Start Approval Workflow from HR Feed
Hi all,

I populate the FIM2010 Portal with an Inbound Synchronization Rule (ISR) from an HR target system. The ISR creates a user object in the portal with an employeeType = "Non Approved HR Person". There is also a corresponding set that reflects the employeeType. So far so good, the ISR works fine and the set membership also works as expected.

Now I want to trigger an MPR that first starts an AuthZ workflow (for all members of the set "Non Approved HR Person", request an approval from admins) and, after successful approval, an Action workflow (Outbound Synchronization Rule to provision the account in Active Directory).

How can I set up this scenario with the following boundary condition: "When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows will run"

Any comments are appreciated.

Thomas
October 9th, 2009 12:14pm
There are a couple of options, but I would recommend performing a custom Action Workflow Activity that has an explicit Actor ID set that IS NOT the Sync Service ID. As you noted, the Sync Service ID automatically skips AuthN and AuthZ. Then create another MPR that only fires for that Actor ID to send an approval request for your activity. This accomplishes three things:

1) Works around the noted limitation in the Sync Service ID for follow-on approvals.
2) Still puts the person data in the database no matter the approval status.
3) Creates a very restrictive approval MPR that is unlikely to fire accidentally if other people make similar requests.

Many people don't consider #3 to be that important, but as the number of MPRs grows, accidental triggering of MPRs will become more difficult to prevent. So making MPRs as restrictive as is reasonable will help prevent accidents as your implementation evolves.

Eric
October 9th, 2009 3:32pm
Eric,

do you mean with "explicit Actor ID" the creator attribute/property of the FIM user object?

I've created an activity workflow that updates the [//Target/Creator] with the GUID of a dummy account and linked it with a meaningful MPR. Now, when I populate the FIM portal with new users I can see that the Creator property of a newly created portal user changes from "Built-In Synchronization Account" to "my Dummy Account".

However, when I create the second MPR that should start the approval and outbound sync, the result is as before. The AuthN is not executed, the OutboundSync workflow starts immediately.

Did I miss anything else?

Thanks for any feedback

Wolfgang
October 20th, 2009 6:35pm
Sorry for not catching this, it fell through...

Strange, since the new Request should have been automatic. If you review the request from "my dummy account" you should see the MPRs that are fired on it. Your approval MPR should have fired.

Also in Update 3, there is a new "Set Transition MPRs". They may also be an option as they are independent of request. I haven't verified that they would work but I'm pretty sure they should.

Eric
February 18th, 2010 4:23pm
Requests that are created by the synchronization service or FIM workflow activities will not trigger authentication or authorization workflows.

To trigger an approval workflow from a workflow activity, you will need to submit the request from a custom activity that issues the request through a Web Service client instead of one of the FIM activities. The FIM PowerShell cmdlets can be used, for example, to submit a request through the FIM Web Service.
March 4th, 2010 6:59am
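Added example, not part of any post in this thread: a sketch of submitting a request through the FIM Web Service with the FIMAutomation cmdlets, run under an account that is not the synchronization service account, so that a matching approval MPR is evaluated on the request. The service URI, the account name and the target employeeType value "Approved HR Person" are assumptions for illustration.

```powershell
# Added example (not from the thread). Run as a regular service account,
# NOT the Built-in Synchronization Account, so AuthZ MPRs are evaluated.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$uri         = 'http://localhost:5725/ResourceManagementService'  # assumed endpoint
$accountName = 'jdoe'                 # constructed sample account
$newType     = 'Approved HR Person'   # hypothetical target value

# The account name is placed in an XPath filter, so accept a strict pattern
# only; this keeps quotes and brackets out of the query.
if ($accountName -notmatch '^[A-Za-z0-9._-]{1,64}$') {
    throw "Refusing account name with unexpected characters: $accountName"
}

# Resolve the Person resource through the Web Service.
$found = @(Export-FIMConfig -Uri $uri -OnlyBaseResources `
           -CustomConfig "/Person[AccountName='$accountName']")
if ($found.Count -ne 1) {
    throw "Expected exactly one Person for '$accountName', found $($found.Count)"
}
$id = $found[0].ResourceManagementObject.ObjectIdentifier

# Describe the attribute change carried by the request.
$ns = 'Microsoft.ResourceManagement.Automation.ObjectModel'
$change = New-Object "$ns.ImportChange"
$change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
$change.AttributeName  = 'EmployeeType'
$change.AttributeValue = $newType
$change.FullyResolved  = $true
$change.Locale         = 'Invariant'

# Wrap it in an update (Put) of the existing Person.
$import = New-Object "$ns.ImportObject"
$import.ObjectType             = 'Person'
$import.SourceObjectIdentifier = $id
$import.TargetObjectIdentifier = $id
$import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
$import.Changes                = @($change)

# Submitted as a Web Service request under the caller's identity. If an
# approval MPR matches this requestor and operation, the change is held
# until an approver responds.
Import-FIMConfig -Uri $uri -ImportObject $import
```

The account running this needs its own MPR granting the modify request, and the approval MPR should be scoped to that requestor only, in line with the earlier advice to keep MPRs restrictive.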
What about a custom activity that fires its own "Approval Activity"???
The reason I ask is that I too would like to fire an approval flow from a change in set membership, but this is not an option via transitional sets. I have also tried getting an approval workflow to fire from a change caused by an action workflow, but the approval workflow is not started.
March 6th, 2010 2:15am
One of my partners tested that. The approval activity just doesn't fire even if it's embedded in a custom workflow.

Eric
March 9th, 2010 6:59pm


