Evaluation order in criteria-based sets? RRS feed

  • Question

  • Is there a well-defined evaluation order for evaluating criteria from one set to another?

    The technet article for best practices for FIM 2010 has a section about modeling custom entitlements with Set Transition MPRs.  It recommends avoiding the same entitlement with different transition sets, and my question has to do with following that best practice.

    I have several criteria-based sets that get various combinations of entitlements, but let me simplify to illustrate my question.  Let's say I have three sets:

    • Set A, based on criteria coming from my HR system.  Set A has a Transition Out MPR with a custom workflow activity that sets a date attribute D some days into the future.
    • Set B is a temporal set based on D.
    • Set E is the set of all users whose "Resource ID is in A" or "Resource ID is in B."  The Transition In and Out MPRs that implement the entitlement are associated with Set E.

    The idea is that when the user enters A, she also enters E and gets the entitlement.  When she leaves A she enters B, remaining in E; and when she leaves B she also leaves E and loses the entitlement.  This all works if the criteria and workflows and such are evaluated in the order A, B then E, or if the criteria for A and B are re-evaluated when it checks to see if the user is in A (or B).  It could fall apart dramatically with a different order of evaluation.

    I am running FIM 2010 R2.  Is FIM smart enough to order the evaluations correctly (or re-evaluate as necessary)?  I think the alternatives are:

    1. Adding the entitlement TMPRs to each of the sets like A and B, going against the recommendations.
    2. Replicating the criteria for A and B into each entitlement set.  Eventually I'll have around a half dozen sets like A or B and a dozen or more entitlement sets, and it will cause a lot of work if the criteria ever are changed.

    Thanks in advance, -Les

    Wednesday, May 29, 2013 4:02 AM

All replies

  • If i am not mistaken every change/action re-evaluates the sets but there is no order which you can set for evaluation

    Need realtime FIM synchronization and advanced reporting? check out the new that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!

    Wednesday, May 29, 2013 6:03 AM
  • Thanks, Paul.

    Can someone else verify what Paul said?  If it's true, then there is a basic flaw in some work that consultants did for us earlier this year that will lead to users getting deprovisioned when they shouldn't.

    Let me ask the more general question: can you safely provision using criteria-based sets where the criteria are set by a workflow in a Set Transition MPR on another set?  If the criteria for B are based on something that happens in a workflow in A and B is evaluated before A, will B ever be re-evaluated if nothing ever changes on the user record again?  If B is a temporal set, then maybe it will get reevaluated the next time the "update temporal sets" job is run, which could be the next day.  If B is not temporal, will it ever get updated again?

    Friday, May 31, 2013 7:41 PM