I have some existing users, and I want to create a new "export-only" management agent to dump some users' data to a database. I created an outbound Synch-Rule that creates the objects in the connected system and exports the attributes I need, then I created the associated Workflow. Finally, I configured an MPR that triggers the workflow whenever a new user is created or one of the relevant attributes changes. Everything works fine if I create a new user or modify a user's attribute; but how can I export the existing users to the new data source? If no attribute is changed, no Expected Rule Entry will be created for them... Thanks, PaoloPaolo Tedesco - http://cern.ch/idm

Just making sure - for provisioning, the preferred method is to use set transition MPRs. Try disabling / enabling the related MPR. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Hi Markus, thanks for your answer! So, if I understood correctly I should: Check "run on policy update" for the Workflow Create a transition MPR that is triggered on transition-in to "All Users", and that triggers the workflow Disable and enable the MPR Is this correct? In any case, updating values will still require a request based MPR triggered when one of the attributes change, right? Why do you say that transition MPRs are to be preferred for provisioning? Cheers, PaoloPaolo Tedesco - http://cern.ch/idm

You can find a better explanation in Designing Business Policy Rules. In essence, it makes more sense to separate requests for updating data from state transitions. If you take one of the classic cases - provisioning based on the employeeType attribute - you will probably have a request based MPR to handle who is allowed to update certain user attributes including the employeeType. So, if a change happens to the employeeType, you can assume that this change is a valid (authorized) change that has been handled by a RMPR. In this case, it is for provisioning decisions only necessary to react on state changes that are a result of authorized attribute changes. Set transition based MPRs have been specifically introduces to simplify the process of modeling synchronization policies. I don't know enough about your environment to tell you whether "All Users" is the right Set. If members of All Users are supposed to be provisioned to all managed systems, it is the right Set. Disabling and enabling the related MPR of your synchronization policy causes a reevaluation to take place. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thanks Markus, the disable/enable trick did the job. Cheers, PaoloPaolo Tedesco - http://cern.ch/idm