How to apply custom condition in Workday attribute Sync to run the attribute sync only for Workday accounts that are connected to Active/Enabled Identity Cubes irrespective of the full attribute sync
Hello @vsekar7,
We can restrict attribute sync based on “Indentity State“. This can be configured in Identity Profile page based on lifecycle state. When the “Identity State“ is being marked as “Inactive(long term)“ no attribute sync will happen to any of accounts tied to the identity cube.
Note: AFAIK, we cannot restrict Attribute sync for specific source or specific accounts
Hi @JackSparrow ,
The status we are using is Inactive(short term) in our system.
When the “Identity State“ is being marked as “Inactive(long term)“ no attribute sync will happen to any of accounts tied to the identity cube.
Just to clarify, this only applies to automatic attribute sync. If you manually run an attribute sync on a source, it will sync all accounts, even those in a long-term inactive state.
1 Like
I would consider using inactive long term, I think there are beneficial license implications as well as solving for this attribute sync issue
You cannot achieve it fully with respective to current ISC feature. But you do have some workaround by using identity state (Inactive long-term) which will not always work and it just skips the sync for the long-term identity state identities during SailPoint identity refresh, but it still does full attribute sync during other processing like manual Identity profile processing, manual identity cube refresh or manual source attribute-sync. The bottom line is that you cannot always control the attribute-sync though you apply the identity state condition.
Hi @vsekar7
ISC doesn’t currently support a custom condition to run attribute sync only for one source (Workday) or only for “active/enabled cubes.”
Attribute sync is evaluated at the identity state level.
What you can control
-
Active + Inactive (short‑term) → attribute sync can still run.
-
Inactive (long‑term) → excluded from automatic attribute sync (but admins can still force it,
to meet the intent:
-
If these users are truly terminated/disabled: move them to Inactive (long‑term) via your lifecycle/identity-state mapping so they stop participating in automatic sync.
-
**If you must keep “Inactive (short‑term)”**you can’t stop the sync engine, but you can stop the unwanted updates by making the identity profile mapping conditional (e.g., conditional transform: when inactive‑short‑term → return existing value / don’t change). This avoids Workday overwriting attributes even if processing occurs
is iportant to mentioned : manual source attribute sync / manual profile processing can still sync everything regardless of long‑term inactive, as mentioned above
You May like to check the below documentation and links for more information about the topic
-
Lifecycle/Inactive long‑term behavior + “Synchronize Attributes” exception: https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html
-
Conditional transform (for “freeze updates” logic): https://developer.sailpoint.com/docs/extensibility/transforms/operations/conditional/
-
Attribute sync basics: https://documentation.sailpoint.com/saas/help/provisioning/attr_sync.html
Regards
Amr