Is it possible to BULK clear an attribute value in FIM

    Question

  • Hello Everybody,

         Due to a new company policy I must clear the jobtitle value in FIM for all users. I used ADModify.net to set Null for the attribute and this works in Active Directory for all users. So I set the AD management agent to have the highest precedence and performed a full import, followed by a full sync, and finally an export on the FIM management agent; however, it did not clear the value for all the FIM objects. I have tested changing one of the objects' value to "test" and doing the same and it does change in FIM, so I'm at a loss why it won't take the Null.

          I'm under a strict deadline and seem to be stuck so any advice would be greatly appreciated.

    Thursday, October 31, 2013 19:21

All replies

  • Hello,

    Did you set the "allow null" flag on the export attribute flows?

    I have also cleared attributes by creating a string attribute called NullSting in MV and never letting any value flow to it. Then I used this in attribute flows to the destination attribute so every object will get this value not even the objects with correct (null) values in the connected data sources.

    But for one-time operations I mostly use PowerShell to clear the attribute directly in FIM Portal and then let the values flow to the Data Sources.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Thursday, October 31, 2013 20:36
  • To add to Peter's post, you mentioned setting AD to highest precedence, which indicates to me that you still have other systems (FIM Service?) contributing to that attribute. 

    By design, if a higher-precedence system has a NULL value, the next system in the precedence list will provide its value.  So, in your case, if you have more than one system contributing, you won't be able to null out the value by switching precedence to AD with its NULL values.

    You would be better off to do as Peter suggested, creating a PowerShell script to reset/clear that value in the FIM Service.   You can find examples of using PowerShell with the FIM Service in the FIM How To Script TechNet posting.

    Cheers,

    Marc


    Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
    http://www.avaleris.com

    Friday, November 1, 2013 11:50
  • Hi Marc,

    By any chance do you have the script to clear an attribute for all users in FIM, because I am unable to find one?

    Friday, November 1, 2013 14:35
  • Hello,

    I've described something similar in my blog post. It's about clearing up membership from groups, but you can adapt this to your needs for person objects.

    http://justidm.wordpress.com/2013/10/14/correct-group-objects-with-waring-dynamic-group-has-static-member/

    Just use the Replace operation instead of Delete and define the AttributeName (jobtitle in your case) but do not set the AttributeValue (don't set it to an empty string; instead just omit the property).

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Friday, November 1, 2013 14:51
  • Hi Peter,

        I tried to modify your script and am having some issues. If you can please take a look at this and let me know what I'm doing wrong.

    When I try to run the script I receive an error as stated below

    PS C:\Windows\system32> $personlist = Export-FIMConfig -OnlyBaseResources -custom "/Person"
    Export-FIMConfig : Failure on making enumeration web service call.
    Filter = /Person
    Error= The web service client has encountered the following class of error: IdentityIsNotFound
    Details: Additional Text Details: The requestor's identity was not found.
    Correlation Identifier: 99e5de66-b204-4b53-954d-6009c223fe42
    Failure Message:
    Request Identifier:
    At line:1 char:31
    + $personlist = Export-FIMConfig <<<<  -OnlyBaseResources -custom "/Person"
        + CategoryInfo          : InvalidOperation: (:) [Export-FIMConfig], InvalidOperationException
        + FullyQualifiedErrorId : ExportConfig,Microsoft.ResourceManagement.Automation.ExportConfig

    add-pssnapin FIMAutomation
     
    $personlist = Export-FIMConfig -only -custom "/Person"
     
    If ($personlist -eq $null) { Write-Host "There are no people" ; exit }
     
    foreach ($person in $personlist)
    {
        $memberlist=($person.ResourceManagementObject.ResourceManagementAttributes).Values
     
        $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $importObject.ObjectType = "Person"
        $importObject.TargetObjectIdentifier = $person.ResourceManagementObject.ObjectIdentifier
        $importObject.SourceObjectIdentifier = $person.ResourceManagementObject.ObjectIdentifier
        $importObject.State = 1
     
        foreach ($member in $memberlist)
        {
            $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
            $importChange.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
            $importChange.AttributeName = "JobTitle"
            $importChange.AttributeValue = $member.Replace()
            $importChange.FullyResolved = 1
            $importChange.Locale = "Invariant"
            $importObject.Changes += $importChange
        }
     
        $importObject | Import-FIMConfig
    }


    Friday, November 1, 2013 19:00
  • Hello,

    As stated in the error:

    Details: Additional Text Details: The requestor's identity was not found.

    It seems the account you run PowerShell with is not in the FIM Portal.
    The account must have admin rights in the portal.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Friday, November 1, 2013 20:52
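
A worked form of the bulk clear discussed in this thread, added here as an example (it is not code from any poster or from Microsoft): it issues one Replace change per person with AttributeValue left unset, as Peter describes, and skips people whose JobTitle is already empty. The endpoint URI default and the -Commit switch are assumptions of this example, and the account running it must exist in the FIM Portal with admin rights.

```powershell
# Added example, not from the thread. Assumes the FIMAutomation snap-in is installed.
param(
    [string]$Uri = 'http://localhost:5725/ResourceManagementService',  # assumed endpoint
    [string]$AttributeName = 'JobTitle',
    [switch]$Commit   # hypothetical safety switch: without it nothing is written
)

Add-PSSnapin FIMAutomation -ErrorAction Stop

# This call fails with IdentityIsNotFound when the caller is not a FIM Portal user,
# so the script stops here before any change is attempted.
$people = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/Person' -ErrorAction Stop
if (-not $people) { Write-Host 'No Person objects returned.'; return }

$processed = 0
foreach ($person in $people) {
    $rmo = $person.ResourceManagementObject

    # Skip people whose attribute is already empty so no needless requests are created.
    $current = $rmo.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName -and $_.Value }
    if (-not $current) { continue }

    # One Replace change per person; AttributeValue is deliberately never assigned.
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation     = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
    $change.AttributeName = $AttributeName
    $change.FullyResolved = 1
    $change.Locale        = 'Invariant'

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = 'Person'
    $import.TargetObjectIdentifier = $rmo.ObjectIdentifier
    $import.SourceObjectIdentifier = $rmo.ObjectIdentifier
    $import.State                  = 1   # same state value the thread's script uses
    $import.Changes               += $change

    if ($Commit) {
        $import | Import-FIMConfig -Uri $Uri -ErrorAction Stop
    } else {
        Write-Host "Would clear $AttributeName on $($rmo.ObjectIdentifier)"
    }
    $processed++
}
Write-Host "$processed Person object(s) processed; commit = $($Commit.IsPresent)"
```

Run it without -Commit first to review which objects would change, then let the cleared values flow out to the connected data sources through the normal sync cycle.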