FIM2010–Playing with Precedence

Well, I decided that the “theory” behind equal precedence was pretty cool, so now I’m going to put it into practice to see how I can meet a client requirement.

I have set up a sync engine environment with two MAs connecting to the same AD domain. Each MA’s container selection is limited to the OU where the users I’m using as group members are located, plus a different “group” container for each MA; the groups in those containers have enough in common to join to the same MV object but have different memberships.

So, for AD MA 1, there are 10 users and 1 group. The group has 3 members (Fred Flintstone, Wilma Flintstone and Pebbles Flintstone). This MA projects all the users and the group into the MV.

For AD MA 2, it collects the same 10 user accounts and 1 group from a different OU (but with common characteristics so that I can join it to the one in the MV provided by AD MA 1). The group that AD MA 2 is managing has two members (Barney Rubble and George Jetson).

So to illustrate the initial group membership more clearly:

Group MA   Membership
AD MA 1    Fred Flintstone
           Wilma Flintstone
           Pebbles Flintstone
AD MA 2    Barney Rubble
           George Jetson

Baseline Test

In the baseline test, I imported and projected the group and users from AD MA 1. I then imported and joined the users and group from AD MA 2.

In the MV schema, the “member” attribute of the group object type was configured with ranked precedence, with AD MA 1 taking precedence over AD MA 2.

As expected, when I ran the synchronization for AD MA 2, a pending export was queued for its group: Barney and George (the group’s original membership) were to be deleted and Fred, Wilma and Pebbles (the membership of the AD MA 1 group) were to be added.

So, once that export is applied, the resulting group membership is:

Group MA   Membership
AD MA 1    Fred Flintstone
           Wilma Flintstone
           Pebbles Flintstone
AD MA 2    Fred Flintstone
           Wilma Flintstone
           Pebbles Flintstone

So let’s have some more fun…

Initial Group Synchronization with Equal Precedence Turned On

As was seen in the previous example, without equal precedence turned on, the system overwrote the membership of the lower-precedence MA’s group. This was as we expected. With equal precedence, the expected behaviour is that the group memberships are merged.

So, after reimporting the objects and then synchronizing them, the group memberships did merge successfully. Pending exports for the members missing from each group were queued to the other MA: the group in AD MA 1 was updated with Barney and George, and the group managed by AD MA 2 was updated with Fred, Wilma and Pebbles.

So the final membership of the groups, with the MA that contributed each member to the MV, was:

Group MA   Membership            Contributor
AD MA 1    Fred Flintstone       AD MA 1
           Wilma Flintstone      AD MA 1
           Pebbles Flintstone    AD MA 1
           Barney Rubble         AD MA 2
           George Jetson         AD MA 2
AD MA 2    Barney Rubble         AD MA 2
           George Jetson         AD MA 2
           Fred Flintstone       AD MA 1
           Wilma Flintstone      AD MA 1
           Pebbles Flintstone    AD MA 1

Again, success and operating as expected…

Deleting A Group Member that was Exported to the Group Under Equal Precedence

Now here is where I started to have questions and wanted to “test” what would happen. What happens if I remove, from the AD MA 1 group, a member that AD MA 2 contributed to it? Would the sync engine re-add the member to the AD MA 1 group, or delete it from AD MA 2’s group?

So in this instance, referring to the table above, I went into the group for AD MA 1 and removed Barney Rubble as a member (as the contributing MA was AD MA 2), then ran an import and a synchronization.

After the import, the group in AD MA 1 showed that Barney was no longer a member. However, once the synchronization completed, a pending export was queued back to AD MA 1 to add him back in.

Group MA   Membership            Contributor
AD MA 1    Fred Flintstone       AD MA 1
           Wilma Flintstone      AD MA 1
           Pebbles Flintstone    AD MA 1
           Barney Rubble         Re-added (contributed by AD MA 2)
           George Jetson         AD MA 2
AD MA 2    Barney Rubble         AD MA 2
           George Jetson         AD MA 2
           Fred Flintstone       AD MA 1
           Wilma Flintstone      AD MA 1
           Pebbles Flintstone    AD MA 1

This was the expected behaviour for me, as it indicates that under equal precedence the contributing MA is tracked for each value of the multi-valued attribute, not just for the attribute as a whole. A value that an MA merely received by export does not make that MA a contributor, so dropping it at that end is simply reversed. But now to prove it…

Removing a Group Member from the Contributing Group using Equal Precedence

That really leaves one final test to validate the premise and verify how it operates: removing a member from the group that originally contributed it, where that member has since been exported to the other MA’s group.

In this test, Pebbles will be removed from the AD MA 1 group. Given the results seen in the previous test, the hope is that the member would also be removed from the group in AD MA 2.

The results of the test were:

Group MA   Membership            Contributor
AD MA 1    Fred Flintstone       AD MA 1
           Wilma Flintstone      AD MA 1
           Pebbles Flintstone    AD MA 1 (removed at source)
           Barney Rubble         AD MA 2
           George Jetson         AD MA 2
AD MA 2    Barney Rubble         AD MA 2
           George Jetson         AD MA 2
           Fred Flintstone       AD MA 1
           Wilma Flintstone      AD MA 1
           Pebbles Flintstone    AD MA 1 (pending export: delete)

As expected, Pebbles was deleted from the original source MA (AD MA 1), and because AD MA 1 was the only contributor of that value, the value was removed from the MV and a pending export was queued to delete Pebbles from the group in the target MA (AD MA 2).
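To make the four tests above reproducible without a sync engine, here is an added toy model (my own code, not FIM or anything from the original post) of the two precedence modes as observed in this post. It is a simplification: each MV value records the set of MAs that imported it, a value received by export flow does not make the receiving MA a contributor, a value is dropped from the MV only when no contributor supplies it any more, and pending exports are simply the difference between the MV and each connector. The MA names, the member names and the group memberships are the ones from the tables above; the class and function names are my own. The model reproduces the pending exports reported for the baseline, the merge, the re-add of Barney and the removal of Pebbles.

```python
"""Toy model of ranked vs. equal attribute precedence for a multi-valued
attribute (the group 'member' attribute). Constructed example, not FIM code."""

from dataclasses import dataclass, field


@dataclass
class Connector:
    """One MA's connector-space view of the group's member attribute."""
    name: str
    members: set = field(default_factory=set)      # values currently in the CS
    contributed: set = field(default_factory=set)  # values this MA flowed into the MV
    exported: set = field(default_factory=set)     # values this MA received by export


class MetaverseGroup:
    def __init__(self, precedence, equal=False):
        self.precedence = precedence  # MA names, highest precedence first
        self.equal = equal
        self.member = {}              # MV value -> set of contributing MA names
        self.connectors = {}

    def sync(self, ma, members):
        """Import and synchronize one MA; return the pending exports for every MA."""
        cs = self.connectors.setdefault(ma, Connector(ma))
        cs.members = set(members)
        if self.equal:
            self._flow_equal(cs)
        else:
            self._flow_ranked(cs)
        return self.pending_exports()

    def _flow_ranked(self, cs):
        # Ranked precedence: the highest-precedence connected MA owns the whole
        # attribute; lower-precedence MAs never change the MV value.
        owner = next(m for m in self.precedence if m in self.connectors)
        if cs.name == owner:
            self.member = {v: {cs.name} for v in cs.members}

    def _flow_equal(self, cs):
        # Every value the MA presents on its own (not one it merely received by
        # export) makes this MA a contributor of that value.
        for v in cs.members - cs.exported:
            self.member.setdefault(v, set()).add(cs.name)
            cs.contributed.add(v)
        # Values this MA contributed earlier but no longer presents are withdrawn;
        # the MV keeps the value only while another contributor still supplies it.
        for v in list(cs.contributed - cs.members):
            cs.contributed.discard(v)
            self.member[v].discard(cs.name)
            if not self.member[v]:
                del self.member[v]
        # A value the MA received by export and then dropped is left alone: the
        # contributing MA still supplies it, so the next export re-adds it.

    def pending_exports(self):
        """Per MA, the adds and deletes needed to make the CS match the MV."""
        want = set(self.member)
        return {name: {"add": sorted(want - cs.members),
                       "delete": sorted(cs.members - want)}
                for name, cs in self.connectors.items()}

    def apply_exports(self):
        """Simulate the export run (and confirming import) for every MA."""
        for cs in self.connectors.values():
            cs.members = set(self.member)
            cs.exported = set(self.member) - cs.contributed


def run_post_scenarios():
    """Replay the four tests from the post; return the pending exports after each."""
    ma1, ma2 = "AD MA 1", "AD MA 2"
    flintstones = {"Fred Flintstone", "Wilma Flintstone", "Pebbles Flintstone"}
    rubble_jetson = {"Barney Rubble", "George Jetson"}
    results = {}

    # Baseline: ranked precedence, AD MA 1 first. AD MA 2's group is overwritten.
    mv = MetaverseGroup([ma1, ma2])
    mv.sync(ma1, flintstones)
    results["baseline"] = mv.sync(ma2, rubble_jetson)

    # Equal precedence: the two memberships merge and each side gets the missing members.
    mv = MetaverseGroup([ma1, ma2], equal=True)
    mv.sync(ma1, flintstones)
    results["merge"] = mv.sync(ma2, rubble_jetson)
    mv.apply_exports()

    # Remove Barney (contributed by AD MA 2) from the AD MA 1 group: he is re-added.
    results["drop_noncontributed"] = mv.sync(
        ma1, mv.connectors[ma1].members - {"Barney Rubble"})
    mv.apply_exports()

    # Remove Pebbles (contributed by AD MA 1) from the AD MA 1 group: deleted from AD MA 2.
    results["drop_contributed"] = mv.sync(
        ma1, mv.connectors[ma1].members - {"Pebbles Flintstone"})
    return results


if __name__ == "__main__":
    for test, exports in run_post_scenarios().items():
        print(test, exports)
```

The model's one real lesson is the `exported` set: an MA that only received a value through export is not a contributor of it, so the engine's answer to "who may remove this member" depends on which MA imported it first, exactly as the tables above show.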

Given these results, it is pretty easy to see that group management when merging groups can have some very interesting results. Administrators who remove members from a group may see unexpected consequences, depending on which connected object actually contributed the member to the MV object: removing a member the group did not contribute is silently undone, while removing one it did contribute deletes that member from every other merged group.

So, be mindful of how you manage group memberships. Equal precedence is a great benefit to the overall management of group memberships, but its downstream effects may have unintended consequences.

This entry was posted in Best Practices, Forefront Identity Manager 2010.
