Set manager attribute in Active Directory using FIM RC1
Hi
I am trying to set the manager attribute of a user account.
In my example the user account itself has the sAMAccountName of its manager stored in a string-formatted attribute, let's say "adManagerAccount", in the metaverse.
Now I try to flow the attribute out to AD using a custom expression:
Source: /Person[accountName=adManagerAccount]
Destination: manager
If a given object has "TomTaler" as accountName and the object in question has "TomTaler" in its adManagerAccount value in the metaverse, then in my understanding /Person[accountName] should result in a reference to the object with the value of "TomTaler" as accountName.
I also tried to hard-code the name into the source statement without success:
Source: /Person[accountName='tomTaler']
How should the source look so that it can be used as a reference value?
BTW: Henrik Nilsson told me not to use a string value; instead I should use a DN:
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/6c5f1d1f-245f-4f84-9ddc-9261141570ea
To be more specific: the question is how to query to get the DN as a result whenever I only know the value of one unique attribute?
In the meantime I also imported the manager's DN into the metaverse in the attribute named "adDN" and tried:
EscapeDNComponent(/Person[accountName='TomTaler']/adDN)
Same error.
Any help is appreciated.
Henry
Answers
- Hi Henry,
Sorry I didn't explain it better to you last time (in the ILM Forum)!
If I understood everything right you wish to force a value for manager onto users using a sync rule!?
Since Manager is a reference attribute you should set the objectId value (FIM specific) of the manager's person object to the manager attribute when you do this from within FIM. During sync this value will be transformed into the DN of the manager (anchor attribute in AD MA) automatically.
Edit: Aha... Now I get it. You can't use a custom expression to perform an XPath filter search; custom expressions are really simple functions without any connection to the database (they could be executed both from workflow using the function activity and from within the FIM sync service where the flow rules are actually executed). You could look up the objectID of a person you wish to set as manager in the portal and hard-code it into the sync rule, and you'll see it will work. If you wish to do this dynamically depending on, for example, an attribute value, you'll have to use workflow.
A good idea is to use the Enumerate Resources Activity (takes XPath as an argument) to find the person you wish to use as manager; then you could store the value of the manager person's objectID as a workflow parameter for use in the sync rule, or set the manager attribute directly on the person resource from within the workflow using the Update Resource Activity. Unfortunately neither of these activities can be used from the FIM workflow designer, so you'll have to create the workflow in Visual Studio and import it as xoml.
//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
- Edited by Henrik Nilsson Monday, November 02, 2009 2:15 PM
- Marked As Answer by Markus Vilcinskas MSFT, Moderator Saturday, November 07, 2009 5:57 PM
- Hi Henry,
I'd suggest going back to basics and resolving this at the MA you used to contribute "adManagerAccount" in the first place, using Henrik's suggestion of making this a reference DN type there. ILM/FIM will manage references for you automatically as long as they are valid in the source and the attribute flow is DN -> DN. For example:
empid: 1
name: manager
empid: 2
name: employee
manager: 1
Using this oversimplified set of records where empid is the anchor, you would tell the MA that the manager attribute is a reference DN and ILM/FIM will handle it automatically allowing you to flow cs:manager -> mv:manager and through the portal etc...
Now, if your data set looks like this it won't work:
empid: 1
name: manager
empid: 2
name: employee
manager: manager
In this example, the manager attribute in the source is a string and isn't storing the empid of the manager, so ILM/FIM won't allow you to define this attribute as a reference DN in the first place.
Hope that helps,
Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
- Marked As Answer by Markus Vilcinskas MSFT, Moderator Saturday, November 07, 2009 5:57 PM
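The following is an added example, not code from the thread or from FIM itself, illustrating the data-normalisation step Brad describes: turning the second record shape (manager stored as a name string) into the first (manager stored as the anchor empid) before it reaches the MA, so the attribute can be declared as a reference DN. The records are constructed for illustration; the function names are mine. It also handles the two cases that make a reference invalid in the source: a manager name that matches nobody, and a name shared by more than one person, which must never be resolved by guessing.

```python
"""
Added example (not from the thread): resolve string-typed manager values to the
manager's anchor (empid) at the source, before the MA imports the data.
The records below are constructed for illustration.
"""

# Constructed source records in the "won't work" shape from the thread:
# manager holds the manager's name, not the manager's empid.
SOURCE_RECORDS = [
    {"empid": "1", "name": "manager",    "manager": ""},
    {"empid": "2", "name": "employee",   "manager": "manager"},
    {"empid": "3", "name": "contractor", "manager": "nobody"},   # dangling: no such person
    {"empid": "4", "name": "alex",       "manager": ""},
    {"empid": "5", "name": "alex",       "manager": ""},         # duplicate name
    {"empid": "6", "name": "intern",     "manager": "alex"},     # ambiguous reference
]


def build_name_index(records):
    """Map each name to the empid that owns it. Names shared by more than one
    record are removed from the index and returned separately, so an ambiguous
    reference can never silently resolve to the wrong person."""
    index = {}
    duplicates = set()
    for rec in records:
        name = rec["name"]
        if name in index:
            duplicates.add(name)
        index[name] = rec["empid"]
    for name in duplicates:
        del index[name]
    return index, duplicates


def resolve_manager_references(records):
    """Return (resolved, unresolved).

    resolved   - copies of the records with manager holding the manager's empid
                 (the anchor), i.e. the first record shape from the thread;
                 empty, dangling, ambiguous and self-referencing values become None.
    unresolved - list of (empid, original manager string) for records whose
                 reference could not be resolved to exactly one other person.
    """
    index, _ = build_name_index(records)
    resolved = []
    unresolved = []
    for rec in records:
        out = dict(rec)
        ref = rec["manager"]
        if not ref:
            out["manager"] = None                 # no manager: legitimate empty reference
        elif ref in index and index[ref] != rec["empid"]:
            out["manager"] = index[ref]           # exactly one match, not self
        else:
            out["manager"] = None                 # dangling, ambiguous or self-reference
            unresolved.append((rec["empid"], ref))
        resolved.append(out)
    return resolved, unresolved


def manager_dn(resolved_record, records, base="OU=People,DC=example,DC=com"):
    """Illustrate what the sync engine does with a valid reference: build the
    manager's DN from the resolved anchor. The DN layout is an assumption for
    this example, not FIM's own behaviour."""
    anchor = resolved_record["manager"]
    if anchor is None:
        return None
    manager = next(r for r in records if r["empid"] == anchor)
    return "CN=%s,%s" % (manager["name"], base)


if __name__ == "__main__":
    resolved, unresolved = resolve_manager_references(SOURCE_RECORDS)
    for rec in resolved:
        print(rec["empid"], rec["name"], "->", manager_dn(rec, SOURCE_RECORDS))
    print("unresolved:", unresolved)
```

Records listed in unresolved are the ones Brad's "valid in the source" condition would reject; fixing them at the source (unique names or, better, an explicit empid) is what lets the MA flow cs:manager -> mv:manager as a reference without any custom expression.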