FIM Best Practice: Recall attributes on disconnection

There’s a box you can tick on the Deprovisioning Options page in your MA configurations – it says “Do not recall attributes on disconnection”. My advice: don’t tick this box.

The default behaviour is that when an object is disconnected in a connector space, whether through deletion, filtering or something else, any attributes it contributed to the Metaverse are removed. If there is a lower-precedence source for some of the attributes they can now be contributed from another MA, but the end result should be no attributes contributed from the connector space object that was just disconnected.

This is a good thing because it allows us to figure out which connectors a Metaverse object has by just inspecting the Metaverse object. With classic rules extensions you can count connectors, but Declarative Sync does not work this way – it only looks at the Metaverse object.

So say I want to provision to an application only after the AD account has been created. I flow something back from AD that I only could have sourced from there (I tend to use the DN) and that is my proof that the AD account exists. If the AD account is removed I want that Metaverse attribute to be cleared.

It’s also useful for reporting: it is very simple to query the mms_metaverse table to see the state of your metaverse objects, and while you can join to the mms_connectorspace table to get an idea of connectors, it’s certainly not as simple as just seeing if “ADDN” is populated in the mms_metaverse table.

There may be an argument for using this switch when clearing and re-importing a connector space – but even then I’d be wary. Objects may disappear on the re-import and now I’ve got Metaverse objects that look like they have a connector, but actually don’t.
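The check implied by the last two paragraphs, as an added example that is not from the original post: a T-SQL query against the sync database that lists Metaverse objects where the "ADDN" flag and the actual AD connector disagree. It assumes "ADDN" is the Metaverse attribute flowed back from AD (the name used above), and `<AD MA name>` is a placeholder for your own AD management agent's name.

```sql
-- Added example, not from the original post.
-- Run read-only against the sync service database
-- (FIMSynchronizationService by default).
-- Assumptions: ADDN is the metaverse attribute flowed from AD;
-- '<AD MA name>' is a placeholder for your AD management agent.

WITH ad_joined AS (
    -- Metaverse objects that really do have a joined connector in the AD MA
    SELECT DISTINCT l.mv_object_id
    FROM   dbo.mms_csmv_link        AS l  WITH (NOLOCK)
    JOIN   dbo.mms_connectorspace   AS cs WITH (NOLOCK)
           ON cs.object_id = l.cs_object_id
    JOIN   dbo.mms_management_agent AS ma WITH (NOLOCK)
           ON ma.ma_id = cs.ma_id
    WHERE  ma.ma_name = N'<AD MA name>'
)
SELECT mv.object_id,
       mv.object_type,
       mv.ADDN,
       CASE
           -- Looks like it has an AD account, but the connector is gone:
           -- the state left behind when attributes are not recalled.
           WHEN j.mv_object_id IS NULL THEN 'ADDN set, no AD connector'
           -- Connector exists but the proof attribute never flowed.
           ELSE 'AD connector, ADDN empty'
       END AS mismatch
FROM   dbo.mms_metaverse AS mv WITH (NOLOCK)
LEFT JOIN ad_joined AS j
       ON j.mv_object_id = mv.object_id
WHERE  (mv.ADDN IS NOT NULL AND j.mv_object_id IS NULL)
   OR  (mv.ADDN IS NULL     AND j.mv_object_id IS NOT NULL)
ORDER BY mismatch, mv.object_type;
```

With attribute recall left at its default, the first category should stay empty; rows appearing there after a connector space clear and re-import are the objects that only look connected.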
