FIM 2010 AD User Outbound Sync Rule WorkFlow
Thanks Desmond for the response.

Changes:
- Created new Set All Graduate Students and verified members... Good.
- Created new Sync Rule Remove workflow and applied it to the Outbound Sync Rule that creates the AD Users.
- Created new MPR Transition In for All Graduate Students, and under Action workflows it is checked for the new Sync Rule Remove.

These are the results: The 84 graduates that have been updated in the Student Info. system so far show up in the FIMMA Sync only as:
- FIMMA Sync as 'Provisioning Disconnects' under Outbound Sync
- FIMMA Sync as 'Projections' and 'Metaverse Object Deletes' under Inbound Sync

Still can do a Metaverse Search and see those 84 Graduates??? Doesn't affect AD at all....

Assume I need to change the Deprovisioning Options under Configure Deprovisioning of the ADMA to be a "Stage a delete on..." option, for the above action to affect AD?
May 23rd, 2012 10:16am
Your last statement is part of it ... if you retain your "Make them Disconnectors" setting then the disconnector will effectively be quarantined in your AD connector space and potentially rejoined at a later point. You definitely need the "Stage a delete on next export" option selected.

So even then you still sound confused about the metaverse search returning 84 graduates. Your MV object will not disappear at this point, even if you specify "stage a delete" for your AD MA like you need to, unless you specify an object deletion rule which triggers on the removal of your AD connector. Be careful when you specify this ... as this may not be what you want. If you wish to delete your MV object, then FIM will want to either delete your FIM server record too, or immediately re-project it (depending on whether or not you have specified "Stage a delete on next export" on the FIM MA too).

Perhaps you should think about what to do with your graduates longer term ... e.g. retain them in FIM for an extended period before allowing them to be deleted by another (temporal) set transition MPR, say 3 months later?

Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
May 23rd, 2012 11:19am
Educational Environment
FIM 2010 Version 4.0.3594.2

Following the concepts in these articles:
- http://technet.microsoft.com/en-us/library/hh859718%28v=ws.10%29.aspx
- http://technet.microsoft.com/en-us/library/ff608273%28WS.10%29.aspx
- http://social.technet.microsoft.com/wiki/contents/articles/understanding-deletions-in-ilm-2007.aspx

ISSUE: Have codeless provisioning set up via FIM portal into AD from an authoritative SQL database for Students. Security Groups are managed and OUs are also managed via FIM Sync Rules and Custom (IFF....) statements based on school enrollment. I now need to deprovision users from the system based on the Enrollment Status attribute (Graduate).

I attempted to add an Activity to an existing workflow for the above Sync Rule to remove based on the Attribute Value of "Enrollment Status" ... Remove Value if "Graduate". So far it has had no errors nor any effect on the users in the FIM Portal or in AD, which I need them to be removed from based on this attribute. I am missing a puzzle piece somewhere?

If I look at one of the Affected Objects I don't see any changes in the "Expected Rule Entry Action" in the Expected rules list for that object. No "Pending" actions.

The authoritative SQL server MA, FIM MA, and the AD MA all have Deprovisioning set to "Make them Disconnectors". At one point I tried a number of different ways, checking and unchecking the "Stage a delete" option along with "Configure Object Deletion Rule". Running a preview... never really getting the results I desired.

Do you have to have a separate Sync Rule to accomplish this process along with corresponding components: Set, MPR, Workflow? Or can it all still be configured in the Sync Rule I am using currently?
May 23rd, 2012 11:43am
The way I would do this is create a Set for Graduates (so Attribute = "Graduate"), and then create a workflow with the Sync Rule Remove activity. Set the MPR to fire when they transition into the set.

My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
May 23rd, 2012 3:05pm
Thank You UNIFYBob! Do you know of a document that gives details of your last statement? How to set the time limit for these FIM MA objects? I didn't see anything obvious to me about adding the time constraints to a Set Transition MPR as with your example of 3 months.
June 3rd, 2012 12:52pm
That's because (unfortunately) there's no default "last modified date" with which to build a temporal set. So ... you need to set a datetime value into a custom binding in the FIM Portal on the object just before you disconnect ... and I wish I could tell you there's an easier way to do this but the method I use involves using a custom workflow activity :(.

Have a look at the Tools4FIM workflow library as there may be something in there for this ... my workflow grabs the CreatedTime from the Request object and saves it to [//Target/myCustomBinding], but I don't believe the FunctionEvaluator can do that for you (if anyone can tell us otherwise I'd be grateful to know!).

Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
June 3rd, 2012 6:21pm
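
Added example, not part of the original thread and not any poster's own configuration: the two Set filters the replies describe, written in the FIM portal's XPath filter dialect. The system name `EnrollmentStatus`, the use of `myCustomBinding` as a DateTime attribute bound to Person, and 90 days as a stand-in for "3 months" are assumptions.

```xpath
(: Comments are annotations for the reader; enter only the filter expressions in the Set definition. :)

(: Set "All Graduate Students": criteria-based membership on the enrollment attribute.
   EnrollmentStatus is an assumed system name for the "Enrollment Status" attribute. :)
/Person[EnrollmentStatus = 'Graduate']

(: Temporal set for graduates past the retention window: the stamp written by the
   custom workflow activity at disconnect time is at least 90 days old.
   myCustomBinding is the attribute named in the thread; P90D is an assumed
   approximation of the suggested 3 months. :)
/Person[(EnrollmentStatus = 'Graduate') and (myCustomBinding <= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P90D')))]
```

A Transition In MPR on the second set is where the later cleanup workflow would attach, separate from the MPR that fires Sync Rule Remove on the first set.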