I have to admit, sometimes I just want to find out the reason behind some of the decisions that are made when a product is designed. From the perspective of the FIM MA, I honestly and truly miss manual precedence.
I want to use manual precedence because I have one object that can be authoritative from either the FIM Service or AD depending on whether or not the object is set to be “FIM Managed”. I’m not looking to do anything difficult, just check a flag to see whether or not it is true and flow the attribute accordingly.
Without manual precedence, I am looking at a bunch of different things which take up more processing time and simply add load to either the synchronization engine or the FIM Service, depending on the solution approach I take. I’m leaning towards the FIM Service approach at this time so that I may migrate the data successfully without having to play with different object types or bring in two different MAs for the one AD source (one scoped for the managed objects and another scoped for the non-managed objects). The source just has too many objects in it for me to want to build out the environment in that manner.
My solution to my problem is multifaceted and complicated to support. I am going to import all the AD attributes that I require into both the standard MV entry fields (if they are not already populated) and secondary “AD Sourced” fields. This will allow me to set up export flow rules to FIM to populate the “AD Sourced” fields.
In FIM, I will have to create MPRs for each of the attributes (as I don’t want to have a tonne of workflows firing for a change to a range of attributes during steady state) that will copy the “AD Sourced” values back to the standard values (e.g. AD Source Members to the Members attribute) so that the objects can be formed correctly. (Note that for initial load, I will flip the precedence on the standard attributes and disable the MPRs that are doing this, for expediency and to avoid unnecessary delays from having to process over 300,000 items and move multiple attributes across.)
This will allow the FIM system to have higher precedence in AD for the core attributes so that any new objects created or changed to FIM managed can then be updated normally.
Within AD, because the FIM system is providing the authoritative data, I’ll need to use an advanced rules extension for each of the attributes, “filtering” the export attribute flows so that only the “FIM managed” groups can update the attributes, and only if the flag is set appropriately. Otherwise the values will be left as they are, which in effect is half of the manual precedence equation that I was wishing I already had.
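
A sketch of the export-flow filter described above, as an added example that is not the author's code. The MV boolean `fimManaged`, the `FimManagedOnly:<attribute>` flow rule naming convention, and identical MV and AD attribute names are assumptions made for illustration.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// AD MA rules extension: export a value to AD only when the object is FIM managed.
public class MAExtensionObject : IMASynchronization
{
    private const string Flag = "fimManaged";         // hypothetical MV boolean attribute
    private const string Prefix = "FimManagedOnly:";  // hypothetical flow rule name prefix

    // Called once per advanced export flow. The engine passes only the rule name,
    // so the target attribute is encoded in it, e.g. "FimManagedOnly:displayName".
    // List the flag as a source attribute of each flow so that toggling it
    // re-triggers the rule. Handles single-valued string attributes only;
    // reference attributes such as member cannot be set from a rules extension.
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        if (!FlowRuleName.StartsWith(Prefix, StringComparison.Ordinal))
            throw new EntryPointNotImplementedException();

        // Flag absent or false: AD stays authoritative, leave the AD value as it is.
        if (!mventry[Flag].IsPresent || !mventry[Flag].BooleanValue)
            return;

        string attr = FlowRuleName.Substring(Prefix.Length);
        if (mventry[attr].IsPresent)
            csentry[attr].Value = mventry[attr].Value;  // FIM value wins
        else
            csentry[attr].Delete();                     // FIM cleared it, clear AD too
    }

    public void Initialize() { }
    public void Terminate() { }

    // The remaining entry points are not used by this extension.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    { throw new EntryPointNotImplementedException(); }
}
```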
I do hope that the product team revisits this decision. I really could use manual precedence for the attribute flows. I’m not asking for them to enable a full rules extension capability, but please, manual precedence for attribute flows would be simply outstanding and would solve a lot of the issues that cannot be resolved using equal precedence or standard precedence when dealing with the FIM MA data.