AD source aggregation

girishkms1 · May 22, 2024, 3:04am

Hi,
We have requirement to dynamically disable sync of few attributes when running the AD source aggregation and enable it back sync after aggregation completes.
Do we have any way to achieve this automatically?

jesvin90 · May 22, 2024, 3:16am

Hi @girishkms1,

Why do you want to disable the attribute sync while doing the aggregation.? That itself fails the purpose of the attribute sync.

You may need to rely on a workflow to disable attribute sync using this endpoint, then do an HTTP operation to trigger the aggregation and then enable the attribute sync back.

girishkms1 · May 22, 2024, 6:51am

Hi @jesvin90
Actually we are having few attributes for which attribute sync is enabled, but we do not have those attributes in AD. We are handling those via powershell script separately.
When aggregation runs, sailpoint always triggers change for those attributes since they do not exists. This will result in overload on iqserver resulting in time outs.
Mainly we need those syncs enabled when the authoritative source aggregation runs and disabled when AD aggregation runs.
I think your suggestion on workflows can be tried, I will try that and let you know the result.
Thanks…

baoussounda · May 22, 2024, 8:57am

Hi @girishkms1,

Why you do not disable permanently sync on those attributes AD that you do not have in AD ?

girishkms1 · May 22, 2024, 9:05am

Hello @baoussou
We need those attribute sync to be enabled, as we are using those attributes in powershell script to manage country/department specific requirement.

Just for example, we need mobile number to be provisioned for few specific department and not to some departments.

Thanks

jesvin90 · May 22, 2024, 9:15am

Hi @girishkms1,

Take a look into this documentation. The attribute sync can get triggered as part of other events too. It wouldn’t be good idea to disable the sync and run the aggregation.

As @baoussounda mentioned, it would be better to disable the attribute sync for these attributes permanently and use the powershell scripts to handle that part outside of ISC. Or make use of transforms (if possible in your scenario) to populate the Identity attributes as per your specific department requirements and then sync them to AD.

tysremi · May 22, 2024, 9:18am

Why not create a specific Mobile Number identity attribute that is only populated for your specific departments, and attribute sync that towards AD?

girishkms1 · May 22, 2024, 9:35am

Hi @jesvin90
Thanks for the documentation. I will check on this and get back to you if more information required.

ipobeidi · May 22, 2024, 3:31pm

@girishkms1 , this happens because after every aggregation ISC calls a refresh for the identity that have a change.
This makes the attribute sync to run.

You could use the api to disable it, but that does not make to much sense.

girishkms1 · May 23, 2024, 12:24am

Hi @ipobeidi , Yes, its not ideal. Parallelly we are working on different approach to mitigate this one.

system · July 22, 2024, 12:24am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Looking for alternative to Attribute Sync - Need just provisioning ISC Discussion and Questions identity-security-cloud	6	478	May 15, 2024
Newbie Question ISC Discussion and Questions aggregation , identity-security-cloud	4	59	November 18, 2024
Account sync during aggregation process ISC Discussion and Questions saas-connector , identity-security-cloud	4	258	March 15, 2024
AD source is failing every couple of hours and also causing aggregation error ISC Discussion and Questions aggregation , identity-security-cloud	5	155	August 20, 2024
Historic data on source aggregations ISC Discussion and Questions aggregation , identity-security-cloud , provisioning	3	35	October 4, 2024

AD source aggregation

Related topics