Configuring Attribute precedence when multiple MAs are present.

Hi,

In our environment, we have multiple MAs configured. 

1. FlatFile MA (source)

2. FIM MA

3. ADDS MA (target)

4. Google Apps MA (target)

The flow is that we provision users from Flat file to FIM and from FIM to AD and Google. We are using MV extension code for ADDS MA and Google MA for provisioning users from FIM to AD and Google. In turn, we are flowing objectSID and domain back to FIM from AD. For that we have built an Inbound sync rule for AD. When I do a Full sync of ADDS MA, the objectSID and domain are not getting to the metaverse and are not exporting to FIM MA. I examined the attribute precedence. The precedence is as follows.

1. ADDS MA

2. FIM MA

3. Google MA

Is an Inbound sync rule needed to flow objectSID and domain back to FIM, in which the user is already present? If not, how should the attribute precedence be? If Outbound and Inbound sync rules are present, which rule will be called first?

Thanks

Prasanthi.

April 8th, 2015 5:25am

Have you imported this sync rule from FIM MA to metaverse? Do you see in Precedence that this attribute is imported using sync rule?
April 8th, 2015 5:42am

Hi,

Ya, I have imported the inbound sync rule to the metaverse. When I see the preview of that user, an outbound sync rule is getting applied (we have one outbound sync rule for Google MA (precedence 2) and one inbound sync rule for ADDS MA (precedence 1)).

Thanks 

Prasanthi

April 8th, 2015 5:46am

You need to have objectSID and domain defined as Export Attribute Flows (EAF) on the FIM Management Agent (FIMMA).

These flows are defined as Classic flows on the Agent Properties (tab Configure Attribute Flow) in the FIM Sync Client (miisclient).


April 8th, 2015 6:01am

Hi,

My attribute flows are as follows.

For FIM MA:

Data Source        Metaverse
accountName   -->  accountName
firstName     -->  firstName
lastname      -->  lastname
ObjectSID     <--  ObjectSID
domain        <--  domain

For ADDS MA:

Data Source        Metaverse
samAccountName <-- accountName
givenName      <-- firstName
sn             <-- lastname
ObjectSID      --> ObjectSID
"domainvalue"  --> domain

First, I provisioned userA from FIM to AD. It was successfully created in AD (I used MV extension provisioning to sync users from FIM to AD).

Now, I am trying to flow objectSID and domain values for userA from AD to FIM. For that I created one inbound sync rule and projected that inbound rule to the metaverse. Then I am doing a full import and full sync on ADDS MA. On full sync, it is not showing any export flows to FIM MA. I also checked the properties of the user in the metaverse. The objectSID and domain attributes are not showing. The Connectors tab shows two connectors, "FIM MA" and "ADDSMA". I opened the properties of the ADDS connector, in which ObjectSID is present, and it is throwing a synchronization error (provision rule failed). On opening the stack trace, the error is due to an Outbound Sync Rule of Google MA (this rule is configured for syncing users from FIM to Google).

My point here is, when I am doing a full sync of ADDS MA, why is it giving a provision error for that outbound sync rule? Is there any order for executing sync rules (Inbound/Outbound)? Or is it due to attribute precedence?

If the user is already present in FIM and in the metaverse, is the inbound sync rule for ADDS MA needed just for flowing the ObjectSID and domain?

Thanks

Prasanthi

April 8th, 2015 6:21am

Ok. So the problem is with this error. FIM calculates flows as a transaction - if any error occurs during calculation, it is rolled back and there are no pending exports.

So you have to correct the issue to have those flows ready.

Or switch off synchronization rules provisioning and verify that flows are going to be exported (but this is a short-term solution as you disable synch rules).

April 8th, 2015 6:53am
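
The transactional behaviour described in the reply above, as a simplified Python model added here for illustration; it is not FIM code or code from the thread. The function names, the data model and the sample values are assumptions; the agent and attribute names are taken from the flows posted earlier.

```python
import copy

class ProvisioningError(Exception):
    """Constructed stand-in for a provisioning rule that throws."""

# Import flows per MA: connector attribute -> metaverse attribute (from the thread).
IMPORT_FLOWS = {"ADDS MA": {"objectSID": "objectSID", "domain": "domain"}}
# Export attribute flows per MA: metaverse attribute -> connector attribute.
EXPORT_FLOWS = {"FIM MA": {"objectSID": "ObjectSID", "domain": "domain"}}

def sync_object(mv_entry, source_ma, cs_attrs, provisioning_rules):
    """Synchronize one connector-space object as a single transaction.

    Returns (metaverse_entry, pending_exports, error). On an error the
    original metaverse entry comes back untouched and nothing is staged.
    """
    working = copy.deepcopy(mv_entry)  # changes stay here until commit
    try:
        # 1. Inbound attribute flow from the MA being synchronized.
        for cs_attr, mv_attr in IMPORT_FLOWS.get(source_ma, {}).items():
            if cs_attr in cs_attrs:
                working[mv_attr] = cs_attrs[cs_attr]
        # 2. Provisioning: every rule runs, including other MAs' rules,
        #    which is why a Google MA rule can fail an ADDS MA sync.
        for rule in provisioning_rules:
            rule(working)
        # 3. Stage exports of changed attributes to the other connectors.
        pending = {}
        for ma, flows in EXPORT_FLOWS.items():
            changed = {cs: working[mv] for mv, cs in flows.items()
                       if mv in working and working[mv] != mv_entry.get(mv)}
            if ma != source_ma and changed:
                pending[ma] = changed
        return working, pending, None  # commit
    except ProvisioningError as exc:
        return mv_entry, {}, str(exc)  # rollback: no flows, no exports

def google_outbound_rule(mv_entry):
    """Hypothetical failing rule, mirroring the error in the stack trace."""
    raise ProvisioningError("provision rule failed (Google MA outbound rule)")

def run_demo():
    mv = {"accountName": "userA"}
    cs = {"objectSID": "S-1-5-21-CONSTRUCTED", "domain": "EXAMPLE"}  # constructed
    failed = sync_object(mv, "ADDS MA", cs, [google_outbound_rule])
    fixed = sync_object(mv, "ADDS MA", cs, [])  # failing rule corrected/removed
    return failed, fixed

if __name__ == "__main__":
    for label, result in zip(("with failing rule", "after fix"), run_demo()):
        print(label, "->", result)
```
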

Thank you for the reply,

By "switch off sync rules", do you mean I should remove the sync rule from the metaverse? I have disabled it on the FIM portal, but that sync rule still exists in the metaverse. Should I delete it in the metaverse as well?

For the time being, I have deleted the connector space of FIM MA and re-imported all the users from FIM to the metaverse. And I did not import that sync rule. Now I am able to flow the objectSID and domain value. But I think deleting connector space is not the correct issue.

Could you please suggest? And I have one more doubt which I asked previously. If the user is already present in FIM and in the metaverse, is the inbound sync rule for ADDS MA needed just for flowing the ObjectSID and domain?

April 8th, 2015 7:06am

You need to have objectSID and domain defined as Export Attribute Flows (EAF) on the FIM Management Agent (FIMMA).

These flows are defined as Classic flows on the Agent Properties (tab Configure Attribute Flow) in the FIM Sync Client (miisclient).


April 8th, 2015 9:59am

This topic is archived. No further replies will be accepted.
