Provisioning is the process of creating, connecting, and disconnecting objects in a connector space, based on changes to objects in the metaverse. Provisioning performs object-level actions, such as:


Export attribute flow rules are always called after provisioning rules have been run. Be aware that export attribute flow rules could modify attributes that were set by the provisioning rules. For this reason, any "one-time" operations, such as setting an initial password, should be done in the provisioning rules, not the export attribute flow rules.

To implement provisioning, you create and enable a rules extension. When you enable provisioning rules, they affect all objects in the metaverse. Provisioning rules are called whenever a metaverse object is modified by the following methods:

The rules extension for provisioning rules can take advantage of the transactional capabilities of Microsoft® Forefront Identity Manager (FIM) 2010. If a connector space object is provisioned to multiple connected data sources and one of the provisioning rules fails, the complete synchronization operation is rolled back by default. However, whenever a provisioning rule fails, it reports a rules exception to FIM. You can write a rules extension to identify exceptions and handle them on a management agent basis by doing the following:

The following flow chart shows the sequence in which provisioning rules are applied.

[Figure: Provisioning rules flow chart]

If you synchronize the metaverse with a connected data source that uses a hierarchical structure, note that FIM synchronizes attributes between containers, but it does not create the containers. That is, if you are provisioning a child object, FIM does not create the parent automatically. Import the Active Directory container hierarchy before provisioning objects to the connector space. You can do this by creating a management agent for Active Directory that does not contain any join or projection rules, and then running it in import mode. This creates disconnector objects in the Active Directory connector space for each of the selected containers.
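The following rules extension is an added example, not code from the original page or from Microsoft. It shows a one-time initial password set in the provisioning rule rather than in export attribute flow, and an exception handled for a single management agent. The class name, the management agent name `Example AD MA`, the container `OU=Users,DC=example,DC=com`, the `person` object type, and the `accountName` metaverse attribute are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Assumed names for this example; replace with your own.
    const string AdMaName = "Example AD MA";
    // The container must already exist in the directory: FIM does not create it.
    const string UsersOu = "OU=Users,DC=example,DC=com";

    public void Initialize() { }
    public void Terminate() { }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }

    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person" || !mventry["accountName"].IsPresent) return;
        try
        {
            ConnectedMA ma = mventry.ConnectedMAs[AdMaName];
            if (ma.Connectors.Count != 0) return; // already provisioned: skip one-time steps

            // EscapeDNComponent escapes DN metacharacters in the metaverse value.
            ReferenceValue dn = ma.EscapeDNComponent("CN=" + mventry["accountName"].Value).Concat(UsersOu);

            CSEntry csentry = ma.Connectors.StartNewConnector("user");
            csentry.DN = dn;
            // One-time operation: runs only when the connector is created, so a later
            // export attribute flow never resets the password. Never log this value.
            csentry["unicodePwd"].Values.Add(NewInitialPassword());
            csentry.CommitNewConnector();
        }
        catch (ObjectAlreadyExistsException ex)
        {
            // Handled for this management agent only. Any other exception propagates,
            // and the synchronization operation is rolled back.
            Trace.TraceWarning("Provisioning to {0} skipped for {1}: {2}", AdMaName, mventry.ObjectID, ex.Message);
        }
    }

    // Random initial password from the system CSPRNG (32 base64 characters).
    // Assumption: length and character mix satisfy your domain password policy.
    static string NewInitialPassword()
    {
        byte[] buffer = new byte[24];
        new RNGCryptoServiceProvider().GetBytes(buffer);
        return Convert.ToBase64String(buffer);
    }
}
```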

For more detailed documentation on provisioning, see the FIM Developer Reference and "Simple Account Provisioning" (FIM_Account_Provisioning.doc) at