External Attribute Lookup

  • Question

  • Hi all,

    Apologies if this is a silly question but I am quite new to FIM.  The use case I have is as follows.

    I have data flowing into FIM from a file-based MA.  When a user falls into the set "All Employees" for example, they automatically get provisioned to Active Directory.  This I have working today but what I need to do is to enhance this.  A user will have a department ID, the user needs to be provisioned into the corresponding OU which is named after the department (i.e. Dept ID = 1, OU=Department 1; Dept ID=2, OU=Department 2).  In FIM what would be considered the best practice in this situation?

    In previous IDM systems I have made a dynamic lookup to an external database table - how would I go about such a thing in FIM?

    Thanks a lot for any help.

    Monday, November 25, 2013 12:39 PM

All replies

  • As I understand (or I assume) you are using synchronization rules for provisioning. Few options here then:

    1. Use an additional activity in your workflow to select the OU for a user based on the department value and put it in workflow data. Then use this workflow data attribute as a parameter to your synchronization rule. To avoid writing your own custom activity here you can use a PowerShell activity, which will allow you to easily query some external data source for mapping values.

    2. In the past I used some custom objects which define that kind of mapping between the value of an attribute and some lookup value, and then a set of custom activities to manage these mappings and assignments to users. A bit more complicated but it had a few advantages (keeping everything in FIM as objects, recalculating values when something was changed etc.). This would require a bit more work on FIM (additional objects, activities to manage these assignments etc.).

    3. If you have very few of these values you can put it directly in IIF statement in your synchronization rule. 

    Looking at what you are writing I would recommend option (1) for you. 

    Tomek Onyszko, memberOf Predica FIM Team, IdAM knowledge provider

    Monday, November 25, 2013 1:24 PM
  • If you have only the Department ID in user attributes, you can use a PowerShell activity (as Tomek said):

    1. Write a PS script which reads the user's GUID from workflow data, then reads the user attributes using this GUID (with the Export-FIMConfig utility);
    2. With the DepartmentID attribute, in the script you can select the DN path for the user, according to the Department ID in the user attribute;
    3. Pass the selected DN to the workflow dictionary, for using it in the sync rule.
    4. Then use this script in the installed PowerShell activity, executing it in the workflow before applying the sync rule.

    Here are some ways to store DNs for user provisioning:

    1. Store them in script;
    2. Store them in csv file, loaded by script;
    3. If you want to play in hardcore mode, store each DN for department in object "Department", which you can create in FIM :) In script you need to read department you need from FIM, and use DN from its attribute. More complicated, but you can edit Department DNs from portal.

    • Edited by Pronin V Monday, November 25, 2013 3:07 PM
    Monday, November 25, 2013 3:05 PM
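
The lookup step from the reply above (department ID to DN, with the DNs kept in a CSV), as an added PowerShell example that is not code from the thread or from any of the posters. The column names, the contoso DNs, both function names and the numeric-only department ID are assumptions; reading the user from FIM and writing the result to the workflow dictionary are left out because they depend on the PowerShell activity in use.

```powershell
# Constructed sample mapping; in production this would be a file read with Import-Csv.
$mappingCsv = @'
DepartmentID,OU
1,"OU=Department 1,DC=contoso,DC=com"
2,"OU=Department 2,DC=contoso,DC=com"
'@

function ConvertTo-EscapedRdnValue {
    # Hypothetical helper: escape RFC 4514 special characters so a name such as
    # "Doe, Jane" cannot add or alter components of the resulting DN.
    param([Parameter(Mandatory=$true)][string]$Value)
    $escaped = $Value -replace '([\\,+"<>;])', '\$1'   # specials anywhere in the value
    $escaped = $escaped -replace '^([ #])', '\$1'      # leading space or '#'
    $escaped = $escaped -replace ' \z', '\ '           # trailing space
    return $escaped
}

function Resolve-DepartmentDn {
    # Hypothetical function: map a department ID to the DN used for provisioning.
    param(
        [Parameter(Mandatory=$true)][string]$DepartmentId,
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [Parameter(Mandatory=$true)][object[]]$Mapping
    )
    # Assumption: department IDs are numeric. Anything else is rejected, not looked up.
    if ($DepartmentId -notmatch '^[0-9]{1,9}\z') {
        throw "Invalid department ID: '$DepartmentId'"
    }
    $rows = @($Mapping | Where-Object { $_.DepartmentID -eq $DepartmentId })
    # Fail closed: no default OU when the ID is unmapped or mapped more than once.
    if ($rows.Count -ne 1) {
        throw "Expected exactly one OU for department '$DepartmentId', found $($rows.Count)"
    }
    return 'CN={0},{1}' -f (ConvertTo-EscapedRdnValue -Value $DisplayName), $rows[0].OU
}

$mapping = $mappingCsv | ConvertFrom-Csv
Resolve-DepartmentDn -DepartmentId '2' -DisplayName 'Doe, Jane' -Mapping $mapping
```

Throwing on an unmapped or duplicated department ID stops the workflow step instead of provisioning the account into a fallback container.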
  • I tend to keep an extra attribute on the users and populate that attribute with the value from a lookup in other attributes (a list of departments / OUs) using my LookupValue workflow, kinda like Tomek Onyszko suggests.

    After this you can just do direct flow (I guess)

    Regards, Soren Granfeldt

    Monday, November 25, 2013 7:43 PM
  • Thanks for all the replies guys.  Very helpful.

    I was expecting something like a call-out in a workflow as this is what I have used in other IdM tools.  Are there any tutorials people can recommend for looking at such call-outs?

    Wednesday, November 27, 2013 8:22 AM