Share all details about your problem, including any error messages you may have received.
The customer reported that they are using an IIQ identityAttributeTarget rule to update the Email attribute in SuccessFactors during an identity refresh using the Synchronize Attribute option. They discovered that IIQ continues to update the Email attribute in SuccessFactors even when there is no change to the identity’s email value in IIQ.
The customer would like the synchronization to update the email in SuccessFactors only when there is a delta change in IIQ. They are asking whether IIQ is behaving as expected, and how to have IIQ sends the update only if the identity’s email is changed in IIQ.
To confirm, when IIQ continues to update the email in SuccessFactors, is the identity email the same as the value in Success Factors? Or email was natively changed in Success Factors so it’s not in sync with the identity email
Hi,
The easiest fix would be you update the identityAttribute Target rule, where you basically get the identity current email, and the account currents email from the link, and then only return the value if there’s change, else return null.
@jxu1 Returning null may pass the value without transformation or will try to set null value (as per the documentation: “The transformed value will be pushed to the target. If null is returned, then null will be pushed to the target.”). Please check if there is a mismatch of value between Successfactor vs what you have in IIQ. Also, if IIQ is actually updating or it is filtering out.
Note: Found a fix? Help the community by marking the comment as solution. Feel free to react(, , etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.
Hi @jxu1, this should be handled as follows: I assure you there are differences between the identity email value and the email value available at the link level, such as extra spaces. Please trim, or if some domain changes, construct to match the target before returning
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
Log logger = LogFactory.getLog("");
String returnValue = null;
try {
if(null != value && value.trim().length() > 0) {
returnValue = value;
}
} catch(Exception e) {
logger.error("Rule Name || Error occured while transforming value for " + sourceIdentityAttributeName + " --> " + e.getMessage());
}
logger.debug("Rule Name || Return Value for " + sourceIdentityAttributeName + " --> " + returnValue);
return returnValue;
Yes, both are the same. The email in SF is updated by IIQ and SF does not change it. Customer runs SF aggregation daily and AD account aggregation daily too. Then identity refresh task with Synchronize Attribute option is executed.
That is what we have tried with no luck. We compared the IIQ email to SuccessFactors link email if they are different. For the same email to IIQ and SF, we tried to send SF email back to SF but IIQ does not filter it out. The transaction log showed the email sent to SF and the same email updated in SF. We even tried to use the email within the triggerSanpshot to send back with no luck.
We used very similar transformation rule like yours. When IIQ returns null value to SF, it raised lots of “Failed” errors that make the customer concerns. I wonder if that is IIQ default behavior and if it does, I then let them know.
If it is not being filtered on provisioning, that would imply that there is a difference even if minimal
Have you confirmed the typing and case are the same for both the identity attribute and target attribute? I’ve seen issues before where the application expects a single member list, and the identity attribute is a string (as an example) causing that daily provisioning request to occur
The rule used in PROD attached. The space is trimmed before the comparison. The case is sensitive and treated as the change. However, customer reported the email updated without a change. Very odd. Thanks.
@jxu1 I tested this in one of the demo app: PRISM. If values are same, IIQ is not even trying to send. No entry in Provisioning Transaction and no logs. Seems it is specific to SF app.
Could you please also confirm, if the transaction is initiated by Refresh task: Synchronization Attributes or some other options/modules initiated it?
Here is the case reported during the test. In audit log. the source “unknown” says Identity attribute Email changed originally from Active Directory application during attributeSync, and the change provisioned to Employees (SuccessFactors) application by the transformation rule. However the value of ad mail, identity email, and SF primaryemailaddress are identical. We expect IIQ filtered the change but it’s not.
Hi @jxu1 , I would recommend that you print a plan during the identity refresh in SuccessFactor after providing the rule and see. Share it here so that the issue can be checked in a better way.
, 
, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.
