DRE scoped to SR it's based upon?
Hey, I'm playing around with DREs in a test environment where I want to kick off a workflow when the account "exists" in AD. So I checked "use as existence test" on one of my outbound SRs for the sAMAccountName attribute. Now the weird thing: the DRE objects are being generated and exported to the Portal, but for all AD accounts. I mean I've got several SRs for different "user account types", and all of them are getting the DRE for my modified SR. Of course they all have a sAMAccountName flow which would match the DRE condition, but I would think the DRE is only added if the SR is in fact applied to the object. Am I correct, or is what I'm seeing "by design"? Kind regards, Thomas http://setspn.blogspot.com
October 22nd, 2012 7:53am

Not a clue on your scenario, but I use a simple solution for this scenario. Create a boolean attribute called "existsAD" and flow "true" to it in your sync rule. My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
October 25th, 2012 6:20pm

Brian's suggestion is right and this will be a simple solution; however, one word (or a few) on this one: (...) Of course they all have a sAMAccountName flow which would match the DRE condition, but I would think the DRE is only added if the SR is in fact applied to the object. (...) Nope - it will be created when the conditions for detecting the rule being applied will apply. Imagine a scenario where you have an SR and you want to execute a correction action if you detect that someone has this rule applied where it should not be (has an AD account in a given forest or domain where it should not be provisioned). Because in case the detection rule is applied you will get a DRE which will allow you to execute some action. Just to put some light on the reasoning for that (or at least my understanding of it :) ). Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl
October 25th, 2012 7:06pm

Yes, I agree. A DRE gets applied the moment an object is "detected" in the external system meeting that criteria. I am a strong proponent of using DREs instead of the approach which Brian brought up. It keeps the schema clean and avoids the clutter which these flags would otherwise result in. It's my opinion that DREs, when used correctly, make the FIM Service truly code-less, and one can make authoritative decisions, as the existence/absence of a DRE is more reliable than some arbitrary attribute-based flags/logic which can be messed with. Thanks & Regards, Jameel Syed | Managing Partner | Credexo, Inc - Your window into simplified identity | jameel.syed@credexo.com | http://www.credexo.com
October 27th, 2012 6:14am

As the first replies didn't come fast enough, here I also came to the thought of using some attribute in the MetaVerse being populated by AD. Way simpler to understand and thus easier to manage. Besides that, I also dodge having to export 27.000 DRE objects to the portal.... Thanks for the feedback! http://setspn.blogspot.com
October 27th, 2012 7:59am
