newbie question: what is the purpose of FIM MA
Hello, I am still new to FIM and trying to learn it. However, I have a question that came to me while doing the FIM labs, using the scenario on ILM TechNet by synchronizing the info between the hrdata file and AD. Why do I need to:

Step  Management Agent  Run Profile
1     Fabrikam HRMA     Full Import
2     Fabrikam HRMA     Full Synchronization
3     Fabrikam FIMMA    Export

Shouldn't the Export step export the data from the MV to the FIM CS? Why do I need this step? And following that, why do I run the following:

Step  Management Agent  Run Profile
1     Fabrikam FIMMA    Delta Import
2     Fabrikam FIMMA    Full Synchronization
3     Fabrikam ADMA     Export
4     Fabrikam ADMA     Delta Import

Shouldn't I be able to do the following:
- HRdata full import
- HRData full sync
- AD MA Export
and objects will be created in AD, or am I missing a point?
Regards, Mahmoud Magdy
October 25th, 2009 6:01pm

Hi Mahmoud! The FIM MA is the connector to the Appstore (FIM DB) and it's within appstore you're supposed to manage your identities... This is what each step does...

1 Fabrikam HRMA Full Import - Imports data into HRMA Connector Space
2 Fabrikam HRMA Full Synchronization - Syncs data from HRMA CS to other connector spaces depending on configuration
3 Fabrikam FIMMA Export - Exports data to AppStore
4 Fabrikam FIMMA Delta Import - Confirming import to FIMMA CS after export (this is a required step)
5 Fabrikam FIMMA Full Synchronization - Syncs data from FIMMA CS to other connector spaces depending on configuration, for example changes made in Appstore to your identities from HRMA.
6 Fabrikam ADMA Export - Exports data to AD.
7 Fabrikam ADMA Delta Import - Confirming import from AD (this is a required step)

If you would do what you believe would be sufficient you would bypass AppStore, and that's ok (if you add a confirming import at the end) unless you plan to make any changes at all to your identities or if you use legacy rules for performing changes; this is how we used to do it in MIIS and ILM. By bypassing AppStore you won't get the nice workflow capabilities, group management, management from the portal, self service password reset, etc. etc...
//Henrik
Henrik Nilsson
Blog: http://www.idmcrisis.com
Company: Cortego (http://www.cortego.se)
October 25th, 2009 6:44pm

Hi Henrik,
I think that I am getting somewhere. Since I came from a pure MIIS background (and MIIS is my biggest weakness) I think that I started to understand the new architecture in FIM. Now I need to place the data in the FIM appstore in order to be able to have the new features, which makes sense. Now data will go from a CS to the appstore where it is modified by sync rules and workflows and gets exported back to the same CS or another CS based on the configuration. Now, if I am not wasting your time, can you explain some extra points to me: from my MIIS background, it looks like the import/sync/export steps have been changed and I am having some difficulties with them:
- Import is still the same.
- Sync changed from syncing from a CS to MV to syncing from CS to appstore, which is as I understand the default, since I cannot find how I have configured it to sync to the appstore directly (or this has been done in the MA itself).
- Export: I cannot understand the new functionality, since in step 3 it exports to the appstore and in 6 it exports to the AD. Has this been done using the sync rules?
- How does the delta confirm the import from or to a CD, and why is it required? AFAIK the delta just replicates the changes from a CS to MV or from MV to CS.
I hope that you understand why I am confused and hopefully I am not being silly :)
Thanks.
Regards, Mahmoud Magdy
October 25th, 2009 10:02pm

Hi Mahmoud! No questions are silly! It's the same steps but you can think of ILMMA as any MA except it's a bit special in that you can't write legacy sync rules for it. Sync has always been inbound and outbound sync in a single run step from CS to MV (inbound) and from MV to CS (outbound) so there's no change. Another new thing with FIM is the declarative provisioning: you no longer have to write code for provisioning resources (used to be called objects) to CS, you declare them in the portal as sync rules. That's probably why you don't understand how resources end up in appstore. Exports are still the only way to get resources from CS to a connected system, and it's the same with Appstore.

What happens in the chain above is that resources are imported from HR, synced to MV and on to FIM CS, exported to appstore (FIM Database) through workflows that eventually modify the resources in some way before they're imported back into FIM CS, synced to AD CS and at last exported to AD. What could be missing is an additional import between points 4 and 5 because the workflows need some time to complete their work before it's imported back, otherwise you might end up with an "exported change not reimported" warning.
//Henrik
Henrik Nilsson
Blog: http://www.idmcrisis.com
Company: Cortego (http://www.cortego.se)
October 25th, 2009 10:42pm

Thanks Henrik,
I am still a little bit confused but it looks like I need to have more hands-on time with FIM. I will have my own labs and then get back with more questions.
Thanks a lot for your support.
Regards, Mahmoud Magdy
October 26th, 2009 10:53am

Can I add some points quoting you, and correct me if I am wrong:
<<<What happens in the chain above is that resources are imported from HR [using the HRMA full import], synced to MV [using the full sync] and on to FIM CS [using the inbound sync rule], exported to appstore (FIM Database) through workflows that eventually modifies the resources in some way [using the outbound rules] before it's imported back into FIM CS [using which step], synced to AD CS [using export or what] and at last exported to AD.
Regards, Mahmoud Magdy
October 26th, 2009 10:56am

before it's imported back into FIM CS [using which step] - That's what is missing in your list above, because after the confirming import has been performed FIM needs a minute or two before the workflows are finished.
synced to AD CS [using export or what] - Step 5 (FIM MA Sync)

Import = Imports resources from connected system to CS.
Sync = Syncs resources from CS to MV (inbound) and from MV to CS (outbound).
Export = Exports resources from CS to connected system.

Edit: Check out these...
http://technet.microsoft.com/en-us/library/ee534911%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/ee534904%28WS.10%29.aspx
Henrik Nilsson
Blog: http://www.idmcrisis.com
Company: Cortego (http://www.cortego.se)
October 26th, 2009 11:09am

I started to get it, but as I said I will double check and read more and get back to you.
Thanks a lot mate, you are an angel.
Regards, Mahmoud Magdy
October 26th, 2009 5:13pm

I kind of 90% understand the workflow, just one quick question: shouldn't step 5, synced to AD CS [using export or what] - Step 5 (FIM MA Sync), be done by running the AD MA in Export mode?
Regards, Mahmoud Magdy
October 27th, 2009 5:55pm

:-) No! You want to sync information from FIM MA to AD MA, then you have to run sync on FIM MA. Sync means both inbound sync and outbound sync so if you have an inbound sync configured for FIM MA and an outbound sync on AD MA on the same resource type, data will flow through Metaverse from FIM MA to AD MA.
//Henrik
Henrik Nilsson
Blog: http://www.idmcrisis.com
Company: Cortego (http://www.cortego.se)
October 27th, 2009 6:08pm

ahaaaaaa, reading again the understanding inbound sync rule and matching your responses, that's what was missing:
- Import (staging) of an identity source object from a connected data source in the associated connector space
- Projection and flow of attribute values from the source connector space object to the metaverse by applying an inbound synchronization rule that is already available in the metaverse.
- Automated provisioning of the object into the connector space of the FIM 2010 Service as a result of the Create Resource In FIM flag that is set in the inbound synchronization rule of the source object.
- Export of the object to the FIM 2010 Service database to attach the calculated ERL attribute and population of this attribute value in the metaverse.
- Provisioning of the object to a target connector space as a result of applying the outbound synchronization rule that is defined in the ERL attribute value to the object.
So attribute flow defined in the MA defines how data flows from a DS to CS, but the sync rule defines how data in the CS flows to the MV and to the FIM DB, I seeeeeee. Just to confirm, step 4 is what you meant by waiting for a minute or 2 for the workflow to be processed by the FIM and data imported to appstore, am I right?
Regards, Mahmoud Magdy
October 28th, 2009 11:25am

This is my final question "I swear" :) What is the difference between attribute flow in the MA and the inbound sync rules? Am I right as stated above and att. flow is from DS to CS, "but it says data source attribute and mapped to MV attribute"? A little light on that please...
Regards, Mahmoud Magdy
October 28th, 2009 11:34am

The thing is that after you've made an export to a connected system you must always perform a confirming import; in the case with FIM MA you need an additional import after a minute or two in order for the workflows to be able to complete on the users. In your case, the introduction to outbound sync?... The case is initialized after the confirming import, then you add a user in the portal and for that user to end up in FIM CS you must make an additional import.
//Henrik
Henrik Nilsson
Blog: http://www.idmcrisis.com
Company: Cortego (http://www.cortego.se)
October 28th, 2009 11:55am
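
The run sequence described in the replies above, including the additional FIM MA import after a pause, as an added example that is not part of the original thread. It assumes it is run on the synchronization server, uses the sync service's WMI provider (`MIIS_ManagementAgent`), takes the lab's management agent and run profile names as quoted in the thread, and picks 120 seconds for "a minute or two".

```powershell
# Added example: runs the thread's run profiles in order through the
# synchronization service WMI provider. Run it on the sync server.
$ErrorActionPreference = 'Stop'
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

# Assumption: "a minute or two" from the thread, taken here as 120 seconds.
$WorkflowWaitSeconds = 120

# MA and run profile names are the lab names quoted in the thread.
$Sequence = @(
    @{ MA = 'Fabrikam HRMA';  Profile = 'Full Import' },
    @{ MA = 'Fabrikam HRMA';  Profile = 'Full Synchronization' },
    @{ MA = 'Fabrikam FIMMA'; Profile = 'Export' },
    @{ MA = 'Fabrikam FIMMA'; Profile = 'Delta Import' },                      # confirming import
    @{ MA = 'Fabrikam FIMMA'; Profile = 'Delta Import'; WaitBefore = $true },  # after workflows finish
    @{ MA = 'Fabrikam FIMMA'; Profile = 'Full Synchronization' },
    @{ MA = 'Fabrikam ADMA';  Profile = 'Export' },
    @{ MA = 'Fabrikam ADMA';  Profile = 'Delta Import' }                       # confirming import
)

function Invoke-RunProfile {
    param([string]$MAName, [string]$ProfileName)
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name='$MAName'"
    if (-not $ma) { throw "Management agent '$MAName' not found" }
    # Execute blocks until the run finishes and returns its status string.
    return $ma.Execute($ProfileName).ReturnValue
}

foreach ($step in $Sequence) {
    if ($step.WaitBefore) {
        Write-Host "Waiting $WorkflowWaitSeconds s for FIM workflows to complete"
        Start-Sleep -Seconds $WorkflowWaitSeconds
    }
    $status = Invoke-RunProfile -MAName $step.MA -ProfileName $step.Profile
    Write-Host ("{0,-15} {1,-22} {2}" -f $step.MA, $step.Profile, $status)
    # Strict by choice: any status other than 'success' (warnings, errors,
    # stopped runs) halts the chain so an export is never built on a failed
    # import or sync. Loosen this if your environment tolerates warnings.
    if ($status -ne 'success') {
        throw "Run '$($step.Profile)' on '$($step.MA)' returned '$status'"
    }
}
```

Halting on the first non-success status keeps a partial import or sync from being pushed onward to AD by the later export steps.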

Thanks Henrik for your dedication. That final missing piece is: what is the difference between attribute flow in the MA configuration page, which syncs to the MV, and inbound sync rules configured on the FIM portal? I believe that they work in coordination, but how are they related together?
Regards, Mahmoud Magdy
October 28th, 2009 12:00pm

You mean why conventional attribute flow must be configured together with "portal" attribute flows? If you read the section in the Introduction to Inbound sync document around the Create Resource In FIM flag you'll get a better understanding about this. Regarding the attribute flow for FIM MA, it's required for deciding what attributes are managed in Appstore, since the sync rules you define in the portal are only about syncing information between other MA's than FIMMA and the MV. To be honest, I haven't asked myself this earlier but that's pretty much because I haven't tried the Introduction scenarios (I should have tried them!!!) so I do hope this is the correct answer...

You are not required to define attribute flow rules for other MA's than FIM but...
Since it is necessary to fine-tune the replication process between connector space and metaverse, you can still use the conventional configuration mechanisms to configure the in- and outbound behavior of the c Service management agent. This applies especially for the configuration of import and export attribute flow rules.
- You could for example still use legacy attribute flow rules.

I do hope this answers your question but as I'm a bit uncertain about this myself I'll add a question for clarification about the relation between "Portal" attribute flow and conventional attribute flow to this thread...
Conceptual information about Declarative Provisioning
//Henrik
Henrik Nilsson
Blog: http://www.idmcrisis.com
Company: Cortego (http://www.cortego.se)
October 28th, 2009 12:48pm

Henrik,
you are a god, that is exactly why I am confused now. I believe that they are used together somehow: MA sync rules define regular attribute flow, Sync Rules define extra attribute flow and provisioning. But what if I define a flow in the MA that conflicts with the sync rules, how are they related? That will be very important to know.
Thanks a lot for your support 1000000 times.
Regards, Mahmoud Magdy
October 28th, 2009 12:58pm

Hi Henrik,
Reading:
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/2c4f5c39-de0b-4fed-9cdd-057d0394085b
http://blogs.dirteam.com/blogs/jorge/archive/2009/08/05/fim-fim-attribute-flow-precedence-viewer.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2009/07/31/provisioning-in-fim-2010-rc0-previously-a-k-a-ilm-2.aspx
Looks like things are clear now. Looks like the sync rule has the logic to provision to the appstore and do custom attribute flow that required coding in the past, and also has the power to provision to MV and other CS. Using the att. flow documenter I will have a clear view of how the att. flows, but two comments:
- Can someone confirm that I understood correctly.
- How can I change the precedence between MA att. flow and FIM Sync rules.
Regards, Mahmoud Magdy
October 28th, 2009 2:20pm

This topic is archived. No further replies will be accepted.
