The Problem
When it comes to attributes, MIM does two things well: setting them during object creation (initial flow), and setting them all the rest of the time (persistent flow). But setting things conditionally at other times often comes with gotchas.
In particular, FIM’s insistence on not exporting attributes to equal or higher precedence MAs means we can’t do a handy loop like this:
AD.description -> MV.description IIF(CustomExpression(IsPresent(description)),description,"Default Descript") -> AD.description
Bummer…
The Simple Solution
One simple solution here is to tick the Equal Precedence box on the import precedence page. Then MIM skips the above check, and all is (somewhat) well. But there is another way, which might be useful if you don’t want to turn on Equal Precedence for some reason…
The MIM Service Attribute Loop Solution
This solution loops the attribute value through the MIM Service. This lets us subvert the MIM precedence check mechanism and conditionally update attributes (to MAs other than the FIM MA/MIM Service) from scoped sync rules!
In order to subvert the precedence check, we need to somehow break the MIM’s knowledge of the common source and destination of our data. These flows loop AD’s current “description” attribute value through the MIM Service:
AD.description -> MV.description MV.description -> MIMService.Description MIMService.Description -> MV.existingDescription IIF(CustomExpression(IsPresent(existingDescription)),existingDescription,"Default Description") -> AD.description
If AD.description is populated, that will flow into the MIM Service (Description) then back out again into a different metaverse attribute (existingDescription) that is not associated with AD.description, so it can be used in our export scoped sync rule. By going through the MIM Service in this manner, MIM doesn’t realise that our source and destination are one and the same, so we now have the flexibility to do whatever we want in our scoped source rule.
Of course, with great power comes great responsibility. If the AD.description export rule does something foolish (like append to the description every time) then the above flows will loop without ceasing (extending AD.description on each cycle through). So you must configure your scoped sync rule so that the changes will eventually cease after a finite (and preferably very small) number of cycles.
Another Example
Using this pattern, the similar requirement from a previous post (where we wanted to set gidNumber based on objectSid, but only if it is currently blank) is now achievable. These flows give us what we want:
AD.objectSid -> MV.objectSid AD.gidNumber -> MV.gidNumber MV.gidNumber -> MIMService.gidNumber MIMService.gidNumber -> MV.existingGidNumber IIF(CustomExpression(IsPresent(existingGidNumber)),existingGidNumber,CustomExpression(Word(ConvertSidToString(objectSid),8,"-")+65536)) -> AD.gidNumber
But wait, there’s more…
The other thing that needs to be considered here is what happens with source-of-truth (mastering) for an attribute’s value when using this pattern. A change to the value of an attribute in the MIM Service will result in that value being exported to AD, but similarly a change to the value of the attribute in AD will result in that new value being updated in the MIM Service as well! So, rather interestingly this pattern essentially gives us an Equal Precedence solution, where the last update processed by the sync service “wins”. Which, amusingly enough, means that we’re actually back where we started with the ‘Simple Solution’ above! 🙂