Identity Attribute email change is not getting triggered

Hi Team,

I am facing one weird issue with identity attribute change, as mentioned below:

We have written a workflow to sync Workday email attribute. The trigger is Identity Attribute Change for email.
We have observed that for a few users, the workflow is not getting triggered. The identity attribute email is set using a firstValid transform which initially sets the email to none, and once the AD account (part of dynamic role assignment) is created, it will be set to the AD email, and this change in the email triggers the workflow.
But for those identities, we checked the identity snapshot and observed that the first snapshot contains email set to the actual AD email rather than none, hence the change is not sensed by IdentityNow.
Could someone help me here with what the issue could be?

I’m assuming your firstValid transform has the email before the “none” and if so, most likely there is an AD account being correlated to the identity immediately which gets used as the email address vs. “none”.

First thing to check is the correlated accounts for these identities to confirm if they’re getting an AD account correlated (maybe incorrectly from a prior existing account?).

How do you check the identity snapshot? Via the workflow trigger payload?

Thank you @edmarks for your quick reply.
Yes, the AD email comes before the “none” in the transform. These identities are new hires and ISC has created the AD account for this user as a part of dynamic role assignment. Looks like the AD account might have correlated immediately before ISC sets none to Identity attribute email.
Could you please provide me a direction to handle this scenario?

I’ve synched email back to Workday previously via the attribute sync functionality. I think this would be the preferred writeback option (configuring attribute sync for Workday) vs. using a workflow/trigger.

Thank you @edmarks for your reply. Actually, we have used a workflow to handle a few conditions which cannot be handled using attribute sync.
I was thinking of using the “Source Account Created” trigger to sync the Workday email if the AD account is created and Workday still hasn’t been updated with the email. However, it looks like the “Source Account Created” trigger is mentioned in the documentation, but is not present in the workflow.
Could you please suggest any alternate option to handle this scenario?

Hi @gauravsatyawanb,

Maybe you should consider making use of separate workflows - Identity Created & Identity Attributes Changed, so that both of your conditions can be taken care of.

I’d favor using attribute sync for the email and only use workflows where attribute sync isn’t an option. Without knowing more specifics it’s hard to provide a “good” recommendation, but knowing email can change over time I’d use attribute sync for this unless there’s a compelling reason not to do this.

I favor using the standard functionality as much as possible because anything “custom” (including workflows, PowerShell exits, etc.) all make the solution harder to maintain in the long term. In this case - use attribute sync where possible and only resort to workflows where there are no other options.

Thank you @jesvin90 for your inputs. I think this is the best way to address such use cases.
