ERE & DRE still exist for a user, even though he left the Set

  • Question

  • Hi,

    When a user entered a Set, the relevant ERE and (later) DRE were generated (as expected).

    Subsequently the Set criteria changed, and the user was removed from the Set.

    Why then is the ERE & DRE still associated with the user in the FIM Portal?

    Thank you,

    SK

    Monday, February 23, 2015 3:41 AM

All replies

  • Hello,

    Do you remove users from the scope of the sync rule when they leave the set with a workflow too?

    -Peter 


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Monday, February 23, 2015 8:06 AM
  • No, I don't.

    Are you saying I need a transition-out MPR with a workflow calling the same Sync Rule set to "Remove"? Won't this delete the object from the target system (which is not what I want to do)?

    Monday, February 23, 2015 6:28 PM
  • Hi,

    Yes, that's the MPR and workflow you need.

    Object deletes from the target system depend on your settings: the sync rule, the MV deletion setting and the MA deprovision setting.

    From the sync rule point of view it's safe when you disable this setting:

    If you disable this setting, only the export flows will stop, but since there is no disconnect there will be no delete in MV or MA.

    Also check this article on some more details: https://technet.microsoft.com/en-us/library/hh859718%28v=ws.10%29.aspx

    -Peter


    Monday, February 23, 2015 6:44 PM
  • Thanks Peter, we have created a 'transition out' MPR, a 'remove' Sync Rule Workflows (Enable Deprovisioning unticked), refreshed the Set, and the ERE has now disappeared :)

    However, the DRE still exists for that Sync Rule on that specific user...should it also have been deleted?

    Tuesday, February 24, 2015 1:14 AM
  • Hi,

    This is because the Existence Test is configured in the outbound sync rule but logically evaluated at the end of an inbound sync.

    So since you have a connector to the datasource attribute, the DRE is still evaluated:

    See: https://technet.microsoft.com/en-us/library/ff608269%28v=ws.10%29.aspx

    which states:

    As a result, the actual existence test cannot be applied during the
    outbound synchronization phase. For example, if your outbound
    synchronization rule called Fabrikam Outbound Synchronization Rule that
    you use to manage your Active Directory® resources that have existence
    test flow mappings configured, these flow mappings cannot be evaluated
    when the outbound synchronization rule is applied to a resource.

    In other words, while logically configured in an outbound
    synchronization rule, existence test flow mappings belong technically to
    an inbound operation. In our example, the actual existence test is
    performed during the inbound synchronization phase of a synchronization
    run on the related Active Directory management agent (MA).

    -Peter


    • Marked as answer by Shim Kwan Thursday, March 12, 2015 10:18 PM
    Wednesday, February 25, 2015 3:48 PM
  • Just some addition:

    Before you removed the users from the scope of the outbound sync rule, the attribute with the "existence test" flag was exported to the target system, and on imports the value of that attribute is checked and the DRE is created.

    After removing the users from the scope of the sync rule, this outbound sync rule became an "operational outbound sync rule", so attributes are not exported any more, but the sync engine checks all OSRs regarding a datasource and evaluates only the "existing test" attribute flows to check the attribute value in the target system, which generates the DRE.

    To get the DRE removed, you either need to disconnect the object from the DS or the value of CS and MV must be different (so the existing test attribute DRE will be removed).

    -Peter


    • Marked as answer by Shim Kwan Thursday, March 12, 2015 10:18 PM
    Monday, March 2, 2015 6:59 AM
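
The ERE/DRE lifecycle worked through in this thread, as a small Python model. This is an added example, not FIM code and not something posted by the participants; the field names, function names and the sample values "Active" and "Changed" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    # Hypothetical fields modelling the conditions named in the thread.
    ere: bool = False                    # added/removed only by sync rule workflows
    dre: bool = False                    # recomputed at the end of every inbound sync
    connected: bool = False              # CS object joined to the MV object
    cs_value: Optional[str] = None       # existence-test attribute in the connector space
    mv_value: Optional[str] = "Active"   # constructed sample value in the metaverse


def transition_in(u):
    u.ere = True                         # "add" sync rule workflow


def transition_out(u, remove_workflow):
    if remove_workflow:                  # without the MPR/workflow nothing touches the ERE
        u.ere = False


def export_and_confirm(u):
    if u.ere:                            # export flows only run while the user is in scope
        u.connected, u.cs_value = True, u.mv_value


def inbound_sync(u):
    # Existence test: independent of the ERE and of Set membership.
    u.dre = u.connected and u.cs_value == u.mv_value


def replay():
    u, log = User(), []

    def step(name):
        inbound_sync(u)
        log.append((name, u.ere, u.dre))

    transition_in(u)
    export_and_confirm(u)
    step("entered Set, export confirmed")
    transition_out(u, remove_workflow=False)
    step("left Set, no transition-out MPR")
    transition_out(u, remove_workflow=True)
    step("'remove' workflow ran")
    u.cs_value = "Changed"               # CS and MV now differ
    step("CS value differs from MV")
    return log
```

Calling `replay()` returns one `(step, ERE, DRE)` tuple per stage, which makes it easy to see that only the last step, or a disconnect, clears the DRE.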
  • Thank you Peter
    Thursday, March 12, 2015 10:18 PM