Attribute Sync for Active Directory Source: Need for only one set of identities

Hello Experts,

We have identities getting created from 2 different Authoritative Sources (Employees and Contractors).
We have some identity attributes that are set for attribute sync to the target source (Active Directory).

However, we want the Attribute Sync to happen only for the identities which are coming from Employees Auth Source.
Is this partial Attribute Sync possible in ISC?

Awaiting to hear from the experts.

Thanks,
Kartheek

@kartheek_gopu, yes, partial Attribute Sync based on Authoritative Source (e.g. Employee only) is possible, but it is not directly configurable through the standard “Attribute Sync” in the UI. So, you need to control it through “Transform Logic” or a “Lifecycle Event Workflow”.
Thanks

This is achievable, but with some caveats.

You can implement a beforeProvisioning rule on the Active Directory source. Within this rule, use BeanShell logic to identify the account’s authoritative source. If the identity is not from the Employees source, you can programmatically remove the corresponding account or attribute requests from the provisioning plan. This effectively prevents attribute sync for non-employee identities.

However, there’s an important consideration: even though this logic filters out non-employee updates during provisioning, attribute sync will still be triggered for non-employee identities every time a source aggregation or tenant refresh occurs. Since the sync logic is unaware that the provisioning plan is discarding the updates for your non-employee population before they are passed downstream, it will continue to generate these updates, leading to unnecessary processing and potential performance overhead.

An alternate approach I could think of is to configure two separate but identical Active Directory sources: one dedicated to employees and the other to non-employees. This setup allows you to enable attribute sync exclusively on the employee AD source while disabling it for the non-employee source, effectively isolating the sync behavior. However, this method introduces overhead, as you’d need to manage entitlements, provisioning policies, and account lifecycle logic across both sources, which can lead to duplication and increased maintenance complexity.
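The beforeProvisioning approach described in the reply above, written out as an added example. This is not code from the thread or from SailPoint; it assumes an ISC BeforeProvisioning cloud rule that receives the provisioning plan as `plan` and a logger as `log`, that the identity is reachable through `plan.getIdentity()`, that the rule returns the modified plan, and that a `workerType` identity attribute (populated through Identity Profiles) holds `Employee` for identities from the Employees source. The attribute list and the `plan.remove(...)` call are likewise assumptions to be checked against your tenant's API documentation.

```java
// Added example of a BeforeProvisioning rule in BeanShell (not from the thread).
// Assumed inputs: `plan` (sailpoint.object.ProvisioningPlan) and `log`.
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumed identity attribute and value that mark the Employees authoritative source.
String WORKER_TYPE_ATTR = "workerType";
String EMPLOYEE_VALUE = "Employee";

// Assumed list of AD attributes that participate in attribute sync. Anything not
// listed (e.g. group memberships) is left untouched so access requests and
// lifecycle provisioning are not affected by this rule.
List syncedAttributes = new ArrayList();
syncedAttributes.add("title");
syncedAttributes.add("department");
syncedAttributes.add("telephoneNumber");

// Assumption: the identity the plan targets is available from the plan itself.
Identity identity = plan.getIdentity();
if (identity == null) {
    log.warn("BeforeProvisioning: plan has no identity; leaving plan unchanged");
    return plan;
}

Object workerType = identity.getAttribute(WORKER_TYPE_ATTR);
boolean isEmployee = (workerType != null)
        && EMPLOYEE_VALUE.equalsIgnoreCase(String.valueOf(workerType));

// Employees keep the full plan; attribute sync should flow through for them.
if (isEmployee) {
    return plan;
}

List accountRequests = plan.getAccountRequests();
if (accountRequests == null) {
    return plan;
}

// Iterate over a copy so that removing requests does not disturb the loop.
Iterator it = new ArrayList(accountRequests).iterator();
while (it.hasNext()) {
    AccountRequest acctReq = (AccountRequest) it.next();

    // Attribute sync produces Modify operations. Create, Delete, Enable and
    // Disable requests are lifecycle provisioning and must pass through unchanged.
    if (acctReq.getOperation() != AccountRequest.Operation.Modify) {
        continue;
    }

    List attrReqs = acctReq.getAttributeRequests();
    if (attrReqs == null) {
        continue;
    }

    // Keep every attribute request except "Set" operations on synced attributes.
    List kept = new ArrayList();
    Iterator ait = attrReqs.iterator();
    while (ait.hasNext()) {
        AttributeRequest attrReq = (AttributeRequest) ait.next();
        boolean isSyncSet = syncedAttributes.contains(attrReq.getName())
                && attrReq.getOperation() == ProvisioningPlan.Operation.Set;
        if (isSyncSet) {
            log.info("BeforeProvisioning: dropping synced attribute '" + attrReq.getName()
                    + "' for non-employee " + identity.getName());
        } else {
            kept.add(attrReq);
        }
    }

    if (kept.isEmpty()) {
        // Nothing left for this account: drop the whole request so the connector
        // is not called with an empty Modify (plan.remove is assumed to exist).
        plan.remove(acctReq);
    } else {
        acctReq.setAttributeRequests(kept);
    }
}

return plan;
```

As the reply points out, this only discards the updates at provisioning time; the sync itself still fires on every aggregation or refresh for the non-employee population, so the rule's log lines are worth watching to size that overhead. The `workerType` attribute it keys on is the same kind of Worker Type identity attribute suggested further down in the thread.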

Hi @kartheek_gopu, do you have an Identity attribute representing the Worker Type? If not, I strongly suggest that you populate one using Identity Profiles and then use that in the attribute mapping logic.


Create a firstValid transform for each attribute you don’t want to sync and apply it to the identity profile you don’t want to sync from. For instance, if you don’t want to sync the “title” for Contractors, create a transform that looks like the following:

{
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "attributes":{
                    "attributeName":"title",
                    "sourceName":"Active Directory"
                },
                "type":"accountAttribute"
            },
            {
                "attributes":{
                    "attributeName":"JOB TITLE",
                    "sourceName":"Contractor Source"
                },
                "type":"accountAttribute"
            }
        ],
        "ignoreErrors": true
    },
    "name": "Contractor Job Title"
}

And apply that transform to your Contractors Identity Profile only.

This will allow the Active Directory source to take precedence if it is filled in or changed, but will use the value from your Contractor Source as the initial value.
