
How to best choose a distinguished name (dn)


Hello!
I flow the following directly on inbound into the MV:
Firstname
Lastname
Address
SocialSecurityNumber
City
TelephoneNumber
MiddleName

The following flow by using a Rules Extension:
FirstName,LastName,SocialSecurityNumber -> uid
FirstName,LastName,MiddleName, SocialSecurityNumber -> mail

uid is always unique and might look like for Nisse Hult nihul01
mail is also unique and might look like nisse.h.hult@projekt.se

So now to my question: what is the best choice to select a dn from these?
The only requirement, as I understand it, is that it must be unique.
So in my case I chose uid.
Should I have chosen a different dn, for example SocialSecurityNumber?

//Tony



A question about understanding


Hello!

I have tested, but this row will never contain more than 1 even if the CS contains more objects.
// Number of connector space objects in the MA "MyTestAgent" that are joined to this metaverse entry
int foo = mventry.ConnectedMAs["MyTestAgent"].Connectors.Count;

Can somebody explain when the above statement will contain more than 1?

Please explain also what is a connector.

//Tony


I have data in MV but the code for provision is not called when doing Full Sync


Hello!
I must say that I'm a beginner in MIM.

In Tools -> Options I have checked "Enable provisioning rules extension" and I have added the new MessageWorkFlow.dll to MIM Config.xml as you can see below.

<MV-Extension-To-Run>
    <DLL>Devexus.MIM.VAG.MVE.Active Directory Exchange.dll</DLL>
    <DLL>Devexus.MIM.HIT.MVE.Elevrapport.dll</DLL>
    <DLL>MVE - TESTHDAgent.dll</DLL>
    <DLL>MVE - ProjektAgentHemkatalog.dll</DLL>
    <DLL>MVE - MessageWorkFlow.dll</DLL>
    <DLL>VAG.MVE.Homedirectory.dll</DLL>
</MV-Extension-To-Run>

This Provision method below is never called when I run the profile Full Sync on the agent MessageWorkFlow. I have set a BP in this method but nothing happens.
void IMVSynchronization.Provision(MVEntry mventry)
{
    // Check whether it is a person
    if (mventry.ObjectType == "personT")
    {
        ProvisionMessageWorkflow(mventry);
    }
}

I have also set two rules extensions, but because provisioning is not being called I can't have any export flow.
Can anybody help me with why the provision is not being called?
This agent MessageWorkFlow is of type Extensible Connectivity.

//Tony

What are the requirements for provision being called


Hello!

I just wonder, when I do a full sync, what are the requirements for Provision (method below) being called?

void IMVSynchronization.Provision(MVEntry mventry)
{
    ...
}

//Tony

New version of MIM Config Documenter tool now available on GitHub

Just want to cross post that a new version of MIM Configuration Documenter tool is now open sourced on GitHub at: https://github.com/Microsoft/MIMConfigDocumenter/releases. Apart from a couple of bug fixes, it has significant perf improvements so the config report should get generated much faster now.

How can you call MapAttributesForExport and read from csentry


Hello!

I must say that I'm new to MIM.
I have understood that the method MapAttributesForExport below is used for preparing the connector space with data that will be used for export. When you have an export flow that you can flow directly from MV to CS, you don't need to specify it in MapAttributesForExport.
Can somebody explain how it is possible to read from csentry as is done in this method below? I can't understand that.

void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
{
    bool sentOk = false;

    if (csentry["sentOk"].IsPresent)
    {
        if (csentry["sentOk"].Value.ToLower() == "true")
        {
            sentOk = true;
        }
    }

    switch (FlowRuleName)
    {
        case "message":
            // Only set/update values if not all mails have already been sent
            if (sentOk == false)
            {
                if (csentry["objectType"].Value.ToString().ToLower() == "employee")
                {
                    // (the rest of the method was not included in the post)
                }
            }
            break;
    }
}

//Tony

Upgrading the MIM server from Windows Server 2008 R2 to 2012


Hi,

I need to upgrade my MIM sync server and 4 MIM portal servers from Windows Server 2008 R2 to Windows Server 2012.

I prefer an in-place upgrade for all portal servers since I can take one out of the load balancer at a time and upgrade it. But for the MIM sync server I am confused whether to perform an in-place upgrade or a new-server approach.

I doubt if there will be any issues to the applications (MIM portal and MIM sync) if we follow any of the above approach.

Will there be any problem with the .NET framework?

Kindly assist me.

Thanks


Rajesh

Pending Export does not call ExportEntry


Hello!

I have noticed that even though you have objects that have status pending export,
only BeginExport and EndExport are being called and not ExportEntry.

If I delete all the CS and run the profile again, ExportEntry is called.
Now I test this. I set a BP on the first row in ExportEntry and when the BP is hit I stop the debugger.
I can now see that the object is still in status pending export, so I attach the debugger again and set a BP on the same first row in this method ExportEntry and run the profile again; now, for some strange reason, only BeginExport and EndExport are being called and not ExportEntry, even though all objects had status pending export.
This is very strange.

public void ExportEntry(
    ModificationType modificationType,
    string[] changedAttributes,
    CSEntry csentry)
{
    logHeader = true;
    // (the rest of the method was not included in the post)
}

How is this possible. 

//Tony



Run miisclient.exe on a workstation/different computer


Is there a way to run miisclient.exe (the FIM/MIM management client GUI) on a computer other than the one where the sync service is running?  We have a general mandate (which is in line with MS best practices) to use server core for servers where possible and to not use remote desktop or similar crutches for anything except service or disaster recovery. 

One problem with FIM/MIM is that it looks like the management client only runs on the computer where the sync service is installed. That basically means that you have to connect to the server running security-sensitive operations (like password sync, for example) with a remote desktop interactive login to do anything but a limited set of the most basic management. Sure, there are a few things you can do with PowerShell or WMI, but that is very limited and often doesn't provide anywhere near the required functionality for administrative operations.

So is there some way to run miisclient.exe on a computer other than the one running the sync service and have it manage the sync service?

Thanks,

About best practice to validate SocialSecurityNumber


Hello!

I have one agent to read the datasource and one agent to create homedir.

I use Extensible Connectivity Agents and wonder about one thing. Assume SocialSecurityNumber has an invalid format in the database. Where would I validate this?

HomeDir  CS   MV   CS   CD(datasource)

Is there any best practice about this? This validation can be done in many different places.

//Tony

Export based on Metaverse attribute property


There is an MV attribute "employeeStatus" that is either A (Active) or I (Inactive). I am creating a text file MA that will only have an Export run profile, and I only want to export person objects that have employeeStatus = A.

Additionally, I do not want to export that attribute, just check its value. I could not see how to do this, so any help much appreciated.

About to understand full import


Hello!

I have read about full import and I just want to confirm that I have understood it correctly.
So assume you do a full import where the database table consists of just 10 rows; you will have 10 objects in the CS after the full import. You also do a full sync after the full import.

We also assume that socialSecurityNumber is the primary key in the database table and we will use socialSecurityNumber as the MAID in CS.
Now assume that I change a telephone number on one row, delete a row in the database table and add a new row in the database table, and now you do a full import. You still have 10 rows in the database table. What will happen?
I believe this.

1. The whole CS is refreshed again so everything will be new; it's like removing everything from the CS and loading everything from the database table.
2. If you do Search Connector Space you will still have Connector=true for those objects in MV where the socialSecurityNumber still exists. As I mentioned before, socialSecurityNumber is the MAID.
3. You will have Connector=true for all except one, which is the one you added, where you have Connector=False.


//Tony

MIM 2016 SP1 PAM request privileged on behalf


Hi colleagues,

is it possible to request privileges using MIM PAM or the MS PAM Portal (Github) on behalf of a user?

My idea is to have an unprivileged user logged in to a PAW and request privileged roles for his different users in tier 0, tier 1 or tier 2.

As far as I understand the MIM PAM system, I can only request privileged roles for myself (my priv user in the bastion forest), right?

Maybe someone can help me with this question or push me into the right direction.

Thanks

Chris

Microsoft Identity Management


Does Microsoft provide any MOC on Microsoft Identity Management and the labs for preparing for it?

If yes, what is the course code for it?

I have a class next month and I need the PPT, book and VM for training.

MIM Portal Sync Rules have become orphaned


We are running a MIM 2016 (latest patch) Portal/Service and Sync system (separate servers). We created a few Synchronization Rules within the MIM portal to perform data syncs from a SQL agent into an AD environment (group membership management). The environment was not touched for a few weeks and when we came back to it the Portal was offline. Upon starting the portal and going into the list of Synchronization Rules, each rule lists the following beside it:

<guid>
The referenced Management Agent has been deleted. Please delete this Synchronization Rule, update the external system field or re-import the deleted Management Agent)

Please note.  We did NOT remove any of the management agents from the sync server.  We did not change any MA configuration such as service account details, etc.

We checked the workflow history in the portal and found that the Built-in Synchronization account deleted the ma-data for each agent from the portal, and attempting to add it back resulted in an error.

Anyone experience something similar before and managed to resolve without wiping everything out and re-creating?


AK


A simple question about JOIN


Hello!

I have two agents: one is reading an AD database table and the other is reading an HR table.
The AD table contains SSN (short for socialSecurityNumber), firstName, lastName and some more. I have set this SSN as the primary key.
The HR table contains SocialSecurityNumber, firstName, lastName and some more.
SocialSecurityNumber is the primary key.
I have a direct join on SSN with SocialSecurityNumber and if not successful I project.
I have this direct join for both agents.

In the database I have set firstName to NisseFromAD in the AD table and
NisseFromHR in the HR table.

Now I do the following.
I start with clearing the CS
Full Import AD (I can see that firstName = NisseFromAD in CS)
Full Sync AD
(Now I can see that firstName =NisseFromAD in MV)
Full Import HR (I can see that firstName = NisseFromHR in CS)
Full Sync HR
(Now I can see that firstName =NisseFromAD in MV)

My question is: why is firstName not = NisseFromHR?
I mean, why was it not changed when I ran Full Sync HR?

It seems to me that the first agent that is writing to MV will be the owner of the attribute.
The agent that is coming after can't change it because it is not the owner.

How can I change it so that AD is always the owner of the attributes firstName and lastName, so that AD always overrides if a value already exists for firstName and lastName in MV?


//Tony



Who will be announced as the next FIM Guru? Read more about August 2018 competition!!



What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in September 2018 and must be in English. However, the original blog or forum content can be from before September 2018.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read More about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from Paul Long.

Thanks in advance!
Ninja Kamlesh Kumar, TechNet Wiki Council



Thanks,
Kamlesh Kumar

If my reply is helpful please mark as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


Microsoft Identity Manager


Hi Team, 

Do we have a connector built in with MIM for SAP integration for identity sync? If yes, please help me with some links that would help in integrating MIM with SAP. Is there any consolidated article that would help in knowing what other products can be integrated with MIM out of the box / are supported with MIM and have connectors?

Any inputs will be appreciated. Thanks 

Regards,

Group management- Self Service Query


Hello All,

I want that in SSPR users should be able to search Security Groups (which contain their department name) and request to join them. I am not sure about the exact steps to follow. The default behaviour is that the user is not able to search for the security groups created so far. So I think the following steps need to be followed, but I am getting lost as I am unable to put the pieces together (which I think I attribute to MIM processes like MPRs etc.).

Taking the department of Finance as example

a- A set for particular department "Finance" needs to be created.

b- A search scope for "My entitlements" needs to be defined.

c- An MPR/MPRs needs to be defined for the users to request

Can anybody guide me in achieving this?

Thanks in advance



How to control the update to attribute


Hello!

I'm new to MIM so I will try to implement the solution in this article:
https://social.technet.microsoft.com/wiki/contents/articles/26099.fim-2010-r2-metaverse-attribute-flow-precedence-and-dealing-with-blank-values.aspx#Code

Introduction

In FIM, attribute flow precedence determines which Management Agent (MA) gets priority when more than one is contributing to a field in the Metaverse. If an MA does not have a value then the value of the next one down in the priority list is used. This can become a problem if you have an MA at the top of the list that you have designated as the authoritative source for that field: if the field is blank in the authoritative MA, you want the field value exported out to the remote system to be blank even where other contributing MAs have a value. The example below uses the Middle initial field to illustrate this problem and a workaround that I did.

Case Overview

Contoso wants to update their Active Directory (AD) with data from the Human Resources (HR) database. One of the fields that will flow from the HR MA to the AD MA is the middle initial field. AD already has pre-existing data that should be overwritten. Not all users in AD are managed in the HR system, so there is a need to maintain the AD records of some users.

Contoso would like the following requirements for the synchronisation of the middle initial:

  1. If a value exists in HR then overwrite AD.
  2. If a value does not exist in HR then set the AD value to blank.
  3. If HR is not contributing to the AD object then use the value in AD.

Solution requirement
  1. We want user data from Contoso AD projected into the FIM metaverse (MV).
  2. We want a join between the HR MA connector space (CS) object and the MV object.
  3. We want to be able to identify when an HR MA object is connected to the MV object.
  4. We want to capture the AD object Initials separately from the HR MA Initials.
  5. We want to export the initials based on Contoso's requirements.

Solution design

  1. We want user data from Contoso AD projected into the FIM metaverse (MV). Create a person projection rule for the AD MA.
  2. We want a join between the Contoso HR MA connector space (CS) object and the MV object. Create a join for a field (e.g. email or employee number) in the Contoso HR MA to the MV.
  3. We want to be able to identify when an HR MA object is connected to the MV object. Create a string field in the MV for the person object called HRFeed. Add an advanced attribute flow in the Contoso HR MA which will flow a constant value of "HR" into MV.HRFeed.
  4. We want to capture the AD object Initials separately from the HR MA Initials. In the Contoso HR MA flow the Middle Initial to MV.Middlename. In the AD MA flow the Initials to MV.Initials.
  5. We want to export the initials based on Contoso's requirements. In the AD MA create an advanced export flow, taking MV.Middlename, Initials and HRFeed flowing to CS.Initials, and call the flow rule "ExportInitials". Write C# logic in the sync engine.

Code logic

The ExportInitials flow rule.

  1. If MV.HRFeed is present then HR is connected to the MV object; use MV.middlename if it is present.
  2. If MV.HRFeed is not present then HR is not connected to the MV object; use MV.Initials if it is present.

I need some help about this. I have done the following.
I have created a projection rule so that objects from the AD are projected into the FIM metaverse (MV).

What does this mean under solution design?

  1. We want a join between the Contoso HR MA connector space (CS) object and the MV object. Create a join for a field (e.g. email or employee number) in the Contoso HR MA to the MV.
    Is this just an import flow?

    //Tony
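The ExportInitials flow rule described in the quoted solution design, and the question earlier on this page about how MapAttributesForExport reads csentry and writes the CS, can both be illustrated by one rules extension. This is an added example, not code from the post, from the referenced wiki article or from Microsoft; the class name and the attribute names (MV: middleName, initials, HRFeed; AD CS: initials) are assumptions.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example (not the post's or the wiki article's code). Class name and
// attribute names (MV: middleName, initials, HRFeed; AD CS: initials) are assumed.
// Only the export flow rule is implemented; the other interface members keep
// the standard "not implemented" template bodies.
public class ContosoAdMaExtension : IMASynchronization
{
    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    { throw new EntryPointNotImplementedException(); }

    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case "ExportInitials":
                ExportInitials(mventry, csentry);
                break;
            default:
                // An unexpected flow rule name is a configuration error; fail loudly.
                throw new EntryPointNotImplementedException();
        }
    }

    private static void ExportInitials(MVEntry mventry, CSEntry csentry)
    {
        // HRFeed carries the constant "HR" only while an HR CS object is joined,
        // so its presence tells us whether HR is authoritative for this person.
        bool hrConnected = mventry["HRFeed"].IsPresent;
        // Requirements 1/3: HR's middle initial when joined, otherwise AD's own value.
        string source = hrConnected ? "middleName" : "initials";

        if (mventry[source].IsPresent)
        {
            csentry["initials"].Value = mventry[source].Value;
        }
        else if (hrConnected)
        {
            // Requirement 2: HR is connected but has no value, so blank the AD value.
            csentry["initials"].Delete();
        }
        else
        {
            // Neither source has a value: decline so the AD value is left untouched.
            throw new DeclineMappingException();
        }
    }
}
```

The advanced export flow for the AD MA must list middleName, initials and HRFeed as source attributes and be named ExportInitials, otherwise the sync engine never hands this rule the values it reads.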

