FIM admin approval on user deletion
Hello guys, I'm working on a cool FIM project (Portal and everything) and I had an issue I need help with. My portal is synchronizing between a file and an Active Directory. I want to tell my portal to ask for authorization before deleting anything. I created my workflow and my MPR; however, the users are getting deleted without my approval. If I delete the users manually from the portal, approval works, and a mail is sent! Can anyone help? Thanks!
Hitch
Hitch Bardawil
May 27th, 2011 10:51am

Users are getting deleted - how? From the sync service? I believe there is a problem with authZ workflows being bypassed for the Sync account. There are quite a few posts on this forum about that. Here's one thread - I know there are others as this has been a much-discussed topic: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/ca6ad47b-6cc7-459d-a446-dc69dde3b162
http://www.wapshere.com/missmiis
May 27th, 2011 2:53pm

Hello Carol, well, users are getting deleted through the sync rule, as they should, but I'm just not getting any approval request. I just read I had to create a custom activity that asks for approval before user creation/deletion? I'm still a bit unfamiliar with those... Any resources you could recommend? Thanks!
Hitch Bardawil
May 30th, 2011 5:58am

What Carol was trying to explain: typically you would attach this "approval" to an authorization workflow. However, as the sync account bypasses these, your approval will never be considered...
http://setspn.blogspot.com
May 30th, 2011 6:31am

Thanks Thomas, that's what I'd understood. So is there a way to get this approval anyway? Custom workflows maybe?
Hitch Bardawil
May 30th, 2011 7:36am

From a FIM Portal point of view it's like you're doing it the wrong way around - the object has already been deleted and then you want approval. While this may make perfect sense in your environment I think the expectation is that the portal would be driving the deletion. So, for example, in my environment I have a check box "Confirm Delete" which only appears once a user has already been disabled and moved into OU=Resigned. The responsible administrator then ticks the box to confirm the final object deletion. If I wanted to add an approval workflow to checking this box it would be very easy to do. Once that's done I can delete the target objects, and then import the deletion back into the Portal without any further approval being needed. Not an answer I know but maybe it helps to understand why it works this way...
http://www.wapshere.com/missmiis
May 30th, 2011 8:44am

Thanks for the answer, it does clarify how this thing works. Then there is no way to ask for approval before creation or deletion of objects, I can x this out? I can still send an alert email I guess, right?
Hitch Bardawil
May 31st, 2011 4:58pm

Hello again! I was trying the method you told me about with a little variation! I created a new boolean attribute "approve" and bound it to the user resource, then created two sets based on the values of this attribute. My workflow only creates the user in Active Directory if the value of this attribute is true, so basically the users imported from the file remain in the portal until someone checks this box, then the MPR gets executed. Could you please confirm that this could work? I then need to add this checkbox to the user creation/edit GUI. Any guidelines I could follow? Thanks for your help, you're a life saver!
Hitch Bardawil
June 1st, 2011 7:29am

Yes that should work. For editing the RCDC there's only really the official documentation: http://technet.microsoft.com/en-us/library/ee534918(WS.10).aspx
My tips for editing RCDCs are:
- Always keep a backup of the previous version,
- Only make one change at a time - even though it's a bore to have to load in the new XML and restart IIS all the time, it's way quicker than trying to backtrack through a bunch of changes when the new form doesn't work.
http://www.wapshere.com/missmiis
June 6th, 2011 3:30am

This topic is archived. No further replies will be accepted.
