none
OU management in FIM - anything new to container rename issue? RRS feed

  • General discussion

  • Hi,

    as you might remember from MIIS you can't rename a container object / organizational unit. The only solution was to create a new connector and disconnect an old one. and them move all objects to the new OU.

    Question: as FIM can do hierarchical provisioning now and automatically create new OUs for user/group objects provisioning - what will happen with old OUs no longer is use?

    Scenario 1: user DN is set to  DisplayName + Department + restofDN. once we have a new department FIM will provision proper OU and move user object (change DN) to the new OU. its ok.

    How to handle empty OUs to delete them?

    Scenario 2: for some reasons I need to rename OU contaning some groups during Sync run. Any ideas how to do this? create new OU, find all objects inside old OU and change their DNs to the new one, deprovision old OU?

    tried to move groups to the new OU during Provisioning for OU object using utils.findMVEntries - got an error that connectors are read only. Sure I can turn of OUs provisioning and leave OU management to FIM - it will solve most of problems, but there will be to many empty OUs which are not in used...

     

    I don't think there's anything new for this issue, but in a case there is - I have to ask this again :) 

    Tuesday, June 22, 2010 2:51 PM

All replies

  • Markus just reminded me that its not an issue anymore.

    I found a workaround for OUs renaming with MIIS/ILM/FIM/whatever....

    but it will work with FIM sync engine only, not with MIIS/ILM.

    imagine this: you need to provision FIM portal objects called 'roles' to AD under 1 specific OU. But you have so many roles, so finally you want to group roles by OU related to roles parent object (application).

    you need to dynamically create OUs under that 1 specific OU and if a parent application was renamed you need do cascading updates to all roles and change their DNs...

    sounds easy with FIM and custom WF activities that is started by MPR watching for application name change.

    once application is renamed and all roles have pending exports to change their DNs you have to somehow rename application OU holding these roles.

    it wasn't an easy thing for MIIS but for FIM sync engine you can turn on automatic OU creation in AD MA and you will get new OU automatically.

    Great! but how do I remove an old OU which is empty now?

    and here's an old school and MV provisioning rules extension come in. Setting deprovisioning rule to delete objects in AD MA and this small code will remove all empty OUs under OU=Business Applications (plus some join rules, "UPN" attribute value to be linked to ADDN value and so on...)

     

     If mventry.ObjectType.Equals("organizationalUnit") Then
      numADConnectors = ADMA.Connectors.Count
      numWSS_ServicesConnectors = ITReqMA.Connectors.Count
      numFIMConnectors = FIMMA.Connectors.Count
    
      If 0 = numFIMConnectors And _
      mventry("UPN").IsPresent Then
      If mventry("UPN").StringValue.Contains("Business Applications") = True Then
       ITReqMA.Connectors.DeprovisionAll()
       ADRolesMA.Connectors.DeprovisionAll()
      End If
      Else

     

    the key idea here is that every OU with proper name under "Business Applications" has to be linked to FIM "applications" objects.

     

    I don't know whether its easy to understand or am I explaning it good enought, but OUs renaming is not an issue anymore.

     

    ps. sure you can rename an empty OU with FIM/MIIS, but you can't if it has child objects. So you have to create new OU and delete an old one.

    Saturday, December 25, 2010 7:37 PM