FIM Best Practice: Always have Join rules, and simple ones at that

When creating an MA that is a projection source or a provisioning target, it is easy to overlook the join rules, as the objects are effectively already joined. But you should still have them.

The other part to this is about complex join rules. While joining a new directory for the first time, you may join on anything you can use – email address, names, phone numbers, location… Your aim, however, should be to replace this with a single, simple join rule once the discovery phase is done.

Here’s something to keep in mind: always plan to clear and re-import the connector space.

There are various reasons you may have to do this and it should not be an unexpected occurrence. If your connector space can only be re-joined using complex rules and manual joins, then you’ll have a nasty operation ahead of you.

Breadcrumbing goes hand-in-hand with your join rules. If a connected system was difficult to join, then export a unique identifier that allows a simple join rule to always work in the future. If you can’t update this directory, then reverse-breadcrumb it: import an identifier to the Metaverse and then export it somewhere else, such as the FIM Portal, ensuring you will have that information to join back on when needed.
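One way to test whether a breadcrumb is good enough before you clear a connector space is to simulate the single join rule over exported data. This is an added example, not code from the original post or from FIM; the attribute names (`employeeNumber`, `employeeID`), the record shapes and the sample objects are assumptions constructed for illustration.

```python
from collections import defaultdict

def _norm(value):
    # Assumption: join values compare trimmed and case-insensitively.
    return str(value).strip().casefold() if value is not None else ""

def rejoin_report(cs_objects, mv_objects, cs_attr, mv_attr):
    """Simulate one direct join rule (cs_attr == mv_attr) over exported data."""
    mv_index = defaultdict(list)            # breadcrumb value -> MV object ids
    for mv in mv_objects:
        if _norm(mv.get(mv_attr)):
            mv_index[_norm(mv.get(mv_attr))].append(mv["id"])

    report = {"joined": {}, "unjoined": [], "ambiguous": {}}
    claimed = defaultdict(list)             # MV id -> connectors that matched it
    for cs in cs_objects:
        matches = mv_index.get(_norm(cs.get(cs_attr)), [])
        if len(matches) == 1:
            report["joined"][cs["dn"]] = matches[0]
            claimed[matches[0]].append(cs["dn"])
        elif not matches:
            report["unjoined"].append(cs["dn"])       # no breadcrumb, or a stale one
        else:
            report["ambiguous"][cs["dn"]] = matches   # breadcrumb not unique in the MV
    # Several connectors matching one MV object: the breadcrumb is duplicated
    # in the connected directory and needs review before relying on the rule.
    report["contended"] = {m: d for m, d in claimed.items() if len(d) > 1}
    return report

def safe_to_clear(report):
    """True only if the single rule re-joins every connector unambiguously."""
    return not (report["unjoined"] or report["ambiguous"] or report["contended"])

# Constructed sample data (hypothetical attribute names and values).
MV = [{"id": "mv-1", "employeeID": "E1001"}, {"id": "mv-2", "employeeID": "E1002"},
      {"id": "mv-3", "employeeID": "E1003"}, {"id": "mv-4", "employeeID": "E1003"}]
CS = [{"dn": "CN=alice", "employeeNumber": "e1001 "},
      {"dn": "CN=bob", "employeeNumber": "E1002"},
      {"dn": "CN=bob-admin", "employeeNumber": "E1002"},
      {"dn": "CN=erin", "employeeNumber": "E1003"},
      {"dn": "CN=dave", "employeeNumber": None}]

if __name__ == "__main__":
    result = rejoin_report(CS, MV, "employeeNumber", "employeeID")
    print(result, "safe to clear:", safe_to_clear(result))
```

Every object listed under `unjoined`, `ambiguous` or `contended` is one that would need a complex rule or a manual join after a re-import, so the aim is to get all three empty while the existing joins are still in place.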

If you’re using Declarative Sync, then you will already have been obliged to use simple join rules (aka “relationship criteria”), and this best practice is effectively enforced.

Got something to add? Disagree? Comments are open!

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.

