Identity Refresh provisions Email to Workday without any change

Hi,

In my IIQ environment, we have configured target mappings for Email to Workday, so the Identity Refresh task is provisioning Email from SailPoint to Workday even though there is no change or update on the Identity email, and it's running every alternate day to update the same.

Can someone help me, or does anyone have any idea why it's frequently updating it?

Thanks
Prashanth

@PrashRV if you added sync in refresh, then it will always go for an update, but it will be filtered if the value is the same.

Synchronize attributes
This option is used to turn on attribute synchronization from IdentityIQ to applications that are configured as targets for identity attribute synchronization.  This option causes IdentityIQ to provision out identity attributes that have target mappings.  This causes IdentityIQ to evaluate attribute target mapping rules and if there are any differences between the value on the target application's link correlated to the Identity create a provisioning plan for that target application's connector.

Understanding identity refresh options - Compass


@ Prashanth RV

I am hoping you will see items filtered most of the time, so you can ignore it. It's normal.

Let me know if you have more questions.

Prashanth,

In my experience it’s important to limit the number of identities to be refreshed when the Identity Refresh job runs. This is done by checking the “Refresh only identities marked as needing refresh during aggregation” checkbox on the identity refresh task. This also has to be done in coordination with account aggregations that provide optimization. Say you have 100,000 identities and only 500 of them change per day. You want to only refresh the 500.

As the others mentioned, attribute sync is done by the Identitizer and it refreshes every field on every active link, every time an identity is refreshed. What saves the system from over-provisioning is the filtering mechanism of the plan compiler. There’s no danger or harm to generate a plan and have every field filter, that basically nullifies the process.

Where developers get in trouble, is when they try to use dates to trigger business processes. For example you have a process that kicks off when a user’s termination date = today, or even termination date <= today (just in case you missed a refresh). In that situation you are forced to perform a refresh on every user at least once a day, to see if the user’s termination date has “hit”. A lot of integrators using the SSF did exactly that and I have had to deal with that so many times.

A better design only refreshes a user when a connector indicates that something has changed on a source. And then you have two choices for terminations and transfers, either a hard flag where the action is immediate, or if you are stuck with dates, then you have to create a forward scheduled workflow using the Request Processor.


@PrashRV ,
The attribute sync is a case-sensitive job. If there is a difference of case between the identity attribute value and the target value, IIQ will try to push the change.
A couple of things to check:

  1. Make sure you are passing the value as it is in IIQ (no customization).
  2. No automatic case update in Workday after a value is updated.
  3. IIQ generates the plan for all attributes that have a target mapping; however, most of it gets filtered if there is no change.

Hope this helps.

@PrashRV if it is sending every alternate day, then there is some change or case issue before and after, so you run aggregation, then refresh, then the next aggregation and refresh. Between aggregation or refresh, some value that we were getting from Workday is getting changed.
I suggest you check the refresh task; attribute sync you can run only once a day.
Check if there is any case issue or value change from the identity.
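
An added example, not part of the thread and not SailPoint code: a small check for the case issue the last two replies describe, run over successive refresh cycles to find identities whose email never changed in IIQ but still fails an exact, case-sensitive comparison with the Workday link value every time. The snapshot layout and all values are constructed assumptions, and the whitespace check goes beyond the case difference the replies mention.

```python
from collections import defaultdict

# Constructed sample: (cycle, identity name, IIQ identity email, email on the
# Workday link after aggregation). Not real data; the layout is an assumption.
SNAPSHOTS = [
    (1, "jdoe",   "John.Doe@example.com", "john.doe@example.com"),
    (2, "jdoe",   "John.Doe@example.com", "john.doe@example.com"),
    (3, "jdoe",   "John.Doe@example.com", "john.doe@example.com"),
    (1, "asmith", "a.smith@example.com",  "a.smith@example.com"),
    (2, "asmith", "a.smith@example.com",  "a.smith@example.com"),
    (1, "bwong",  "b.wong@example.com",   "b.wong@example.com "),
    (2, "bwong",  "b.wong@example.com",   "b.wong@example.com "),
    (1, "clee",   "c.lee@example.com",    "clee@old.example.com"),
    (2, "clee",   "c.lee@example.com",    "c.lee@example.com"),
]

def classify(identity_value, link_value):
    """Explain why an exact, case-sensitive comparison sees a difference."""
    if identity_value == link_value:
        return "in_sync"            # plan item would be filtered
    if identity_value.strip() == link_value.strip():
        return "whitespace_only"
    if identity_value.strip().lower() == link_value.strip().lower():
        return "case_only"
    return "different"              # a genuine change to push

def repeat_syncs(snapshots):
    """Return {identity: reason} for identities whose identity value never
    changed, yet every cycle still shows the same cosmetic mismatch."""
    by_identity = defaultdict(list)
    for cycle, name, id_val, link_val in sorted(snapshots):
        by_identity[name].append((id_val, classify(id_val, link_val)))
    flagged = {}
    for name, rows in by_identity.items():
        values = {v for v, _ in rows}
        reasons = {r for _, r in rows}
        if len(rows) > 1 and len(values) == 1 and len(reasons) == 1:
            reason = reasons.pop()
            if reason in ("case_only", "whitespace_only"):
                flagged[name] = reason
    return flagged

if __name__ == "__main__":
    for name, reason in repeat_syncs(SNAPSHOTS).items():
        print(f"{name}: pushed every cycle, mismatch is {reason}")
```

Identities flagged here are the ones to compare against the target mapping and against any case normalization Workday applies after an update.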