Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Understanding Joining
Published Nov 01 2019 02:54 PM 1,434 Views
Microsoft

First published on MSDN on Jan 19, 2017

Update 1/19/2017

There are 3 ways to set up Join Logic for objects in the Connector Space of an MA to “Join” to objects in the Metaverse.

1st.

Direct Join on the MA , configured on the MA within the properties and by selecting "Join and Projection", yes this is the same section you would configure projection. The Below image is the most basic of Join Logic on an MA and is a Direct Mapping from Connector Space with an Object in the Metaverse.

The biggest thing to remember is you need to make sure you select the correct Metaverse Object Type when setting up the Direct Join, i cant tell you how many times i have had customers with join issues and its a basic direct Join except instead of selecting Person or Group or what ever the object they wanted to try and join to the left it with the default Metaverse object type of "Any" just make sure you select the correct Object Type you wish to to try and join to in the Metaverse

Doesn't get much more basic than that, in the below example the Join logic on the MA looks at the object in the Connector Space ( more specifically the sAMAccountName of the object) and looks in the Metaverse of a Person object with a matching accountName attribute value.

2nd

Using Sync Rules, in an environment where Sync Rules are being used sometime this environment is called "Code less" or "Code Light"

When configuring A Sync Rule on the Relationship Tab this is where you would configure the Join "logic" that can be used to join objects from the Connector Space to the Metaverse, the image below shows the same "join logic" that was configured on the MA except this is just a different way to achieve the same result.

Now remember when I said careful that you select the correct object type to join to when configuring the Join logic in the MA, what same thing applies with Sync Rules except with Sync Rules its controlled in the  Scope Tab of the Sync Rule Configuration UI, The image below shows where the selection of Object Type is made, this step is “Doubly” important on the Sync Rule because this also can affect what type of object is Created in the Portal.

Very Important to note that the Join Logic on a Sync Rule is only applied to Inbound Sync Rules, when you configure an Outbound Scoping Filter Sync Rule it will allow you to configure the Join logic but once you complete the Sync Rule Configuration if you open up the Sync Rule that you just configured the Relation Tab is gone

The first 2 methods for Configuring "Join Logic" are very basic and are able to cover a Large Percentage of the scenarios for Joining objects from a Data Source to the Metaverse, now for some reason if you have Join Logic configured on the MA as well on A Sync Rule that connect to that same MA, the Join Logic set on the MA will get applied first.

Now I know I have said a few times within this post that you need to make sure that you have selected the correct Object Type for Joining Weather it be on the MA Join Configuration or the Sync Rule Configuration, There are times that you may need to Join 2 objects that are not of the same object type best example is User or Person Objects to “FSP’s” (foreignSecurityPrincipalys). See the following blog for more info Cross Forest Management – (Create groups with FSP’s as Members) Part 1

 

3rd

Using a Custom MA Extension, There are many reasons you would need to use a custom MA Extension that would include complex Join Logic and it would be impossible to go over every scenario, but an example  would be the following Scenario

2 Forest

Forest 1 Contoso

Forest 2 Fabrikam

Group objects from the Contoso Forest are created in Fabrikam with 2 Separate MA’s, 1 MA is created with the Same Information from Contoso, Same displayName, samAccountName, memberships etc. the 2nd MA creates the group with the characters “SP_” in the beginning of each the groups displayNames, samAccountName etc. ideally I would have used a separate attribute to write the value of the source info and did a join like extenisionAttribute1 to accountName but some times we are working in environments where you don't have extra attributes or you are coming behind someone else and you are playing cleanup.

Please see the following Post Rules Extensions – MapAttributesForJoin for writing the code for Join Logic in a Custom MA Extension.

 

 

Questions? Comments? Love FIM/MIM so much you can’t even stand it?

EMAIL US!

>WE WANT TO HEAR FROM YOU<

## https://blogs.msdn.microsoft.com/connector_space # #

Version history
Last update:
‎Feb 20 2020 01:13 PM
Updated by: