FIM2010–FIM MA and Precedence

I have to admit, sometimes I just want to find out the reason behind some decisions that are made when a product is designed. From the perspective of the FIM MA, I have to admit, I honestly and truly miss manual precedence.

I want to use manual precedence because I have one object that can be authoritative from either the FIM Service or AD depending on whether or not the object is set to be “FIM Managed”. I’m not looking to do anything difficult, just check a flag to see whether the attribute is true and flow the attribute accordingly.

Without manual precedence, I am looking at a bunch of different things which take up more processing time and simply add load to either the synchronization engine or the FIM service depending on the solution approach I take. I’m looking towards the FIM service approach at this time so that I may migrate the data successfully without having to play with different object types or bring in two different MAs for the one AD source (one scoped for the managed objects and another scoped for the non-managed objects). The source just has too many objects in it for me to want to build out the environment in that manner.

My solution to my problem is many-faceted and complicated to support. I am going to import all the AD attributes that I require into both the standard MV entry fields (if they are not already populated) as well as secondary “AD Sourced” fields. This will allow me to set up export flow rules to FIM to populate the “AD Sourced” fields.

In FIM, I will have to create MPRs for each of the attributes (as I don’t want to have a tonne of workflows firing for a change to a range of attributes during steady state) that will copy the “AD Sourced” values back to the standard values (e.g. AD Source Members to the Members attribute) so that the objects can be formed correctly. (Note that for initial load, I will flip the precedence on the standard attributes and disable the MPRs that are doing this for purposes of expediency and removal of unnecessary delays due to having to process over 300,000 items and move multiple attributes across).

This will allow the FIM system to have higher precedence in AD for the core attributes so that any new objects created or changed to FIM managed can then be updated normally.

Within AD, because the FIM system provides the authoritative data, I’ll need to use an advanced rules extension for each of the attributes, “filtering” the export attribute flows so that only the “FIM managed” groups can update the attributes, and only if the flag is set appropriately. Otherwise the values will be left as they are, which in effect is half of the manual precedence equation that I was wishing I already had.

I do hope that the product team revisits this decision. I really could use manual precedence for the attribute flows. I’m not asking for them to enable a full rules extension capability but please, manual precedence for attribute flows would be simply outstanding and solve a lot of the issues that cannot be resolved using equal precedence or standard precedence when dealing with the FIM MA data.
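The flag-gated export flow described above, sketched as an added example that is not code from the original post: an AD MA rules extension that writes to the connector space only when the metaverse object is marked FIM managed. The metaverse attribute name `fimManaged` and the flow rule name `ExportDisplayNameIfManaged` are assumptions, and a string attribute is used rather than a reference attribute.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added illustration: gate advanced export flows to AD on a "FIM managed" flag.
// "fimManaged" and "ExportDisplayNameIfManaged" are assumed names, not from the post.
public class MAExtensionObject : IMASynchronization
{
    private const string ManagedFlag = "fimManaged"; // hypothetical MV boolean

    public void Initialize() { }
    public void Terminate() { }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        // Fail closed: a missing or false flag means AD stays authoritative,
        // so the connector space value is left exactly as it is.
        if (!mventry[ManagedFlag].IsPresent || !mventry[ManagedFlag].BooleanValue)
            return;

        switch (FlowRuleName)
        {
            case "ExportDisplayNameIfManaged":
                if (mventry["displayName"].IsPresent)
                    csentry["displayName"].Value = mventry["displayName"].Value;
                else
                    csentry["displayName"].Delete(); // managed object cleared the value
                break;
            default:
                // Surface unknown rule names instead of silently skipping them.
                throw new EntryPointNotImplementedException();
        }
    }

    // Entry points this extension does not implement.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
}
```

Each gated attribute needs its own advanced export flow rule and a matching `case`, with the flag attribute included as a source so that flipping the flag re-evaluates the flow.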

This entry was posted in Forefront Identity Manager 2010.

4 Responses to FIM2010–FIM MA and Precedence

  1. I totally agree with you on this one. Perhaps a new Connect item? I’d be happy to vote for it.

  2. Hi Carol,

    I will do that. I have to admit it has been a bit of a thorn in my side and something not easily resolved except using the fuzzy logic I’ve identified above.

    Thanks for reading! 🙂

    B

  3. Blain – if you’re attending TEC2012 you should attend my “The Instant Replay MA for FIM” session – for an abstract scroll to the bottom of http://www.theexpertsconference.com/us/2012/directory-identity/session-abstracts/ – this is a left-field way of allowing you to use manual precedence with the FIM Portal still contributing attributes to the metaverse 🙂

    • Hi Bob. I don’t believe I am going to TEC although it would be a good event. I am always interested in the content there. Can you validate manual precedence in your system for Reference attributes? Every time I get an error stopping me from using References in rules extensions. That is the primary reason I need the manual precedence in the current case. Thanks!
      B
