ILM quick solution: getting attribute data from a referenced object

(draft, still under investigation…)

Some background information:

When ILM directly imports a reference attribute (CS>MV), it tries to maintain the reference, using the technique of referential integrity.

ILM automatically translates the link between the 2 objects (user > manager) from CS to Metaverse.

The MV object does not have a DN, but an ObjectGUID.

ILM translates the reference from CS DN to MV GUID.

A small example:


In MV the reference is translated to:


So you can’t use the CSEntry.DN value to search the metaverse directly.

Neither can you search the connector space in extension code. There is no FindMVentries equivalent for the connector space.

Also, you can’t access a MVEntry reference attribute .

More information:

How to get reference object in provisioning

Reference values not accessible on MV objects

This import flow code will fail:

Public Sub MapAttributesForImport( _

 ByVal FlowRuleName As String, _

 ByVal csentry As CSEntry, _

 ByVal mventry As MVEntry) _

 Implements IMASynchronization.MapAttributesForImport


 Select Case FlowRuleName

  Case "cd.user:manager->mv.user:department"

   ‘can’t search in connector space

   ‘trying to search metaverse

   If mventry("manager").IsPresent Then

    Dim findResultList() As MVEntry = _

     Utils.FindMVEntries("ObjectGUID", mventry("manager").Value.ToString, 1)


    If findResultList.Length > 0 Then

     Dim firstMVEntryFound As MVEntry = findResultList(0)

     mventry("department").Value = firstMVEntryFound("department").Value.ToString

    End If

   End If

  Case Else

   Throw New EntryPointNotImplementedException()

 End Select

End Sub

Error message:”System.InvalidOperationException: Unable to access attribute manager. Reference values not accessible on MV objects.”


So we need another approach.

We need some (non-referential) link to the manager, to be able to search the MV.

To document this post I was using an AD MA.
The only link between the user and manager in AD is still a reference (by DN) and you can’t change that.

(There is no other attribute linking them…)

As an example :


But you can store the DN as string value in an additional attribute like “ADdn” (string).

So: flow the CS <DN> into the MV.


(Or another ‘simple’ attribute if you have one to link to the manager…)

Next create a import flow rule to import an attribute from a referenced object:



Public Sub MapAttributesForImport( _

ByVal FlowRuleName As String, _

ByVal userCSEntry As CSEntry, _

ByVal userMVEntry As MVEntry) _

Implements IMASynchronization.MapAttributesForImport

 Select Case FlowRuleName

 Case "cd.user:manager->mv.user:department"


  ‘simple sample code block to flow managers department into MV

  ‘can be made more complex to flow only when user is manager

  If userCSEntry("department").IsPresent Then

   userMVEntry("department").Value = userCSEntry("department").Value

  End If


   ‘code block to flow manager’s department in user’s department

  If userCSEntry("manager").IsPresent Then

   ‘search for the manager

   Dim findManagerResultList() As MVEntry = _

    Utils.FindMVEntries("ADdn", userCSEntry("manager").Value.ToString, 1)

   If findManagerResultList.Length > 0 Then

    ‘get first entry

    Dim mvManagerFound As MVEntry = findManagerResultList(0)


    ‘if department filled, flow it

    If mvManagerFound("department").IsPresent Then

     userMVEntry("department").Value = mvManagerFound("department").Value

    End If

   End If

  End If

 Case Else

  Throw New EntryPointNotImplementedException()

 End Select

End Sub


Look at this example



First sync the manager to have the department attribute available:

(Eg preview > Commit preview, like shown below)


Next sync the user:

preview > Commit preview, like shown below


The user department has now been filled with the Manager’s department.


This is one of the possibilities to solve the issue, alternative and/or options might exist…

I’ll keep you updated when found.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.