none
Metaverse Extension Rules in order to provision destination AD with deleted information from source AD RRS feed

  • Question

  • Hi Everyone,

    I need to sync users from AD1 to AD2 using FIM Synchronisation Service.

    I'm trying to write rules extension (MA or MV Rules Extensions) in order to check if USER1 is deleted from AD1, FIM should provision USER1 to AD2 with (Disabled Status and the date of deletion from AD1).

    I will be grateful if you could help me finding more information about the way to proceed.

    Thanks a lot in advance.

    Louban.

    Thursday, August 7, 2014 3:52 PM

All replies

  • Hi Louban,

    I believe, this can be achieved by finding a way in code to count the connector. If the "connector.count" for AD1 becomes Zero (i.e. on delete of user) then you can write a provision method to AD2 in this condition.

    Do make sure, you have proper Join/Projection rules and disconnection logics in place to prevent the errors.


    Regards,
    Manuj Khurana

    • Proposed as answer by Manuj Khurana Tuesday, August 12, 2014 1:52 PM
    Friday, August 8, 2014 10:25 AM
  • Hi Manuj,

    Thanks a lot for youir quick reply. I have appreciated.

    Actually I have MAExtensionRules and MVExtensionRules that are running.

    I have created a custom attribute that retrieves FIM Server's current timestamp while the full Import from AD1 is run and I can provision that time to a custom attribute in AD2.

    My question is How can I check if a object when a object is removed from AD1 and then disable that user in AD2 and then provision provision the time value to AD2.

    Regards,

    Louban

    Friday, August 8, 2014 12:34 PM
  • Hi Louban

    I think you need a third Directory to achive this because:

    In case you have one MVObject for a user account in AD-A and this object gets deleted you loose the MVObject during the Import. And because there is no MVObject, the MVExtension will not run anymore for this deleted object and you cannot Count connectors for a non-existing object.

    But if you have a third connected Directory (it could be a file) you do not loose the MVObject and are can count connectors. 

    Or you imidiately provision your AD account in AD-B when an account is created in AD-A. and when the AD-A Object gets deleted you change the State of the object in AD-B.

    Henry

    Friday, August 8, 2014 12:47 PM
  • Hi Henry,

    I am using the following situation :

    AD-A ==> Object is deleted

    FIM ==> Object is disconnected from MV and TimeStampValue=FIMCurrentTIme

    AD-B <== Object state changes to Disabled

    AD-B <== Object is provisioned with TimeStampValue

    I think, I need to know howto check when MVObject is disconnected.

    Regards,

    Louban

    Friday, August 8, 2014 1:13 PM
  • First of all to answer your question you can Count connectors.

    int Count = mventry.connectedMAs["myMAName"].Connectors.Count;

    BUT: as I said before you cannot Count connectors on a non-exisiting MV-Object. If you have only one connector to the AD-A Object and this is deleted in AD the you will loose the MVObject and you cannot Count connectors anymore. Thats the reason why I said you should introduce a third Directory (a file).

    For every Object in AD-A you provision an entry in your file. Now you know have one MVObject with one connector to AD-A and one connector to the file. You can now count connectors within your AD MA connector space. When your AD-A object gets deleted the MVExtension runs and you are able to Count connectors as well, because you do not loose your MV Object. It is still connected to the FILE CS. the connectors Count is Zero, thats the indicator to Provision a new AD-Object in AD-B.

    Henry 

    Friday, August 8, 2014 1:38 PM
  • Hi Henry,

    Thanks for the answer.

    Oh I see what you mean but isn't it possible to custom "Object Deletion Rules" or "Deprovisioning Rules" in order to avoid using a third connected directory?

    I am a newbie in FIM and I don't know exactly the way to proceed.

    Monday, August 11, 2014 8:44 AM
  • Hi Louban,

    See, FIM do have a connector space for each source for which you create MA. As per my suggestion above, you can check the connector space of that AD and use the conditions to count the connector and if the count becomes zero which is the case when object is deleted.

    To check connector count for AD1 : "connectors = AD1.Connectors.Count"

    In the case when connector count becomes zero, you can write code in Metaverse rules extension by a method :

    Provision a new user to AD2 : "csEntry.CommitNewConnector()" 

    This can be used but you have to apply mandatory attributes mapping in MV rules extension or by Synchronization rule before exporting to AD2.


    Regards,
    Manuj Khurana

    • Proposed as answer by Manuj Khurana Tuesday, August 12, 2014 1:52 PM
    Monday, August 11, 2014 11:13 AM
  • Hi Manuj,

    Thank you so much for your help guys. I am going to try what you have said.
    I will tell you what will be the outcome.

    Regards.

    Louban.

    Tuesday, August 12, 2014 7:41 AM