Declarative provisioning multiple connectors via single MA
Here’s my current scenario: Users need to have the capability of updating their profile, entering a pager number and pager email address and selecting a check box to create an associated Exchange contact for other users to send email to their pager. The end result would be that the user’s MV object would have two connected objects through one MA (the standard user and the contact object). This is very easy to deal with in the provisioning extension and I quickly put together a working model to show them. The customer however (like most customers now days), wants to do everything with the synchronization rules. I have the sets, mprs, workflows and sync rules all set up. The users transition in an out of the sets just like they should. When a user transitions into the set to create the pager contact, they get the sych rule added to their ERL, but the ERE get immediately updated to “Not Applied”. I have no idea why and can’t seem to find any error messages or anything else to help me troubleshoot this. I’m flowing all of the correct attributes (the same attributes work in the provisioning extension). Any ideas would be greatly appreciated. Thanks, Mark Mark Creekmore - BlueVault Software http://www.bluevaultsoftware.com
August 31st, 2010 10:33pm

Hi Mark, You could create yourself another declarative synchronization rule that is added to the user when the "flag" is set that maps the person object in the metaverse to the contact object in the AD MA. Components required: Declarative Rule for creating the user account (which you already have) Declarative Rule for creating the contact entry Workflow to add Declarative rule for creating user account (adding user sync rule) Workflow to add Declarative rule for removing user account (removing sync rule - if you're using disconnection/deprovisioning when rules are removed) Workflow to add Declarative rule for creating user contact (adding user sync rule) Workflow to add Declarative rule for removing user contact (removing sync rule - if you're using disconnection/deprovisioning when rules are removed) MPR to add synchronization rule for new user accounts. MPR to remove synchronization rule for user accounts. MPR to add synchronzation rule for new contacts MPR to remove synchronization rule for contacts Set of accounts that require user accounts. Set of accounts that require contacts. That should do it :). B
Free Windows Admin Tool Kit Click here and download it now
August 31st, 2010 10:53pm

All of those items are already there. When the rule that is supposed to create the contact object gets added, it is just changed to "Not applied". I wish it would give me a reason why it's not getting applied, that might simplify things a bit. I think you are missing the fact that the user needs an account and a contact at the same time. Do I have to remove the rule that created the user account in order to create the contact or can they both be there at the same time? I would think that they could both be there, if not, the user object would stop getting updated. Thanks, MarkMark Creekmore - BlueVault Software http://www.bluevaultsoftware.com
August 31st, 2010 11:01pm

If you're continuing to have problems with that scenario, could you simply create another MA to the AD environment that you could use to manage contacts? That way you would have a clear deliniation of what is being managed by which MA and remove the "dual connector" requirement. However, that solution we've discussed seems to be valid although I would have to build a server to test it. Any attribute precedence issues with the contact in AD having higher precedence on the contact attribute flow than FIM? You may have updated the "person" attribute precedence but not the "contact" in the "Metaverse Designer"? And lets not forget the relationship criteria must match and the criteria that you're using must be indexed or they will fail. That gotcha has gotten me on a few occassions. Thanks B
Free Windows Admin Tool Kit Click here and download it now
August 31st, 2010 11:04pm

Having multiple connectors from the same CS is an unsupported scenario in FIM! On the inbound side, you will run into an ambiguous attribute flow error. Have you verified that you don't get additional errors reported during a synchronization run on the target side? The most common case for an unapplied is an issue with the DN. In your test environment, you should first test verify whether your logic for provisioning objects works for each individual object type. This means, create a test user 1 in FIM that will be provisioned as contact and a test user 2 that will be provisioned as user - not both at the same time - before you try to provision a MV object to both types. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation
September 2nd, 2010 1:52pm

I'm surprised that this scenario is not supported. I do understand that there are many potential issues that can occur, but I’ve been doing this for years and the provisioning code easily handles this. My scenarios are normally two different object types, so it’s very straight forward to keep them separate. In this case one is a user and one is a contact. I don’t have any need to import anything in from the contact, so there’s no overlap there. At this point I’ve convinced the customer that using code is the best / safest way to handle this. Thanks for your feedback, Mark Mark Creekmore - BlueVault Software http://www.bluevaultsoftware.com
Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2010 3:51pm

The workaround to this is simply to create another AD MA that manages the contact objects. That keeps you in the "spirit" of the supported connector count per object as well as allows you to define the declarative rules you're looking for. Thanks B
September 2nd, 2010 5:19pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics