UNIFYBroker/Plus importing AD Users into a locker.  The 'member' field is locker-to-adapter mapped.  When I change the member field value in AD and run an Import All on the AD users connector, the following error is logged:

20210118,04:24:11,UNIFYBroker,Change detection engine,Error,"Changes register item processing on failed.
Parameter name: collection. Duration: 00:00:00.0139980
Error details:
Parameter name: collection. Duration: 00:00:00.0139980
Error details:
System.ArgumentNullException: Value cannot be null.
Parameter name: collection
at System.Collections.Generic.HashSet`1..ctor(IEnumerable`1 collection, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.MultiRelationalTransformationContribution.GetChangedMultiValues(IEntityPair entityPair, Boolean relevantFieldsChanged)
at System.Linq.Enumerable.d__23`3.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.EntityPartitionPostgreSqlContextBase`3.GetEntitiesByFieldValues(TEntityKey field, IEnumerable`1 values)
at Unify.Product.IdentityBroker.MultiRelationalTransformationContribution.d__25.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.d__64`1.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.ChainedTransformationChangeProcessor.PublishChange(IEntityPair[] changedEntityPairs, DateTime changeProcessTime, ICollection`1 changeRecords)
at Unify.Product.IdentityBroker.ChainedTransformationChangeProcessor.ProcessChangeReport(IDictionaryTwoPassDifferenceReport`4 changesReport, DateTime changeProcessTime)
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.ChangeReportProcessor.ProcessCurrentReport(IEnumerable`1 adapterTransformationProcessors, IDictionaryTwoPassDifferenceReport`4 differenceReport, DateTime changeTime)
at Unify.Product.IdentityBroker.ChangeReportProcessor.CreateAndProcessReport[T](ITransformationChangeProcessor[] adapterTransformationProcessors, ICollection`1 sourceEnumerable, DateTime changeTime, HashSet`1 invalidEntities, Action`2 addAction, Func`3 addCheck)
at Unify.Product.IdentityBroker.ChangeReportProcessor.ProcessReport(IChangeReportProcessingRequest request)",Normal

This is not urgent, just noting it here for completeness.  I don't believe it will impact the solution I'm currently working on.

See also: https://voice.unifysolutions.net/en/communities/6/topics/57-import-all-entitiesfrom-connector-workday-employee-failed-with-reason-value-cannot-be-null for the same error message - ticket closed but it may be that the underlying issue was not identified or fixed.

After a locker object was deprovisioned, the following warning started appearing when Baseline Sync was run:

20210118,02:44:56,UNIFYBroker,ProvisioningExecutor,Warning,The following entities [Count:1] for the link Entitlement Groups > Azure Cloud Groups (fa3bdd0f-5e3c-4fea-83c0-f7560800340c) are missing the field used for the join criteria: 723878ee-5950-4949-a5a0-3546820373a1: [ Cloud Group Name ],Normal

There is no entity with ID 723878ee-5950-4949-a5a0-3546820373a1 in the Broker/Plus UI.  I suspect this is a locker entity that didn't get properly deleted, and this warning is appearing because the locker no longer has a value for 'Cloud Group Name'.  But I am unsure if this is the only contributing cause.

Customer environment details are in the first comment.  I am currently seeing if I can reproduce the issue.

The follow error is appearing in my UNIFYBroker/Plus log.  Could you tell me more about what it means?

Request to sync changes on link failed.
Request to sync changes on link Employees > AD Users (6410cee2-8159-4cc3-89d6-0a3cc3d46fdb) in direction outgoing failed with message Could not complete synchronization on link '6410cee2-8159-4cc3-89d6-0a3cc3d46fdb' due to a converging join error.
First source entity id: cb04dfa0-66e9-46fd-862d-54512e11f2c3
Second source entity id: fb3ee77f-5370-44e7-b1ce-0b01c39c0f88
Offending target entity id: 4ffd33d1-ec16-464d-90cc-ab0fe7d7b93a [Count:6492]. Duration: 00:00:02.2246402
Error details:
System.Exception: Could not complete synchronization on link '6410cee2-8159-4cc3-89d6-0a3cc3d46fdb' due to a converging join error.
First source entity id: cb04dfa0-66e9-46fd-862d-54512e11f2c3
Second source entity id: fb3ee77f-5370-44e7-b1ce-0b01c39c0f88
Offending target entity id: 4ffd33d1-ec16-464d-90cc-ab0fe7d7b93a
at Unify.Product.Plus.LinkSynchronizer`2.JoinAndMap(IEnumerable`1 filterResult, IDictionary`2 changesDict)
at Unify.Product.Plus.Link.SynchronizeChanges[TSourceEntity,TTargetEntity](IEnumerable`1 changes, IEnumerable`1 syncTasks, Func`1 getTargetContextAccessor, IConnectionsContext connectionContext, ISynchronizationHelper`2 helper, IProvisioner`2 provisioner)
at Unify.Product.Plus.Link.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.LinkNotifierDecorator.<>c__DisplayClass42_0.<SynchronizeAdapterChanges>b__0()
at Unify.Framework.Notification.NotifierDecoratorBase.Notify[TResult](ITaskNotificationFactory notificationFactory, Func`1 function)
at Unify.Product.Plus.LinkNotifierDecorator.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.LinkAuditingDecorator.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.AdapterToLockerSynchronizationJob.RunBase()
at Unify.Product.Plus.SynchronizationJobExecutor.<ThreadAction>d__8.MoveNext()

I have a UNIFYBroker/Plus link with outgoing deprovision configured to a CSV adapter/connector, and when a joined locker entity is deleted the joined adapter/connector entity isn't deleted when a Changes Sync is run on the link.  It isn't deleted when a Baseline Sync runs on the link, either.

I tried the same process with a PowerShell connector and the same behaviour was apparent (i.e. the adapter/connector entity was not deleted).  I added logging and confirmed that the entity was not passed to the PowerShell connector's Delete script at all.

For reference, after Sync the Remove Joins page for the link did not show the deleted entity for either the locker or the adapter.

I don't know of anyone from Professional Services who has used Outgoing Deprovision in a UNIFYBroker/Plus solution before, so it may be worth checking around to see if this functionality has every been exercised before.

Can you tell me what circumstances might cause this error to happen?  I'm not sure where to start investigating.  I can't find any problems with what the solution is doing, just this error that occurs whenever I run a Baseline Sync on one of the links.

Thank you

In a Link pre-provisioning task I would like to generate a unique value for an adapter field.  I tried using $components.CheckFieldUniqueness to check $targetEntities, but that variable only contains adapter entities that are being provisioned, and not all the others that already exist in the adapter.

I also looked at $joinedEntities, but it similarly only includes the entities being provisioned.

Can you suggest some way that I can perform a unique value check for a field across all adapter entities?

In the MH solution I used a call-out to AD directly (via the ActiveDirectory PowerShell module) rather than using $components.CheckFieldUniqueness() so I didn't see this behaviour.

Unfortunately in this solution the field value clashes will be very common because the customer wants the first UPN that gets tried to be derived solely from the person's first name.

$components.CheckFieldUniqueness appears to be case sensitive, but UserPrincipalName in AD is case insensitive.

In my solution I am doing a check to ensure my UserPrincipalName field value is unique and $components.CheckFieldUniqueness tells me it is, but my update to AD fails because there that value is already present with different case.

i.e. "tom@contoso.com" vs "Tom@contoso.com"

How can I perform a case insensitive unique value check?

UNIFYConnect instance created some new users in an AD connector, but then the next time it ran the following error appeared:

When a lower priority incoming adapter source field value change is processed by a Changes Polling operation, higher priority field values from the target locker are not written back to the adapter entity.  When a Baseline Sync operation runs they are.  The practical outcome of this is that UNIFYBroker only enforces managed field values in downstream systems when a Baseline Sync is run.

Here's an example from a UNIFYConnect instance: MemberDNs is a multi-valued string field for managing group membership.

Incoming from Azure Cloud Groups:

Outgoing to AD Groups:

The mapping priorities in the Locker are as follows (i.e. Azure Cloud Groups is set as a higher priority mapping than AD Groups):

When the MemberDNs field of the Azure Cloud Groups entity changes (i.e. add or remove a value) that change goes through to the AD group and the AD group's membership is updated with the current values from the Azure Cloud Group and locker entity, as expected.

However, if the group membership's membership is then changed directly in AD that change then comes back as far as the adapter entity, but doesn't flow into the locker entity (and neither should it, because there are already a higher priority values mapped into the locker from the Azure Cloud Group adapter).  However, the correct values from the locker are not being written back to the adapter, which is the functionality we would like to have, so that when a change is made to a managed attribute in a downstream system UNIFYBroker/Plus will quickly revert that change and enforce the correct upstream value.

When a subsequent Baseline Sync is run on the AD Groups link the correct value from the locker is written to the adapter and the downstream system is updated to enforce the value.  This is a functional workaround, but scheduling frequent Baseline Sync operations has an operational overhead.

On the Remove Joins screen the Created and Modified dates are both set to "00001-01-01 00:00:00Z" for Adapter entities:

This is not impacting me in any way and I'm just mentioning it for completeness.