For those of you who have used ILM "2" Beta 3, you have probably used in some form the new codeless provisioning functionality included within it. There is a ton of functionality encapsulated within this one area, and one of the less-talked about and centrally important pieces of this functionality is something we call the Detected Rules Entry (DRE). Do not confuse this with the Expected Rule Entry (ERE) object as they are two ends of two different sticks. The DRE very simply is an object that is created by the ILM "2" synchronization engine and associated to an ILM managed object when the synchronization engine detects that the flows as defined within a specific Synchronization Rule have been confirmed to exist within the connected system. More simply, the DRE is designed to provide the truth with regards to an object's state in a connected system, with the lingua franca in this case being communicated via definitions of logic which are Synchronization Rules. If the ERE can be thought of what we want the desired state of an object to be in a connected system, the DRE is the actual state of the object.
How are DRE's created?
You may have noticed within the Synchronization Rule designer a check box on the attribute flow page which says "Use as Existence Test?". When checked, the conjunction of all flows marked as being Existence Tests are evaluated by the synchronization engine against all connectors associated with any ILM object. This evaluation is done during synchronization of a management agent and obviously done on connector objects which are being processed as part of that synchronization run. If a connector space object is detected as having met the conditions of the Synchronization Rule, the synchronization engine creates a DRE object in the Metaverse, and places a forward link from the ILM Metaverse object to which the aformentioned connector object is joined to. From an ILM Metaverse object perspective, it has an attribute called "Detected Rules List", which is a multi-valued reference attribute to all DRE objects associated with it.
Ok, so why should I care?
Aha. This is the important part. DRE's allow you to create and launch business processes after a particular state is confirmed to exist within a connected system. (Think of needing to create a home directory after an AD user account is created) DREs are only ever created based off of changes that are confirmed within the connected system (i.e. brought in through in an import), this allows you to then launch actions after having a particular state pushed to a connected system. After creation, DRE's are pushed via the ILM MA to the ILM Resource Management service. They are then subject to MPR and Process evaluation just like every other change coming to the web service.
So if we take an example of an Active Directory User Account synchronization rule. You may have anywhere from 5-20 flows for an AD User account synchronization rule. However, ask yourself this, what's the limited set of flows that you need in order to confirm that a particular ILM object is associated with a confirmed AD user account? Probably 2, one for detecting the state of the userAccountControl attribute being set to 512 and the other matching the samAccountName on the user account with the managed:AccountName attribute on the Person object. By setting these 2 flows as existence flows within the Synchronization Rule designer, you can then trigger the creation of DRE's anytime the Synchronization Engine confirms those two flows on a connector object.
Some scenarios where this may be useful:
- Triggering the granting of other out-of-band provisioning tasks that require an Active Directory user account to be present prior to launch.
- Compliance detection. DRE's are triggered on changes brought in from other systems. You can use DRE's to detect if somebody has an account in a system which was not granted via ILM, and then use MPR and Process to launch a workflow notifying their manager or an administrator of the existence of such an account.
Caveats in Beta 3:
- Existence flows cannot be defined for function flows and reference attribute flows
- Currently no mechanism to trigger workflow decisions based on the parent object of a DRE
concerning this section:
Compliance detection. DRE's are triggered on changes brought in from other systems. You can use DRE's to detect if somebody has an account in a system which was not granted via ILM, and then use MPR and Process to launch a workflow notifying their manager or an administrator of the existence of such an account.
is there a detailed way how to do it? or an update to it on RTM?
In fact we are interested in detecting changes done by system administrators on a connected system and performing actions based on them.