute Sync configuration page, select View Events. This redirects you to the Search page with a predefined search query that lists attribute sync records for that source.
Use Search to define your own queries to examine event records for provisioning actions on those attributes.