locked
How to "null out" previously imported attributes RRS feed

  • Question

  • Hello.
    I have an Oracle MA that works like this:  OracleMA->MV->AD. I have been importing the attribute "title" for persons  with a "direct" attribute flow and have populated the metaverse and active directory with the values.

    It turns out now that the titles from the Oracle MA won't do and we would prefer to just leave the title field blank until we can get a better source.

    It is easy to remove the "title" attribute from the Oracle Management Agent. But how do I manage to blank out or null the titles that this Management Agent has contributed?

    If I just delete the title attribute from the MA,  a preview import and full sync still shows the previously imported value in the Metaverse and "unchhanged" in for the title row. And I can't find any way to import a "null" constant for the field.

    Thanks.
    Wednesday, January 31, 2007 5:03 PM

Answers

  • This is only for a one time run, after the Full Sync is done you can remove the Import attribute flow rule in Oracle and the export attribute flow rule you have in Active Directory.

    By changing the Attribute flow rule to an Advanced Import Flow rule and adding the code to delete the attribute, it will delete the Metaverse Attribute Value.

    Which would then null out the Active Directory attribute value.

    Just setup the an Advanced Attribute flow rule for "Title" like this"

    Oracle MA

    Connector Space                             Metaverse

    TITLE                     =>                            title                

    <dn>

    Make sure that <dn> and TITLE are both selected in the connectorspace side.

    To select more than one attribute in the interface, use either the control or shift key.

    Add the code to your extension and you should be done.

    HTH,

     

    Joe

    Wednesday, January 31, 2007 6:30 PM
  • Al,

     

    this looks good with one little modification.

    Full imports are not required.

    A delta import is sufficient in both cases.

     

     

    Cheers,

    Markus

     

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

     

    Thursday, February 1, 2007 2:59 AM
    Moderator

All replies

  • You can certainly flow NULL values within attribute flow rules.

    To do so, you need to enable it. There is a checkbox in the attribute flow dialog.

    If you want to “bulk” set an attribute value in a connected data source, I would script it and let the script run against the connected data source.

    It is technically possible, to do something like that with MIIS.

    However, considering the time it takes to set this up, you are much better off using a script.  

     

    Cheers,

    Markus

     

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

    Wednesday, January 31, 2007 6:03 PM
    Moderator
  • The problem is you need to trigger a delete on the metaverse attribute... You can't do this by just deleting the attribute flow..

    To do this you can change the direct flow that you have setup for title in the Oracle MA to an Advanced Import

    Flow that deletes the metverse attribute.

    Here's the code to do it:

                Case "Testing"
                    If mventry("TestAttribute").IsPresent Then
                        mventry("TestAttribute").Delete()
                    End If

    You just need to make sure that your export flow in Active Directory is set to "Allow Nulls"

    Just make sure you run a Full Sync on the ORacle MA.

     Also like Markus says you could just delete it in the datasource..

    HTH,

    Joe

    Wednesday, January 31, 2007 6:09 PM
  • … and this would require a change contributed by a connected data source to get a flow rule triggered, which doesn’t help you if you just want to bulk reset an attribute value that was set with a wrong value by your MIIS configuration.

     

    The key in these scenarios is to understand that MIIS is by design not capable of generating staged updates without a triggering event from a connected data source.

     

    Cheers,

    Markus

     

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

    Wednesday, January 31, 2007 6:19 PM
    Moderator
  • Thanks Markus,

    But "Allow Nulls" seems to always be disabled for import from the Oracle Management agent. A blank in this field doesn't seem to trigger a modification in the MV.

    "Allow Nulls" is enabled in export rules to AD.

    cheers,
    Al

    Wednesday, January 31, 2007 6:20 PM
  • This is only for a one time run, after the Full Sync is done you can remove the Import attribute flow rule in Oracle and the export attribute flow rule you have in Active Directory.

    By changing the Attribute flow rule to an Advanced Import Flow rule and adding the code to delete the attribute, it will delete the Metaverse Attribute Value.

    Which would then null out the Active Directory attribute value.

    Just setup the an Advanced Attribute flow rule for "Title" like this"

    Oracle MA

    Connector Space                             Metaverse

    TITLE                     =>                            title                

    <dn>

    Make sure that <dn> and TITLE are both selected in the connectorspace side.

    To select more than one attribute in the interface, use either the control or shift key.

    Add the code to your extension and you should be done.

    HTH,

     

    Joe

    Wednesday, January 31, 2007 6:30 PM
  • Thanks, Joe
    The rules extension .Delete()  was going to be the next thing I tried. I was hoping there might be something more straight forward.

    The Datasource is a fairly large and long-running Oracle view.  I was hoping not to have to make any changes in it, just to ignore that attribute and eventually drop it from the import flow.  At the same time, I was skeptical as to whether changing the view to present an empty "title" field would over-write an existing value in the MV, since "Allow Nulls" seems to be disabled for import flows.

    Cheers,
    Al
    Wednesday, January 31, 2007 6:32 PM
  • Allow Nulls can only be setup for an Export Flow Rule, no import flow rules.

    Also just setting the Active Directory Export Attribute flow to "Allow Nulls" will not delete your attribute yet because you need to

    delete the metaverse attribute first.

    Also

     

    Adding the <dn> in the selection makes sure that your code will be triggered when running a sync.

     

    HTH,

     

    Joe

    Wednesday, January 31, 2007 6:33 PM
  • You are missing the point.

    We do not recommend modifying rules extensions for “one hit wonder”  tasks because it is in a professional environment too expensive to do this.

    I’m not saying that you can’t do this with MIIS. I’m saying that you shouldn’t do this with MIIS if you care about the costs.

     

    Cheers,

    Markus

     

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

    Wednesday, January 31, 2007 6:51 PM
    Moderator
  • Honestly I thought you were saying that you couldn't do this..

    I am really trying to understand why this is bad to do.

    Basically your telling him to do it directly in the datasource and not through a controlled environment.

    Even by him doing this mod in the datasource doesn't clean up what has been done in the metaverse.

    You can delete the import flow and export flow and you will still have the value in the metaverse.

    The big reason I recommended this was because the metaverse would still have a value that is not controlled.

    This I would not recommend.

    HTH,

    Joe 

     

    Wednesday, January 31, 2007 7:04 PM
  • Joe,

     

    “better off” usually means that there is an alternative that doesn’t seem to be the right solution to something.

    In a professional environment, you hopefully have processes in place to take a “good idea” from a “laptop environment” to a lab environment and then into production. This usually involves several teams, lots of testing, time and at the end of the day money.

    Many good ideas have turned out to be PSS calls at the end of the day.

    MIIS was not designed to be an application component - it is an infrastructure component.

    Now, let’s do a simple math exercise.

    Doing what you suggested, requires two changes of your sync rules:

    • The first change is to deploy the desired attribute value
    • The second change is to configure the rule to what it is supposed to do.

    In MIIS this translates to:

    • A full sync on all effected MAs
    • An export
    • A confirming import
    • A reset of the sync rules
    • Another full sync on all effected MAs
    • (Another export)
    • (Another confirming import)

       

    Whether you need to do the last two steps is a matter of your personal experience with an environment.

    Is this worth it?

    I would say no, which is why I’m suggesting to apply known bulk changes directly to a connected data source. Whether you need to NULL the attribute or whether a “” is sufficient is then a different question.

    This is the long explanation and I’m sure I have missed something.

    The short recommendation is to do bulk updates directly on a connected data source.

    The metaverse cleanup happens during the next import...   

     

     

    Cheers,

    Markus

     

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

     

    Wednesday, January 31, 2007 8:13 PM
    Moderator
  • Thank you guys,

    I appreciate the suggestions as well as the discussion of best practices.

    So just to be clear, what Markus would suggest is:

    1) Remove the import rule for the "title" field from the Oracle MA.
    2) Run a full import and sync on the Oracle MA.
    3) Use LDAP tools to script the update of the "title" field in AD.
    4) Run a full import and sync on the AD MA.

    or

    1) Change Oracle View to always contain blank field for "title".
    2) Run a full import and sync on the Oracle MA
    3) Run export and confirming import on AD MA (AD is the only MA that uses "title")

    Does this sound correct?
    Thanks,
    Al




    Wednesday, January 31, 2007 9:14 PM
  • Al,

     

    this looks good with one little modification.

    Full imports are not required.

    A delta import is sufficient in both cases.

     

     

    Cheers,

    Markus

     

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

     

    Thursday, February 1, 2007 2:59 AM
    Moderator
  • Here's my problem with the following:

    If you did the first part of this you will end up rewriting the value back to Active Directory when you do end of Running a Full Sync on the AD side because the metaverse attribute is still there in the metaverse.

    And also you still have an export flow out from the Metaverse to Active Directory, which would write the value back out to Active Directory again.

    Now because you did delete a rule from the Oracle MA, you should still run Full Sync to clear the warning notifications "that you should run a Full Sync because the rules have changed"

    Even if you delete the import and export flow rules.. The metaverse attribute will end up staying in the metaverse.

    Now here's the problem with number 2, why even set the value in the table... Why not just delete the export flow rule

    and then modify the Active Directory data source.

    What happens if you decide to use that value down the road? then you need to change the view...

    Either way you are going to need to Run Full Imports and Full Syncs because you did a rule change, plus its a best practice to run these every once in a while anyway.

    And to clear up the misconception of how my process worked.

    You would to modify the one rule... Just like with the other solutions...

    You would have only needed to run a Full Sync on the Oracle MA. This would have deleted the value from the metaverse and flowed the null value to Active Directory.

    Then when you are done, you delete both the flows and you have a clean metaverse...

    Now as a best practice you should run the full import full sync's to clear warning messages.

     

    HTH,

    Joe

     

    Thursday, February 1, 2007 4:26 PM
  • Joe,

     

    if your first concern would be a concern, you would actually have a bigger problem – a miss configured environment.

    As soon as you have an EAF rule for an attribute configured, there should be at least one IAF rule to this attribute.

    Until a better source for the attribute has been identified, AD could be made authoritative for it.

    If the ADMA doesn’t have an IAF flow rule for this attribute yet, you can implement this without the need of changing the code of a rules extension. In this case, the changes from AD – the updated attribute – would overwrite the false value in the metaverse.

    There is no need for a full import to pickup these changes.

    In case of the second approach, there is no need to change a value in a table. A view is a virtualized table and you can modify a view to return a specific value for a field.

    Either way, it is true that this constellation requires some changes.

    However, according to the feedback we have from our customers, one guiding principle should be to avoid changes to the rules extensions if possible for the reasons I have mentioned - which makes sense to me.  

    We have many customers without a dedicated developer resource and your suggestion would require them to hire someone, which would be for the current scenario inacceptable.

     

     

    Cheers,

    Markus

     

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

    Thursday, February 1, 2007 8:19 PM
    Moderator
  • Your not understanding Markus.

    This is how the flow is setup...

    Oracle                                                    MV                                                                           Active Directory

    TITLE    direct import flow =>             titile               direct export flow(Allow Nulls) =>              title

    He wants to clear out the Active Directory "title" attribute.

    By Removing the the import flow in the Oracle MA, it would leave the already present Metaverse attribute value in the metaverse.

    Now when you change it in Active Directory and run your delta import it will update the title attribute for everybody in Active Directory.

    That's fine, but if you keep the direct export flow rule when you run a full sync, you will end up updating the title attribute with the value that is in the metaverse.

    All you have to do is remove the "direct export flow rule" and you would be fine........

    I understand that you want to find an approach without coding...It definitely makes sense.... I just wouldn't knock something that could be done with code....

    Now since you are saying that my envioronment is misconfigured.. Explain it to me what is misconfigured... Have you tried this scenario in a dev environment?

    or maybe a "laptop" environment...

    HTH,

     

    Joe

    Thursday, February 1, 2007 8:52 PM
  • I have come across this exact same problem - Using OracleMA and the Title attribute.  I have written a little piece of code that will delete the value from the metaverse for any attribute.  The metaverse attribute that will be deleted is the one selected in the import attribute flow.  I have found this to be handy when we get some data in the MV that needs to be cleared out.  Now this is not exactly the most efficient code to run – but when you need to only run it once – it will work.

     

    void IMASynchronization.MapAttributesForImport( string FlowRuleName, CSEntry csentry, MVEntry mventry)

            {

     

                switch (FlowRuleName)

                      {

                    case "NullMetaverseAttribute":

                        mventry[FindSelectedAttrib(mventry)].Delete();

                        break;

                      }

            }

     

    public static string FindSelectedAttrib(MVEntry mventry)

    //We don’t know which metavere object to delete.

    //Loop through each one and determine which is

    //writeable and return the name.

            {

                string temp = "";

     

                foreach (string name in mventry)

                {

                    try

                    {

                        mventry[name].Value = mventry[name].Value;

                        temp = name;

                        break;

                    }

                    catch

                    {

                        //Didn't work Try Another.

                    }

                }

                return temp;

            }

    Thursday, May 31, 2007 4:25 PM
  • A common problem I have, is getting what I call "Bogus" data from various sources who have poor controls on their data.  It's not identified as a bogus until it's discovered, but by that time it's already in the Metaverse object.  You can use rules to filter it out from coming, but existing values seem to persist.

     

    One way I have used this is simply like this as an example of an IAF rule for "mail":

     

    if (csentry["mail"].IsPresent && Custom.MIIS.Text.TextFormatTool.isBogusData(csentry["mail"].Value.ToString()) == false)

    {

           mventry["mail"].Value = csentry["mail"].Value.ToLower().Trim();

    }

    else if(mventry["mail"].IsPresent && mventry["mail"].LastContributingMA.Name.Equals(csentry.MA.Name))

    {

      // it's not a good value, so if it made it into the MV, let's remove it

    mventry["mail"].Delete();

    }

     

    Basically if this MA contributed the value to the MV object, but it is no longer on the CSentry,  delete that value from the MA.   There are other wrappers to try to insure that the csentry that contributed the MVentry value is the same, but if it is,  this rule above will fire off.

     

    So if a new piece of data is added to the "isBogusData" list that returns TRUE, and it is found in the MV,  this will cause it to be deleted.

     

    The same holds true, if you had the attribute defined in a rule, and removed the rule, leaving the value to linger.  if the MA was listed as the last contributed, but was no longer part of the CSentry, it would be deleted.

     

    Jef Kazimer

     

     

    Friday, June 1, 2007 4:56 AM