Friday, January 25, 2013 5:29 AM
We are in the process of deploying FIM. The main goal at this stage is to give SG or DG owners the ability to change membership by themselves. Provisioning, deprovisioning and other common tasks (including member changes for groups) will be done in AD via various scripts as usual. So on the FIM portal, if you are the owner of the group, you can add/remove members.
I set equal precedence for the member attribute and it flowed members into the portal -- I can see the members are the same as in AD. I set up an outbound sync rule to just flow member back to AD, but that doesn't work for some reason. AD doesn't show anything to export, but when I do an AD sync, it shows an export to FIM and finally updates the member again on the portal based on AD. In the preview, it shows the rule applied but the action is None. The MV changed after the FIM MA delta sync, but it looks like the outbound rule didn't sync the MV to AD.
I used a filter scope, so there is no need for a set and MPR, right? The scope is set like Type = Security. Then I just flow one attribute, member, to AD:
Should work, right? Someone said I should have Initial Flow Only, but I don't think so. Am I missing anything? I just let the owner change member, not anything else, but this simply doesn't work. I think I missed something here. Please help.
Friday, January 25, 2013 10:00 AM
Please check the attribute precedence. Most probably it will work if you set the attribute precedence.
Friday, January 25, 2013 11:16 AM
Can you please be specific? As I mentioned, I have set it in MV Designer --> Attribute Flow Precedence for the Group object. I have set the Member attribute to "use equal precedence". Some other attributes in the Group object have been set to give the AD attributes higher precedence, but Member is set to be equal. Is that what you suggested I check?
I have also tried using different precedence for Member. If I set AD to be higher, it will not flow member changes from the portal to AD. If I set FIM to take precedence, it will not flow AD members to FIM and makes it show no members in the portal.
I guess I am still missing something here. Please shed more light...
Friday, January 25, 2013 12:42 PM
To add more information:
If I search the CS in the FIM MA, click the group in question and do a full sync preview, I can see the following:
In the Import attribute flow, the mapping for the member attribute is applied, but the initial and final values both show the original unchanged value. ExpectedRuleList shows not applied. Is that normal?
In the Outbound Synchronization Rule, I can see my outbound sync rule listed and applied. The action shows None and the flow is applied like below. The initial value is still the original unchanged value and the final value is empty.
If I do a full sync now on the FIM MA and AD MA, it will show an export expected to the FIM MA and it will change the member back to the original unchanged value. It strikes me that the AD member attribute is still taking precedence despite the fact that I set it to use equal precedence.
In the FIM MA, I saw the default flows DetectedRuleList from MV to FIM and ExpectedRuleList from FIM to MV.
Anything else I should check?
Sunday, January 27, 2013 9:04 AM
You just need the member attribute to flow to AD in the Sync Rules. That's fine.
Plus you need to set Equal Precedence for the member attribute, as changes would have to be flowed IN and OUT.
Now as far as an MPR is concerned, I think you need to have one. It would be a Request MPR, and should be triggered whenever there is an Add or Remove to the multivalued attribute 'member'. Finally, the workflow for the Outbound Sync Rule for AD Groups will be triggered through that MPR.
Monday, January 28, 2013 4:40 AM
I was using a filter scope, so no workflow or MPR was needed. However, I did try a different approach by using a workflow to trigger that Outbound Sync Rule, and then I set the MPR to run the workflow when there is a request to modify the Member attribute. That does NOT work either. I can see the MV was updated after a delta sync or a full sync from the FIM MA, but it refused to update AD. It looks like there is some disconnect between AD and the MV.
In the full sync preview, I can see the Outbound Sync Rule is applied but the action is None. So even though the MV has the latest info, it doesn't flow out to AD. Please help me find what I missed here:
Monday, January 28, 2013 6:01 AM
Seems fine to me. The member seems to be changing; as you have grayed it out, I assume the initial value and the final value differ. What happens when you run an Export profile on your AD MA? In my experience it should update AD.
Use the 'Commit Preview' option instead of 'Generate Preview' and run the Export profile on the AD MA; that should do it.
Monday, January 28, 2013 2:43 PM
I guess I confused you. The final value is empty, so it is NOT changing at all -- I have attached another, better screen capture. And you can see the action is None as well. I tried to commit the change and also tried to run export multiple times; there is nothing exported to AD.
Is there any reason FIM cannot see the difference between the MV and AD objects? Precedence is already set to Equal. I even tried giving FIM higher precedence, but that still doesn't work -- nothing exported to AD. It looks like everything from AD all the way to FIM is always OK, but not the other way around.
Monday, January 28, 2013 6:17 PM
Ok. I think the member attribute is not being populated in the metaverse. Have you defined an attribute mapping for 'member' in the FIM MA? You will have to use both import and export flow under the group section of the attribute flow of the FIM MA; after doing that, run a full import and full sync on the FIM MA. That seems to be the only possible reason here, and also please use equal precedence for the member attribute.
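The thread turns on two things: what attribute precedence does to a value contributed by two MAs (the ranked-vs-equal observations in the third post), and what happens when the FIM MA has no import/export flow for member (the diagnosis in the last post). The following is an added, deliberately simplified model of those two mechanisms written for this thread; it is not FIM code and ignores sync rule scoping, deltas and null contributions. The MA names, member values and the `flows` set are constructed for the illustration.

```python
# Simplified model of FIM metaverse attribute precedence and attribute flow.
# Constructed illustration only; not FIM code. Member values are sets of DNs.

class Metaverse:
    def __init__(self, precedence, flows):
        # precedence: list of MA names, highest ranked first, or the string "equal"
        # flows: set of (ma, direction) pairs that are defined, e.g. ("AD MA", "export")
        self.precedence = precedence
        self.flows = flows
        self.member = frozenset()
        self.contributor = None        # MA that last wrote the MV value

    def import_member(self, ma, value):
        """Inbound flow from an MA's connector space. Returns True if the MV changed."""
        if (ma, "import") not in self.flows:
            return False               # no import flow defined: this MA never contributes
        if self.precedence != "equal" and self.contributor is not None:
            rank = self.precedence.index
            if rank(ma) > rank(self.contributor):
                return False           # a lower-ranked MA cannot overwrite the MV value
        value = frozenset(value)
        changed = value != self.member
        self.member, self.contributor = value, ma   # equal precedence: last import wins
        return changed

    def export_member(self, ma, current_cs_value):
        """Value staged for export to `ma`, or None when nothing would be exported."""
        if (ma, "export") not in self.flows:
            return None                # the thread's symptom: no export flow, nothing to export
        return None if self.member == frozenset(current_cs_value) else self.member


def portal_edit_round_trip(precedence, flows):
    """AD seeds the group, the owner edits it in the portal, then see what AD would receive."""
    mv = Metaverse(precedence, flows)
    mv.import_member("AD MA", {"alice", "bob"})       # initial import from AD
    mv.import_member("FIM MA", {"alice", "carol"})    # owner swaps bob for carol in the portal
    return mv.export_member("AD MA", {"alice", "bob"})


ALL_FLOWS = {("AD MA", "import"), ("AD MA", "export"),
             ("FIM MA", "import"), ("FIM MA", "export")}
```

Running `portal_edit_round_trip` with equal precedence and all four flows stages the edited membership for AD; ranking AD above FIM, or dropping the FIM MA import flow, leaves nothing to export, which matches the symptoms described above.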