Understanding User Management - Inbound User Synchronization
Building on the concepts we discussed in Introducing Synchronization Rules - Part 1 and Introducing Synchronization Rules - Part 2, let's create an Inbound Synchronization Rule for User objects. In this example we will use Active Directory as the data source for the User objects. Before creating any Synchronization Rules you need the following pieces configured in the Synchronization Service.
- The MA (Management Agent) that will be used as the Source or Destination depending on the type of Synchronization Rule you are configuring.
- FIM Service MA
Additionally, verify that all necessary MPRs are enabled in the FIM Portal so that the Synchronization Service is allowed to synchronize the object type being synchronized into the FIM Service / Portal.
Once all the required configuration is in place you can proceed to creating the Inbound Users Synchronization Rule.
To begin, navigate to the Portal home screen:
In the right-hand menu, select “Synchronization Rules”
This will open the Synchronization Rules menu.
In the top menu, click “New”
On the “General” tab, enter the following information
- Display Name
- The Display Name should clearly identify what the Sync Rule does and in which direction the data flows relative to the Metaverse.
- Description
- The Description isn’t required but may be useful to anyone who needs to understand the configuration of the FIM Sync and Portal.
- Data Flow Direction
- You are given 3 options which are used to determine the direction of data between the connected data source and the Metaverse. I rarely use Inbound and Outbound because I feel that it is easier for people to understand data direction flow when the sync rules are separated.
- Inbound
- Brings data from the Data Source Connector Space into the Metaverse
- Outbound
- Brings data from the Metaverse to the Datasource Connector Space
- Inbound and Outbound
- Is used to Synchronize Data in both directions to and from the Metaverse.
- Apply Rule
- This is used to determine how the sync rule is applied to the data in the Metaverse
- To specific metaverse resources of this type based on Outbound Synchronization Policy. Outbound Synchronization Policy consists of an MPR, a Set, and a Workflow.
- To all metaverse resources of this type according to Outbound System Scoping Filter. Outbound System Scoping Filter is defined in the scope tab.
Configure the General page with the necessary information. Notice that the Apply Rule section is greyed out; this option is used specifically for outbound synchronization.
On the Scope tab, configure the object types and the Connected MA that this sync rule will synchronize with.
Now notice the Inbound Scoping Filter option. This can be used to filter out all objects that don't meet the defined criteria. This filter is INCLUSIVE, which means only objects that match the defined criteria will be synchronized (managed) via this sync rule. For example, if the filter is set to displayName starts with DEV_, then only user objects whose displayName starts with DEV_ will be synchronized by this sync rule.
On the Relationship tab you need to define the Relationship, also known as the Join Logic, for objects in the Connector Space of the Connected MA to be synchronized with the objects that already exist in the Metaverse. This is a crucial step to avoid duplicate objects.
Create Resource in FIM is used to project the object into the Metaverse. If you only want this sync rule applied to existing objects, leave this option unchecked.
Attribute Flows: the first thing you should know about attribute flows is that all attribute flows are applied (the result still depends on attribute precedence); there is no initial flow for inbound synchronization.
Basic Attribute flow
Notice that for domain a static value is defined for each object this sync rule applies to. You may want to consider Using PowerShell To Generate The Custom Expression For The Domain Attribute Flow (Single or Multiple Domain), which produces a custom expression you can use instead of setting the domain to a single static value. This is extremely useful when syncing objects from a forest with multiple domains.
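Once the rule is saved, the three settings that matter most for a review (the inclusive scoping filter, the join logic, and whether the rule projects new objects) can be read back from the FIM Service rather than clicked through in the Portal. The script below is an added example, not code from the original post; it uses the FIMAutomation snap-in's Export-FIMConfig cmdlet, and the attribute names it reads (FlowType, ConnectedSystemScope, RelationshipCriteria, CreateILMObject) and the FIM Service URI are assumptions to verify against your own schema.

```powershell
# Added example: list every inbound Synchronization Rule with its scope, join and projection settings.
# Assumes the FIMAutomation snap-in is installed and the caller has read access to the FIM Service.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = "http://localhost:5725/ResourceManagementService"   # assumed FIM Service address

# Export only the SynchronizationRule objects (no referenced resources)
$rules = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/SynchronizationRule"

# Read one attribute (single- or multi-valued) from an exported resource
function Get-SyncRuleAttribute {
    param($Resource, [string]$Name)
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return ($attr.Values -join "; ") }
    return $attr.Value
}

$report = foreach ($rule in $rules) {
    # Assumed FlowType encoding: 0 = Inbound, 1 = Outbound, 2 = Inbound and Outbound
    $flow = Get-SyncRuleAttribute $rule "FlowType"
    if ("$flow" -ne "0") { continue }   # inbound rules only

    $scope    = Get-SyncRuleAttribute $rule "ConnectedSystemScope"   # Inbound Scoping Filter
    $join     = Get-SyncRuleAttribute $rule "RelationshipCriteria"   # Relationship / join logic
    $projects = Get-SyncRuleAttribute $rule "CreateILMObject"        # "Create Resource in FIM"

    # Flag combinations worth a second look: an unfiltered rule that also projects new
    # objects, or a projecting rule with no join logic (the duplicate-object case above).
    $notes = @()
    if (-not $scope -and "$projects" -eq "True") { $notes += "no scoping filter, projects every CS object" }
    if (-not $join  -and "$projects" -eq "True") { $notes += "projects without join logic (duplicate risk)" }

    [PSCustomObject]@{
        DisplayName     = Get-SyncRuleAttribute $rule "DisplayName"
        SourceObject    = Get-SyncRuleAttribute $rule "ConnectedObjectType"
        MetaverseObject = Get-SyncRuleAttribute $rule "ILMObjectType"
        Precedence      = Get-SyncRuleAttribute $rule "Precedence"
        ScopingFilter   = $scope
        JoinCriteria    = $join
        CreatesResource = $projects
        ReviewNotes     = ($notes -join "; ")
    }
}

$report | Sort-Object Precedence | Format-Table -AutoSize -Wrap
```

Run it after every change to a sync rule and keep the output with the change record; a rule that appears with a non-empty ReviewNotes column is the one to re-check in the Portal.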