FIM Suggestion Box: Allow Attribute Clearing Through Sync Rules
A common requirement is a need to clear or actually delete an attribute using an outbound sync rule. An example is during off-boarding, where some cleanup of the AD objects is required, such as removing the manager attribute. The null() function is essentially a "no op" within the function evaluator and does not clear an attribute; however, it is useful for other reasons, to ignore the else in an IIF clause. A workaround has been to create a new attribute in the FIM schema called nullDN, bind it to the person object, add it through the Metaverse Designer to the person object in the old ILM UI, and flow nullDN to manager in the off-boarding sync rule in FIM. During an export to AD, the manager attribute is actually cleared. Attributes would be required for each attribute type for this workaround: nullDN, nullString, nullInteger. Either something similar or a new function in the sync rule function evaluator would be useful. Another function for the evaluator, as a nice-to-have, would be a Now() function that we could use as a timestamp on any custom attributes. There is a DateTimeFormat function to reformat existing date values during synchronization; however, it would be useful to set the existing date during an outbound flow that could be picked up by subsequent processes.
February 4th, 2011 6:24pm
I completely agree. I am trying to flow the values for the AD attribute msNPAllowDialin. It is boolean and either true, false or not set in AD. Not Set is neither true nor false and allows access to be granted via RAS policy. I have created a rules extension to import this data, but I have yet to find a way to export the <not set> cleared value. Deleting the csentry just has it leave whatever is set in AD and no longer updates the attribute. If you change it from Allow to not set in FIM, then in AD the value will remain Allow. There have been other attributes I've needed to do this on as well. Manager is a great example. When a user is terminated we need to remove the manager and today have to do that via a PowerShell custom activity.
November 15th, 2012 2:28pm
I handle the "sometimes null" rule in classic attribute flows by allowing the export of nulls, and figuring out the state in extension code, throwing DeclineMappingException whenever the data do not prescribe null. I.e., sometimes I don't know what the value is supposed to be, but can't authoritatively delete whatever is already there.
November 15th, 2012 3:22pm
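
The approach described in the last reply, as an added example (not code from any poster in this thread): a classic rules-extension export flow for msNPAllowDialin that clears the AD value only when the metaverse explicitly says so, and declines the mapping when the state is unknown. The flow rule name `ExportDialin` and the metaverse string attribute `dialinPolicy` (values Allow, Deny, NotSet) are assumptions; the class is built against Microsoft.MetadirectoryServices.dll from the sync server.

```csharp
using Microsoft.MetadirectoryServices;

public class MAExtensionObject : IMASynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    // Advanced export flow. As in the reply above, the flow is configured
    // to allow the export of nulls; the decision is made here in code.
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        if (FlowRuleName != "ExportDialin")       // hypothetical flow rule name
            throw new EntryPointNotImplementedException();

        Attrib policy = mventry["dialinPolicy"];  // hypothetical MV string attribute
        if (!policy.IsPresent)
            throw new DeclineMappingException();  // state unknown: leave AD as it is

        switch (policy.Value)
        {
            case "Allow":
                csentry["msNPAllowDialin"].BooleanValue = true;
                break;
            case "Deny":
                csentry["msNPAllowDialin"].BooleanValue = false;
                break;
            case "NotSet":
                csentry["msNPAllowDialin"].Delete();  // authoritative clear to <not set>
                break;
            default:
                throw new DeclineMappingException();  // unrecognised value: do nothing
        }
    }

    // Interface members not used by this example.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
}
```

Keeping the explicit `NotSet` value separate from a missing `dialinPolicy` is what distinguishes an intended clear from missing data, so an off-boarding rule can remove access settings without a failed import wiping them for everyone.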