Same (equal) users/attributes in both data sources (from HR SQL data to Active Directory)?
Hi all. I have one question regarding FIM provisioning users from an HR SQL database to Active Directory. Of course everything about that is well documented, but my question is primarily about the same (duplicate) users and data in both sources. In my scenario, the company has been using the HR application for a long time and also Active Directory for a long time, so all users are in both sources. Now they would like to implement FIM in a scenario where HR SQL will be the authoritative data source and all users will be provisioned to Active Directory. So as far as I know, basically I need an inbound flow from the HR data source, then an outbound flow to AD, and then also an inbound flow from AD to FIM to give users the ability to use the FIM portal. But what will happen with all those users, because they are the same in both data sources (HR & AD)? Do I need to use join rules, something else, or could I use normal provisioning and inbound and outbound rules as described here on TechNet? Please, can you explain to me the needed steps for my scenario where both data sources already have most of the data in place and the data is mostly the same? Of course they would also like to use FIM from now on for all new users created in the HR database to be provisioned to AD (OK, with that one there should be no problems, because newly created users do not exist in AD). Every kind of help would be really appreciated. Thank you in advance.
February 20th, 2010 3:13pm
Hi Ivan, as I understand it you want to get the user from your HR to the portal and join the existing user in your AD to the one imported from HR. In this case, you can follow the TechNet without a problem. For the existing user, the relationship criteria in the outbound sync rule are there to detect if a user in your AD MA already corresponds to it. For example, if your relationship criteria are accountName (in FIM Portal) to sAMAccountName (in AD MA) and there is a match (i.e. ISKOVIC01), then the export does not create a new user but updates the exported attributes indicated in the outbound sync rule.
February 20th, 2010 4:10pm
Thank you. Yes, I want to get the user from HR to the portal and also join the user in AD with the one imported into the portal. So as you say, there shouldn't be any problem with that? For example, in the HR database I have (EmployeeID: 001023, Name: John, Smith, Alabama), in the portal I currently have nothing, and in AD I have the same user but just the street address changed from Alabama to New York. So in that case FIM would first create the user in the FIM portal, then update attributes (address) in AD, and then provision the needed AD attributes (sAMAccountName, ObjectSID and domain) for the user's FIM portal access?
February 20th, 2010 4:29pm
Well, if your employeeID is your identity attribute, make an inbound sync rule in FIM with a relationship criterion based on employeeID and the option 'Create user in FIM' checked. Specify what attributes to flow (EmployeeID, Name, Department, ...). To be created in FIM, you must specify the attribute accountName, so the best way is to use the same value as the sAMAccountName in your AD. You must check how the sAMAccountName in AD is constructed to make it correct in the FIM Portal. Before launching the import from HR to AD, follow the TechNet to create the outbound sync rule with the workflow and MPR associated with it. The relationship criterion for your outbound rule to AD should be like AccountName -> sAMAccountName, or you can also use the employeeID if it is specified in AD for your existing accounts. In the attribute flow for the outbound rule, you must specify the sAMAccountName and the dn as INITIAL flow. Another inbound sync rule from AD should be created if you want the objectSID back from AD. Its relationship criterion must be like the one used for your outbound rule to AD. Do not check 'Create user in FIM' for this sync rule, since you only want to bind existing users in AD to the ones populated by your HR in FIM.
February 20th, 2010 8:11pm
Thank you. But what do I do if in the HR database I don't have the attribute accountName? OK, the relationship criteria can be based on firstname, lastname -> AD firstname, AD lastname. Also, I can generate the accountname based on firstname and lastname, but then probably some autogenerated accountnames won't be the same. I presume everything will be OK when there is no existing AD account, but with existing AD accounts my worry is that my autogenerated accountname will update the sAMAccountName in AD, and I don't want that to happen. Will it update the existing sAMAccountName if in the outbound flow "initial flow only" is checked? Thanks
March 1st, 2010 8:55pm
An initial flow initializes the attribute in the target MA only on creation. After that, only the persistent flows are synchronized. So if you specify the sAMAccountName as an initial flow, it will be set at the creation of an account in AD and never after.
March 1st, 2010 11:30pm
So basically, if I create the relationship criteria as described above and there is HR accountname = bobdylan and in AD sAMAccountName = bdylan, with initial flow checked bdylan will stay the sAMAccountName? Thank you so much for giving great answers even though some of my questions seem a little bit dumb :)
March 2nd, 2010 1:38am
Depending on your relationship criteria, the AD object will be joined or not. Taking your example, if the relationship criterion for your outbound rule to AD is accountName = sAMAccountName, FIM will detect that your accountName (bobdylan) is not the same as the sAMAccountName in AD (bdylan), so the relationship criterion does not match and it will create a new user with bobdylan as sAMAccountName. But if you have specified a relationship criterion as you described in a previous message (lastName = lastNameAD AND firstName = firstNameAD), then the join will occur, even if the sAMAccountName is not the same as the accountName in FIM; of course, if the sAMAccountName export is on initial flow only, it will not be changed in AD. The problem that can occur is if two people have the same first and last name.
March 2nd, 2010 3:49pm
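To make the join and flow behaviour discussed in this thread concrete, here is an added simulation of the outbound sync-rule logic (join on relationship criteria, create when nothing matches, initial-flow vs persistent-flow attributes). It is example code written for this page, not FIM's own engine and not code from any poster; the HR rows, AD rows and criteria are constructed sample data, and the handling of an ambiguous join (more than one AD match, the "two John Smiths" case) is simplified to reporting it and leaving AD untouched, which is the safe outcome to plan for before enabling the real sync.

```python
"""Simulation of FIM outbound sync-rule semantics (added example, not FIM code).

Three relationship criteria are compared over the same constructed data:
  - accountName -> sAMAccountName   (bobdylan vs bdylan: no join, duplicate created)
  - firstName+lastName -> givenName+sn (joins bdylan, but John Smith is ambiguous)
  - employeeID -> employeeID         (unique key, joins everyone that exists)
"""

# Constructed sample data: HR is authoritative; AD already holds most of these people.
HR_ROWS = [
    {"employeeID": "001023", "firstName": "John", "lastName": "Smith", "city": "Alabama", "accountName": "jsmith"},
    {"employeeID": "001024", "firstName": "Bob", "lastName": "Dylan", "city": "Duluth", "accountName": "bobdylan"},
    {"employeeID": "001025", "firstName": "John", "lastName": "Smith", "city": "Austin", "accountName": "jsmith2"},
    {"employeeID": "001026", "firstName": "New", "lastName": "Hire", "city": "Boston", "accountName": "nhire"},
]
AD_ROWS = [
    {"sAMAccountName": "jsmith", "givenName": "John", "sn": "Smith", "l": "New York", "employeeID": "001023"},
    {"sAMAccountName": "bdylan", "givenName": "Bob", "sn": "Dylan", "l": "Duluth", "employeeID": "001024"},
    {"sAMAccountName": "jsmith01", "givenName": "John", "sn": "Smith", "l": "Austin", "employeeID": "001025"},
]

# Relationship criteria: (FIM attribute, AD attribute) pairs that must ALL match.
CRITERIA_ACCOUNT = [("accountName", "sAMAccountName")]
CRITERIA_NAME = [("firstName", "givenName"), ("lastName", "sn")]
CRITERIA_EMPLOYEEID = [("employeeID", "employeeID")]

# Outbound attribute flows, AD attribute -> FIM attribute (assumed mapping for the example).
INITIAL_FLOWS = {"sAMAccountName": "accountName"}   # set on create only, never on a joined object
PERSISTENT_FLOWS = {"l": "city", "givenName": "firstName", "sn": "lastName"}


def find_matches(hr_row, ad_rows, criteria):
    """All AD rows satisfying every (fim_attr, ad_attr) pair of the criteria."""
    return [ad for ad in ad_rows if all(hr_row[f] == ad.get(a) for f, a in criteria)]


def plan_sync(hr_rows, ad_rows, criteria):
    """Map employeeID -> ('join', sAMAccountName) | ('create', accountName) | ('ambiguous', [sAM...])."""
    plan = {}
    for hr in hr_rows:
        matches = find_matches(hr, ad_rows, criteria)
        if len(matches) == 1:
            plan[hr["employeeID"]] = ("join", matches[0]["sAMAccountName"])
        elif not matches:
            plan[hr["employeeID"]] = ("create", hr["accountName"])
        else:
            plan[hr["employeeID"]] = ("ambiguous", [m["sAMAccountName"] for m in matches])
    return plan


def export(hr_rows, ad_rows, criteria):
    """Apply the plan to a copy of AD and return (ad_by_sam, plan) for inspection."""
    ad_by_sam = {ad["sAMAccountName"]: dict(ad) for ad in ad_rows}
    plan = plan_sync(hr_rows, ad_rows, criteria)
    for hr in hr_rows:
        action, target = plan[hr["employeeID"]]
        if action == "join":
            obj = ad_by_sam[target]
            # Joined object: only persistent flows apply; sAMAccountName (initial flow) is untouched.
            for ad_attr, fim_attr in PERSISTENT_FLOWS.items():
                obj[ad_attr] = hr[fim_attr]
        elif action == "create":
            # New object: initial flows run once here, then persistent flows.
            obj = {ad_attr: hr[fim_attr] for ad_attr, fim_attr in INITIAL_FLOWS.items()}
            for ad_attr, fim_attr in PERSISTENT_FLOWS.items():
                obj[ad_attr] = hr[fim_attr]
            obj["employeeID"] = hr["employeeID"]
            ad_by_sam[obj["sAMAccountName"]] = obj
        # 'ambiguous': real FIM reports a sync error and does not join; we leave AD untouched.
    return ad_by_sam, plan


if __name__ == "__main__":
    for name, crit in (("accountName", CRITERIA_ACCOUNT), ("first+last", CRITERIA_NAME), ("employeeID", CRITERIA_EMPLOYEEID)):
        _, plan = export(HR_ROWS, AD_ROWS, crit)
        print(f"criteria {name}:")
        for emp, action in plan.items():
            print(f"  {emp}: {action}")
```

Running `plan_sync` against CSV exports of the real HR table and AD (instead of the constructed rows above) is a cheap pre-check before the first export: any "ambiguous" entry under name-based criteria is a pair of users that must be disambiguated (or joined on employeeID, if AD carries it) before the sync rule is enabled, and any unexpected "create" is a naming mismatch like bobdylan/bdylan that would otherwise produce a duplicate account.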