Set manager attribute in Active Directory using FIM RC1
Hi

I try to set the manager attribute of a user account. In my example the user account itself has the sAMAccountName of its manager stored in a string formatted attribute, let's say "adManagerAccount", in the metaverse. Now I try to flow the attribute out to AD using a custom expression:

Source: /Person[accountName=adManagerAccount]
Destination: manager

If a given object has "TomTaler" as accountName and the object in question has "TomTaler" in its adManagerAccount value in the metaverse, then in my understanding /Person[accountName] should result in a reference to the object with the value of "TomTaler" as accountName. I also tried to hard-code the name into the source statement without success:

Source: /Person[accountName='tomTaler']

What should the source look like so that it can be used as a reference value?

BTW: Henrik Nilsson told me not to use a string value; instead I should use a DN
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/6c5f1d1f-245f-4f84-9ddc-9261141570ea

To be more specific: the question is how to query to get the DN as a result whenever I only know the value of one unique attribute?

In the meantime I also imported the manager's DN into the metaverse in the attribute named "adDN".

EscapeDNComponent(/Person[accountName='TomTaler']/adDN)

Same error. Any help is appreciated.

Henry
November 2nd, 2009 4:06pm

Hi Henry,

Sorry I didn't explain it better to you last time (in the ILM Forum)! If I understood everything right you wish to force a value for manager onto users using a sync rule!? Since Manager is a reference attribute you should set the objectId value (FIM specific) of the manager's person object to the manager attribute when you do this from within FIM. During sync this value will be transformed into the DN of the manager (anchor attribute in AD MA) automatically.

Edit: Aha... Now I get it. You can't use a custom expression to perform an xpath filter search; custom expressions are really simple functions without any connection to the database (they could be executed both from workflow using the function activity and from within FIM sync service where the flow rules are actually executed). You could look up the objectID of a person you wish to set as manager in the portal and hardcode it to the sync rule and you'll see it will work.

If you wish to do this dynamically depending on for example an attribute value you'll have to use workflow. A good idea is to use the Enumerate Resources Activity (takes xpath as an argument) to find the person you wish to use as manager; then you could store the value of the manager person's objectID as a workflow parameter for use in the sync rule or set the manager attribute directly on the person resource from within the workflow using the Update Resource Activity. Unfortunately both of these activities can't be used from the FIM workflow designer so you'll have to create the workflow in Visual Studio and import it as xoml.

//Henrik
Henrik Nilsson
Blog: http://www.idmcrisis.com
Company: Cortego (http://www.cortego.se)
November 2nd, 2009 4:59pm

Hi Henry,

I'd suggest going back to basics and resolving this at the MA you used to contribute "adManagerAccount" in the first place - using Henrik's suggestion of making this a reference DN type there. ILM/FIM will manage references for you automatically as long as they are valid in the source and the attribute flow is DN -> DN. For example:

empid: 1
name: manager

empid: 2
name: employee
manager: 1

Using this oversimplified set of records where empid is the anchor, you would tell the MA that the manager attribute is a reference DN and ILM/FIM will handle it automatically allowing you to flow cs:manager -> mv:manager and through the portal etc...

Now, if your data set looks like this it won't work:

empid: 1
name: manager

empid: 2
name: employee
manager: manager

In this example, the manager attribute in the source is a string and isn't storing the empid of the manager - ILM/FIM won't allow you to define this attribute as a reference DN in the first place.

Hope that helps,
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
November 3rd, 2009 12:09pm

Hi Brad

I want to configure a Sync between my Active Directory and a SQL Server database. When I configure the db schema, I put the Manager attribute as a Reference (DN) and the field data looks like CN=UserName,OU=Users,DC=domain,DC=com, that is the DN of the manager. When I run the sync, I get a cs-attribute-type-mismatch error.

How can I sync the manager of the active directory users? Is the DN the correct format?

Thanks

Alberto Diaz Martin
twitter://@adiazcan | http://geeks.ms/blogs/adiazmartin
August 18th, 2010 6:27pm

Ahh, not exactly - let's look at our example again:

empid: 1
name: manager

empid: 2
name: employee
manager: 1

Empid is our anchor with manager referring to a record in the same namespace. The namespace in this case would be numerical, and for illustration purposes if we had records ranging from 1 to 10,000 then a valid reference would be a manager value of 228. A manager value of "John Smith" would be invalid; type issues aside, it doesn't "refer" to a valid record in the same namespace.

So, you need to import this data from your HR system using this methodology. It's common for HR to store both the manager's empid as well as their name, which I typically discard the latter. Configuring the manager's empid value as the Reference DN attribute in your HR MA gets the data imported into the metaverse properly and the rest is just normal attribute flow to AD.

Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
[If a post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]
August 26th, 2010 11:16pm
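
Added example, not part of the original thread and not FIM code: a pre-import check, on the record layout used in the post above, that every manager value refers to an empid present in the same data set. The function name, field names and sample rows are constructed for illustration; comparing values as trimmed strings is an assumption of this example, not FIM behaviour.

```python
# Added example: find manager values that would not resolve to an anchor
# (empid) in the same namespace. All sample rows below are constructed.

def check_manager_references(records, anchor="empid", ref="manager"):
    """Split records into resolvable references and ones that cannot resolve.

    Values are compared as trimmed strings, so a numeric-looking anchor
    stored as text ("228") still matches 228. Assumption of this example.
    """
    def key(value):
        return None if value is None else str(value).strip()

    anchors, duplicates = {}, []
    for rec in records:
        k = key(rec.get(anchor))
        if k in anchors:
            duplicates.append(k)      # anchor must be unique per record
        anchors[k] = rec

    resolved, dangling, self_ref = {}, {}, []
    for rec in records:
        me, mgr = key(rec.get(anchor)), key(rec.get(ref))
        if not mgr:
            continue                  # no manager set, nothing to resolve
        if mgr == me:
            self_ref.append(me)       # record names itself as manager
        elif mgr in anchors:
            resolved[me] = mgr        # refers to an existing record
        else:
            dangling[me] = mgr        # e.g. a display name, or unknown id
    return {"resolved": resolved, "dangling": dangling,
            "self_ref": self_ref, "duplicate_anchors": duplicates}

# Constructed sample: rows 1-2 follow the thread's example, the rest add
# a name used as reference, a text-typed id and an id with no record.
SAMPLE = [
    {"empid": 1, "name": "manager"},
    {"empid": 2, "name": "employee", "manager": 1},
    {"empid": 3, "name": "employee2", "manager": "manager"},
    {"empid": "4", "name": "employee3", "manager": " 2 "},
    {"empid": 5, "name": "employee4", "manager": 228},
]

if __name__ == "__main__":
    for kind, found in check_manager_references(SAMPLE).items():
        print(kind, found)
```
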

I see, but is there any way to do a lookup to find managerId using AD dn? I try to sync my SharePoint 2010 user profiles with my Active Directory and my HR database.

Alberto Diaz Martin
twitter://@adiazcan | http://geeks.ms/blogs/adiazmartin
August 27th, 2010 1:39pm

Once you export the manager attribute to AD you could then import it into SharePoint. Once you get the manager reference into the metaverse, FIM handles the referential integrity and lookups for you.

Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
September 7th, 2010 6:14pm

Brad,

I'm struggling with this also. In my environment HR stores the employeeID as text - it is unique and a number but it is a text field. The manager reference does meet the above model. Managers are identified using that manager's employeeID - also a text field. In the HRMA, employeeID is the anchor. When I try to bring in the managerID as a referenceDN I get "The type of managerID (String) is not compatible with the type of ManagerDN (Reference)".

As I mentioned, the employeeID is the anchor so I assume it converted automatically. What is the proper type for the manager_ID and is there any way to convert it on the fly?

Thanks,
November 1st, 2010 3:16pm

This topic is archived. No further replies will be accepted.
