Is there any way we can attribute sync for active users for a specific Source in ISC?
HI @Jadhikary
Are you wanting to attribute sync for only those active individuals and exclude the others on that particular source? If so, AFAIK, thereâs no way to only attribute sync without enabling it for all accounts on a given source.
However, if youâre looking to do a one time sync for users ad-hoc, that can be achieved using the API. This still requires that attribute sync is enabled on the end source for all accounts on that source. synchronize-attributes-for-identity | SailPoint Developer Community
If I enable attribute sync for a source, then it will try to sync the attributes for all the users. Is there any specific time when Attrubute Sync runs.
Right, attribute sync runs after identity processing which is typically after an aggregation runs on the end source, but can also occur multiple times a day through other processes.
You build the âonly for active userâ logic into the transform that builds the Identity attribute [value] for syncing.
You build the âonly for active userâ logic into the transform that builds the Identity attribute [value] for syncing.
What do you mean? Do you have the value as an empty attribute when not active?
Correct. Or eval to maintain / return current value (instead of clearing / nulling it). Thereby, no ânew valueâ to sync.
e.g.
If active, return what it needs to be.
Else, return current account attribute value.
ISC doesnât have a feature for conditional attribute-sync. When you say an active user and if it means an active identity, then you may use Inactive (long-term) identity state to prevent the attribute sync for inactive identities.
Also, another work around if you talk about active identities to be sync could be to populate the identity attribute value based on Sourceâs account state using transform. If an account in that source is active, populate the new value otherwise assign the account attribute value to the identity attribute to match values in both attributes, hence it will not sync. But it requires an account attribute to determine the account state, and it may be a soiled solution.
Please follow this URL.
If you have identity state configured then follow the process shared by me in the previous msg. If identity state is not configured then it is better approach.
Thanks for the correction. Agreed, if the identities are in an inactive LCS going with what you mentioned is superior. I was assuming thatâs not the case.
Yeah, agree with others if you already have the right LCS pieces in place and in alignment with what you actually need, thatâs the way to go.