One of the coolest features in FIM 2010 is the declarative provisioning. It allows you to do a lot of things by simply clicking together the desired items from within the Portal. The alternative is the “classical rules extensions”. This requires writing .net code to extend the possibilities of an MA. I prefer the declarative provisioning. I’m not saying you should abandon classical all the way though. I’m using the following logic to decide between them:
- Can it be done from within the Portal (using normal Synchronization Rules)
- If not: can it be done by writing a rule extension to be used in the MA
- If not: can it be done by writing a workflow to be used in the Portal
I’ve never done 3 to be honest. Most attribute flows and transformations I can manage by defining flows in the Portal. Creating a unique account name I do with a rules extension. I tend to take the best of two worlds. Some people, often seasoned MIIS/ILM folks, still prefer to use classical rules extensions because of the debugging options. I can’t blame them, with the declarative rules you’re sometimes left alone in the dark. So here are some checks to do when your MA of choice is just refusing to show those “provisioning adds” you desire.
This is how it looks when it’s not working, you run your import and synchronization profiles and no “provisioning adds” are being shown. All you see is some EAF’s back to FIM flowing “Not applied” for the “SynchronizationRuleStatus” attribute. And then you say: What, Not applied? Why? How? It sure as hell isn’t my fault, I did it all by the book!
So here is my list of things to check when it’s just not working. It’s not rocket science, but you might have that “Aaah” moment with one of these.
1. Did you check “Create resource in external system”
2. Do you have at least one “Initial Flow Only” flow configured? Even if you want to have all attributes flowed all the time, you should have at least one “Initial Flow Only” flow. Just add the same flow twice and check it once to have the desired effect if you want the attribute to be flowed always.
3. Is the Outbound Synchronization Rule being added to the object? If it’s not, it’s very likely something is wrong with the definition of the MPR. Or your object isn’t part of the correct set. Or it was already part of set before you created the MPR. Run on policy update might help you here. Verify the provisioning tab of the object:
No SR present:
4. Is the ERE present in the ExpectedRuleList attribute for the object in the Connector Space (CS) of the FIM MA? If it’s not, something is wrong with the import or the selected attributes of the FIM MA.
5. Is the ERE present in the ExpectedRuleList attribute for the object in the Metaverse? If it’s not, something is wrong with the synchronization or IAFs of the FIM MA.
6. Did you enable "Synchronization Rules Provisioning” in the Options for the Synchronization Manager. If it’s not checked, declarative provisioning will be disabled.
If you got all these covered, you should see the desired result:
And the update of the SynchronizationRuleStatus attribute:
This post was writing after providing all of the above as possible solutions for the following thread: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/1aa13147-e16c-4e99-a7da-76e3c9e8c10d