Problema de Sync nos objetos From FIM 2010 to External System

Após a criação das regras de synchronismo poderá ocorrer os seguintes erros caso você não tenha habilitado as devidas MPR´s.

“Identity Manager Policy prohibits the request from completing.”

“"failed-creation-via-web services"

"failed modification via web services"

Looking at the detailed error trace here's the output:

There is an error executing a web service object creation request.
Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException

Message: Fault Reason: Policy prohibits the request from completing.

Fault Details: <RequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"></RequestFailures>

Stack Trace:    at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Message request)
   at Microsoft.ResourceManagement.WebServices.ResourceFactoryClient.Create(Create createBody)
   at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()

Inner Exception: Policy prohibits the request from completing.

Como verificar quais MPR´s devem ser habilitadas?

Executar o script PowerShell abaixo

Using PowerShell to check your MPR configuration for synchronization

1. #-------------------------------------------------------------------------------------------------------------------------
2. # Name   : Using PowerShell to check your MPR configuration for synchronization
3. # Version: 2.0
4. #-------------------------------------------------------------------------------------------------------------------------
5.   Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice' " -Option Constant 
6.   Set-Variable -Name msgWarning -Value "Caution: Your current MPR configuration requires your attention!" -Option Constant
7.   Set-Variable -name msgOK -Value "Your current MPR configuration meets all requirements" -Option Constant
8. #-------------------------------------------------------------------------------------------------------------------------
9.  Function GetObjects 
10.  {   
11.     Param($Filter)   
12.     End
13.     {
14.        $ExportObject = Export-Fimconfig -uri $URI `
15.                              –onlyBaseResources `
16.                              -customconfig ($Filter) `
17.                              -ErrorVariable Err `
18.                                                                                      -ErrorAction SilentlyContinue
19.        If($Err){Throw $Err}
20.        Return $ExportObject 
21.      }
22.  }
23. #-------------------------------------------------------------------------------------------------------------------------
24.  Function ShowResults
25.  { 
26.     Param([ref]$bActionItem, $lstAttributes, $msgMissing) 
27.     End 
28.     {
29.        if([int]($lstAttributes.length) -eq 0) {return}
30.        $bActionItem.value = $true   
31.        Write-Host "`n$msgMissing" -foregroundcolor black -backgroundcolor yellow   
32.        ForEach($attributeName In $lstAttributes) {Write-Host " -$attributeName"} 
33.     }
34.  }
35. #-------------------------------------------------------------------------------------------------------------------------
36.  Function GetXmlDoc
37.  { 
38.     Param($exportObjects, $attributeName) 
39.     End
40.     {   
41.        $curAttribute = $exportObjects.ResourceManagementObject.ResourceManagementAttributes | `
42.                                Where-Object {$_.AttributeName -eq "$attributeName"}   
43.        Return "<root>$($curAttribute.Value)</root>" 
44.     }
45.  }
46. #-------------------------------------------------------------------------------------------------------------------------
47.  Function GetDataFromMpr 
48.  { 
49.     Param($mprName, [ref]$lstMissingMpr, [ref]$lstDisabledMpr) 
50.     End
51.     {
52.        $curMprObject = GetObjects -Filter "/ManagementPolicyRule[DisplayName='$mprName']"   
53.        If($curMprObject -eq $null) {$lstMissingMpr.value += $mprName}   
54.        Else
55.        {    
56.           $curAttribute = $curMprObject.ResourceManagementObject.ResourceManagementAttributes | `
57.                           Where-Object {$_.AttributeName -eq "Disabled"}    
58.           If($curAttribute.Value -eq "True") {$lstDisabledMpr.value += $mprName}   
59.        }  
60.     }
61.  }
62. #-------------------------------------------------------------------------------------------------------------------------
63.  Function GetResAttrsForMpr
64.  { 
65.     Param($mprName) 
66.     End
67.     {   
68.        $curMprObject = GetObjects -Filter "/ManagementPolicyRule[DisplayName='$mprName']"   
69.        If($curMprObject -eq $null) {Return @()}   
70.        $curAttribute = $curMprObject.ResourceManagementObject.ResourceManagementAttributes | `
71.                Where-Object {$_.AttributeName -eq "ActionParameter"}   
72.        If($curAttribute -eq $null) {Return @()}   
73.        return $curAttribute.Values 
74.     }
75.  }
76. #-------------------------------------------------------------------------------------------------------------------------
77.  Function GetEafAttributesForObjectType
78.  {  
79.     Param($cdObjectType, $mvObjectType, $xmlDoc)  
80.     End  
81.     {   
82.        $lstAttribute = @()   
83.        $typeNode = $xmlDoc.selectSingleNode("//export-flow-set[@cd-object-type='$cdObjectType' and @mv-object-type='$mvObjectType']")   
84.        If($typeNode -eq $null) {Return $lstAttribute}   
85.        ForEach($curNode in $typeNode.selectNodes("export-flow[direct-mapping]"))   
86.        {
87.           $lstAttribute += $curNode.selectSingleNode("@cd-attribute").get_InnerText()   
88.        }
89.   
90.        Return $lstAttribute  
91.     } 
92.  }
93. #-------------------------------------------------------------------------------------------------------------------------
94.  Function GetAttributeDiff
95.  { 
96.     Param([array]$lstSource, [array]$lstTarget) 
97.     End
98.     {   
99.        $lstAttributes = @()   
100.        ForEach($attrName in $lstSource)   
101.        {  
102.           If(!($lstTarget -contains $attrName)) {$lstAttributes += $attrName}   
103.        }
104.    
105.        Return $lstAttributes  
107.     }
108.  }
109. #-------------------------------------------------------------------------------------------------------------------------
110.  If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {Add-PSSnapin FIMAutomation}
111. #-------------------------------------------------------------------------------------------------------------------------
112.  $exportObjects = GetObjects -Filter "/ma-data[SyncConfig-category='FIM']"
113.  If($exportObjects -eq $null) {Throw "There is no FIM MA configured on your system!"}
114.  [xml]$xmlExportFlow = GetXmlDoc -exportObjects $exportObjects `
115.                                  -attributeName "SyncConfig-export-attribute-flow"
116.  [xml]$xmlProjection = GetXmlDoc -exportObjects $exportObjects `
117.                                  -attributeName "SyncConfig-projection"
118.  
119.  [array]$lstEafAttributesPerson = GetEafAttributesForObjectType -cdObjectType "Person" `
120.                                                                 -mvObjectType "person" `
121.                                                                 -xmlDoc $xmlExportFlow
122.                                                                
123.  [array]$lstEafAttributesGroup = GetEafAttributesForObjectType -cdObjectType "Group" `
124.                                                                -mvObjectType "group" `
125.                                                                                                                                                                        -xmlDoc $xmlExportFlow
126.  
127.  If($lstEafAttributesGroup -contains "Member")
128.  { 
129.     $lstEafAttributesGroup = @($lstEafAttributesGroup | Where-Object {$_ -ne 'Member'}) 
130.     $lstEafAttributesGroup += "ExplicitMember" }
131.     If($xmlProjection.selectNodes("//class-mapping[@cd-object-type='Person']").get_count() -eq 0) {Throw "The FIM management agent does not manage person objects"}
132.    
133.     $bHasGroups = $xmlProjection.selectNodes("//class-mapping[@cd-object-type='Group']").get_count() -gt 0
134. #-------------------------------------------------------------------------------------------------------------------------
135.  $mprNames = @() 
136.  $mprNames += "General: Users can read schema related resources"
137.  $mprNames += "General: Users can read non-administrative configuration resources"
138.  $mprNames += "User management: Users can read attributes of their own"
139.  $mprNames += "Synchronization: Synchronization account can delete and update expected rule entry resources"
140.  $mprNames += "Synchronization: Synchronization account can read schema related resources"
141.  $mprNames += "Synchronization: Synchronization account can read synchronization related resources"
142.  $mprNames += "Synchronization: Synchronization account can read users it synchronizes"
143.  $mprNames += "Synchronization: Synchronization account controls detected rule entry resources"
144.  $mprNames += "Synchronization: Synchronization account controls synchronization configuration resources"
145.  $mprNames += "Synchronization: Synchronization account controls users it synchronizes"
146.  
147.  If($bHasGroups -eq $true)
148.  {
149.     $mprNames += "Synchronization: Synchronization account can read group resources it synchronizes" 
150.     $mprNames += "Synchronization: Synchronization account controls group resources it synchronizes"
151.  }
152. #-------------------------------------------------------------------------------------------------------------------------
153.  $bActionItem = $false
154.  $lstDisabledMpr = @() 
155.  $lstMissingMpr = @()
156.  
157.  ForEach($mprName In $mprNames)
158.  { 
159.     GetDataFromMpr -mprName $mprName `
160.                            -lstMissingMpr ([ref]$lstMissingMpr) `
161.                                                    -lstDisabledMpr ([ref]$lstDisabledMpr)
162.  }
163. #-------------------------------------------------------------------------------------------------------------------------
164.  Clear-Host
165.  Write-Host "`nFIM MPR Configuration For Synchronization Check"
166.  Write-Host "==============================================="
167.  ShowResults -bActionItem ([ref]$bActionItem) `
168.              -lstAttributes $lstMissingMpr `
169.              -msgMissing "Missing MPRs:"
170.             
171.  ShowResults -bActionItem ([ref]$bActionItem) `
172.              -lstAttributes $lstDisabledMpr `
173.              -msgMissing "MPRs that need to be enabled:"
174.  
175.  $mprName = "Synchronization: Synchronization account controls users it synchronizes"
176.  
177.  [array]$lstResAttributes = GetResAttrsForMpr -mprName $mprName
178.  [array]$lstMissingAttrs = GetAttributeDiff -lstSource $lstEafAttributesPerson `
179.                                             -lstTarget $lstResAttributes
180.  ShowResults -bActionItem ([ref]$bActionItem) `
181.              -lstAttributes $lstMissingAttrs `
182.              -msgMissing "Missing attributes of $($mprName):"
183.             
184.  If($bHasGroups -eq $true)
185.  { 
186.     $mprName = "Synchronization: Synchronization account controls group resources it synchronizes" 
187.     $lstResAttributes = GetResAttrsForMpr -mprName $mprName   
188.     $lstMissingAttrs  = GetAttributeDiff -lstSource $lstEafAttributesGroup `
189.                                          -lstTarget $lstResAttributes 
190.     ShowResults -bActionItem ([ref]$bActionItem) `
191.                 -lstAttributes $lstMissingAttrs `
192.                 -msgMissing "Missing attributes of $($mprName):"
193.  }
194. #-------------------------------------------------------------------------------------------------------------------------
195.  If($bActionItem -eq $true) {write-host "`n$msgWarning`n" -foregroundcolor white -backgroundcolor darkblue}
196.  Else {write-host "`n$msgOK"}
197. #-------------------------------------------------------------------------------------------------------------------------
198.  Trap
199.  { 
200.     Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred  
201.     Write-Host $_.Exception.GetType().FullName -foregroundcolor white -backgroundcolor darkred 
202.     Exit 1
203.  }
204. #-------------------------------------------------------------------------------------------------------------------------

Source Script:

 Using PowerShell to check your MPR configuration for synchronization

Executar o script que ira trazer quais as MPR´s deverão ser habilitadas conforme mostra abaixo.

“MPRs that need to be anabled”

Basta habilitar as MPRs que os sincronismos irá ocorrer sem problemas.