ERE & DRE still exist for a user, even though he left the Set

Hi,

When a user entered a Set, the relevant ERE and (later) DRE were generated (as expected).

Subsequently the Set criteria changed, and the user was removed from the Set.

Why then is the ERE & DRE still associated with the user in the FIM Portal?

Thank you,

SK

February 22nd, 2015 10:43pm

Hello,

Do you remove users from the scope of the sync rule when they leave the set with a workflow too?

-Peter 

February 23rd, 2015 3:07am

No, I don't.

Are you saying I need a transition-out MPR with a workflow calling the same Sync Rule set to "Remove"? Won't this delete the object from the target system (which is not what I want to do)?

February 23rd, 2015 1:28pm

Hi,

Yes, that's the MPR and workflow you need.

Object deletes from the target system depend on your settings of the sync rule, the MV deletion setting and the MA deprovision setting.

From the sync rule point of view it's safe when you disable this setting:

If you disable this setting, only the export flows will stop, but since there is no disconnect there will be no delete in MV or MA.

Also check this article on some more details: https://technet.microsoft.com/en-us/library/hh859718%28v=ws.10%29.aspx

-Peter

February 23rd, 2015 1:45pm

Thanks Peter, we have created a 'transition out' MPR, a 'remove' Sync Rule Workflows (Enable Deprovisioning unticked), refreshed the Set, and the ERE has now disappeared :)

However, the DRE still exists for that Sync Rule on that specific user...should it also have been deleted?

February 23rd, 2015 8:15pm

Hi,

This is because the Existence Test is configured in the outbound sync rule but logically evaluated at the end of an inbound sync.

So, since you have a connector to the data source attribute, the DRE is still evaluated:

See: https://technet.microsoft.com/en-us/library/ff608269%28v=ws.10%29.aspx

which states:

As a result, the actual existence test cannot be applied during the
outbound synchronization phase. For example, if your outbound
synchronization rule called Fabrikam Outbound Synchronization Rule that
you use to manage your Active Directory resources that have existence
test flow mappings configured, these flow mappings cannot be evaluated
when the outbound synchronization rule is applied to a resource.

In other words, while logically configured in an outbound
synchronization rule, existence test flow mappings belong technically to
an inbound operation. In our example, the actual existence test is
performed during the inbound synchronization phase of a synchronization
run on the related Active Directory management agent (MA).

-Peter

February 25th, 2015 10:50am

Just an addition:

Before you removed the users from the scope of the outbound sync rule, the attribute with the "existence test" flag was exported to the target system, and on imports the value of that attribute is checked and the DRE is created.

After removing the users from the scope of the sync rule, this outbound sync rule became an "operational outbound sync rule", so attributes are not exported any more, but the sync engine checks all OSRs related to a data source and evaluates only the "existence test" attribute flows to check the attribute value in the target system, which generates the DRE.

To get the DRE removed, you either need to disconnect the object from the DS, or the values in CS and MV must be different (so the existence test attribute DRE will be removed).

-Peter

March 2nd, 2015 6:59am
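
To see the state discussed in this thread (ERE gone after the transition-out workflow, DRE still present because the existence test still matches), the following read-only check lists, per Sync Rule, whether a given user still has an ERE and a DRE. It is an added example, not code from any poster in this thread; it assumes the FIMAutomation snap-in is installed, the FIM Service listens on its default local endpoint, and `jdoe` is a placeholder AccountName.

```powershell
# Added example: read-only audit of ERE/DRE objects that still reference one user.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$Uri     = 'http://localhost:5725/ResourceManagementService'  # assumed default endpoint
$Account = 'jdoe'                                             # hypothetical AccountName

function Get-FimAttr($Resource, [string]$Name) {
    # Return the value(s) of one attribute of an exported resource, or nothing if unset.
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if ($attr) { if ($attr.IsMultiValue) { $attr.Values } else { $attr.Value } }
}

function Get-FimResource([string]$XPath) {
    # Query the FIM Service; -OnlyBaseResources avoids pulling referenced objects.
    @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath)
}

function Get-RuleIds([string]$EntryType) {
    # Sync Rule references of all EREs or DREs whose ResourceParent is the user.
    $xpath = "/{0}[ResourceParent = /Person[AccountName = '{1}']]" -f $EntryType, $Account
    Get-FimResource $xpath | ForEach-Object { Get-FimAttr $_ 'SynchronizationRuleID' }
}

$ereRules = @(Get-RuleIds 'ExpectedRuleEntry')
$dreRules = @(Get-RuleIds 'DetectedRuleEntry')

@($ereRules + $dreRules) | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    $ref  = $_
    $guid = $ref -replace '^urn:uuid:', ''
    $sr   = Get-FimResource ("/SynchronizationRule[ObjectID = '{0}']" -f $guid) |
            Select-Object -First 1
    $name = $guid
    if ($sr) { $name = Get-FimAttr $sr 'DisplayName' }
    New-Object PSObject -Property @{
        SyncRule = $name
        HasERE   = ($ereRules -contains $ref)   # user is still in the rule's outbound scope
        HasDRE   = ($dreRules -contains $ref)   # existence test still matched on last inbound sync
    }
} | Format-Table SyncRule, HasERE, HasDRE -AutoSize
```

A row with HasERE False and HasDRE True is the situation described above: the user is out of scope for the rule, but the connected object still passes the existence test.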

Thank you Peter
March 12th, 2015 6:20pm
