MIM 2016 - AD and FIM Service - Declarative - Run Profile Order Advice

  • Question

  • Hello,

    So here is the setup

    Only the AD and FIM MA are configured

    FIM Portal Declarative Import rule from AD to FIM - with all the standard attributes including phone, mobile, office
    FIM Portal Declarative Output rule from FIM to AD - with only phone, mobile, office

    FIM MA configured with Import and Export attribute flows for phone, mobile, office
    Export only for everything else

    Equal precedence configured on phone, mobile and office in FIM Sync

    Users will be created in AD outside of FIM

    Users need to update their phone, mobile, office using the FIM Portal

    What should my run sequence be?

    After the initial Full Import loads I can't find an order that will get Delta Import/Delta Sync run profiles to reliably flow changes from the FIM Portal to AD

    Ideally I want to capture everything from AD, provision to FIM Portal and then if there are changes in FIM Portal feed these back to AD. If either phone, mobile or office are updated in AD I am happy for the change to be lost... it should be done through the FIM Portal

    Friday, April 1, 2016 3:27 PM

Answers

  • Hi,

    if the attribute values of mobile, office and phone should be overwritten in AD by the values of the FIM Portal, you cannot use equal precedence on those attributes.

    I assume you use equal precedence because of the first flow of AD accounts to FIM, and they already have those attributes populated in AD on create, right?

    So the best way is to disable equal precedence (which I only use if an attribute must be modified on both sides) and use an additional attribute, let's say "phone_initial", and flow that to the MV and portal.

    On user create, copy over those attributes to "phone" with a workflow (function evaluator) triggered by an MPR (request based, create resource operation).

    Or

    You can use a rules extension and do manual precedence within the DLL

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com


    • Edited by Peter_Stapf Friday, April 1, 2016 4:20 PM
    • Marked as answer by mtwelve Friday, April 1, 2016 6:43 PM
    Friday, April 1, 2016 4:19 PM
  • With only the profiles in the correct order you can never be sure not to overwrite data you don't want; one mistaken sync and you may propagate wrong values.

    In equal precedence last write wins, but writer in this case means Sync/Export. I would not do that.

    The solution with that MPR/Workflow is completely codeless but will result in having 2 attributes for each attribute needed, the "real" one and the initial. But it's much safer, and modification of attributes in AD will not get into the portal.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by mtwelve Friday, April 1, 2016 6:43 PM
    Friday, April 1, 2016 6:13 PM

All replies

  • Thanks for the answer Peter

    Yes I used equal precedence in an effort to allow the initial values (in AD) for the three 'user editable' fields to be fed in to FIM. The idea was that if I got the run profiles in the correct order then the FIM Portal value would always be processed last and then exported to AD

    Your highlighting of Equal Precedence potentially causing the issue would explain how I can get the values to the connector space with Delta Import / Delta Sync but then only with a Full Import / Full Sync get a pending Export to AD. Is this roughly what's happening?

    I'll have a look at the MPR/Workflow combo (have to keep it completely codeless) or I may just have our team who create accounts switch to FIM to provide the initial values for phone, mobile and location

    Friday, April 1, 2016 6:04 PM
  • Thanks again for confirming

    I'll finish the configuration aiming for the phone etc to be entered in the FIM Portal once the account has been created and imported... in theory if the day to day run profile doesn't take too long to complete the team won't have to wait too long to complete the account creation as I can run it a couple of times per day

    If not then I can always extend FIM with your suggested MPR/WF combo; very neat solution!
    Really makes you think about what else I could solve without any code

    Friday, April 1, 2016 6:43 PM
  • If I turn off Equal Precedence, leave FIM Service as the top MA for import flow precedence, leave the FIM MA Attribute Flow page with both an Import and Export flow I figured that a Delta Import / Delta Sync on the AD MA will cause a provision on the next export of the FIM MA that would include the values in AD as there were no previous values available... it didn't. The user appeared in the FIM Portal with no phone numbers... equally when I then added some values in at the FIM Portal and ran both MAs through a DI/DS and an Export neither caused the AD MA to have a pending Update... Am I missing something in my configuration or is this how you'd expect it to behave?

    Is part of the issue because I have Import and Export flows configured on the Attribute Flow for the FIM MA...?

    My current run profile order is:

    • AD MA Export
    • AD MA Delta Import
    • AD MA Delta Sync
    • FIM MA Export
    • FIM MA Delta Import
    • FIM MA Delta Sync
    • AD MA Export

    • Edited by mtwelve Friday, April 1, 2016 7:03 PM
    Friday, April 1, 2016 7:02 PM
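
The run profile sequence listed in the post above, as an added example that is not from any participant in this thread: a Windows PowerShell script that runs each step through the Synchronization Service WMI provider and stops at the first step that does not finish cleanly, so a failed import is never followed by a sync and an export. The management agent names and run profile names are assumptions; replace them with the names shown in your Synchronization Service Manager.

```powershell
# Added example, not from the thread. Run on the MIM Synchronization Service host.
# Assumptions: MA names 'AD MA' / 'FIM MA' and the run profile names below.
$ErrorActionPreference = 'Stop'
$namespace = 'root\MicrosoftIdentityIntegrationServer'

# Sequence exactly as listed in the post (final AD export picks up portal changes).
$sequence = @(
    @{ MA = 'AD MA';  Profile = 'Export' },
    @{ MA = 'AD MA';  Profile = 'Delta Import' },
    @{ MA = 'AD MA';  Profile = 'Delta Sync' },
    @{ MA = 'FIM MA'; Profile = 'Export' },
    @{ MA = 'FIM MA'; Profile = 'Delta Import' },
    @{ MA = 'FIM MA'; Profile = 'Delta Sync' },
    @{ MA = 'AD MA';  Profile = 'Export' }
)

# Run results that are treated as safe to continue from.
# Anything else (warnings, errors, stopped runs) halts the sequence for review.
$okResults = @('success', 'completed-no-objects')

foreach ($step in $sequence) {
    $filter = "Name='{0}'" -f $step.MA
    $ma = Get-WmiObject -Namespace $namespace -Class MIIS_ManagementAgent -Filter $filter
    if (-not $ma) {
        throw "Management agent '$($step.MA)' not found"
    }

    # Execute() blocks until the run profile finishes and returns its status string.
    $result = $ma.Execute($step.Profile).ReturnValue
    Write-Output ("{0:u}  {1} / {2}: {3}" -f (Get-Date), $step.MA, $step.Profile, $result)

    if ($okResults -notcontains $result) {
        throw "Stopping after '$($step.MA)' / '$($step.Profile)': result was '$result'"
    }
}
```
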
  • Hello,

    I've followed your advice and sorted out the Run Profiles.... everything is great but I'm getting an "exported-change-not-reimported" error on the _Initial attributes..... any ideas why or how to solve it?

    Sam

    Friday, April 15, 2016 3:18 PM