Check For How Many CSEntry Objects Before Import

  • Question

  • All,

    My implementation is almost 100% automated.  I have several SQL Server management agents (some authoritative, some not).  I've coded "sanity" checks for the authoritative sources into the identity management system being replaced to abort if too many objects change at once.  This keeps me from turning off or deleting thousands of accounts at one time.

    Is there a way to check to see how many objects are going to be changed during an import, before the import starts?  Or maybe, check it as the import runs and abort the entire import? I don't see anything obvious in the FIM classes that would make this possible.

    Can this information be obtained before a sync runs?

    I'm also open to other ideas and thoughts.


    Greg Wilkerson

    Monday, March 17, 2014 3:48 PM

All replies

  • The only way I could see to obtain import information before a sync runs is creating an ECMA2. 

    You can limit the deletions processed by modifying your run profiles. 

    I think this comes down to why you need this functionality and why you don't trust your "sources of truth". Are they likely to have wild changes or are you doing this as a failsafe? 

    Tuesday, March 18, 2014 12:10 AM
  • Hi Cameron,

    I did see the deletions process option in the SQL Server management agent after I posted this.  I'm going to test that and see what happens.  An ECMA2 agent would work for this particular agent, as I don't need the delta and import/sync.  For the agents where I have too many entries, I have to have the delta import/sync and attribute level changes.

    I'm mulling over some type of scenario where the cs objects are not projected/disconnected/deleted at all, but staged in a database that another agent reads from.  Then, I can check volumes in that staging table to see if it's ok to proceed.  I REALLY don't like that, though.  And, I'm not even sure I can make that work.

    And, this is a failsafe or sanity check.

    As for trusting my "sources of truth", I have complete confidence in all those systems.  It's the human beings on the other end I have to worry about.  A real world example is a case where the registrar at one of my clients, a large school system, created a new school year in their student system and accidentally activated it.  That would have turned off 13,000 student accounts (the new year had no registered students).  Because our systems control everything related to resources, that means home folders, physical access, everything that lives in AD, etc., would have been wiped out.  I can't have that happen.

    Whatever the solution, this should be fun to figure out.


    Tuesday, March 18, 2014 2:25 AM
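
The staging-table volume check discussed in the last reply, sketched as an added example (not code from the thread and not a FIM API). An in-memory SQLite database stands in for the SQL Server staging database; the table names `current` and `staged`, the `id` and `active` columns, and the 5% / 25-object thresholds are all assumptions.

```python
import sqlite3

# Assumed schema (hypothetical): `current` = last accepted snapshot,
# `staged` = rows just pulled from the authoritative source.

def change_volume(conn):
    """Count adds, deletes and updates between `current` and `staged`."""
    q = conn.execute
    adds = q("SELECT COUNT(*) FROM staged s LEFT JOIN current c ON c.id = s.id "
             "WHERE c.id IS NULL").fetchone()[0]
    deletes = q("SELECT COUNT(*) FROM current c LEFT JOIN staged s ON s.id = c.id "
                "WHERE s.id IS NULL").fetchone()[0]
    updates = q("SELECT COUNT(*) FROM current c JOIN staged s ON s.id = c.id "
                "WHERE c.active <> s.active").fetchone()[0]
    total = q("SELECT COUNT(*) FROM current").fetchone()[0]
    return {"adds": adds, "deletes": deletes, "updates": updates, "total": total}

def safe_to_proceed(conn, max_fraction=0.05, min_floor=25):
    """Return (ok, counts). Destructive changes (deletes plus deactivations)
    above max(min_floor, max_fraction * total) block the run."""
    counts = change_volume(conn)
    deactivations = conn.execute(
        "SELECT COUNT(*) FROM current c JOIN staged s ON s.id = c.id "
        "WHERE c.active = 1 AND s.active = 0").fetchone()[0]
    destructive = counts["deletes"] + deactivations
    limit = max(min_floor, int(counts["total"] * max_fraction))
    counts.update(destructive=destructive, limit=limit)
    return destructive <= limit, counts

def build_demo(staged_rows):
    """Constructed sample data: 13,000 active students in the accepted snapshot."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE current (id INTEGER PRIMARY KEY, active INTEGER)")
    conn.execute("CREATE TABLE staged  (id INTEGER PRIMARY KEY, active INTEGER)")
    conn.executemany("INSERT INTO current VALUES (?, 1)", [(i,) for i in range(13000)])
    conn.executemany("INSERT INTO staged VALUES (?, ?)", staged_rows)
    return conn

if __name__ == "__main__":
    # Normal day: 40 students withdrawn, 10 new ones enrolled.
    normal = [(i, 0 if i < 40 else 1) for i in range(13010)]
    print(safe_to_proceed(build_demo(normal)))
    # Empty new school year activated by mistake: the source returns no students.
    print(safe_to_proceed(build_demo([])))
```

The guard counts only destructive changes against the threshold, so a large batch of new enrollments does not block the run while a mass delete or deactivation does.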