Synchronization engine with insufficient permissions

  • Question

  • Hey guys,

    I have this question that desperately needs an answer. I have been struggling with this issue for weeks.

    I get a set of users synched into metaverse with a attribute (let's call it AppUser set to true/false). What I want to do is that when the user is created in FIM I want FIM to look at this value and put the user in a specific set. I have tried to use criteria-based membership on the set. This doesn't work for me. I could be doing it the wrong way or it could have something to do do with MPR.

    Thanks in advance.


    • Edited by VimKin Thursday, August 23, 2012 5:07 PM
    Thursday, August 23, 2012 2:40 PM

All replies

  • Not sure why you're having an issue, since this is pretty straightforward.. well, except for the step where you update which attributes users or administrators can use to build set membership filters (which will get you an 'access denied' error on submit)

    • What happens when you try to create the set, do you get an error, no users, or something else?
    • Are the users getting their attribute values populated in the portal user object (i.e. are the values flowing from the metaverse to the portal)?

    Frank C. Drewes III - Architect - Oxford Computer Group

    Thursday, August 23, 2012 5:43 PM
  • I know. This seemingly straightforward issue is really bugging me. I may have explained myself a bit badly, sorry about that.

    • The Set already exists (MyApplication) and is set to use criteria-based membership (AppUsers is True). What I want to do is that when a new User is populated to the FIM portal, I want the MPR, which is set to Transition In on the MyApplication Set, to trigger a Workflow which prepares the user to be populated to AD (DN, UAC etc.).
    • Yes, the users are getting their attribute values populated in the portal. Both Administrators and Synchronization Engine are able to set/modify the AppUser-attribute (when I access the user, the AppUser boolean attribute is set).

    The AppUser attribute is added to both of the "Administration: Administrators can read and update users" and "Synchronization: Synchronization account controls users it synchronizes" MPRs.

    One other thing I'd like to mention (which I find even more absurd) is that if I delete the Set and use the Administrator account to create a new set with the same criteria, the MPR triggers for all the users that match the criteria. It's a bit hard to explain, but it seems like when the user is populated to the portal it "skips a step".

    Thanks a bunch so far.


    • Edited by VimKin Thursday, August 23, 2012 7:57 PM
    Thursday, August 23, 2012 7:57 PM
  • Do you mean that if a Set exists when you create a user, the user won't be included in that set?

    (if I delete the Set and use the Administrator account to create a new set with the same criteria, the MPR triggers for all the users that matches the criteria.)

    So the issue is: there is a set based on if an AppUsers equals true and it doesn't work for users created after the set has been created, right?

    Does the MPR have run on policy update thingie checked? Only thing that comes to my mind... really.
    Friday, August 24, 2012 11:28 AM
  • The 'Run On Policy update' option will handle the users who belonged to the set before the MPR was created. This looks like the opposite problem..

    Let's see if we can eliminate the sync server angle... What happens if you manually set the AppUsers attribute and make the user transition into the set? Does the user end up in the set? And does the workflow execute?

    Also look in the request log to see if the workflow that executes is running. Perhaps something in the workflow is failing.


    Frank C. Drewes III - Architect - Oxford Computer Group

    Saturday, August 25, 2012 3:05 AM
  • If I manually set the AppUsers attribute, the policy does not get applied, although if I click "View members" on the set, the user shows.
    Since my "Transition In"-policy is not applied to the "Request: Create User", the workflow does not run. The workflow runs if I add members manually.

    The communication problem seems to be located somewhere in between when the user is created and when the user becomes a member of a set (criteria based).


    • Edited by VimKin Friday, August 31, 2012 9:42 AM
    Friday, August 31, 2012 8:34 AM
  • Do you mean that if a Set exists when you create a user, the user won't be included in that set?

    (if I delete the Set and use the Administrator account to create a new set with the same criteria, the MPR triggers for all the users that matches the criteria.)

    So the issue is: there is a set based on if an AppUsers equals true and it doesn't work for users created after the set has been created, right?

    Does the MPR have run on policy update thingie checked? Only thing that comes to my mind... really.

    Yes, that's exactly my problem.

    Only workflows have run on policy update, and yeah, it is checked. Unfortunately the process does not go as far as triggering the workflow.

    Friday, August 31, 2012 9:09 AM