I have 3 MAs, HR, FIM and AD, and I want to publish users from HR and FIM, as in the "Publishing To Active Directory from Two Authoritative Data Sources" guide. I have an attribute, called Section, for which precedence is like this: HR, FIM. This attribute is present in HR, and I want it to be prioritary, but if an account is created in FIM, I want to export to AD the value in FIM. Everything works fine, as long as "Section" has a value in HR. However, if this attribute becomes null in HR, the old value from FIM is taken, while I would need it to be exported as null to FIM. Is this possible? Is there an equivalent of "allow nulls" for inbound flows? Thanks, PaoloPaolo Tedesco - http://cern.ch/idm

What happens if you select Allow Nulls for the related export attribute flow mapping on your FIMMA? Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Hi Markus, I already selected it. When I unset the attribute from HR and I import the changes (HR Full Import + Full Synch), if I look at the MV object properties, I see the old value for the attribute, and FIM as contributing MA. Thanks, PaoloPaolo Tedesco - http://cern.ch/idm

Just for testing purposes, please remove the IAF mapping for that attribute from the FIM MA. Does the Null from HR go through in this case? Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

If I remove the import flow from FIM, then everything works as expected: removing the attribute from HR results in the attribute being removed from FIM. If I put back the import flow and reconfigure the MV precedence as HR - FIM, then the problem reappears: removing the attribute from HR results in no changes in FIM. Looking at the MV object properties, I see the old value for the attribute and FIM as contributing MA. Cheers, PaoloPaolo Tedesco - http://cern.ch/idm

Thanks, you have saved me some time testing something. Basically, what you see is by design. If a MA contributes a Null, this is interpreted as "I don't want to contribute anything anymore". This is similar to disconnecting an object where attribute recall / repopulation kicks in. So, what you see is a repopulation based on the remaining connectors - in your case the FIMMA. In general, be careful with "Nulling" values. Since you are sitting in front of this scenario, could you please do another test for me? What happens if you modify the IAF for Section to something like this: IIF(IsPresent(Section),Section,"") There is probably no need to really pull the value from FIM - isn't a blank good enough in this case? I haven't tested this yet and wonder whether this produces the expected result. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Hi Markus, Thanks for the answer and the explanation, I see the point. Your workaround produces the expected result, thanks! There is only one small problem: for each of the users not having a Section in HR, I see an 'exported-change-not-reimported' warning. Do you think there's a way to make it disappear? Thanks, PaoloPaolo Tedesco - http://cern.ch/idm

Hi Markus, There is an additional problem when trying to export the attribute to AD: I want to export this attribute to an extension attribute, and apparently trying to export an empty string causes a "constraint violation" error. This, however, can be easily solved by defining the export flow like IIF(Eq(Section,""),Null(),Section) and checking "allow null values to flow to destination". Sadly, this solution is not ok for me, as it generates "exported-change-not-reimported" warnings at every run. Since I trigger a custom activity whenever this attribute changes (as I need to copy its value from one account to several others) this causes a lot of unnecessary activities to be executed, as the value of Section is changed at every export. Is there a way to fix the spurious "exported-change-not-reimported" warning with empty strings? Thanks, Paolo Paolo Tedesco - http://cern.ch/idm

You are right, I forgot to think about workflow activities in my response to your other thread. I belief, your best bet is to take the CSS route to make sure that this will be fixed. Cheers, Markus Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Paolo, One thing that is often done to address the scenario with an empty string causing the export-change-not-reimported error is instead of using "" as value to use, use an attribute that you know is NULL. One common solution is to create a new attribute alled 'NullAttribute' or something like this, and use that as the value to be used for NULL/empty value. This should keep the export errors from occurring and still accomplish your goal of NULLing out the target attribute.

@Markus, thanks for the suggestion, I contacted the Customer Service. @Glenn, I'm sorry, but I don't really see how that should change the situation...Paolo Tedesco - http://cern.ch/idm

My apoligies Paulo, I mis-understood your scenario. Markus set me straight :)

Hi Glenn, don't worry, I was just hoping that a workaround existed :) Thanks, Paolo Paolo Tedesco - http://cern.ch/idm

Hello, I'm facing the same issue, but it's even more complicated as the attribute in question is Manager, which is a reference value. I'm currently syncing two Active Directories through FIM. the Precedence is as follows AD1 -> AD2 If a user in AD1 has a manager specified , it will flow correctly to AD2 If afterwards I clear the manager attribute in AD1, I expect, that it should be cleared in AD2, especially as I have allowed Null flow for this attribute throughout the system Instead, in the Metaverse the attribute remains, and the contributing MA is now AD2. Has this problem been solved in a hot fix I can download yet? I don't understand what the use of Allowing Null flows is, in this case. The attribute being reference, also prevents me from using a rules extension, or a custom expression in the sync rule as that is not allowed. Thanks Sam Amin Software Development Director - BlueCloud www.BlueCloudCorp.com

i too am having the above issue, i am unable to sync a NULL entry from our HR source into AD even though Allow nulls is enabled. any fix for this issue

i too am having the above issue, i am unable to sync a NULL entry from our HR source into AD even though Allow nulls is enabled. any fix for this issue

FIM doesn’t interpret NULL in a Connector Space, as a value that should be pulled into the metaverse. Instead it takes it to mean that this connector is no longer contributing to this attribute. So if there is any other MA with lower precedence that contributes a value to the same attribute, it will take it. So you have two options. 1) Have only one MA contribute values to this attribute, so when adjusting precedence, the number of Mas for this attribute should be only 1 2) Write a rule extension, that writes an empty string to the metaverse, when the value in the connector is null. Sam Amin Software Development Director - BlueCloud Sam Amin Software Development Director - BlueCloud www.BlueCloudCorp.com

FIM doesn’t interpret NULL in a Connector Space, as a value that should be pulled into the metaverse. Instead it takes it to mean that this connector is no longer contributing to this attribute. So if there is any other MA with lower precedence that contributes a value to the same attribute, it will take it. So you have two options. 1) Have only one MA contribute values to this attribute, so when adjusting precedence, the number of Mas for this attribute should be only 1 2) Write a rule extension, that writes an empty string to the metaverse, when the value in the connector is null. Sam Amin Software Development Director - BlueCloud Sam Amin Software Development Director - BlueCloud www.BlueCloudCorp.com