FIM ScriptBox Item
Summary
When you manage resources with FIM, a resource can accidentally be brought into the scope of the wrong outbound synchronization rule. This article explains how to fix this.
To manage your resources in external systems with FIM, you need to bring them into the scope of the related synchronization rules. This means you link a resource with an outbound synchronization rule by creating an Expected Rules Entry (ERE). The following picture outlines the related architecture:
This process is defined by your synchronization policy. A synchronization policy consists of 4 components:
The process of bringing a resource into the scope of a synchronization rule starts with the transition of the resource into a specific set. After the resource has transitioned into this set, the FIM service invokes the set transition MPR you have defined in your synchronization policy. The MPR invokes the configured workflow. Your workflow definition must specify a synchronization rule and an action. To bring the resource into the scope of a synchronization rule, Add must be defined as the action:
When this process has completed, your resource is in the scope of the synchronization rule:
You can find a more detailed description of this process in “Understanding Data Synchronization with External Systems”.
If you need to remove a resource from the scope of a synchronization rule, you also need to implement a synchronization policy that consists of temporary components. The main difference is that your temporary workflow is configured to remove the resource from the scope of the synchronization rule:
While it is possible to create the required components manually, you can save some time by automating this process in the form of a script. The script first checks whether your temporary MPR, workflow and set already exist. If so, the script deletes them.
After the object information about the resource and the synchronization rule has been retrieved, the script creates the required temporary components of the synchronization policy. When you develop the script, the only small challenge is the definition of the workflow activity, because the related attribute has a complete XML block as its value. You can get the required XML block from an existing workflow definition. The only part the script code needs to update is the ID of the synchronization rule:
Creating the temporary MPR is a straightforward process. In your script code, you set the following attributes:
To trigger a set transition in your temporary set, the script code makes the related resource a static member. As a last step, the script deletes the temporary components again. When the script has completed successfully, you should review the provisioning status of your resource. Your resource should have a pending remove operation for the related synchronization rule.
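One way to handle the workflow-definition step described above, shown as an added example that is not the article's own script: it takes the XML block copied from an existing workflow, validates the synchronization rule ID, and writes it into the activity together with the Remove action. The XOML template is constructed and simplified; the attribute names `SynchronizationRuleId` and `Action`, the helper name `Set-SyncRuleInXoml` and the sample ID are assumptions.

```powershell
# Constructed, simplified XOML modelled on a FIM workflow definition (assumption).
# In practice, copy the real block from an existing workflow and use it as the template.
$templateXoml = @'
<ns0:SequentialWorkflow x:Name="SequentialWorkflow"
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    xmlns:ns0="clr-namespace:Microsoft.ResourceManagement.Workflow.Activities;Assembly=Microsoft.ResourceManagement">
  <ns0:SynchronizationRuleActivity x:Name="syncRuleActivity1"
      SynchronizationRuleId="00000000-0000-0000-0000-000000000000" Action="Add" />
</ns0:SequentialWorkflow>
'@

# Hypothetical helper: returns the XOML with the rule ID and action replaced.
function Set-SyncRuleInXoml {
    param(
        [Parameter(Mandatory = $true)] [string] $Xoml,
        [Parameter(Mandatory = $true)] [string] $SynchronizationRuleId,
        [ValidateSet('Add', 'Remove')] [string] $Action = 'Remove'
    )
    # Accept "urn:uuid:<guid>" or a bare GUID and reject anything else,
    # so no arbitrary text ends up inside the workflow definition.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse(($SynchronizationRuleId -replace '^urn:uuid:', ''), [ref] $guid)) {
        throw "Not a valid synchronization rule ID: $SynchronizationRuleId"
    }

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null          # never resolve external entities in the template
    $doc.PreserveWhitespace = $true   # keep the template's layout as copied
    $doc.LoadXml($Xoml)

    # Match on the local name so the lookup does not depend on the namespace prefix.
    $nodes = $doc.SelectNodes("//*[local-name()='SynchronizationRuleActivity']")
    if ($nodes.Count -ne 1) {
        throw "Expected exactly one SynchronizationRuleActivity, found $($nodes.Count)"
    }
    $nodes[0].SetAttribute('SynchronizationRuleId', $guid.ToString())
    $nodes[0].SetAttribute('Action', $Action)
    return $doc.OuterXml
}

# Constructed sample ID; the result is the value for the temporary workflow's XML attribute.
Set-SyncRuleInXoml -Xoml $templateXoml -SynchronizationRuleId 'urn:uuid:11111111-2222-3333-4444-555555555555'
```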
To actually remove the relationship between the resource and the synchronization rule, a synchronization cycle is required. This means you need to run the following run profiles on your FIM management agent:
Script Code