Hello. Tim Macaulay here from the FIM Support team here at Microsoft. Recently I came across an issue that I felt needed a bit more clarification in how it works currently.
Recently I worked an issue where FIM was recognized as deleting the value from an attribute on outbound flow to Active Directory. Reviewing the Active Directory Outbound Synchronization Rule. The Active Directory Outbound Synchronization Rule contained an outbound attribute flow that contained a custom expression with an IIF statement. If the IIF statement evaluated to false then we passed the Null Function. This Null Function cleared the value for the destination attribute.
This seemed a bit weird, so I decided to reproduce the issue in my lab.
First I created a Synchronization Rule with an IIF statement. For my example, I am working with the department attribute.
Once I got the IIF Statement entered into the Synchronization Rule I got it into the Metaverse. I then brought my test user (SyncRule Tester) into the Metaverse and fully synchronized it. I then Previewed my test user object and found that nothing was happening to the Final Value column for the department attribute.
Since nothing was happening during the Preview of the object on the AD Outbound Synchronization Rule, I decided to Export the object to Active Directory to see if it updates the department attribute. As we can see the department attribute is not updated and still reflects the value of None.
I go back to the AD Outbound Synchronization Rule and on the Destination Tab, I place a check in the “Allow null value to flow to destination”.
Once I do this, I reproduce the test. Now we can see that the value is [Deleted] in the Final Value column.
We can also see this in the Pending Export tab as well.
In conclusion, we can understand the following:
- If you utilize the Null Function in a Synchronization Rule and do not check the “Allow null value to flow to destination” then nothing will happen to the Final Value of the attribute in question.
- If you utilize the Null Function in a Synchronization Rule and check the “Allow null value to flow to destination” then the Final Value of the attribute in question will be removed.
I did some additional research on this issue because there was the question of that this functionality did not exist in earlier builds of FIM. So prior to 4.1.2548 if the Allow Null check box was checked and you passed a Null using the Null Function, than it would do nothing as if the checkbox was not checked. This was found and fixed in 4.1.2548.
Here are some good references link that coincide with this blog.
- Introduction to Inbound Synchronization: https://technet.microsoft.com/en-us/library/ee534911(v=ws.10).aspx
- Introduction to Outbound Synchronization: https://technet.microsoft.com/en-us/library/ee534904(v=ws.10).aspx
Dealing with the Null Function
- FIM 2010 Functions Reference: https://technet.microsoft.com/en-us/library/ff800820(v=ws.10).aspx
- This is a general article with a listing of the different functions available inside of FIM.
- Using the Null Function to delete an attribute from a user in the metaverse: https://social.technet.microsoft.com/Forums/en-US/9c0ac6ee-4795-4aef-96f1-663cb50dc7d2/using-the-null-function-to-delete-an-attribute-from-a-user-in-the-metaverse?forum=ilm2
- This is a Forums posting that talks about the Null Function without the distinction of the Allow Null check box
- Best practices for FIM 2010: https://technet.microsoft.com/en-us/library/ff608274(v=ws.10).aspx