Let me start off by saying this forum is great and a very helpful resource. Thanks to all who contribute to it. My question is regarding attribute flows on the management agents and how they fit in with the attribute flows on a Sync Rule. I am trying to test out a provisioning scenario and I am hitting some roadblocks in understanding the flow. Below is my current scenario and what I am trying to understand: I have a FIM MA with 'Export' attribute flows setup for it. I have a AD MA with 'Import' attribute flows setup for it. I have a AD Sync Rule (Inbound and Outbound) with Inbound and Outbound attribute flows setup for it. It is connected to the AD MA (Active Directory) My question are the following: 1. First off, what is the point of the Sync Rule if you already have attribute flows on the management agents? 2. Is the Configure Attribute Flow Settings on the MAs purely for getting data (attributes) back and forth between the Data Source and CS? i.e. does 'Import' mean push from the CS to the Data Source and does 'Export' mean push from the Data Source to the CS? 3. Is the Synchronization Rule on the AD MA setup for getting data (attributes) back and forth between the MV and the AD CS? i.e. does 'Inbound Attribute Flow' mean push from the MV to the CS and does 'Outbound Attribute Flow' mean push from the CS to the MV? 4. Lastly, is an Export from a CS to the connected Data Source and does it kick off the Sync Rule is doing so on the associated MA? Just confirming that it is NOT from the MV to the Data Source. Thanks in advance for anyone's help. We are beating our heads over this stuff! Daniel Lackey

1. First off, what is the point of the Sync Rule if you already have attribute flows on the management agents? A synchronization rule controls more than just attribute flow.With the exception of the FIMMA, you shouldn't have non-declarative attribute flows configured on your management agents.The non-declarative way is for migration scenarios - from ILM to FIM. 2. Is the Configure Attribute Flow Settings on the MAs purely for getting data (attributes) back and forth between the Data Source and CS? i.e. does 'Import' mean push from the CS to the Data Source and does 'Export' mean push from the Data Source to the CS? No, the option is intended to be used by MAs that can't be migrated right away to use declarative flow rules. 3. Is the Synchronization Rule on the AD MA setup for getting data (attributes) back and forth between the MV and the AD CS? i.e. does 'Inbound Attribute Flow' mean push from the MV to the CS and does 'Outbound Attribute Flow' mean push from the CS to the MV? Close :o) - inbound means from the CS to the MV; outbound means from the MV to the CS. 4. Lastly, is an Export from a CS to the connected Data Source and does it kick off the Sync Rule is doing so on the associated MA? Just confirming that it is NOT from the MV to the Data Source. There are no synchronization rules involved in case of an import or export run profile.Synchronization rules are only part of a synchronization run, which is the "CS-MV-CS" transition.Cheers,MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Hi Markus,Thanks for the response, it does help. Before I mark it for the 'Answer' however could you clarify a couple of things for me? A synchronization rule controls more than just attribute flow. With the exception of the FIMMA, you shouldn't have non-declarative attribute flows configured on your management agents. The non-declarative way is for migration scenarios - from ILM to FIM. When you say "non-declaritive" attribute flows, does that mean the Configure Attribute Flow Settings on the MAs? Are you essentially saying that with a properly configured sync rule, inbound and outbound, that the only place I need to do attribute flows on the MA is on the FIM MA? Sorry if I am repeating a question, but that's a tough one to understand. No, the option is intended to be used by MAs that can't be migrated right away to use declarative flow rules. Could you please clarify a little bit what that means? There are no synchronization rules involved in case of an import or export run profile. Thanks for clarifying that one. Can you please confirm what I was saying is correct, in that the Export on a MA is from the CS to the Data Source? Thanks again Markus, you are making learning FIM much easier for a lot of people. Daniel

When you say "non-declaritive" attribute flows, does that mean the Configure Attribute Flow Settings on the MAs? Are you essentially saying that with a properly configured sync rule, inbound and outbound, that the only place I need to do attribute flows on the MA is on the FIM MA? Sorry if I am repeating a question, but that's a tough one to understand. This is correct. No, the option is intended to be used by MAs that can't be migrated right away to use declarative flow rules.Could you please clarify a little bit what that means? One design goal for declarative provisioning is to be 100% compatile to the "old way" of doing things.The "old way" means how one would would have done it in ILM.As you can see in your example, you can configure attribute flow mappings in a synchronization rule and you can do it in the management agent's configuration.There is a new way of doing things and there is an old way of doing things.You can even configure provisioning in form of a metaverse extension in FIM.Developing a complete solution in ILM is an investment and migrating a solution from the old way to the new way can take a while. It is basically up to tp pick and choose who you want to get your objects from a connector space to the metaverse and from the metaverse to other connector spaces... Can you please confirm what I was saying is correct, in that the Export on a MA is from the CS to the Data Source? This is correct.Cheers,MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thanks Markus! That helped clear things up for me. I will give it a try and post here again if I have any issues. Daniel

What was / is the most confusing part for you?Is it about the relationship of declarative synchronization rules and the "old way" of doing it?If you could summarize this in a few sentences, I may write an article about it...Cheers,Markus Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

I think an article for this would be an excellent idea. The main confusion for me was understanding that the Sync Rule is what handles everything from the Connector Spaces to the Metaverse for any Data Source. Also it helped to understand that the Import (run profile) on a Data Source is implied (besides on the FIM MA), and no Attribute Flow configuration is needed on the Management Agents. It makes sense though that it is needed on the FIM MA because that one cannot have a sync rule setup to handle moving the attributes. I think the "old way" never applied to me because I am new to FIM and have never used ILM. My situation was coming in and setting up a new environment that involved getting Active Directory synced up with FIM and configuring provisioning/deprovisioning both directions. I am still working on getting this setup but I am closer now with the better understanding of the data flow. In summary, if you could write an article that described the proper way to set this up from an Configure Attribute Flow and a AD Inbound/Outbound Sync Rule perspective maybe with some illustrations, I am betting it would help a lot of people to understand it better. An explanation of the difference between "declarative" and "non-declarative" synchronization rules would also be good to explain. Hope that helps, Daniel

Thanks a lot, Daniel, this is really helpful.If you can think of more topics that are missing, please feel free to post something to the Suggestion Box.Cheers,MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation