Update a value used by join logic --> how to automatically update joins ?

  • Question

  • Hi everyone,

    I'm facing a problem that I've never encountered before.
    As explained here: (I'm already the one that commented at the end of the article, to ask for help/advice), when an attribute used by join logic is updated, FIM does not re-evaluate previous joins that have been made.
    Is there a way to make FIM detect that the attribute has been updated, remove the old join and make a new one with the fresh updated value?

    Everything needs to be automatic, so don't tell me to make the object a disconnector and re-sync the agent; the objective is to make this fully automatic.
    I've been trying to do this since this morning and I'm going to run out of ideas soon.

    Any help appreciated.
    Thx everyone.

    Friday, November 13, 2015 4:46 PM

All replies

  • You could create some provisioning code to evaluate the join logic and call Deprovision on the connector if need be. That would require the join logic to be re-evaluated subsequently.


    Consulting | Blog | AD Book

    Friday, November 13, 2015 5:36 PM
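
    The approach suggested in the reply above, sketched as an added example (not code from the thread or from any poster). It assumes a metaverse rules extension, and the MA name and attribute names are hypothetical; the metaverse value is assumed to be fed by an authoritative source other than the connector being checked.

```csharp
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Hypothetical names: replace with the MA and the attributes your join rule uses.
    private const string TargetMA = "Target MA";
    private const string CsJoinAttr = "employeeID";
    private const string MvJoinAttr = "employeeID";

    public void Initialize() { }
    public void Terminate() { }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }

    public void Provision(MVEntry mventry)
    {
        // Nothing to compare against if the authoritative value is missing.
        if (!mventry[MvJoinAttr].IsPresent) return;
        string expected = mventry[MvJoinAttr].Value;

        ConnectedMA ma = mventry.ConnectedMAs[TargetMA];

        // Walk backwards so the loop stays valid if the collection shrinks
        // while connectors are being deprovisioned.
        for (int i = ma.Connectors.Count - 1; i >= 0; i--)
        {
            CSEntry cs = ma.Connectors.ByIndex[i];

            // Re-evaluate the join condition by hand. Case-insensitive
            // comparison is an assumption; match it to your own join rule.
            bool stillMatches = cs[CsJoinAttr].IsPresent &&
                string.Equals(cs[CsJoinAttr].Value, expected,
                              StringComparison.OrdinalIgnoreCase);

            if (!stillMatches)
            {
                // Breaks the stale join; what happens to the object next is
                // decided by the MA's deprovisioning configuration.
                cs.Deprovision();
            }
        }
    }
}
```

    Check the target MA's deprovisioning setting before enabling this: if it is set to stage a delete on the next export, Deprovision() will remove the account from the connected directory instead of only disconnecting it.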
  • Itch,

    I read your blog and I am sorry, but I have to respectfully disagree with this.
    1. You are using AD MA example to generalize on a broader topic. Wrong! Each MA type behaves differently.
    2. You are confusing anchor object with Join Rules.  If you did this in any other MA, but AD MA, it would be different
    3. Let me explain how this works.
    - AD uses GUID as Anchor Object not sAMAccountName or employeeNumber.  AD MA is a special MA.
    - Once the object is joined, the join rules are not relevant anymore.  So it is OK to change the attributes used in join rules. Remember you can manually join 2 objects with no relationship at all, using manual join
    - Unless you change the anchor object, the join will not break
    - In a nutshell - Your misconception is with the fact that you are thinking sAMAccountName is anchor and that is the part that is not true

    So the solution, as Brian stated, is to do a "Join based on rules extensions" which is writing code essentially.

    Nosh Mernacaj, Identity Management Specialist

    Saturday, November 14, 2015 2:42 PM