ADMA to ADMA group member sync

Question

Hi,

Current environment: Forefront Identity Manager 2010r2

What I am trying to do:

We have two domains that are not trusted for various reasons, we currently sync/provision users from source to destination domain including password.

Id like to sync certain group members from source to destination groups. Users accounts are an apples to apples naming scheme and the groups are already created on the destination.

I've been able to get the meta verse to include the group I want to sync the members with. What I can't figure out is how to get the members attribute to populate in the metaverse. I have read that I need to make sure the user accounts are also in my connector space, and I believe they are. I understand its a reference attribute, and it needs the users in the connector space.

Is it as easy as just including users/OU, or do I need to do a join on the users or flow user attributes into the metaverse as well? Or is my 2010r2 environment not capable of this?

Thanks!

Answer 1

Hello Justin,

Yes, you have to join user objects between your two AD, with a person object in the Metaverse. MIM is working with reference and needs to know the object to be able to add/remove it from a group membership.

If you see the users as string in the Metaverse, it means that you are not using a reference type attribute to store them in the MV.

From your source AD, you should project users as person in the MV, and from your target AD, you should add a join rules to do the Join (based on the account name for example).

Answer 2

Update, I got the group and members to populate in the metaverse now. The member shows up as a string.

Any help on how to get the members into the group for the other domain/AD MA?