Expiration Workflow cannot delete ERE RRS feed

  • Question

  • I have discovered several thousand orphaned EREs in my FIM 2010 R2 SP1 system. The system was installed as a FIM 2010 RTM and subsequently upgraded. It contains the following objects:

    • MPR: Delete Orphaned EREs -> set transition into Orphaned EREs; Expiration Workflow is the designated Action workflow; Enabled
    • MPR: Administrators can delete EREs -> Grants permission to Administrators set to Delete resource, Modify a single-valued attribute targeting the All expected rule resources set (which is ExpectedRuleEntry objects), all attributes; Enabled
    • Set: Orphaned EREs -> Resource Parent not in All Active People
    • Set: Administrators -> manually-managed members including domain accounts for myself and s-fimsvcmbsa, which is the account running the FIM Service

    The Orphaned EREs set contains several thousand objects. Set transitions into this set are causing Expiration Workflow to run. I know this because I see Requests entitled Delete ExpectedRuleEntry ‘AD Inbound Outbound Users Sync Rule’ Request, originating from Expiration Workflow, with an operation of Delete and a status of Denied. To me, this explains why there are several thousand orphaned EREs.

    I am also seeing System Event Requests with a PostProcessingError status which target EREs. These requests originate with Forefront Identity Manager Service Account, indicate the Applied Policy is the Delete Orphaned EREs MPR and have Expiration Workflow as the Action Workflow Instance. The Request Status Detail indicates Permission denied.

    I can use PowerShell to delete one of these orphaned EREs, presumably because my account is in the Administrators set and there is an MPR that grants permission to do so. My question is this: Why can the Expiration Workflow not delete the orphaned EREs? Isn’t the Forefront Identity Manager Service Account in the System Event Request the same as my s-fimsvcmbsa account? Since it’s in the Administrators set, it should be able to do what my account can do.

    Thank you in advance for your time and attention.

    Pete Anfinsen

    Tuesday, October 8, 2013 4:16 PM

Answers

  • You need to actually give the Expiration Workflow the rights to delete the objects that you are applying it to.

    Create a set called "Expiration Workflow" and add the actual expiration workflow object to the set. The easiest way to do this is choose "workflow definition" and displayname = "Expiration Workflow". Then create an MPR that gives that set the rights to delete the EREs.

    Thanks,

    Mark


    Mark Creekmore - BlueVault Software http://www.bluevaultsoftware.com

    • Proposed as answer by Peter_Stapf Tuesday, October 8, 2013 5:32 PM
    • Marked as answer by PeteA Tuesday, October 8, 2013 5:58 PM
    Tuesday, October 8, 2013 4:33 PM
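An added example, not from Mark's answer or anyone in this thread, that scripts the same two steps with the FIMAutomation snap-in: a criteria-based set holding the Expiration Workflow definition object, then a Request MPR granting that set the Delete right on the "All expected rule resources" set named in the question. It assumes the FIM Service on localhost:5725, that the set and MPR display names below are unused, and the FIM object model enum values (ImportState 0 = Create; ImportOperation 0 = Add, 1 = Replace).

```powershell
# Added example (not from the thread): script Mark's fix with the FIMAutomation snap-in. Assumes FIM Service on localhost:5725.
If (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin FIMAutomation }
$URI = "http://localhost:5725/resourcemanagementservice"
# One attribute change. ImportOperation: 0 = Add (multi-valued attributes), 1 = Replace (single-valued).
function New-FimChange([string]$Name, [string]$Value, [int]$Operation = 1) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation = $Operation; $c.AttributeName = $Name; $c.AttributeValue = $Value
    $c.FullyResolved = $true; $c.Locale = "Invariant"
    return $c
}
# A "create" ImportObject (ImportState 0) of the given type carrying the given changes.
function New-FimCreate([string]$Type, [object[]]$Changes) {
    $o = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $o.ObjectType = $Type; $o.State = 0
    $o.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
    $o.Changes = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange[]]$Changes
    return $o
}
# ObjectID (urn:uuid: prefix stripped) of the single object matching an XPath filter; fails if not exactly one.
function Get-FimObjectId([string]$Filter) {
    $r = @(Export-FimConfig -Uri $URI -OnlyBaseResources -CustomConfig $Filter -ErrorAction Stop)
    if ($r.Count -ne 1) { throw "Expected exactly one match for $Filter, got $($r.Count)" }
    return $r[0].ResourceManagementObject.ObjectIdentifier -replace "^urn:uuid:"
}
# Step 1: criteria-based set whose only member is the Expiration Workflow definition object.
$setFilter = '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">/WorkflowDefinition[DisplayName=''Expiration Workflow'']</Filter>'
$set = New-FimCreate "Set" @(
    (New-FimChange "DisplayName" "Expiration Workflow"),
    (New-FimChange "Filter" $setFilter)
)
$set | Import-FimConfig -Uri $URI -ErrorAction Stop
# Step 2: Request MPR granting that set the Delete right on every ERE (current and final set are the same for Delete).
$principal = Get-FimObjectId "/Set[DisplayName='Expiration Workflow']"
$ereSet    = Get-FimObjectId "/Set[DisplayName='All expected rule resources']"
$mpr = New-FimCreate "ManagementPolicyRule" @(
    (New-FimChange "DisplayName" "Expiration Workflow can delete EREs"),
    (New-FimChange "ManagementPolicyRuleType" "Request"),
    (New-FimChange "GrantRight" "true"),
    (New-FimChange "Disabled" "false"),
    (New-FimChange "PrincipalSet" $principal),
    (New-FimChange "ActionType" "Delete" 0),
    (New-FimChange "ActionParameter" "*" 0),
    (New-FimChange "ResourceCurrentSet" $ereSet),
    (New-FimChange "ResourceFinalSet" $ereSet)
)
$mpr | Import-FimConfig -Uri $URI -ErrorAction Stop
```

After the import, the existing Delete Orphaned EREs MPR fires Expiration Workflow as before, and the resulting Delete requests should now complete instead of being Denied.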

All replies

  • Perfect. That did the trick. The consultant who installed the system missed that one, I guess. Thanks for the quick and accurate response.
    Tuesday, October 8, 2013 5:59 PM
  • I thought I would also post the PowerShell I used to clean up the orphaned EREs, adapted from Marcus' post elsewhere on this forum. I could also have disabled and re-enabled the DeleteOrphanedEREs MPR.

    # ObjectID of the All Active People set in this installation; EREs whose ResourceParent is not a member are orphaned
    $AllActivePeopleSetID = "bce1cdd1-5222-4462-b910-ab30f5b6576a"
    #----------------------------------------------------------------------------------------------------------
    Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice" -Option Constant
    #----------------------------------------------------------------------------------------------------------
    # Load the FIMAutomation snap-in if it is not already loaded
    If (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin FIMAutomation }

    # XPath for EREs whose parent resource is not a computed member of the All Active People set
    $OrphanedEREsFilter = "/ExpectedRuleEntry[ResourceParent != /Set[ObjectID = '$AllActivePeopleSetID']/ComputedMember]"
    $OrphanedEREs = Export-FIMConfig -Uri $URI `
                                     -OnlyBaseResources `
                                     -CustomConfig $OrphanedEREsFilter `
                                     -ErrorVariable Err `
                                     -ErrorAction SilentlyContinue
    If ($Err) { Throw $Err }

    # Build one delete ImportObject per orphaned ERE (ImportState 2 = Delete)
    $Deletes = $OrphanedEREs | ForEach-Object {
        $EREID = $_.ResourceManagementObject.ObjectIdentifier -replace "^urn:uuid:"
        $ImportObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $ImportObject.ObjectType = "ExpectedRuleEntry"
        $ImportObject.TargetObjectIdentifier = $EREID
        $ImportObject.SourceObjectIdentifier = $EREID
        $ImportObject.State = 2
        $ImportObject
    }

    # Submit the deletes in one batch
    $Deletes | Import-FIMConfig -Uri $URI -ErrorVariable Err -ErrorAction SilentlyContinue
    If ($Err) { Throw $Err }

    Write-Host "`nCommand completed successfully`n"
    #----------------------------------------------------------------------------------------------------------
    # A trap applies to the whole script scope regardless of where it is declared: any thrown error is reported and the script exits
    trap
    {
        Write-Host "`nError: $($_.Exception.Message)`n" -ForegroundColor White -BackgroundColor DarkRed
        Exit 1
    }
    #----------------------------------------------------------------------------------------------------------

    Tuesday, October 8, 2013 6:36 PM