Presentation on theme: "Bob Bradley, MVP, MCTS, FIM Team founding member The Instant Replay MA for FIM."— Presentation transcript:
Bob Bradley, MVP, MCTS, FIM Team founding member The Instant Replay MA for FIM
Background Bob Bradley, FIM MVP 2012, 2013 Work for UNIFY Solutions in Australia with Carol Wapshere and other colleagues in “The FIM Team” Specialize in event-driven FIM solutions (you will see this in demo) Began working with MIIS full time in 2004 (then ILM2007) Have worked full time on FIM since mid 2009 Worked closely for 2 solid years with the MCS Identity Management Practice lead in Australia on the biggest FIM sites in Australia, neither of which were “OOTB” In working with FIM I came up with a couple of unique ideas – including this one
Presentation Outline Inspiration and Concept Construction and Demo Use Case Scenarios and Demo Additional use case: Maintaining References Advanced Implementation and Demo Conclusion
Inspiration The Replay MA was inspired by limitations encountered using the FIM MA … The FIM MA is very different from any other type Additional rules apply, e.g. – only one instance of the FIM MA allowed per sync service – only one FIM service connected to a single sync service – one-to-one “like with like” attribute mappings only – only direct flows configurable in the MA wizard only – no manual precedence allowed when FIM MA contributes an attribute value to the MV Constraints such as the ones above can impose solution limitations … ones that we might find ourselves looking for ways around
Concept The Replay MA is a very low-cost option (in terms of development as well as processing overhead) for providing the FIM Metaverse with an additional feed of the same objects already present in an existing MA (connected or not) In the special case of the FIM MA, this provides added benefits, including restoring the advanced flow rule and manual precedence options otherwise denied for the FIM MA, seemingly leaving you no option but to implement “equal precedence”
Concept (continued) This session will walk you through how to create a standard text file MA that works alongside the FIM MA, allowing you to overcome advanced flow and precedence restrictions. You will also see how, with a more advanced configuration, you can also achieve that sought-after flexibility with reference attributes.
Construction 1.Export the configuration of your target MA (FIM MA) 2.Run ReplayLDIF-GenerateSchema.ps1 to transform the DSML file to an LDIF file template for a new text MA 3.Create a new LDIF file MA from the template 4.Be selective in your attribute flows, flowing only those objects and properties that you want to 5.Configure enhanced precedence and advanced flow rules as necessary
Basic Implementation 1.Configure audit drop files for your target MA, and use these as the source for your Replay MA 2.Configure the ReplayLDIF-GenerateData.ps1 script to transform the DSML drop file into LDIF format 3.Test and refine 4.Use automation to orchestrate run profile sequencing on the back of the source run profile sequence
Use Case Scenarios Avoid using equal precedence Derive multiple/alternative import mappings from the same FIM Portal property Selectively import reference values Import reference values as strings (not just FIM MA) using direct or advanced flow rules Implement manual precedence for import flows involving the FIM Portal The following are 3 specific scenarios where my colleague Carol has used the Replay MA idea for her clients …
Use Case: FIM MA Not Precedent FIM MA HR Metaverse AD End Date HR Precedent for Staff Portal Precedent for Contractors Termination WF in Portal TermDate employeeEndDate EmployeeEndDate accountExpires Skipped: Not Precedent FIM MA precedent Equal precedence Manual precedence Replay MA EmployeeEndDate Direct Flows HR Precedent over Replay MA
Use Case: Advanced Import Flow FIM MA Metaverse AD Unique ID Generate Person ID Must not change personID ObjectID employeeID New portal object changes personID Replay MA ObjectID personID does not change Application ID Other uses Only flow if not present PersonID
Use Case: Selective Reference Flow FIM MA Metaverse AD Staged Group Migration Some precedent in Portal Some precedent in Notes Must be identical in Notes and AD member Member member Equal precedence FIM RTM – no scoped SRs Replay MA precedent over Notes Notes Members Selective Join FIMAuthoratative Replay MA Member FIMAuthoratative
Demo Basic solution use case scenario
FIM Back-links Use Case #1 Leveraging relative-to-resource MPRs – Relative-to-resource idea saves on set/MPR proliferation, which is a known cause for FIM performance degradation – This style of MPR comes with the hidden cost of maintaining the references – Multi-value reference must be maintained in sync with each collection of administrators for a location – High processing overhead in maintaining this via workflow – Need Housekeeping to ensure integrity (topic for another time!) – Sync option is far more attractive … just need to support deltas!
FIM Back-links Use Case #2 Set definitions on derived references to support MPRs – Maintain Person.memberOf multi-value property derived from group.member – ADUC console in AD shows a user’s group membership in the “Member Of” tab … however this is just a run-time inversion of the Group’s “Member” property, and cannot be synchronised – Could support set transition or request MPRs such as “All new users in the TEC2012 group are notified of their membership”, or simply “All users are notified of set membership changes”
Advanced Implementation 1.Configure audit drop files for your target MA 2.Use extended XSLT to transform the DSML file into an LDIF file 3.Configure additional derived “back link” MA properties 4.Be selective in your attribute flows, flowing only those objects and properties that you want to 5.Configure enhanced precedence and advanced flow rules as necessary, as well as derived “back-link” flows 6.Use an automation tool to orchestrate run profile sequencing
Maintaining References What’s involved in enforcing referential integrity in FIM? – Think of all the possible use cases – Identify all the relevant sets – Construct action workflows – Construct set transition MPRs – Cross your fingers and hope nothing breaks … Here the FIM Replay MA can give you that peace of mind you need …
Demo Advanced back-link generation scenarios
Conclusion The FIM Replay MA is a very simple, low cost option of providing the FIM Metaverse with an additional feed of the same data already present in an existing MA. In the special case of the FIM MA, this provides added benefits, including avoiding having to go down the “equal precedence” route.
My blog: bobbradley1967.wordpress.combobbradley1967.wordpress.com LinkedIn: au.linkedin.com/in/bradleybobau.linkedin.com/in/bradleybob Twitter: twitter.com/unificator (#FIM2010)twitter.com/unificator The FIM Team: thefimteam.comthefimteam.com My Company: FIM Forum: social.technet.microsoft.com/Forums/en- US/ilm2social.technet.microsoft.com/Forums/en- US/ilm2 Bob Bradley: More Info
PostScript On 09/18/12 9:52 PM, Jason Bell wrote (LinkedIn): I didn't realize you had it posted yet... It is funny, shortly after TEC - I was inspired by the Replay MA concept and developed a ECMA 2.0 that let you select the MA to replay from a dynamic drop down list. Does a full dynamic schema discovery. I got it all up and running for single value attributes and forgot about it... then the other day I needed it and got to thinking that I should share it with you when I get it fully functional. I have been working on various ECMA 2.0 Management Agents to easily perform tasks that have historically required out-of-band processes. The Replay MA idea fit into this category. So anyway, when I get it done - I would like to show it to you and make sure you get due credit. Hopefully we will see you again at TEC in Keep up the great Blogs!