Recommended Run Profile

    Question

  • Hey guys,

    I was wondering if someone could please give me an example of how you would set up run profiles for the scenario below. Carol has a great post on the run profiles that can be found here http://www.wapshere.com/missmiis/run-profiles, but because of some issues with my rules not being applied as expected I am questioning how I have mine set up.

    The core of my FIM setup is an HR system (SQL) that synchronizes active employees to FIM and then provisions active employees to FIM. As employees are marked terminated in HR they will be disabled in AD. I will also have a custom SQL application where depending on user roles for the application the users will be added to certain AD groups.

    How would you set up your run profiles for?

    • AD MA
    • HR MA
    • SQL MA (custom app)
    • FIM MA

    Also, what would your schedule be? I know it depends on the business, but in your experience what do you find is typical?

    Thanks for your help,

    -PD

    Thursday, February 16, 2012 3:12 PM

Answers

  • Assuming you don't have Deltas for your SQL MA, I'd do something like this:

    HR - Delta Import; Delta Sync

    AD - Delta Import; Delta Sync

    SQL - Full Import; Delta Sync

    FIM - Export; Delta Import; Delta Sync

    AD - Export; Delta Import; Delta Sync

    SQL - Export; Delta Import; Delta Sync

    FIM - Export; Delta Import; Delta Sync

    A lot of this really depends on what join attributes are in place, where data is flowing to (e.g. is something from SQL going to AD or vice versa, etc.).


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com


    Thursday, February 16, 2012 10:25 PM
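The sequence in the answer above, as an added PowerShell example (not code from the thread or from the product): it drives the sync engine through its WMI interface and stops at the first step that does not return success, so an export is never run on top of a failed import. The management agent and run profile names are assumptions; replace them with the names shown in Synchronization Service Manager.

```powershell
# Added example, not from the original thread: run the accepted answer's
# run-profile sequence in order and halt on the first non-success result.
$ns = 'root\MicrosoftIdentityIntegrationServer'

# Each step names an MA and the run profiles to execute on it, in order.
# MA and profile names are assumptions; they must match what you created.
$sequence = @(
    @{ MA = 'HR MA';  Profiles = @('Delta Import', 'Delta Sync') },
    @{ MA = 'AD MA';  Profiles = @('Delta Import', 'Delta Sync') },
    @{ MA = 'SQL MA'; Profiles = @('Full Import', 'Delta Sync') },   # no deltas on the custom SQL MA
    @{ MA = 'FIM MA'; Profiles = @('Export', 'Delta Import', 'Delta Sync') },
    @{ MA = 'AD MA';  Profiles = @('Export', 'Delta Import', 'Delta Sync') },
    @{ MA = 'SQL MA'; Profiles = @('Export', 'Delta Import', 'Delta Sync') },
    @{ MA = 'FIM MA'; Profiles = @('Export', 'Delta Import', 'Delta Sync') }
)

foreach ($step in $sequence) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$($step.MA)'"
    if (-not $ma) { throw "Management agent '$($step.MA)' not found" }

    foreach ($profile in $step.Profiles) {
        Write-Host ("{0:u}  {1,-7} {2}" -f (Get-Date), $step.MA, $profile)
        $result = $ma.Execute($profile).ReturnValue

        # Anything other than 'success' (for example 'completed-export-errors'
        # or 'stopped-connectivity') stops the cycle here, so later exports
        # are not built on a partial or stale import.
        if ($result -ne 'success') {
            throw "$($step.MA) / $profile returned '$result'; cycle stopped"
        }
    }
}
```

Schedule the script from Task Scheduler under the sync service account, with the task's own overlap setting preventing a second cycle from starting while one is still running.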

All replies

  • Phillip,

    What kind of issues are you having with rules not being applied? Do you mean you are doing a sync preview and get "Not Applied" as the status, or something else?

    I'd recommend reading Define FIM/ILM Run Profile Strategies: Part 1.

    My situation is analogous though we're still on ILM not FIM, so there isn't an analogy to the FIM MA.  I have a custom SQL MA that I use for group management (also lifting more than a page from Carol Wapshere's blog).  The sequence we use (leaving out other MAs unrelated to this discussion) is:

    HR MA DI-DS

    AD MA Ex/DI-DS

    SQL MA Export

    (stored procedures called to recalculate group memberships and deltas)

    SQL MA DI-DS

    AD MA Ex/DI-DS

    The reason for going to AD first is that the AD identities must be created and imported to the sync engine before they can be added to groups in AD.  The FIM portal shouldn't add an identity to a group if the AD account info (domain, SID, sAMAccountName) isn't present, and if your custom SQL MA is presenting group membership relationships that can't be translated to AD user/group relationships then you'll have problems on export at the very least.

    I run a delta cycle every 15 minutes to create new student and employee accounts throughout the day, and a few full imports and full syncs overnight to enforce some date logic that the FIM portal could do for us through temporal sets if/when we upgrade.

    Thursday, February 16, 2012 8:40 PM
  • Hi Chris,

    So my initial setup has an AD SR created from following the technet docs. This worked just fine to provision users that were brought in from my HR system. Since I didn’t want to provision the terminated users from the HR system I created a new Set (All Active Employees) that has a custom criteria for only users that are listed as active in the HR system. Next, I disabled the old AD MPR and created a new one and bound it to the flow and new set.

    The reason I’m asking about proper synchronization of run profiles is that users that are not in my All Active Employees set are still being provisioned in AD. I’m not sure what I’m doing wrong. I initially had a Full import and sync (the combo, not running separate) for my HRMA. Right after I ran that, I would show I could export the user objects to AD. Ever since I had issues with all my users active/inactive being exported to AD, I wondered if perhaps my run profiles were wrong. I tried running my HRMA running the full import separately and then running a full sync separately. When I tried running it this way, I couldn’t export users out to AD anymore. The export to my AD MA never showed the objects. They showed in the connector space, but they were never marked for export if that makes any sense. Anyhow, that’s why I’ve been wondering if my run profiles were even set up right because of my users to AD issue.

    I just still don’t really understand when to use the full syncs, imports or delta syncs, imports. When I read the text it all seems to make perfect sense. However, when I run it from FIM the behavior just doesn’t quite make sense to me yet.

    My environment currently consists of:

    ADMA – with an active directory inbound/outbound SR

    • Synchronizes users and groups
    • Provisions users to AD based on hrStatus flowing from the HRMA
      • 0 = active
      • 1 = inactive
      • 2 = terminated

    HRMA – with an inbound SR

    • Flows users
      • Created in the FIM portal
      • Created in AD
      • Flows hrStatus

    FIMMA

    Thanks for the help

    -PD

    Thursday, February 16, 2012 9:29 PM
  • I don't think this is a problem with your run profiles but rather your sync rules. A better guide for this kind of troubleshooting is here.

    Based on your description of events, it sounds like you added the AD SR to everyone with one MPR, then created another MPR that only adds the SR to all active people.  However, what seems to be missing is an MPR that removes the AD SR to those that had it added but no longer are in the All Active Employees set.

    Chris


    p.s.  I'm not sure the best way to "clean up" now that you're in that state.  Perhaps one of the other forum experts can help with that part.
    Thursday, February 16, 2012 10:03 PM
  • Hi Chris,

    Thanks for confirming it's not the run profiles. That's pretty much what I wanted to know. I've been told by others that I need the MPR that removes the AD SR. I actually did that, but I'm a little vague on the process.

    Would you happen to know:

    Do I create a new MPR that removes the AD SR and then leave it enabled?

    or

    Can I edit the existing MPR and edit it to remove objects from the AD SR. Let it run and then change it back?


    -PD

    Thursday, February 16, 2012 10:16 PM
  • Thanks for the responses guys. This forum has been such a huge help.

    It really helps to understand the run profiles a lot better after the examples you guys gave.


    -PD

    Saturday, February 18, 2012 6:27 PM