none
Conditional sync switch with Metaverse attribute RRS feed

  • Question

  • Hi, 

    I currently have the scenario of a 2010 R2 FIM syncing from two AD forest to the metaverse (and then later to AAD, but this part is not relevant here). Objects from both forest sync to the same object in metaverse, i.e. forest A contributes some attribute to the metaverse object an forest B as well. There are also to phases in this scenario:

    • Phase 1: The MV object is completely determined by Forest A, all attributes are sync from forest A. However, a corresponding object in forest B is already joined to the same metaverse object, but no attributes flow from forest B.
    • Phase 2: Some Attribute are synced from forest A and some from forest B.

    The indication whether an object is in phase 1 or 2 is an AD attribute in forest A. If it is set then both forest should contribute to the MV object each writing its attribute set to it. If the indicator attribute in forest a is not set, forest A should sync all its attribute to the metaverse object and not only a susbset. The indicator attribute is also synced to the metaverse.

    One the side of forest A I have a custom flow rule that takes syncs attributes depending on whether the indicator attribute is set in forest A or not and this works fine with any run profile.

    One the side of forest B there is also a custom flow rule. Difficulty is, that the indicator attribute is not in forest B (only in A and the metaverse). Therefore I created a custom flow rule that only syncs from forest B if the indicator attribute for the connected object in the metaverse is set. My actual problem is now that I always need to perform at least a delta import full sync. Otherwise the switch logic does not work. Reason is: In Phase 1 the object in forest B is already joined to the MV object, the flow rule however prohibits the actual writing of data to the metaverse since the indicator attribute is not set in the metaverse. The FIM however "thinks" is has correctly synced data. Now the indicator attribute changes in forest A this triggers the correct sync of data from forest A (delta sync also works as there was a change in forest A in the indicator attribute). The indicator attribute is now also set in the metaverse. In forest B there is no change in any attribute. The management agent for forest B runs in delta import/delta sync mode. As there are no changes in the source as well as in the connector space, the FIM "thinks" that there is nothing to do, although the custom flow rule would now evaluate differently due changed indicator attribute in the metaverse.  However, due to the delta run and no changes in the forest B attributes this rule does not get evaluated (only in Full sync).

    Has anyone an idea how to have the same functionality in these scenarios without the drawback of always performing a full sync with forest B?

    Thanks in advance

    Tuesday, March 14, 2017 11:24 AM

All replies

  • Hello,

    beside the fact I do not understand the purpose of that solution, what about exporting the "indicator flag" to forest B objects ?

    With that you will have the indicator also in forest B

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, March 14, 2017 12:05 PM
  • Hello,

    the purpose is that there is a migration in progress between forest A and B. Forest was initially an account forest also host Exchange and mailboxes. Accounts get migrated to forest B but mailboxes will remain hosted in forest A on the old user object, thus forest becomes in fact an Exchange resource forest. Therefore the solution is less on purpose than due to the circumstances.

    The solution of exporting the indicator attribute to forest B is in my opinion the best solution (no custom flow rule needed, easy filtering by indicator), but currently I want to write back as few data as possible to the forests (as they not administered by me directly). Therefore, i was looking for an alternative solution without writing to forest B. 

    Jan

    Tuesday, March 14, 2017 1:06 PM
  • Hello,

    you can of course consider to use a PowerShell connector to read both Forests from that one PS MA.

    Having that you can put your flow logic into PS and have access to the indicator attribute for both forests.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, March 14, 2017 1:15 PM