Identity Cloud

Synchronization actions

When an object has been assigned a situation, the synchronization process takes the configured action on that object. If no action is configured, the default action for that situation applies.

The following actions can be taken:


CREATE

Create and link a target object.

UPDATE

Link and update a target object.

DELETE

Delete and unlink the target object.

LINK

Link the correlated target object.

UNLINK

Unlink the linked target object.

EXCEPTION

Flag the link situation as an exception.

Do not use this action for liveSync mappings.

In the context of liveSync, the EXCEPTION action triggers the liveSync failure handler, and the operation is retried in accordance with the configured retry policy. This is not useful because the operation will never succeed. If the configured number of retries is high, these pointless retries can continue for a long period of time.

If the maximum number of retries is exceeded, the liveSync operation terminates and does not continue processing the entry that follows the failed (EXCEPTION) entry. LiveSync is only resumed at the next liveSync polling interval.

This behavior differs from reconciliation, where a failure to synchronize a single source-target association does not fail the entire reconciliation.

IGNORE

Do not change the link or target object state.

REPORT

Do not perform any action but report what would happen if the default action were performed.

NOREPORT

Do not perform any action or generate any report.

ASYNC

An asynchronous process has been started, so do not perform any action or generate any report.

For more information on how to configure the situations and actions to take in the IDM admin UI, refer to Configure situations and actions using the IDM admin UI.

Launch a script as an action

In addition to the static synchronization actions described previously, you can provide a script to run in specific synchronization situations. You can specify the script inline (with the "source" property).

The following excerpt of a sample mapping specifies that an inline script should be invoked when a synchronization operation assesses an entry as ABSENT in the target system. The script checks whether the employeeType property of the corresponding source entry is contractor. If so, the source entry is ignored. Otherwise, the entry is created on the target system:

    {
        "situation" : "ABSENT",
        "action" : {
            "type" : "text/javascript",
            "globals" : { },
            "source" : "if (source.employeeType === 'contractor') {action='IGNORE'} else {action='CREATE'};action;"
        }
    }

The following variables are available to a script that is called as an action:

  • source

  • target

  • linkQualifier

  • recon (where recon.actionParam contains information about the current reconciliation operation)

For more information about the variables available to scripts, refer to Script variables.

The result obtained from evaluating this script must be a string whose value is one of the synchronization actions listed in Synchronization actions. This resulting action is shown in the reconciliation log.
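An offline harness for exercising an action script before it goes into a mapping, added here as an example and not ForgeRock code: it evaluates the policy's inline source with the script variables listed above and rejects any result that is not a valid action string. Assumptions: Node's vm module stands in for the IDM script engine, the function names evaluateActionScript and checkPolicy are hypothetical, and the sample source entries are constructed.

```javascript
// Added example: offline check for an IDM action script (not ForgeRock code).
const vm = require("node:vm");

// Action names a script may return (the static synchronization actions).
const VALID_ACTIONS = new Set(["CREATE", "UPDATE", "DELETE", "LINK", "UNLINK",
  "EXCEPTION", "IGNORE", "REPORT", "NOREPORT", "ASYNC"]);

// Evaluate the policy's inline "source" with the variables the page lists.
// Node's vm stands in for IDM's script engine (assumption); it is a test
// convenience, not a security boundary, so only run scripts you maintain.
function evaluateActionScript(policy, bindings) {
  const context = {
    ...policy.action.globals,
    source: bindings.source,
    target: bindings.target ?? null,
    linkQualifier: bindings.linkQualifier ?? "default",
    recon: bindings.recon ?? { actionParam: {} },
  };
  const result = vm.runInNewContext(policy.action.source, context, { timeout: 1000 });
  if (typeof result !== "string" || !VALID_ACTIONS.has(result)) {
    throw new Error(`script returned invalid action: ${JSON.stringify(result)}`);
  }
  return result;
}

// Run the script over constructed entries and flag results that must not
// be used on a liveSync mapping (EXCEPTION, per the warning above).
function checkPolicy(policy, sampleSources, { liveSync = false } = {}) {
  return sampleSources.map((source) => {
    const action = evaluateActionScript(policy, { source });
    return { id: source._id, action, unsafeForLiveSync: liveSync && action === "EXCEPTION" };
  });
}

// The ABSENT policy from the page, plus constructed sample source entries.
const absentPolicy = {
  situation: "ABSENT",
  action: {
    type: "text/javascript",
    globals: {},
    source: "if (source.employeeType === 'contractor') {action='IGNORE'} else {action='CREATE'};action;",
  },
};
const samples = [
  { _id: "u1", employeeType: "contractor" },
  { _id: "u2", employeeType: "employee" },
  { _id: "u3" }, // no employeeType: falls through to CREATE
];
console.log(checkPolicy(absentPolicy, samples, { liveSync: true }));
```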

To launch a script as a synchronization action using the IDM admin UI:

  1. From the IDM console, click Native Consoles > Identity Management.

  2. From the navigation bar, click Configure > Mappings, and click the mapping to edit.

  3. Click the Behaviors tab, and expand the Policies node.

  4. Click the edit button for the situation action to edit.

  5. On the Perform this Action tab, click Script, and enter the script that corresponds to the action.

  6. Click Submit, and then click Save.

Copyright © 2010-2024 ForgeRock, all rights reserved.