AD group membership: sync rules vs. MA attribute flows?

  • Question

  • Ran across a curious behavior, and I'm wondering if I'm doing something wrong?

    The initial configuration (from a consultant) came with an AD MA with a single outbound attribute flow "member => member" for groups. (Member does not flow in from AD, either.) There is also an outbound sync rule with a small number of persistent flows, including "member => member". The sync rule basically works because I can create a group in the portal and the AD MA will create a corresponding group. Further, if I change something with another tool (say, change a group's displayName via PowerShell), FIM picks up on that and changes it back using the outbound sync rule.

    A synchronization preview, however, always shows "Not applied" for the rule's member flow, and "Applied" for everything else.

    I removed the AD MA attribute flow for member, and now the synchronization preview says "Applied" for the member flow.  The problem is that the membership in the AD group is never updated!  Unlike displayName, if I change the membership using an outside tool (ADUC), FIM synchronization will never change it back.  And if I create a new criteria-based group in the portal, a corresponding group in AD is created, but members are never added.  "View members" in the portal lists members, and the MV object's members match.

    I am not using deferred evaluation; and just to make sure, I let things run in this state overnight in my QA system.  The AD group's membership never gets in sync with FIM.

    Do I really have to specify an attribute flow for member in the MA rather than use a sync rule?

    Running FIM 2010 R2.  Thanks in advance, -Les

    Thursday, October 9, 2014 11:02 PM

All replies

  • Hi Les,

    You shouldn't have to use classic rules to flow the member attribute to Active Directory.

    With regards to the Sync Rule that is supposed to map member=>member I would suggest you check the following:

    1. If the sync rule is using the new Outbound Scoping Filters that were introduced with R2, check that the groups in question satisfy the filter specified in the Outbound System Scoping Filter in the sync rule (these are inclusion rules).

    2. If the sync rule is using the original Set->MPR->WF model, then check that the group in question has an Expected Rule Entry for this sync rule.

    In either case, I have previously seen sync rules not get applied when there is some sort of corruption on the sync rule, maybe use the Preview (Commit) Sync function in the metaverse and review for any additional errors.

    Friday, October 10, 2014 2:50 AM
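
    One way to check item 2 above from the FIM Service side, as an added example that is not part of the original thread: list the Expected Rule Entries on the group and resolve each to its sync rule name and status. The FIM Service URI, the group DisplayName and the sync rule DisplayName are placeholders to be replaced with your own values.

    ```powershell
    # Added example: verify that a group carries an Expected Rule Entry (ERE) for the
    # outbound AD sync rule. Uses the FIMAutomation snap-in shipped with FIM 2010 R2.
    Add-PSSnapin FIMAutomation -ErrorAction Stop

    $uri       = 'http://localhost:5725/ResourceManagementService'   # assumption: FIM Service URI
    $groupName = 'QA-Test-Group'                                      # assumption: group under test
    $ruleName  = 'AD Outbound Group'                                  # assumption: outbound sync rule name

    # Flatten an Export-FIMConfig result into a hashtable of attribute name -> value(s)
    function ConvertTo-AttributeTable {
        param($ExportObject)
        $table = @{}
        foreach ($a in $ExportObject.ResourceManagementObject.ResourceManagementAttributes) {
            if ($a.IsMultiValue) { $table[$a.AttributeName] = @($a.Values) }
            else                 { $table[$a.AttributeName] = $a.Value }
        }
        return $table
    }

    # Fetch a single resource by XPath, without its referenced resources
    function Get-FimResource {
        param([string]$XPath)
        $r = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $XPath
        if (-not $r) { throw "No resource matched: $XPath" }
        return ConvertTo-AttributeTable $r
    }

    # 1. The group and its ERE references (ExpectedRulesList is multi-valued)
    $g = Get-FimResource "/Group[DisplayName='$groupName']"

    # 2. Resolve each ERE to the sync rule it points at and its Pending/Applied status
    $eres = foreach ($ref in @($g['ExpectedRulesList'])) {
        $ereId = $ref -replace '^urn:uuid:', ''
        $e     = Get-FimResource "/ExpectedRuleEntry[ObjectID='$ereId']"
        $srId  = $e['SynchronizationRuleID'] -replace '^urn:uuid:', ''
        $sr    = Get-FimResource "/SynchronizationRule[ObjectID='$srId']"
        New-Object PSObject -Property @{
            SyncRule = $sr['DisplayName']
            Action   = $e['ExpectedRuleEntryAction']
            Status   = $e['ExpectedRuleEntryStatus']
        }
    }

    $eres | Format-Table SyncRule, Action, Status -AutoSize
    if (-not ($eres | Where-Object { $_.SyncRule -eq $ruleName })) {
        Write-Warning "No ERE for '$ruleName' on '$groupName': the outbound flow cannot apply until the MPR/workflow adds one."
    }
    ```

    A group with no ERE for the rule, or one whose ERE is still Pending after a full import/sync cycle, points at the Set/MPR/workflow path rather than at the flow definition itself.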
  • Hi Les,

    The reason you see "Not applied" when the flow is configured both in the sync rule and the MA export attribute flows is that the MA EAF will take precedence, so the sync rule flow is in effect not applied.

    As you've noted, if you remove the MA member EAF, then memberships don't get updated in AD. The quick fix is adding the MA EAF flow, since it will always be applied and is not subject to the vagaries of the sync rule.

    I've seen this before, and it's related to how the "member->member" outbound attribute flow is defined in the sync rule. On the "Destination" tab, you'll see a drop-down for the "Flow Scope". If this is not properly set, the attribute flow will simply not work. Unfortunately, off the top of my head, I can't remember which is the right selection to get this working, but I have managed to get it working in the past. I would suggest you try various options, including leaving it unset if possible, until the membership starts flowing.

    Cheers,

    Marc

    Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
    http://www.avaleris.com

    Friday, October 10, 2014 2:06 PM
  • In addition to @Marc, I would say the definition of "Flow Scope" should match the object types that the group members are (e.g. only Users, or Users and Groups).

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, October 10, 2014 6:22 PM