
Attribute Synchronization


In this blog, we will explore the process of attribute synchronization using RSA Governance & Lifecycle (RSA G&L), focusing on how it ensures consistency between user identity data and account data across various downstream systems. By automating the synchronization of attributes such as roles, email addresses, and group memberships, RSA G&L simplifies identity management, reduces errors, and ensures that all connected systems maintain accurate and up-to-date information.


This process is initiated when changes in user attribute values are detected after identity data collection and unification. When such changes occur, the system generates a change request to update the specified target account attributes, which are used to access business sources like applications and directories. The attribute synchronization process can target one or more downstream applications.

For example, when a user's email attribute in an HR system is linked to the mail attribute of the corresponding Active Directory account, a mapping can be established so that any update to the user's email is automatically reflected in the Active Directory account. This requires defining both the source and target attributes for each business source and determining the transformation method needed to update the target attribute accurately.

When a change is detected, G&L generates a change request containing one change item per mapped business source for each of the changed user's accounts in that business source.

For example, in the previous scenario, if a user's email address changes in the HR system and attribute synchronization has been mapped for both Active Directory and an Oracle database, a change request will be generated containing two change items: one for updating the email in Active Directory and another for updating it in the Oracle database.

Notes
  • This is an optional feature that must be explicitly enabled before it can be configured.
  • Attribute synchronization is applicable only to accounts held by individual users and does not extend to shared accounts.
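To make the fan-out described above concrete, here is a small model of how a detected identity change becomes a change request: one change item per mapped business source for each account the user holds there, with shared accounts skipped and an optional single-attribute transformation applied. This is an added illustration, not RSA G&L code, and every user, account, mapping and value in it is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Mapping:
    source_attr: str                  # user attribute, e.g. "Email Address"
    business_source: str              # target application or directory
    target_attr: str                  # account attribute on that business source
    transform: Optional[Callable[[str], str]] = None  # optional single-attribute transformation
@dataclass
class Account:
    business_source: str
    name: str
    owner: Optional[str]              # None models a shared account with no individual owner
@dataclass
class ChangeItem:
    business_source: str
    account: str
    attribute: str
    new_value: str

def detect_changes(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, str]:
    """Attributes whose value differs after identity collection and unification."""
    return {k: v for k, v in after.items() if before.get(k) != v}

def build_change_request(user: str, before: Dict[str, str], after: Dict[str, str],
                         mappings: List[Mapping], accounts: List[Account]) -> List[ChangeItem]:
    """One change item per mapped business source, per account the user holds there."""
    items = []
    for attr, value in detect_changes(before, after).items():
        for m in (m for m in mappings if m.source_attr == attr):
            new_value = m.transform(value) if m.transform else value
            for acct in accounts:
                # shared accounts (owner None) and other users' accounts are skipped
                if acct.business_source == m.business_source and acct.owner == user:
                    items.append(ChangeItem(m.business_source, acct.name, m.target_attr, new_value))
    return items
# Constructed sample data: an HR email change mapped to AD and an Oracle database
MAPPINGS = [
    Mapping("Email Address", "Active Directory", "mail", str.lower),
    Mapping("Email Address", "Oracle Database", "EMAIL"),
    Mapping("First Name", "Active Directory", "givenName"),   # unchanged, so no item
]
ACCOUNTS = [
    Account("Active Directory", "jdoe", "jdoe"),
    Account("Oracle Database", "JDOE", "jdoe"),
    Account("Active Directory", "svc-shared", None),          # shared: never synchronized
    Account("Active Directory", "asmith", "asmith"),          # another user's account
]
BEFORE = {"Email Address": "jdoe@old.example", "First Name": "Jane"}
AFTER = {"Email Address": "Jane.Doe@New.example", "First Name": "Jane"}
```

Running `build_change_request("jdoe", BEFORE, AFTER, MAPPINGS, ACCOUNTS)` yields exactly the two change items the text describes, and the same call with `AFTER` as both snapshots yields none.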

After understanding how attribute synchronization works, let's examine the high-level steps to configure it in your Governance and Lifecycle (G&L) environment.


Configuration

  1. Go to Admin > System and click the Settings tab. Click Edit.
  2. Ensure the Account Data Controller (ADC) for the application has the required attributes defined and properly mapped.
  3. Go to Collectors > Attribute Synchronization and, for each target application attribute, map a source user attribute.
    Example:
    • Click on Email Address in the Source User Attribute table.
    • Click on New.
    • Select the application and the account attribute and click OK. Optionally, define a transformation for the attribute before it is sent to the target.
  4. Finally, ensure that the Update an Account verb for the mapped AFX connector has been defined and the attributes are properly mapped.

Limitations

  • Attribute synchronization relies on mapping user attributes to account attributes. Due to limitations on the availability of account attributes, there is a maximum of 20 string attributes, 5 date attributes, and 5 integer attributes that can be used for synchronization.
  • Transformations can be applied to individual attributes but cannot combine multiple attributes. For example, converting all First Name values to lowercase is possible, but creating a Display Name by combining first name and last name is not supported.