Run on Policy Update - Retroactive Policy Enforcement

Run on Policy Update - Retroactive Policy Enforcement

  • Comments 1
  • Likes

Somewhat hidden within Forefront Identity Manager 2010, there is a very useful feature for action workflows called "Run on Policy Update". 

Here are the situations where you may find this feature useful:

1.  You are creating a new Management Policy Rule (MPR), such as one to provision all users an AD account, and you want one or more of the action workflows in your new MPR to be applied, upon creation of the MPR, to all the members of the MPR's Resource Final Set (also referred to as "Target Resource Definition After Request" in the portal's MPR wizard).  For example, you may be creating a new MPR to apply a new Synchronization Rule to all users.  You may want to retroactively enforce this new policy by applying the Synchronization Rule workflow to all users that already exist.

2. You are enabling a previously disabled MPR, and you want one or more of the action workflows in the MPR to be applied, upon enabling of the MPR, to all the members of the MPR's Resource Final Set.

3. You are adding a new action workflow to an existing MPR, and you want the new workflow to be applied to all the members of the MPR's Resource Final Set, immediately upon adding the workflow to the MPR.

4. You are modifying the Resource Final Set of an existing MPR to reference a new set, and you want one or more of the MPR's action workflows to be applied to all the members of the new Resource Final Set, immediately upon modification of the MPR.

5. You are manually modifying the membership of the Resource Final Set of an MPR, either by modifying the set's Filter or ExplictMember attribute, and you want one or more of the MPR's action workflows to be applied to all the *new* members of the new Resource Final Set, immediately upon modification of the set.

The "Run on Policy Update" feature is an option that lives on action workflow definitions, as an attribute labeled "RunOnPolicyUpdate" bound to the WorkflowDefinition resource type.  When this boolean attribute is set to "true" for a given action workflow, if any of the 5 scenarios above are encountered with an MPR that uses this workflow, the workflow will be automatically applied to the members of the Resource Final Set of the MPR.

Following is a table that summarizes the cases where a "Run on Policy Update" enabled action workflow is applied, in addition to the normal cases where a new Request satisfies all the criteria of an MPR that uses the workflow.

 

User Request

Resulting Action by the FIM Service

Create new MPR

Apply each "Run on Policy Update" enabled action workflow referenced by the new MPR to all members of the MPR's ResourceFinalSet.

Enable an existing MPR

Apply each "Run on Policy Update" enabled action workflow referenced by the enabled MPR to all members of the MPR's ResourceFinalSet.

Select a new ResourceFinalSet for an existing MPR

Apply each "Run on Policy Update" enabled action workflow referenced by the MPR, to all members of the new set referenced by the ResourceFinalSet attribute.

Add a new "Run on Policy Update" enabled action workflow to an existing MPR

Apply the newly added action workflow to all members of the MPR’s ResourceFinalSet.

Modify the filter of a set

For all MPRs whose ResourceFinalSet references the set being modified, apply each "Run on Policy Update" enabled action workflow  mapped to the MPR to each resource that transitions into the set because of the filter update.

Update explicit membership of a set

For all MPRs whose ResourceFinalSet references the set being modified, apply each "Run on Policy Update" enabled action workflow  mapped to the MPR to each resource that that is added to the set.

 

 

 

 

 

 

 

 

 

 

 

Note that simply enabling the “Run on Policy Update” option for a workflow does not result in the workflow being automatically run.  The workflow will only be run upon completion of one of the requests outlined in the table above.

Disabling the “Run on Policy Update” option for a workflow will allow you to perform any of the user requests outlined above, without the workflow being automatically run.

If you submit one of the user requests outlined above, thereby triggering the execution of a “Run on Policy Update” enabled action workflow, you can cancel all the workflows that have been triggered by simply cancelling the request that triggered them (eg. cancel the request tracking the creation of the MPR).

Cheers,

Nima

Comments
  • How does this change with Update 3? Run on Update only applies to Set Transition MPR's (which can only have action workflows).

    Since Set Transition MPR's only reference one set and they specify leaving or joining a set. So how does run on policy update work for MPR's that deal with leaving a set?

    Eg. If I have a set transition MPR for people leaving the Active Employees Set, with an action workflow to apply a sync rule to disable their AD accounts, and I update the filter on the Active Employee Set, what happens if run on policy update is enabled? Will it cause the action workflow to process each object not in the set?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment