FIM Removing members of a group which are not in Metaverse. Is that expected?
Hi, I have come across rather unusual behavior and wanted to run it by you all.

Scenario is as follows:
- AD-MA is configured to read user and group objects from (let's say) 2 containers: Container-1 and Container-2.
- AD-MA has a connector filter on the group object so that ONLY groups from Container-1 are projected to the MV.
- All users from Container-1 and Container-2 are projected to the Metaverse.
- All groups from Container-1 are projected to the Metaverse.
- All groups from Container-1 are ignored for projection to the MV.
- The current FlowScope on the member attribute is set to "user,group".

Problem:
The problem surfaces when a user from Container-3 (some other container other than Container-1 and Container-2) is a member of a group (let's say GroupX) from Container-1. As AD-MA is configured not to pick up users from Container-3, a placeholder is created for this user (let's say UserX) when GroupX is imported into the AD-MA connector space. Upon the completion of one complete sync cycle (AD->MV->FIM->MV->AD), the Synchronization service is removing UserX from GroupX as UserX is not in the MV.

Is this normal behavior or am I missing something? Is there any way to override this behaviour?

Thanks for your help in advance.

Thanks & Regards,
Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
January 27th, 2011 6:44pm

This is by design. To synchronize reference attributes such as member, you always need the referencing and the referenced object in a data layer (CS, MV). You can find more details on this in "How Do I Provision Groups to Active Directory Domain Services" or "How Do I Synchronize Groups from Active Directory Domain Services to FIM".

Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 27th, 2011 7:37pm

Markus,

Is there any specific reason why it was designed that way? I feel it's a bit unfair for those objects that need to be excluded from FIM so they could be managed independently. It unfortunately puts a limitation on FIM-based management of other objects that reference these excluded objects. Is there any way to override this default behavior?

Thanks & Regards,
Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
January 27th, 2011 9:18pm

A reference attribute by design must have access to the object it references. This is not just the FIM metaverse, but AD, LDAP and many other systems. FIM must maintain the reference through every step from source to target to ensure referential integrity. There is no way to override that, and that's a good thing really.

http://www.wapshere.com/missmiis
January 28th, 2011 10:25am

Hmmmm - not sure I understand your question...

You have filtered the user objects probably on purpose, and a reference attribute is a pointer to an object. Placeholder means a reference to an object that has not been imported yet. They are required to indicate that the import worked correctly and to help troubleshoot scenarios like yours. What should member in the metaverse point to if there is no projected user? In other words, how should referential integrity work in this case?

What you can do is to dereference your reference attribute. In your case, this translates to flowing member into a multi-valued string attribute.

Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 28th, 2011 5:35pm
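The dereferencing approach described in the reply above, as an added example that is not code from the thread or from Microsoft: a FIM Synchronization Service rules extension for the AD MA whose advanced import flow copies the group's "member" reference values into a multi-valued string MV attribute. The MV attribute name "memberDN" and the flow rule name "cd.group:member->mv.group:memberDN" are assumptions for this example and must match what you configure in Synchronization Service Manager; the other interface members are left as the stubs the Sync Service generates for a new rules extension.

```csharp
// Added example (not from the thread): FIM Sync rules extension for the AD MA that
// dereferences the group "member" reference attribute into a multi-valued string.
// Assumed (hypothetical) names: MV group attribute "memberDN" (multi-valued string)
// and an advanced import attribute flow named "cd.group:member->mv.group:memberDN".
using System;
using Microsoft.MetadirectoryServices;

public class ADMAExtension : IMASynchronization
{
    // Name given to the advanced import flow in Synchronization Service Manager.
    private const string MemberToMemberDnFlow = "cd.group:member->mv.group:memberDN";
    // Hypothetical MV attribute; it must exist in the MV schema before the flow runs.
    private const string MvMemberDnAttribute = "memberDN";

    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }

    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case MemberToMemberDnFlow:
                // Rebuild the MV value set on every import so a member removed in AD
                // is also removed in the MV (the flow is authoritative for this attribute).
                mventry[MvMemberDnAttribute].Values.Clear();

                if (!csentry["member"].IsPresent)
                {
                    return;
                }

                // Each ReferenceValue is a DN in the connector space. A placeholder
                // (a DN the MA has not imported as an object, like UserX in Container-3)
                // still has a DN, so its string form is kept here, whereas a
                // reference-to-reference flow can only carry members that exist in the MV.
                foreach (ReferenceValue dn in csentry["member"].ReferenceValues)
                {
                    mventry[MvMemberDnAttribute].Values.Add(dn.ToString());
                }
                break;

            default:
                // Any other flow name is a configuration error; fail loudly rather than
                // silently leaving an attribute flow unhandled.
                throw new EntryPointNotImplementedException();
        }
    }

    // Remaining members keep the stubs the Sync Service generates; this MA does not use them.
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry) { throw new EntryPointNotImplementedException(); }
}
```

Compile this against Microsoft.MetadirectoryServices.dll, place the assembly in the Sync Service Extensions folder, and point the AD MA's advanced import flow for member at it using the flow rule name above. Because memberDN holds DN strings rather than object references, the sync engine applies no referential integrity to it, which is exactly why the placeholder's DN survives; for the same reason it cannot be flowed back to AD as a reference attribute unless the referenced objects are in the connector space and MV.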
