{"id":7,"date":"2007-05-23T10:52:42","date_gmt":"2007-05-23T10:52:42","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=7"},"modified":"2023-01-09T07:34:48","modified_gmt":"2023-01-09T07:34:48","slug":"keeping-provisioning-logic-out-of-the-provisioning-code","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/keeping-provisioning-logic-out-of-the-provisioning-code","title":{"rendered":"Keep Provisioning Logic out of the Provisioning Code"},"content":{"rendered":"

Early on in my MIIS project I had a consultant in to give me some pointers. He showed me how to create two functions ShouldObjectExist<\/em> and ReadyForCreation<\/em> at the top of my MVExtensions<\/a>, and use them to control provisioning.<\/p>\n

Private Function<\/span> ShouldObjectExist(<\/span>ByVal<\/span> mventry <\/span>As<\/span> MVEntry<\/span>) <\/span>As<\/span> Boolean<\/span>
\n\u00a0<< Evaluate mventry to determine if CS object should exist >><\/em><\/span>
\nEnd<\/span> Function<\/span><\/span><\/p>\n

Private Function<\/span> ReadyForCreation(<\/span>ByVal<\/span> mventry <\/span>As<\/span> MVEntry<\/span>) <\/span>As<\/span> Boolean<\/span>
\n\u00a0 << Check all required attributes are populated in the metaverse to allow creation of CS object >><\/em><\/span>
\nEnd <\/span><\/span><\/span><\/span><\/span><\/p><\/blockquote>\n

The Provision Sub will then use these functions to determine the appropriate action:<\/p>\n

Public <\/span>Sub<\/span> Provision(<\/span>ByVal<\/span> mventry <\/span>As<\/span> MVEntry) <\/span>Implements<\/span> IMVSynchronization.Provision<\/span><\/span>
\n\u00a0Dim<\/span> ObjectShouldExist <\/span>as<\/span> ShouldObjectExist(mventry)<\/span><\/span>
\n\u00a0 If<\/span> csObj <\/span>Is<\/span> Nothing<\/span> AndAlso<\/span> ObjectShouldExist <\/span>AndAlso<\/span> ReadyForCreation(mventry) <\/span>Then <\/span>
\n<\/span>\u00a0 \u00a0CreateObject(mventry)
\n\u00a0 ElseIf<\/span> Not<\/span> csObj <\/span>Is<\/span> Nothing<\/span> AndAlso<\/span> Not<\/span> ObjectShouldExist <\/span>Then<\/span><\/span>
\n\u00a0 \u00a0csObj.Deprovision()
\n\u00a0 End<\/span> If<\/span><\/span>
\nEnd<\/span> Sub<\/span><\/span><\/p><\/blockquote>\n

Before long, however, I came to the conclusion that provisioning code<\/a> is not the place for provisioning logic. Some reasons:<\/p>\n

    \n
  1. The rules on who gets access to what are determined by business drivers, which have a habit of changing. Who wants to have to recompile code every time the boss changes their mind?<\/li>\n
  2. Burying the rules in compiled code goes against my broad goal to reduce Fear and Loathing of IdM by making the system visible<\/a>.<\/li>\n
  3. If you change your code you’re going to have to run a Full Sync (on your test server of course) to find out whether you’re about to inadvertently delete half your user population. Depending on the number of objects in your system, this could take some time.<\/li>\n<\/ol>\n

    Luckily for me my source data was coming from SQL, and I was already using a view to aggragate the required fields. It was a simple enough matter to add calculated fields to this view that encapsulated all the provisioning logic.<\/p>\n

    I introduced a series of fields all named in<Something><\/em> that could either be “Yes” or “No”. To illustrate, here is the part of the view that determines who gets to be in Active Directory:<\/p>\n

    CASE<\/span>
    \n\u00a0 WHEN<\/span> Status = <\/span>‘Remove’<\/span> THEN <\/span>‘No’<\/span>
    \n\u00a0 WHEN<\/span> NOT Mailhost = <\/span>‘Exchange’<\/span> THEN <\/span>‘No’<\/span>
    \n\u00a0 WHEN<\/span> Role IN (<\/span>‘Staff’<\/span>,‘Student’<\/span>,‘Contractor’<\/span>) THEN <\/span>‘Yes’<\/span>
    \n\u00a0 ELSE<\/span> ‘No’<\/span>
    \nEND AS<\/span> inAD,<\/span><\/p><\/blockquote>\n

    The logic element of the provisioning code then becomes beautifully simple:<\/p>\n

    Public <\/span>Sub<\/span> Provision(<\/span>ByVal<\/span> mventry <\/span>As<\/span> MVEntry) <\/span>Implements<\/span> IMVSynchronization.Provision<\/span><\/span>
    \n\u00a0 If<\/span> csObj <\/span>Is<\/span> Nothing<\/span> AndAlso<\/span> mventry(“inAD”).Value = “Yes”<\/span> Then<\/span>
    \n<\/span>\u00a0 CreateObject(mventry)
    \n\u00a0 ElseIf<\/span> Not<\/span> csObj <\/span>Is<\/span> Nothing<\/span> AndAlso<\/span> mventry(“inAD”).Value = “No” <\/span>Then<\/span><\/span>
    \n\u00a0 csObj.Deprovision()
    \n\u00a0 End<\/span> If<\/span><\/span>
    \nEnd<\/span> Sub<\/span><\/span><\/p><\/blockquote>\n

    And now, when the rules change, all I need to do is change the view in SQL. A quick<\/p>\n

    SELECT COUNT (*) FROM <View><\/em> WHERE inAD = ‘Yes’<\/span><\/p><\/blockquote>\n

    before and after the view change will tell me whether I’m about to make a horrible mistake. And best of all – the code doesn’t need to be touched!<\/p>\n","protected":false},"excerpt":{"rendered":"

    Early on in my MIIS project I had a consultant in to give me some pointers. He showed me how to create two functions ShouldObjectExist and ReadyForCreation at the top of my MVExtensions, and use them to control provisioning. Private Function ShouldObjectExist(ByVal mventry As MVEntry) As Boolean \u00a0<< Evaluate mventry to determine if CS object…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":[]},"categories":[34,28,3,5,30],"tags":[],"class_list":["post-7","post","type-post","status-publish","format-standard","hentry","category-ilm2007","category-miis2003","category-philosophising","category-sql","category-vbnet"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-7","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/7","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=7"}],"version-history":[{"count":4,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/7\/revisions"}],"predecessor-version":[{"id":3327,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/7\/revisions\/3327"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=7"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=7"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/tags?post=7"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}