I think we are close to loading the Portal Groups from AD. The only problem I have is with the creation of Criteria Based Groups. On AD for all FIM managed groups we set values for extensionattribute10, extensionattribute11 and extensionattribute15 If the group is to be a manual group on the Portal then 10 = false, 11 = "Owner Approval" and 15 is <not set> If the group is a criteria based Portal group then 10 = true, 11 = "None" and 15 is the memberFilter string. Now. ALL AD groups have members. What I want to arrange in my Inbound Sync Rule is to flow AD member -> MV member IF 10 is false BUT set the MV value of member = NULL if 10 is true because I want the Portal to generate the members in this case. All other attributes should flow, and member is allow null. This member attribute is special, its a multi-valued reference. How can I arrange mySync Rule to explicitly set the MV member attribute to be NULL??? I cant find any Null() function ... I hope that after I have created the criteria based Groups after MV -> FIMMA export, on a FIMMA import I should see in its Connector Space that group object member attribute filled with users who match the criteria, even though the MV object should have no members.

You should be able to use the Null function. I use it all the time in the IIF(Eq(Department,"Finance"),"FI",Null()) Please see http://technet.microsoft.com/en-us/library/ff800820(v=ws.10).aspx Null Description The Null function is used to define that this MA does not have an attribute to contribute and that attribute precedence should continue with the next MA. Function Signature String Null Inputs No parameters Operations A Null is returned. Example: IIF(Eq(domain), unknown, Null()) Output A Null is output.

regarding null().. I believe I saw a discussion on here that indicated that "does not have an attribute to contribute" is different than setting a flow value to null, but I could be wrong, since I don't use Portal Sync rules in most cases- I would do this with classic code like this.. mventry["members"].Values.Clear(); Frank C. Drewes III - Architect - Oxford Computer Group

Frank is absolutely correct about what "null()" does. It really has to be interpreted like "Don't do anything". And it's definately not setting a blank string or null-ing out an attribute. However, if I read your scenario right: you want AD to only contribute to "member" if the value is 10. If it's something else you want the FIM Portal to mange it. I think this could be a scenario where you could use "null()" so that the AD MA leaves the member attribute alone.http://setspn.blogspot.com