Restrict Attribute Sync

maheshtare · October 9, 2023, 11:49am

Hi Folks,

Would like to get your expert opinions on how to achieve following attribute sync requirement

We have SuccessFactors as a HR source and creating AD account as a birth right application. We are using attribute sync to update AD attributes based on change in SF details. However, we would like attribute sync to work only for specific set of users ex. department=HR. Is it possible?

sharvari · October 9, 2023, 12:11pm

Hi Mahesh,

Sailpoint currently doesn’t support restricted/conditional/filtered attribute sync.

To achieve this you can either utilize the Update Provisioning policy of AD source and use a transform to check Dept value before updating attribute Or you could do the same using a Before Provisioning Rule.

MVKR7T · October 9, 2023, 12:52pm

As @sharvari mentioned, no you cannot restrict sync like that. But there are ways

Add a Transform with condition, if department is HR then read data from AD account if not then read data from HR account.
With this approach, you will have same values for identity attribute and AD account attribute, so nothing to sync for HR department users. For other users, if data is different sync will trigger.

Only con here is you might need to create additional identity attributes but better than Before Provisioning Rule. What if you need to remove all the Attribute Requests in the Plan, that looks ugly rite and is cloud deployment, where as Transform is in your control.

Thanks
Krish

patrickboston · October 9, 2023, 2:10pm

This is only possible via API today via the following /cc endoint: Postman

RAKGDS · October 10, 2023, 6:20am

Hi Patrick,
Could you please elaborate how can we achieive the requirement using the API ?

sivakrishna_1993 · October 30, 2023, 3:03am

Hi Mahesh,

In Transform we can exclude/Include the user by using accountPropertyFilter, please find below screenshot.

For more information please find below link:

sivakrishna_1993 · October 30, 2023, 3:07am

Oh sorry, i am using web-service connector for SuccessFactors.
If you are looking for Direct SF connector. need to check.

sivakrishna_1993 · October 30, 2023, 6:33am

Hi Mahesh,

I checked this approach will work for you as well. In Identity Profile add one attribute and tag your transform and use the same in SF Provisioning policy account mapping.
As @sharvari & @MVKR7T Said,
Just add the condition in the Transform as i posted initially. For required attribute which needed to sync back to SF.

Thanks,
Siva.K

system · December 29, 2023, 6:33am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Attribute Sync - IND trying to update with incorrect Attribute name ISC Discussion and Questions	6	2158	July 19, 2023
SAP Success Factor attributes do not sync to Active Directory via SailPoint IIQ IIQ Discussion and Questions aggregation , identityiq , provisioning , access-profiles , attributes , connectors	25	593	December 31, 2023
Sync for Some Users for Source ISC Discussion and Questions identity-security-cloud , provisioning	7	232	January 28, 2024
POST /api/source/setAttributeSyncConfig Non-Public API Deprecations deprecated	3	310	January 11, 2024
Preview role and attribute sync changes with PowerShell Video Library identity-security-cloud , developer-days-2024-isc , developer-days	0	351	March 25, 2024

Restrict Attribute Sync

Related Topics