Attribute Flow Precedence and Synchronization Rules
I am experiencing some strange and inconsistent behavior regarding Attribute Flow Precedence and Synchronization Rules.
It's a very simple scenario:
Management Agents: AD MA, FIM MA
Let's say I have the AD Attribute flow set using a Synchronization Rule, and I have attribute precedence on the "displayName" attribute set to: 1. FIM MA, 2. AD MA
When a new user is created within AD, the displayName is not being set in FIM when I do a sync run. However, according to the
About Attribute Flow Precedence document, the AD MA should be able to contribute a value to the MV displayName attribute "as long as the attribute has not been populated yet". This does not seem to be the case.
Now, If I remove displayName from the AD sync rule and add it to the attribute flow to the AD MA in the Sync Manager, and then perform the same test, the displayName is set as expected on a new user.
Shouldn't the behavior of the attribute precedence rules be the same, regardless of where the attribute flow is being set?
EDIT: Submitted this as feedback on Connect,
vote it up!
Thanks,
Mark
April 21st, 2010 5:45pm
Mark,
it is correct, the attribute should be in the metaverse but not in FIM(!).
A metaverse attribute value that was contributed by a management agent with a lower precedence value, cannot flow out to a target with a higher precedence.
You are correct, the precedence behavior should be for declarative synchronization rules the same as it is for non-declarative ones.
The attribute flows of the FIM MA are already non-declarative.
If you can repro this behavior, it is bug.
Cheers,
MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation
Free Windows Admin Tool Kit Click here and download it now
April 29th, 2010 6:19pm
Thanks for your reply Markus,
I have reproduced this behavior on two different servers. I posted feedback regarding this on connect, and the response was essentially 'For assistance with product issues you can post to the forum'. I'm not sure where to go from here.
Is there another way to report a bug to Microsoft?
May 5th, 2010 3:15pm
Mark,
I just ran through your scenario and I can't repro it.
My environment works as expected.
Just making sure - you had an inbound synchronization rule with a flow for the displayName:
The attribute flow precedence was configured to have the FIMM with the highest precedence:
Then, you have removed the flow mapping from the synchronization rule and you have added a direct flow for the attribute to the ADMA configuration.
Does this sound so far correct?
Have you actually checked the flow precedence configuration after adding the flow mapping to the ADMA?
My hunch is that you didn't - this would explain why the displayName went through.
After removing the SR flow mapping and adding the direct flow mapping to the MA, the ADMA has the highest precedence.
You need to modify the flow precedence again:
If you do this, you will achieve the expected results - displayName is on the outbound side blocked by precedence:
In both cases, the displayName is not populated in the portal:
Please verify the actual flow precedence configuration in your test cases and let me know what your configuration looks like.
Cheers,
Markus
Free Windows Admin Tool Kit Click here and download it now
May 5th, 2010 6:25pm
Thank you very much for your reply Markus, I greatly appreciate you taking the time to do so.
A question about your test - Does the account you have in AD have the displayName populated? If so, when that user is brought in to the metaverse, shouldn't it flow that displayName in, regardless of precedence, since that value has not yet been populated?
May 7th, 2010 5:58pm
Mark,
I might be wrong, but I have the impression that the flow targets are not clear yet.
The following picture might help:
In the synchronization engine, you have inbound flows (CS->MV) and and outbound flows (MV->CS).
Attribute flow precedence is applied in both cases!
In case of ranked flow precedence, a management agent can populate the metaverse with a value if:
There is no value in the metaverse yet The management agent has a precedence that is equal or higher as the precedence of the last metaverse contributor
In case of an outbound flow, a metaverse value that was contributed by a management agent with a lower flow precedence can never flow towards a connector space with a higher precedence.
It doesn't matter in this case, whether there is already a value for the attribute in question staged in the target connector space.
So, in my test case, displayName was populated in AD and I could flow the attribute value into the metaverse.
However, in order to also flow the value to FIM, it would be necessary to modify the flow precedence.
Does this help?
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
Free Windows Admin Tool Kit Click here and download it now
May 7th, 2010 8:10pm
Markus,
That helped me alot, thanks! There were two things that were tripping me up here.
1) When changing where attribute flows are defined, the attribute precedence changes. So, when I went from defining the attribute flow in the Sync Rule to defining it in the MA properties in the Sync Manager, the attribute flow precedence changed.
2) Attribute flow precedence on outbound flows doesn't behave exactly as on inbound flows. Specifically, on an inbound (to MV) flow, a lower precedence MA can contribute a flow if there is no value yet. Conversely, on an outbound
flow, a value contributed to the MV by an MA with a lower precedence will never contribute a value to the connector space of another MA whose precedence is higher.
This sentence was particularly helpful:
"In case of an outbound flow, a metaverse value that was contributed by a management agent with a lower flow precedence can never flow towards a connector space with a higher precedence."
Thanks again for your help, Markus!
Mark
May 10th, 2010 5:01pm
Thanks.
Clearly mention the picture.
its not avail here.
Free Windows Admin Tool Kit Click here and download it now
November 2nd, 2010 6:50am
On Tue, 2 Nov 2010 10:47:05 +0000, Gnanavinodkumarnisha wrote:
Clearly mention the picture.
its not avail here.
I'm guessing that your post is referring to some graphics in Markus' post?
If so and you can't see them then you're probably using one of the NNTP
bridges to access this forum. To see the graphics go directly to the web
forum using a browser instead:
http://social.Technet.microsoft.com/Forums/en-US/ilm2/thread/13161bc6-d8a7-4f96-8efa-4204cf5561aa#b9069ec5-e426-46c3-b0ff-bfec7e050798
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 2nd, 2010 7:07am