FIM 2010
Hello. In FIM 2010 I have configured an MPR that calls an approval workflow when a user is created on the portal. When a user with administrator privileges in FIM creates a user on the FIM portal, an e-mail arrives at the user responsible for the decision, who either accepts or rejects the creation of the user on the FIM portal. If the user is created on the FIM portal by the FIM agent (the Built-in Synchronization Account), the user is created and the request is approved automatically; no e-mail asking to accept or reject the creation of the user comes to the user responsible for the decision. How can this be fixed? The user should be created on the FIM portal only after approval, no matter who creates it on the portal, a user or the FIM agent.
July 5th, 2012 9:57am

Why do you want to restrict the synchronization account? It should only be creating the user in the portal if the user exists in the sync engine's metaverse, and Microsoft considers the portal to be a mirror copy of the object types/attributes that are linked between them. If there is a way to restrict the synchronization account, you would need to examine and modify the MPR(s) that grant permission to the synchronization account to be able to create and manage objects it synchronizes. However, I've never heard of an approval workflow being applied to the sync account's operations and I would expect to see errors when you export on the FIM MA. Without knowing more about your scenario, I suspect what you really need to do is put in an approval workflow for the MPR that adds a sync rule to an object that creates an actual account for a user. The fact that the user is in the portal doesn't give them access to anything. It is when they get an account in Active Directory (or your ERP system, or whatever) that their identity data has meaning. Chris
July 5th, 2012 4:57pm

Hello. My scenario is as follows:
1) There are two Active Directory domains (an account domain and a resource domain). The FIM server is located in the resource domain.
2) User accounts, security groups and distribution groups must be synchronized from the account domain to the resource domain.
3) Before accounts or groups are created in the resource domain (from the account domain), the administrator of the resource domain needs to confirm the operation.
4) On the FIM server a script runs that automatically synchronizes the accounts and groups from the account domain to the resource domain.
5) The FIM server has the following configuration (described briefly):
a. Sets, an inbound synchronization rule (from the account domain) and an outbound synchronization rule (to the resource domain).
b. Three workflows:
i. Creation of a user in the resource domain (the outbound synchronization rule to the resource domain).
ii. A notification workflow to inform the resource domain administrator of the creation or deletion of users.
iii. An authentication workflow requesting the resource domain administrator to approve the creation of a user.
c. An MPR (named Test) that starts my workflow (Test) to create a user in the resource domain (after a user is created on the FIM portal), the notification workflow to inform the resource domain administrator when a user is created or deleted, and the authentication workflow to request that the resource domain administrator approve the creation of the user.

If the user is created on the FIM portal by the FIM agent (Built-in Synchronization Account) through an export operation on the FIM agent:
1) After the user is created on the FIM portal, my MPR is applied to it. In the FIM log (Requests & Approvals) I see 2 applied rules:
a. My MPR Test (with three workflows).
b. The system MPR "Synchronization: Synchronization account controls users it synchronizes" (authentication workflow).
2) My authentication workflow requesting the resource domain administrator to approve the creation of the user shows, in the approval information (FIM log, Requests & Approvals), that it was automatically approved! The e-mail with the request to create the user does not come!
3) After further synchronization, the user is created in the resource domain.

If the user is created on the FIM portal by the FIM administrator (create user operation):
1) When the user is created on the FIM portal, my MPR is applied to it. In the FIM log (Requests & Approvals) I see 2 applied rules:
a. My MPR Test (with three workflows).
b. The system MPR "Synchronization: Synchronization account controls users it synchronizes" (authentication workflow).
2) A request comes to the administrator to confirm the creation of the user on the FIM portal. If the responsible administrator approves, the user is created and synchronized to the resource domain.

I disabled the MPR "Synchronization: Synchronization account controls users it synchronizes" (authentication workflow), but then the FIM agent (Built-in Synchronization Account) could not create a user on the FIM portal. I want the administrator of the resource domain to control (confirm or reject the request for) the creation of users in the resource domain. How can this be done? For example, if the administrator of the account domain mistakenly creates or deletes 500 users in the account domain.
July 6th, 2012 4:59am
