none
Approval for modification person's information RRS feed

  • Question

  • Hi everyone
    Our system typical have 4 role below:
    1. HRMS: Human Resources Management System
    2. MIM
    3. AD
    4. ADFS
      Synchronization flow HRMS => MIM => AD with 3 MA (HRMS, MIM, AD), 3 MPR (HR, MIM outbound, AD inbound).

    For adding new person on HRMS, I using this MIMWAL https://github.com/Microsoft/MIMWAL/wiki/New-Accounts-Approval to approve / reject before provision on AD. it's work very nice. But I don't know how to config for modifying person's information in HRMS and approving before synchronizing to AD as addnew function

    I'm newbie on MIM, please help me.

    Thank you for any suggestion!

    Monday, September 30, 2019 9:26 AM

All replies

  • Normally, we accept the information from HR as authoritative for many attributes. If possible it would be better for the approval workflow to be in the HRMS (if it can do that). If not then depending on your goals a notification workflow may make sense so that people at least know after the fact.

    If it must be approved first then you would need to do something similar to the workflow described in your example but as follows: Add two new attributes in the MV and the Portal: Proposed Last Name and Proposed First Name, and flow the First Name and Last Name from HRMS to those attributes. Then build the a set of Proposed Name != Name and Proposed Name=*, and a set transition MPR that fires a workflow that copies the Proposed Name to the Name,  tick the "Apply Authorization Policy". Then create an MPR and workflow that requires authorization as your desire.


    David Lundell, Twitter | Hire Identity Managed | FIM Best Practices book | How to Be an MVP in Life book

    Tuesday, October 1, 2019 3:19 AM
  • Thank you David for you suggestion

    As you suggestion. We have multi-attribute but not just First name, Last Name. Create a Set for Job Title, Department, Employee Status .. I think it's not suitable with Set condition and performance. 

    Is there any other way?

    Thursday, October 3, 2019 4:42 AM
  • You could still do what I suggested except that instead of a set transition based MPR you could do a standard MPR, that triggers when an update occurs to First Name, Last Name, Job Title, Department, and Employee Status. You still need the proposed attributes. Have the HR attributes sync to proposed attributes, then do a workflow that will update the actual updates. 

    David Lundell, Twitter | Hire Identity Managed | FIM Best Practices book | How to Be an MVP in Life book

    • Marked as answer by diepkv Thursday, October 3, 2019 3:37 PM
    • Unmarked as answer by diepkv Thursday, October 17, 2019 7:58 AM
    Thursday, October 3, 2019 3:28 PM
  • Hi David

    How can I create a Set with those operator != to filter member who has changed information

    As you mentioned "..a set of Proposed Name != Name and Proposed Name=*,.."

    Could you please help me more detail

    Thank you!

    Friday, October 4, 2019 7:15 AM
  • You could still do what I suggested except that instead of a set transition based MPR you could do a standard MPR, that triggers when an update occurs to First Name, Last Name, Job Title, Department, and Employee Status. You still need the proposed attributes. Have the HR attributes sync to proposed attributes, then do a workflow that will update the actual updates. 

    David Lundell, Twitter | Hire Identity Managed | FIM Best Practices book | How to Be an MVP in Life book

    Hi David

    This is what I understand what you say. Is that true? 

    Thank you for spending time for me!

    Thursday, October 17, 2019 8:00 AM