none
Configuring Attribute precedence when multiple MAs are present. RRS feed

  • Question

  • Hi,

    In our environment, we have multiple MAs configured. 

    1.FlatFile MA(source)

    2. FIM MA

    3. ADDS MA(target)

    4.Google Apps MA.(target)

    The flow will be like we provision users from Flat file to FIM and from FIM to AD and Google. We are using MV extension code for ADDS MA and Google MA for provisioning users from FIM to AD and Google. In turn we are flowing object SID and domain back to FIM from AD. For that we have build an Inbound sync rule for AD. When I do Full sync of ADDS MA, the objectSID and domain is not getting to metaverse and not exporting to FIM MA. I had examined the attribute precedence.The precedence is as follows.

    1. ADDS MA

    2.FIM MA

    3.Google MA

    Is Inbound sync rule is needed to flow objectSID and domain back to FIM in which user is already present? If not how should be the attribute precedence? If Outbound and Inbound Sync rules are preseent, then which rule will be called first.

    Thanks

    Prasanthi.

    Wednesday, April 8, 2015 9:23 AM

All replies

  • Have you imported this sync rule from FIM MA to metaverse? Do you see in Precedence that this attribute is imported using sync rule?

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Wednesday, April 8, 2015 9:40 AM
  • Hi,

    Ya i have imported the inbound sync rule to metaverse. When i see the preview of that user, an outbound sync rule is getting applied(we have one outbound sync rule for google MA(precedence 2) and one inbound sync rule for ADDS MA(precedence 1))

    Thanks 

    Prasanthi

    Wednesday, April 8, 2015 9:44 AM
  • You need to have objectSID and domain defined as Export Attribute Flows (EAF) on the FIM Management Agent (FIMMA).

    These flows are defined as Classic flows on the Agent Properties (tab Configure Attribute Flow) in the FIM Sync Client (miisclient).


    Wednesday, April 8, 2015 9:59 AM
  • Hi,

    my attribute flows are as follows.

    For FIM MA,

    Data Source       Metaverse

    accountName--> accountName

    firstName--> firstName

    lastname-->lastname

    ObjectSID<--ObjectSID

    domain<--domain

    for ADDS MA

    DataSource      Metaverse

    samAccountName<-- accountName

    givenName<---firstName

    sn<--lastname

    ObjectSID-->ObjectSID

    "domainvalue"--->domain

    First, i have done provisioning userA from FIM to AD. It got successfully created at AD(used mvextension provision to sync users from FIM to AD).

    Now, i am trying to flow objectSID and domain values for userA from AD to FIM. For that i created one inbound sync rule and projected that inbound rule to metaverse.Then i am doing full import and full Sync on ADDS MA. on Full sync, it is not showing any export flows to FIM MA. In metaverse also i checked the properties of the user. The objectSID and Domain attributes are not showing. on the Connectors Tab it is showing two connectors "FIM MA" and "ADDSMA". I opened and had seen the properties of that ADDS connector in which ObjectSID is present and it is throwing an synchronization error(provision rule failed. on Opening stack trace, the error is due to an Outbound Sync Rule of Google MA(This rule is configured for syncing users from FIM to google)).

    My point here is, when i am doing full sync of ADDS MA, why it is giving provision error for that outbound sync rule. Is there any flow for executing SYnc rules(Inbound/Outbound). or is it is due to attribute precedence??

    If the user is already present in FIm and in Metaverse, is the inbound sync rule for ADDS MA is needed just for flowing the ObjectSID and Domain??

    Thanks

    Prasanthi

    Wednesday, April 8, 2015 10:19 AM
  • Ok. So the problem is with this error. FIM calculates flows as a transaction - if any error occurs during calculation, it is rolled back and there are no pending exports.

    So you have to correct the issue to have those flows ready.

    Or switch off synchronization rules provisioning and verify that flows are going to be exported (but this is a short-term solution as you disable synch rules)


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Wednesday, April 8, 2015 10:51 AM
  • Thank you for reply,

    Switch Off Sync rules means, should i remove the sync rule from metaverse?? I have disabled it on FIM portal. but that Sync rule still exists in metaverse. Should i delete in metaverse as well??

    For time being, i have deleted connector space of FIM MA and re imported all the users from FIM to metavesre. And i had not imported that sync rule. Now i am able to flow the object SID and domain value. But i think deleting connector space is not the correct issue.

    could you please suggest. And i have one more doubt which i asked previously. If the user is already present in FIm and in Metaverse, is the inbound sync rule for ADDS MA is needed just for flowing the ObjectSID and Domain??

    Wednesday, April 8, 2015 11:04 AM