Skip to content

Synchronizing Attributes

Attribute synchronization keeps account data on a source in sync with identity data in Identity Security Cloud. It uses identity information to ensure data is consistent across multiple systems in your enterprise.

In the attribute sync configuration, you specify which account attributes on a source should be kept in sync with corresponding identity attributes. You can configure this for any source account attribute that:

  • Is included in the source's Create Account definition, and
  • Is mapped directly from an identity attribute in that definition

When the value of a configured identity or account attribute changes for a user so they no longer match, Identity Security Cloud updates the account attribute to match the identity attribute and provisions the change to the source.

You can see the percentage of account attributes that are synchronized. Refer to Viewing Attribute Sync Percentages for details.

Notes

  • Attribute synchronization only applies to existing, correlated accounts. It will not create accounts for identities, and uncorrelated accounts have no corresponding identity data to enforce. When another operation creates a new account for a user, attribute sync is immediately enforced for that account.
  • If an identity has multiple correlated accounts on a source, attribute sync updates all of them.
  • Attribute sync only applies to identities whose identity profile specifies a mapping for the identity attribute.
  • When an identity attribute is set to null by its identity profile mapping, attribute sync will propagate the null value to account attributes. Attributes with null values are not considered synchronized.

Configuring Attribute Sync

Select a source and choose the account attributes to synchronize.

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to enable for attribute sync.
  3. In the Account Management section, select Attribute Sync.

    This list displays the attributes eligible for syncing and shows the attribute mappings configured in the source's Create Account definition.

    Important

    The built-in Manager identity attribute can be used in the Create Account definition, but it can't be used for attribute sync. To sync users' manager names to their source accounts, define a custom identity attribute (for example, managerToSync) and configure its mapping to populate it with the user's manager name. Then use that attribute in both your Create Account definition and Attribute Sync configuration.

    To sync users' manager names to Active Directory, refer to Active Directory: Attribute Sync for the Manager Attribute.

  4. Select the checkboxes in the Sync with Identity column for the attributes you want to synchronize.

  5. Select Save to save your configuration changes.

  6. Select Sync to initiate a bulk attribute sync for all accounts on this source. This option is only enabled when the source is in a healthy state.

    Important

    • You only need to use the Sync option to apply new sync configurations when they are first defined. Otherwise, attribute sync is enforced through real-time updates per account.
    • To limit provisioning traffic to the target system, you may only run this full sync up to 3 times in a 24-hour period, per source.
    • The percent of synced attributes can help you decide whether it's necessary to run an attribute sync.

    Note

    Multi-valued attribute sync is supported through custom rules. For more information, refer to the Developer Community.

For additional guidance on syncing attributes, refer to Best Practices: Attribute Sync.

Triggering Attribute Sync Automatically

Attribute synchronization is automatically triggered by a change to the identity or source account attribute value in Identity Security Cloud. These changes occur when:

  • A process, such as an authoritative aggregation, updates the identity attribute.
  • A source aggregation discovers a change to the account attribute made natively in the source system. Identity Security Cloud overrides those changes based on the sync configuration.
  • The source account gets moved, or correlated, to a different identity with different identity attribute values.

If attribute sync fails, the request is requeued and retried for up to 10 times. After the problem is resolved, an administrator can either manually resync individual identities or use the Sync option on the Attribute Sync configuration page to force a bulk resync for the source.

Caution

If your aggregation or provisioning processes change attribute values through logic such as rules, those attributes should usually not be configured for attribute sync. This could create a situation where the configured identity and account attribute will never be in sync, setting up a loop where Identity Security Cloud repeatedly attempts to resynchronize them.

Safeguards Preventing Cyclical Syncs

Depending on how each system represents data, it is possible for attributes to be logically in sync while not containing exactly the same value. For example, leading or trailing spaces, varying representations of nulls, and different expressions of boolean values can make attribute values appear different, but resyncing those values will not fix the discrepancy because of how the system stores that data. Safeguards have been set up in the sync process to prevent unnecessary repeated attempts to sync data, particularly when the values get out of sync due to an account data change.

However, sync will always be enforced when:

  • The case of the values does not match (sync is case-sensitive).
  • The identity attribute value changes.

Manually Synchronizing a Single Identity

You can manually initiate an attribute sync for an individual identity.

  1. Go to Admin > Identity Management > Identities and find the identity that you want to manually synchronize.

  2. Select Actions > Synchronize Attributes.

The attribute sync begins immediately and analyzes all accounts for the selected identity.

Note

You can also initiate an attribute sync from the identity’s details page. Select an identity from the Identities page and then select Actions > Synchronize Attributes.

Tracking Attribute Sync

You can track information about when attributes were synced and the percentage of account attributes that are in sync with the corresponding identity attribute.

Tracking Attribute Sync History

Use either of these options to verify sync activity.

  • Within a source’s Attribute Sync configuration page, select View Events. This redirects you to the Search page with a predefined search query that lists attribute sync records for that source.

  • Use Search to define your own queries to examine event records for provisioning actions on those attributes.

Viewing Attribute Sync Percentages

You can see the percentage of values for a specific account attribute that are synchronized to the corresponding identity attribute.

  1. Go to Admin > Connections > Sources.

  2. Select the source you want to view.

  3. In the Account Management section, select Attribute Sync.

  4. Select the checkbox beside the identity attributes you want to check. You can select up to 10 attributes at a time.

  5. Select Calculate Synchronization.

    You can select Cancel Calculation to stop calculating the attribute sync percentage after it begins.

    The percentage of account attributes that are correctly synchronized to the associated identity attributes are displayed in the Percent Synced column.

  6. Select the number in the Percent Synced column to review details about the attribute pairing.

    In the Summary tab, you can see:

    • The name of the account attribute and identity attribute.
    • The date the sync percentage was last calculated.
    • The percentage of attributes where the values are synchronized between the account and identity.
    • The percentages of identity and account attributes that are null. These values are considered unsynchronized.
    • The percentage of attributes that are unmatched between the account and identity due to inconsistent capitalization.

    In the Unsynced Accounts tab, you can see a list of the accounts where the values of this attribute pair are synchronized.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.