FIM 2010-A Case for Declarative Rule Use

I continue to work along within the design of a system and have been working with objects that have reference attributes that have to be flowed. For those of you who have followed my blog, I recently posted a discussion about precedence and how manual precedence issues have made a recent implementation a bit more complicated for me than I would have liked. See “FIM2010-FIM MA and Precedence”.

Now, within a similar situation, I have an object that can be authoritative in either Active Directory or FIM. The object has reference attributes which are not to be updated except when the group is flagged as being managed in FIM.

In the classic sense, I would create a simple rules extension and define an advanced export attribute flow rule. But here’s the rub: when I try to create the rule, I get an error message in a dialog that reads “Metaverse reference attributes can not be defined as source attribute for rules extension export flow.” (I’ve included the box for colour below.)


Although I have appropriate MPRs and such configured so that changes to the attribute containing the list of references will be denied, I also believe in the astute powers of human behaviour and the will to make systems do things that they are not necessarily designed to do. (Or someone just not liking the error message they get on the unmanaged objects and therefore disabling the MPR causing the error to be thrown!)

Long story short, in these cases within the classic rules paradigm, a change may be made and populated into the Active Directory although it shouldn’t.

Here’s where the declarative rules come into play. I can resolve this issue by having no export attribute flow rules defined in the Synchronization manager and simply create the outbound synchronization rule with my flows including the direct mapping of reference attribute source to reference attribute target.

A set of objects whose membership is based on the “managed” flag being set to true, paired with a transition-in MPR to add the outbound synchronization rule and a transition-out MPR to remove it, provides the solution to this issue.
