none
Skipped: No Precedence issue on export to AD from FIM MA RRS feed

  • Question

  • Hi,

    I have an unexpected behaviour when changing an attribute in the AD, getting Skipped: No Precedence reported for the attribute that is changed.  Some background:

    I am running FIM 2010 R2 SP1.  The attribute in question is the email address.  The scenario is that when an employee leaves the company, we move the user to a different OU in the AD, disables the account, hide the user from the address book and changes the email address by adding a 0 in front to prevent email from been delivered to the user while in the exit OU in AD, we also change the proxy address to be the same.  This is done from the FIM portal with a sync rule modifying the attributes in the AD CS.  I have precedence defined in the MV for the AD on the email address and proxy address and another MA, not the FIM MA, the FIM MA is not contributing any of these attributes to the MV.

    Interestingly the proxy address is modified but not the email address giving the Skipped: No Precedence message on the email attribute.

    Is this expected, if so why does the proxy address gets updated but not the mail attribute?

    Any help is appreciated

    Thanks

    Johan Marais


    JkM6228

    Thursday, November 14, 2013 8:00 AM

Answers

  • ProxyAddress is multivalue attribute, email is single value so it works differently in case of equal precedence:

    "When you want to disable attribute precedence for a particular attribute, you can also configure an attribute to use equal precedence. Equal precedence is available for all types of attribute flows. For example, if you have multiple management agents that all must contribute values to a multi-value attribute in the metaverse, attribute precedence would, by default, force one of the management agents to have precedence and the others would be unable to update the attribute. By configuring the attribute to use equal precedence, the sync engine will accumulate the values from all the management agents and write them all to the multi-value attribute.  In the case of single-value attributes, the sync engine will propagate the value from the most recently synchronized management agent and write it to the single-value attribute.  The sync engine will allow the last synchronized management agent with a pending import to populate the metaverse attribute." (taken from: http://technet.microsoft.com/en-us/library/jj572803(v=ws.10).aspx)

    Regards

    Borys

    • Marked as answer by Johan Marais Friday, November 15, 2013 6:13 AM
    Thursday, November 14, 2013 3:25 PM

All replies

  • Hi,

    Do you have any import flow on the email attribute (from AD)?

    How is precedence set (in MV design) on this attribute?

    Thursday, November 14, 2013 9:23 AM
  • BorysM,

    Thanks for the reply.  Yes, the mail attribute from AD is flown into the MV form where it flows to FIM and another directory, this is also the same for the proxy address.  The FIM MA doesn't flow any of these to the MV.

    Precedence is set between the AD MA and the other MA which can also contribute to the MV with AD as number 1.

    When a user leaves the company, I change the mail address and proxy address directly in the AD CS with a SR which is similar to the following custom expression:

    IIF(Eq(tkmSaEmail,"No Mail"),"No Mail",IIF(Eq(Left(tkmSaEmail,1),"0"),tkmSaEmail,"0"+tkmSaEmail))=>mail attribute in AD CS.

    As indicated above, the proxy address has the exact same precedence than the mail attribute, but it doesn't give this error, it is updated. 

    Thanks

    Johan


    JkM6228

    Thursday, November 14, 2013 9:41 AM
  • Hi, 

    Export flows are also subject of precedence calculation - you can read it here: http://technet.microsoft.com/en-us/library/jj572803(v=ws.10).aspx

    Usually this means that same attribute is imported and exported through the same agent and FIM can't resolve this and decide if it should update this attribute or not. Simple solution might be to use separate attribute for importing the value and as a source for exporting value. 


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Thursday, November 14, 2013 11:14 AM
  • Tomasz,

    Question then, why doesn't the proxy address also experience this problem when changing the value through the same SR?  The precedence for proxy address is exactly the same as for the mail attribute, this is what is confusing and not consistent.

    Thanks

    Johan


    JkM6228

    Thursday, November 14, 2013 11:52 AM
  • Tomasz,

    Further to this, the FIM MA doesn't flow the email or the proxy address to the MV, hence I can't configure precedence on FIM MA. But the email and proxy address can be updated by another system we use to allow users to select a custom email alias.  Precedence is defined between the AD and this other system.

    When a user leaves the company, I modify the mail and proxy address with a SR from the FIM portal, if I use equal precedence in the MV for mail and proxy address will this allow the SR to then update the mail value in AD ?

    Regards

    Johan


    JkM6228

    Thursday, November 14, 2013 12:08 PM
  • ProxyAddress is multivalue attribute, email is single value so it works differently in case of equal precedence:

    "When you want to disable attribute precedence for a particular attribute, you can also configure an attribute to use equal precedence. Equal precedence is available for all types of attribute flows. For example, if you have multiple management agents that all must contribute values to a multi-value attribute in the metaverse, attribute precedence would, by default, force one of the management agents to have precedence and the others would be unable to update the attribute. By configuring the attribute to use equal precedence, the sync engine will accumulate the values from all the management agents and write them all to the multi-value attribute.  In the case of single-value attributes, the sync engine will propagate the value from the most recently synchronized management agent and write it to the single-value attribute.  The sync engine will allow the last synchronized management agent with a pending import to populate the metaverse attribute." (taken from: http://technet.microsoft.com/en-us/library/jj572803(v=ws.10).aspx)

    Regards

    Borys

    • Marked as answer by Johan Marais Friday, November 15, 2013 6:13 AM
    Thursday, November 14, 2013 3:25 PM
  • Borys,

    I have configured equal precedence on the mail and the proxy address, it is working for me now and the mail address is updated in the AD.  Only problem now is that the change is not flown back to the MV with subsequent DI on AD because I write the value directly to the CS of the AD.

    I have a bi-weekly schedule for FI and FS on all MAs due to the number of objects in the MV.  But to have it work properly, I will change my SR to rather update the value in the MV and flow that to the AD.

    Thanks to everybody who contributed in solving this.

    Regards

    Johan


    JkM6228

    Friday, November 15, 2013 6:13 AM