Conditional Sync from two Forests

  • Question

  • Hello, 

    I have a question regarding the conditional sync from two forests. The setup is:

    - Two AD forests with management agents (object of each forest is joined to the same metaverse object)

    - AD extension attribute is used to indicate which forest should determine the attributes of the metaverse object (via connector filters)

    - Connector filter in forest 1: "filter out if extension attribute != 1"

    - Connector filter in forest 2: "filter out if extension attribute != 2"

    My procedure is the following:

    I create an AD object in forest 1 and populate certain attributes (extension attribute = 1 and an immutable anchor attribute). In forest 2, I create an object with the same anchor attribute (for joining) and the extension attribute also set to 1. Other attributes have different values in comparison to forest 1. I then make a "full import and sync" with the management agent of forest . Connector space gets filled and (since the metaverse is empty) objects are projected (works fine, metaverse objects have the attribute values of forest 1). After that I set the extension attribute in both forests to a value of 2 and I start a "full import and sync" with the management agent of forest 2. Joining is performed successfully and the metaverse object's attributes have the values of forest 2 (as it should be). If I run the management agent of forest 1 again, as intended nothing happens (due to the connector filter) to the attribute values of the metaverse object.

    Now comes the interesting part: I now change the extension attribute back to "1". The management agent of forest 2 now does, as expected (due to the connector filter), nothing. However, running the management agent of forest 1 also has no effect on the metaverse object. Its attribute values were set to the values of forest two in the former step and should now be updated by the values of forest 1 of the corresponding object. However, this does not happen! The reason presumably is the following: When the management agent of forest 1 runs again (happens for delta and full import and sync) it reads the data from forest and compares it to the connector space data it already has from the prior run. Except for the extension attribute, no attribute was changed, and it seems that the FIM does not apply a flow rule if the source and the connector space attribute still have the same data (although the metaverse attribute value of the object is different). So to speak: "If source directory data and connector space data are the same I do not have to sync to the metaverse."

    Does anyone know how to change this behavior or how to force a metaverse update? (Or any other solution)

    Thanks

    Tuesday, February 23, 2016 12:38 PM

Answers

  • I am not sure I totally understand the scenario, but I believe you have a precedence issue. In your case you need to set "Determine with rules extension" and write some code to do what you are asking.

    Nosh Mernacaj, Identity Management Specialist

    • Marked as answer by janciupka Tuesday, February 23, 2016 3:38 PM
    Tuesday, February 23, 2016 12:58 PM

All replies

  • Sorry for the poor description of the scenario. Anyway, your hint with the precedence issue helped me to figure it out. Under the metaverse designer, I configured "Use equal precedence" for each attribute I need to sync conditionally from both forests. Effectively, this means the last writing MA wins. Using this and the connector filters, I can switch the authoritative source of a metaverse object by an AD attribute. A rule extension was not necessary in this case.

    Anyway thanks for the help.

    Tuesday, February 23, 2016 3:38 PM
  • Even better. Glad it worked.

    Nosh Mernacaj, Identity Management Specialist

    Thursday, February 25, 2016 8:25 PM