Answered

Can't find any entities in a pre-provisioning outbound task during Baseline Sync for brand new entities in the Locker

Adrian Corston 5 years ago in UNIFYBroker/Plus updated by Beau Harrison (Senior Product Software Engineer) 4 years ago 11

I have a locker with a number of new entities that I am trying to provision to an adapter via a link.  The underlying connector (AD, "group" object type) requires certain entity data attributes to be set that aren't available in the Locker, so I am trying to use an Outgoing Pre-Provisioning Task to set those attributes.  However, I cannot see any entities in the Pre-Provisioning Task.

I followed these instructions:

Image 5560

Here is my synchronously executed outgoing pre-provisioning task:

$ProvisioningOU = "OU=Azure Entitlements Demo,DC=adrian,DC=unifysolutions,DC=net"
$Logger.LogInformation("***** Pre-Provision to '$ProvisioningOU' *****")

foreach ($entity in $sourceEntities) {
    $Logger.LogInformation("***** Pre-Provision sourceEntity *****")
}

foreach ($entity in $targetEntities) {
    $Logger.LogInformation("***** Pre-Provision targetEntity *****")
    $cn = $entity.SourceEntity["displayName"]
    $dn = "CN=$cn,$ProvisioningOU"
    $entity["ActiveDirectoryGroupDn"] = $dn
    $Logger.LogInformation("Provision '$cn' to $dn")
}

foreach ($entity in $joinedEntities) {
    $Logger.LogInformation("***** Pre-Provision joinedEntity *****")
}

$Logger.LogInformation("***** Pre-Provision Done *****")

Here is what I see in the error log (set to Diagnostic):

Image 5561

There do not appear to be any entities being passed to the Task.  The 5 entities not currently provisioned are marked as Incomplete (the other entity is pre-existing in the target connector/adapter).

In the Pre-Provisioning Task, how can I access the entities that are to be provisioned?


Outgoing provisioning is enabled.

I also tried deleting the entities from the Locker and re-provisioning them from the source Adapter and the behaviour was no different.

Under review

Hi Adrian,

If the entities you are trying to provision are "Incomplete" then the provisioning won't happen for those entities. It's not possible for the completeness check to take provisioning task behaviour into consideration. Run your PowerShell on an inbound provisioning task, populating a field on the locker entities, then configure the locker<->AD link to map this new field to the required ActiveDirectoryGroupDn.

Thanks Beau.

What is the Outbound Pre-Provisioning Task used for then?  i.e. When would a brand new entity be anything other than Incomplete?

Hi Beau,
I'm back here again, trying to set up some fields on an object in order to prepare it for outbound provisioning, and once again I can't work out how to access those objects.  Could you please let me know how I can set all the fields required to make the object complete?  Should I just put dummy Mappings in, then use the outbound pre-provisioning task to set them correctly?

Thanks.

Answered

Hi Adrian

Locker entities need to be complete before outbound syncing starts, as provisioning tasks run after the incompleteness check. Perform any entity modification in an inbound provisioning task.

Hi Beau,
For some solutions, some entities must only be set when provisioning the object.  For example when creating an AD user, a distinguished name must be specified, but often the customer then wants to be able to manually move that user to different OUs and not have that managed permanently by the solution.  In this case, what you are suggesting won't achieve the required outcome.
That's why I'm trying to use the outbound pre-provisioning task to only set a field value on "provision-only" fields, rather than have mappings that are enforced all the time.

Under review

Sorry, I misread and misinterpreted your question. The fields you're trying to set are adapter fields marked "Required", and don't have any mappings on the link, correct? If that's the case, setting values in the synchronous pre-provisioning tasks can be used to complete entities.

Did a quick test just to make sure, and it does work. This was my locker schema

and the adapter being synchronized to

Set up a link only on the id fields

and used this script in a synchronous pre-provisioning task to populate userdn. Note that I could have also gotten the mapped id from the target entity with $entity.TargetEntity['id'].Value as mappings are applied before provisioning tasks run.

foreach ($entity in $joinedEntities)
{
    $id = $entity.SourceEntity['ID'].Value
    $entity.TargetEntity['userdn'] = "cn=$id"
}
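
Combining the two scripts in this thread, as an added example that is not part of the original posts: it sets Adrian's ActiveDirectoryGroupDn through $joinedEntities as in Beau's script, and escapes the display name before placing it in the DN so that a name containing a comma or another RFC 4514 special character cannot change the DN's structure. ConvertTo-EscapedRdnValue and the stand-in objects are hypothetical, and it is an assumption that the field accepts a string DN in the same way userdn does above.

```powershell
# Added example, not from the thread. ConvertTo-EscapedRdnValue is a hypothetical helper.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash-escape RFC 4514 specials, a leading '#' or space, and a trailing space.
    $escaped = $Value -replace '(^[# ]| \z|[\\,+"<>;=])', '\$1'
    # NUL cannot be backslash-prefixed; it is written as a hex pair.
    return $escaped.Replace([string][char]0, '\00')
}

# Outside the task host these variables do not exist, so build constructed stand-ins.
if ($null -eq $joinedEntities) {
    $Logger = [pscustomobject]@{} |
        Add-Member -MemberType ScriptMethod -Name LogInformation -Value { param($m) Write-Host $m } -PassThru
    $joinedEntities = @(
        @{ SourceEntity = @{ displayName = [pscustomobject]@{ Value = 'Sales, EMEA' } }; TargetEntity = @{} }
    )
}

$ProvisioningOU = "OU=Azure Entitlements Demo,DC=adrian,DC=unifysolutions,DC=net"

foreach ($entity in $joinedEntities) {
    # Field names are the ones used in the posts above.
    $cn = [string]$entity.SourceEntity['displayName'].Value
    if ([string]::IsNullOrWhiteSpace($cn)) {
        # Without a name there is no RDN to build, so leave the target field unset.
        $Logger.LogInformation("Skipping entity with no displayName")
        continue
    }

    # Only the RDN value is escaped; the OU suffix is a fixed, trusted constant.
    $dn = "CN=$(ConvertTo-EscapedRdnValue $cn),$ProvisioningOU"
    $entity.TargetEntity['ActiveDirectoryGroupDn'] = $dn
    $Logger.LogInformation("Provision '$cn' to $dn")
}
```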

Thanks Beau, we are on the same page on what I'm trying to achieve.

I thought that's what I was doing when I saw the error.  I will double-check my work, but could you confirm you don't see the error in your log?  I am using an AD connector, in case that makes a difference.

I get:

Request to sync locker to adapter completed.
Synchronization job completed syncing 1 changes on the 'ph to locker' link from the locker to adapter. Delayed: 0 Incomplete: 0 Denied: 0 Job ID: 6addd4fd-d626-4d12-8140-f5af0bb79795 Duration: 00:00:02.3250354

By 'error' do you mean this kind of message, just with a >0 count for Incomplete or an actual error?


Thanks Beau, I had a knowledge transfer session with Matt today and now have a better understanding of all this, including why I was having problems and what to do about them.  You can close this ticket as it's no longer an issue.