Default Disconnect accounts reprovisioned

  • Question

  • Hi,

    I know this might sound like a noobie question, but when I Disconnect (Default) an object, why does FIM reprovision the account?

    Should I use an explicit disconnect?

    After a time we need to rejoin the account, but it only looks at the newly provisioned account and never picks up the old account.

    Monday, December 12, 2016 10:39 AM

Answers

  • Two things: 1. Set the HR MA to an explicit disconnector so that it won't attempt to re-provision and 2. make sure you have a join rule on your HR MA so that it can rejoin once you change the explicit disconnector to a normal disconnector.  

    The HR MA needs a join rule so that it can tie together that unique HR connector space object with that unique MV object.  You need that HR object to join to the existing MV object which is in turn connected to what I would expect to be the AD object.  If the join rule isn't there on the HR MA or there's not data on the MV object for it to join back to the HR object, the sync engine will think it needs to create a NEW MV object which in turn would trigger provisioning of a new AD object or whatever target systems you have.

    Also note that you want to keep out of the explicit join business and let the system re-join automatically.  The reason for this is that once you create an explicit join, those objects do not have to follow current or future connector filter rules.

    Hope that helps.

    Best,

    Jeff Ingalls

    • Marked as answer by Killer47x Monday, December 19, 2016 6:35 AM
    Thursday, December 15, 2016 4:24 AM
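
The behaviour described in the accepted answer, as a simplified Python model added here (not part of the original thread, and not FIM code or its API). All class, function and attribute names and the sample data are constructed, and the model assumes the existing MV object is still present and connected to the old AD account.

```python
# Simplified model of inbound sync for one disconnected HR connector-space object.
# Every name below is hypothetical; this is not the FIM API.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class MVObject:
    attrs: dict
    ad_accounts: list = field(default_factory=list)  # provisioned AD connectors

@dataclass
class HRObject:
    attrs: dict
    explicit_disconnector: bool = False
    joined_to: Optional[MVObject] = None

def sync_hr_object(hr, metaverse, join_attr):
    """Return 'skipped', 'joined' or 'projected' for a disconnected HR object."""
    if hr.explicit_disconnector:
        return "skipped"                  # left alone: no join, no projection
    if join_attr is not None:             # a join rule exists on the HR MA
        key = hr.attrs.get(join_attr)
        matches = [mv for mv in metaverse
                   if key is not None and mv.attrs.get(join_attr) == key]
        if len(matches) == 1:             # unique match: re-join existing MV object
            hr.joined_to = matches[0]
            return "joined"
    # No join rule, or no matching data on the MV object: a NEW MV object is
    # created, which triggers provisioning of a NEW AD account (the duplicate).
    new_mv = MVObject(attrs=dict(hr.attrs))
    new_mv.ad_accounts.append(f"AD:{hr.attrs['accountName']}-new")
    metaverse.append(new_mv)
    hr.joined_to = new_mv
    return "projected"

def scenario(explicit, join_attr):
    """Constructed data: one MV object still connected to the old AD account."""
    old_mv = MVObject({"employeeID": "E1001", "accountName": "jdoe"}, ["AD:jdoe"])
    metaverse = [old_mv]
    hr = HRObject({"employeeID": "E1001", "accountName": "jdoe"},
                  explicit_disconnector=explicit)
    outcome = sync_hr_object(hr, metaverse, join_attr)
    total_accounts = sum(len(mv.ad_accounts) for mv in metaverse)
    return outcome, total_accounts, hr.joined_to is old_mv

if __name__ == "__main__":
    print(scenario(explicit=True, join_attr=None))           # explicit disconnector
    print(scenario(explicit=False, join_attr="employeeID"))  # default + join rule
    print(scenario(explicit=False, join_attr=None))          # default, no join rule
```

Each tuple is the outcome, the total number of AD accounts afterwards, and whether the HR object ended up on the original MV object.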

All replies

  • Hello Werner,

    Can you provide the below information to better understand your situation:

    1. Are you using Sync Rules in the Portal or code in the Sync Engine for provisioning accounts?

    2. Are you manually disconnecting these accounts or do you have some logic that is disconnecting accounts?

    Thanks.

    Monday, December 12, 2016 8:14 PM
  • Hi,

    1. We are using Sync Rules in the Portal.

    2. I am manually disconnecting the objects in the Lineage tab and then disconnecting the HR Database Management Agent; it's always a per-case scenario.

    Tuesday, December 13, 2016 6:05 AM