I have an issue and I still haven't been able to get to the bottom of it.
We use FIM 2010 R2
All of the older users are able to access the portal. However, newer users, although they were created through FIM, are not able to access the portal. A "You do not have permission to access this site" error occurs.
I have looked at the provisioning tab of older users and compared it with the provisioning tab of the newer users, and found that older users who are able to access the portal have 2 detected rules that apply. The rules are something like "DRE for AD Active CON accounts Sync" and "DRE for AD Active FTE Accounts Sync".
I'm pretty sure that the issue has to be related in some way with this. The newer users don't have these rules detected.
Is there any way that they can be applied so that newer users would be able to access the portal?
In FIM's SharePoint site all authenticated users have read access, so there's not a permissions problem.
I have no idea why older users are able to log on to the portal and newer ones are not...
Actually no... and I have no idea how to do it. Furthermore, I was told by the last person who implemented it that at some point he messed something up and deleted 70 user accounts from AD
So I'm a bit reluctant on this matter, but if I could find a step-by-step tutorial maybe I'd try it....
At the moment I have to use old admin accounts to access the site and make modifications.
Furthermore, there are some admin accounts made by hand in AD which are not imported in FIM although several other accounts are...
There is an article which explains the process of loading users into the portal here: How Do I Synchronize Users from AD DS to FIM.
However, there are several ways of implementing this, so your configuration may use a different approach.
Be careful (FIM can be a really destructive tool if you don't know what you are doing ;-) )
Borys Majewski, Identity Management Solutions Architect (http://IDArchitect.NET)
Can you help me with a step-by-step procedure, if I'm not asking too much?
I'm reluctant to do things on my own because of the mess that you can do with FIM if you screw something up... :)
You said it yourself that it can be a destructive weapon if used improperly
You can create a sync rule with mappings of various attributes. For those attributes you want to send to AD, use the outbound mapping, and for those whose values you want to import from AD you can use the inbound flow. If you want users to access the portal then, as said in the threads above, flow ObjectSID, Domain and AccountName back to the portal from AD, i.e. you can use these mappings in the inbound flow as well. For more details about creating a sync rule, you can refer to the TechNet guide.
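Before touching sync rules, it helps to confirm that the inbound flow is really what is missing. The following added diagnostic (not from this thread or from FIM's own documentation) reads a Person object from the FIM Service with the FIMAutomation snap-in and reports which of ObjectSID, Domain and AccountName are empty, so an older, working account can be compared with a newer one. The function names and the account names 'olduser' and 'newuser' are placeholders of my own.

```powershell
# Added diagnostic: check whether a FIM Service Person carries the attributes
# the portal needs to map a Windows identity (ObjectSID, Domain, AccountName).
# Assumes the FIMAutomation snap-in is installed and the caller may read Person objects.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-FimPersonAttributes {
    param([Parameter(Mandatory)][string]$AccountName)

    # XPath 1.0 has no string escaping; refuse names that would break the filter.
    if ($AccountName -match "'") { throw "AccountName must not contain a single quote" }
    $filter = "/Person[AccountName='$AccountName']"

    $export = Export-FIMConfig -CustomConfig $filter -OnlyBaseResources
    if (-not $export) { return $null }

    # Flatten the exported attribute list into a name -> value table.
    $attrs = @{}
    foreach ($a in $export.ResourceManagementObject.ResourceManagementAttributes) {
        $attrs[$a.AttributeName] = $a.Value
    }
    return $attrs
}

function Test-FimPortalReadiness {
    param([Parameter(Mandatory)][string]$AccountName)

    $attrs = Get-FimPersonAttributes -AccountName $AccountName
    if (-not $attrs) {
        return [pscustomobject]@{ AccountName = $AccountName; Found = $false; Missing = @('Person object'); Ready = $false }
    }
    # Without all three, the portal cannot tie the logged-on user to a Person.
    $required = 'ObjectSID', 'Domain', 'AccountName'
    $missing  = @($required | Where-Object { [string]::IsNullOrEmpty($attrs[$_]) })
    [pscustomobject]@{
        AccountName = $AccountName
        Found       = $true
        Missing     = $missing
        Ready       = ($missing.Count -eq 0)
    }
}

# Compare a known-good older account with a newer one (placeholder names).
'olduser', 'newuser' | ForEach-Object { Test-FimPortalReadiness -AccountName $_ } | Format-Table -AutoSize
```

If the newer account shows ObjectSID or Domain as missing while the older one does not, the inbound flow of those attributes from AD is what the new sync rule has to supply.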