Selective provisioning to the portal

  • Question

  • Hi,

    I have an HR feed that contains a lot of users that should not be provisioned to the portal.

    Reading this thread http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/5b40a979-ec0a-44e4-86b6-98a50addb9cf I am not able to get the method to work with the three inbound sync rules. The users are all getting provisioned even if they fall in the scope of the sync rule without "Create in FIM" checked.

    Reading further in that thread, am I correct in thinking that the way we should do this is having a second management agent--so that one is a feed of users from HR that should be provisioned and the other is a feed with users who shouldn't? That seems rather cumbersome...

    I appreciate any guidance.

    Thanks,

    Sami

    Friday, October 12, 2012 12:53 AM

All replies

  • I'm giving Carol's suggestion here http://www.wapshere.com/missmiis/selective-provisioning-to-the-fim-ma-well-sort-of a try.

    The client is buying licenses for all of their users, but only wants to introduce the portal in a phased approach.

    I think this has merit as it keeps sync times down and keeps the portal from becoming over-cluttered for the phase when the users are supplying feedback.

    I do wish there were a way to do this that was more straightforward. Not every implementation is one in which the client wants to bring everyone in at once. (In this case, it's a global company and they are bringing regions in in phases, but would still like to use the sync engine to provision and deprovision accounts that aren't part of phase 1.)

    Thanks,

    Sami

    Wednesday, October 17, 2012 10:59 PM
  • Hi,

    From what I recall only one FIM MA is supported.

    Here are a few options:

    • Classify your user types (e.g. staff, student, etc) and store this in an attribute. Then create a filter to exclude the ones you do not want to export to the Portal.
    • This might have long term consequences, so you need to plan carefully, but you could create different MV objects for different user types, and only export the one specific user type to the Portal.
    • MV extension as Carol pointed out.

    Regards.

    • Marked as answer by SamiVV Sunday, October 21, 2012 11:41 AM
    Thursday, October 18, 2012 4:52 AM
  • Hi,

    Thanks for your response.

    For your first option--I tried storing an attribute to indicate whether a user should be provisioned or not, but it didn't seem to work. I put a filter on the Inbound Sync rule to only apply to users with a status of 'A' and had "create in FIM" selected but it still created everyone in the portal. (I also tried creating an additional SR for users without a status of 'A' with "create in FIM" unchecked, but they got created too.)

    Was that the wrong approach? Should the filter be done elsewhere?

    I wasn't thinking two FIM MAs, I was thinking of two HR MAs, but my experiments there led to the same results. If a person object is in the MV and there's a sync rule to bring person objects to the portal, even if it has an inbound scoping filter, the person got created in the portal.

    I appreciate your help.

    Thanks,

    Sami

    Friday, October 19, 2012 11:14 AM
  • Unfortunately, the "create in FIM" language in the Portal Synchronization Rules is pretty confusing and has nothing to do with pushing records into the FIM Service; it should really say "create in Metaverse," but for some reason the Portal seems to eschew that term.  The product is designed such that any metaverse object type that has a mapping to a FIM Service / FIM Portal object type will be provisioned into the portal.
    • Marked as answer by SamiVV Sunday, October 21, 2012 11:41 AM
    Friday, October 19, 2012 6:07 PM
  • Thanks for the clarification, though it is confusing terminology as you said.

    I think I may have *sort of* gotten it working... I hadn't selected the appropriate "Apply To" radio button on the front page of the SR... This is what 80-hour weeks do to a person.

    Thanks for all of the help.

    Friday, October 19, 2012 11:02 PM