How to reenable user in the FIM portal and AD
Hello! I created the rule which disables user in the AD by these steps: 1. Create attribute ISHRConn in the Metaverse with Schema designer 2. To the inbound SYNC rule add maping HR Table column ID (Which is set up like anchor in the FIM HR MA): ID -> ISHRConn 3. To the Outbound rule create the expresion: Iif(IsPresent(ISHRConn),EnableADUser,DisableADUser) When I hide the user in the Table view or configure connection filter in HRMA, the user is disabled in the AD. When I restore user, the user is detected, but after running sync profiles, the duplicate is created in the FIM portal. When synchronizing changes, the error "user already exists in management agent "adma"" Question: how to correctly configure the expression / sync rules to re-enable AD user? Thanks!
October 5th, 2011 7:51am

this usually happens when your user does not satisfy the join condition set in the sync rule dis you set it up for a unique attribute sur as the accountname ? when you genreate preview you should see the join rule getting a matchHitch Bardawil
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2011 10:03am

What attributes are you joining on from your HR MA?My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
October 5th, 2011 1:39pm

What attributes are you joining on from your HR MA? Login -> ISHRConn
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2011 5:06pm

What attributes are you joining on from your HR MA? Login -> ISHRConn Are you importing ISHRConn back from FIM? It won't join back up if the attribute isn't in the metaverse.My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
October 5th, 2011 5:08pm

Also make sure that you have join rule from your HR MA before a projection rule - otherwise you'd get duplicate MV objects. Also have join rules before projection rules where possible. And as Brian says, make sure that your join rules use existing attributes - and maybe design your attribute flows with "breadcrumbs" such employeeNo or similar...Regards, Soren Granfeldt http://granfeldt.blogspot.com
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2011 5:27pm

Are you importing ISHRConn back from FIM? It won't join back up if the attribute isn't in the metaverse. Do you mean: after export of the FIM MA create delta import in the FIM MA? Do I need to create the flow mapping in FIM MA, too?
October 6th, 2011 6:59am

Also make sure that you have join rule from your HR MA before a projection rule - otherwise you'd get duplicate MV objects. Also have join rules before projection rules where possible. And as Brian says, make sure that your join rules use existing attributes - and maybe design your attribute flows with "breadcrumbs" such employeeNo or similar... I have no join rules in the FIM MA.
Free Windows Admin Tool Kit Click here and download it now
October 6th, 2011 7:25am

The FIM MA will always project, so you need to make sure that your import flow from the FIM MA populates enough values on the MV object for the other MA's to succesfully join. All other MA should always have a join rule before any projection rule.Regards, Soren Granfeldt http://granfeldt.blogspot.com
October 6th, 2011 7:29am

when you disconnect the HR object the ISHRConn attribute is recalled from the MV, if you go and search for that user in the MV, double click check the contributing MA for ISHRConn. if you configured import attribute flow on FIMMA ( FIMMA:ISHRConn -> MV:ISHRConn) now it will have the precedence and it will repopulate the value into the metaverse. remove the ISHRConn import/export attribute flow in the FIMMA (properties - > Attribute Flow), and test again ... and you need to check the version of your FIM, I think there was an issue with the precedence that was solved, so if the above did not worked try to update your FIM to the latest versionIt's never too late in life ... to start living
Free Windows Admin Tool Kit Click here and download it now
October 7th, 2011 2:02am

You need to go in the properties of the FIM MA and create an import attribute flow for ISHRConn back to the metaverse. Next, go in the MV Designer and set the precedence of the FIM MA to last for that attribute. This will ensure that when your HR MA disconnects you'll still have a value in IsHRConn so you can re-join.My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
October 8th, 2011 11:52am

if the HR:login value is the same as the login account in AD, then in your inbound SR for HRMA configure the joining relationship "HRMA:login" with the "MV:accountName". if not you need to use something common between HR and AD, example Employee Number if applicable your operational flow HR:login -> MV:ISHRConn is just a way to check if the user has HR connector or not, it should not be used as a joining relationship. no need to import/export the ISHRConn to FIM portal using FIMMA, unless you need to define SETs or Groups based on filters using that attribute but you need to make sure that your inbound SR for both AD and HR are configured with "Create Resource in FIM" ... It's never too late in life ... to start living
Free Windows Admin Tool Kit Click here and download it now
October 8th, 2011 12:34pm

Dear All! My current configuration is the following: FIM HR MA: Login configured as anchor Attribute ISHRConn custom attribute in the Metaverse, binded to person the attribute precendence of the ISHRConn: HRMA takes precendence over FIMAMA FIM MA Inbound SYNC rule attribute flow Account name-> ISHRConn (as I understand this is for getting data back in metaverse) Relationship criteria:"HRMA:login" with the "MV:accountName" (joining relationship) outbound attribute maping HR Table column Login (Which is set up like anchor in the FIM HR MA): Login -> ISHRConn Outbound sync rule expresion: Iif(IsPresent(ISHRConn),EnableADUser,DisableADUser) The configuration above does not work like expected: when the new user is added to the HRMA view, the user is created in the FIM and the AD when we hide the user from view, the attribute ISHRConn contains the value and the user is not disabledon the AD I hide the user using Configure Connection Filter on the HR MA. What is wrong on my configuration? Do I need to configure the attribute flow in the Inbound sync rule (Login -> ISHRConn ) ? Please hep me to undesrstand where is problem!
October 8th, 2011 6:18pm

when you disconnect the HR object the ISHRConn attribute is recalled from the MV, if you go and search for that user in the MV, double click check the contributing MA for ISHRConn. if you configured import attribute flow on FIMMA ( FIMMA:ISHRConn -> MV:ISHRConn) now it will have the precedence and it will repopulate the value into the metaverse. remove the ISHRConn import/export attribute flow in the FIMMA (properties - > Attribute Flow), and test again ... and you need to check the version of your FIM, I think there was an issue with the precedence that was solved, so if the above did not worked try to update your FIM to the latest versionIt's never too late in life ... to start living
Free Windows Admin Tool Kit Click here and download it now
October 8th, 2011 7:18pm

Thanks, all works now!
October 16th, 2011 3:36am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics