Using the MIMWAL to create Policy objects

I worked with the FIMWAL in the past on a couple of MCS engagements, but hadn’t yet had the opportunity to use the open-sourced MIMWAL on an engagement. I have, however, just been converting something I’ve done before to all-MIMWAL workflows, in preparation for re-using the concepts on a new project.

This is a pretty complex “pack” of stuff, including schema, policy and UI. Part of the solution is that new, customised policy objects are generated in response to certain changes made in the Portal. Converting this solution to the MIMWAL has been a lot of fun, and really quite intuitive, with everything I wanted to do covered – and in some cases simplified compared to what I had before. A lot of the workflows I was replacing were PowerShell scripts – I now have only a very small amount of in-Workflow PowerShell left and no external scripts at all.

I’m going to share a policy-creation example today. The workflow creates a new notification workflow for a particular “Service”. The workflow itself is copied from a template workflow object, with a string replace used to change the Email Template name (other workflows copy the same template, with a different Email Template being inserted).

This picture shows the workflow – it creates a Set, Workflow and MPR, which is everything needed for this notification policy.

[Image: mimwal-wf-creates-policy]

Create Set

The following creates a set of all active Entitlements for a particular Service (custom object types).

| Setting | Value | Comment |
|---|---|---|
| Activity Display Name | Set of Service Active Entitlements | |
| Resource Type | Set | |
| Advanced Features | Yes | |
| Target for created Resource ID | [//WorkflowData/SetActive] | Saves the ObjectID of the created Set, so I can use it in the MPR creation step. |
| Attribute Population | | |
| DisplayName | [//Target/ServiceName] + " Active Entitlements" | |
| Filter | WrapXPathFilter("/Entitlement[ServiceLink='" + [//Target] + "' and Status='Active']") | The WrapXPathFilter function adds the XML wrapper suitable for a Set or Group filter. |
| PolicyGroup | SplitString("Entitlement,PolicyOnModify",",") | This is a custom attribute I use to keep track of what functionality this policy object is associated with. I used the SplitString function to get a multivalued string. |
| ServiceLink | [//Target] | This is a custom attribute I use to track the policy object back to the "parent" object, i.e. the one that was changed to trigger this workflow. |

Create Workflow

The following creates a notification workflow. Rather than trying to stuff the XOML into this workflow I created a workflow called “Service Template Notification” and this new workflow is based on it. (I have a number of other Template workflows for other selectable policy types.)

| Setting | Value | Comment |
|---|---|---|
| Activity Display Name | Notification Workflow | |
| Resource Type | WorkflowDefinition | |
| Advanced Features | Yes | |
| Query Resources | Yes | |
| Queries | | |
| TemplateWF | /WorkflowDefinition[DisplayName='Service Template Notification'] | Looking up my template WF. |
| Target for created Resource ID | [//WorkflowData/WF] | Saves the ObjectID of the created WF, so I can use it in the MPR creation step. |
| Attribute Population | | |
| DisplayName | [//Target/DisplayName] + " Action when entitlement is modified" | |
| RequestPhase | "Action" | |
| XOML | ReplaceString([//Queries/TemplateWF/XOML],"TEMPLATE EmailTemplate","Entitlement Modified") | Replacing the name of the email template. |
| PolicyGroup | SplitString("Entitlement,PolicyOnModify",",") | Custom attribute – described above |
| ServiceLink | [//Target] | Custom attribute – described above |

Create MPR

The following creates the MPR to tie it all together.

| Setting | Value | Comment |
|---|---|---|
| Activity Display Name | MPR | |
| Resource Type | ManagementPolicyRule | |
| Advanced Features | Yes | |
| Query Resources | Yes | |
| Queries | | |
| SetAllObjects | /Set[DisplayName='All Objects'] | Will use this as the Requestor Set, i.e. any requestor, including Sync. |
| Attribute Population | | |
| DisplayName | "Entitlement Workflow: " + [//Target/DisplayName] + " Run Action when entitlement becomes Active" | |
| Description | "Runs an action when a change is made to an Active entitlement, other than disabling it." | |
| ManagementPolicyRuleType | "Request" | |
| GrantRight | false | |
| ActionParameter | "*" | |
| ActionType | "Modify" | |
| PrincipalSet | [//Queries/SetAllObjects] | From the Query lookup |
| ResourceCurrentSet | [//WorkflowData/SetActive] | Passed from the Create Workflow step |
| ResourceFinalSet | [//WorkflowData/SetActive] | |
| ActionWorkflowDefinition | [//WorkflowData/WF] | Passed from the Create Set step |
| PolicyGroup | SplitString("Entitlement,PolicyOnModify",",") | Custom attribute – described above |
| ServiceLink | [//Target] | Custom attribute – described above |
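The three steps above lean on a handful of MIMWAL expressions (WrapXPathFilter, SplitString, ReplaceString) whose output you never see in the Portal. The following is an added example, not code from this post or from the MIMWAL project: hypothetical Python stand-ins for those functions, so the Filter XML, the multivalued PolicyGroup and the rewritten XOML can be checked before the policy objects are created. The Filter wrapper is the one MIM stores on a Set; the sample XOML string is constructed and only carries the template marker.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical Python stand-ins for the MIMWAL functions used on this page
# (WrapXPathFilter, SplitString, ReplaceString), so the values the workflow
# writes into the Set, WorkflowDefinition and MPR can be inspected outside MIM.
FILTER_NS = "http://schemas.microsoft.com/2006/11/ResourceManagement"
XPATH_DIALECT = "http://schemas.microsoft.com/2006/11/XPathFilterDialect"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MARKER = "TEMPLATE EmailTemplate"   # name used in the template WF's XOML

# Constructed stand-in for the "Service Template Notification" XOML.
SAMPLE_TEMPLATE_XOML = ('<SequentialWorkflow><EmailNotificationActivity '
                        'EmailTemplate="TEMPLATE EmailTemplate" /></SequentialWorkflow>')

def wrap_xpath_filter(xpath):
    """Wrap an XPath in the Filter element MIM expects on a Set or Group."""
    return ('<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
            'Dialect="%s" xmlns="%s">%s</Filter>' % (XPATH_DIALECT, FILTER_NS, xpath))

def split_string(value, separator):
    """SplitString: a multivalued attribute from one delimited string."""
    return value.split(separator)

def build_set_filter(target_id):
    """Filter from the Create Set step, with [//Target] resolved to an ObjectID."""
    # [//Target] is the triggering object's GUID; refuse anything else so no
    # free-text value is ever concatenated into the XPath.
    if not GUID.match(target_id):
        raise ValueError("[//Target] must resolve to an ObjectID GUID")
    return wrap_xpath_filter(
        "/Entitlement[ServiceLink='" + target_id + "' and Status='Active']")

def filter_xpath(filter_xml):
    """Parse a wrapped filter, check the wrapper, and return the XPath."""
    root = ET.fromstring(filter_xml)
    if root.tag != "{%s}Filter" % FILTER_NS or root.get("Dialect") != XPATH_DIALECT:
        raise ValueError("not a MIM XPath filter")
    return root.text

def build_notification_xoml(template_xoml, email_template):
    """XOML from the Create Workflow step. ReplaceString is a plain substitution:
    if the marker is missing the new workflow silently keeps the template name,
    so check it is present exactly once before replacing."""
    if template_xoml.count(MARKER) != 1:
        raise ValueError("template XOML must contain %r exactly once" % MARKER)
    return template_xoml.replace(MARKER, email_template)
```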

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.
