<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Bobby and Nima's Forefront Identity Manager Blog : Expected Rules List</title><link>http://blogs.technet.com/doittoit/archive/tags/Expected+Rules+List/default.aspx</link><description>Tags: Expected Rules List</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Dependencies - not just  for avoiding taxes!</title><link>http://blogs.technet.com/doittoit/archive/2009/05/01/dependencies-they-are-not-just-useful-for-avoiding-taxes.aspx</link><pubDate>Sat, 02 May 2009 00:16:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3234152</guid><dc:creator>bobbygill</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/doittoit/comments/3234152.aspx</comments><wfw:commentRss>http://blogs.technet.com/doittoit/commentrss.aspx?PostID=3234152</wfw:commentRss><description>&lt;P&gt;&lt;STRONG&gt;What's our name again?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Whoa, new product name! For those of you who have been chasing butterflies for the past month, what was once known to us as Identity Lifecycle Manager "2" is now called Forefront Identity Manager. I know, it's not the sexiest name in the world and is probably the 5th different name the product has had since its conception, but it reflects the combination of Microsoft's security and identity product lines into the Forefront brand announced last year.&lt;/P&gt;
&lt;P&gt;Personally, I wanted to name the product "Black Thunder II", but then again there are a myriad of reasons why I am not allowed to name Microsoft products.&lt;/P&gt;
&lt;P&gt;But back onto the topic at hand...&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Synchronization Rule Dependency&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;I decided to take some time off today to briefly talk about Synchronization Rule Dependencies, a powerful yet not well understood part of &lt;STRIKE&gt;ILM&lt;/STRIKE&gt; FIM's synchronization capabilities. In brief, a Synchronization Rule Dependency allows one to construct and apply a series of outbound Synchronization Rules on top of each other. The scenarios that spring to mind where this functionality is useful are things such as adding/removing Exchange mailbox provisioning, or adding/removing VPN access upon a user's Active Directory account (with the former 2 being dependent on the latter).&lt;/P&gt;
&lt;P&gt;If an Outbound Synchronization Rule (the dependent) is marked as having a dependency on another Synchronization Rule (the root), the dependent rule will apply itself on top of the connector that the root Synchronization Rule is applied on. At run time, when a FIM Action Workflow attempts to add an Expected Rule Entry (ERE) object for the dependent Synchronization Rule onto a FIM Resource's Expected Rules List (ERL), there needs to also exist an ERE-Add object for the root Synchronization Rule on the ERL. (I am just going to take a minute here and say I don't think there have been that many acronyms stuffed into one sentence since the merger between the wrestling giants WWF and WCW was announced). Conversely, if an Action Workflow adds an ERE-Remove entry for a root Synchronization Rule, all EREs that correspond to Synchronization Rules further up the dependency tree will be removed.&lt;/P&gt;
&lt;P&gt;It's important to note that when you design an Action Workflow to add or remove a series of EREs that correspond to a Synchronization Rule dependency chain, the root rule must be added to the workflow surface prior to any other dependent rules.&lt;/P&gt;
&lt;P&gt;Multiple levels of dependency can be created, with more than one Synchronization Rule being made to depend on a single Synchronization Rule. &lt;/P&gt;
&lt;P&gt;In the Synchronization Rule Designer, creating a Synchronization Rule Dependency is relatively straightforward. The first page of the designer allows you to select another outbound Synchronization Rule to make a new Synchronization Rule depend on. When selected, the Scope and Relationship pages are automatically greyed out. Once a Synchronization Rule is made to depend on another rule, the only settings that are adjustable on that rule are the workflow parameters and the outbound attribute flows. Conceptually, this falls cleanly from the fact that a dependent Synchronization Rule is being applied "on top" of another rule.&lt;/P&gt;
&lt;P&gt;I wish I could paste some screenshots of what this looks like, but the FIM UI has changed markedly since the RC 0 release and I don't want to ruin the surprise just yet :)&lt;/P&gt;
&lt;P&gt;The canonical scenario in which Synchronization Rule Dependencies are used is creating business processes to manage the provisioning/deprovisioning of capabilities that stem from attributes set on an Active Directory user account. In a typical provisioning scenario, one would construct a base "Active Directory User Synchronization Rule" which, as the name implies, would create a new AD User object and flow the necessary base DN, samAccountName and name information. On top of that, you could then model a dependent Synchronization Rule for granting an Exchange mailbox. This Synchronization Rule would be dependent on the Active Directory User Synchronization Rule, and as a consequence would only have a single flow to the homeMDB attribute. Modelling the user account provisioning separately from the mailbox provisioning, through the use of Synchronization Rule dependency, allows you to define independent business processes around the lifecycle management of the two through Management Policy Rules and workflow.&lt;/P&gt;
&lt;P&gt;As always, feel free to email me any questions you might have and I will do my best to get back to them.&lt;/P&gt;
&lt;P&gt;Bobby&lt;/P&gt;</description><category domain="http://blogs.technet.com/doittoit/archive/tags/ILM/default.aspx">ILM</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Identity+Lifecycle+Manager+_2600_quot_3B00_2_2600_quot_3B00_/default.aspx">Identity Lifecycle Manager &amp;quot;2&amp;quot;</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Codeless+Provisioning/default.aspx">Codeless Provisioning</category><category domain="http://blogs.technet.com/doittoit/archive/tags/ILM+_2600_quot_3B00_2_2600_quot_3B00_/default.aspx">ILM &amp;quot;2&amp;quot;</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Expected+Rules+List/default.aspx">Expected Rules List</category><category domain="http://blogs.technet.com/doittoit/archive/tags/ERE/default.aspx">ERE</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Microsoft+Identity+Lifecycle+Mananger/default.aspx">Microsoft Identity Lifecycle Mananger</category><category domain="http://blogs.technet.com/doittoit/archive/tags/FIM/default.aspx">FIM</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Forefront+Identity+Manager/default.aspx">Forefront Identity Manager</category></item><item><title>ILM "2" also comes as a hybrid...</title><link>http://blogs.technet.com/doittoit/archive/2008/11/18/hybrids-not-just-for-you-prius-fans.aspx</link><pubDate>Tue, 18 Nov 2008 21:26:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3155889</guid><dc:creator>bobbygill</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/doittoit/comments/3155889.aspx</comments><wfw:commentRss>http://blogs.technet.com/doittoit/commentrss.aspx?PostID=3155889</wfw:commentRss><description>&lt;P&gt;For those of you who are MIIS / ILM 2007 pros, when seeing the Codeless Provisioning functionality one 
of the first questions that comes to mind is "can I use my existing rules extension in ILM "2"?".&lt;/P&gt;
&lt;P&gt;Of course.&lt;/P&gt;
&lt;P&gt;At a basic level, with ILM "2" RC, you can take an existing ILM 2007 deployment and migrate its synchronization engine component straight into ILM "2" RC. You can do this by copying the IdentityIntegrationServer DB to an ILM "2" server, and upon installing ILM "2" point to this database instance during the setup of the synchronization component. The installer will then migrate that data forward such that all existing MA and MV configurations are ready to use right away, including rules extensions.&lt;/P&gt;
&lt;P&gt;But if you want to go beyond this, it's important to note how Codeless Provisioning works side-by-side with existing ILM synchronization concepts. That is, while Codeless Provisioning bubbles up a business process driven approach to synchronization, it is inherently underpinned by the same basic mechanics which power the ILM synchronization engine. As such, the adding of this functionality should not in any way change the behaviour of how MAs work, how rules extensions are called or how traditional metaverse provisioning is done.&lt;/P&gt;
&lt;P&gt;This side-by-side coexistence is collectively referred to as a hybrid deployment.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Metaverse Provisioning&lt;/STRONG&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In fact, it is supported to run Codeless Provisioning based provisioning logic side by side with traditional metaverse extensions. Codeless Provisioning is driven through the processing of Expected Rule Entry (ERE) objects; these determine which MV objects are provisioned a connector and how flows are applied on top. For an MV object being sync'ed, this processing is done prior to the calling of the Metaverse rules extension. Hence if for any reason the EREs attached to an MV object do not achieve a desired outcome in a CS, you can use a Metaverse extension to provision additional connectors, apply initial flows and deprovision existing connectors just as you would have done with ILM 2007.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Custom Functions = Rules Extensions&lt;/STRONG&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Metaverse extensions are just one aspect of a hybrid scenario. A more common use case is for scripted flow. ILM "2" RC contains around 20 built in functions, which for the most part should satisfy most basic needs. However if this is not true, then you can always use a traditional Rules Extension to apply a transformation on an outbound flow. Using an MA, you can define an advanced flow like before. This flow will be applied after any Sync Rule flows have been pushed onto an object, thus allowing you to append or overwrite attribute flow data that was provided by a Sync Rule.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Join / Projection Rules&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;On the inbound side, the traditional Join/Projection concepts live on as you remember them in ILM 2007. Just like the extension points, you can use traditional declared/advanced join projection rules alongside Synchronization Rule concepts. In this case, if you have defined an Inbound Synchronization Rule on an MA that also has traditional join/projection rules defined, the Synchronization Rule will be evaluated first. So if a disconnector exists within this MA such that it matches a Synchronization Rule's connected scoping filter, then an attempt will be made to join/project this disconnector to the MV based on that Synchronization Rule definition. If the evaluation of that disconnector against the Synchronization Rule results in the CS object remaining a disconnector, then the existing declared join/projection rules will be executed against it.&lt;/P&gt;</description><category domain="http://blogs.technet.com/doittoit/archive/tags/ILM/default.aspx">ILM</category><category domain="http://blogs.technet.com/doittoit/archive/tags/MIIS/default.aspx">MIIS</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Identity+Lifecycle+Manager+_2600_quot_3B00_2_2600_quot_3B00_/default.aspx">Identity Lifecycle Manager &amp;quot;2&amp;quot;</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Codeless+Provisioning/default.aspx">Codeless Provisioning</category><category domain="http://blogs.technet.com/doittoit/archive/tags/ILM+_2600_quot_3B00_2_2600_quot_3B00_/default.aspx">ILM &amp;quot;2&amp;quot;</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Expected+Rules+List/default.aspx">Expected Rules List</category><category domain="http://blogs.technet.com/doittoit/archive/tags/Microsoft+Identity+Lifecycle+Mananger/default.aspx">Microsoft Identity Lifecycle Mananger</category></item></channel></rss>