How to populate groups' owner and displayed owner fields (Reference (DN))
Hi, I have tried to populate groups' owner and displayed owner fields in a synchronization rule. I have tried to use Administrator's ResourceID and MVResourceID but it says that inbound synchronization rules are invalid. How do I do this?
February 19th, 2010 12:48pm
Hi, does it give you the error on the creation of your inbound sync rule or during the import of groups from AD? In the second case, check that the administrator is correctly populated to the Metaverse and joined with your AD inbound user sync rule.
February 19th, 2010 1:13pm
The synchronization rule gets created correctly. These groups don't come from AD but from the HR system. The error comes when I do "Full Import and Synchronization" with the FIM MA (management agent). The actual error message is "sync-rule-inbound-flow-rules-invalid".
February 19th, 2010 3:10pm
I have tried to change my inbound rule to flow a constant value to the Owner and DisplayedOwner. If I try to preview importing my rule from FIMMA to MV, I get the same error as you. To work around the problem, I have created a workflow that initializes the DisplayedOwner and the Owner to the ResourceID of the administrator and made an MPR that runs this workflow for each creation of a group by the Sync Engine. That way the groups are reimported correctly to the MV without the owner, then exported to FIM Portal where the Owner is initialized before reimport from Portal to MV.
February 19th, 2010 5:36pm
Here are the min (!) requirements for inbound flows:

Inbound Attribute Flows
Destination              Source
displayName              displayName
accountName              sAMAccountName
type                     CustomExpression(IIF(Eq(BitOr(14,groupType),14),"Distribution","Security"))
member                   member
membershipLocked         false
membershipAddWorkflow    Owner Approval
domain                   Fabrikam
scope                    CustomExpression(IIF(Eq(BitAnd(2,groupType),2),"Global",IIF(Eq(BitAnd(4,groupType),4),"DomainLocal","Universal")))

Here are the min (!) requirements for EAFs on the FIM MA:

Custom Export Attribute Flows For Groups
MV Attribute             CS Attribute
displayName              DisplayName
domain                   Domain
membershipAddWorkflow    MembershipAddWorkflow
membershipLocked         MembershipLocked
scope                    Scope
type                     Type

DisplayName is something that is not a technical but a logical requirement - in my opinion... There is no need to flow owner and displayedOwner.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
February 19th, 2010 6:52pm
You are right, Markus, to say that owner and displayedOwner are not needed since they are not required in the FIM schema (and so can't be by design, as Microsoft told me). But in this case, when you edit your imported group in FIM Portal, it clearly asks you to fill in the owner and displayed owner values. Doing this is no problem for a few reimported groups, but for many groups, as I have tested with more than a hundred reimports from AD to FIM, making a workflow as I did can save time. One remark about your inbound attribute flow to membershipAddWorkflow: can't setting it to 'Owner Approval' with no manager set for the group cause problems for FIM when a user asks to be a member of it?
February 19th, 2010 7:11pm
These values aren't required but I have MPRs like "Send an email to the owner after the group is created". If there is no owner, it generates errors (and I do not know when new groups are created, though this isn't such a big deal). Therefore I'd like to set a default owner.
February 19th, 2010 8:33pm
Sorry, guys, my mistake - you should not do several things in parallel... I've just focused on the invalid inbound sync rule and not on the fact that Hartwal actually wants to set the ref attributes to a value... So, my comments are just about the bare minimum since I'm working on it right now...
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
February 19th, 2010 11:11pm
Well, if you want to send a notification, you can do it in the same workflow that I use to initialize the displayed owner and the owner. The question is: if you set these 3 actions in the same workflow, do they execute sequentially or in parallel? Of course my case will only work on reimport from AD since the MPR only works in this case, or is it possible to modify the init function to do something like: IIF(IsPresent(Owner),"AdminID",Owner)
February 20th, 2010 4:22pm