ILM2 RC0 – Getting my head around the new Sync rules

I can see I have a lot to learn with ILM2 (and I’m still in the “I don’t wanna change” phase, so it’s heavy going), but I’m starting with something familiar, and that is import and export flow rules.

I knew that there was going to be a web portal way of doing flow rules with ILM2 – what I didn’t expect was that this would actually be a completely new type of flow rule. Meanwhile the old way (“classic” flow rules) still exists – so we’re going to have ourselves a situation where flow rules can be defined in two different ways through two different interfaces, and there’s no way to view them all together! I can’t say I think this is a very good thing right now.

These newfangled Synchronization Rules

I must say, despite an ever-increasing list of reservations, that the Sync Rules concept in the Portal looks like it will be a lot more intuitive than the old way. The filter, join, projection and attribute flow aspects have all been bundled into the one rule – though of course they’ve had to mess with all that terminology so we now have Connected Object Scope (filter), Relationship Criteria (join), Object Creation in ILM (projection) and just the Attribute Flows have retained the old nomenclature.

Two types of attribute flow rule

During my first attempt at installing this I imported the database from an ILM 2007 server along with all the existing MAs and their flow rules. When I went into the Portal I fully expected to find those rules magically displayed for me…  but it wasn’t the case. It turns out that our old “classic” flow rules can only be accessed through Identity Manager.

But I still assumed that a flow rule created in the Portal would somehow make its way into the MA configuration – but again this is not the case – at least not in a visible way. What it does is to create a Synchronization Rule object in your metaverse, which gets sync’d through like any other object, but which somehow, magically, causes invisible join, project and flow rules to run. If you’re used to ILM 2007 and MIIS this is quite disconcerting!

 

Creating flow rules in the Portal

Still, in an attempt to embrace the new I tried to recreate all our import flow rules from our HR source data as Portal rules.

Immediate plus points:

  • It’s very easy to do,
  • You can access multiple source attributes (for example, when concatenating FirstName and LastName),
  • There are a number of built-in functions available, and
  • If the functions don’t meet the need you can wring a bit more flexibility out of the Custom Expression option.

Negatives:

  • There were a couple I just couldn’t do, even using a Custom Expression, for example the Advanced Flow Rule we have that replaces all the characters like è, é, ä and ç with more ASCII-friendly alternatives, and
  • It turns out you can’t write your own functions!

Hybrid Installations

It is possible to run some flow rules via these Synchronization Rule objects and some via the old classic flow rules, and this is what I did to add the couple of flow rules that I couldn’t do the new way. As you can see it appears that I only have two rules – even though I actually have another 17 configured through the Portal.

This is bothering me

I understand that we’re in a transition period, and it’s good that we still can create true Advanced attribute flows… but I am worried about the troubleshooting and supportability of an installation that has used both types of rule.

The advantage of having the rules in the Portal is clear – MIIS/ILM has long suffered from being murky and backroom, not visible enough to those who need to see what it is up to … and yet, should people be able to create these rules and then not have access to the results of their actions? You can create a rule in the Portal, but you can’t preview it like you can in Identity Manager.

The type of people who I would want to use the Portal – Account Operators, Helpdesk – won’t even think to look for rules in Identity Manager and why should they? They’ve been given this nice web interface – why go anywhere else?

Perhaps all of this will become clearer to me when I start to understand the Workflow and Management Policy aspects of the Portal. I certainly hope so…

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.