Run Profiles in FIM 2010 R2

Run profiles specify the parameters with which a management agent is run in Microsoft® Forefront® Identity Manager (FIM) 2010 R2. You can create one or multiple run profiles for a management agent. Further, each profile consists of one or more steps. By combining steps in a profile, you can more accurately control how your data is processed.

Run Profile Step Types

Run profiles are a series of steps defining actions to be executed on a management agent (MA). These actions can include importing and exporting data from the connected data source and synchronizing data with the metaverse.

Each MA requires at least one run profile that is made up of at least one step. Steps might include a complete synchronization of all attributes and values from a connected identity store or of only the changes since the last update. Any number of run profiles can be configured for a particular MA, each performing a specific set of steps. These run profiles are necessary to implement the different phases of the management agent that they are configured for.

The following operations are available for use in run profiles:

  • Delta Import (Stage only)

  • Full Import (Stage only)

  • Delta Synchronization

  • Full Synchronization

  • Export

  • Delta Import and Delta Synchronization

  • Full Import and Delta Synchronization

  • Full Import and Full Synchronization

Delta Import and Full Import

Importing from an external system occurs by discovering the external system and processing the selected objects and attributes configured on the management agent. There are two types of imports that can be processed against an external system: a delta import and a full import.

Delta Import

To run a delta import, the external system must have some mechanism to allow delta operations. For example, the MA for Active Directory Domain Services uses update sequence numbers (USNs) to keep track of changes to the directory. You can use these USNs to import only the changes that have been made since the last MA run. Other directories use different mechanisms. For example, the management agent for Microsoft SQL Server has to have a delta table that is configured with a column that specifies the change type of the transaction to process. Sun ONE directory uses a changelog. If the changelog is enabled on that server, the FIM 2010 R2 synchronization service can read from the changelog and process only what is written to the changelog. Because only changes are processed, delta imports are typically more efficient to run than full imports.

Full Import

Full imports are typically much less efficient to run than delta imports. This is because running a full import requires importing the whole directory and not a subset of changes. However, there are a number of conditions where you may have to run a full import against the external system:

  • The initial MA import must be run as a full import because there is not a watermark on the MA to handle deltas. After the MA has run a full import, the watermark value is set.

  • The external system does not support delta imports.

  • A USN-based system should run a full import if either of the following is true:

    • The directory has been restored from backup.

    • The latency between import runs exceeds your tombstone lifetime.

  • The external system uses change logs, and the change log has been truncated for some reason.

Delta Synchronization and Full Synchronization

During the synchronization phase, synchronization rules are processed. MAs use a set of rules to determine if and how objects in the connector space are synchronized with the metaverse. These rules determine how metaverse objects are created or linked to, how connector space objects are handled after a deletion, and how attributes of a connector space object are synchronized with a metaverse object. The metaverse also uses a set of rules to determine how changes to metaverse objects are provisioned to connector space, and how metaverse objects are handled after they are deleted.

Delta Synchronization

To run a delta synchronization, the MA processes changes only to those objects and attributes staged in the connector space that have changed. Those objects and attributes are then synchronized with the metaverse or disconnected, depending on the configuration of your synchronization rules. Therefore, any object with a pending add, modify, or delete will be evaluated, and only attributes with changes will process attribute flow rules and update the metaverse. Any attribute that has not been updated on the object will not be processed.

Full Synchronization

A full synchronization is used to evaluate and apply synchronization rules to all objects in the connector space. Those objects and attributes are then synchronized with the metaverse or disconnected depending on the configuration of the synchronization rules. Therefore, regardless of what attribute has been updated in the connector space or metaverse, all synchronization rules will be evaluated and applied to all objects.

Typically, a full synchronization is required when the synchronization rules in the metaverse have been updated.

Export

After running an export to an external system, a delta import and delta synchronization should immediately follow to confirm the hologram and make sure that the system state has been confirmed. It is typically easier to add these additional steps to the export run profile. By doing this, the delta import and delta synchronization will be called immediately after the export has been run.

If delta imports are not supported for the external system, a full import and a delta synchronization should be configured instead.

Combining these run profile step types can make scheduling management agent runs less complex.

Delta Import and Delta Synchronization

The delta import and delta synchronization run profile step type combines a delta import and a delta synchronization into one single step type.

This run profile step type imports only those objects and attributes from the connected data source whose values have changed since the last time the management agent was run. During the following delta synchronization step, only the objects that have pending changes from the delta import are processed.

Important

This feature has been deprecated and will be removed in future versions. Use run profiles with two steps instead.

Full Import and Delta Synchronization

The full import and delta synchronization run profile step type combines a full import and a delta synchronization into one single step type.

This run profile step type imports all objects and attributes from the external system. During the following delta synchronization step, all objects that have pending changes are processed.

Important

This feature has been deprecated and will be removed in future versions. Use run profiles with two steps instead.

Full Import and Full Synchronization

The full import and full synchronization run profile step type combines a full import and a full synchronization into one single step type.

This run profile step type imports all objects and attributes from the external system. During the following full synchronization run, all normal disconnectors are processed. By running this step, you also reapply attribute flow rules.

Important

This feature has been deprecated and will be removed in future versions. Use run profiles with two steps instead.
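
The full-import conditions, the confirming steps after an export, and the replacement of the deprecated combined step types can be put together in a small run planner. This is an added example, not code from FIM or from the original page: the MAState record and the function names are hypothetical, the step names are the ones listed above, and the export profile goes slightly beyond the text by applying every full-import condition, not only missing delta support.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Deprecated combined step types and the two single steps that replace them.
COMBINED = {
    "Delta Import and Delta Synchronization": ["Delta Import", "Delta Synchronization"],
    "Full Import and Delta Synchronization": ["Full Import", "Delta Synchronization"],
    "Full Import and Full Synchronization": ["Full Import", "Full Synchronization"],
}

@dataclass
class MAState:  # hypothetical per-MA record kept by the operator
    supports_delta: bool
    last_import: Optional[datetime]  # None: no import has run, so no watermark
    restored_from_backup: bool = False
    changelog_truncated: bool = False
    tombstone_lifetime: Optional[timedelta] = None  # USN-based systems only

def import_step(ma: MAState, now: datetime) -> Tuple[str, str]:
    """Pick the import step and give the reason, per the full-import conditions."""
    if ma.last_import is None:
        return "Full Import", "initial import, no watermark yet"
    if not ma.supports_delta:
        return "Full Import", "external system does not support delta imports"
    if ma.restored_from_backup:
        return "Full Import", "directory restored from backup"
    if ma.tombstone_lifetime and now - ma.last_import > ma.tombstone_lifetime:
        return "Full Import", "latency between imports exceeds tombstone lifetime"
    if ma.changelog_truncated:
        return "Full Import", "change log truncated"
    return "Delta Import", "watermark usable"

def expand(steps: List[str]) -> List[str]:
    """Rewrite deprecated combined step types as two single steps."""
    return [single for s in steps for single in COMBINED.get(s, [s])]

def export_profile(ma: MAState, now: datetime) -> List[str]:
    """Export, then the confirming import and delta synchronization."""
    return ["Export", import_step(ma, now)[0], "Delta Synchronization"]

if __name__ == "__main__":
    now = datetime(2024, 1, 10)  # constructed sample data
    stale = MAState(True, now - timedelta(days=200), tombstone_lifetime=timedelta(days=180))
    print(import_step(stale, now))
    print(export_profile(MAState(False, now - timedelta(days=1)), now))
    print(expand(["Full Import and Full Synchronization", "Export"]))
```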