Changing a user's OU

  • Question

  • After following this guide I am successfully flowing users from an SQL database to AD.

    In step 6 of the guide, where the AD Outbound SR is created, the guide specifies "Important: Verify that you have selected Initial Flow Only for the attribute flow that has the DN as the destination.". 

    My problem is that the users' OUs need to change based on their age; if a user's OU is set as initial flow only, how do I go about changing their OU at a later date? I've tested without ticking initial flow only and it does appear to work as I want it to but is there a reason I shouldn't be doing this? 

    Any advice would be much appreciated.



    • Edited by FIM-EN Friday, January 4, 2013 2:39 PM
    Friday, January 4, 2013 2:17 PM

All replies

  • Set up another synchronization rule, or a flow in the same rule, which will update the user DN based on your requirements. If this is based on well-defined criteria like age, I would probably create some sets and a set of synch rules that update the DN, and assign users to the appropriate synch rules when they enter the appropriate set.

    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Friday, January 4, 2013 4:01 PM
  • Well, initial flow is important when you are provisioning (creating new users); it is ONLY used with provisioning, as DN is absolutely needed when you are provisioning users.

    You should always have an initial flow for the DN attribute.

    In ADDITION to that, as Tomasz suggested, create another similar attribute flow to the DN.

    So in the end you will have two (2) similar attribute flows to the DN attribute, one with the initial flow and one without the initial flow.

    That should do it.

    • Marked as answer by FIM-EN Monday, January 7, 2013 12:16 PM
    Saturday, January 5, 2013 7:59 AM
  • For subsequent attribute flow of the DN, create a new flow, probably using the age variable in the DN, and do not configure the flow as initial only.
     

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    • Marked as answer by FIM-EN Monday, January 7, 2013 12:15 PM
    Monday, January 7, 2013 10:11 AM
  • Thanks to everyone for the replies.

    Going by what you say here Jorge, I would have a sync rule with two flows into DN, one ticked as initial and one not ticked as initial. Should the DN with initial flow ticked be to a static OU rather than one dictated by a user's age? 

    Monday, January 7, 2013 10:25 AM
  • >>>>I would have a sync rule with two flows into DN, one ticked as initial and one not ticked as initial
    Correct!
     
    >>>>Should the DN with initial flow ticked be to a static OU rather than one dictated by a user's age?
    Both flows can be static or based upon some variable. It does not matter, as long as the DN path exists in AD.
    You can have the initial flow for the DN to include the age variable if you want.
     

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    • Marked as answer by FIM-EN Monday, January 7, 2013 12:15 PM
    Monday, January 7, 2013 11:29 AM
  • Many thanks! 
    Monday, January 7, 2013 12:16 PM
  • You're welcome
    No problem
     
     

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Monday, January 7, 2013 12:25 PM
  • I wouldn't entirely agree with Jorge on the DN path exists matter: even if the OUs are not there and you are using the Configure Provisioning Hierarchy, the OUs will be created automatically.
    Tuesday, January 8, 2013 9:02 AM
  • Thanks. There are only a limited number of OUs in this case so they do all exist already but I will look into Provisioning Hierarchy, it's something I've not really touched on that may prove useful some day. Would you suggest that it's a good idea to configure OU -> OrganizationalUnit in provisioning hierarchy? 
    Tuesday, January 8, 2013 11:46 AM
  • Yes, that's what I usually do. And it always creates the OU if it doesn't exist.
    Tuesday, January 8, 2013 12:07 PM
  • Sounds like a good plan then. Thank you.
    Tuesday, January 8, 2013 12:11 PM
  • Most Welcome
    Tuesday, January 8, 2013 12:13 PM
  • Only if you want FIM to create the OU when these do not exist. It is not a bad/best practice; just enable it if you want/need it.
     

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Tuesday, January 8, 2013 1:58 PM
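
The two-flow arrangement discussed in this thread, as an added Python sketch (not FIM code and not from any poster): it models the initial DN flow, the persistent DN flow and the Provisioning Hierarchy option as a simplified DN planner, and escapes the CN so SQL-sourced names cannot alter the OU path. The base DN, OU names, age brackets, function names and sample users are all assumptions constructed for illustration.

```python
from datetime import date

BASE = "DC=example,DC=com"                                    # assumed suffix
BRACKETS = [(0, "Under18"), (18, "Adults"), (65, "Seniors")]  # assumed OUs
TODAY = date(2013, 1, 7)                                      # constructed run date
OUS = {f"OU=Under18,{BASE}", f"OU=Adults,{BASE}"}             # Seniors OU absent

def escape_rdn(value):
    """Escape an RDN value (RFC 4514) so source data stays inside the CN."""
    out = []
    for i, c in enumerate(value):
        special = (c in '",+;<>\\' or (i == 0 and c in "# ")
                   or (i == len(value) - 1 and c == " "))
        out.append("\\" + c if special else c)
    return "".join(out)

def age_on(born, today):
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def target_ou(user, today):
    """OU chosen by the age variable; the highest bracket floor reached wins."""
    age = age_on(user["born"], today)
    name = [n for floor, n in BRACKETS if age >= floor][-1]
    return f"OU={name},{BASE}"

def plan(user, current_dn, today, existing_ous, create_missing_ous=False):
    """Return (action, dn) for one sync pass over one user."""
    ou = target_ou(user, today)
    dn = f"CN={escape_rdn(user['name'])},{ou}"
    if ou not in existing_ous and not create_missing_ous:
        return ("error-missing-ou", dn)   # DN path must exist in AD
    if current_dn is None:
        return ("provision", dn)          # initial flow: create with this DN
    if current_dn.lower() != dn.lower():
        return ("move", dn)               # persistent flow: DN changed
    return ("none", dn)

if __name__ == "__main__":
    ann = {"name": "Smith, Ann", "born": date(1995, 1, 5)}    # constructed
    old = {"name": "Bob Jones", "born": date(1940, 6, 1)}     # constructed
    print(plan(ann, None, TODAY, OUS))
    print(plan(ann, f"CN=Smith\\, Ann,OU=Under18,{BASE}", TODAY, OUS))
    print(plan(old, None, TODAY, OUS))
    print(plan(old, None, TODAY, OUS, create_missing_ous=True))
```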