Thursday, May 9, 2013

Adding Attributes to the FIM MV Schema Programmatically

Adding new attributes programmatically to the Metaverse is currently not supported by FIM in any of its forms. However, if you are willing to take the chance and make the needed changes directly to the database, it is possible. This isn't necessarily recommended, and it is definitely not for the faint of heart. However, if you are determined to give it a try, here is what you have to do. First, make a backup of your database, then:

For single-valued non-reference attributes:

  1. Add a column to the mms_metaverse table with the appropriate name and data type
  2. Add a column to the mms_metaverse_lineagedate table with the appropriate name and a data type of datetime
  3. Add a column to the mms_metaverse_lineageguid table with the appropriate name and a data type of uniqueidentifier
  4. If you want the attribute to be indexed - add a new non-unique, non-clustered index to the mms_metaverse table with the name IX_mms_metaverse<attributeName>

Then, for all attributes (single or multi, reference or not), you will need to:

  1. Update the mv_schema_xml column of the mms_server_configuration
  2. Close the client, restart the Sync Service and re-open the client

I have only done some preliminary testing, but so far it has worked okay. I have worked out a SQL script to help you through the process. It's called MVAttributeCreationScript.sql and you can download it from http://sdrv.ms/11oBRr8.

If you are uncomfortable attempting to update the schema in this fashion, there are a couple of other possibilities. However, these also carry their own risks:

  1. Export the MV Schema, update the xml export file and then re-import it
  2. Create a keystroke script to perform the updates through the UI as a user would

I will create some additional blog posts to expound on these two methods a little bit further, so be on the lookout!

Wednesday, May 8, 2013

Now On Twitter

You can now follow my escapades on Twitter.

Wednesday, March 27, 2013

The Last FIM Metaverse Extension You Will Ever Need

The third tool in the “The Last of” series is really another option for codeless provisioning (without having to go to the FIM Service/Portal). The Last FIM Metaverse Extension You Will Ever Need takes advantage of the configuration of a special MA to determine the initial flows needed to provision a new object. This is done in two parts. Here’s how it works.

The Provisioning Management Agent
You will need to create a special MA of type “Provisioning Management Agent (Insight)”. This is an ECMA that inspects the configuration of the FIM Synch engine, allowing you to use the UI to define the provisioning rules for the other MAs in the environment. You will not create run profiles for this MA; it will never be executed in that manner.

First, make sure you install the packaged Provisioning MA and the Insight.FIM.CodelessProvisioning.dll from http://fimmv.codeplex.com. Now, when configuring the MA, the first thing you will need to do (after giving it a name) is to use the Connectivity tab to enable provisioning. You can do this by MA and by MA object type. One nice thing about this set-up is that you can selectively turn provisioning on and off without having to change any of the flow rules defined. In this example, I have two MAs, the HR MA with one object type of person and a CRM MA with two types, person and group.

I have enabled provisioning for person objects in the HR MA and then clicked Next. Then, I clicked Next on the Configure Partitions and Hierarchies tab; we will be using the default values.

On the Object Types tab, you will see a list of Management Agents. In essence, what this page is asking you is which MAs you want to define provisioning rules for. At a minimum you will want to select the MAs that have at least one item selected from the Connection tab. In this case I am going to define provisioning rules for the HR MA, which I have enabled for provisioning. Additionally, I could define rules for the CRM MA if I plan on enabling it at some point in the future.

On the next tab, you will want to select the attributes that you are going to define initial flows for. At a minimum you will need to check the attribute “Anchor”. I have selected a few of the basic attributes I want to set during provisioning.

Next is the Anchors tab, leave the default values (Anchor attribute = Anchor) and click Next.

You should now be on the Configure Connector Filter tab. The provisioning code currently does not use this tab, but that could be a useful enhancement in the future. Leave the filters blank and click Next.

Ditto with the Join and Project Rules: these won’t be used, so leave them blank and click Next.

Now comes the interesting tab. On the Attribute Flow section, define the flows that you want as your initial flows as Export flows for the MA and object type. For example, if I want the ID, DisplayName, Email, FirstName and LastName set on a new HR MA person when the object is provisioned, I will define an Export flow for each of those.

Currently, only direct and constant flows are supported, although I am working on adding Advanced flows via the same mechanism as The Last FIM Management Agent Rules Extension You Will Ever Need, in which the C# code that defines the advanced flow is placed directly in the Flow rule name. Click Next when done defining the flow rules.

Click Next through the Deprovisioning and Extensions tabs (you may need to provide a dll for the Rules extension name; you can simply use the Insight.FIM.CodelessProvisioning.dll). That’s it! You should now see your new Provisioning MA in the Sync client. Don’t create more than one of these; currently only the first Provisioning MA found will be used.

Unfortunately, should you rename one of the MAs configured, you will need to update the schema of the Provisioning MA and then redefine the flow rules.

The Metaverse Extension
Okay, now all you need to do to get this working is set the Metaverse Rules Extension to use Insight.FIM.CodelessProvisioning.dll and enable it.

Here’s what happens next. When the provisioning code runs, it will go and look for a Provisioning MA. It will then traverse the configuration of the MA to determine which objects to create and which flows to apply. In this example, the provisioning code will see that I need to provision a new HR MA object of type person and set the ID, DisplayName, Email, FirstName and LastName on the object using the flow rules I defined.

It’s an interesting concept and provides a well-known UI to set up codeless provisioning without the overhead of the FIM Service.

Let me know what you think!

Tuesday, February 19, 2013

The Last FIM Management Agent Rules Extension You Will Ever Need

For the next in the Last FIM series, I extended the concept introduced in The Last FIM Workflow You Will Ever Need to the Synchronization Engine. In this case, this Management Agent Extension will take the Attribute Flow Name provided, compile it and run it like code. So as an example, if you were creating an import flow to displayName and wanted to calculate it by concatenating firstName + " " + lastName from the connector space, you could use the following as the Flow rule name:

mventry["displayName"].Value = csentry["FirstName"].Value + " " + csentry["LastName"].Value

In order to make this work, download and install the CodePlex project from http://fimma.codeplex.com, then reference the Insight.FIM.CodelessSync.dll on the MA Extensions tab.

A few things to note: currently the code that you can place in the Flow rule name is limited to a single line, so only fairly simple calculations can be performed, but it may keep you from having to go to the Portal for "codeless" sync rules. Only C# syntax is currently accepted, although a VB version could be written. There may also be some value in writing a version that uses its own simplified syntax. Only reference the .Value property of any mventry or csentry attribute; the extension will inspect the data type to determine how to handle it from there. Also, this can be nicely combined with any existing MA Extension code you might have: simply use it as the default case of your switch statement for import or export flow code:

 

public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
{
    switch (FlowRuleName)
    {
        case "existingFlowName":
            // existing code
            break;
        default:
            // Any other flow rule name is handed to the extension,
            // which compiles it and runs it as a line of C#
            runCommand(FlowRuleName, mventry, csentry, "mventry");
            break;
    }
}
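
Because the extension compiles and runs whatever text is in the Flow rule name, that text is effectively code running inside the sync engine. The guard below is an added example, not part of the Insight.FIM.CodelessSync project, that only lets through the single-line shape described above: an assignment built from .Value references and string constants. FlowRuleGuard and IsAllowed are hypothetical names, and the attribute-name character set, the 400-character cap and the meaning of the target argument are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: allowlist check applied to a flow rule name before it is
// compiled. FlowRuleGuard and IsAllowed are hypothetical names.
public static class FlowRuleGuard
{
    // Assumption: attribute names are letters, digits, '_' or '-'.
    private const string Attr = @"\[""[A-Za-z][A-Za-z0-9_-]*""\]\.Value";
    private const string Entry = "(?:mventry|csentry)" + Attr;
    // String constant with no embedded quote, backslash or line break.
    private const string Literal = @"""[^""\\\r\n]*""";
    private const string Term = "(?:" + Entry + "|" + Literal + ")";
    private const string Ws = @"[ \t]*";

    // target is "mventry" for import flows and "csentry" for export flows
    // (assumed from the fourth runCommand argument shown on the page).
    public static bool IsAllowed(string flowRuleName, string target)
    {
        if (string.IsNullOrEmpty(flowRuleName) || flowRuleName.Length > 400)
            return false; // 400 is an arbitrary cap chosen for this example
        if (target != "mventry" && target != "csentry")
            return false;

        // <target>["attr"].Value = term (+ term)* with an optional final ';'
        string pattern = @"\A" + Ws + target + Attr + Ws + "=" + Ws + Term
            + "(?:" + Ws + @"\+" + Ws + Term + ")*" + Ws + ";?" + Ws + @"\z";
        return Regex.IsMatch(flowRuleName, pattern, RegexOptions.CultureInvariant);
    }

    public static void Main()
    {
        // Constructed inputs; the first is the flow rule from the post.
        string[] samples =
        {
            "mventry[\"displayName\"].Value = csentry[\"FirstName\"].Value + \" \" + csentry[\"LastName\"].Value",
            "mventry[\"displayName\"].Value = csentry[\"FirstName\"].Value.ToUpper()",
            "mventry[\"a\"].Value = \"x\"; csentry[\"b\"].Value = \"y\"",
            "csentry[\"FirstName\"].Value = mventry[\"displayName\"].Value"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-5} {1}", IsAllowed(s, "mventry"), s);
    }
}
```

Call it at the top of the default branch and pass the rule on to runCommand only when it returns true.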

The extension is fairly new, so it may still need some tweaking, but I wanted to get it out to the community for your feedback and contributions. Let me know what you think!

Also, be on the watch for the next in the Last FIM series, The Last FIM Metaverse Extension You Will Ever Need.

The Last FIM Workflow You Will Ever Need, Part 2

A year ago I introduced the idea of a FIM Workflow that would allow you to use the UI to write the code that you wanted executed at run time. Since then I have updated the workflow to allow you to also specify additional references and using/import statements. 


I also got approval to upload the project to CodePlex so that you can have access to it.  Check it out at http://fimwf.codeplex.com and let me know what you think!

Be on the lookout for the next item in the Last FIM series, the Last FIM Management Agent Rules Extension You Will Ever Need.

Monday, January 21, 2013

FIM 2010 R2 Lab on Windows 7

I recently went about building out a FIM Lab on Windows 7 (64 bit). It’s completely unsupported, but in case it helps anyone, here is what I had to do.

With the basic FIM 2010 R2 installation instructions in mind, I began by installing IIS and SQL Server 2008 R2 on my Windows 7 machine. Since this environment is just for my own personal lab use, I created all of the needed users and groups locally on the box. Now comes the first challenge: getting SharePoint installed, which requires a Server OS. In order to install WSS, I downloaded and installed a neat little application called WSSOnVista from Bamboo Nation. This application uses API hooking to intercept the GetVersionEx call, fooling the install into believing it’s running on Windows Server. I used WSSOnVista to install WSS 3.0 with SP2. Be sure to follow the instructions listed on the Bamboo Nation site, including using the WSS Advanced install option and selecting the Web Front End server type.

You will then need to download and install Orca. You can use Orca to edit the FIM MSI packages, removing the server version checking requirements. You will need to copy the FIM install bits to some media where they can be edited (like a local drive). Begin by right clicking the Synchronization Service.msi file and then selecting the “Edit with Orca” option. You will then need to locate and remove the server OS version Launch Condition. Right click the appropriate Row and click on the Cut Row(s) or Drop Row option.

Save your changes and launch the Synchronization Service.msi and install as you normally would. You will need to perform a similar action on the Service and Portal.msi file; however, this time you are looking for the OSCheck under the CustomAction table.

Again, save the changes made to the msi file and then use it to install the FIM Service and Portal as you normally would.

I haven’t encountered any issues running on Windows 7 yet, but will update this article if any come up.