ILM2 RC0 – Codeless Provisioning Step by Step

This post did start with a rant about how much trouble I had getting the codeless provisioning to work – but I’ve been working with it a bit more now, and have sufficiently got the hang of it, so I have rewritten the introduction to this post. This is not an attempt to change history – I expect most readers come at my blog through google searches, and really, they don’t need my soap-boxing.

This post goes through the steps I took to provision user accounts into AD. For the extra configuration needed to add Exchange 2007 mailboxes to those user accounts, see this post.

All the objects you have to create

Synchronization Rule

I will say that I do like the codeless flow rules. All you have to do to get those working is create a Synchronization Rule in the portal, import it into MIIS and you’re away.

To get the Synchronization Rule to also do provisioning you need a few more bits and pieces.

Set

You must create a Set which will contain only those users which will exist in your target directory. (A tip on naming: start it with an underscore “_” so that it appears at the top of the list.)

Don’t do what I did and use “All People” because then it tries to create the Administrator and Built-In Synchronization accounts in your target directory.

Workflow

Next you create a Workflow of type “Action” which has, as its action, the Synchronization Rule you created above.

Management Policy

Finally you create a Management Policy Rule (MPR). I am still a little vague on all the things these objects can do, but in terms of provisioning, this is where you tie your Set and your Workflow together.

ILM MA

You also have to make sure you are flowing your data into the metaverse through the ILM MA, so that it is there ready to be used by your synchronization rule. For unfathomable reasons the ILM MA still relies wholly on “classic” flow rules.


And now with pictures

Create the Synchronization Rule

In the portal, click on Administration -> Synchronization Rules -> New. The following pictures show how I configured my rule.

When creating your attribute flows make sure you include an “Initial Flow Only” flow that sets the DN. The DN is set once, when the object is created in the target, and is not re-flowed afterwards; without it the rule has nowhere to create the account.
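For comparison, here is what the codeless rule above replaces: the “classic” metaverse rules-extension Provision method that creates the AD connector with its DN fixed at creation time and only for objects that would qualify for the Set. This is an added example, not code from the post; the MA name “AD MA”, the target OU, the metaverse object type “person” and the attribute names employeeID/accountName/displayName are assumptions.

```csharp
// Added example (not from the post): classic MV extension equivalent of the
// outbound Synchronization Rule. Assumed: MA named "AD MA", target container
// OU=Users,DC=example,DC=com, metaverse attributes employeeID, accountName,
// displayName. Build as a class library referencing Microsoft.MetadirectoryServices.dll.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    const string AdMaName = "AD MA";                            // assumed MA name
    const string UserContainer = "OU=Users,DC=example,DC=com";  // assumed target OU

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Equivalent of the Set membership test: only persons with an employeeID
        // and an accountName are eligible. Built-in accounts such as Administrator
        // have neither, so they never reach the AD MA (the "All People" mistake).
        if (mventry.ObjectType != "person") return;
        if (!mventry["employeeID"].IsPresent || !mventry["accountName"].IsPresent) return;

        ConnectedMA adMA = mventry.ConnectedMAs[AdMaName];

        // Already connected: nothing to create, normal attribute flows handle updates.
        if (adMA.Connectors.Count > 0) return;

        // The DN is the "Initial Flow Only" part of the codeless rule: it is set
        // once when the connector is created and never re-flowed afterwards.
        string rdnValue = mventry["displayName"].IsPresent
            ? mventry["displayName"].Value
            : mventry["accountName"].Value;
        ReferenceValue dn = adMA.EscapeDNComponent("CN=" + rdnValue).Concat(UserContainer);

        CSEntry csentry = adMA.Connectors.StartNewConnector("user");
        csentry.DN = dn;
        csentry["sAMAccountName"].Value = mventry["accountName"].Value;

        // Create the account disabled (ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE).
        // No unicodePwd is written here: enable the account only after a password has
        // been set through a controlled process, never from a value in a rules extension.
        csentry["userAccountControl"].IntegerValue = 0x0200 | 0x0002;
        csentry.CommitNewConnector();
    }

    // Keep the metaverse object when its last connector disappears.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

The eligibility test at the top is the part the Set does for you in the portal; the DN construction is the part the “Initial Flow Only” flow does. Everything else (sAMAccountName, userAccountControl) corresponds to ordinary outbound attribute flows in the Synchronization Rule.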


Create the Set

Click on All Sets -> New.

I created a set called “_All Users” with the following dynamic rule. Note the cheat on the employee ID – at the moment there is no “Is Present” test, again an inexplicable oversight. As I’m in a test environment at the moment I’m just ensuring all my employeeID values have a “1” in them. (Note that “employeeID is *” does not work.)


Create the Workflow

Click on Workflows -> New.

The following pictures show how I created the Workflow “_AD Create Users”.

Later note: I think maybe “Add” was not the right choice here because I had some trouble with not being able to remove ERLs later on. Perhaps I should have chosen “Based on Attribute Value” – more testing obviously needed.

Create the Management Policy

Click on Management Policies -> New.

The following pictures show how I created the Management Policy “_AD Create Users”. As I said above, I’m still learning about these objects, so I do not claim this is the right way to configure it – this just shows what I did to get provisioning working, after a fashion.


Configure the ILM MA

You now need to create Import flow rules on the ILM MA to flow all the attributes required by your Synchronization Rule into the metaverse.

Also you must add an import flow rule for the expected rules list (the expectedRulesList attribute); without it the pending rule never reaches the metaverse object and the outbound Synchronization Rule is never applied. I never would have figured this out without help from people on the Connect news group.


Testing

Start by creating a user directly in the Portal. Make sure you populate whatever you need to so they are eligible for the Set you created above. You also need to populate the Start Date, so that it is either today, or a day in the past.

After creating the user, check their Provisioning tab – and if you’re really lucky you should see that they have an expected rules list with a status of “Pending”.

You can also check the Search Requests page for information about what has (or has not) been going on in the background.


Once you’ve got that pending ERL in place, you should now be ready to run a Full Import and Full Sync of your ILM MA.

Was a new object created in your target MA?

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.


11 thoughts on “ILM2 RC0 – Codeless Provisioning Step by Step”

  1. Hi Carol,

    Wonderful post. A very nice description of codeless provisioning.

    I am trying a workflow where administrator approves user creation. The email that the administrator gets has the Approve and Reject button grayed out (This after installing the Outlook 2007 add-on). Have you come across this scenario?

    Thanks,
    Adi

  2. Hi Adi – thanks for your nice comment.

    I’m afraid you’re ahead of me – I’m planning on working through such a scenario myself, but at the moment I’m approving in the portal as I still don’t have the emails working. Have you asked on the connect newsgroup?

  3. Thanks for quick response Carol.

    I haven’t asked this on connect newsgroup. I will do it now.

  4. Looks to me like there’s a problem on XP. I’ve got the approve buttons greyed out on XP, just like you, but it’s working on Windows 2008.

  5. Hi Carol, excellent blog btw, I’m keenly reading this as I’m in a similar situation as yourself except I have no experience with any previous versions of ILM/MIIS unfortunately.

    One thing that occurred to me that you might have a quick answer to is in regard to login names when provisioning Active Directory accounts. These are normally some kind of concatenation of first name and last name in one way or another but my question is how do you get ILM to check that this is unique and doesn’t already exist?

  6. Hi Greig,

    the correct ILM 2 approach to this type of problem would be to write a workflow action – either as part of your “Generate Account Name” action, or as a separate “Confirm Uniqueness” action you can slot in.

    But don’t ask me how to do this just yet! More information is coming on how to write workflow actions, but at the moment it’s a bit sketchy – there is some info in the SDK which you can get from Microsoft Connect, or see the Ensynch guys for their published examples – Brad Turner and Joe Zamora.

    But it’s all a bit beyond me at the moment so my cheat has been to use a SQL table and MA to generate values – see http://www.wapshere.com/missmiis/?p=367. You could use SQL triggers instead of export flow rules to check for uniqueness and use some kind of if-then-else sequence to generate a satisfactory value.

    I also have another post somewhere on this blog where I use one of the old-fashioned type of Advanced import flow rules to query the metaverse when checking for uniqueness.

    So there’s three possibilities but no easy answer – confused yet? 😉

  7. Hi Carol,

    I am using Windows 2008, so it doesn’t seem to be an issue with XP.

    I didn’t put anything on connect because I messed up the setup 🙂 and haven’t got a chance to get it working.

    Cheers,
    Adi

  8. Hi Carol,
    I am confused between attribute flow in the MA configuration and sync rules in the FIM portal what is the different between them and which one is processed first and how it affects the other one.

    Can you explain it to me little more.

  9. Hi busbar,
    this topic is going to confuse a LOT of people. Basically we can use both the new sync rules and the old style MA rules at the same time. I am not entirely clear myself on which gets precedence. Also, to add to the complications, inbound sync rules work differently to outbound. The inbound rules just work. For the outbound rules you need to do all the mucking around with workflows and MPRs, and then deal with the additional ERE and DRE objects.

    My general feeling on all of this at the moment is that I will stick to MA rules. Unfortunately if I want to get objects into the FIM portal I have to use one of the new style inbound sync rules and tick the “Create in FIM” option. So whichever way I look at it there will probably be a need to use both types, at the same time, and risk a confusing mess.

  10. Hi Carol,
    Thanks for your reply, Have been talking here http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/7b7decc2-eb5b-40f6-b4a2-0856be1ba9a9 about it since I was totally confused about Sync and MA rules.

    you will find in my last post that you can use the FIMscript box to identify the attribute flow precedence but as I said, are my findings correct or not, this is the question; I think yes.

    back to the topic, Can I use the sync rules only and get rid of the MA flows, have you tried that?
    Mahmoud

  11. You can use only codeless sync rules, as long as you don’t want to do anything too complicated. I have a couple of import flows which I know I won’t be able to convert to codeless: one of them substitutes non-ASCII characters (e.g., swapping è for e) and the other one reformats telephone numbers.
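As an added example (not code from the post or from the commenters), here is a classic MA rules extension covering the three advanced import flows discussed in this thread: the metaverse uniqueness check for the account name from the reply to Greig above, and the non-ASCII substitution and telephone-number reformatting from the last comment. The flow rule names, the source and metaverse attribute names, the “first initial + surname” convention and the phone format are all assumptions made for the example.

```csharp
// Added example (not from the post). Attach as the rules extension of the
// source MA and use the flow rule names below in its Advanced import flows.
// Assumed: flow rules "accountName", "displayNameAscii", "telephoneNumber";
// metaverse attribute accountName (must be indexed for FindMVEntries).
using System;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.MetadirectoryServices;

public class MAExtensionObject : IMASynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case "accountName":
            {
                // Never rename: an issued account name is what AD is joined on.
                if (mventry["accountName"].IsPresent) break;
                string given = Ascii(Str(csentry["givenName"]));
                string sn = Ascii(Str(csentry["sn"]));
                if (given.Length == 0 || sn.Length == 0) break;   // nothing sensible to build from
                string baseName = (given.Substring(0, 1) + sn).ToLowerInvariant();
                mventry["accountName"].Value = UniqueAccountName(baseName, mventry);
                break;
            }
            case "displayNameAscii":
                Set(mventry["displayName"], Ascii(Str(csentry["displayName"])));
                break;
            case "telephoneNumber":
                Set(mventry["telephoneNumber"], FormatPhone(Str(csentry["telephoneNumber"])));
                break;
            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // Append 2, 3, ... until no *other* metaverse object holds the candidate.
    // FindMVEntries only sees what is already committed to the metaverse, so an
    // account that exists in AD but has never been imported is not detected.
    static string UniqueAccountName(string baseName, MVEntry self)
    {
        string candidate = baseName;
        for (int suffix = 2; ; suffix++)
        {
            bool taken = false;
            foreach (MVEntry other in Utils.FindMVEntries("accountName", candidate))
            {
                if (other.ObjectID != self.ObjectID) { taken = true; break; }
            }
            if (!taken) return candidate;
            candidate = baseName + suffix;
        }
    }

    // Decompose accented letters (è -> e + combining grave), drop the combining
    // marks, and drop anything else outside printable ASCII.
    static string Ascii(string s)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in s.Normalize(NormalizationForm.FormD))
        {
            if (CharUnicodeInfo.GetUnicodeCategory(c) == UnicodeCategory.NonSpacingMark) continue;
            if (c >= 0x20 && c < 0x7F) sb.Append(c);
        }
        return sb.ToString();
    }

    // Assumed format: Australian numbers rendered as +61 X XXXX XXXX;
    // anything unrecognised is passed through with non-digits stripped.
    static string FormatPhone(string raw)
    {
        string d = Regex.Replace(raw, @"\D", "");
        if (d.Length == 10 && d.StartsWith("0")) d = "61" + d.Substring(1);
        if (d.Length == 11 && d.StartsWith("61"))
            return "+61 " + d.Substring(2, 1) + " " + d.Substring(3, 4) + " " + d.Substring(7, 4);
        return d;
    }

    static string Str(Attrib a) { return a.IsPresent ? a.Value : ""; }

    // Empty strings are not valid attribute values; clear the attribute instead.
    static void Set(Attrib a, string v) { if (v.Length == 0) a.Delete(); else a.Value = v; }

    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry) { throw new EntryPointNotImplementedException(); }
}
```

Two practical caveats: the metaverse attribute queried with FindMVEntries has to be indexed in the metaverse schema, and the check is only as good as what the metaverse already knows, so it should be backed by a unique constraint (or the SQL trigger approach from the reply above) wherever the real source of truth lives.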

Comments are closed.