Request Management Policy Rule - Users Stuck in Pending
Hello,
I am setting up a test enviornment where i am importing data from a HR data source, exporting it into the FIM Database and then Export it to AD. I have an issue where once the user is exported into the FIM database the MPR rule stays in a pending state under
the properties of the user. I have completed sveral full imports, Syncs etc with no change.
Same thing happens when i create a new user in the FIM Portal. Have i missed something or is the below settings incorrect
Here are my settings
Management Policy Rule Configuration
Name
AD User Provision MPR
Description
Created Time
17/06/2011
Type
Request
Grants Permissions
False
Disabled
False
Requestors and Operators
Requestor
All People
Operation
Create, Modify
Target Resources
Before Request
All Active People
After Request
All Active People
Resources Attributes
AccountName
Policy Workflows
Type
Display Name
Action
AD User Provision
AD Export Sync Rule
Synchronization Rule Configuration
Name
AD User Export
Description
Created Time
17/06/2011
Precedence
1
Data Flow Direction
Outbound
Dependency
Scope
Metaverse Resource Type
person
External System
AD
External System Resource Type
user
Relationship
Create Resource In External System
True
Enable Deprovisioning
False
Relationship Criteria
ILM Attribute
Data Source Attribute
employeeID
employeeID
Initial Outbound Attribute Flows
Allow Nulls
Destination
Source
false
dn
+("CN=",lastName,"\, ",firstName,",OU=Test,OU=Users,DC=TestDomain,DC=com")
false
userAccountControl
Constant: 514
false
unicodePwd
Constant: P@ssword!
Persistent Outbound Attribute Flows
Allow Nulls
Destination
Source
false
sAMAccountName
accountName
false
employeeID
employeeID
false
givenName
firstName
false
sn
lastName
false
displayName
displayName
false
dn
+("CN=",lastName,"\, ",firstName,",OU=Test,OU=Users,DC=TestDomain,DC=com")
HR Import Sync Rule
Synchronization Rule Configuration
Name
HR Data User Import
Description
Created Time
17/06/2011
Precedence
1
Data Flow Direction
Inbound
Dependency
Scope
Metaverse Resource Type
person
External System
HR Data
External System Resource Type
person
Relationship
Create Resource In FIM
True
Relationship Criteria
ILM Attribute
Data Source Attribute
employeeID
EmployeeID
Inbound Attribute Flows
Destination
Source
employeeID
EmployeeID
firstName
FirstName
lastName
LastName
accountName
UserID
displayName
+(UpperCase(LastName),", ",FirstName)
WorkFlow
Workflow Configuration
Name
AD User Provision
Description
Created Time
17/06/2011
Workflow Type
Action
Run On Policy Update
False
Synchronization Rule
Name
AD User Export
Action
Add
June 20th, 2011 1:46am
Hi BlueMan -
Please explain your logic for using a 'Request' MPR rather than a 'Set Transition' MPR.
Please also explain your logic for flowing two (different) DNs in your ADDS provisioning OSR.
Cheers,
MMS_guru
Identity & Metadirectory, Hewlett-Packard UK
Hi MMS_Guru,
I am testing out a Request MPR because eventually i will be setting up notifications and authorization. But first i need to get the MPR to provision the user in AD before i start making all these changes.
I madea mistake with the two different DNs i will edit the post above and fix it.
Thanks
Free Windows Admin Tool Kit Click here and download it now
June 20th, 2011 5:36pm
Have you enabled 'Synchronization Rule Provisioning' in the Sync Engine?
Please check that this is turned on in Tools > Options in the Sync Engine.
Locate a person object in the FIM MA CS, click Preview & Generate Preview.
Is there anything obviously causing provisioning to fail in the Preview UI..?
Cheers,
MMS_guru
Identity & Metadirectory, Hewlett-Packard UK
June 21st, 2011 11:23am
Yep Synchronization rule provisioning is enabled.
In the preview view it displays
Connector Updates
- Random numbers - FIM Management Agent
Export Attribute Flow
All Attributes applied expect for ObjectSID
No errors have been reported
Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2011 12:57am
Are you flowing the ExpectedRulesList attribute in the FIM Service MA?
Cheers,
MMS_guruIdentity & Metadirectory, Hewlett-Packard UK
June 22nd, 2011 11:34am
thanks ms_guru,
no, i'm not flowing the expectedrulelist attriute in the FIM service. SHould i?
I do see a few in the MV but they are only created when a new object is made and have a status of pending.
thanks
Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2011 12:19pm
The 'ExpectedRulesList' attribute should be configured on the FIM Service MA.
For the [FIM Service] 'Person' object to the [MV] 'person' object, flow ERL into the MV.
The Sync Engine uses the ERL to determine which SR to apply to MV objects.
Cheers,
MMS_guruIdentity & Metadirectory, Hewlett-Packard UK
June 22nd, 2011 12:37pm
Thanks MMS_guru that solved it.
Legend
Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2011 12:49pm