none
Flowing Group Membership Attribute from SQL MA to Metaverse - 'not precedent' error RRS feed

  • Question

  • I am trying to create AD groups and populate their membership attribute via FIM using a SQL MA as the account name and member attribute source.

    Server: Windows 2k8 R2
    FIM: Identity Manager 2010 R2 Version 4.1.3114.0

    So far I have:

    1. Created an MA (called MA_Synergetic GrpList) to create the AD group via a sync rule in the FIM portal. This works successfully and I have flowed these groups out to AD via the FIM portal.
    2. Created an MA (called MA_Synergetic Grp Populate) to populate the groups created by the previous MA. I followed an article (Link:www.css-security.com/blog/fim-multivalued-attribute-tables-2) on multvalue attribute tables  and have succesfully populated the connector space of the MA with the groups and users. Each group shows as having members when I search the connector space.
    3. I created Join and Projection Rules and attribute flow rules in the MA, as per the article, and run a full sync
    4. Unfortunately, apart from an initial join where the groups from the second MA connect with the pre-existing groups, I am unable to flow members into the metaverse and therefore AD.
    5. When searching the metaverse and viewing a group object in the metaverse it shows the membership attribute as not visible, or not populated. The indication from the preview results is that the membership attribute is 'Skipped: Not precedent"

    I have checked the following with no luck.

    • Metaverse Designer | Group | Member | Attribute flow - the MA_Synergetic Grp Populate MA is at the top of the list
    • I tried achieving the same outcome via a sync rule and MPR - with the same result
    • I tried using 'equal precendence'

    Note: I have successfully creating FIM portal sourced groups and flowing them to AD okay

    Help. What am I missing?

    thanks
    Michael

    Friday, March 1, 2013 11:44 AM

Answers

  • Michael,

    If I understand you correctly, you're using 2 management agents to connect to one target. I see no need for this in your scenario and would recommend to consolidate these into one management agent.

    Please read this paragraph from the FIM 2010 R2 course book, which explains some important characteristics of precedence and its effects during export attribute flow:

    Precedence Issues
    If the value of an attribute in the MV comes from an MA with a lower precedence than this MA (with the export flow), the export will not be processed. No statistics are displayed to indicate this (you can use preview to examine the synchronization process in detail; if precedence is preventing export, you will see the message Skipped – Not Precedent in preview).
    If you have an import attribute flow from a source, and you wish also to have an export attribute flow (unusual, but not unheard of), then even if that import is the only one for the MV attribute concerned, the export flow will not flow against it unless you select equal precedence for that attribute (in the metaverse designer).

    Your solution will probably be to only have an import flow on the 'member' attribute from the FIMMA and one export flow to the 'member' attribute in your Active Directory management agent.

    Please let me know if this helps you.


    Best regards,
    Pieter.


    Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/

    Friday, March 1, 2013 12:39 PM

All replies

  • Michael,

    If I understand you correctly, you're using 2 management agents to connect to one target. I see no need for this in your scenario and would recommend to consolidate these into one management agent.

    Please read this paragraph from the FIM 2010 R2 course book, which explains some important characteristics of precedence and its effects during export attribute flow:

    Precedence Issues
    If the value of an attribute in the MV comes from an MA with a lower precedence than this MA (with the export flow), the export will not be processed. No statistics are displayed to indicate this (you can use preview to examine the synchronization process in detail; if precedence is preventing export, you will see the message Skipped – Not Precedent in preview).
    If you have an import attribute flow from a source, and you wish also to have an export attribute flow (unusual, but not unheard of), then even if that import is the only one for the MV attribute concerned, the export flow will not flow against it unless you select equal precedence for that attribute (in the metaverse designer).

    Your solution will probably be to only have an import flow on the 'member' attribute from the FIMMA and one export flow to the 'member' attribute in your Active Directory management agent.

    Please let me know if this helps you.


    Best regards,
    Pieter.


    Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/

    Friday, March 1, 2013 12:39 PM
  • Hi Pieter,

    Thanks for your sugestion. I will re-engineer some queries when I get back to work tomorrow and see how consolidating the MAs works.

    Thanks
    Michael

    Sunday, March 3, 2013 9:13 AM
  • Micheal,

    Did you ever figure this out?  To me, it looks like the proposed answer has nothing to do with the import of group memberships into the MV.  I have basically the same issue, but I am running this under one MA.  The CS populates, but the MV doesn't.

    Greg

    Monday, March 24, 2014 8:00 PM