Tic, tock, tic, tock – When Time Passes By
Tomasz Onyszko, Connected Dots
Catching the moment …
… WHAT’S THE PROBLEM
Time in IdM process
• Time related actions in hire & fire scenarios
• Temporary actions or assignments
• Periodic actions (reviews, access attestation)
• Notifications
Old way …
… HANDLING TIME IN ILM
Challenges in ILM
• Synchronization engine is state based
– To trigger an action, a change in object state has to be detected
– Engine is unable to trigger actions on its own
Handling time – design pattern
• Operational Management Agent
– Stores information about events which should
trigger actions in future
• Manage events through provisioning process
into MA connector space
• Trigger actions through attribute flow from MA
Scheduling event
[Diagram: Data source, MV, Delayed actions operational MA]
Event definition
• Event triggering date
• Action type
– Avoid placing actions of the same type
– If needed, introduce an additional distinguisher
• MV GUID (optional - recovery scenarios)
Triggering an event
• Delta view based on event list
• Showing only active events based on fire date
SELECT
(...)
CAST ( 'Active' AS NVARCHAR(10)) AS IsActive,
'Modify' AS ChangeType
WHERE (ActionDate <= GETDATE())
Trigger event execution
[Diagram: Delayed actions operational MA, MV, Account rename, Notification]
Event cleanup
• Remove scheduled actions
– De-provisioning
– Automatic clean-up at SQL DB
• Event should stay in MA as long as triggering
condition exists
– Synchronization logic should incorporate that
ILM delayed actions
… SHORT DEMO
After the break …
… HERE COMES FIM
Changes introduced in FIM
• FIM Synchronization Engine
– Same story as for ILM 2007
• FIM Service
– Filter definitions can contain time-related statements
– FIM processes time-driven events on a scheduled basis
Evaluation mechanics
• SQL Agent job
– FIM_TemporalEventsJob
• Contains two separate jobs
– FIM_MaintainSetsStep
– FIM_MaintainGroupsStep
• Runs every day at 1 AM
– Scheduled: temporaleventsjobschedule
Job schedule
• The FIM temporal job schedule defines the time "tick" for the system
• The time when the job is executed defines Today for FIM
• Changes in the job schedule can affect how Today() is evaluated
XPath elements related to time
• dateTime: data type which represents time
• XPath statements
– current-dateTime
– add-dayTimeDuration-to-dateTime
– add-yearMonthDuration-to-dateTime
– subtract-dayTimeDuration-from-dateTime
– subtract-yearMonthDuration-from-dateTime
Temporal sets \ groups
• Objects whose conditions are related to time
• Membership evaluated:
– When FIM runs temporal job
– When actual attribute on object is changed
First of all
• Date and time information has to flow to the FIM Service in the correct format
Definition of temporal sets
… SHORT DEMO
True meaning of Today
• Today
– It is defined by FIM "tick" events
• Before today
– Before the FIM SQL job runs
• After today
– After the FIM SQL job runs
Today
[Timeline: 2011-04-17 0:05 AM, 2011-04-17 1:00 AM, 2011-04-17 8:05 AM]
Today: 2011-04-17 10:30 (2011-04-17 1:00 AM marked on the timeline)
• Date 2011-04-16: Prior to = True, Equal to = False, After = False
• Date 2011-04-17 10:30: Prior to = False, Equal to = True, After = False
• Date 2011-04-17 10:31: Prior to = False, Equal to = True, After = True
Setting time based criteria
• Remember about meaning of Today()
• Use range based criteria rather than specific
date
What is it all about …
… USAGE PATTERNS EXAMPLES
Notifications
• Common tasks:
– Send a notification before something happens
• Password Expiration
– Send a notification if something does not happen
• Reminder for signing NDA
Notifications – customer case
Time based notifications
… SHORT DEMO
Dynamic (time based) assignments
• Assignment to group or role for given period
of time
• Additional assignment object
– Resources (person, group)
– Valid From date
– Valid To date
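Added example (not from the original slides): a simplified Python model of "the job run defines Today", applied to a Valid From / Valid To assignment, showing how long access outlives its Valid To date. It assumes a single daily job run at 1 AM and ignores the re-evaluation that happens when an attribute on the object changes; all function names are hypothetical.

```python
from datetime import datetime, time, timedelta

# Assumption: the temporal job fires once a day at this time (the slides say 1 AM).
JOB_TIME = time(1, 0)

def last_tick(now: datetime) -> datetime:
    """Most recent job run at or before `now`; this is the model's 'Today'."""
    tick = datetime.combine(now.date(), JOB_TIME)
    return tick if tick <= now else tick - timedelta(days=1)

def next_tick(moment: datetime) -> datetime:
    """First job run at or after `moment`."""
    tick = datetime.combine(moment.date(), JOB_TIME)
    return tick if tick >= moment else tick + timedelta(days=1)

def is_member(valid_from: datetime, valid_to: datetime, now: datetime) -> bool:
    """Range criterion valid_from <= Today < valid_to, with Today frozen at the last tick."""
    today = last_tick(now)
    return valid_from <= today < valid_to

def enforcement(valid_from: datetime, valid_to: datetime):
    """Return (effective start, effective end, time access outlives valid_to)."""
    granted = next_tick(valid_from)
    revoked = next_tick(valid_to)
    return granted, revoked, revoked - valid_to

# Constructed sample assignment, reusing the timestamps from the Today timeline.
VALID_FROM = datetime(2011, 4, 17, 0, 5)
VALID_TO = datetime(2011, 4, 17, 8, 5)

if __name__ == "__main__":
    granted, revoked, lag = enforcement(VALID_FROM, VALID_TO)
    print("effective from :", granted)
    print("effective until:", revoked, "(outlives Valid To by %s)" % lag)
    for now in (datetime(2011, 4, 17, 0, 30), datetime(2011, 4, 17, 10, 30),
                datetime(2011, 4, 18, 0, 59), datetime(2011, 4, 18, 1, 0)):
        print(now, "member:", is_member(VALID_FROM, VALID_TO, now))
```

In this model the assignment stays effective until the next job run after Valid To, so Valid To dates for sensitive access should be chosen with the job schedule in mind.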
Dynamic assignments: IN
Dynamic assignments: OUT
Dynamic assignments
… SHORT DEMO
Time is running out …
… SUMMARY
Blog: http://blogs.dirteam.com/blogs/tomek/
WWW: http://www.cdots.pl
… THANK YOU !!!