Logic between SET and MPR, and Type of MPR to be selected?
Hi, I have a scenario where I have Created a SET "ADSUM" for selecting Desired Users. I would like to Create Users as well as Update the Users (i.e. Update User Attributes) which fulfill the SET Criteria. I tried Using R-MPR , in which I gave Requestors = "ADSUM" SET , Resource Before Request = "ADSUM" SET, Resource Before Request = "ADSUM" SET, what happens in this case is While Creation on New User The User only which satisfies SET Condition is Created, BUT If I Update an Existing User to Criteria such that the User is not member of ADSUM SET, The User Still gets updated from FIM to Target AD's. I then disabled the above R-MPR, and Created T-MPR with criteria of Trasition IN (ADSUM) SET , The same thing as mentioned above happens , i.e. New User which is not member of SET is not created, but and Existing User when Updated such that it is not member of SET still gets Updated. I would like to Inform that when I tried Updating T-MPR Advanced Properties, the Values of Principal SET,and Resource Current SET to "ADSUM" it gives me Access Denied. Thus I only have Resource Final SET as "ADSUM" selected. As I want to Create as well as Update (Attributes) of Users , Request to Inform Which MPR is best suited , and what setting am I missing in either of the MPR's such that User Update Flows even If the User is not member of Desired SET. Regards, Kaushik
February 25th, 2011 4:29am

Would you like to clarify your scenario? Which one do you want to achieve? User in "ADSUM" can create and update attributes of ANY user Any user can create and update attribute of user in "ADUM" User in "ADSUM" can create and update attributes of user in "ADSUM"
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2011 4:34am

Hi nTony, I would like to Achieve, 1. All New users who satisfy the Criteria for becoming Member of "ADSUM" should only be created from HR to FIM to AD and 2. Existing users in FIM and AD , If Updated by HR , with Value such that they become Non Member of "ADSUM" , Then those Users should not get Updated in AD and if Possible in FIM . and vice versa , The Users which are member of ADSUM and if any of their attribute is Updated such that they continue to be member of "ADSUM" , Then they should be Updated in FIM and AD. i.e. only ADSUM SET Users should be Updated and New Users who are member of ADSUM will only be created in FIM and AD. Thanks for reply, Regards, Kaushik
February 25th, 2011 4:51am

thanks for clarifying. Unfortunately, your scenario involves sync and i am not the expert in that area. I will let other experts chime in
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2011 11:17pm

thanks for clarifying. Unfortunately, your scenario involves sync and i am not the expert in that area. I will let other experts chime in
February 25th, 2011 11:17pm

For both of these you're going to need to use an outbound sync rule. For #1, you want a Workflow which adds the target to the scope of your outbound rule. Subsequently an MPR which fires that workflow on Transition in to your ADSUM set. For #2, you want a workflow which removes the target from the scope of your outbound sync rule. Create an MPR which fires that workflow on Transition Out of your ADSUM set. You need to make sure that the deprovisioning options for your AD Management Agent are set to Disconnect.My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
Free Windows Admin Tool Kit Click here and download it now
February 26th, 2011 1:25pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics