authorization on sync
I want to add an authorization workflow on the syncing of my users from the HR source to FIM, so that I can have someone like an HR manager authorize the adding of a user. I created an authorization workflow and added it to 'Synchronization: Synchronization account controls users it synchronizes'. But it doesn't do anything.
It works for my admin when I add it to 'Administration: Administrators can read and update Users' and then create a user in the portal, so the authorization workflow itself is OK.
What do I need to do to make this work?
May 12th, 2010 12:02pm
Unfortunately, by design, the Synchronization account bypasses all authentication and authorization workflows, so you will not be able to trigger the authorization workflow when sync'ing from HR to FIM. You can find information about this in the Installation Guide:
Understanding the purpose of the FIM Service management agent account
The purpose of this account is to make it possible for the FIM Service to be able to identify the FIM Synchronization Service when it is exporting to the FIM Service through the Web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run.
I had a similar requirement for a client; the only supported option from the product group was to create a custom workflow activity that would then use the FIM web services to create the user within FIM. By doing so, you would be running under a different user context (not the Sync account) and would trigger the authorization workflow. In the end, the client decided to change the process, so I never ended up pursuing this.
There is a Feedback item (Start Approval Workflow from HR Feed) on Connect that addresses this. If it's important to you, please vote it up. There are some additional suggestions on how to handle this situation there as well.
Cheers,
Marc
Marc Mac Donell, ILM MVP, VP Identity and Access Solutions, Avaleris Inc.
May 12th, 2010 4:22pm
Marc is correct.
We can't add that workflow to the creation of the object in the Portal.
However, there are other workflows that can be used.
What is your ultimate goal with this approval workflow?
Prevent new users from appearing in the portal until they are approved?
Prevent new users from appearing in other systems like AD and Exchange until they are approved?
You can have new users appear in the Portal with a flag set to personUnapproved=true.
You could then modify your MPRs so that normal users can't see users in this state.
You could also modify your MPRs/provisioning rules so they do not create new AD/Exchange/other objects for users in this state.
You could write a process so that users in this state then have their personUnapproved flag changed to false that triggers an MPR with an approval step for the HR department.
As you can see - this is going to take some work and the specific steps really depend on how you want to handle the users prior to HR approval.
Think on this for a while and let us know what you decide.
-Jeremy
May 12th, 2010 7:28pm
Thanks, it's good to have an idea of how this could be achieved.
The idea was not to just let everything flow in without approval, and then after that indeed also let ICT services approve the creation of the AD account. Also, if someone would change a user's department in the HR system, I would like the manager of the department to approve the move of this user to his department.
May 14th, 2010 11:52am
You could have two attributes in the Portal:
Department
HRDepartment
Changes to HRDepartment could trigger an action workflow to update Department. This update to Department could require approval.
-Jeremy
May 14th, 2010 5:53pm
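A small model of the request evaluation Jeremy describes, added here as an illustration and not code from this thread or from FIM itself. It assumes the simplified rules stated in the thread (the Synchronization account skips AuthZ workflows and only action workflows run for it; a request an action workflow makes runs in a different context, here assumed to be the FIM Service account) and uses constructed MPR and attribute names to show why an approval on the sync MPR never fires while the HRDepartment/Department pattern does.

```python
# Added illustration, not FIM code: a toy model of FIM Service request evaluation.
from dataclasses import dataclass
from typing import Callable, Optional

SYNC_ACCOUNT = "Built-in Synchronization Account"  # bypasses AuthN/AuthZ (per the thread)
SERVICE_ACCOUNT = "FIM Service Account"            # assumed requestor for action-workflow requests

@dataclass
class Request:
    requestor: str
    target: str
    attribute: str
    value: str

@dataclass
class MPR:
    name: str
    requestors: set
    attributes: set
    authz_workflow: Optional[str] = None                     # approval workflow, if any
    action: Optional[Callable[[Request], Request]] = None   # action workflow producing a follow-up request

def process(req, mprs, log):
    """Evaluate one request (and any follow-ups) against the MPRs; returns the log of outcomes."""
    matched = [m for m in mprs if req.requestor in m.requestors and req.attribute in m.attributes]
    if req.requestor != SYNC_ACCOUNT:                      # sync account: AuthZ is ignored entirely
        approvals = [m.authz_workflow for m in matched if m.authz_workflow]
        if approvals:
            log.append((req.attribute, "PendingApproval", approvals))
            return log                                      # nothing commits until someone approves
    log.append((req.attribute, "Committed", []))
    for m in matched:                                       # action workflows run after the commit
        if m.action:
            process(m.action(req), mprs, log)
    return log

def copy_to_department(req):
    """Action workflow (constructed): mirror HRDepartment into Department under the service context."""
    return Request(SERVICE_ACCOUNT, req.target, "Department", req.value)

def scenario_approval_on_sync_mpr():
    """The original poster's attempt: approval attached to the sync MPR is silently skipped."""
    mprs = [MPR("Sync controls users", {SYNC_ACCOUNT}, {"Department"}, authz_workflow="HR manager approval")]
    return process(Request(SYNC_ACCOUNT, "jdoe", "Department", "Sales"), mprs, [])

def scenario_two_attributes():
    """Jeremy's pattern: sync writes HRDepartment; the copy to Department is what needs approval."""
    mprs = [MPR("Sync controls users", {SYNC_ACCOUNT}, {"HRDepartment"}, action=copy_to_department),
            MPR("Department change needs approval", {SERVICE_ACCOUNT}, {"Department"},
                authz_workflow="Department manager approval")]
    return process(Request(SYNC_ACCOUNT, "jdoe", "HRDepartment", "Sales"), mprs, [])
```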
OK, so basically for anything that I want to trigger on I could create two attributes, one that gets set through sync, and then use an action workflow to update the second attribute and put an approval on that one.
I think I understand how I can achieve this kind of thing. Thanks for explaining this concept, Jeremy.
May 17th, 2010 9:48am
You're welcome.
Please do report back to the group about your solution to this requirement and anything that worked well or did not work.
-Jeremy
May 18th, 2010 3:52am