Attribute synchronization keeps account data on a source in sync with identity data in IdentityNow. It uses identity information to ensure data is consistent across multiple systems in your enterprise.
In the attribute sync configuration, you specify which account attributes on a source should be kept in sync with corresponding identity attributes. You can configure this for any source account attribute that:
- Is included in the source's Create Account definition, and
- Is mapped directly from an identity attribute in that definition
When the value of a configured identity or account attribute changes for a user so they no longer match, IdentityNow updates the account attribute to match the identity attribute and provisions the change to the source.
Attribute synchronization only applies to existing, correlated accounts. It will not create accounts for identities, and uncorrelated accounts have no corresponding identity data to enforce.
Configuring Attribute Sync
Select a source and choose the account attributes to synchronize.
The source must be in a healthy state to add these configurations.
In the Admin interface, go to Connections > Sources.
Select the source to be enabled for attribute sync.
In the Accounts tab, select Attribute Sync from the left panel to display the attributes you can sync.
This list displays the attributes eligible for syncing and shows the attribute mappings configured in the source's Create Account definition.
Select the checkboxes in the Sync with Identity column for the attributes you want to synchronize.
Select Save and Sync.
Attribute sync runs for all accounts on the source when you modify the configurations and select Save and Sync. This ensures that new sync configurations are applied when they are first defined. After the initial sync, IdentityNow relies on real-time updates to keep the attributes in sync per account.
To limit provisioning traffic to the target system, you may only run this full sync up to 3 times in a 24-hour period, per source. If you attempt to Save and Sync more than 3 times, IdentityNow will still save the configuration. You can test your configurations on individual identities with the manual sync option and can return later to execute a full sync.
For additional guidance on syncing attributes, refer to Best Practices: Attribute Sync.
Triggering Attribute Sync Automatically
Attribute synchronization is automatically triggered by a change to the identity attribute value in IdentityNow. These changes occur when a process, such as an authoritative aggregation, updates the identity attribute.
If attribute sync fails, IdentityNow requeues the failed requests for retry, up to 10 times. If all of those retries fail, then once the problem is resolved, an administrator can either manually resync individual identities or use the Source Sync API to resync all accounts for a source.
If your aggregation or provisioning processes change attribute values through logic such as rules, those attributes should usually not be configured for attribute sync. Doing so could create a situation where the configured identity and account attributes never match, setting up a loop in which IdentityNow repeatedly attempts to resynchronize them.
Attribute synchronization also occurs in the scheduled 8:00 AM identity refresh job. The scheduled job handles cases where the account data, rather than the identity data, in the sync configuration changes.
- When the account attribute is changed natively in the source system, IdentityNow uses this daily scheduled sync to override the change and enforce the sync configuration.
- If the source account gets moved, or correlated, to a different identity with different identity attribute values, those new values will be synced to the account by the scheduled job.
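The comparison described above can be modeled in a few lines. This is an added example, not SailPoint code: the sync configuration, identities, accounts, and the `plan_sync` function are all constructed for illustration, and it covers the three cases in the text (a native change on the source, an account correlated to a different identity, and an uncorrelated account).

```python
# Added example: a simplified model of attribute sync, not SailPoint code.
# All names and sample records below are constructed for illustration.

# Sync configuration for one source: account attribute -> identity attribute.
SYNC_CONFIG = {"mail": "email", "department": "department"}

IDENTITIES = {
    "id-1001": {"email": "a.ng@example.com", "department": "Finance"},
    "id-1002": {"email": "b.ruiz@example.com", "department": "Legal"},
}

ACCOUNTS = [
    # Changed natively on the source: department no longer matches.
    {"account": "ang", "identity": "id-1001",
     "attrs": {"mail": "a.ng@example.com", "department": "IT Admins"}},
    # Re-correlated from another identity: both values are stale.
    {"account": "bruiz", "identity": "id-1002",
     "attrs": {"mail": "old.owner@example.com", "department": "Sales"}},
    # Uncorrelated: no identity data to enforce, so it is skipped.
    {"account": "svc-backup", "identity": None,
     "attrs": {"mail": "svc@example.com", "department": "Ops"}},
]


def plan_sync(sync_config, identities, accounts):
    """Return (changes, skipped): the updates needed to make each configured
    account attribute match its identity attribute, and accounts ignored."""
    changes, skipped = [], []
    for acct in accounts:
        identity = identities.get(acct["identity"])
        if identity is None:
            skipped.append(acct["account"])
            continue
        for acct_attr, id_attr in sync_config.items():
            want = identity.get(id_attr)
            have = acct["attrs"].get(acct_attr)
            if want != have:
                changes.append({"account": acct["account"], "attribute": acct_attr,
                                "from": have, "to": want})
    return changes, skipped


if __name__ == "__main__":
    changes, skipped = plan_sync(SYNC_CONFIG, IDENTITIES, ACCOUNTS)
    for c in changes:
        print(f'{c["account"]}: {c["attribute"]} {c["from"]!r} -> {c["to"]!r}')
    print("skipped (uncorrelated):", skipped)
```

The `from` values in the plan are the natively set account values that the sync replaces, so keeping that output gives a record of what was changed on the source before it is overwritten.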
Manually Synchronizing a Single Identity
You can manually initiate an attribute sync for an individual identity.
In the Admin interface, go to Identity > Identity List.
Select the identity that you want to manually synchronize.
The attribute sync begins immediately and analyzes all accounts for the selected identity.
Viewing Attribute Sync Records
Use either of these options to verify sync activity.
Within a source’s Attribute Sync configuration page, select View Attribute Sync Events. This redirects you to the Search page with a predefined search query that lists attribute sync records for that source.
Use Search to define your own queries to examine event records for provisioning actions on those attributes.