Manage User Group MemberShip

  • Question

  • Hi,

    Please guide me about the outbound synchronization rule for joining users to groups.

    I import AD users and groups by inbound synchronization rule, and all groups in FIM are criteria-based.

    I create a set and use it in the condition of group membership of my groups.

    Now I want users that are members of this set to become members of this group, and these changes to be applied to Active Directory by the outbound synchronization rule.

    In fact, I want to manage group membership by using sets and outbound rules.

    Sunday, July 10, 2016 12:44 PM

Answers

  • Mohammed,

    To make your life easier, delete this outbound sync rule, create a new one, and choose the below option for the "Apply Rule" setting. Don't specify a scoping filter if you want to apply it to all groups.

    Let me know if this works for you.


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    Tuesday, July 12, 2016 1:06 PM

All replies

  • This article explains well how to synchronize groups from FIM to AD using outbound sync rules: https://blogs.msdn.microsoft.com/connector_space/2015/02/07/understanding-group-management-outbound-group-synchronization/


    Sunday, July 10, 2016 8:59 PM
  • Thank you, but my outbound sync rule is not applied.

    When I check the synchronization preview, the attribute flow is not applied to the member.

    Monday, July 11, 2016 10:05 AM
  • Can you show me a snapshot?

    And do you have a scoping filter set on your outbound synchronization rules? If yes, then make sure your groups match the criteria.

    Also, in the Sync console, look at the attribute flow precedence of the member attribute. Does FIM MA have higher precedence than AD?



    Monday, July 11, 2016 12:39 PM
  • Is the member attribute synced to the metaverse? Can you see that the members are updated in MV from FIM MA?


    Monday, July 11, 2016 12:40 PM
  • Yes, it is synced.

    I import AD groups to FIM with members, and these groups are criteria-based. I create a set for testing and use it as the criteria in a group, so each user that is a member of the set becomes a member of the group.

    But in outbound synchronization, the status of the sync rule is not applied.

    My outbound sync rule:

    Relationship: account name == sAMAccount name

    Attribute flow: member == member

    Precedence of FIM MA and ADMA for the member attribute is equal.

    But it doesn't work.

    Monday, July 11, 2016 3:01 PM
  • Mohammed,

    I just want to make sure you don't have a scoping filter set in this outbound sync rule? Also, using the preview tool can be tricky. Can you perform a full sync on the object and confirm there is no pending export on AD?

    I also suggest you delete the outbound sync rule and recreate it. Don't ask why, but this has worked its magic many times.

    Did you import and sync your outbound sync rule from FIM to MV?

    If you look at the MV attributes for the group, does the member attribute show FIM MA as the contributing MA?



    Monday, July 11, 2016 3:54 PM
  • Taher, thank you for the reply.

    I will explain my scenario.

    I import AD users and groups to the FIM DB. I want to manage group membership automatically.

    All groups that are imported into the FIM DB are criteria-based groups.

    So I will explain with an example.

    In AD, there is a group named "Gmembership Test" that is imported to the FIM DB.

    In FIM, I create a set named "Group MIM" and use it in the membership criteria of the "Gmembership Test" group as below: Resource ID in "Group MIM".

    Every user that has a specific company and job title attribute becomes a member of the "Group MIM" set and so becomes a member of "Gmembership Test".

    In my inbound sync rule, the member attribute of groups is populated.

    I create an outbound sync rule as below:

    Relationship: account name == sAMAccount name

    Attribute flow: member == member

    Precedence of FIM MA and ADMA for the member attribute is equal.

    The AD management agent and the outbound sync rule have no scope filter.

    I insert the FIM MA flow attribute and outbound sync rule snapshot.

     

    So after that, I create a workflow with the add the target resource to synchronization rule activity, and then I create a Transition Set MPR that uses the "Group MIM" set and the workflow.

    In AD, a user named "MIMTest" exists whose company and job title attributes match the set, and when I view the members of the "Gmembership Test" group, I see "MIMtest" as a member of this group. But when I run the management agents' run profiles, outbound sync doesn't apply and the "MIMTest" user doesn't become a member of the "Gmembership Test" group in AD.

    I change the company and job title attribute values in the set and on the "MIM Test" user in AD and use another new value.

    For example:

    New Company Attribute value: B

    New Job Title Attribute value: B

    When I run the management agent profiles, an ERL is created and is pending for the synchronization rule.

    In the next full sync profile, the ERL is deleted and nothing happens again, and the "MIM Test" user doesn't become a member of the "GMemeber Test" group.


    Tuesday, July 12, 2016 4:04 AM
  • Mohammed,

    To make your life easier, delete this outbound sync rule, create a new one, and choose the below option for the "Apply Rule" setting. Don't specify a scoping filter if you want to apply it to all groups.

    Let me know if this works for you.



    Tuesday, July 12, 2016 1:06 PM
  • Thank you, Taher.

    My problem is solved, but why must I change the apply rule?

    Another thing: with the changed apply rule, I cannot choose this sync rule in a workflow, and technically neither an MPR nor a workflow is needed. Am I right?

    Wednesday, July 13, 2016 10:20 AM
  • Using a scoping filter is simpler to do and you won't have to deal with EREs.

    You're right, you don't need MPR or workflow for this approach.



    Wednesday, July 13, 2016 1:13 PM