Inbound Synchronization rule not applied

  • Question

  • Hi,

    I'm running FIM 2010 R2 in a testing environment to test the following situation: I want to join existing user accounts in AD with employee data from the HR system. Relationship criteria should be the AD attribute EmployeeNumber which corresponds to the EmployeeNumber in the HR system. Therefore I added the attribute EmployeeNumber in the schema of the metaverse and the portal.

    I configured an MA for SQL (HR System) and for AD and for the FIM portal. In the FIM portal I configured an inbound synchronization rule for SQL with the setting "Create Resource in FIM" enabled. That part works fine: the users are imported and synchronized to the metaverse and also synchronized to the portal, and the attribute EmployeeNumber is populated.

    I also configured an inbound synchronization rule for the AD MA. Here I configured "Create Resource in FIM" disabled, since I don't want accounts from users that don't exist in the HR database to be synchronized to FIM. I configured EmployeeNumber in the inbound attribute flow. I can see that the Synchronization rule is projected to the metaverse, but it isn't executed. When I search the connector space of the AD connector, I can see that all user accounts are imported to the connector space with the following attributes:

    displayName, name, objectSID, pwdLastSet, sAMAccountName and UserAccountControl. None of them are configured in the Synchronization Rule. The attributes configured in the Synchronization rule however are NOT synchronized, so I conclude that the Synchronization rule isn't executed at all.

    What am I doing wrong?

    Kind regards,

    Klaus

    Monday, February 22, 2016 12:49 PM

Answers

  • Hi all,

    Thanks for your support. I found the cause. It wasn't FIM; the problem was the way I staged the AD accounts in my test environment. I had added the accounts with a PowerShell script, but did not notice that the EmployeeNumber attribute wasn't populated at all, apparently because PowerShell interpreted it as an Integer and not a String. I populated the attributes again as Strings; now the Sync Rule is applied and the accounts are joined with the objects in the metaverse.

    Thanks again for your help.

    Regards,

    Klaus

    • Marked as answer by klaus.landes Tuesday, February 23, 2016 9:27 AM
    Tuesday, February 23, 2016 9:27 AM
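
A pre-sync check for the situation described in this answer, as an added example that is not part of the original thread: it reports AD accounts whose employeeNumber is empty, duplicated, absent from the HR data, or held as a non-string type. The function name `Test-JoinKey`, its parameters and the sample records are hypothetical.

```powershell
# Added example; Test-JoinKey, its parameters and the sample data are hypothetical.
function Test-JoinKey {
    param(
        [Parameter(Mandatory)] [object[]] $AdAccounts,  # need sAMAccountName, employeeNumber
        [Parameter(Mandatory)] [object[]] $HrRecords    # need EmployeeNumber
    )
    # Normalise keys to trimmed strings so 1003 (Int32) and '1003' compare equal.
    $hrKeys = @{}
    foreach ($r in $HrRecords) { $hrKeys[([string]$r.EmployeeNumber).Trim()] = $true }

    $seen = @{}
    foreach ($a in $AdAccounts) {
        $raw  = $a.employeeNumber
        $key  = ([string]$raw).Trim()               # [string]$null becomes ''
        $type = if ($null -eq $raw) { 'null' } else { $raw.GetType().Name }

        if ($key -eq '') { $status = 'Missing' }                        # nothing to join on
        elseif ($seen.ContainsKey($key)) { $status = 'Duplicate' }      # key used by an earlier account
        elseif (-not $hrKeys.ContainsKey($key)) { $status = 'NoHrMatch' }
        else { $status = 'Joinable' }
        if ($key -ne '') { $seen[$key] = $true }

        [pscustomobject]@{
            Account = $a.sAMAccountName
            Key     = $key
            RawType = $type      # anything other than String deserves a second look
            Status  = $status
        }
    }
}

# Constructed sample data. Against a lab directory, pass real objects instead, e.g.
#   Get-ADUser -Filter * -Properties employeeNumber
$hr = @(
    [pscustomobject]@{ EmployeeNumber = '1001' }
    [pscustomobject]@{ EmployeeNumber = '1002' }
    [pscustomobject]@{ EmployeeNumber = '1003' }
)
$ad = @(
    [pscustomobject]@{ sAMAccountName = 'asmith'; employeeNumber = '1001' }
    [pscustomobject]@{ sAMAccountName = 'bjones'; employeeNumber = $null }   # never populated
    [pscustomobject]@{ sAMAccountName = 'cdoe';   employeeNumber = 1003 }    # Int32, not String
    [pscustomobject]@{ sAMAccountName = 'cdoe2';  employeeNumber = '1003' }  # same key as cdoe
    [pscustomobject]@{ sAMAccountName = 'temp1';  employeeNumber = '9999' }  # not in HR
)
Test-JoinKey -AdAccounts $ad -HrRecords $hr | Format-Table -AutoSize
```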

All replies

  • It sounds like your AD MA sync rule is not mapped correctly to your AD MA. When you created your AD MA you would have selected the specific attributes you wanted to define in the CS (displayName, name, objectSID, pwdLastSet, sAMAccountName and UserAccountControl may just be the default selections ... I don't know offhand). You would have had to select employeeNumber (after turning on the "show all attributes" checkbox), then once you saved your MA you should see a corresponding UPDATE request item in the FIM Service "Search Requests" page for the ma-data object corresponding to your MA. This is the FIM Service's copy of the MA schema which drives what appears in the CS attribute dropdown list when defining your inbound attribute flows. Check that the correct AD MA has been selected in your Sync Rule to join to the Metaverse person object on employeeNumber ... then make sure you have inbound attribute flows defined against the correct MA (this is my guess as to where you have gone wrong). Otherwise what you are doing is entirely correct in principle.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Monday, February 22, 2016 1:24 PM
  • Hi Bob,

    thanks for your quick response. It's right that when I created the AD MA I selected EmployeeNumber (and some other additional attributes). It also appears in the CS attribute drop-down box when I configure the Sync Rule.

    I have now configured a brand new inbound sync rule for the AD MA, with precedence of 1. I can see that the rule is projected to the Metaverse, I ran a full import cycle on the AD MA, but still nothing happens. I only have one AD MA in my environment, so that must be correct.

    Just to confirm that my thinking is right: In the first phase I only want to join the user accounts in AD with the user data from the HR system. I should be able to accomplish this with just inbound sync rules on the SQL and the AD MA, right?

    Monday, February 22, 2016 2:43 PM
  • Hi,

    Does your user object in the AD connector space get joined with its corresponding metaverse object after sync? If not, configure a Join under ADMA properties, 'Configure Join and Projection', with some attribute condition and retry.

    If the users in the connector space are joined with the MV object but attribute values are not getting synced into FIM, then check the attribute flow precedence for those attributes under the Metaverse Designer option. ADMA precedence should be higher or 'equal precedence' for those attributes to sync into FIM.

    Thanks,
    Varun

    Tuesday, February 23, 2016 6:27 AM