FIM MA Failed-creation-via-web-services

  • Question

  • Hello,

    I have an SQL MA which is used to create users in the FIM portal; these users are then provisioned to AD via declarative provisioning. Sometimes a user may drop out of the SQL MA and return a few days later. While I have a join rule set to the users' unique IDs (accountName), the SQL MA fails to join the user and I receive a failed-creation-via-web-services error as the FIM MA attempts to create a duplicate user with the same accountName.

    What might I be doing wrong?

    Thanks

    Monday, September 15, 2014 9:24 AM

Answers

  • What is the Object Deletion Rule in Metaverse? It seems that:

    1. A new user appears in SQL (with HR_ID=111).
    2. The user from SQL is created fine in the Metaverse (HR_ID=111 is visible in the Metaverse).
    3. The user is exported to the FIM Portal and other data sources.
    4. The user is dropped from SQL.
    5. After import and synchronization, the user is removed from the Metaverse, or his attributes (at least HR_ID=111) are removed from the Metaverse.
    6. The user is re-created in the database.
    7. After import, FIM gets the HR_ID from the source (111) and looks for an object with HR_ID=111 in the Metaverse, but as step 5 removed it, it cannot be joined: no such object exists in the Metaverse. So a new object is created.
    8. The new object has the same account name as the user created during step 3, so you get the failed-creation error.

    So, even if you have such an object in the FIM Portal, that doesn't mean you have one in the Metaverse, so the join cannot be performed.

    You would have to re-think when to delete the user from the Metaverse.

    Or, if the object is not removed from the Metaverse but only its attributes are removed, add an import flow of the HR_ID attribute from FIMService and make sure you have "Allow Nulls" deselected during export of this attribute. And make sure precedence is higher from SQL than from FIM.



    • Marked as answer by FIM-EN Monday, September 15, 2014 1:25 PM
    Monday, September 15, 2014 12:08 PM
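
The sequence in the answer above, for its second scenario (the Metaverse object survives but the SQL-contributed join attribute is recalled), as an added example that is not part of the original post and not FIM code. SyncModel, run_lifecycle and the account "jdoe" are hypothetical names, and the model joins on accountName as in the question.

```python
# Toy model of the answer's steps 1-8, second scenario: the metaverse object
# survives, but the SQL MA's contributed accountName is recalled. Constructed; not FIM's engine.

class SyncModel:
    def __init__(self, fim_imports_account_name):
        self.fim_imports_account_name = fim_imports_account_name
        self.metaverse = []   # each object: {"connectors": set, "accountName": {ma: value}}
        self.portal = set()   # accountNames that already exist in the FIM Portal

    def _find(self, account_name):
        # Join rule: look for a metaverse object whose accountName matches.
        for obj in self.metaverse:
            if account_name in obj["accountName"].values():
                return obj
        return None

    def sql_appears(self, account_name):
        """Steps 1-3 and 6-8: import from SQL, join or project, export to the portal."""
        obj = self._find(account_name)
        result = "joined"
        if obj is None:
            obj = {"connectors": set(), "accountName": {}}
            self.metaverse.append(obj)
            result = "projected"
        obj["connectors"].add("SQL")
        obj["accountName"]["SQL"] = account_name
        if "FIM" not in obj["connectors"]:
            if account_name in self.portal:
                return result, "failed-creation-via-web-services"
            self.portal.add(account_name)
            obj["connectors"].add("FIM")
            if self.fim_imports_account_name:
                obj["accountName"]["FIM"] = account_name  # import flow from FIMService
        return result, "ok"

    def sql_drops(self, account_name):
        """Steps 4-5: the SQL connector disconnects and its contributed value is recalled."""
        obj = self._find(account_name)
        obj["connectors"].discard("SQL")
        obj["accountName"].pop("SQL", None)

def run_lifecycle(fim_imports_account_name):
    model = SyncModel(fim_imports_account_name)
    first = model.sql_appears("jdoe")   # constructed sample account
    model.sql_drops("jdoe")
    second = model.sql_appears("jdoe")
    return first, second, len(model.metaverse)
```

Without the import flow, the returning user is projected a second time and the export fails; with it, the FIM-contributed value keeps the join attribute populated and the SQL connector rejoins the existing object.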

All replies

  • When you say the user drops from the MA, do you mean it is deleted from the MA's connector space? 

    If you are using an MPR-WF-SR tuple, make sure you have one to remove the Sync rule from the user once he/she drops out of the set.

    Monday, September 15, 2014 11:22 AM
  • Apologies for not being clear there. Users may be removed from the SQL view that FIM consults; when they return I get the failed-creation error.

    I do use the MPR-WF-SR tuple, but ideally the AD connector should still manage the user in AD based on the information it has in the portal, for example, expiry date. So when the user is removed from the SQL view, the FIM portal and AD connectors should carry on as normal and the SQL MA should be disconnected from the MV object. When the user returns to the SQL view, it should reconnect to the MV object. Did that make sense?

    Monday, September 15, 2014 11:30 AM
  • The second scenario you described resolved this. I was not importing the accountName from the FIM portal, joins are now working correctly. Thank you!
    Monday, September 15, 2014 1:25 PM
  • Fantastic explanation! :)
    Monday, September 15, 2014 1:32 PM