Upper limit on Filter Scope Configuration Configuration

I’ve been working for the past fortnight or so on a FIM POC, and getting myself very well aquainted with the nuances of RC0 .  Most of the issues we’ve hit so far have been documented to some extent by the likes of David Lundel & co, but today we came across something that had us stumped for a couple of hours until we realized what the issue must be … an (apparently) undocumented upper limit on the number of Allowed Attributes that you can add to a filter scope, which appears to be 254.
My MS colleague had been extending the schema with some attributes of our own for the POC, and found that every time he got to a certain point of adding them into the Admin filter scope, the next time he returned to the scope definition he was presented with an error – and from that point onwards the filter scope cannot be edited.
He discovered that a work-around was to delete the custom attribute entirely, but we had both assumed that the problem was with the schema and not the filter definition itself.  I had noted that the Application Event log was full of "Event 5, System.ServiceModel" (Message Logging task) messages complaining about a "Diagnostics.PlainXmlWriter+MaxSizeExceededException".
We put 2 and 2 together and figured that there might be an upper limit on the number of attributes – so we’ve implemented a work-around whereby we define an "Administrator Filter Scope Ex" (in addition to the default Administrator Filter Scope), and include our additional bound schema attributes in there.  These are then appended as an additional AuthZ workflow item, thereby allowing our new schema attributes to appear in the Attribute drop down lists.
Hopefully this one will be resolved by RC1 …

About bobbradley1967

Microsoft Identity and Access Professional with 2 decades of successful IAM implementations in APAC, specialising in MIM and its predecessors (FIM/ILM/MIIS) and now with SoftwareIDM. A Microsoft IAM MVP prior to that with a background in MS.Net applications development/SI. Now with a particular interest how Identity and HyperSync Panel provide the Identity and Access orchestration presently missing in the Azure Entra Suite to effectively enforce Zero Trust on the M365 platform.
This entry was posted in FIM (ForeFront Identity Manager) 2010 and tagged . Bookmark the permalink.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.