Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-12-16) Outbound Sync And Provisioning To Connected Data Sources May Not Work In ILM “2”

Posted by Jorge on 2008-12-16

You have created and configured the different MAs for the connected data sources in Identity Manager, and you have also created and configured an MA for the ILM "2" Portal Database. In that MA you have added attributes to the Import Attribute Flow (IAF) and the Export Attribute Flow (EAF). Finally, in the ILM "2" Management Portal you have created Inbound Sync Rules and Outbound Sync Rules, and for those sync rules you have also created the corresponding management policy rules (MPRs) and action workflows (AWs). After doing the initial load of all sources and flowing data into the ILM "2" Management Portal, outbound synchronization and provisioning to those connected data sources may not work.

As you may know, the combination of an MPR and an AW "links" a certain outbound sync rule to an object. The linking is done by adding an Expected Rule Entry (ERE) to the Expected Rule List (ERL) of an object. That information then needs to be synchronized from ILM "2" to the Metaverse (MV). When it arrives in the MV, the engine applies those sync rules to those objects, and outbound sync and provisioning occur as configured in those sync rules.

However, when creating and configuring the ILM "2" MA, a set of default attributes is added to the default list of IAF/EAF for each object of interest. Unfortunately, the attribute called "expectedRulesList" is NOT added automatically, so it must be added manually for each object in the ILM "2" MA for which EAF and provisioning is required to some connected data source. If you forget this, outbound sync and provisioning will not work for that object, because the values of the "expectedRulesList" attribute will never reach the MV and the sync engine will therefore never apply the outbound sync rules to that object.

See the picture below for an example. In this case I just did it for the PERSON object.


Although the documentation says to manually add this attribute to the IAF of the ILM "2" MA, it is easily forgotten. I have made the suggestion to Microsoft to add that attribute to the default list of automatically added attributes when creating and configuring the ILM "2" MA.

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!