Wednesday, March 27, 2013

The Last FIM Metaverse Extension You Will Ever Need

The third tool in the “The Last of” series is really another option for codeless provisioning (with out having to go to the FIM Service/Portal).  The Last FIM Metaverse Extension You Will Ever Need takes advantage of the configuration of a special MA to determine the initial flows needed to provision a new object.  This is done in two parts.  Here’s how it works. 

The Provisioning Management Agent
You will need to create an MA a special MA of type “Provisioning Management Agent (Insight)”.  This is an ECMA that inspects the configuration of the FIM Synch engine, allowing you to use the UI to define the provisioning rules for the other MAs in the environment.  You will not create run profiles for this MA, it will never be executed in that manner.

First, make sure you install the packaged Provisioning MA and the Insight.FIM.CodelessProvisioning.dll from Now, when configuring the MA, the first thing you will need to do (after giving it a name) will be to use the Connectivity tab to enable provisioning.  You can do this by MA and by MA object type.  One nice thing about this set-up, you can selectively turn on and off provisioning with out having to change any of the flow rules defined.  In this example, I have two MAs, the HR MA with one object type of person and a CRM MA with two types, person and group:

I have enabled provisioning for person objects in the HR MA and then clicked Next. Then, I clicked Next on the Configure Partitions and Hierarchies tab, we will be using the default values.

On the Object Types tab, you will see a list of Management Agents.  In essence, what this page is asking you is which MAs you want to define provisioning rules for.  At a minimum you will want to select the MAs that have at least item selected from the Connection tab. In this case I am going to define provisioning rules for the HR MA, which I have enabled for provisioning.  Additionally, I could define rules for the CRM MA if I plan on enabling it at some point in the future:

On the next tab, you will want to select the attributes that you are going to define initial flows for.  At a minimum you will need to check the attribute “Anchor”.  I have selected a few of the basic attributes I want to set during provisioning:

Next is the Anchors tab, leave the default values (Anchor attribute = Anchor) and click Next.

You should now be on the Configure Connector Filter tab, the provisioning code currently does not use this tab, but that could be a useful enhancement in the future.  Leave the filters blank and click Next.

Ditto with the Join and Project Rules, these won’t be used, leave them blank and click Next.

Now comes the interesting tab.  On the Attribute Flow section, define the flows that you want as your initial flows as Export flows for the MA and object type.  For example, if I want the ID, DisplayName, Email, FirstName and LastName set on a new HR MA person when the object is provisioned, I will define an Export flows for each of those:

Currently, only direct and constant flows are supported.  Although I am working on adding Advanced flows via the same mechanism as The Last FIM Management Agent Rules Extension You Will Ever Need in which the C# code that defines the advanced flow is placed directly in the Flow rule name.  Click Next when done defining the flow rules.

Click Next through the Deprovisioning and Extensions tab (you may need to provide a dll for the Rules extension name, you can simply use the Insight.FIM.CodelessProvisioning.dll).    That’s it!  You should now see your new Provisioning MA in the Sync client.  Don’t create more than one of these, currently only the first Provisioning MA found will be used.

Unfortunately, should you rename one of the MAs configured, you will need to update the schema of the Provisioning MA and then redefine the flow rules.

The Metaverse Extension
Okay, now all you need to do get this working is set the Metaverse Rules Extension to use Insight.FIM.CodelessProvisioning.dll and enable it:

Here’s what happens next.  When the provisioning code runs, it will go and look for a Provisioning MA.  It will then transverse the configuration of the MA to determine which objects to create and which flows to apply.  In this example, the provisioning code will see that I need to provision a new HR MA object of type person and set the ID, DisplayName, Email, FirstName and LastName on the object using the flow rules I defined.

Its an interesting concept and provides a well known UI to set up codeless provisioning without the overhead of the FIM Service. 

Let me know what you think!

No comments: