How can I re-enable a user object on a target AD with FIM2010RC1?
Hi ILM pioneers! I have a text file as the data source. In this file I can NOT have an attribute related to the state of the user object, whether active or inactive. (Why? HR does not want to provide it.) I have to flow those users to a target AD with FIM2010RC1. So I have to implement the following scenario:
+ The user exists in the text file and does not exist in AD ==> create the user object on the target AD
+ The user was deleted from the text file and is currently enabled on the target AD ==> disable that user object and leave it in the same location on the target AD
+ The user is re-created in the text file and is currently disabled on the target AD ==> re-enable the user object on the target AD
What I am going to do is the following:
+ Create an MV "state" attribute.
+ Flow that attribute value to the AD user object using codeless sync rules.
+ The AD user object will only be enabled/disabled and will always remain at the same DN location.
I have the two scenarios below I don't clearly understand how to implement:
+ User is re-created in the data source and the user object already exists in the MV
  - Will FIM join them automatically? Or should I create a join rule for the data source MA on the 'Configure Join and Projection Rules' panel??
  - What method do I have to use to detect that the user object has been re-joined and modify the MV 'state' attr value accordingly??
    o Should I create an extension project for the data source MA???
    o Do I need to implement the 'provision' method?
+ User is deleted from the data source
  - Which method do I have to use to detect that the user object has been deleted and modify the MV 'state' attr value accordingly??
    o Do I need to implement the 'deprovision' method for the data source MA?
Please guys, give me some help to understand how to do what I mentioned before.... thank you a lot!
max
December 23rd, 2009 4:17am

When you configure a synchronization rule, you have to specify a join rule. In FIM, this is your relationship criteria. If your relationship criteria is properly configured, your HR object will join to the MV object when it "returns".
I have outlined how to handle enabling and disabling of AD accounts in this article. You should extend your MV schema with an additional operational attribute (e.g.: “HasHRAccount”). Configure an inbound attribute flow mapping from your HR MA (only!) to this attribute. You should use the DN as attribute value. When a HR object is disconnected, the value for HasHRAccount is recalled. You can leverage this in your outbound synchronization rule to AD:
   If IsPresent(HasHRAccount) Then
       Enable Account
   Else
       Disable Account
This should give you enough to get started.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 24th, 2009 9:05pm

Thanks a lot Markus! One thing... what do you mean with 'recalled'....... "When a HR object is disconnected, the value for HasHRAccount is recalled."??? thanks
max
December 24th, 2009 9:49pm

When a CS object is disconnected from an MV object, by default, FIM pulls all the values the object has contributed to the MV. This setting makes sure that you won't end up with stale information in the MV. Pulling attributes from the MV on disconnect is also known as "attribute recall". You can configure the attribute recall behavior in the "Configure Deprovisioning" section of your MA configuration:
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 24th, 2009 9:58pm

Thanks Markus! I got it! So regarding this:
   If IsPresent(HasHRAccount) Then Enable Account Else Disable Account
how and where am I supposed to perform that validation? Do you mean I need to create an extension project for the AD MA? Or can I program that directly into the portal? thanks
p.s. btw HNY!
January 7th, 2010 4:36am

Awesome!
   If IsPresent(HasHRAccount) Then Enable Account Else Disable Account
This is just a description of the gist of the implementation. You can configure this in a declarative manner (no coding required) as a custom expression in an outbound flow mapping of your AD outbound synchronization rule. A detailed description of how to implement “Enable Account” / “Disable Account” is included in this article.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 7th, 2010 10:09am

Markus and people! I did the following:
** Inbound HR MA Sync Rule
   name => firstName
   . .
   dn => HasHRAccount (string)
** FIM MA Attribute flow
   mail -> email
   mail <- email
   . .
   Employee Type -> HasHRAccount (Import)
   Employee Type <- HasHRAccount (Export)
** Outbound Sync Rule
   email => email
   . .
   IIF(CustomExpression(isPresent(HasHRAccount),512,514) => userAccountControl
Then, I create a text file with one user. I initialize the FIM MA and AD MA. Then, I run the following run profiles:
   Full Import (HR MA)
   Full Sync (HR MA)
   Export (FIM MA)
At this point execution fails with the following error: "failed-creation-via-web-services", BUT if I remove the attribute flow related to the "HasHRAccount" MV attr from the FIM MA configuration, then it succeeds. Then, I keep executing the following run profiles:
   Delta Import (FIM MA)
   Full Sync (FIM MA)
   Export (AD MA)
   Delta Import (AD MA)
The user gets created enabled in AD. (GOOD)
I delete the user from the text file. I run all the same run profiles in the exact same order as before. User remains enabled (VERY BAD NEWS)
So,
1) Is it incorrect to define an attribute flow for the "HasHRAccount" MV attr in the FIM MA configuration?
2) Is it correct to execute those run profiles in that order?
I have no idea what is wrong =(.... please help!
max
January 8th, 2010 10:41am

Max, how about following the instructions in this article :o) It is very easy to get rid of "failed-creation-via-web-services".
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 8th, 2010 1:04pm

Ok COOL! Do I need a specific parameter to execute those scripts? Or place them in a specific folder?
   PS C:\Users\setupadmin\Desktop> C:\Users\setupadmin\Desktop\MPR.ps1
   Error: A parameter cannot be found that matches parameter name 'onlyBaseResources'.
thanks!
max
January 8th, 2010 11:28pm

You haven't installed Update 2 - have you :o) Update your FIM installation, and then run the script. Here are more details about this. You can run them from whatever folder on your FIM server. You can also start them from a VBScript. More details about this are here.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 9th, 2010 12:40am

By the way, you should take a look at this...
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 9th, 2010 12:45am

Markus!! Yes, I had not installed FIM Update 2 =S... but I just did it! I reverted my VM to the state where FIM is configured to only provision users to AD (without the enable/delete logic). I updated FIM to FIM Update 2, then executed an import-sync-export cycle for 3 users and it worked fine (users were created in AD). Finally, I executed both scripts you recommended to me, but the MPR-related script shows a warning, as you can see below:
   FIM MPR Configuration For Synchronization Check
   ===============================================
   MPRs that need to be enabled:
   -General: Users can read non-administrative configuration resources
   -User management: Users can read attributes of their own
   Caution: Your current MPR configuration requires your attention!
+++ Is this warning critical??? (users were successfully provisioned to AD)
thanks,
max
p.s. thanks for the great documents!
January 9th, 2010 6:02am

Critical enough to cause the "failed-creation-via-web-services" error you have.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 9th, 2010 12:19pm

MARKUS!... "failed-creation-via-web-services" is gone! But I am still not able to disable an already DELETED user.
** HR ISR
   id => EnableFlag
** FIM MA attribute flow mapping
   location -> EnableFlag (import)
   location <- EnableFlag (export)
** AD OSR
   IIF(CustomExpression(isPresent(EnableFlag),512,514) => userAccountControl
+ Note: I know I should not be using the "514" fixed value but this is just for testing purposes.
I create one text file with two users and the users get created in AD in an 'enabled' state. I delete only ONE user from the text file, I execute all the run profiles, but BOTH users are still 'enabled'. Now, I use the 'Metaverse Search' option from the Synchronization Service Manager app AND the 'EnableFlag' attribute contains values; the value is STILL there for both users, so that is the reason the DELETED user is STILL enabled. PLEASEEE MARKUS... What the heck am I doing wrong? What do I need to enable????? thanks
max
DEBUG INFO
============== MA Configuration ===============
All of them have the 'Do not recall attributes.....' option UNchecked in the 'Configure Deprovisioning' panel.
============ Metaverse Designer =================
** EnableFlag attribute - Configure Attribute Flow Precedence:
   1. FIM MA
   2. HR MA
   'Use equal precedence' option.... CHECKED
==== Run profiles executed after manually deleting ONE user from the HR text file ======
** HR MA run profiles
   Full Import [Deletes 1]
   Full Sync [Deleted Connectors 1]
** FIM MA run profiles
   Export
   Delta Import
   Full Sync
** AD MA
   Export
   Delta Import
January 12th, 2010 9:21am

Pretty simple, Max. If you look at the article I wrote, you will find the following:
In case of our scenario, you can take advantage of this feature in form of an operational attribute on your metaverse object. This attribute is also known as Connector Flag. There are two requirements for a Connector Flag:
- The attribute has only one inbound flow source – the connector you care about
- The attribute is populated by your anchor attribute
If you look at your description, you will find the following:
   ** HR ISR: id => EnableFlag
   ** FIM MA attribute flow mapping: location -> EnableFlag (import), location <- EnableFlag (export)
You have two inbound flow sources configured...
"Now, I use the 'Metaverse Search' option from the Synchronization Service Manager app AND the 'EnableFlag' attribute contains values, the value it is STILL there for both users so that is the reason the DELETED user is STILL enabled."
Now, you know how attribute recall / repopulation works :o) When your HR resource got disconnected, the MV attribute is populated by your FIM MA, which is why you see a value on the MV object. Remove the flow mappings on your FIM MA - that should do the trick...
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 12th, 2010 9:47am

Markus, I did what you said but it is just not working T_T...
No attr flow mappings configured on the FIM MA regarding the 'EnableFlag' attr. The ISR includes one specific rule to populate the 'EnableFlag' attr with the anchor attribute ("id" attr). This ISR contains more rules. I only have one ISR.
The Metaverse object has the following option selected: 'Delete metaverse object when last connector is disconnected'.
All three MAs involved in this scenario have the following options selected:
1) Configure Deprovisioning [Make them disconnectors]
2) Configure Deprovisioning [Do not recall attributes....] UNCHECKED
HR MA "Full Import and Full Sync" run profiles report the deletion of the object, but the related Metaverse object remains untouched; as a consequence, the 'EnableFlag' attr contains a value. I use the Metaverse Search option and add the 'EnableFlag' column to debug its value. So, the object gets deleted from the HR MA Connector Space but the corresponding MV object remains 'undisturbed'. How is the deletion of the aforementioned CS object supposed to propagate to the MV and modify the Connector Flag attribute? Which 'run profile' sequence should I be using? And the real question: What am I doing wrong????? q@__@p Markus, have mercy! thanks
max
January 12th, 2010 9:55pm

Max, no problem... Whenever you are stuck with a bigger problem, you should try to isolate the smaller building blocks of it and test them in a simple scenario. If the small things don't work, the big things can't - makes sense? In your case, forget about your scenario for a second and set up something simpler. All you need is a file MA that syncs some objects to FIM. You just need the connector flag in this scenario. Also, go back to the article and let me know if something is not clear enough - OK?
"How is the deletion of the aforementioned CS object supposed to propagate to the MV and modify the Connector Flag attribute?"
The "trick" we are using to make this happen is covered in the article. When a CS object got disconnected from an MV object, the attributes the disconnected object has contributed are pulled (attribute recall). After these attributes got pulled (recalled), a repopulation is taking place. This means the remaining connectors are used to populate the value, if they have inbound flows configured for the attributes that got pulled. Since the deleted object was the only contributor to the connector flag attribute, the metaverse object's value should be empty after you have processed the deletion. Processed the deletion means: run an import and a delta sync on your file MA. That's all you need. At the end of the sync run, the MV attribute must be empty. If not, it can only be due to three things:
- An error
- The MA is configured to NOT pull the attributes
- You have more than one contributor
Make sure that your attribute flow configuration for the Connector Flag looks like this:
The good thing is - it works :o) We just need to figure out what's missing in your environment.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 12th, 2010 11:05pm
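The recall/repopulation mechanics Markus describes in his last two replies (one inbound flow source for the Connector Flag; recall on disconnect, then repopulation from the remaining connectors) can be modelled in a few dozen lines. The following is an added example written for this thread, not FIM's own code and not from either poster: a toy metaverse with precedence, recall and repopulation, run once with the FIM MA as a second contributor to EnableFlag (Max's misconfiguration) and once with the HR MA as the only contributor. The class and function names, the "1001" anchor and the sample e-mail are assumptions; 512/514 and the MA names come from the thread. The userAccountControl helper also shows the bit-flip that the fixed 512/514 in the posted OSR approximates: only the ACCOUNTDISABLE bit (0x2) is changed, so other flags already set on the account are kept.

```python
# Added example (not FIM code, not from the thread's posters): a toy model of
# metaverse attribute recall and repopulation, showing why a second
# contributor to the Connector Flag keeps the AD account enabled after the HR
# record is deleted. Class/function names are assumptions for this
# illustration; 512/514 and the MA names come from the thread.
from dataclasses import dataclass, field

NORMAL_ACCOUNT = 0x200   # userAccountControl 512
ACCOUNTDISABLE = 0x002   # 512 | 2 = 514


@dataclass
class Connector:
    ma: str        # management agent name, e.g. "HR MA"
    anchor: str    # CS anchor value (the HR "id")
    inbound: dict  # MV attribute -> value this CS object contributes


@dataclass
class MetaverseObject:
    attrs: dict = field(default_factory=dict)        # attribute -> value
    contributor: dict = field(default_factory=dict)  # attribute -> MA that set it
    connectors: list = field(default_factory=list)


class Metaverse:
    """precedence: attribute -> ordered list of MA names, first wins."""

    def __init__(self, precedence: dict):
        self.precedence = precedence

    def _rank(self, attr: str, ma: str) -> int:
        order = self.precedence.get(attr, [])
        return order.index(ma) if ma in order else len(order)

    def join(self, mv: MetaverseObject, conn: Connector) -> None:
        """Inbound sync: apply the connector's flows, honouring precedence."""
        if conn not in mv.connectors:
            mv.connectors.append(conn)
        for attr, value in conn.inbound.items():
            current = mv.contributor.get(attr)
            if current is None or self._rank(attr, conn.ma) <= self._rank(attr, current):
                mv.attrs[attr] = value
                mv.contributor[attr] = conn.ma

    def disconnect(self, mv: MetaverseObject, conn: Connector, recall: bool = True) -> None:
        """Deprovisioning: drop the connector, recall what it contributed,
        then repopulate from the connectors that remain."""
        mv.connectors.remove(conn)
        if not recall:  # "Do not recall attributes" checked
            return
        for attr in [a for a, ma in mv.contributor.items() if ma == conn.ma]:
            del mv.attrs[attr]
            del mv.contributor[attr]
        for other in mv.connectors:  # repopulation by the remaining connectors
            self.join(mv, other)


def user_account_control(flag_present: bool, current_uac: int = NORMAL_ACCOUNT) -> int:
    """Outbound flow IIF(IsPresent(EnableFlag), enable, disable), flipping only
    the ACCOUNTDISABLE bit so other UAC flags survive (a fixed 512/514, as in
    the thread, would overwrite them)."""
    if flag_present:
        return current_uac & ~ACCOUNTDISABLE
    return current_uac | ACCOUNTDISABLE


def run_scenario(fim_ma_contributes: bool) -> int:
    """Create a user from HR, round-trip through the FIM MA, delete the HR
    record, and return the resulting userAccountControl."""
    mv = Metaverse(precedence={"EnableFlag": ["HR MA", "FIM MA"]})
    user = MetaverseObject()
    hr = Connector("HR MA", anchor="1001",
                   inbound={"EnableFlag": "1001", "firstName": "Max"})  # constructed
    mv.join(user, hr)
    fim_flows = {"email": "max@example.test"}  # constructed sample value
    if fim_ma_contributes:
        # The thread's misconfiguration: EnableFlag exported to the portal and
        # imported back, so the FIM MA is a second inbound flow source.
        fim_flows["EnableFlag"] = user.attrs["EnableFlag"]
    mv.join(user, Connector("FIM MA", anchor="guid-1001", inbound=fim_flows))
    # HR deletes the record: import + sync disconnects the HR CS object.
    mv.disconnect(user, hr)
    return user_account_control("EnableFlag" in user.attrs)


if __name__ == "__main__":
    print("two contributors:", run_scenario(True))    # 512: account stays enabled
    print("HR MA only      :", run_scenario(False))   # 514: account disabled
```

With the FIM MA flowing EnableFlag back in, the recall empties the attribute but the repopulation step immediately refills it from the FIM connector, which is exactly the value Max saw in Metaverse Search. With the HR MA as the sole contributor the attribute stays empty after the disconnect and the outbound expression disables the account.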

Yes, today I have been doing the small-things approach; I have been only using my HR MA and my FIM MA.
The MA is configured to NOT pull the attributes ---------- I have double-checked and that feature is unchecked, so it is configured to recall attrs.
You have more than one contributor -------------------- I have double-checked in the MV Designer and the attribute flow configuration for the Connector Flag looks exactly the same. Only one contributor.
I do:
   HR MA: Full Import, Full Sync
   FIM MA: Full Import, Full Sync
Nevertheless, there is one error being shown for two accounts when it comes to the 'Full Sync' run profile of the FIM MA:
   "Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector."
The accounts involved are:
+ domain\installadmin (the account used to log in to the computer and ONLY execute the FIM installers; I am logged in to the computer with this acct)
+ domain\ilmMA (the MA account) ---> your PowerShell script says this acct is OK.
I have never been able to get rid of the error lines above. Could this error be the cause?
THANKS
max
January 12th, 2010 11:52pm

This topic is archived. No further replies will be accepted.