This post did start with a rant about how much trouble I had getting the codeless provisioning to work – but I’ve been working with it a bit more now, and have sufficiently got the hang of it, so I have rewritten the introduction to this post. This is not an attempt to change history – I expect most readers come at my blog through Google searches, and really, they don’t need my soap-boxing.
This post goes through the steps I took to provision user accounts into AD. For the extra configuration needed to add Exchange 2007 mailboxes to those user accounts see this post.
All the objects you have to create
I will say that I do like the codeless flow rules. All you have to do to get those working is create a Synchronization Rule in the portal, import it into MIIS and you’re away.
To get the Synchronization Rule to also do provisioning you need a few more bits and pieces.
You must create a Set which will contain only those users which will exist in your target directory. (A tip on naming: start it with an underscore “_” so that it appears at the top of the list.)
Don’t do what I did and use “All People” because then it tries to create the Administrator and Built-In Synchronization accounts in your target directory.
Next you create a Workflow of type “Action” which has, as its action, the Synchronization Rule you created above.
Finally you create a Management Policy. I am still a little vague on all the things these objects can do, but in terms of provisioning, this is where you tie your Set and your Workflow together.
You also have to make sure you are flowing your data into the metaverse through the ILM MA, so that it will be there ready to be used by your synchronization rule. For unfathomable reasons the ILM MA still relies wholly on “classic” flow rules.
And now with pictures
Create the Synchronization Rule
In the portal, click on Administration -> Synchronization Rules -> New. The following pictures show how I configured my rule.
When creating your attribute flows, make sure you include an “Initial Only” flow that sets the DN.
Create the Set
Click on All Sets -> New.
I created a set called “_All Users” with the following dynamic rule. Note the cheat on the employee ID – at the moment there is no “Is Present” test, again an inexplicable oversight. As I’m in a test environment at the moment I’m just ensuring all my employeeID values have a “1” in them. (Note that “employeeID is *” does not work.)
Create the Workflow
Click on Workflows -> New.
The following pictures show how I created the Workflow “_AD Create Users”.
Later note: I think maybe “Add” was not the right choice here because I had some trouble with not being able to remove ERLs later on. Perhaps I should have chosen “Based on Attribute Value” – more testing obviously needed.
Create the Management Policy
Click on Management Policies -> New.
The following pictures show how I created the Management Policy “_AD Create Users”. As I said above, I’m still learning about these objects, so I do not claim this is the right way to configure it – this just shows what I did to get provisioning working, after a fashion.
Configure the ILM MA
You now need to create Import flow rules on the ILM MA to flow all the attributes required by your Synchronization Rule into the metaverse.
Also you must add a flow rule for expected rules list. I never would have figured this out without help from people on the Connect news group.
Start by creating a user directly in the Portal. Make sure you populate whatever you need to so they are eligible for the Set you created above. You also need to populate the Start Date, so that it is either today, or a day in the past.
After creating the user, check their Provisioning tab – and if you’re really lucky you should see that they have an expected rules list with a status of “Pending”.
You can also check the Search Requests page for information about what has (or has not) been going on in the background.
Once you’ve got that pending ERL in place, you should now be ready to run a Full Import and Full Sync of your ILM MA.
Was a new object created in your target MA?