The other day while working in the FIM Service, I added an attribute type to the schema and bound it to one of the resource types that was being picked up and synchronized via the Synchronization Service. I noticed, however, that after the change was made and the attribute was populated with data, I received the “app-store-import-exception” when trying to do the delta imports.

Turns out the issue was quite simple. The FIM MA was getting updates from the FIM Service that included an attributeType that was not included in the MA’s record of the schema.

To fix the issue, all that was required was to refresh the FIM MA schema and redo the import, which worked fine.

This did lead me to ask myself: why did this happen? It turns out it was a configuration shortcut that I had taken a while back, when first building the system for testing, that never got corrected. The MPR that granted permission to the synchronization engine for reading the objects was set to “all attributes”. Therefore, simply adding the attribute to the FIM Service and that resource type made it immediately available to the FIM MA.

Those who have attended my training classes for FIM 2010, as well as I, have yet another reason why I like to avoid that “All Attributes” selection when granting permissions. It can be the root of a lot of different issues, including but not limited to the improper disclosure of data to people or systems that should not otherwise be authorized.
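One way to find MPRs that still carry the “All Attributes” selection, as an added example that is not part of the original post. It assumes the FIMAutomation snap-in is installed, that the FIM Service listens on the default local endpoint, and that “All Attributes” is stored as `*` in the MPR's `ActionParameter`; the `Get-AttrValues` helper is a hypothetical name introduced here.

```powershell
# Added example (not from the original post): report enabled, rights-granting
# MPRs whose attribute selection is "All Attributes".
# Assumptions: FIMAutomation snap-in present; default local FIM Service URI;
# "All Attributes" is stored as "*" in ActionParameter.
param([string]$Uri = 'http://localhost:5725/ResourceManagementService')

Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Hypothetical helper: return every value of one attribute on an exported object.
function Get-AttrValues($obj, [string]$name) {
    $attr = $obj.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if (-not $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

# Pull only the MPR resources themselves, without resolving referenced sets.
$mprs = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule'

$findings = foreach ($mpr in $mprs) {
    # Skip MPRs that name their attributes explicitly.
    if ((Get-AttrValues $mpr 'ActionParameter') -notcontains '*') { continue }
    # Skip disabled MPRs and MPRs that do not grant permissions.
    if ((Get-AttrValues $mpr 'Disabled') -contains 'True') { continue }
    if ((Get-AttrValues $mpr 'GrantRight') -notcontains 'True') { continue }

    [pscustomobject]@{
        DisplayName  = (Get-AttrValues $mpr 'DisplayName') -join ''
        ActionType   = (Get-AttrValues $mpr 'ActionType') -join ','
        PrincipalSet = (Get-AttrValues $mpr 'PrincipalSet') -join ''
    }
}

# Each row is an MPR to revisit and narrow to an explicit attribute list.
$findings | Sort-Object DisplayName | Format-Table -AutoSize
```

`PrincipalSet` is printed as the reference to the requestor set, so the row for the synchronization engine's MPR can be matched by looking up that set in the portal.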

