I am using classic provisioning rules but recently discussed with a colleague about how group and user resources are getting created in the FIM portal by the FIM MA without the use of sync rules. The only classic provisioning code I have for the FIM MA is to deprovision terminated employees, nothing to create a FIM connector. I've seen other posts how people can't get the FIM MA to provision objects into the portal without a sync rule, but I have the opposite problem, there are objects I'd like to restrict the creation in the portal as I only need them in the metaverse for other MAs to consume, but I don't know how to prevent this if I am not doing anything now to provision the objects into the portal other than having the object type mapping. As a workaround in my test environment I am creating a new metaverse object type that isn't mapped to a object type in the FIM MA and that seems to be working but I'd really like to understand how the FIM MA decides to create objects in its connector space without anything from what I can tell, saying to do so. When the objects are created it always says "provisioning-rule" as the reason.

If you project an object into the Metaverse as a class that you have established a linkage to in the FIM MA definition, you will automatically create an object of that type in the FIM MA with only the MV ID and the Resoruce ID on it. So honestly, you don't really NEED inbound source rules, you could just use this to create the object in the portal and use classic rules without ever having to write "provision to FIM" code. Give it a try and see if that matches what you are experiencing.Eric

That's what I figured. So, if I don't do an object type mapping, then it won't project unless I use a ISR or classic provisioning code to create it?

Adam, It was my understanding that if you didn't have an object mapping, you can't get it into the FIM MA at all. If you're going to try using MVExtension code to provision into FIM MA - let me know if it works or not. Never had a need to do that, but it would be interesting if you can... Frank C. Drewes III - Senior Consultant: Oxford Computer Group

Really I am looking to find out why I am having objects created in FIM with no ISR defined with a Create Resource in FIM Portal ... http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/5b40a979-ec0a-44e4-86b6-98a50addb9cf I want to be able to do that, limiting the objects that get created in the portal to ones that I need in the portal. But I can't track down where the provisioning rules are that are telling the sync engine to create a connector in the FIM MA connector space.

There aren't any rules, it is a feature built-in to the product. If you have the object type mapped then it will always create a FIM portal object. There is no way to choose which objects get provisioned and which don't this way. The only way is by having different object types. It is a pain at times.

So the Create Resource in FIM Portal on a ISR is worthless?

'Create Resource in FIM' will create it in the Metaverse. I don't think you can select the FIM portal as a system anywhere in a sync rule.

So that just controls whether the ISR is a join or a join else project ...