Filtering objects in Inbound Synchronization Rule

Hi 
I want, under certain conditions, to stop an inbound sync on a user object that is in the FIM metaverse, based on a condition that exists in the metaverse and not in the CS of the management agent.
That is, when a metaverse attribute is updated on a user, this user should not be part of the inbound sync any more. I want all attribute flow to stop for this user.
Is it possible to do that?
Thank you.
MM

Once you have corrected your import flow in the sync rule, you have to do the following:
- Import on FIM MA (Delta would be enough)
- Full Sync on FIM MA (as sync rules were changed)
- Full Sync on AD MA - to import the objectSID of every object from AD
- Export to FIM MA (to update objectSID - make sure you have a suitable flow in the sync engine)
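As an added illustration of the run sequence in the answer above (example code, not from the thread), the following PowerShell drives the FIM Synchronization Service through its WMI provider and stops at the first run profile that does not return success. The management agent names ('FIM MA', 'AD MA') and the run profile names are assumptions; use the names configured in your own Synchronization Service Manager.

```powershell
# Added example (not from the original thread): run the answer's sequence of run profiles
# against the FIM Synchronization Service through its WMI provider, stopping at the first
# failure. MA and run-profile names below are assumptions; substitute your own.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Get-MA([string]$Name) {
    # MA names are looked up verbatim; a name containing a single quote would need escaping.
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name = '$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found" }
    return $ma
}

function Invoke-RunProfile([string]$MaName, [string]$Profile) {
    $ma = Get-MA $MaName
    Write-Host ("{0}: starting '{1}'" -f $MaName, $Profile)
    # Execute() blocks until the run finishes and returns the run status string,
    # e.g. 'success', 'completed-sync-errors', 'completed-export-errors'.
    $result = $ma.Execute($Profile).ReturnValue
    Write-Host ("{0}: '{1}' finished with '{2}'" -f $MaName, $Profile, $result)
    if ($result -ne 'success') {
        throw "Run profile '$Profile' on '$MaName' returned '$result'; stopping the sequence"
    }
}

# The sequence from the answer above (names are assumptions).
Invoke-RunProfile -MaName 'FIM MA' -Profile 'Delta Import'
Invoke-RunProfile -MaName 'FIM MA' -Profile 'Full Synchronization'
Invoke-RunProfile -MaName 'AD MA'  -Profile 'Full Synchronization'
Invoke-RunProfile -MaName 'FIM MA' -Profile 'Export'
```

Because Execute() blocks, a Full Synchronization on a large metaverse holds the script for the whole run, which is what makes the stop-on-first-failure check useful: an export is never started on top of a synchronization that ended with errors. The account running the script must be a member of the FIMSyncAdmins or FIMSyncOperators group for the WMI provider to accept the call.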

Similar Messages

  • Add attributes to an AD Inbound synchronization Rule with PowerShell

    Hi all,
    I created an AD inbound synchronization rule and after I ran the sync I can't access the portal even with the fimadmin account. I guess it's missing the objectSID and domain attributes. Can I add these attributes with a PowerShell script, and if yes, what are
    the commands?
    Thanks
    Teka

    No, you cannot set those values as you don't have any account that can be used to do so. You can try to do it, but you would fail, as you have to have valid credentials to access the FIMService and update any values there. And if you don't have such credentials,
    you'd be unable to update them.
    You can use the Sync engine, if the FIM MA service account still works as expected, to fill those attributes - create a direct import flow from AD and an export to FIM (remember that your direct flow has to take precedence).
    Or restore the copy of the FIMService database that you made before making changes.

  • "sync-rule-inbound-flow-rules-invalid" error on synchronizing an Inbound Sync Rule from the FIM connector space to the Metaverse

    I have created an inbound sync rule in the FIM portal to import groups from an external system (SQL Server) into the metaverse.  I can import the rule from the FIM MA into the FIM connector space but when I run a full sync on the FIM MA I get the error
    "sync-rule-inbound-flow-rules-invalid".  The only way I have found around the error is to remove all the attributes from Inbound Attribute Flow in the sync rule.  However, this defeats the purpose of having the sync rule in the first place.  Searching
    the Web, I have come across posts from other people with "sync-rule-inbound-flow-rules-invalid" problems but the solutions do not seem to work in my situation. 
    A little background about the sync rule
    Metaverse Resource Type: group
    External System Resource type: group
    Relationship Criteria: accountName (metaverse) = "string field" (ConnectedSystemObject)
    Create resource in FIM: yes
    Inbound attribute flow:
    - Domain
    - Member
    - DisplayName
    - accountName
    - MembershipLocked
    - MembershipAddWorkFlow
    - Type
    - Scope
    I am new to FIM so it's possible I have overlooked something in the setup of this sync rule. Any suggestions on possible causes of this issue would be greatly appreciated.

    There is no scope filter.   In regards to the attribute flows, no functions are used.  Here is further information about the attribute flows
    Set up of inbound attribute flow for the inbound synchronization rule:
    Metaverse                 External System (SQL Server view)
    - Domain                  Domain (string)
    - Member                  Member (multi-valued attribute)
    - DisplayName             ObjectDescription (string)
    - accountName             ObjectID (string)
    - MembershipLocked        'false' (set up as a string literal)
    - MembershipAddWorkFlow   'Owner Approval' (set up as a string literal)
    - Type                    'Security' (set up as a string literal)
    - Scope                   'Universal' (set up as a string literal)
    Is this the info you were asking for?  If not, please clarify what details you are looking for in regards to the  sync rule.

  • How to pass any type of objects into Portal's rules engine?

    Is it possible to pass any type of object into the Portal's rules engine? Or can BEA's Portal service rules engine only accept a limited number of object types?
    Is there any information about BEA's rules engine? And can we use its rules engine without using its Portal service?
    Thank you.

    I worked on the BEA rules engine 4 months back. I'm sure you can pass any Java object to its working memory. I am giving my sample rules here; hope it will be helpful for you.
    I just replaced the package name; other than that everything is from a working project. Open it in XMLSpy; it should be clear from the description. If you have any questions, post back.
    <cr:rule-set is-complete="true" xmlns="http://www.bea.com/servers/p13n/xsd/expression/expressions/2.1.1" xmlns:cr="http://www.bea.com/servers/p13n/xsd/rules/core/2.1.1" xmlns:literal="http://www.bea.com/servers/p13n/xsd/expression/literal/1.0.1" xmlns:string="http://www.bea.com/servers/p13n/xsd/expression/string/1.0.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/servers/p13n/xsd/rules/core/2.1.1 rules-core-2_1_1.xsd">
      <cr:rule is-complete="true">
        <cr:name>TaxForm1040</cr:name>
        <cr:description>If salary is 70,000 then this rule makes 1040 as required form</cr:description>
        <cr:conditions>
          <multi-and>
            <multi-and>
              <equal-to>
                <instance-method>
                  <variable>
                    <name>SalaryField</name>
                    <type-alias>com.blah.field.REInputObject</type-alias>
                  </variable>
                  <name>getKey</name>
                </instance-method>
                <literal:string>Salary</literal:string>
              </equal-to>
              <equal-to>
                <instance-method>
                  <variable>
                    <name>SalaryField</name>
                    <type-alias>com.blah.field.REInputObject</type-alias>
                  </variable>
                  <name>getValue</name>
                </instance-method>
                <literal:integer>70000</literal:integer>
              </equal-to>
            </multi-and>
          </multi-and>
        </cr:conditions>
        <cr:actions>
          <new-instance>
            <type-alias>com.blah.field.RequiredField</type-alias>
            <arguments>
              <literal:string>1040</literal:string>
            </arguments>
          </new-instance>
        </cr:actions>
      </cr:rule>
    </cr:rule-set>

  • ABAP objects for transfer/update rules - does this apply to include stateme

    I have a question about the new requirement for the code in the update/transfer rules to be written to ABAP Objects standards. Does this still apply if in your update rules you are using include programs? Does this mean that when we upgrade we will have to follow the ABAP Objects standards (i.e. no header lines)?

    Routines will be method based.
    In addition to what Chetan has sent, check this how to also.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6090a621-c170-2910-c1ab-d9203321ee19
    Ravi Thothadri

  • IDOC inbound conversion Rules

    Hi to all,
    I'm implementing an inbound interface for cost centers using IDoc message type COSMAS and IDoc type COSMAS01.
    I want to modify the IDoc data, changing the cost center code to another one stored locally in a parameter table (Z*).
    I think the best way to do this is by creating a conversion rule in BD72, then maintaining it and assigning it to the message type. The problem is that to select data from the Z* table I need two parameters from the IDoc (LogicalSystem and cost center). How can I create a custom conversion routine, or something similar, to get this data from the Z table into the IDoc field (KOSTL)?
    The conversion exits only have one import parameter and one export parameter.
    Has anyone had a problem like this?
    Thanks in advance to all.

    Hi,
    Please check the documentation in WE60 tcode and see if the fields are required to be passed...
    Regards,
    Nagaraj

  • ASDM multiple network objects vs group for rules

    I was just curious if there are any performance benefits of using multiple network objects on multiple rules vs consolidating them into fewer rules by grouping them? 
    For example, I have about 10 lines of NAT exempt rules from the same source to multiple destinations.  Is there anything to be gained if I consolidated those into a single rule using an object group for the multiple destinations aside from cleaning up the clutter in ASDM?
    Thanks

    Hello Tony,
    Of course, it will be better, because the processing that the ASA has to do to determine which rule to match would be reduced; it would also take less space in the configuration file (memory). Those are some of the pros of creating groups for particular rules.
    Sometimes a huge configuration file can increase CPU usage, etc., so it is better to keep it as small and organized as possible.
    Regards,
    Julio

  • Modifying locked object of a synchronization block

    Hi everyone,
    Does someone know what happens if an object used as the lock in a synchronization block is modified inside that same block?
    Look at the example below to clarify my question:
    The object out is modified inside the synchronization block. Do other threads that try to execute another synchronization block (with out as the lock object) become able to execute it, because the reference has now changed?
    Thank you very much in advance.
    Diego
    synchronized (out) {
        try {
            out = new PrintStream(new FileOutputStream(file));
            out.println();
        } catch (FileNotFoundException e) {
            ...
        }
    }

    DiegoCarzaniga wrote:
        Thank you very much Kajbj.
        This means that Java synchronization uses object references to implement locks... is it correct?
    No. A monitor lock is associated with an instance and not with the reference to an instance.
    E.g.
        Object lock = new Object();
        Object sameLock = lock;
    Here lock and sameLock are referencing the same object, and that object only has one monitor, so you can either synchronize on lock or on sameLock (but I would advise against it since it might cause confusion).
    Kaj

  • Gmail filters vs. Mail Inbox Rules: Who wins?

    I have both Gmail filters and Apple Inbox Rules. If both Gmail and Apple Mail are running, whose filter runs first?

    mdh98368 wrote:
    If both Gmail and Apple Mail are running ...
    I believe this part of your question is irrelevant.  For "both Gmail and Apple Mail to be running", it sounds like you're talking about running two separate, independent, but possibly conflicting apps on your Mac.  If that's what you're doing, you should shut one of them down.
    The normal series of events would be that incoming email would hit your gmail account (out there on the web) and your gmail filters would be applied at that time.  Then, the gmail server would send the incoming message to your Apple Mail, which would apply its rules at that time.  This assumes you have your gmail account set up in the Apple Mail app.

  • Object Code for distribution Rules

    Hi all,
       What is the object code for the distribution rules (in the Cost Accounting menu)?
    Urgent...
    Thanks
    Sandeep

    Hi Deshpande,
    If you use the DI API help file and search for the OOCR table, you will find out that profit centers are not exposed yet in the DI API.
    That means that no object is available for distribution rules.
    Regards Chris

  • SA 540 INBOUND FIREWALL RULES NOT WORKING

    Hi all,
    I am having trouble configuring the firewall for the SA 540.
    client 1 (160.222.46.154) ----- switch ------ sa 540 ------ cisco 887 W ------ client 2 (50.0.0.10).
    client 1 can ping client 2, however client 2 cannot ping client 1. The default outbound policy (allow all) is set on the sa 540, and I have tried configuring a blanket ipv4 rule on the sa 540 to allow 'all' to 'any' (for all services) for traffic from the WAN to LAN, and vice versa. The output from the logs is as follows:
    Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
    Component: KERNEL
    Fri Jan 7 13:43:09 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
    Component: KERNEL
    Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53
    Component: KERNEL
    Basically any connection identified as coming in from the WAN (i.e. IN=WAN) is dropped. I set up a new vlan on the cisco 887 W, in the 160.222.46.x address space, connected a spare port directly to the sa 540, and had no problem testing connectivity to any device via ping. Obviously the zone communication is then LAN to LAN and the firewall treats the traffic differently.
    I assumed that creating an all-encompassing rule to allow all traffic, for all services, between the LAN and WAN (in both directions) would be equivalent to placing the appliance in PASS THROUGH mode? There is no security set on the 887 W or the switch.
    Also, if anybody could explain what 'SELF' means in the context of IN=SELF or OUT=SELF it would be much appreciated. Firmware is the latest.
    Thank you.
    Regards
    Marc
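Added example (not from the original post): the log lines quoted above follow a fixed LOG_PACKET[action] KEY=VALUE layout, so they can be parsed into objects and summarised, which makes the pattern in the post (every drop carrying IN=WAN OUT=WAN) visible at a glance instead of being read line by line. The log lines in the script are constructed copies of the post's format, including a 'Component: KERNEL' continuation line to show that non-packet lines are skipped.

```powershell
# Added example (not from the original post): parse SA 540 LOG_PACKET lines into objects,
# summarise the drops per zone pair and protocol, and flag entries whose ingress and
# egress zone are identical. The log lines are constructed to match the post's format.
$logLines = @(
    'Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0',
    'Component: KERNEL',
    'Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53',
    'Component: KERNEL',
    'Fri Jan 7 13:43:20 2000(GMT +1000) WARN FIREWALL 160.222.46.154 50.0.0.10 [firewall] LOG_PACKET[ACCEPT] IN=LAN OUT=WAN SRC=160.222.46.154 DST=50.0.0.10 PROTO=ICMP TYPE=8 CODE=0'
)

function ConvertFrom-Sa540LogLine {
    param([Parameter(Mandatory)][string]$Line)
    # Timestamp is everything before the severity; the action sits in LOG_PACKET[...];
    # the remainder is a run of whitespace-separated KEY=VALUE pairs.
    if ($Line -match '^(?<ts>.+?)\s+WARN\s+FIREWALL.*LOG_PACKET\[(?<action>[A-Z]+)\]\s+(?<kv>.*)$') {
        $entry = [ordered]@{ Timestamp = $Matches.ts; Action = $Matches.action }
        foreach ($pair in ($Matches.kv -split '\s+')) {
            $k, $v = $pair -split '=', 2
            if ($null -ne $v) { $entry[$k] = $v }
        }
        return [pscustomobject]$entry
    }
    return $null   # not a LOG_PACKET line (e.g. the 'Component: KERNEL' continuation)
}

$entries = $logLines | ForEach-Object { ConvertFrom-Sa540LogLine $_ } | Where-Object { $null -ne $_ }

# Dropped traffic grouped by zone pair and protocol. The post's symptom shows up as
# DROP rows with IN=WAN and OUT=WAN, i.e. the appliance saw the packet enter and leave
# on the same zone; the later reply in this thread traced that to routing/NAT, not to a rule.
$entries | Where-Object Action -eq 'DROP' |
    Group-Object IN, OUT, PROTO |
    Select-Object @{ n = 'IN, OUT, PROTO'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

$sameZone = @($entries | Where-Object { $_.IN -eq $_.OUT })
'{0} of {1} packet entries have the same ingress and egress zone' -f $sameZone.Count, @($entries).Count
```

The parser keeps whatever keys a line carries (TYPE/CODE for ICMP, SPT/DPT for UDP), so the same objects can be filtered by destination port as well; the DPT=53 drop in the post, for example, is a DNS query from client 2 that never reached client 1.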

    On closer analysis, and with some help from Experts Exchange, it did seem nonsensical to have both the IN and OUT as the WAN interface, but I had literally exhausted every avenue possible bar one: changing the routing mode to CLASSIC and configuring a static route (which was at a higher administrative level than my RIP-advertised routes) and took precedence when forwarding the packets.
    Now the SA540 firewall rules work as I would expect and I can route between all zones. To summarise, it appears as if the double NAT from the router (887W) and then the SA540 was the issue, and the inability to configure any workaround in the interface of the SA540 firewall rules.
    It really makes you appreciate the power of the command line and the full scope of Cisco's command line options. Does anybody know if (and how) it would be possible to configure double NAT on the SA540?
    Regards
    Marc

  • FIM Object Visualizer for Synchronization Service

    Does this tool work if all we are running is the Synchronization Service?  It appears that it looks for the FIM Portal:
    $uri = "http://" + $args[0] + ":5725/resourcemanagementservice"
    I need to be able to extract my IAF and EAF settings. There used to be a set of utilities for MIIS/ILM, but I can't find them on the web now, and I lost my copy of them when I migrated to FIM.
    Thanks.
    Ed Bell - Specialist, Network Services, Convergys

    That might help except that none of the download links work:
    "The Archive Gallery has been retired."
    When did MS start getting so sloppy about this stuff? They used to have one of the best support sites in the business, but it is really falling apart...
    I posted a comment (Powershell MA (Microsoft) missing documentation) in July that the documentation for the PowerShell MA (http://social.technet.microsoft.com/wiki/contents/articles/23647.windows-powershell-connector-for-fim-2010-r2-sample-connector-collection.aspx)
    was incomplete; it is like no one cares.
    Ed Bell - Specialist, Network Services, Convergys

  • FIM Object Visualizer

    Name: FIM Object Visualizer
    Latest Version: 6.0
    Description:
    The FIM Object Visualizer is a community script to display and document configurable objects such as Synchronization Rules, Workflows and Management Policy Rules:
    Display – because the script has a UI to render your configuration
    Document – because you can copy a displayed configuration to the clipboard and save it to a file.
    The script is based on the HTA (HTML Application) framework – a framework that enables you to develop scripts that look like Windows applications without the need of writing code in Visual Studio.
    Important
    To run the script, you need a FIM server with PowerShell installed.
    Please read the FIM ScriptBox Read Me First prior to running this script
    The FIM Object Visualizer is a customizable community script to display and document configurable objects such as Synchronization Rules, Workflows and Management Policy Rules.
    You can use this script to document your current FIM deployment or to provide configuration information in case of a troubleshooting scenario.
    The script consists of two main components:
    Data Request
    Data Display
    The script assumes that all PowerShell scripts that are located in the Collection folder are scripts to request object information from your FIM server.
    When you start the script, the script code locates all these scripts and adds them to the left list box in the toolbar:
    To request new or update existing object information for a specific object type, select the object type you are interested in from the list box, and then click Get Objects.
    You can extend the number of supported object types by adding additional PowerShell scripts to the Collection folder.
    The second list box lists the object types for which you have already requested object information.
    To list the display names for an object type, select the object type from the list box, and then click Get Names:
    To display the configuration of an object, click the object's display name:
    As mentioned earlier in this post, the FIM Object Visualizer is a community tool.
    This means, the objective of this download is to get you started with the process of documenting your deployment; however, I expect that you will modify the components of this script.
    For example, if you don't like the "look & feel" of how an object type is rendered, you can easily customize it by modifying the related XSLT file.
    If you have questions, comments or even extensions for this script, please respond to this post.
    To download this script, use this link.
    To get to the FIM ScriptBox, use this link.
    Markus Vilcinskas, Technical Content Developer, Microsoft Corporation

    The goal of this script is to enable you to create reports of various configurations.
    The most recent version supports the following reports:
    Active Metaverse Schema
    Attribute Flow Precedence
    FIMMA Schema
    FIM Resource
    Management Policy Rules
    Metaverse Schema
    Provisioning Triple
    Schema Object Definitions
    Selected Management Agent Attributes
    Synchronization Rules
    Replication Configuration
    Workflows
    Below are some examples of what you can do with this script, with abbreviated sample output for each report.
    Active Metaverse Schema - This report shows the inbound population of your metaverse grouped by object type:
    Metaverse Active Schema Configuration
    Metaverse object type: group
    Metaverse Attribute    | Type                   | Multi-valued | Indexed | Import-Flows
    membershipLocked       | Boolean                | no           | no      | 1
    membershipAddWorkflow  | String (non-indexable) | no           | no      | 1
    domain                 | String (non-indexable) | no           | no      | 1
    accountName            | String (non-indexable) | no           | no      | 1
    member                 | Reference (DN)         | yes          | no      | 1
    type                   | String (non-indexable) | no           | no      | 1
    scope                  | String (non-indexable) | no           | no      | 1
    displayName            | String (non-indexable) | no           | no      | 1
    csObjectID             | String (non-indexable) | no           | no      | 1
    Replication Configuration - This report shows your active metaverse schema configuration and whether an export attribute flow rule exists on the FIM MA for each metaverse attribute:
    Metaverse Active Schema and FIMMA EAF Configuration
    Metaverse object type: group
    Metaverse Attribute    | Type                   | Multi-valued | Indexed | Import-Flows | Replicated
    membershipLocked       | Boolean                | no           | no      | 1            | yes
    membershipAddWorkflow  | String (non-indexable) | no           | no      | 1            | yes
    domain                 | String (non-indexable) | no           | no      | 1            | yes
    accountName            | String (non-indexable) | no           | no      | 1            | no
    member                 | Reference (DN)         | yes          | no      | 1            | no
    type                   | String (non-indexable) | no           | no      | 1            | yes
    scope                  | String (non-indexable) | no           | no      | 1            | yes
    displayName            | String (non-indexable) | no           | no      | 1            | yes
    csObjectID             | String (non-indexable) | no           | no      | 1            | no
    Attribute Flow Precedence - This report shows how each attribute in the metaverse is populated and in which order:
    Metaverse Attribute Flow Configuration for group
    accountName, ranked
    Management Agent | Object Type | Type | Source Attributes
    Fabrikam ADMA    | group       | sr   | sAMAccountName
    scope, ranked
    Management Agent | Object Type | Type | Source Attributes
    Fabrikam ADMA    | group       | sr   | CustomExpression(IIF(Eq(BitAnd(2,groupType),2),"Global",IIF(Eq(BitAnd(4,groupType),4),"DomainLocal","Universal")))
    type, ranked
    Management Agent | Object Type | Type | Source Attributes
    Fabrikam ADMA    | group       | sr   | CustomExpression(IIF(Eq(BitOr(14,groupType),14),"Distribution","Security"))
    FIMMA Schema - This report shows the schema definition of your FIMMA:
    FIM MA Schema
    Object type: Group
    Attribute Name | Data Type | Required | Multi-Valued
    AccountName    | String    | no       | no
    CreatedTime    | DateTime  | yes      | no
    Creator        | Reference | no       | no
    DeletedTime    | DateTime  | no       | no
    Description    | String    | no       | no
    FIM Resource - This report shows the generic representation of an object in the FIM data store:
    Export Object - Person
    ObjectID             7fb2b853-24f0-4498-9534-4e10589723c4
    AccountName          administrator
    CreatedTime          1/20/2010 11:33:37 AM
    Creator              7fb2b853-24f0-4498-9534-4e10589723c4
    DisplayName          administrator
    Domain               FABRIKAM
    DomainConfiguration  1aff46f4-5511-452d-bcbd-7f7b34b0fe14
    MailNickname         administrator
    MVObjectID           {1FDD4880-9B68-4509-BAB1-AC34ABF50AC1}
    ObjectSID            AQUAAAAAAAUVAAAAVn2Q+4bZuFuYINe99AEAAA==
    ObjectType           Person
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
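Added example (not part of the post or of the FIM Object Visualizer): the Attribute Flow Precedence report above shows two custom expressions that derive a group's scope and type from the AD groupType bit mask. The PowerShell below evaluates the same two expressions outside the sync engine, so the scope and type a group will receive in the metaverse can be predicted from its groupType before a synchronization run. The groupType bit values are the documented Active Directory flags (2 global, 4 domain local, 8 universal, 0x80000000 security-enabled); the sample groups are constructed.

```powershell
# Added example (not from the original post): evaluate the two CustomExpression flows from the
# Attribute Flow Precedence report in PowerShell. The function name is an assumption; the
# groupType flags are the documented AD values; the sample groups below are constructed.
function Get-MvGroupScopeAndType {
    param([Parameter(Mandatory)][int64]$GroupType)   # AD groupType, signed as AD stores it

    # Work on the unsigned 32-bit view so that the 0x80000000 security flag is a plain bit.
    $gt = [uint32]($GroupType -band 0xFFFFFFFF)

    # scope: IIF(Eq(BitAnd(2,groupType),2),"Global",IIF(Eq(BitAnd(4,groupType),4),"DomainLocal","Universal"))
    $scope = if (($gt -band 2) -eq 2)     { 'Global' }
             elseif (($gt -band 4) -eq 4) { 'DomainLocal' }
             else                         { 'Universal' }

    # type: IIF(Eq(BitOr(14,groupType),14),"Distribution","Security")
    # BitOr(14, groupType) equals 14 only when groupType has no bits outside 2|4|8, i.e. the
    # 0x80000000 security flag is clear, so the group is a distribution group.
    $type = if (($gt -bor 14) -eq 14) { 'Distribution' } else { 'Security' }

    [pscustomobject]@{ groupType = $GroupType; scope = $scope; type = $type }
}

# Constructed sample values: the four common AD groupType codes.
@{
    'Global security group'        = -2147483646   # 0x80000002
    'Domain-local security group'  = -2147483644   # 0x80000004
    'Universal security group'     = -2147483640   # 0x80000008
    'Universal distribution group' = 8             # 0x00000008
}.GetEnumerator() | Sort-Object Key | ForEach-Object {
    $r = Get-MvGroupScopeAndType -GroupType $_.Value
    '{0,-30} groupType={1,-12} scope={2,-12} type={3}' -f $_.Key, $r.groupType, $r.scope, $r.type
}
```

The security test is the part worth checking against the report rather than against intuition: BitOr(14, groupType) is a compact way of asking "is every set bit inside the scope bits", which is only true when the security flag is absent, so any future groupType flag outside 2|4|8 would also classify as Security under this expression.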

  • Replica info - filtered vs. read/write of the root partition

    Hello all,
    According to Craig's setup guide, the BM server should be in its own partition, of which it is the master replica, and it should contain a read/write replica of the root partition.
    We currently have this setup, but the one issue we are having is that our content filter is using LDAP to monitor eDir authentication, and it seems to be grabbing some workstation authentications as opposed to the user authentications.
    One suggestion to resolve this issue is to use a filtered replica which only sees users and user groups. Is this an option with our BM servers, or should I be looking at using a different server for LDAP authentication and put a filtered replica on that one?
    Any thoughts are greatly appreciated.
    Steve D.

    BorderManager needs to read license objects when it launches, filtering
    objects from NDS, access rules from NDS and its own configuration from
    NDS. It also needs to read NMAS-related information from NDS.
    I have found that the most efficient way to a) get BMgr to read its
    information and b) fix filtering issues is to have the BMgr server in
    its own OU. In the past, there was also a Site-Site VPN dependency on
    reading a root replica, but that was fixed sometime ago. (VPN may
    launch faster if the BM server has a root replica, but it doesn't have
    to have it).
    BM wants to read licenses initially from the root of the replica ring,
    so it helps if the BM server is the master of the replica ring holding
    the licenses. This is not a requirement, but it makes BM launch faster
    usually, and it is especially important in branch offices with a site-site
    VPN. BM reads filters from the NBMRuleContainer, which is almost always
    in the same ou as the server. It is easier to fix filtering issues if
    you can simply delete them all and remigrate them into NDS without
    having to worry about filters from some other BM server being in the
    same container. These are the main reasons I like to have BM in its
    own partition and the master of that replica ring.
    It may help to have a replica of the security container on the server
    as well, for nmas-related VPN logins, but I'm not sure on that. If you
    are running NMAS RADIUS on the same server, you need to have replicas
    of the user partitions also on the server. And with NMAS-related
    logins for VPN, you really want all the clients and all the servers
    with user replicas up to the latest version of NMAS.
    Access rules are normally applied to the server object, but if they are
    applied to ou's above BM, it may help to have replicas holding those
    OU's on the server, but it's not required. (BM will have to read the
    OU's from some other server if it can't get them from itself though).
    Offhand, those are the NDS-related requirements I can think of for BM.
    I would be putting my efforts into fixing the LDAP calls that the
    application is using so that it doesn't look at workstation objects
    rather than try to filter those objects out. However, perhaps you
    could alter your NDS design and put all the workstation objects into
    one or more OU's that the LDAP app doesn't look at?
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Importing manager attribute in FIM

    Experts,
    I have two tables:-
    users:-
    employeeid:firstname:lastname:deptnumber
    department
    deptnumber:deptname:manager
    A SQL view combines these two tables and I am importing data through the SQL MA and an inbound sync rule.
    All attributes are coming through except manager. I have chosen manager as 'Reference' in the SQL MA. I am sure the employee exists.
    All attributes are getting imported except manager.
    Thanks,
    Mann

    Hello,
    What is the format of 'manager' in the SQL table 'department'? Is it the same as 'employeeid' in the SQL table 'users'?
    Is 'manager' imported into the CS of SQL and not into the MV? Or is it not present in the CS?
    And your flow 'manager' is for the 'department' object, and not for the 'user' object: with your current configuration, you can't flow manager on the user object through an inbound sync rule.
    Regards,
    Sylvain
