What's the correct process for adding a file based filter rule?

  • Question

  • Hi,

    I have a FIM sync process which works as follows:

    1. File MA - imports CSV information from a file
    2. FIM MA - imports CS information from File MA into MV
    3. AD MA - then exports the FIM MV info into AD

    My file MA, has the following filter rule:

    If CSV field "DN" contains "OU=WinVista" then import row

    The above works great and I'm only importing the WinVista users. What I want to do now is import Windows 7 and I was thinking of changing my File MA filter rule to the following:

    If CSV field "DN" contains "OU=WinVista" then import row
    OR
    If CSV field "DN" contains "OU=Win7" then import row

    Can I simply amend the filter rule on my File based MA and then run the import run profile?
    Do I need to run the FIM MA run profiles to update the sync rules? (For example, I know I have to run the FIM sync profiles if I update sync rules in the FIM Portal.)

    I'm looking at doing this in the least intrusive manner as I already have accounts in production and would hate, for example if my Windows Vista users were wiped out, but I gained Windows 7 users.

    Thanks

    Tuesday, September 3, 2013 10:48 AM

Answers

  • Yeah, you are right, I've checked this in my own File MA.

    The "not contains" thing wired me, sorry for that.
    Seems that I spend too much work on Portal SyncRules ;-)

    As it is in the documentation:

    Important
    Filters are combined with an AND operator if all conditions in all filters are met. Filters are combined with an OR operator if a condition in the first or previous filter is not met. If any condition in a single filter is not met, that filter is not applied.

    In my File MA I put in a filter with two "not contains" criteria, and only those two objects are flowing to the MV; the rest is filtered.

    So in your case, also put the two criteria in one filter.

    Regards

    Peter

    • Marked as answer by Peter.Siffredi Thursday, September 5, 2013 9:24 AM
    Thursday, September 5, 2013 9:13 AM
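
The filter behaviour this answer arrives at, as an added example that is not part of the original thread and is not FIM code: a small Python model in which conditions inside one connector filter are ANDed, separate filters are ORed, and an object matching any filter becomes a filtered disconnector. The sample DNs, the `example.com` domain and all function names are constructed for illustration; it compares the two-filter and one-filter configurations against the current rule and lists which existing connectors each change would drop.

```python
# Model of the connector-filter semantics discussed in this thread (assumption:
# plain substring matching; this is an illustration, not FIM's implementation).

def not_contains(attr, text):
    """Condition: the attribute value does not contain `text`."""
    return lambda row: text not in row.get(attr, "")

def is_filtered(row, filters):
    """An object is a filtered disconnector if ALL conditions of ANY filter match."""
    return any(all(cond(row) for cond in flt) for flt in filters)

def imported(rows, filters):
    """DNs that pass the connector filter and can flow to the metaverse."""
    return [r["DN"] for r in rows if not is_filtered(r, filters)]

def lost_connectors(rows, before, after):
    """DNs imported under the old filter set but filtered under the new one."""
    kept = set(imported(rows, after))
    return [dn for dn in imported(rows, before) if dn not in kept]

# Constructed sample rows standing in for the CSV file
ROWS = [
    {"DN": "CN=alice,OU=WinVista,DC=example,DC=com"},
    {"DN": "CN=bob,OU=Win7,DC=example,DC=com"},
    {"DN": "CN=carol,OU=WinXP,DC=example,DC=com"},
]

# Existing rule: one filter, one condition
CURRENT = [[not_contains("DN", ",OU=WinVista")]]
# Two separate filters (ORed): every row fails at least one of them
TWO_FILTERS = [[not_contains("DN", ",OU=WinVista")],
               [not_contains("DN", ",OU=Win7")]]
# One filter with two conditions (ANDed): only rows in neither OU are filtered
ONE_FILTER = [[not_contains("DN", ",OU=WinVista"),
               not_contains("DN", ",OU=Win7")]]

if __name__ == "__main__":
    for name, flt in [("current", CURRENT),
                      ("two filters", TWO_FILTERS),
                      ("one filter, two conditions", ONE_FILTER)]:
        print(f"{name}: imported={imported(ROWS, flt)} "
              f"lost={lost_connectors(ROWS, CURRENT, flt)}")
```

Running the same comparison against the real CSV before changing the management agent gives a list of accounts that would become filtered disconnectors, which can then be confirmed with a stage-only import and preview.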

All replies

  • Since what you currently have is working, I think you use SyncRules in the FIM Portal and are currently working with their inbound scoping filter.

    These scoping filters are combined by an AND and you cannot change this to an OR.

    You can use a 2nd SyncRule that is nearly identical to the current one, except for the scoping filter.

    or

    You can exclude all of the OUs you don't want with a NOT CONTAINS, except for the two OUs you want.
    Depends on how many OUs you have.

    Hope this helps

    Tuesday, September 3, 2013 11:30 AM
  • Hi Peter,

    I'm not planning on modifying the portal sync rules.

    I'm wondering whether I can simply modify the File Management Agent filter rule to include another OU by using an OR operator with the appropriate OU selection.

    Thanks

    Tuesday, September 3, 2013 4:43 PM
  • Ahh OK, I see.

    But then I don't understand your current File MA filter, as connector filters in an MA are exclude filters.
    If the condition matches, the object becomes a filtered disconnector.

    And your current filter says DN contains "OU=WinVista", so these objects must currently be blocked from synchronization.

    So normally, with all the details above, this should not work.

    Can you maybe provide some pictures to clarify the current configuration for us?

    Regards

    Peter

    Tuesday, September 3, 2013 5:36 PM
  • Sorry, you're right, I've double checked and the configuration is shown as below

    Within the File MA, I have a declared import filter configured under "connector filter"

    The rule is "DN" "Does not contain" ",0U=WinVista",

    So this filters out all rows in my CSV which do not have a DN entry with "OU=WinVista"

    What I would like to do is ensure my Windows 7 users are ALSO ADDED. Can I just add another filter disconnector rule so that my rules would be:

    "DN" "Does not contain" ",0U=WinVista".
    "DN" "Does not contain" ",0U=Win7".

    Looking at the Technet article below, I'd expect the following behaviour:

    - WinVista users to be imported as normal (existing accounts stay the same)
    - Win7 users to be added
    - Anything not within the WinVista or Win7 OU to become a filtered disconnector

    http://technet.microsoft.com/en-us/library/jj590228(v=ws.10).aspx

    I'm tempted to snapshot the server before making this change as I'm reluctant to make a change that will potentially affect several thousand accounts.

    Thanks in advance

    Tuesday, September 3, 2013 10:40 PM
  • Ahh, now it makes sense.

    Yes, you can do a second filter with another not contains OU=xxx and the additional objects will flow to the metaverse.

    But you must add it as a second filter with a condition (this means OR) and NOT just a second condition to the current filter (which means AND).

    You can then check this by testing the filter with a preview on one disconnector in OU=Win7 of the connector space and one object which is not in OU=Win7.

    Peter

    • Marked as answer by Peter.Siffredi Wednesday, September 4, 2013 9:47 AM
    • Unmarked as answer by Peter.Siffredi Thursday, September 5, 2013 8:40 AM
    Wednesday, September 4, 2013 4:53 AM
  • Thanks Peter, I'll make sure to add a second condition as OR

    I like the idea of your preview suggestion, but am not sure how to implement it.

    At the moment, my file based MA has 1 run profile - "full import and delta sync" (which I believe populates the File MA connector space). This works fine.

    Could I simply create a new run profile "full import, stage only" for my file MA, run this and then preview the inbound projections to check the new users?

    At this point, if the filters work as expected, can I just re-run my "full import and delta sync" run profile as normal?

    If the filters don't work as expected, can I just change my filter rules and re-try?

    Thanks again

    Wednesday, September 4, 2013 6:05 AM
  • Yes, you can add as many Run Profiles as you need.

    I have a Full Import (Stage only) profile on all my MAs.
    Then use the CS search function to preview, which is, I think, one of the most powerful features since the old MIIS times.

    If the filter works, you can then run your normal RunProfile.

    If you remove the filter and do a Sync, the objects become filtered disconnectors.

    If you add a wrong filter, you can repair all objects' metaverse state by simply correcting the error and running Import/Sync again, until all objects are in the desired state.

    If you don't do an Export, nothing happens to the connected sources, so you have all the time to correct your MV.

    Wednesday, September 4, 2013 7:54 AM
  • Thanks Peter, much appreciated :-)
    Wednesday, September 4, 2013 9:47 AM
  • Peter,

    I tried this last night, but it seems I actually need to add another filter condition to the EXISTING filter rather than add a new one.

    I added a second filter as you recommended to exclude users who are not in the WinVista OU and then ran a preview. Checking a valid user account in the Win Vista OU shows as being "filtered" which will not import the account and effectively delete the valid user account if I did a "full import and delta sync"?

    Surely I need to add a filter condition to the existing filter so that the filters are combined as an OR statement?

    Thx

    Thursday, September 5, 2013 8:40 AM