Syncing users two-way with AD to FIM & Attribute Flow Rules

Hi Everyone,

I'm making my way through this FIM stuff. I somehow made it around my last issue and to be honest I have no idea what caused it.

Right now I'm trying to build what will be our production syncing logic. Right now I have two MAs: the FIM Service MA and AD DS. I'm trying to set it up so I can provision users in FIM into a particular OU and also have FIM sync my existing user accounts over to the FIM Portal (for password reset). I'm running into an issue where, if I configure both import and export attribute flows on the FIM Service MA, objects are then exported to the Service database without any AD attributes. If I remove the import flow mappings, AD data is then published to the FIM Service data without a problem.

There must be a simple reason for what is going on. Any ideas?

July 15th, 2010 8:59pm

Did you configure import and export flows on the AD sync rules in the FIM portal?

Do you see the attributes present in the FIM Sync MV?
Did you check the attribute flow precedence in the FIM Sync MV?

HTH,

July 16th, 2010 9:04am

This is by design.
As Peter has indicated, you need to take a look at your attribute flow precedence configuration.
You can either configure your environment to use manual flow precedence - which is not a good idea if you need one source to be authoritative - or initialize your environment in phases.

In case of a phased approach, you would first bring all AD objects into FIM and configure an outbound synchronization rule to AD when you are done bringing existing AD objects into FIM.
More details about attribute flow precedence are here.

Cheers,
Markus

July 16th, 2010 10:29am

Thanks, guys, for responding. I was at work late last night trying to figure this out.

1. I have configured an inbound and outbound sync rule in the FIM portal. 

2. I have checked the attribute flow precedence on the sync service. It seems to have the same effect regardless of whether I specify the FIM Sync MA or the AD MA first.

3. I'm not at my computer right now but I will say I do remember that the attributes ARE in the MV, they just will not sync to the FIM MV Connector space.

That's just the outbound sync from the portal, but I also am having a problem with the inbound sync for AD DS to the MV. For some reason, if I try to sync the "displayName" attribute the sync will fail, giving me a "sync provisioning" error. If I remove the displayName attribute from the import flow rules on the MA and in the sync rule, the user will sync over. One time I even got an exception-dll error.

Can I remove import mappings on the FIM MA and just use the declarative sync rule, or am I doing something wrong? I was going off of the "Two Authoritative Sources Guide".

I'm so close I can taste it; there has to be something minor I'm overlooking. I'll take a look at that attribute flow precedence doc. Is there a way I can post my MA and sync rule config so you guys can take a look?

July 16th, 2010 12:27pm

To post MA and sync rule config: see the FIM Script box and FIM Community Knowledge Box.

HTH,

July 16th, 2010 12:32pm

Okay, here are my sync rules and MA configuration. I totally figured out my "Display Name" problem. I smacked myself in the face when I thought about it. I had been using a comma in my display name, i.e. Russell, Brandon. And because I'm using it in my DN string as a variable, it's causing an error, 'cause you can't have a DN with a comma in the middle of it like that. "DOH" I'll just have to switch the variable, no biggie.

I'm still having the problem where I can't sync any user attributes when I have import sync rules on my MA. Perhaps it's precedence, but when I make the AD MA first precedence it doesn't change anything. I just have to be missing something. Does this config seem okay for a start?

Synchronization Rule Configuration

Name                       FENIX User Inbound Sync Rule
Connector                  {4CD914AA-4C22-4920-BFBD-955BF724EB08}
Pending                    No
Description
Created Time               14/07/2010
Precedence                 1
Flow Type                  Inbound and Outbound

Scope
Metaverse Object Type      person
Data Source                {7F6896F4-E481-43B9-B03C-6C55AE7CBFB2}
Data Source Object Type    user

Relationship
Create object in FIM                true
Create object in Connected System   true
Relationship termination            false

Relationship Criteria
ILM Attribute    Data Source Attribute
accountName      sAMAccountName

Inbound Attribute Flows
Destination    Source
displayName    displayName
firstName      givenName
domain         CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-4133570775-275769922-3532604739"),"FENIXVM","Unknown"))
objectSid      objectSid
accountName    sAMAccountName
lastName       sn

Initial Outbound Attribute Flows
Allow Nulls    Destination          Source
false          userAccountControl   Constant: 512
false          dn                   +("CN=",displayName,",OU=FIMObjects,DC=FENIX,DC=Local")
false          unicodePwd           Constant: p@ssw0rd

Persistent Outbound Attribute Flows
Allow Nulls    Destination      Source
false          sAMAccountName   accountName
false          company          company
false          displayName      displayName
false          employeeID       employeeID
false          givenName        firstName
false          sn               lastName
false          manager          manager

MA CONFIG:

FIM MA Attribute Flow Configuration

Metaverse object type: detectedRuleEntry
Flow Direction  Data Source Attribute            Metaverse Attribute              Type               Flow Nulls
Inbound         dn                               csObjectID                       Direct
Outbound        SynchronizationRuleID            synchronizationRuleID            Direct             no
                DisplayName                      displayName                      Direct             no
                Connector                        connector                        Direct             no
                ResourceParent                   resourceParent                   Direct             no
                dn                                                                sync-rule-mapping  no
                MVObjectID                       object-id                        Direct             no

Metaverse object type: expectedRuleEntry
Flow Direction  Data Source Attribute            Metaverse Attribute              Type               Flow Nulls
Inbound         CreatedTime                      createdTime                      Direct
                ExpectedRuleEntryAction          expectedRuleEntryAction          Direct
                SynchronizationRuleData          synchronizationRuleData          Direct
                SynchronizationRuleID            synchronizationRuleID            Direct
                DisplayName                      displayName                      Direct
Outbound        StatusError                      statusError                      Direct             no
                SynchronizationRuleStatus        status                           Direct             no

Metaverse object type: group
Flow Direction  Data Source Attribute            Metaverse Attribute              Type               Flow Nulls
Inbound         dn                               csObjectID                       Direct
                AccountName                      accountName                      Direct
                DisplayName                      displayName                      Direct
                Member                           member                           Direct
                ExpectedRulesList                expectedRulesList                Direct
                Scope                            scope                            Direct
                Type                             type                             Direct
                DisplayedOwner                   displayedOwner                   Direct
Outbound        dn                                                                sync-rule-mapping  no
                MVObjectID                       object-id                        Direct             no
                AccountName                      accountName                      Direct             no
                DisplayName                      displayName                      Direct             no
                Member                           member                           Direct             no
                Scope                            scope                            Direct             no
                Type                             type                             Direct             no
                DisplayedOwner                   displayedOwner                   Direct             no

Metaverse object type: person
Flow Direction  Data Source Attribute            Metaverse Attribute              Type               Flow Nulls
Inbound         sAMAccountNameAccountName        accountName                      sync-rule-mapping
                displayNameDisplayName           displayName                      sync-rule-mapping
                objectSidDomain                  domain                           sync-rule-mapping
                givenNameFirstName               firstName                        sync-rule-mapping
                snLastName                       lastName                         sync-rule-mapping
                objectSid                        objectSid                        sync-rule-mapping
                dn                               csObjectID                       Direct
                ExpectedRulesList                expectedRulesList                Direct
                Company                          company                          Direct
                Manager                          manager                          Direct
Outbound        dn                                                                sync-rule-mapping  no
                MVObjectID                       object-id                        Direct             no
                AccountName                      accountName                      Direct             no
                Company                          company                          Direct             no
                DisplayName                      displayName                      Direct             no
                Domain                           domain                           Direct             no
                EmployeeID                       employeeID                       Direct             no
                EmployeeType                     employeeType                     Direct             no
                FirstName                        firstName                        Direct             no
                LastName                         lastName                         Direct             no
                Manager                          manager                          Direct             no
                ObjectSID                        objectSid                        Direct             no

Metaverse object type: synchronizationRule
Flow Direction  Data Source Attribute            Metaverse Attribute              Type               Flow Nulls
Inbound         ConnectedObjectType              connectedObjectType              Direct
                ConnectedSystem                  connectedSystem                  Direct
                ConnectedSystemScope             connectedSystemScope             Direct
                CreateConnectedSystemObject      createConnectedSystemObject      Direct
                CreateILMObject                  createILMObject                  Direct
                Dependency                       dependency                       Direct
                DisconnectConnectedSystemObject  disconnectConnectedSystemObject  Direct
                DisplayName                      displayName                      Direct
                ExistenceTest                    existenceTest                    Direct
                FlowType                         flowType                         Direct
                ILMObjectType                    ilmObjectType                    Direct
                InitialFlow                      initialFlow                      Direct
                PersistentFlow                   persistentFlow                   Direct
                Precedence                       precedence                       Direct
                RelationshipCriteria             relationshipCriteria             Direct
                SynchronizationRuleParameters    synchronizationRuleParameters    Direct

 Thanks for the assistance guys!

July 16th, 2010 10:13pm
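The comma problem worked out in the post above, as an added example that is not part of the thread: the initial flow builds dn as +("CN=",displayName,",OU=FIMObjects,DC=FENIX,DC=Local"), so a displayName of "Russell, Brandon" yields a DN with an extra, malformed RDN. RFC 4514 requires a comma inside an RDN value to be escaped as "\,", and FIM's declarative sync rules provide EscapeDNComponent() for exactly this, so the expression could keep using displayName instead of switching to another attribute. The Python below is mine, not FIM's: it implements the RFC 4514 escaping rules and a minimal escape-aware DN splitter so the effect can be checked offline. The OU, domain and sample value are taken from the posted config; everything else is illustrative.

```python
# Added example (not from the thread or from FIM): RFC 4514 escaping of an RDN
# value, applied to the dn expression from the posted sync rule.
from typing import List

# Characters that must be backslash-escaped anywhere inside an RDN value
# (RFC 4514 section 2.4); '#' only at the start, space only at start or end.
_SPECIAL = set(',+"\\<>;')


def escape_dn_component(value: str) -> str:
    """Escape one attribute value so it is safe to embed in an RDN.
    Same rules as FIM's EscapeDNComponent() declarative-rule function."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")          # a leading '#' would read as a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing spaces are otherwise trimmed
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn: str) -> List[str]:
    """Split a DN string into its RDNs, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])    # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def build_dn(display_name: str, escape: bool = True) -> str:
    """Mimic the initial flow +("CN=",displayName,",OU=FIMObjects,DC=FENIX,DC=Local"),
    with or without the escaping the posted expression lacks."""
    rdn_value = escape_dn_component(display_name) if escape else display_name
    return "CN=" + rdn_value + ",OU=FIMObjects,DC=FENIX,DC=Local"


def rdn_count(dn: str) -> int:
    return len(split_dn(dn))


def dn_is_wellformed(dn: str) -> bool:
    """Every RDN must be 'type=value'; an unescaped comma leaves one without '='."""
    return all("=" in rdn for rdn in split_dn(dn))


if __name__ == "__main__":
    name = "Russell, Brandon"            # the value that broke the poster's flow
    for flag in (False, True):
        dn = build_dn(name, escape=flag)
        print(f"escape={flag!s:5} {dn}  -> {rdn_count(dn)} RDNs, well-formed={dn_is_wellformed(dn)}")
```

Escaping also closes a small injection surface: without it, whoever can write displayName in the source system can append RDNs to the DN that FIM provisions and so influence where the object is created.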

I'm just stuck. Anyone see anything funny with the config?

July 19th, 2010 2:37pm

Just wanted to write and update with what has happened. I took a look at the attribute precedence. I'm positive I put the AD MA with the highest precedence. That didn't seem to work, despite the document provided explaining the exact problem I was having. However, after turning on the "Use equal precedence" option the problem stopped.

Oddly, in this case this is exactly what I want. I want the last MA to write to the MV to change the value and allow it to pass to all connected MAs. I'd imagine if I had an HR system or something that was more authoritative I'd use that as the highest precedence, and then anything lower than that would simply drop off other attributes that it was not authoritative for.

So essentially the lesson learned here (I think) is that an MA that has higher precedence for an attribute will not accept a value from an MA that has a lower precedence value into its connector space (although that value will be stored in the MV).

July 19th, 2010 8:52pm
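A model of the precedence behaviour discussed in the post above, added here as an example and not taken from the thread or from FIM itself. In the Synchronization Service Manager, precedence is set per metaverse attribute (Metaverse Designer, select the object type, then the attribute, then Configure Attribute Flow Precedence), either as a ranked list of management agents or as "Use equal precedence". Under ranked precedence the metaverse keeps the value from the highest-ranked MA that actually contributes one, so a lower-ranked MA's import leaves the metaverse unchanged while the higher-ranked MA still contributes, and nothing new flows out to the other connector spaces; under equal precedence the most recent import wins. The Python below models those documented rules with the thread's two MA names and a constructed displayName change; it is a model, not the real sync engine.

```python
# Added example (not from the thread or from FIM): a model of how the FIM Sync
# metaverse resolves one attribute when several MAs flow it in, under ranked
# versus equal attribute flow precedence. MA names are the thread's.
from typing import Dict, List, Optional, Tuple

# One import of the attribute by one MA: (MA name, value flowed; None = no value)
Contribution = Tuple[str, Optional[str]]


def resolve_mv_value(contributions: List[Contribution],
                     ranked: Optional[List[str]]) -> Tuple[Optional[str], Optional[str]]:
    """Return (winning MA, metaverse value).

    contributions: imports in the order they happened, oldest first.
    ranked: precedence order, highest first; None models 'Use equal precedence'.
    """
    if ranked is None:
        # Equal precedence: the most recent MA to flow a non-null value wins.
        for ma, value in reversed(contributions):
            if value is not None:
                return ma, value
        return None, None
    # Ranked precedence: each MA's newest import replaces its earlier one, and the
    # highest-ranked MA that currently contributes a value wins. An MA that ranks
    # higher but flows nothing does not block the MAs below it.
    latest: Dict[str, Optional[str]] = {}
    for ma, value in contributions:
        latest[ma] = value
    for ma in ranked:
        if latest.get(ma) is not None:
            return ma, latest[ma]
    return None, None


def mv_history(contributions: List[Contribution],
               ranked: Optional[List[str]]) -> List[Optional[str]]:
    """Metaverse value after each successive import."""
    return [resolve_mv_value(contributions[:i + 1], ranked)[1]
            for i in range(len(contributions))]


def mv_changes(contributions: List[Contribution],
               ranked: Optional[List[str]]) -> List[bool]:
    """For each import, whether it changed the metaverse value. Only a changed
    metaverse value is pushed out to the other MAs' connector spaces, so a
    False here is an import that never reaches the other system."""
    changes, prev = [], None
    for value in mv_history(contributions, ranked):
        changes.append(value != prev)
        prev = value
    return changes


if __name__ == "__main__":
    # Constructed scenario: the portal wrote displayName first, then the AD MA
    # imported a different value for the same person.
    imports = [("FIM MA", "Brandon Russell"), ("AD MA", "Russell, Brandon")]
    for label, prec in (("FIM MA ranked first", ["FIM MA", "AD MA"]),
                        ("AD MA ranked first", ["AD MA", "FIM MA"]),
                        ("equal precedence", None)):
        print(f"{label:20} mv={mv_history(imports, prec)} exported={mv_changes(imports, prec)}")
```

With the FIM MA ranked first, the AD import is the one that never leaves the metaverse; with the AD MA ranked first or with equal precedence it does. The model also shows the case that is easy to overlook when troubleshooting: a higher-ranked MA that flows no value for the attribute does not suppress the lower-ranked one, so "which MA is ranked first" only matters when both actually contribute.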

Hi Peter,

Can you please guide me on how I can set attribute flow precedence in the FIM Sync MV so that it will be easy for me.

Regards,

Shakeel Shahid

August 10th, 2015 4:18am
