FIM user provisioning not quite working

  • Question

  • Hi all

    I've been asked to take a look at a new installation of FIM to give some advice before my client gets a consultant in. There are a few problems, but it seems to me that they are quite close to having this working and we might be able to sort these few things out.

    The design is:

    External AD - will only hold user accounts (10000+).

    FIM (4.1.3114.0) will be used as a portal to create/manage the External AD accounts.

    Internal AD - only used in this context as a source of users for FIM who are allowed to manage the External AD accounts.

    Problem 1: The users from the Internal AD do not get created in FIM. They appear in the Metaverse with attributes: accountName, displayName, domain, email, firstName, lastName, objectSid, and the attribute flow and sync rules are configured as shown below:

    If I do a preview the status for Inbound Synchronization of all the attributes in the sync rule shows as "Applied" but the Connector Updates EAF shows the final value of (deleted) for the DetectedRulesList attribute and the Connector is shown as Deprovisioned - Automatic Deletion.

    Is this something that will be straightforward to fix for a non-FIM guy like me? Any help or advice would be appreciated.

    I'll come back with Problem 2 once I've had another look at it.

    Thanks, Steve

    Thursday, May 30, 2013 12:36 PM

All replies

  • Have you checked that "Create resource in FIM" checkbox in your synchronization rule?
    Thursday, May 30, 2013 1:22 PM
  • Hi

    Yes, just checked and this box is selected and I've confirmed that "Enable Synchronization Rule Provisioning" is also selected in Tools -> Options.

    Thanks, Steve

    Thursday, May 30, 2013 1:30 PM
  • Ok. Is your first picture from FIM MA? Because it seems that you only have flows from FIM Service & Portal to the Metaverse and just dn, MVObjectID and DRL to the FIM Service & Portal.

    You might also find this TechNet article helpful: How Do I Synchronize Users from Active Directory Domain Services to FIM
    Thursday, May 30, 2013 1:39 PM
  • Yes, it is the FIMMA. Are you saying that I need to add export flows for the attributes that are currently only set as import?
    Thursday, May 30, 2013 1:48 PM
  • You need only those attributes that you need in FIM Service & Portal. See that article and the section "configuring Fabrikam FIMMA".
    Thursday, May 30, 2013 1:55 PM
  • Thanks! That is at least showing all the attributes as "Applied" for both the Inbound Sync and EAF when I run a preview. I don't see a user created in FIM though. I'll look through that document and see if everything else matches up.

    Thanks, Steve

    Thursday, May 30, 2013 2:33 PM
  • So your goal is to provision a subset of users from internal AD out to external AD?

    - Ross Currie

    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Thursday, May 30, 2013 7:44 PM
  • Hi

    The goal is to provision a subset of users into FIM (like helpdesk staff) who will use FIM as a portal for user management in the External AD.

    Thanks, Steve

    Friday, May 31, 2013 6:46 AM
  • Right, well the first thing you need to know is that "FIM" is a product suite.

    So you seem to want to do this:

    - Bring a subset of users from Internal AD into the FIM Synchronization Service Metaverse

    - Have that subset of users be provisioned to the FIM Portal

    - Within the FIM Portal, these users have rights to create "external users"

    - "external users" then flow from the FIM Portal into the FIM Sync Service Metaverse

    - "external users" are then provisioned from the FIM Metaverse into External AD

    If that's right, then you need the following:

    - An inbound Synchronization Rule (configured in the FIM Portal) on the Internal AD with "create this resource in FIM" enabled

    - An export attribute flow on the FIM MA (configured in the FIM Sync Service) for the Internal AD user's attributes (provisioning occurs automatically if there is a flow)

    - Policies configured within the FIM Portal (configured in the FIM Sync Service) to enable Internal AD users to create External Users

    - An import attribute flow on the FIM MA to bring External Users back into the FIM Metaverse

    - An outbound Synchronization Rule (configured in the FIM Portal) on the External AD to create the users in External AD.

    Hope that helps.

    Drop me a line when you're ready to look for a consultant - I may be able to point you to someone local.

    - Ross Currie

    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Friday, May 31, 2013 7:03 AM
  • Thanks Ross - that seems like an acceptable plan to me.

    Due to a change in project priorities, I've been asked to do a domain migration before FIM will be implemented (new internal AD), so I'm going to mark this as answered as the advice provided looks solid.

    Cheers, Steve

    Friday, May 31, 2013 8:03 AM
  • No problem - don't forget, you can always use FIM to do your domain migration!

    - Ross

    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Friday, May 31, 2013 8:07 AM