Attribute synchronization keeps account data on a source in sync with identity data in IdentityNow. It uses identity information to ensure data is consistent across multiple systems in your enterprise.
In the attribute sync configuration, you specify which account attributes on a source should be kept in sync with corresponding identity attributes. You can configure this for any source account attribute that:
- Is included in the source's Create Account definition, and
- Is mapped directly from an identity attribute in that definition
When the value of a configured identity or account attribute changes for a user so they no longer match, IdentityNow updates the account attribute to match the identity attribute and provisions the change to the source.
- Attribute synchronization only applies to existing, correlated accounts. It will not create accounts for identities, and uncorrelated accounts have no corresponding identity data to enforce. When another operation creates a new account for a user, attribute sync is immediately enforced for that account.
- If an identity has multiple correlated accounts on a source, attribute sync updates all of them.
- Attribute sync only applies to identities whose identity profile specifies a mapping for the identity attribute.
- When an identity attribute gets set to null by its identity profile mapping, attribute sync will propagate the null value to account attributes.
Configuring Attribute Sync
Select a source and choose the account attributes to synchronize.
Go to Admin > Connections > Sources.
Select the source to be enabled for attribute sync.
In the Accounts tab, select Attribute Sync from the left panel to display the attributes you can sync.
This list displays the attributes eligible for syncing and shows the attribute mappings configured in the source's Create Account definition.
The built-in Manager identity attribute can be used in the Create Account definition, but it can't be used for attribute sync. To sync users' manager names to their source accounts, define a custom identity attribute (for example, managerToSync) and configure its mapping to populate it with the user's manager name. Then use that attribute in both your Create Account definition and Attribute Sync configuration.
Select the checkboxes in the Sync with Identity column for the attributes you want to synchronize.
To undo your changes and revert the sync configuration to the last saved state, select Cancel.
Select Save to save your configuration changes.
Select Sync to initiate a bulk attribute sync for all accounts on this source. This option is only enabled when the source is in a healthy state.
- You only need to use this Sync option to apply new sync configurations when they are first defined. Otherwise, IdentityNow enforces attribute sync through real-time updates on a per-account basis.
- To limit provisioning traffic to the target system, you may only run this full sync up to 3 times in a 24-hour period, per source.
For additional guidance on syncing attributes, refer to Best Practices: Attribute Sync.
Triggering Attribute Sync Automatically
Attribute synchronization is automatically triggered by a change to the identity or source account attribute value in IdentityNow. These changes occur when:
- A process, such as an authoritative aggregation, updates the identity attribute.
- A source aggregation discovers a change to the account attribute made natively in the source system. IdentityNow overrides those changes based on the sync configuration.
- The source account gets moved, or correlated, to a different identity with different identity attribute values.
If attribute sync fails, IdentityNow requeues the failed requests for retry, up to 10 times. If the sync fails all of those retries, once the problem is resolved, an administrator can either manually resync individual identities or use the Sync option on the Attribute Sync configuration page to force a bulk re-sync for the source.
If your aggregation or provisioning processes change attribute values through logic such as rules, those attributes should usually not be configured for attribute sync. This could create a situation where the configured identity and account attribute will never be in sync, setting up a loop where IdentityNow repeatedly attempts to resynchronize them.
Attribute synchronization also occurs in the scheduled 8:00 AM execution of identity processing.
If an attribute sync request initiated by the scheduled job fails with a retryable error, it is automatically retried once an hour, up to 3 times.
Manually Synchronizing a Single Identity
You can manually initiate an attribute sync for an individual identity.
Go to Admin > Identity > Identity List.
Select the identity that you want to manually synchronize.
The attribute sync begins immediately and analyzes all accounts for the selected identity.
Viewing Attribute Sync Records
Use either of these options to verify sync activity.
Within a source’s Attribute Sync configuration page, select View Events. This redirects you to the Search page with a predefined search query that lists attribute sync records for that source.
Use Search to define your own queries to examine event records for provisioning actions on those attributes.