Hi, Im having a issue with one user object in fim.. Somehow the user wont get their ERE entry ...I am syncing the user between 2 systems...HR and AD management agents... the user attributes mostly come from the Auth system (HR) with just the useraccountcontrol and domain values coming from AD... they join automatically in FIM MV and the synch rules are set up correctly to give the user object their ERE for final export to the AD...(for eveyone else at least) Ive tried disconnecting everything but the user account dosent come through again from the auth system (hr) and when i join the disconnectors again records i get this: ADMA - joiner rules HRMA -joiner rules FIMMA - Projection rules with all 3 connected as above the synch rule just wont get provisioned!!! ive found that other working persons have a Projection, Provisioning and join rule each and this arrangement seems to work..my relationship criteria is by ACCOUNTNAME... can anyone shed any light on this? I need to get him connected before i can delpoiy to live and Im pulling my hair out! please help :) StuCheers Stu

Hi Stu- What does the set transition/workflow logic look like to add these folks to the outbound sync rules?My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com

follows closely with the "synch from 2 authoritative sources" guide on technet site.. when users have: - "DEALER" as domain - "VIC" as state they get put into the "all dealers" set which then applies the "AD INBOUND AND OUTBOUND SYNC RULE".. it syncs the objects to the AD. i think this user wont work as its been disconnected? is there a way i can make the user account sync entirely again freshly from the HR MA?Cheers Stu

If you have disconnectors in the AD CS you need to join them to MV objects if HR is the authoritative source of AD users. In your AD SR what is your relationship criteria? And are the attributes required in the CS, e.g. if using employeeID is that in the CS (if you look at the disconnector does it have the attribute value) and the MV (does the MV object have an employeeID)? Also, note, that if your AD SR is *outbound only* it won't join. It needs to be an inbound and outbound or you need another inbound rule to actually apply the relationship criteria and join.

> is there a way i can make the user account sync entirely again freshly from the HR MA? If it's a lab, you can always delete the CS of both AD and FIM then re-stage both, turn off sync rule provisioning, full sync both, turn on provisioning and disable/enable your SR MPR (to recreate the EREs). Not the best answer but definately a quick and easy way to get back to a known state. :)

Paul Thanks for replies..i could delete the CS but there are so many users and settings ill have to do over again so ill leave that as a last option..your other questions below: - all disconnectors have been joined to MV objects - relationship criteria is: USERID (HR) > ACCOUNTNAME (FIM) > SAMACCOUNTNAME (AD)..therefore AD is: accountName > SamAccountName - import attribute flow has 'not precedent' for the accountname (i will change precedence and see if i can fix) - in AD outbound flow...the accountame is "not applied" in the HR outbound flow..it is applied... also how could i make it entirely sync again..change a value or something ion the HR MA? Cheers Stu

Paul Thanks for replies..i could delete the CS but there are so many users and settings ill have to do over again so ill leave that as a last option..your other questions below: - all disconnectors have been joined to MV objects - relationship criteria is: USERID (HR) > ACCOUNTNAME (FIM) > SAMACCOUNTNAME (AD)..therefore AD is: accountName > SamAccountName - import attribute flow has 'not precedent' for the accountname (i will change precedence and see if i can fix) - in AD outbound flow...the accountame is "not applied" in the HR outbound flow..it is applied... Cheers Stu

You can rerun your synchronisation rules whenever you want. After changing precedence you'll have to do this, but make heavy use of preview to test and validate before wasting time running full syncs, etc. If all disconnectors are joined you don't have any disconnectors right? If you want to generate a new ERE you need to do one of the following things: Manipulate the object such that the MPR that fires the Synchronization Rule activity is invoked (this is often a set transition MPR so getting a resource that is not in the set into the set is the goal). Disable and enable the ST-MPR after enabling Run On Policy Update (ROPU, also referred to as retroactive policy application). Where are we?

Look in the “Search Requests” page, find the Request that you expected to trigger the MPR (eg. the request that created the user). Open up the Request and look at the applied policies tab. If the MPR that triggered the sync rule with ERE Provision workflow is not listed there, it did not get triggered.

thanks for the help guys..it seems that from making a change to the user in the portal generated the ERE process again. "Manipulate the object such that the MPR that fires the Synchronization Rule activity is invoked (this is often a set transition MPR so getting a resource that is not in the set into the set is the goal)" cheers stuCheers Stu