FIM Synchronization Service - How to provision a group to another object type

  • Question

  • Hi,

    I'm new to FIM and use just the FIM 2010 synchronization engine with some rules extensions.

    I have 2 Active Directories and want to provision a group (used as a distribution list) from Active Directory A as a contact object in Active Directory B, with the SMTP address of the group as the targetAddress of the contact.

    Can you give me a hint how to accomplish that?

    Should I use the ShouldProjectToMV() method in the rules extension of the AD connector of domain A and put the group as a special MV type? How do I join (what anchor to use) the group to domain B if I also sync normal contact objects as well?

    Thank you for your help!

    Thursday, April 10, 2014 11:43 AM

Answers

  • This is a typical GAL synch task.

    1. Project groups from domain A to the metaverse as an object of choice, like group :).

    2. Write a provisioning extension (Provision method) to implement the provisioning logic and provision this group as a contact in AD B.

    Should project to MV is more like a filter and logic to control which type to use based on some conditions.

    For the join question - use SMTP address or account name if you synch it to the other AD as well.


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    • Marked as answer by baschuel Friday, April 11, 2014 5:23 PM
    Thursday, April 10, 2014 2:36 PM

All replies

  • Thank you, that gives me the right direction :)

    As far as I understand, I just need to use the minimal set of attributes in the provisioning code to create the object, and the rest comes with the attribute flows?

    Thursday, April 10, 2014 5:17 PM
  • In provisioning code you should set all attributes which are required to start an object instance, and also attributes you intend to set only once and then not use in the flows.

    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Thursday, April 10, 2014 7:15 PM
  • Thank you again!

    Last question for this thread:

    How do I accomplish the task of deprovisioning the contact object if the mail address is deleted in the group (mail attribute empty if the group is 'converted' back to a normal, not mail-enabled security group)?

    I think deprovisioning when the group in the source is deleted is the standard disconnect and object deletion rule.

    Friday, April 11, 2014 2:10 PM
  • If you want to decide that an object is deleted, you need to implement your de-provisioning logic.

    De-provisioning logic should be implemented in the Provision method as well. You need something like this there:

    if(I_dont_have_contact_for_group)
    {
        Provision_new_one
    } else
    {
        if(do_I_Have_email_on_my_group_in_mv)
        {
            No -> delete_contact_in_other_forest
        }
    }

    It depends on the target agent scope: if you have object types other than contacts there, you may want to implement the Deprovision() method in the agent extension to decide that a contact should be deleted but other types of objects not.


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Friday, April 11, 2014 11:30 PM
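
The decision tree from the last answer, written out as a metaverse rules extension. This is an added example, not code posted in the thread; the management agent name, the contact container, the `SMTP:` prefix and the assumption that `cn` and `mail` are flowed into the metaverse group object are all hypothetical.

```csharp
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Assumed names (not from the thread): target MA and contact container.
    private const string TargetMa = "AD B MA";
    private const string ContactContainer = "OU=Contacts,DC=b,DC=example";

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Only groups projected from domain A are handled here.
        if (!mventry.ObjectType.Equals("group", StringComparison.OrdinalIgnoreCase))
            return;

        ConnectedMA ma = mventry.ConnectedMAs[TargetMa];
        bool hasMail = mventry["mail"].IsPresent; // assumes mail is flowed into the MV
        int connectors = ma.Connectors.Count;

        if (connectors > 1)
            throw new UnexpectedDataException("More than one connector in " + TargetMa);

        if (connectors == 0)
        {
            if (!hasMail) return; // not mail-enabled: nothing to provision
            if (!mventry["cn"].IsPresent)
                throw new UnexpectedDataException("Group has mail but no cn");

            CSEntry contact = ma.Connectors.StartNewConnector("contact");
            contact.DN = ma.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat(ContactContainer);
            // Set once at creation; other attributes arrive via export attribute flows.
            contact["targetAddress"].Value = "SMTP:" + mventry["mail"].Value;
            contact.CommitNewConnector();
        }
        else if (!hasMail)
        {
            // Mail removed from the group: disconnect the contact. The MA's deprovisioning
            // setting (or its Deprovision() extension) decides whether it is deleted.
            ma.Connectors.ByIndex[0].Deprovision();
        }
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

If the AD B agent also holds ordinary contacts or other object types, the single connector found here may be a joined object rather than one this code provisioned, which is where the Deprovision() method in the agent extension mentioned above comes in.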