Identity Broker Forum

Welcome to the community forum for Identity Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Completed

Allow $logger component to specify module and submodule fields

Adrian Corston 4 years ago in UNIFYBroker Service updated by Matthew Davis (Technical Product Manager) 4 years ago 1

There is no documented way to set the third and fourth fields (which I will call 'module' and 'submodule') of each UNIFYBroker log entry when calling the $logger component.  It would be nice to be able to set them to more informative values, rather than always having them as 'UNIFYBroker' and 'PowerShellTask' respectively.

Answer

Hi Adrian,

The $logger component is designed to be a simple wrapper around the logging mechanism. For more complex log messages, use the $messageService variable. 

There are some extension methods provided for the next level of logging. You can find more information on those here:

Class NotificationEnumerableExtensions (unifysolutions.net)

Otherwise, you can use the underlying NotificationMessageService to notify listeners of a particular message. In this case, the product loggers will be listening on ILogEntryNotification: Class LogEntryNotification (unifysolutions.net)

The tricky thing with crafting one of these will be building the branding object (for a BrandedLogEntry). Technically this would allow you to change both the 'module' and 'submodule' components.

For ease of use, I'd recommend just using the NotificationEnumerableExtensions to log - which still use the underlying product for the third field but allow you to define the fourth field.

As a side note, for some reason the $messageService variable isn't actually hooked up for the Plus components, but is hooked up for the PowerShell connector and transformations.

0
Not a bug

Next run times don't look right for newly added connector schedules

Adrian Corston 5 years ago in UNIFYBroker Service updated by Matthew Davis (Technical Product Manager) 5 years ago 3

It's ~9:30am and I just added and enabled an Import All and Import Changes schedule to a connector.  The Import All I set to run at 12:55:57am, and the Import Changes every 1 minute.  The following appeared, which doesn't look right - 1am isn't an hour away, and one minute is not 10 hours away:

Image 5924

Answer

Hi Adrian,

The scheduled times are displayed in the local time of the machine. In this case, the containers are running on UTC. So with the UTC time (at time of screenshot) being 11pm on 30 November, that looks accurate.

0
Under review

Re-order Connectors and Adapters

Adrian Corston 5 years ago in UNIFYBroker Service updated by Matthew Davis (Technical Product Manager) 3 months ago 1

In UNIFYBroker we could edit the connector and adapter extensibility files to re-order the connectors and adapters in the web UI.  Could you please add a facility to do this in UNIFYConnect?

0
Not a bug

Join with Sliding Window with Most Relevant doesn't match record with NULL end date

Adrian Corston 5 years ago in UNIFYBroker Service updated by Matthew Davis (Technical Product Manager) 5 years ago 6

UNIFYBroker v5.3.2 with Chris21.

Chris21 Person adapter is configured with a Join transformation to a Chris21 placement connector with a Sliding Window and type Relevant.  A placement with a start date in the past and a NULL end date is not being selected (a NULL end date means ongoing placement, with no scheduled end date).  Instead, the most recent placement with a non-NULL end date is selected.

Here is the placement data:

Image 5870

Here is the configuration:

Image 5871

The transformed adapter data shows an incorrect posstart and posend (and all other selected attributes):

Image 5872

This problem did not occur in Identity Broker v4.

It may also be relevant to note that the 'First' or 'Priority Selection' radio box does not appear for the Relevant type.  It used to appear for this transform and type in Identity Broker v4.

Answer

Hi Beau, sorry I thought I'd already responded to this.  The problem was just a handful of records and Generate Changes cleared it.  Please close this ticket.

0
Completed

REST API endpoint for external Azure Access Request call-ins

Adrian Corston 5 years ago in UNIFYBroker Service updated by Matthew Davis (Technical Product Manager) 5 years ago 4

In this morning's MS Identity Advisors session MS provided a clear indication that they are planning to move towards a call-out model for on-demand Access Request integration with external systems.  To get ahead of the curve on this, we could look at offering an extensible REST API endpoint in UNIFYBroker.

Typical usage would be:

Azure sends UNIFYBroker a request for user "bobsmith" asking UNIFYBroker for a certain attribute for that user (e.g. department number) or asking UNIFYBroker to provide an answer to a question (such as "is this user allowed to get access to resource X at the moment?"). UNIFYBroker responds and Azure uses that information to approve or deny an in-flight Access Request.

My suggested solution is that the request for user "bobsmith" (and/or "resource X") would map to an adapter record lookup, and the "answer" UNIFYBroker gives back would be the value of one or more fields for that matching record.

Answer

Hi Adrian

Since v5.2, Broker has included the OData gateway, which allows adapter entities to be queried via an OData REST API, which would cover the use case in your example. That said, since its introduction I don't believe it's seen much, if any, real usage so may not fully support the types of request and filtering features that would be expected of it. Improving the OData gateway is definitely something we're interested in for future releases, so if you have the chance to try it out your feedback would be appreciated.

Also introduced in v5.2, the SCIM gateway provides a REST API conforming to the SCIM 2 specification, a standardized data schema for transmitting identity information via JSON payloads. The primary usage of this gateway thus far has been to connect Broker with Azure AD, which operates as a SCIM client to pull and push standardized users and groups from Broker. I mention it because it does support search and filtering features that would cover your example use case, however the rigid data structure it provides may be too limiting for non-SCIM-specific scenarios.

0
Answered

Difference between the Time Offset configuration in IDB 4 and IDB 5

Hi Team,

In IDB 4, the Join Transformation has this configuration (see attached screenshot) 

Image 5863

Whereas in IDB 5 it looks like this (see attached screenshot)

Image 5864

How come in IDB 4 it's a '-' sign between [posstart] and the time offset, whereas in IDB 5 it's a '+' sign? What is the difference? Thank you

Regards,
Marc Laroza

Answer

Hi Marc

I believe the v4 UI was incorrect, and it was updated to reflect how the offset times are actually calculated. I don't think the actual behaviour of the transformation changed, but you should double check this to be sure.

0
Fixed

AD Connector ObjectSid field not working with Postgresql

Matthew Davis (Technical Product Manager) 5 years ago in UNIFYBroker Service updated by anonymous 3 years ago 2

When running an import on AD Groups, the objectSid field is defined as a string on the connector schema. SQL can import this field fine (although shows as jargon on the UI). Postgres fails to import with the following error:

Connector Processing page 1 for connector On-Prem Groups failed with reason 22P05: unsupported Unicode escape sequence. Duration: 00:00:08.3359933.
Error details:
Npgsql.PostgresException (0x80004005): 22P05: unsupported Unicode escape sequence
at Npgsql.NpgsqlConnector.<>c__DisplayClass161_0.<<ReadMessage>g__ReadMessageLong|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Npgsql.NpgsqlConnector.<>c__DisplayClass161_0.<<ReadMessage>g__ReadMessageLong|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Npgsql.NpgsqlDataReader.<NextResult>d__46.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Npgsql.NpgsqlDataReader.NextResult()
at Npgsql.NpgsqlCommand.<ExecuteDbDataReader>d__100.MoveNext()


Changing the field type to 'binary' and attempting an import yields a different error at an earlier stage:

Unify.Product.IdentityBroker.EntitySchemaValidationException: Invalid binary - the value was a string, but was not able to be converted as a base64 encoded string from: ??? ? ---> System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength)
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at Unify.Product.IdentityBroker.EntityBinaryTypeSchemaValidator.CreateValue(Object dataValue)
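
As an added illustration (not code from the post or from UNIFYBroker), the Python below shows why both errors above occur: a string-typed objectSid holds the raw SID bytes read as text, which contain NUL and undecodable bytes that PostgreSQL refuses and that are not valid base64 either, whereas the canonical S-1-... form or a base64 encoding of the bytes is storable. The SID value is constructed for this example.

```python
import base64
import struct

# Constructed sample SID, S-1-5-21-1000-2000-3000-1105: not taken from any real directory.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1000, 2000, 3000, 1105)

def sid_to_string(sid_bytes):
    """Decode the binary objectSid layout into the canonical S-R-I-S... text form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then `count` little-endian 32-bit sub-authorities."""
    revision, count = sid_bytes[0], sid_bytes[1]
    if len(sid_bytes) != 8 + 4 * count:
        raise ValueError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(sid_bytes[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid_bytes, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_as_text(sid_bytes):
    """What a string-typed schema field ends up holding: the raw bytes read as text,
    with undecodable bytes replaced (the '???' quoted in the second error above)."""
    return sid_bytes.decode("utf-8", errors="replace")

def contains_nul(text):
    """PostgreSQL cannot store U+0000 in text or JSON values; for jsonb it reports
    the 22P05 'unsupported Unicode escape sequence' error quoted above."""
    return "\x00" in text

def is_valid_base64(text):
    """What the 'binary' schema type expects of a string value."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:  # binascii.Error is a subclass; non-ASCII input raises ValueError
        return False

def sid_to_base64(sid_bytes):
    """A storable representation for a binary field: base64 of the raw bytes."""
    return base64.b64encode(sid_bytes).decode("ascii")
```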
0
Under review

Extensibility config lost due to full hard disk

Liam Schulz 5 years ago in UNIFYBroker Service updated by Matthew Davis (Technical Product Manager) 6 months ago 1

Hi,

Recently we had an issue come up where the server ran out of disk space while writing the XML config files.

Would we be able to request a feature where the existing file is renamed to a .bak file before writing a new XML file.

If the server runs out of disk space, the file will fail to rename, preventing the mentioned issue.

Thanks
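
As an added example of the safe-write pattern requested above (my own Python, not UNIFYBroker code), this keeps the previous file as .bak as the post asks and additionally writes the new content to a temporary file first, so a full disk can never leave the live config half-written. The config file name and the disk-full writer are constructed for the demo.

```python
import errno
import os
import tempfile

def _write_and_sync(tmp_path, data):
    # Default writer: flush and fsync so the bytes are on disk before any rename.
    with open(tmp_path, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())

def write_config_safely(path, data, writer=_write_and_sync):
    """Write to a temp file first; only once it is complete is the current file
    renamed to .bak (as the post requests) and the temp file renamed into place."""
    tmp, bak = path + ".tmp", path + ".bak"
    try:
        writer(tmp, data)
    except OSError:  # e.g. ENOSPC: discard the partial file; live config is untouched
        if os.path.exists(tmp):
            os.remove(tmp)
        raise
    if os.path.exists(path):
        os.replace(path, bak)  # previous good copy survives as .bak
    os.replace(tmp, path)  # rename is atomic on POSIX and NTFS

def load_config(path):
    """Read `path`, falling back to the .bak copy if it is missing or empty."""
    for candidate in (path, path + ".bak"):
        if os.path.exists(candidate) and os.path.getsize(candidate) > 0:
            with open(candidate, "rb") as f:
                return f.read()
    raise FileNotFoundError(path)

def disk_full_writer(tmp_path, data):
    # Constructed failure: writes half the data, then fails like a full disk.
    with open(tmp_path, "wb") as f:
        f.write(data[: len(data) // 2])
    raise OSError(errno.ENOSPC, os.strerror(errno.ENOSPC), tmp_path)

def demo():
    # Two good writes, then one that hits a full disk; returns what survives.
    path = os.path.join(tempfile.mkdtemp(), "Extensibility.xml")  # assumed file name
    write_config_safely(path, b"<config version='1'/>")
    write_config_safely(path, b"<config version='2'/>")
    try:
        write_config_safely(path, b"<config version='3'/>", writer=disk_full_writer)
        failed = False
    except OSError as err:
        failed = err.errno == errno.ENOSPC
    return load_config(path), load_config(path + ".bak"), failed, os.path.exists(path + ".tmp")
```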

0
Under review

MIM Sync Adapter integration usability improvement suggestion

Bob Bradley 5 years ago in UNIFYBroker Service updated by Matthew Davis (Technical Product Manager) 6 months ago 4

At the UNIFYBroker site I am presently working on there are now 7 Broker-driven management agents for MIM, most of which interact with multiple adapters.  I have found that it starts to get unwieldy when a single schema change in a single connector requires a schema/interface refresh of all 7 management agents.  Furthermore, when deploying MIM sync configuration and using the schema matching dialog, there is a need to deselect all of the adapters (LDAP partitions) which are not relevant to each particular MA, complicating the deployment process.

It would be great if there was a way to limit visibility of the UNIFYBroker adapter set on a per-management agent basis - and the most obvious way I could think of achieving this would be by using multiple LDAP user accounts, and extending the Settings page to support multi-selection of adapters per LDAP user.  In this way, adapters visible to any given MIM MA would be determined by the use of an appropriate user account - rather than the current practice of using the same LDAP user for every MA.

This would address both of my above scenarios as follows:

  1. A single connector schema change would potentially limit the need for schema refreshes to a single MA; and
  2. Partitions not visible to the LDAP account would no longer appear on the partition matching dialog, and in most cases this would reduce the number of partitions requiring deselection (and in many cases eliminate the partition matching dialog being displayed altogether) when importing MIM sync server config XML.

0
Fixed

Reverse DN Converter transform silently ignores value deletion

Adrian Corston 5 years ago in UNIFYBroker Service updated 5 years ago 7

I have an adapter with the following transform:

Image 5762

This transform works as expected in both directions, but when an update comes from the LDAP gateway to delete the DN value that LDAP request is successful, but the old values for the DN (SubsectionDN) and the source attribute (Subsection) are retained.