The Instant Replay MA for FIM Bob Bradley, MVP, MCTS, FIM Team founding member.


Slide 1

The Instant Replay MA for FIM
Bob Bradley, MVP, MCTS, FIM Team founding member


Slide 2

Background
• Bob Bradley, FIM MVP 2012, 2013
• Work for UNIFY Solutions in Australia with Carol Wapshere and
other colleagues in “The FIM Team”
• Specialize in event-driven FIM solutions (you will see this in demo)
• Began working with MIIS full time in 2004 (then ILM2007)
• Have worked full time on FIM since mid 2009
• Worked closely for 2 solid years with the MCS Identity Management
Practice lead in Australia on the biggest FIM sites in Australia,
neither of which was “OOTB”
• In working with FIM I came up with a couple of unique ideas –
including this one


Slide 3

Presentation Outline
• Inspiration and Concept
• Construction and Demo
• Use Case Scenarios and Demo
• Additional use case: Maintaining References
• Advanced Implementation and Demo
• Conclusion


Slide 4

Inspiration
The Replay MA was inspired by limitations encountered using the FIM MA …
• The FIM MA is very different from any other type
• Additional rules apply, e.g.
– only one instance of the FIM MA allowed per sync service
– only one FIM service connected to a single sync service
– one-to-one “like with like” attribute mappings only
– direct flows only, configurable in the MA wizard only
– no manual precedence allowed when FIM MA contributes an attribute
value to the MV
• Constraints such as the ones above can impose solution limitations … ones
that we might find ourselves looking for ways around


Slide 5

Concept
• The Replay MA is a very low-cost option (in terms of
development as well as processing overhead) for providing
the FIM Metaverse with an additional feed of the same
objects already present in an existing MA (connected or not)
• In the special case of the FIM MA, this provides added
benefits, including restoring the advanced flow rule and
manual precedence options otherwise denied for the FIM MA,
seemingly leaving you no option but to implement “equal
precedence”


Slide 6

Concept (continued)
• This session will walk you through how to create a standard
text file MA that works alongside the FIM MA, allowing you
to overcome advanced flow and precedence restrictions.
• You will also see how, with a more advanced configuration,
you can also achieve that sought-after flexibility with
reference attributes.


Slide 7

Construction
1. Export the configuration of your target MA (FIM MA)
2. Run ReplayLDIF-GenerateSchema.ps1 to transform
the DSML file to an LDIF file template for a new text MA
3. Create a new LDIF file MA from the template
4. Be selective in your attribute flows, flowing only those
objects and properties that you want to
5. Configure enhanced precedence and advanced flow
rules as necessary


Slide 8

Basic Implementation
1. Configure audit drop files for your target MA, and use
these as the source for your Replay MA
2. Configure the ReplayLDIF-GenerateData.ps1 script to
transform the DSML drop file into LDIF format
3. Test and refine
4. Use automation to orchestrate run profile sequencing
on the back of the source run profile sequence


Slide 9

Demo
• Construction


Slide 10

Use Case Scenarios
• Avoid using equal precedence
• Derive multiple/alternative import mappings from the
same FIM Portal property
• Selectively import reference values
• Import reference values as strings (not just FIM MA)
using direct or advanced flow rules
• Implement manual precedence for import flows
involving the FIM Portal
• The following are 3 specific scenarios where my colleague
Carol has used the Replay MA idea for her clients …


Slide 11

Use Case: FIM MA Not Precedent
[Diagram; labels recovered from the slide]
• Systems: HR, FIM MA, Replay MA, Metaverse, AD
• Attributes: End Date, TermDate, EmployeeEndDate, employeeEndDate, accountExpires
• Scenario notes: HR Precedent for Staff; Portal Precedent for Contractors; Termination WF in Portal
• Flow annotations: Skipped: Not Precedent; Direct Flows; HR Precedent over Replay MA; FIM MA precedent; Equal precedence; Manual precedence


Slide 12

Use Case: Advanced Import Flow
Other uses
[Diagram; labels recovered from the slide]
• Systems: Application, FIM MA, Replay MA, Metaverse, AD
• Attributes: ID, PersonID, ObjectID, employeeID, personID
• Scenario notes: Unique ID; Generate Person ID; Must not change
• Flow annotations: Only flow if not present; New portal object changes personID; personID does not change


Slide 13

Use Case: Selective Reference Flow
[Diagram; labels recovered from the slide]
• Systems: Notes, FIM MA, Replay MA, Metaverse, AD
• Attributes: Members, Member, member, FIMAuthoratative
• Scenario notes: Staged Group Migration; Some precedent in Portal; Some precedent in Notes; Must be identical in Notes and AD
• Flow annotations: Equal precedence; FIM RTM – no scoped SRs; Replay MA precedent over Notes


Slide 14

Demo
• Basic solution use case scenario


Slide 15

FIM Back-links
Use Case #1
• Leveraging relative-to-resource MPRs
– Relative-to-resource idea saves on set/MPR proliferation, which
is a known cause for FIM performance degradation
– This style of MPR comes with the hidden cost of maintaining the
references
– Multi-value reference must be maintained in sync with each
collection of administrators for a location
– High processing overhead in maintaining this via workflow
– Need Housekeeping to ensure integrity (topic for another time!)
– Sync option is far more attractive … just need to support deltas!


Slide 16

FIM Back-links
Use Case #2
• Set definitions on derived references to support MPRs
– Maintain Person.memberOf multi-value property derived from
group.member
– ADUC console in AD shows a user’s group membership in the
“Member Of” tab … however this is just a run-time inversion of
the Group’s “Member” property, and cannot be synchronised
– Could support set transition or request MPRs such as “All new
users in the TEC2012 group are notified of their membership”, or
simply “All users are notified of set membership changes”


Slide 17

Advanced Implementation
1. Configure audit drop files for your target MA
2. Use extended XSLT to transform the DSML file into an
LDIF file
3. Configure additional derived “back link” MA properties
4. Be selective in your attribute flows, flowing only those
objects and properties that you want to
5. Configure enhanced precedence and advanced flow
rules as necessary, as well as derived “back-link” flows
6. Use an automation tool to orchestrate run profile
sequencing
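
The back-link derivation described on slides 16 and 17 (Person.memberOf inverted from group.member), as an added PowerShell example that is not the author's ReplayLDIF scripts or XSLT. The input XML is a constructed stand-in with assumed element names, and `ConvertTo-ReplayLdif` is a hypothetical helper; references to objects missing from the file are reported and left out of the LDIF.

```powershell
# Constructed sample standing in for a drop file; element and attribute
# names are assumptions for this example, not the real drop-file schema.
[xml]$drop = @'
<entries>
  <entry dn="CN=alice" class="Person" />
  <entry dn="CN=bob" class="Person" />
  <entry dn="CN=TEC2012" class="Group">
    <member>CN=alice</member>
    <member>CN=bob</member>
  </entry>
  <entry dn="CN=Admins" class="Group">
    <member>CN=alice</member>
    <member>CN=ghost</member>
  </entry>
</entries>
'@

function ConvertTo-ReplayLdif {   # hypothetical helper name
    param([xml]$Doc)
    $entries  = @($Doc.SelectNodes('/entries/entry'))
    $known    = @{}   # DN -> object class, for every object in the file
    $memberOf = @{}   # member DN -> group DNs (the derived back-link)
    foreach ($e in $entries) { $known[$e.GetAttribute('dn')] = $e.GetAttribute('class') }

    foreach ($g in $entries) {
        foreach ($m in $g.SelectNodes('member')) {
            $ref = $m.InnerText
            if (-not $known.ContainsKey($ref)) {
                # Dangling reference: report it instead of emitting a broken link.
                Write-Warning "$($g.GetAttribute('dn')) references missing object $ref"
                continue
            }
            if (-not $memberOf.ContainsKey($ref)) { $memberOf[$ref] = @() }
            $memberOf[$ref] += $g.GetAttribute('dn')
        }
    }

    foreach ($e in $entries) {
        $dn = $e.GetAttribute('dn')
        "dn: $dn"
        "objectClass: $($known[$dn])"
        foreach ($m in $e.SelectNodes('member')) {
            if ($known.ContainsKey($m.InnerText)) { "member: $($m.InnerText)" }
        }
        if ($memberOf.ContainsKey($dn)) { $memberOf[$dn] | ForEach-Object { "memberOf: $_" } }
        ''   # a blank line terminates each LDIF entry
    }
}

ConvertTo-ReplayLdif -Doc $drop
```

With the sample above, CN=alice receives two memberOf values, CN=bob one, and the CN=ghost reference in CN=Admins produces a warning and no link.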


Slide 18

Maintaining References
• What’s involved in enforcing referential integrity in FIM?
– Think of all the possible use cases
– Identify all the relevant sets
– Construct action workflows
– Construct set transition MPRs
– Cross your fingers and hope nothing breaks …
• Here the FIM Replay MA can give you that peace of mind you need …


Slide 19

Demo
• Advanced back-link generation scenarios


Slide 20

Conclusion
• The FIM Replay MA is a very simple, low cost
option of providing the FIM Metaverse with an
additional feed of the same data already present
in an existing MA.
• In the special case of the FIM MA, this provides
added benefits, including avoiding having to go
down the “equal precedence” route.


Slide 21

More Info
My blog: bobbradley1967.wordpress.com
LinkedIn: au.linkedin.com/in/bradleybob
Twitter: twitter.com/unificator (#FIM2010)
The FIM Team: thefimteam.com
My Company: www.unifysolutions.net
FIM Forum: social.technet.microsoft.com/Forums/enUS/ilm2
• Bob Bradley: [email protected]








Slide 22

PostScript
On 09/18/12 9:52 PM, Jason Bell wrote (LinkedIn):
I didn't realize you had it posted yet... It is funny, shortly after TEC - I was inspired
by the Replay MA concept and developed an ECMA 2.0 that let you select the
MA to replay from a dynamic drop down list. Does a full dynamic schema
discovery. I got it all up and running for single value attributes and forgot about
it... then the other day I needed it and got to thinking that I should share it with
you when I get it fully functional.
I have been working on various ECMA 2.0 Management Agents to easily perform
tasks that have historically required out-of-band processes. The Replay MA idea
fit into this category.
So anyway, when I get it done - I would like to show it to you and make sure you
get due credit.
Hopefully we will see you again at TEC in 2013. Keep up the great Blogs!


Slide 23

Questions?