Friday, March 08, 2013 6:49 PM
I touched on this subject in previous posts, but now understand what the customer would like to see.
Ideally, when an admin creates a new user within FIM, the user is provisioned into AD DOMAIN_A. DOMAIN_A is considered the authoritative source for the env.
If a power user is onboarded, the user will be provisioned into AD DOMAIN_A and AD DOMAIN_B and a SQL store.
Is this primarily what Sets are for, to manage which type of user gets what set of rules applied, hence where they are provisioned? Any other suggestions on how to approach this?
- Edited by Osho27 Friday, March 08, 2013 6:49 PM
Friday, March 08, 2013 8:11 PM
Well - this is provisioning in general. You have to make a decision where to provision your users. How you do this is another question. If you are using Synchronization rules, you have to create rules for each target and decide when to assign a resource to a rule or remove a resource from the scope of the rule. In most cases you will use some MPRs based on request or set transition (and here sets come into the equation as a way to trigger a rule to assign a resource to a provisioning target).
If you are using a classic provisioning rule extension, you are making these decisions in code. This might be based on attributes which are the result of a workflow being triggered, etc. So it all depends on your design ;) ... and this is what design is for :).
Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl
- Marked As Answer by Osho27 Tuesday, March 12, 2013 2:59 PM