Want to exclude selective user IDs from FIM's operation.

  • Question

  • Scenario is: An organization is using FIM for users' provisioning into AD. Users are basically coming from two different systems (let's say system A and system B) and create an entry in SQL tables which is acting as a source for FIM's provisioning (including email creation). FIM picks up the data from the SQL tables and provisions/synchronizes users in Active Directory based on the provisioning logic.

    Now there is a plan to include another provisioning system (SAP IdM) which will take care of the provisioning of system B users into Active Directory. All the existing users (who all belong to system B) and the users which will be newly created through system B will be taken care of by SAP IdM for their provisioning and email creation part, and FIM should be excluded from any further activity on those user accounts.
    SAP IdM will also use the same backend SQL tables as a source for the users' provisioning, which are being used by FIM.
    FIM will still be doing provisioning, but only of the users from system A.
    There is a plan to further migrate all the users from system A to system B and eliminate FIM from the picture.

    So my questions are:
    1. As SAP IdM will take care of the existing users as well as of the new users from system B, what changes should we do in FIM's configuration to exclude all those users from further provisioning or synchronization via FIM?

    2. What should be done for unique email address creation?

    Any suggestions are welcome!!

    Thursday, November 29, 2012 3:01 PM


  • If you're using classic provisioning, you could possibly flow out some sort of flag from the SAP IdM to identify the system B users in AD; from there you could set up a connector filter based on that flag. (Check deprovisioning and metaverse object deletion rules first.)

    There are other options if you are using the portal, like removing the system B users from the set of users that get sync rules. 

    On the unique email address creation, the simplest path is to get the DBAs to write a script to generate it within SQL, as this is the "source of truth".

    Thursday, November 29, 2012 11:33 PM
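The two suggestions above (scope FIM to system A rows via a source-system flag, and generate unique mail addresses in the shared SQL source rather than in either provisioning engine) as an added example. This is not code from the thread or from FIM/SAP IdM; it uses an in-memory SQLite table with constructed sample rows, an assumed `source_system` column carrying the flag, and an assumed mail domain.

```python
import re
import sqlite3
import unicodedata

DOMAIN = "example.com"  # assumed mail domain for constructed sample

# Constructed sample rows: (uid, given, surname, source_system, mail).
# System A rows stay with FIM; system B rows are owned by SAP IdM.
SAMPLE_ROWS = [
    ("1001", "Anna", "Müller", "A", None),
    ("1002", "John", "Smith", "B", None),
    ("1003", "John", "Smith", "A", None),
    ("1004", "Anna", "Muller", "B", "anna.muller@example.com"),  # already has mail
]

def mail_base(given, surname):
    """Normalise a name to an ASCII local part: strip diacritics, keep [a-z0-9]."""
    def clean(s):
        s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
        return re.sub(r"[^a-z0-9]", "", s.lower())
    return f"{clean(given)}.{clean(surname)}"

def open_db():
    """Create the shared source table both FIM and SAP IdM would read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, given TEXT, surname TEXT, "
                 "source_system TEXT, mail TEXT UNIQUE)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def assign_unique_mails(conn):
    """Fill mail for rows lacking one; on collision with ANY row (either system)
    append 2, 3, ... so uniqueness is enforced once, at the source of truth."""
    pending = conn.execute("SELECT uid, given, surname FROM users "
                           "WHERE mail IS NULL ORDER BY uid").fetchall()
    for uid, given, surname in pending:
        base, n = mail_base(given, surname), 1
        while True:
            candidate = f"{base}{'' if n == 1 else n}@{DOMAIN}"
            if conn.execute("SELECT 1 FROM users WHERE mail = ?",
                            (candidate,)).fetchone() is None:
                break
            n += 1
        conn.execute("UPDATE users SET mail = ? WHERE uid = ?", (candidate, uid))
    conn.commit()

def fim_scope(conn):
    """Rows FIM should still import: the filter excludes system B (SAP IdM-owned)."""
    return [r[0] for r in conn.execute(
        "SELECT uid FROM users WHERE source_system = 'A' ORDER BY uid")]
```

The UNIQUE constraint on `mail` is the backstop: if two engines ever race to write the same address, the second insert fails instead of silently creating a duplicate.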