Intro
FIM 2010 R2 was the first version to bring outbound system scoping filters into the synchronization rule. I decided to use this feature during a migration from FIM 2010 to eliminate some workflows, sets and policy rules. This would reduce complexity and make the synchronization configuration more comprehensible. Instead of searching for the workflow that adds the sync rule, the MPR that triggers the workflow and then going to the set definition of the target population of the MPR, you can just examine the outbound scoping filter of the sync rule itself.
Methodology
I followed the following flow:
- Check if set membership is a logical AND of conditions
- If yes: configure set conditions on outbound scoping filter of the synchronization rule and delete the wf-set-mpr triplet
- If not: leave config as is
Problem
While this methodology proved to be effective for most of my sync rules, one was causing problems. It was not being applied to the entries it should have been. I transferred the original set condition to the sync rule, but the sync rule status was "not applied".
Solution
After some googling, I found the origin of my problem in a blog post. The syntax of the outbound system scoping filter is different from the syntax used in set conditions. The correct way to configure this is by using "not-equal" with the empty string.

After submitting this change, you need to manually correct the syntax, because it will throw an error if you try to import it into the metaverse. Open the sync rule once again, go to the Advanced View and into the Extended Attributes tab. Edit the scoping filter attribute by converting

    <scoping>
      <scope>
        <csAttribute>accountName</csAttribute>
        <csOperator>NOTEQUAL</csOperator>
        <csValue></csValue>
      </scope>
    </scoping>

into

    <scoping>
      <scope>
        <csAttribute>accountName</csAttribute>
        <csOperator>NOTEQUAL</csOperator>
        <csValue/>
      </scope>
    </scoping>
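The same correction can be scripted when several sync rules need it. The following is an added example, not code from the original post: the function name `normalize_scoping` and the second scope (`employeeType` / `Contractor`) are constructed for illustration, and the script works only on the filter XML copied from the Extended Attributes tab, without touching FIM itself.

```python
from xml.dom import minidom

# Constructed sample: the filter from the post plus a second scope that
# carries a real comparison value and must survive unchanged.
SAMPLE = (
    "<scoping>"
    "<scope><csAttribute>accountName</csAttribute>"
    "<csOperator>NOTEQUAL</csOperator><csValue></csValue></scope>"
    "<scope><csAttribute>employeeType</csAttribute>"
    "<csOperator>NOTEQUAL</csOperator><csValue>Contractor</csValue></scope>"
    "</scoping>"
)


def normalize_scoping(xml_text):
    """Rewrite a scoping filter so empty csValue elements are self-closing.

    Returns (fixed_xml, empty_attrs), where empty_attrs lists the
    csAttribute names whose scope compares against the empty string.
    Malformed XML raises xml.parsers.expat.ExpatError.
    """
    doc = minidom.parseString(xml_text)
    empty_attrs = []
    for scope in doc.getElementsByTagName("scope"):
        values = scope.getElementsByTagName("csValue")
        if not values or values[0].hasChildNodes():
            # No csValue, or it holds text (whitespace included): leave it.
            continue
        attrs = scope.getElementsByTagName("csAttribute")
        has_name = bool(attrs) and attrs[0].firstChild is not None
        empty_attrs.append(attrs[0].firstChild.data if has_name else "?")
    # minidom serializes a childless element as <csValue/> (no space),
    # which is the form the post ends up with. Serializing the root
    # element rather than the document omits the XML declaration.
    return doc.documentElement.toxml(), empty_attrs


if __name__ == "__main__":
    fixed, empties = normalize_scoping(SAMPLE)
    print("empty-string scopes:", empties)
    print(fixed)
```

Running it again on its own output returns the same XML, so it is safe to apply to filters that were already corrected by hand.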