Microsoft Identity and Access Management - Provisioning and Workflow

Chapter 1: Introduction to the Provisioning and Workflow Paper

Executive Summary

Today's large organizations often have complex and poorly designed processes for provisioning systems with information for computer network users. For example, in some organizations, it can take up to two weeks before new information workers can access e-mail and the applications that they need for their jobs. The manual, task-intensive processes that are typically involved in identity provisioning add overhead, delay employee productivity, and often lead to a network environment that is not secure.

This paper discusses how to provision identities automatically into multiple directories and identity stores in a heterogeneous environment. It also discusses managing security and e-mail group memberships, and describes a workflow process that can extend automated processes.

You can use the information in this paper to enable the automated administration of user identities and reduce costs while you increase the availability and security of information resources. This paper also provides detailed configuration tasks that you can use to achieve these results by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).

The Business Challenge

Organizations store identity information in numerous repositories, or data stores. Using a product that includes metadirectory functionality allows you to synchronize existing data so that it is consistent across these stores. The Identity Aggregation and Synchronization paper, which is part of this series, describes this synchronization capability in detail. The provisioning challenge is to use technology to automate the addition of new identities to these stores. Deprovisioning, which refers to processes that remove and disable accounts at the end of an identity object's life cycle, is closely related to this challenge. Your environment might also require workflow processes to provide discretionary input to provisioning tasks, for example in cases that involve security-oriented or special-purpose requirements.

The manual administration of provisioning tasks is slow and typically does not enforce policies for access and authorization in a consistent manner. Without reliable, automated processes, it will often not be practical even to attempt to implement all desirable policies.

The business challenges that relate to provisioning include how to:

  • Reduce costs associated with the creation and removal of accounts.
  • Expand an organization's people and IT resources without increasing its IT staff.
  • Meet legal compliance and regulatory requirements for data access and privacy.
  • Ensure that all key accounts are created, modified, and disabled or deleted in a timely and reliable manner, and in accordance with defined policies.
  • Maintain security identities in the correct organizational units (OUs) and groups in accordance with defined policies, and remove or disable them in a timely manner.

The Business Benefits

The business benefits that organizations can achieve through efficient, largely automated administrative processes for provisioning and deprovisioning based on reliable technologies include:

  • Lower total cost of ownership (TCO) for maintaining digital identity information in multiple data stores.
  • Higher IT administrator productivity through the automation of time-consuming activities.
  • Higher employee productivity through correct access granted in a timely manner.
  • Stronger security through accurate and reliable OU and group maintenance, and the timely removal or disabling of accounts.

Who Should Read This Paper

The intended audience for this paper includes system architects, IT professionals, managers, technical decision makers, and consultants involved in identity life cycle management efforts.

Reader Prerequisites

This paper assumes that readers have a moderate knowledge of the identity and access management concepts and technologies described in the Fundamental Concepts paper in this series.

To implement any of the solutions in this paper, readers should understand the infrastructure described and implemented in the Platform and Infrastructure paper in this series. In addition, implementing the solutions in this paper requires the following prerequisites:

  • A strong familiarity with the Identity Aggregation and Synchronization paper in this series.
  • A familiarity with managing groups by using the Microsoft Active Directory® directory service.
  • An appreciation for workflow principles and using Authorization Manager to control who may perform defined tasks.

To properly understand the solution, it is also helpful to know Microsoft Visual C#® and Visual Basic® .NET, as well as MIIS 2003 with SP1.

Paper Overview

This paper explains how you can design, plan, build, and operate provisioning and workflow solutions by using the following technologies:

  • MIIS 2003 with SP1, an identity integration product that includes metadirectory and provisioning capabilities that will interoperate with many identity data sources by using protocols such as Lightweight Directory Access Protocol (LDAP).
  • Active Directory, which provides authentication and authorization for network operating systems and is a key provisioning target for MIIS 2003 with SP1.
  • A Group Management Web application and Group Populator program, which extend the capabilities of MIIS 2003 with SP1 to include security and distribution group membership.
  • A sample Self-Service Provisioning Web application.

Scenarios

In addition to a general discussion of provisioning and workflow approaches, this paper also provides detailed prescriptive guidance on implementing solutions based on three typical scenarios for Contoso Pharmaceuticals, a fictitious organization.

HR-Driven Provisioning

In this scenario, synchronizing identity information is only part of the required solution for Contoso. In addition to enabling a comprehensive view of its users, the company needs a provisioning solution. Data that resides in Contoso's mySAP ERP Human Capital Management system (SAP HR system) drives this solution to initiate automated provisioning operations.

This scenario describes how Contoso implements automated full-time employee account provisioning using MIIS 2003 with SP1.

Tools and Templates

You can use a set of configuration files, source code, scripts, and other data files to quickly and effectively implement the solution for this scenario.

Group Management

In this scenario, Contoso manages the following groups in its environment:

  • Security groups for setting entitlements through access control lists (ACL).
  • Distribution groups for e-mail distribution lists to enable effective e-mail communication throughout the organization.

Historically, Contoso has found it difficult to both place users in the appropriate groups during the provisioning process, and manage groups as users change roles, positions, and locations during their careers. This situation has led to user frustration, increased help desk call volume, and inappropriate access granted to some users.

This scenario describes how Contoso implements automated group management in its environment by using a group management application.

Tools and Templates

A sample Group Management Web application is provided in this scenario. The application can provide a solution for simple cases, and you can extend it for more complex ones. Contoso developed this tool to provide the following additional functionality:

  • A user interface (UI) to manage rules on how groups should be populated, which includes:
    • Automatically-created groups that are data-driven and can generate entire families of groups based on an attribute.
    • Manually-created groups that are query-driven.
  • The ability to include or exclude individuals who do not meet group membership definitions.
  • A facility to import group modifications.
  • A configurable "grace period" before removing a group.

Self-Service Provisioning

In this scenario, although the Contoso SAP HR system is considered the authoritative source for full-time employees, department managers hire contractors on a case-by-case basis. Because there is not an authoritative data source to drive fully-automated provisioning for contractors, Contoso requires managers to use a separate mechanism to request contractor accounts. To provide adequate security and safeguards for accounts, members of the IT administrators group must approve all such provisioning requests.

This scenario describes how Contoso implements a Web application to provision contractor accounts. The application includes simple workflow capability.

Tools and Templates

The sample workflow-driven provisioning application provides the following functionality:

  • Active Directory roles to secure the solution.
  • A one-step approval process.
  • Contoso's existing notification service.
  • Additional attributes that enhance functionality.

Useful configuration and other data files are also provided in this scenario.

Chapter Arrangement

Chapters 3 through 7 in this paper provide design and implementation details for the following three scenarios:

  • HR-Driven Provisioning
  • Group Management
  • Self-Service Provisioning

This paper includes the following seven chapters:

Chapter 1: Introduction

This chapter provides an executive summary, introduces the business challenges and benefits, suggests the recommended audience for the paper, lists reader prerequisites, and provides an overview of the chapters and scenarios in the paper.

Chapter 2: Approaches to Provisioning and Workflow

This chapter builds on the information provided in the Fundamental Concepts and Identity Aggregation and Synchronization papers in this series. It discusses approaches to provisioning, group management, and workflow.

Chapter 3: Issues and Requirements

This chapter defines the background, technology, security issues, and requirements for the HR-Driven Provisioning, Group Management, and Self-Service Provisioning scenarios. Contoso Pharmaceuticals, a fictitious organization, is used to illustrate the scenarios.

Chapter 4: Designing the Solution

This chapter highlights the key elements of the solution for each scenario; introduces the concepts, prerequisites, and architecture; and discusses how the proposed solution addresses the initial requirements.

Chapter 5: Implementing the Solution

This chapter builds on the infrastructure described in the Platform and Infrastructure and Identity Aggregation and Synchronization papers in this series to provide implementation details for the scenarios discussed in this paper. It also includes step-by-step configuration instructions.

Chapter 6: Testing the Solution

This chapter describes how to validate the implemented solution, including some troubleshooting steps to overcome common implementation challenges.

Chapter 7: Operational Considerations

This chapter discusses ongoing operational activities that must occur to ensure the continued success of the solution for each scenario.

Chapter 2: Approaches to Provisioning and Workflow

Large organizations typically have dozens of data stores for identity information. The Identity Aggregation and Synchronization paper in this series addresses the challenge of aggregating and synchronizing identity information that already exists in such data stores. Readers of this Provisioning and Workflow paper should be familiar with the information in the Identity Aggregation and Synchronization paper.

The Provisioning and Workflow paper focuses on provisioning new identity information to data stores. This chapter explores various approaches to provisioning, and the closely associated processes for deprovisioning, group management, and workflow. Subsequent chapters in this paper describe how these approaches address the three scenarios identified in Chapter 1, "Introduction."

What Is Provisioning?

New employees need physical objects such as a phone, a desk, and an ID card to do their work. In addition to these physical objects, there are many collections of digital information that describe who the employee is and define the employee's roles and entitlements within the organization. The allocation of these objects and creation of the digital identity information that enables services for a user is known as provisioning.

Other papers in this series have discussed digital identity information that is not related to people. However, this paper focuses primarily on provisioning people-related identity information.

Many individuals who are not employees of an organization also need provisioning, such as business partners, vendors, and customers. However, this paper focuses on the special needs of provisioning employees and contractors. The following section introduces various aspects of provisioning digital identity information in an organization.

The Identity Information Life Cycle

The life cycle of an identity, and therefore of identity information, comprises three main steps:

  • Provisioning
  • Maintenance
  • Deprovisioning

Provisioning Identity Information

When the life cycle of a new identity starts (such as when an employee joins an organization), information that describes the person is typically provisioned into a human resources (HR) system, operating system directories, application directories, and so on.

From these resources, additional information that describes the identity's roles and entitlements within the organization is created. For example, a person's job title may be used to determine membership of a group, which entitles the person to access non-public information.

Maintaining Identity Information

The initial information that is collected and distributed about a person in an organization undergoes modification throughout the full cycle of the relationship between the person and organization.

The Identity Aggregation and Synchronization paper in this series discusses ways to synchronize identity information between different data stores. However, when you create new information that describes a user, or group of users, it is typically called a provisioning process, not a synchronization process. This is a subtle but very important point.

For example, during an employee's relationship with an organization, the employee might be promoted into a new position that entails new roles and responsibilities. When this occurs, the employee's identity information must be reprovisioned to reflect the person's new entitlements. To reflect the unique relationship between a person and her new team or department, you might have to provision new accounts and other data objects in various data stores.

Deprovisioning Identity Information

When an identity reaches the end of its life cycle, the accounts that correspond to it must be removed or disabled. Accounts that are not deprovisioned in a timely and accurate manner present a security risk, and potentially make the organization liable from a regulatory compliance perspective. In addition, outdated identity information inhibits efficient business processes and may create legal exposure.

For example, when an employee permanently leaves an organization, someone in the organization will have to access the employee's record in the HR database, the person's account in any operating system directories, and corresponding information held in any other identity stores. In each case, you must decide which of the following actions to take:

  • Delete the account.
  • Disable the account and retain it.
  • Disable the account and delete it later.

You might need to disable an account temporarily during an identity's life cycle. However, temporary account disabling is generally considered maintenance, not deprovisioning. Of course the convenience of being able to reactivate a temporarily disabled account has to be balanced against other considerations such as security risk.

Deleting Accounts

When you delete an account from a data store, this might also remove valuable history information. And deleted or disabled accounts might not be properly removed from the groups or distribution lists to which they formerly belonged unless the groups or lists are automatically updated.

Disabling Accounts

There are reasons for disabling rather than deleting some accounts. For example, in the case of an account that uses the Active Directory® directory service, you might not want to lose the account security identifier (SID). ACLs reference the SID rather than the account name, so an account that is deleted and later re-created receives a new SID and loses every permission that was granted to the old one; a disabled account keeps its SID and can simply be reactivated. And for an e-mail directory, you might want to retain an account to forward e-mail but disable access to it.

Disabled accounts are typically placed in their own organizational unit (OU) so that you can easily locate them and not confuse them with active accounts.

Disabling and Deleting Accounts

Disabling and then later deleting an account helps protect against accidentally deleting it, which can sometimes result from an erroneous edit in an HR application.
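
The three outcomes described above (delete, disable and retain, disable and delete later) can be expressed as one policy in which disabling is the immediate, recoverable step and deletion is gated on a grace period. The following is an added example and not code from this paper or from MIIS 2003; the dictionary-based directory, the "Disabled Accounts" OU name, the 30-day grace period and the ISO-formatted dates (as they would arrive from a flat-file extract) are assumptions that stand in for Active Directory and for Contoso's policy.

```python
"""Deprovisioning policy: disable now, quarantine, delete only after a grace period.

Added example; not code from the paper or from MIIS 2003. The in-memory
directory, OU names and grace period are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

DISABLED_OU = "OU=Disabled Accounts,DC=contoso,DC=com"  # assumed quarantine OU
GRACE_DAYS = 30                                          # assumed retention window


@dataclass
class Account:
    sam: str
    sid: str                       # kept on disable so existing ACEs still resolve
    ou: str
    enabled: bool = True
    groups: Set[str] = field(default_factory=set)
    disabled_on: Optional[str] = None   # ISO date, as a flat-file extract would carry it
    mail_forward: Optional[str] = None


def disable_account(acct: Account, today: str, forward_to: Optional[str] = None) -> Account:
    """Disable, move to the quarantine OU and strip entitlements, keeping the SID.

    Group memberships are cleared explicitly: a disabled account left in its
    groups is still an entitlement if it is ever re-enabled by mistake.
    """
    acct.enabled = False
    acct.disabled_on = today
    acct.ou = DISABLED_OU
    acct.groups.clear()
    acct.mail_forward = forward_to      # optionally keep mail flowing to a manager
    return acct


def reactivate_account(acct: Account, home_ou: str) -> Account:
    """Reactivation keeps the original SID; a deleted and re-created account would not."""
    acct.enabled = True
    acct.disabled_on = None
    acct.ou = home_ou
    acct.mail_forward = None
    return acct


def due_for_deletion(directory: Dict[str, Account], today: str,
                     grace_days: int = GRACE_DAYS) -> List[str]:
    """Only accounts disabled for at least grace_days are deletion candidates."""
    now = date.fromisoformat(today)
    return sorted(
        sam for sam, a in directory.items()
        if not a.enabled and a.disabled_on is not None
        and now - date.fromisoformat(a.disabled_on) >= timedelta(days=grace_days)
    )


def delete_account(directory: Dict[str, Account], sam: str, today: str,
                   grace_days: int = GRACE_DAYS) -> None:
    """Refuse to delete anything enabled or still inside its grace period.

    This is the safeguard against an erroneous HR edit: a bad record disables
    the account (recoverable) instead of deleting it (not recoverable).
    """
    if sam not in due_for_deletion(directory, today, grace_days):
        raise ValueError(f"{sam}: not disabled for {grace_days} days, refusing to delete")
    del directory[sam]


def sample_directory() -> Dict[str, Account]:
    """Constructed sample accounts (not real data)."""
    return {
        "alice": Account("alice", "S-1-5-21-1-2-3-1001",
                         "OU=Sales,OU=Users,DC=contoso,DC=com",
                         groups={"Sales", "VPN Users"}),
        "bob": Account("bob", "S-1-5-21-1-2-3-1002",
                       "OU=RD,OU=Users,DC=contoso,DC=com",
                       groups={"R&D"}),
    }


if __name__ == "__main__":
    d = sample_directory()
    disable_account(d["alice"], "2024-01-01", forward_to="frank@contoso.com")
    print("due on 2024-01-11:", due_for_deletion(d, "2024-01-11"))  # []
    print("due on 2024-01-31:", due_for_deletion(d, "2024-01-31"))  # ['alice']
```

The point of routing every deletion through `due_for_deletion` is that the deletion step has no independent judgement: it can only act on accounts that an earlier, reversible disable step already marked, which is the "disable and delete later" policy the section describes.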

Using Technology Products for Provisioning

Appropriate technology products can provide highly effective solutions to address the challenges associated with provisioning. These products can save time and money, enhance security, improve regulatory compliance, and increase productivity.

The subsequent sections describe using technology for automated provisioning, management, and deprovisioning, specifically:

  • Understanding existing processes
  • Data sources for provisioning
  • Approaches to identity life-cycle management
  • Data-driven provisioning
  • Data-driven group management
  • Self-service (workflow-driven) provisioning

Understanding Existing Processes

You are unlikely to ever deal with a brand new organization when implementing identity information provisioning. Any organization will likely have processes in place that might be manual or that employ various kinds of technology.

When you start a project that involves applying technology to solve problems related to identity life cycle management, first carefully assess the existing business processes. Plan to implement technology that provides at least the existing levels of functionality. However, you should also seek opportunities to streamline and improve, or even replace processes to gain maximum benefit from the technology that you use.

A major challenge when implementing a technology solution is to identify these opportunities. Often existing manual processes are not properly formalized, and many organizations do not know what processes they are using. Analyzing the existing situation often reveals unreliable, wasteful, or even unnecessary activities. Clear process definition is a vital precursor to design and implementation.

For more information about process definition, see the MIIS 2003 Design and Planning Collection.

Data Sources for Provisioning

As you analyze existing processes, also identify the data sources that are available. The triggering event for provisioning is typically the creation of a new account in a particular authoritative data source. This source will be authoritative for some attributes but might not be for all attributes. Any data source can hold authoritative attribute values, and synchronization ensures that these values flow correctly as described in the Identity Aggregation and Synchronization paper in this series.

It is possible for more than one data source to be authoritative, but this is not often the case. It is also very likely that more information is stored in these data sources than required for provisioning purposes. This section describes some typical provisioning data sources, and then discusses how you might extract a data subset.

Human Resource Systems as Data Sources

Many organizations treat their HR system as a primary authority. The HR department is often the first to know about an employee's hiring or departure. Access to this data is often limited because of legal constraints, privacy and security concerns, interdepartmental politics, or limitations of the HR system.

Sometimes the mechanism to retrieve data from the HR system may introduce delays in provisioning accounts or updating information. For example, a nightly extract to a text file can delay provisioning by up to 24 hours, while a "live" database view into the relevant HR tables and attributes may significantly reduce this delay.

A Directory as a Data Source

Some organizations are organized around their IT departments. In such cases, a directory service such as Active Directory might be the first data source in which a new user appears or is disabled. Access might be restricted to read-only.

Dedicated Data Sources

In some cases you might not be able to identify an existing primary authoritative data source for provisioning and deprovisioning actions. In these cases, it might be appropriate to introduce a dedicated data source. Identities are then added through a suitable user interface (UI) and stored in this new data source, which then becomes the driver for provisioning.

Selecting Data Subsets in Data Sources

Whatever the nature of the data source, it is likely to contain some objects that should be ignored for provisioning and deprovisioning purposes, such as service accounts in a directory or records in an HR system of employees who have left the organization. All objects might have more attributes than are needed. So a filtering method is required to select the required data subset.

As changes arise, the identity management system must import the changes and take appropriate actions. The most efficient import process is one that imports only objects and attributes that have changed. To achieve this, a data source must be able to support such "delta" imports by providing this special subset of data.

Filtering

Some data sources provide filtered views, or the ability to specify a selection of containers or OUs for import. Others might only be capable of providing a full information report. In this case, the identity management system must provide filtering capability. You should assess the impact of the unnecessary traffic and the processing resources it requires.

Delta Imports

The most economical import is one that includes only the identity information that has changed since the last import. For such "delta" imports to work, both the data sources and the identity management systems must support them, and not all data sources do. This factor has a large impact on performance. For this reason, ensure that the identity life-cycle management system that you choose can manage both situations optimally.
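
The filtering and delta-import points above can be shown together for the common case of an HR system that can only produce a full report each night. The following is an added example, not code from this paper or from MIIS 2003 (whose management agents perform this work inside the product). The extract layout (id, name, dept, title and a status code where "A" is active and "T" is terminated), the "svc_" naming convention for service accounts, the deletion threshold and the records themselves are constructed assumptions.

```python
"""Selecting the provisioning subset from a full HR extract and deriving a delta
from two consecutive extracts.

Added example; not code from the paper or from MIIS 2003. Field names, status
codes, the 'svc_' convention and the records are constructed assumptions.
"""
from typing import Dict, Iterable, List, Tuple

IMPORTED_ATTRS = ("name", "dept", "title")   # everything provisioning does not need is projected away
MAX_DELETE_FRACTION = 0.25                   # assumed guard rail against a truncated or empty extract

Record = Dict[str, str]
Subset = Dict[str, Dict[str, str]]

# Constructed nightly extracts (not real data). Yesterday's full report:
PREVIOUS_EXTRACT: List[Record] = [
    {"id": "1001", "name": "Alice Liddell", "dept": "Sales", "title": "Rep",     "status": "A"},
    {"id": "1002", "name": "Bob Moss",      "dept": "R&D",   "title": "Chemist", "status": "A"},
    {"id": "1003", "name": "Carol Danvers", "dept": "Legal", "title": "Counsel", "status": "A"},
    {"id": "1005", "name": "Eve Park",      "dept": "R&D",   "title": "Chemist", "status": "A"},
    {"id": "1006", "name": "Frank Ames",    "dept": "Sales", "title": "Manager", "status": "A"},
    {"id": "svc_hrbatch", "name": "HR batch", "dept": "IT",  "title": "",        "status": "A"},
]
# Today's full report: Alice promoted, Bob terminated, Dan hired, the rest unchanged.
CURRENT_EXTRACT: List[Record] = [
    {"id": "1001", "name": "Alice Liddell", "dept": "Sales", "title": "Manager", "status": "A"},
    {"id": "1002", "name": "Bob Moss",      "dept": "R&D",   "title": "Chemist", "status": "T"},
    {"id": "1003", "name": "Carol Danvers", "dept": "Legal", "title": "Counsel", "status": "A"},
    {"id": "1004", "name": "Dan Ito",       "dept": "Sales", "title": "Rep",     "status": "A"},
    {"id": "1005", "name": "Eve Park",      "dept": "R&D",   "title": "Chemist", "status": "A"},
    {"id": "1006", "name": "Frank Ames",    "dept": "Sales", "title": "Manager", "status": "A"},
    {"id": "svc_hrbatch", "name": "HR batch", "dept": "IT",  "title": "",        "status": "A"},
]


def select_subset(records: Iterable[Record]) -> Subset:
    """Filtering: drop service accounts and non-active employees; keep only IMPORTED_ATTRS."""
    subset: Subset = {}
    for rec in records:
        if rec["id"].startswith("svc_") or rec["status"] != "A":
            continue
        subset[rec["id"]] = {attr: rec.get(attr, "") for attr in IMPORTED_ATTRS}
    return subset


def compute_delta(previous: Iterable[Record], current: Iterable[Record]
                  ) -> Tuple[Subset, Subset, List[str]]:
    """Delta import for a source that can only produce full reports.

    Returns (adds, updates, deletes). 'updates' carries only the attributes
    whose value changed. A record that leaves the filter (terminated) shows up
    as a delete, which is the deprovisioning trigger the paper describes.
    """
    prev, cur = select_subset(previous), select_subset(current)
    adds = {uid: cur[uid] for uid in sorted(cur.keys() - prev.keys())}
    deletes = sorted(prev.keys() - cur.keys())
    updates: Subset = {}
    for uid in sorted(cur.keys() & prev.keys()):
        changed = {a: v for a, v in cur[uid].items() if prev[uid].get(a) != v}
        if changed:
            updates[uid] = changed
    # A truncated or empty extract looks exactly like a mass termination.
    # Stop rather than deprovision everyone; the threshold is an assumed setting.
    if prev and len(deletes) / len(prev) > MAX_DELETE_FRACTION:
        raise RuntimeError(f"{len(deletes)} of {len(prev)} records vanished; refusing delta")
    return adds, updates, deletes


if __name__ == "__main__":
    adds, updates, deletes = compute_delta(PREVIOUS_EXTRACT, CURRENT_EXTRACT)
    print("adds:", list(adds))        # ['1004']
    print("updates:", updates)        # {'1001': {'title': 'Manager'}}
    print("deletes:", deletes)        # ['1002']
```

Two behaviours are worth noting when a delta is synthesized this way. First, a terminated employee is indistinguishable from a deleted record once the filter is applied, so both must feed deprovisioning. Second, a missing or truncated file looks like every employee leaving at once; the threshold check is the cheap safeguard that keeps a broken batch job from disabling the whole organization.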

Approaches to Identity Life-Cycle Management

After you understand the existing processes in the organization, and have identified the data sources, you can start to consider what might be the most appropriate solution approach. Common approaches to identity life-cycle management include the following:

  • Manual administration
  • Manual entry
  • Custom scripts
  • Dedicated tools
  • Identity life-cycle management products

The following subsections provide information about each of these approaches.

Manual Administration

Manual administration is the default mechanism that the Identity Aggregation and Synchronization paper in this series describes in detail.

This approach requires that someone must create a record and type information into fields through one interface, so that HR functions can be fulfilled. Then, by using a different interface, someone must create an account in an operating system directory and populate attributes with much of the same information. They must also manually add the account to the correct security and distribution groups. They will repeat these actions as accounts are created and attributes are populated, sometimes in many data stores.

There are some potential drawbacks to this approach. Different teams may create different account types. And the communication between these teams may be unreliable and inefficient. For example, one team may type information into a document that it then sends to another team, only to have that team retype it.

A metadirectory product can synchronize information between data stores to help mitigate this problem. However, note that the effectiveness of the metadirectory relies on an ability to connect the existing objects that belong to an identity, which in turn relies on the accuracy of certain attributes. If the metadirectory product also provides provisioning, this reliance may not be important for new objects, because this integrity can be enforced as part of the provisioning process.

Manual Entry

The following details the advantages and disadvantages of manual entry.

Advantages

  • Minimal initial investment.
  • Minimal organizational coordination.
  • Reduced planning requirements.

Disadvantages

  • Time wasted duplicating effort. In a fully-manual provisioning system, much of the same information typically has to be entered in all the relevant data stores. Deprovisioning actions also require you to remove the information from each data store. And you must maintain expertise with a number of different tools and interfaces.
  • Effort expended managing groups. It is not unusual for an organization to have as many groups as it has users. A change to one user can result in changes to many groups, which are sometimes repeated across many data stores.
  • Danger of conflicting information. Manual operations inevitably lead to errors. Wrong information has to be corrected or, even worse, might go unnoticed.
  • Communication delays. Often information is not conveyed to all of the appropriate administrators that accounts should be disabled or removed in a timely fashion.

Custom Scripts

When manual administration becomes cumbersome, the next step is typically for the IT administrator to create scripts that will provision new objects in various data stores.

Advantages

  • Easy to create. Script-based identity synchronization solutions are generally easy to create using powerful scripting languages that are available.
  • Administrative savings. Well designed scripts can save you a great deal of manual effort.

Disadvantages

The Identity Aggregation and Synchronization paper in this series discusses in detail the following disadvantages of using a scripting approach:

  • Lack of central control.
  • Limited exception handling.
  • Dependence on the people who write them.
  • Undesirable security characteristics.
  • Limited "what if" capabilities.

Dedicated Tools

A dedicated provisioning tool provides an interface to add new users. You can then use the tool to provision accounts in multiple data stores according to implemented business rules.

Advantages

Dedicated provisioning tools overcome many of the disadvantages of the script-based approach and often include one or more of the following features:

  • Auditing and reporting
  • Workflow capability
  • Graphical display of processes
  • Group population

Disadvantages

The main disadvantage of a dedicated provisioning tool is that it typically does not include aggregation and synchronization capability, which usually means one of the following:

  • Manual data maintenance remains necessary.
  • Maintenance stays centralized, and local autonomy is lost.

A distinct advantage of the synchronization approach is that much authority stays with the individual data stores.

Identity Life-Cycle Management Products

An identity life-cycle management product is designed to provide the dedicated-tool features without the associated disadvantages. Such products can also provide features that would be very difficult to implement with scripts.

Desirable Features

Identity life-cycle management products typically provide the following set of provisioning features in addition to synchronizing identity information:

  • Automated provisioning according to business rules that minimize duplication.
  • Automated deprovisioning according to business rules that reduces security risk.
  • Automated updating of group membership lists with new identities.
  • A preview mode and debugging facilities.
  • Well-defined and reliable security characteristics.
  • Workflow functionality.
  • Self-service interface for optional provisioning requirements.
  • Reporting and auditing functionality.
  • Management and operational interfaces.

Advantages

  • One stop shopping.
  • Administration is reduced to single points – the authoritative source for each piece of data.
  • Identity Management products can become the first step to Role Based Access Control (RBAC) although a significant amount of process work might be required.
  • Single point to monitor and manage.

Disadvantages

  • Depending on the package and scenario, there might be significant implementation cost or development effort.
  • Some packages may require agents to be installed on data sources.

The reporting and auditing feature requires the following additional explanation.

Communications: Reporting and Auditing Functionality

Legal and other issues will lead to requirements to audit provisioning and related processes. You can write key events such as account creation, deletion, and group membership changes into logs for future analysis if required.

Periodically, you might require detailed and summary reports. For these requirements, you can implement a dedicated monitoring and reporting service; your choice depends on auditing, compliance, and security considerations.

You may send individual notifications for particular provisioning activities, such as provisioning administrator accounts. You may also require other types of notification, such as randomly generated user passwords sent to managers. You can send these notifications securely by e-mail, perhaps, as part of a formal notification service.

Data-Driven Provisioning

After you have decided to implement an identity life-cycle product, fully automated provisioning is, from a technology perspective, the easiest approach to accomplish. Provisioning decisions are based on data attributes such as department, role, and job title, which are retrieved from an authoritative data source.

For example, suppose that an HR system is identified as authoritative, and that new records entered into the system are used to trigger provisioning actions. An employee in the sales department who travels a lot might require an extranet as well as an intranet account. Other employees might only require an intranet account. Employees in one part of an organization might require mailboxes in Lotus Notes and to be mail-enabled users in Active Directory. Other employees might need to be Microsoft Exchange 2003 mailbox-enabled users in Active Directory.

The values entered into certain attributes determine what is to be provisioned and to where. This produces a data-driven (in this case an HR-driven) provisioning scenario.

The actual mechanism for retrieving this information depends on the nature and capabilities of the data source. For example, some sources store data in data tables that are easily accessible. However, other data sources can only be accessed through a proprietary interface or through an exported flat file. Flat file use increases reliance on properly timed external batch processes. In either of these cases, you might be limited to read-only access or a restricted view. Although these types of access are still very powerful improvements on manual and scripted solutions, they are not always adequate. The following "Workflow-Driven Provisioning" section discusses this topic further.
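
The rules sketched above (intranet and extranet accounts, Notes or Exchange mail) can be made concrete as a function from one authoritative HR record to a list of provisioning actions. The following is an added example and not code from this paper or from MIIS 2003, whose rules extensions are written in C# or VB.NET. The HR field names, the target names ("AD", "EXTRANET", "EXCHANGE", "NOTES"), the OU layout and the rule that the Europe region keeps Notes mailboxes are assumptions chosen to mirror the scenario in the text; the sample records are constructed.

```python
"""Turning authoritative HR attributes into a provisioning plan.

Added example; not code from the paper or from MIIS 2003. Field names, target
names, OU layout and the region rule are assumptions.
"""
from typing import Dict, List, Tuple

Action = Tuple[str, str, str]      # (target system, operation, detail)

BASE_DN = "DC=contoso,DC=com"
EXTRANET_BASE = "dc=extranet,dc=contoso,dc=com"   # assumed LDAP extranet directory
NOTES_REGIONS = {"Europe"}                         # assumed: these regions keep Notes mailboxes


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514.

    HR data is untrusted input to the directory: a surname such as
    'Liddell, Jr.' would otherwise splice an extra component into the DN.
    """
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def provisioning_plan(hr: Dict[str, str]) -> List[Action]:
    """Evaluate the data-driven rules for one HR record."""
    # Only an active record with an identifier in the authoritative source may
    # trigger provisioning; anything else yields no actions at all.
    if hr.get("status") != "A" or not hr.get("employee_id"):
        return []

    cn = escape_rdn_value(f"{hr['last_name']}, {hr['first_name']}")
    user_dn = f"CN={cn},OU={escape_rdn_value(hr['dept'])},OU=Users,{BASE_DN}"
    plan: List[Action] = [("AD", "create-user", user_dn)]

    # Mail: the region decides between a Notes mailbox with a mail-enabled AD
    # user and an Exchange mailbox-enabled AD user.
    if hr.get("region") in NOTES_REGIONS:
        plan.append(("NOTES", "create-mailbox", hr["employee_id"]))
        plan.append(("AD", "mail-enable", user_dn))
    else:
        plan.append(("EXCHANGE", "mailbox-enable", user_dn))

    # Travelling sales staff also get an extranet account.
    if hr.get("dept") == "Sales" and hr.get("travels") == "Y":
        plan.append(("EXTRANET", "create-user",
                     f"uid={escape_rdn_value(hr['employee_id'])},ou=people,{EXTRANET_BASE}"))
    return plan


# Constructed sample HR records (not real data).
SAMPLE_SALES = {"employee_id": "1001", "first_name": "Alice", "last_name": "Liddell, Jr.",
                "dept": "Sales", "region": "US", "travels": "Y", "status": "A"}
SAMPLE_EU = {"employee_id": "2001", "first_name": "Pierre", "last_name": "Dubois",
             "dept": "R&D", "region": "Europe", "travels": "N", "status": "A"}


if __name__ == "__main__":
    for action in provisioning_plan(SAMPLE_SALES):
        print(action)
```

Two details matter more than the rule table itself. The status check means a record that is terminated, or that has no stable identifier, produces no actions rather than a partial account; and the DN escaping treats the HR system as an untrusted input to the directory, which it is, because whoever can edit a surname in HR would otherwise be able to choose where in the directory the account lands.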

Data-Driven Group Management

Data-driven provisioning addresses a clear business need, but you are unlikely to realize the full advantages of data-driven provisioning without group management. This is because it is usually through groups that authorization is controlled. Initial group management is really a special case of provisioning. When you start using groups, you provision them in much the same way that you provision user accounts. You must provision groups of various types and scopes.

The rules that might define the membership of groups include:

  • All users in a particular department.
  • All users working for a given manager.
  • All users at a site.
  • All users with the same job role.

You may establish some groups for only special purposes that might require manual maintenance. You can define other groups purely in terms of rules, which makes them obvious candidates for an automated process. Other groups might be rules-based, but will require the ability to make manual adjustments to them.

It is necessary to maintain group memberships to reflect the following events:

  • Provisioning users.
  • Deprovisioning users — possibly with a defined delay of n days.
  • Reassigning users to new roles, job titles, or departments.
  • Changing rules that define membership.

Groups also have deprovisioning requirements — your organization might require you to retire them at some point.

Self-Service (Workflow-Driven) Provisioning

A workflow-driven provisioning system accepts requests from users and routes them to users (typically managers) with sufficient authority to make decisions about specific requests. If the decision is favorable, provisioning can proceed. If not, a request can be denied or routed to a higher authority.

This approach contrasts with the automated data-driven provisioning just described, in which an authorized person can initiate automated provisioning actions simply by adding a user to an HR system.

User accounts are usually associated with identities. The following account types all require special treatment, and are good candidates for a workflow approach to provisioning.

Administrative Accounts

Administrative accounts are powerful accounts with extended rights and privileges that must be treated with care. It is a best practice to provide administrators with user accounts that they should use whenever they do not have to use their administrator accounts.

You can think of such cases as one identity with two accounts, or two separate identities. Either way, it is a security risk to rely on a check box or other option on a form as the sole reason to go ahead and provision such a powerful account. A workflow system can route the request to someone with appropriate authority for approval before proceeding to provision such an account.

Service Accounts

Organizations must also provision special accounts called service accounts. These accounts are used to provide an identity with access to services and applications that run on various host computers. Service accounts do not link on a one-to-one basis with any particular user. Instead, they provide application services. Usually, a relatively large number of people in an organization need service accounts, but a much smaller number actually create or approve them. This account type might also benefit from workflow provisioning.

Temporary Accounts

Temporary accounts also require special treatment. For employee accounts, you would typically enter detailed information into the HR system, and you can make provisioning decisions based on that information. For temporary worker accounts, minimal information may be stored, and data-driven provisioning may not be viable. Because temporary workers might not go through typical HR hiring procedures, workflow provisioning might be appropriate. In addition, you can set an expiration date for each temporary account, because the process for notifying temporary workers whose contracts have expired may not always be clear.

Workflow-Driven Group Management

The group management approaches previously discussed in this chapter have mostly been data-driven. However, workflow requirements are also associated with group management. The following group management requests, which apply to both security and distribution groups, might require a workflow-driven provisioning solution:

  • Requests for a new informal or special-purpose group.
  • Requests for a new rules-based group, which will require a new rule.
  • Requests for a modification to a rule.
  • Requests for an exception to a rule, such as including or excluding a specific user.

Workflow Product Features

Your workflow product choice depends on the complexity of the implementation, the requirements for audit and legal compliance, and various other factors.

A simple workflow product might include the following features:

  • Single-step authorization of provisioning actions.
  • Task assignment based on role.
  • A notification service to orchestrate events and inform users about actions.
  • An audit trail.

A complex workflow product might include the following features:

  • Multi-step processes with parallel paths.
  • Graphical interfaces for workflow design.
  • Task time limits.
  • Escalation capability to higher authorities.
  • Delegation capability when someone is out of the office.
  • Task-tracking interfaces to determine the status of a request.

Single-Step Workflow

The complex workflow features just described might be unnecessary in some cases. For many of the requirements discussed in this chapter, a simple workflow product is sufficient. The advantage of using simple workflow processes is that you can often implement them rapidly and easily. Typically, such workflow features require the following:

  • Suitable interfaces for entering requests.
  • The ability to notify managers about pending decisions.
  • Awareness of user roles and required privileges.
  • Integration with the chosen identity life-cycle management product.

Identity Life-Cycle Management Products

This section briefly describes a few life-cycle management products.

Microsoft Products

Microsoft offers two identity life-cycle management products:

  • Microsoft Identity Integration Server 2003, Enterprise Edition, with Service Pack 1 (MIIS 2003 with SP1)
  • Identity Integration Feature Pack for Microsoft Windows Server™ 2003 Active Directory

The Identity Aggregation and Synchronization paper in this series provides detailed information about these products and their software requirements.

Workflow Products

Microsoft BizTalk® is an engine that allows you to build complex workflow solutions that provide each of the features described previously. However, this product is not integrated with MIIS 2003 with SP1.

Chapter 3: Issues and Requirements

An effective provisioning implementation requires a detailed analysis of the key business and technology issues and requirements. This chapter records these issues for the fictitious Contoso Pharmaceuticals environment, and then lists the solution requirements and the security vulnerabilities that the following closely related scenarios will address:

  • HR-Driven Provisioning. This scenario builds on the aggregation and synchronization scenario that the Identity Aggregation and Synchronization paper in this series describes.
  • Group Management. This scenario extends the HR-Driven Provisioning scenario to include group management.
  • Self-Service Provisioning. This scenario adds workflow capability to the HR-Driven Provisioning scenario. It allows managerial sign-off before accounts are provisioned for Contoso contractors.

For more information about the Contoso Pharmaceuticals example organization, see the Platform and Infrastructure paper in this series.

HR-Driven Provisioning

Contoso has already deployed Microsoft® Identity Integration Server 2003, Enterprise Edition, with Service Pack 1 (MIIS 2003 with SP1) as an aggregation and synchronization tool. The current scope of the implementation is limited to the following data sources:

  • Intranet Active Directory®
  • Extranet Active Directory
  • Lotus Notes
  • Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server)

However, as in many organizations, Contoso's identity information resides in the company's mySAP ERP Human Capital Management system (SAP HR system). Contoso now wants to widen the scope of the MIIS implementation to make the SAP HR system the authoritative source of provisioning activity for the company.

Background

Contoso had a provisioning system that involved some manual processes, some scripting, and an internally developed provisioning tool. This resulted in inconsistency, a lack of security and monitoring, user frustration, errors, and omissions. The company considers the SAP HR system as the authority for new identities and for many associated attributes. Data conflicts are usually resolved in favor of the HR system. However, any data source could be authoritative for any attribute.

Contoso intends to implement an automated provisioning system for employee accounts in the HR database. The company will handle temporary contractor accounts through a workflow system. Administrative and service accounts are outside the implementation scope. Provisioning partner accounts into the extranet Active Directory also is outside the scope.

Contoso selected MIIS 2003 with SP1 as the identity life-cycle management product to handle provisioning because the company already uses the product for synchronization.

Business Issues

Contoso identified the following business issues in the HR-Driven Provisioning scenario:

  • Duplicated effort. Many data stores receive the same data. Contoso has to train staff to manage redundant data stores with disparate interfaces.
  • Wasted productivity. Provisioning is not handled in a timely manner, which results in a poor user experience and lost productivity.
  • Inconsistent processes. There is no formally defined end-to-end process and no central control over individual processes.
  • Inconsistent data. The company suspects that Active Directory, Lotus Notes, and Sun ONE Directory Server 5.1 data is not synchronized with SAP.
  • Reporting and auditing. There is little auditing and reporting capability.

Technical Issues

Contoso identified the following technical issue in the HR-Driven Provisioning scenario:

  • Limited access. The SAP HR system provides a one-way flat file HR data report on demand.

Security Issues

Contoso identified the following security issues in the HR-Driven Provisioning scenario:

  • Account sharing. Users "borrow" accounts because their own accounts are not provisioned quickly enough.
  • Password delivery. There is no defined procedure to deliver new account passwords.
  • Stale accounts. Accounts are not deprovisioned (disabled or removed) promptly.
  • Help desk access. Help desk personnel need administrative access to support manual administration.
  • Inappropriate access. Because rules are not rigorously applied, users might have access to information, such as pharmaceutical test information, which might violate applicable privacy and information laws.

Solution Requirements

From the issues that the previous sections discuss, Contoso produced the following requirements for the HR-Driven Provisioning scenario:

  • HR-driven. The SAP HR system must serve as the single authoritative source for new identities. This system will provide a one-way feed by using a data interchange file.
  • Aggregation and synchronization. The SAP HR system data must be aggregated and synchronized with all other data sources. The flow of attributes will not be the same as for the aggregation and synchronization solution, because many HR attributes are now authoritative.
  • Automatic provisioning of employees. When a new user is added to the SAP HR system, all other data stores must be provisioned in accordance with data-driven business rules. Users who work for Fabrikam, another fictitious company in this scenario, will be provisioned with Sun ONE iNetOrgUser accounts, Lotus Notes mailboxes, and mail-enabled intranet Active Directory user accounts. Contoso users will be provisioned with Lotus Notes contact attributes and Microsoft Exchange 2003 mailbox-enabled intranet Active Directory user accounts. In addition, all Sales employees will be provisioned with an extranet Active Directory shadow account.
  • Attribute update on key events. Key events such as job changes, title changes, location changes, and manager changes must cause attribute updates in user accounts, and the accounts must be reprovisioned if necessary.
  • Preview before commit. During testing, it must be possible to preview provisioning actions before committing them. When testing is complete, provisioning must be fully automatic.
  • Password delivery. The identity management system must send the passwords that the provisioning process generates to managers through the secure Contoso e-mail system. For more information about how Contoso secured its e-mail system, see the "Securing Your Exchange Messaging Environment" section under Configuring Exchange Server 2003 for Client Access of the Exchange Server Client Access Guide on Microsoft TechNet at http://go.microsoft.com/fwlink/?LinkId=47568.
  • Ongoing synchronization. The system must synchronize ongoing changes in accordance with business rules that include reprovisioning if necessary. For example, a transfer or promotion might require a new account or a new organizational unit (OU) to be created.
  • E-mail notification. An e-mail must be sent to each user to inform them of provisioning actions.
  • First run consistency check. There must be a facility to check data consistency after the identity management system first runs so that administrators can check and resolve any differences between SAP HR data and other data. Issues to look for include:
    • Non-unique displayNames.
    • Inability to join SAP HR system records to existing data because of non-matching employeeIDs.
    • Non-matching attributes, such as phone numbers.
  • Automatic deprovisioning. When an identity reaches the end of its life cycle, a status attribute must be set in the HR system. This setting will trigger deprovisioning actions to disable or remove digital identity objects in all connected data stores in accordance with business rules.
  • Immediate disabling of accounts. Manual disabling of an Active Directory account must also trigger deprovisioning activity. It is acceptable that current Active Directory sessions will not be immediately disabled.
  • Expiration notification. An e-mail must be sent to users to inform them of the time-to-live (TTL) for their accounts and advising them to contact HR if they want to extend them.
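The first-run consistency check listed above, as an added Python example rather than code from the paper or from MIIS 2003 with SP1: it compares a constructed sample of the HR interchange file with a constructed intranet Active Directory export and reports the issue types the requirement names, plus duplicate employeeIDs and directory accounts with no HR record. Column and attribute names are assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of the one-way HR data interchange file. A real SAP HR
# export has many more columns; only the ones below take part in the check.
HR_EXPORT = """employeeID,displayName,company,department,telephoneNumber
1001,Alice Martin,Contoso,Sales,+44 20 7946 0001
1002,Bob Chen,Fabrikam,Engineering,+1 425 555 0102
1002,Bobby Chen,Fabrikam,Sales,+1 425 555 0102
1003,Alice Martin,Contoso,Research,+44 20 7946 0003
1004,Dana Ruiz,Contoso,Finance,+1 425 555 0104
"""

# Constructed sample of an intranet Active Directory export keyed on the same
# employeeID attribute that the join rule uses.
AD_EXPORT = """employeeID,displayName,telephoneNumber
1001,Alice Martin,+44 20 7946 0001
1002,Bob Chen,+1 425 555 0199
1005,Evan Park,+1 425 555 0105
"""


def load_rows(text: str) -> list:
    """Parse a CSV export into a list of dicts (the header row gives the keys)."""
    return list(csv.DictReader(StringIO(text)))


def check_consistency(hr_rows, dir_rows, compare=("telephoneNumber",)) -> dict:
    """Compare the HR feed with one connected directory and return the
    discrepancies an administrator must resolve before provisioning runs."""
    report = {}
    # 1. displayName collisions: provisioning would try to create two objects
    #    with the same name.
    names = Counter(r["displayName"].strip() for r in hr_rows)
    report["duplicate_display_names"] = sorted(n for n, c in names.items() if c > 1)
    # 2. Duplicate employeeIDs in HR: the join rule cannot choose one record.
    ids = Counter(r["employeeID"].strip() for r in hr_rows)
    report["duplicate_employee_ids"] = sorted(i for i, c in ids.items() if c > 1)
    # 3. Join failures in both directions: HR records with no directory object
    #    (cannot join) and directory objects with no HR record (stale accounts).
    dir_by_id = {r["employeeID"].strip(): r for r in dir_rows}
    hr_ids = set(ids)
    report["unjoinable_hr"] = sorted(hr_ids - set(dir_by_id))
    report["orphan_directory"] = sorted(set(dir_by_id) - hr_ids)
    # 4. Attribute mismatches on the records that do join.
    mismatches = []
    for r in hr_rows:
        eid = r["employeeID"].strip()
        if eid not in dir_by_id:
            continue
        for attr in compare:
            hr_val, dir_val = r[attr].strip(), dir_by_id[eid][attr].strip()
            if hr_val != dir_val:
                mismatches.append((eid, attr, hr_val, dir_val))
    report["attribute_mismatches"] = sorted(set(mismatches))
    return report


def run_check() -> dict:
    """Run the check over the constructed samples; the result is what an
    administrator reviews before enabling fully automatic provisioning."""
    return check_consistency(load_rows(HR_EXPORT), load_rows(AD_EXPORT))


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```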

Group Management

Organizations typically use distribution groups to distribute e-mail and security groups to conveniently group users with similar entitlements. The challenge is to manage these different types of groups to ensure that the correct entitlements are granted or revoked in a timely manner in accordance with business rules, while providing the most efficient e-mail routing and the best user experience.

Background

Contoso has a large number of groups in both its intranet and extranet Active Directory stores and in Lotus Notes. The company previously managed these groups manually through calls and e-mail messages to the help desk.

Contoso recognized the need for automated group management. Its primary goal was to automatically manage groups based on the information in its directories. These data-driven groups, which represented the majority of groups within Contoso, can be defined as attribute-based queries such as "John Smith's Direct Reports" or "All Sales."

Contoso planned to extend the automation of group management to a full self-service application later. Such a system would handle informal or special-purpose groups created quickly, as well as hierarchically nested groups.

Business Issues

Contoso identified the following business issues in the Group Management scenario:

  • First day access. New users are unable to gain access to required resources after they have been provisioned, which affects employee performance and requires help desk resources to resolve.
  • Help desk costs and time. It takes 24 to 48 hours for group requests to be processed, in addition to any delays that Active Directory replication causes.
  • User frustration. Some users are members of the wrong e-mail distribution lists.
  • Lack of an effective audit. There is no reliable way to demonstrate compliance with rules for group membership.
  • Regulatory compliance issues. Distribution lists and security groups contain inappropriate accounts, which can lead to potential privacy breaches and data protection law violations.

Technical Issues

Contoso identified the following technical issues in the Group Management scenario:

  • Stale membership lists. Users are not promptly removed from groups when they should be.
  • Stale groups. Groups are not removed when no active users remain in their membership lists.
  • Redundant e-mail. A significant amount of redundant e-mail is sent and, to some extent, stored because users are not removed from group memberships when they should be.
  • Use of Dynamic Distribution Lists (DDL). Contoso has implemented some DDLs. Some of these lists may be replaced, but those that are not replaced should be left untouched and remain functional.

Security Issues

Contoso identified the following security issues in the Group Management scenario:

  • Entitlements are not removed. Users are rarely taken out of groups when they change roles, managers, jobs, or locations, which results in inappropriate access.
  • Too many administrator accounts. Many users need privileged access to adjust group memberships manually.

Solution Requirements

From the issues listed in the previous sections, Contoso produced the following requirements for the Group Management scenario:

  • Easy administration of group definitions. The solution must provide an intuitive Web-based application to create, preview, read, update, and delete query-based rules. This application will support the following example groups:
    • Manager groups
    • Location groups
    • Title groups
    • Custom query groups (based on attributes)
  • Query syntax test and commit. The Web application must allow you to test a query, which returns zero or more users, with an option to commit the group definition after the test.
  • History log. The Web application must keep a group event history log.
  • Processing of user changes. If changes to user information require groups to be updated, the updates must happen automatically during the next scheduled run.
  • Notification. Users must receive confirmation e-mail when they are added or removed from a group.
  • Exclusions and inclusions. Managers must be able to manually include or exclude members from query-based groups.
  • Support for role transition. As an option, managers must be able to configure a user to be retained in a group for n days after they would have been automatically removed. This option must be based on a change in attributes that reflects a change in an employee's role within the organization.
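The query-based group evaluation these requirements describe (attribute queries, manual inclusions and exclusions, n-day retention after a role change, and the added/removed lists that drive confirmation e-mail), as an added Python example that is not Contoso's Web application or MIIS rules code; the attribute names, employee IDs, and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class User:
    """Subset of metaverse person attributes that the group queries use."""
    employee_id: str
    department: str
    manager: str
    title: str
    enabled: bool = True    # False once deprovisioning has disabled the account


@dataclass(frozen=True)
class GroupRule:
    name: str
    query: tuple                      # ((attribute, value), ...); all must match
    include: frozenset = frozenset()  # manual inclusions (employee IDs)
    exclude: frozenset = frozenset()  # manual exclusions (employee IDs)
    retain_days: int = 0              # grace period after a role change


def matches(user: User, query: tuple) -> bool:
    """True when every (attribute, value) pair of the query holds for the user."""
    return all(getattr(user, attr) == value for attr, value in query)


def evaluate(rule: GroupRule, users: list, state: dict, today: date):
    """One scheduled run of a query-based group.

    state maps employee ID -> None (matched at the last run) or the date on
    which the user stopped matching (start of the retention clock).
    Returns (members, new_state); an empty members set marks a stale group.
    """
    members, new_state = set(), {}
    for u in users:
        # Disabled accounts and manual exclusions leave immediately, so no
        # entitlement survives deprovisioning or an explicit decision.
        if not u.enabled or u.employee_id in rule.exclude:
            continue
        if u.employee_id in rule.include or matches(u, rule.query):
            members.add(u.employee_id)
            new_state[u.employee_id] = None
            continue
        # Former member whose attributes changed: keep for retain_days, then drop.
        if u.employee_id in state and rule.retain_days > 0:
            stopped = state[u.employee_id] or today
            if today <= stopped + timedelta(days=rule.retain_days):
                members.add(u.employee_id)
                new_state[u.employee_id] = stopped
    return members, new_state


def membership_changes(old: set, new: set):
    """IDs added and removed this run; each one gets a confirmation e-mail."""
    return sorted(new - old), sorted(old - new)


# Constructed directory snapshot: Bob moved from Sales to Marketing, Carol was
# deprovisioned, and Dave is an engineer a manager has included by hand.
USERS = [
    User("E1", "Sales", "M1", "Account Manager"),
    User("E2", "Marketing", "M2", "Product Manager"),
    User("E3", "Sales", "M1", "Account Manager", enabled=False),
    User("E4", "Engineering", "M1", "Sales Engineer"),
]
# "All Sales" as an attribute query; a manager group would be (("manager", "M1"),).
ALL_SALES = GroupRule("All Sales", (("department", "Sales"),),
                      include=frozenset({"E4"}), retain_days=30)


def demo():
    """Run today and again 31 days later, starting from E1-E3 as members."""
    day0 = date(2005, 6, 1)
    state = {"E1": None, "E2": None, "E3": None}
    run1, state1 = evaluate(ALL_SALES, USERS, state, day0)
    run2, _ = evaluate(ALL_SALES, USERS, state1, day0 + timedelta(days=31))
    return run1, state1, run2


if __name__ == "__main__":
    run1, state1, run2 = demo()
    print("run 1:", sorted(run1), "changes:", membership_changes({"E1", "E2", "E3"}, run1))
    print("run 2:", sorted(run2), "changes:", membership_changes(run1, run2))
```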

Self-Service Provisioning

There are many circumstances in which it might be advantageous for a large subset of users to request provisioning actions. However, only a designated person should approve such requests. A solution for this scenario type requires a simple workflow capability.

Background

In addition to employee provisioning, which lends itself to an automated data-driven solution, Contoso has an ongoing need to provision a large number of temporary contractor accounts. Each of these special-purpose accounts requires authorization.

The existing process was for a manager to draft an agreement, and then when the start date was known, send an e-mail message to the IT department. Upon receiving the e-mail message, the IT department would attempt to create accounts in Active Directory and Lotus Notes, a process that usually involved further communication to find missing key attribute information.

Business Issues

Contoso identified the following business issues in the Self-Service Provisioning scenario:

  • Total cost of ownership. Administrators spend too many hours on manual provisioning, and hiring managers take too much time negotiating account provisioning.
  • Delays. The current process is confusing and inefficient, which leads to delays in provisioning. In addition, contractors are unable to do their jobs.

Technical Issues

Contoso identified the following technical issue in the Self-Service Provisioning scenario:

  • MIIS 2003 with SP1 is already in use. Other provisioning is provided through MIIS 2003 with SP1, and the logic for account provisioning is already implemented. Contoso determined that the most cost-effective way to provide self-service provisioning is to avoid duplication and use MIIS 2003 with SP1.

Security Issues

Contoso identified the following security issues in the Self-Service Provisioning scenario:

  • Stale accounts. Accounts are not deprovisioned immediately after contracts expire, which leads to inappropriate access.
  • Password delivery. Passwords are not reliably transmitted to contractors through a well-defined and secure process.
  • Duplicate accounts. Too many unnecessary or duplicate accounts are created because administrators do not systematically verify valid manager requests for contractor accounts. Only a few administrators should be able to perform such a check.

Solution Requirements

From the issues listed in the previous sections, Contoso produced the following set of requirements for the Self-Service Provisioning scenario:

  • User interface. The user interface (UI) must provide an accurate template of all the information needed to provision contractors in IT systems.
  • Approval and authorization. The UI must allow only designated managers to request new contractor accounts, and only designated administrators to approve them.
  • Automated provisioning across identity stores. Contractor accounts can be created automatically based on authorized information that managers provide. When approved, the accounts will be provisioned by using the same rules as for employees.
  • Notifications. All administrators who can approve an account request must be notified when a request is pending. The hiring manager must receive a timely notification whenever the status of the account request changes (pending, approved, provisioned, or denied).
  • Password delivery. After provisioning has taken place, the manager must receive a secure notification of the new user's initial password, which is generated during the provisioning process.
  • Expiration notification. The managers of all contractors who have been approved and provisioned must receive an account expiration warning notification that includes the time-to-live (TTL) for these contractor accounts.

Chapter 4: Designing the Solution

The previous chapter in the paper considered the business, technology, and security issues and requirements for the following three provisioning scenario solutions:

  • HR-Driven Provisioning
  • Group Management
  • Self-Service Provisioning

This chapter presents solution concepts, prerequisites, and architectures, and also introduces the following topics:

  • Why use Microsoft® Identity Integration Server 2003, Enterprise Edition, with Service Pack 1 (MIIS 2003 with SP1)? This section includes the reasons to choose MIIS 2003 with SP1.
  • The IdM Notification Service. All three scenario solutions require this service.

The chapter then discusses the three scenario solutions in detail.

Why Use MIIS 2003 with SP1?

When Contoso decided to add provisioning to its identity life-cycle management system, it could have taken one of several approaches (see the discussion in Chapter 2, "Approaches to Provisioning and Workflow," in this paper). Although many of these approaches had merit, the company chose to use MIIS 2003 with SP1 to meet the company's provisioning requirements.

Contoso decided that MIIS 2003 with SP1 would provide the most cost-effective way to achieve its solution requirements while overcoming all of the company's business, technology, and security issues. Contoso also determined that there were many advantages to tightly integrating the company's aggregation and synchronization system with its provisioning system.

The IdM Notification Service

This section describes the IdM Notification Service that the solutions described in this chapter will depend on.

Contoso recognized in the early stages of its implementation that the company had many scheduled activity requirements for various application and directory components that in turn had to notify each other to trigger actions. The following sections define requirement examples for each scenario.

HR-Driven Provisioning

Requirements:

  • When the IdM system provisions an Active Directory® account for a new user, it generates and sets the new user's password. The IdM system then sends that password, in an e-mail, to the new user's manager.
  • Support delayed actions, such as specifying when to delete an Active Directory account.

Group Management

Requirement:

  • Inform users when they have been added or removed from a group.

Self-Service Provisioning

Requirements:

  • Route requests for temporary contractor accounts to an authorized administrator.
  • Route approval or denial notices to the manager.
  • Send "account about to expire" notifications to managers.

To address these requirements, Contoso designed and built a generalized notification service — a Microsoft Windows® service written in Microsoft Visual C#® — to support all of the company's identity life-cycle management notification needs. Basically, this service monitors a number of systems and conditions, such as group membership requirements, message queues into which the identity life-cycle management system might place predefined requests, and Active Directory account expiration dates (so that e-mail notices can be sent).

HR-Driven Provisioning

This section describes the solution for the HR-Driven Provisioning scenario. It includes information about the concept, prerequisites, architecture, design, functionality, and possibilities for extending the solution.

Solution Concept

The following figure depicts the scenario concept for HR-driven provisioning in the Contoso environment:

Figure 4.1. The HR-Driven Provisioning scenario for Contoso

The solution for this scenario provisions objects into the connected directories based on the data in the mySAP ERP Human Capital Management system (SAP HR system). When a new Contoso employee is hired, an HR employee directs the system to automatically create an account in the intranet Active Directory, and a Microsoft Exchange mailbox. If the employee is in the Sales department, the IdM system creates a user account in the extranet Active Directory. When a new Fabrikam employee is hired, the IdM system automatically creates an account in Active Directory, as well as a Lotus Notes mailbox and a Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) account.
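The provisioning decisions just described, combined with the deprovisioning triggers from the Chapter 3 requirements (the HR status attribute and manual disabling of the intranet account), as an added Python example that is not the paper's or MIIS 2003's metaverse rules extension; the status values and object labels are constructed.

```python
from dataclasses import dataclass

# Constructed status values; the paper only says a status attribute set in
# the HR system triggers deprovisioning.
STATUS_ACTIVE = "ACTIVE"
STATUS_TERMINATED = "TERMINATED"

# Constructed labels for the objects the rules create in each connected
# directory. For Fabrikam users the intranet AD account is mail-enabled
# (pointing at Lotus Notes) rather than mailbox-enabled, which this model
# expresses as the absence of an Exchange mailbox.
INTRANET_AD = "intranetAD.user"
EXCHANGE_MAILBOX = "intranetAD.exchangeMailbox"
NOTES_MAILBOX = "notes.mailbox"
NOTES_CONTACT = "notes.contact"
SUNONE_USER = "sunone.inetOrgPerson"
EXTRANET_SHADOW = "extranetAD.shadowUser"


@dataclass(frozen=True)
class HRRecord:
    employee_id: str
    company: str      # "Contoso" or "Fabrikam"
    department: str
    status: str


def desired_objects(rec: HRRecord) -> frozenset:
    """Objects this HR record entitles the identity to under Contoso's rules."""
    if rec.status != STATUS_ACTIVE:
        return frozenset()            # end of life cycle: nothing is desired
    wanted = {INTRANET_AD}
    if rec.company == "Contoso":
        wanted |= {EXCHANGE_MAILBOX, NOTES_CONTACT}
    elif rec.company == "Fabrikam":
        wanted |= {NOTES_MAILBOX, SUNONE_USER}
    else:
        raise ValueError(f"no provisioning rule for company {rec.company!r}")
    if rec.department == "Sales":
        wanted.add(EXTRANET_SHADOW)
    return frozenset(wanted)


def plan_actions(rec: HRRecord, existing: dict) -> list:
    """Diff the desired state against what the connected directories hold.

    existing maps object label -> True (present and enabled) or False (present
    but disabled). The returned (action, object) list is the preview; a commit
    step would apply it, so "preview before commit" reuses this function.
    """
    # A manually disabled intranet account is itself a deprovisioning signal
    # (requirement "Immediate disabling of accounts"), whatever HR says.
    # Re-hires therefore need an explicit re-enable path not modelled here.
    ad_manually_disabled = existing.get(INTRANET_AD) is False
    desired = frozenset() if ad_manually_disabled else desired_objects(rec)
    actions = []
    for obj in sorted(desired):
        if obj not in existing:
            actions.append(("create", obj))
        elif existing[obj] is False:
            actions.append(("enable", obj))
    for obj, enabled in sorted(existing.items()):
        if obj not in desired and enabled:
            # Removal after a defined delay of n days is a separate, later step.
            actions.append(("disable", obj))
    return actions


if __name__ == "__main__":
    new_hire = HRRecord("2001", "Fabrikam", "Sales", STATUS_ACTIVE)
    for action in plan_actions(new_hire, {}):
        print(action)
```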

Solution Prerequisites

Contoso has the same prerequisites that were defined for the aggregation and synchronization solution in this series. The addition of the SAP HR system created the following additional prerequisites:

  • An HR system that contains information about all full-time employees. The system provides flat-file exports because direct access to the SAP databases might not be available.
  • An intranet Active Directory forest that contains Contoso and Fabrikam user information.
    • Contoso users in Active Directory have Exchange mailboxes defined because they use Exchange Server 2003.
    • Fabrikam users in Active Directory are authorized to use e-mail and have Lotus Notes mailboxes.
  • An extranet Active Directory forest that contains Contoso users in the Sales department.
  • A Lotus Notes Release 6 installation that contains mailboxes for all Fabrikam employees and contacts for all Contoso employees.
  • A Sun ONE Directory Server 5.1 server that contains Fabrikam user information to use with an application.

This solution is based on the one described in the Identity Aggregation and Synchronization paper in this series, although the new solution is HR-driven and not Active Directory-driven. Microsoft recommends that you read that paper to fully understand the concepts presented in it before proceeding with this solution.

To fully understand the concepts involved in aggregating and synchronizing data, and then preparing it for provisioning, read the "How the Solution Works" section of Chapter 4, "Designing the Solution." In particular, ensure that you understand the following concepts:

  • Metaverse
  • Connector space
  • Different run profile types
  • Projection
  • Joining
  • Inbound and outbound synchronization with associated attribute flow
  • Rules extensions

Solution Architecture

You can design and plan an MIIS 2003 with SP1-based provisioning solution in the same way that you would design any other IT project. The process requires gathering requirements; implementing conceptual, logical, and physical designs; building a proof of concept; and then creating project plans, a schedule, and a budget.

For more information about architecting an MIIS 2003 solution, see the MIIS 2003 Design and Planning Collection.

Note   The papers in this series focus on the unique aspects of each solution scenario rather than the normal activities of a technology project life cycle. For more information about how to plan, build, and deploy technology solutions of all kinds, see the Microsoft Solutions Framework guidance on the "MSF for Agile Software Development" Web page on the Microsoft MSDN® Web site.

Contoso followed several planning and design activities for MIIS 2003 with SP1 to create an architecture for its identity aggregation and synchronization solution.

The following sections describe the architectural elements and focus on the differences between the provisioning solution and the aggregation and synchronization solution, which include:

  • Comparison with the aggregation and synchronization solution. It is important to grasp the differences between this provisioning solution and the aggregation and synchronization solution.
  • Connected data sources. What data sources are available, and which of them are authoritative?
  • Provisioning rules — metaverse rules extension. For any MIIS 2003 with SP1 implementation, you must provide a special .dll module called the "metaverse rules extension." This module implements a number of methods, one of which performs provisioning actions according to the required business logic.

Comparison with the Aggregation and Synchronization Solution

There are similarities between this solution and the aggregation and synchronization solution. For example, for both solutions, when you first run the IdM system, you must initially aggregate and synchronize the data according to rules that you specify. During later runs, the same rules maintain the synchronization.

However, major differences between the two solutions include the following:

  • HR data source. The SAP HR system data source now exists in the HR-Driven Provisioning solution and is the primary authority.
  • Different rules. The rules for projection, joining, and attribute flow are different in the two solutions to reflect the fact that the IdM system is now HR-driven, as described later in this chapter.
  • Provisioning. When you have finished aggregation and synchronization of the existing identity information, the HR-Driven Provisioning solution automatically provisions new accounts as it detects new records in the HR system.

Rule Differences

Because the SAP HR system data source is now the primary authority, its management agent (MA) has a projection rule that generates a new metaverse object for each new HR record that is imported. All other objects join to this object by using their employeeID attributes, as described in the Identity Aggregation and Synchronization paper. The SAP HR MA also has a join rule. Although it might seem superfluous, and the provisioning process certainly does not use this rule, it might be needed again under some circumstances, for example, if the metaverse must be rebuilt or if an administrator manually breaks a link.

Some of the attribute flow rules for the aggregation and synchronization solution will be altered, and a complete set of new ones is required for the SAP HR MA, as described in detail in Chapter 5, "Implementing the Solution."

Connected Data Sources

A central part of the provisioning solution is to establish which identity stores are the authoritative sources for object creation, and to define the object types and object attributes. The MAs that Contoso chose for this scenario are the same as those for the aggregation and synchronization scenario, with the addition of the SAP HR MA. The following table lists each MA and its associated data source; the subsequent section describes these data sources in more detail.

Table 4.1. Contoso Management Agents

Data source | MA type | Data source description
SAP HR system | File | The SAP HR system contains identity information about all Contoso and Fabrikam full-time employees. This information will be provided through a one-way transfer file.
Intranet directory | Active Directory | The intranet directory contains all Contoso and Fabrikam users who are authorized to use e-mail.
Extranet directory | Active Directory | The extranet directory contains shadow accounts for users in the Sales department.
Lotus Notes Release 6.5.4 | Lotus Notes | The Lotus Notes address book (NAB) contains users from Fabrikam who will continue to use Lotus Notes e-mail until they migrate to Exchange Server 2003. It also contains contacts for Contoso employees.
Sun ONE Directory Server 5.1 | Sun and Netscape Directory Servers | Sun ONE Directory Server 5.1 contains entries for users from Fabrikam to support authentication requests for an application.

Note   Management Agents required for the other scenarios are described later in this chapter.

SAP HR System Data Source

The SAP HR system is the authoritative source for user objects in this scenario. New objects will be projected into the metaverse based on this source. The SAP HR system is also authoritative for most of the person object attributes, except for the mobilePhone attribute and others that are specific to Active Directory, Exchange Server 2003, and Lotus Notes, such as sAMAccountName or mail.

In particular, at Contoso the SAP HR system is the authoritative data source for user account status (Enabled or Disabled) based on the status of the employee (Active, Leave, or Retired). This authoritative data source therefore enables or disables Active Directory accounts. However, it is still possible to immediately disable a user's account directly within Active Directory. For example, if you disable the account by using the Active Directory Users and Computers Microsoft Management Console (MMC), Active Directory becomes the master repository for that account's status. If you re-enable the user account, the SAP HR system again becomes the authoritative source.

Intranet Active Directory Data Source

This data source performs the same function as it did in the Identity Aggregation and Synchronization paper except that it is no longer the authoritative source for Contoso user objects, and it is responsible for fewer attributes. In this HR-Driven Provisioning scenario, the SAP HR system is the authoritative source for Contoso user objects and for many attributes. The Active Directory accounts join to objects that the SAP HR MA has projected.

Lotus Notes Data Source

This data source performs the same function that it did in the Identity Aggregation and Synchronization paper except that it is no longer the authoritative source for Fabrikam user objects, and it is responsible for fewer attributes. In this HR-Driven Provisioning scenario, the SAP HR system is the authoritative source for Fabrikam user objects and for many attributes. The Lotus Notes accounts join to objects that the SAP HR MA projects.

Extranet Active Directory Data Source

This data source performs the same function that it did in the Identity Aggregation and Synchronization paper, except that only Contoso employees in the Sales department will have shadow accounts.

Sun ONE Directory Data Source

This data source supports the Fabrikam system. All Fabrikam employees require an account with this data source.

Provisioning Rules — Metaverse Rules Extension

After you understand the data sources, you can decide how to implement the business rules for provisioning them. All provisioning actions are implemented in the Provision method of the metaverse rules extension. This method expresses the business logic. For example, the method defines what to provision under which circumstances.

The MIIS 2003 with SP1 Provision method runs each time a metaverse object is involved in the synchronization process. The method runs when a new metaverse object projects into the metaverse after a new record has been entered into the SAP HR system, and whenever any change causes attribute flow during synchronization.

The following sections describe key Provision method features:

  • State-driven, not event-driven. The state-driven nature of MIIS 2003 with SP1, and the Provision method, is vital to an effective design.
  • Provisioning code for other purposes. The Provision method has many purposes, for example, deprovisioning.
  • Initial passwords. Any accounts that you provision in an enabled state require you to set initial passwords for them.
  • Business rules that the Provision method implements. For this scenario, the Provision method enables you to implement specific business rules.

State-Driven, Not Event-Driven

The provisioning code is state-driven; it does not react to events. It does not work any differently when the IdM system projects a new object than it does when an attribute changes. The MIIS 2003 with SP1 Provision method always examines the state of the connector space. For example, if this method detects that a connector space object that should be present is not, then the method creates it. Such newly created objects are "pending adds" that will be exported to the relevant directories during the next export run. The MIIS 2003 with SP1 Provision method normally does this after it detects a new identity in the HR application, but the method will also do this later if it detects that an object that should exist has somehow been deleted.

Provisioning Code for Other Purposes

The provisioning code is not only for provisioning. You can also use it for many other metaverse and connector space object activities. For example, in this solution the code also resets the distinguished name (DN) of any objects that need it. The code also moves intranet Active Directory accounts to a special organizational unit (OU) when they are disabled.
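The following added example, which is not the paper's or Contoso's code, shows what a state-driven Provision method for the intranet Active Directory MA looks like in a metaverse rules extension: it creates a missing connector as a pending add and resets the DN of an existing connector to the status-dependent OU, which also covers the move of disabled accounts described above. The MA name, the OU names, and the company and displayName attributes are assumptions, and setting the initial password is omitted.

```csharp
// Added example (not the paper's code): state-driven provisioning for the
// intranet Active Directory MA in the HR-Driven Provisioning scenario.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Assumed MA name and containers; adjust to the names defined in Identity Manager.
    const string IntranetAdMa = "Intranet AD MA";
    const string ActiveOu = "OU=Employees,DC=contoso,DC=com";
    const string DisabledOu = "OU=Disabled Accounts,DC=contoso,DC=com";

    // userAccountControl flag values.
    const long NormalAccount = 0x200;
    const long AccountDisable = 0x2;

    public void Initialize() { }
    public void Terminate() { }

    // Runs every time a metaverse object takes part in synchronization, whether the
    // object was just projected from the SAP HR feed or an attribute flowed later.
    // It never asks "what happened?", only "does the connector space match the rules?".
    public void Provision(MVEntry mventry)
    {
        // Only HR-sourced Contoso persons are in scope for the intranet directory.
        // The "company" attribute is an assumption of this example.
        if (mventry.ObjectType != "person") return;
        if (!mventry["employeeID"].IsPresent || !mventry["employeeStatus"].IsPresent) return;
        if (!mventry["company"].IsPresent || mventry["company"].Value != "Contoso") return;

        ConnectedMA adMa = mventry.ConnectedMAs[IntranetAdMa];
        bool active = mventry["employeeStatus"].Value == "Active";
        ReferenceValue wantedDn = ExpectedDn(adMa, mventry, active);

        if (adMa.Connectors.Count == 0)
        {
            // No connector exists, so create a pending add that the next Export run
            // writes to Active Directory. The same path recreates an account that was
            // deleted directly in the directory, which is why deletion there is not final.
            CSEntry csentry = adMa.Connectors.StartNewConnector("user");
            csentry.DN = wantedDn;
            // sAMAccountName is AD-specific; deriving it from employeeID is an assumption.
            csentry["sAMAccountName"].Value = mventry["employeeID"].Value;
            csentry["userAccountControl"].IntegerValue =
                active ? NormalAccount : (NormalAccount | AccountDisable);
            // Initial password generation and the unicodePwd export are omitted here.
            csentry.CommitNewConnector();
            return;
        }

        // A connector exists: reset its DN if the status-dependent OU no longer matches.
        // Assigning DN on an existing connector becomes a rename/move on the next export.
        CSEntry existing = adMa.Connectors.ByIndex[0];
        if (existing.DN.ToString() != wantedDn.ToString())
        {
            existing.DN = wantedDn;
        }
    }

    // HR status drives the container: anything but Active lands in the special OU
    // for disabled accounts.
    static ReferenceValue ExpectedDn(ConnectedMA ma, MVEntry mventry, bool active)
    {
        string rdn = mventry["displayName"].IsPresent
            ? mventry["displayName"].Value
            : mventry["employeeID"].Value;
        string container = active ? ActiveOu : DisabledOu;
        return ma.EscapeDNComponent("CN=" + rdn).Concat(container);
    }

    // The paper disables retired accounts rather than deleting them, so a
    // disconnected connector does not trigger deletion of the metaverse object.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```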

Initial Passwords

When a new user account is enabled, a pseudo-random initial password is generated for it. This information is automatically stored in an encrypted form until the account is exported to the data store (Active Directory, Sun ONE Directory Server 5.1, or Lotus Notes). The IdM Notification Service explained earlier in this chapter also sends it to the new user's manager.

Business Rules That the Provision Method Implements

In this scenario, the Provision method of the metaverse rules extension implements the following business rules for provisioning:

  • For each new full-time Fabrikam employee, the method creates:
    • An Active Directory account for a user authorized to use e-mail, including an initial Active Directory pseudo-random user password based on an algorithm that adheres to the Complex Password Group Policy in the intranet Active Directory.
    • A Lotus Notes mailbox, along with an ID file in the C:\LNR6Idfiles folder on the MIIS 2003 with SP1 server, which also includes the same password.
    • A Sun ONE Directory Server 5.1 inetOrgPerson object that includes the same initial password based on an algorithm.
  • For each new full-time Contoso employee, the method creates:
    • A mailbox-enabled intranet Active Directory user account in the appropriate OU depending on the identity status. This action also creates an Exchange 2003 mailbox and password.
    • A Lotus Notes contact, which allows Fabrikam Lotus Notes users to look up Contoso Exchange Server 2003 users in the Notes Address Book.
    • A shadow user account in the extranet Active Directory for Sales employees.
  • Uses the IdM Notification Service explained earlier in this chapter to send the password and other user information to the user's manager.
  • Whenever the provisioning code detects an identity change, it resets the identity's DN in Active Directory to the correct value.

Logical Design

The following figure illustrates the logical design of the Contoso HR-Driven Provisioning scenario solution for full-time Contoso employees. The MIIS 2003 with SP1 elements in this diagram are explained in Chapter 4 of the Identity Aggregation and Synchronization paper in this series.

Figure 4.2. The logical design of the process for provisioning a new Contoso employee

The following figure illustrates the logical design of the Contoso HR-Driven Provisioning scenario solution for full-time Fabrikam employees.

Figure 4.3. The logical design of the process for provisioning a new Fabrikam employee

How the Solution Works

The HR-Driven Provisioning solution is based on the Identity Aggregation and Synchronization solution. To fully understand the concepts involved in aggregating and synchronizing data to prepare it for provisioning, read the "How the Solution Works" section of Chapter 4, "Designing the Solution."

HR-Driven Provisioning Operations

After implementation, these operations build the initial metaverse, keep it regularly synchronized, and coordinate the provisioning, maintenance, and deprovisioning for your user community.

  • Initial operations. You must perform these prerequisite actions before you start a regular cycle of activity.
  • Provisioning on an ongoing basis. After the initial operations are complete, you must perform a regular update cycle to ensure synchronization.
  • Notifications. Managers and users receive key event notifications.
  • Deprovisioning. The solution also includes actions that must take place at the end of the identity life cycle.

Initial Operations

After you implement the solution according to the instructions in the next chapter, you can perform the following initial operations. Chapter 5, "Implementing the Solution," explains these operations in detail:

  • Initial import and synchronization (discovery)
  • Check for data consistency
  • Export changes
  • Provision any missing accounts

The following sections describe these operations.

Initial Import and Synchronization (Discovery)

You must run each MA with a Full Import (Stage Only) run step type, and then a Full Synchronization run step type with provisioning disabled. If you do not disable provisioning, you might create incorrect accounts or receive an error if MIIS 2003 with SP1 attempts to create an account in an OU that it is not aware of yet.

The order in which you run the MAs is important. Run the SAP HR MA first, because the SAP HR system is the authoritative information source for Contoso users, and it will project new objects into the metaverse. You can then run the other MAs in any order to establish joins to the new metaverse objects.

The synchronization process causes attributes to flow in accordance with the configured rules. Authoritative values replace any missing or erroneous non-authoritative values. For example, attribute values for manager, job title, or location might flow from SAP HR system objects to Active Directory and Lotus Notes objects. Other attribute values, such as phone numbers, might flow between the objects that other MAs manage. By design, nothing flows to the SAP HR system because it is a read-only identity information source.

Check for Data Consistency

During this task, monitor the Identity Manager user interface (UI). You will find reports on any data issues, such as non-unique displayNames or the inability to join existing data to SAP HR objects because of non-matching employeeIDs. Establish the cause of each exception, correct the data in the relevant data source, and then repeat the previous process.

Export Changes

You must now export any changes to the data sources. To accomplish this task, run each MA in turn (except the SAP HR MA) with an Export run step type, then a Full Import (Stage Only) run step type to confirm the export, and then a Delta Synchronization run step type. This last step is not always necessary, but it makes sure that any changes just imported are synchronized. It also rejoins any connector space objects that have been accidentally disconnected by manual administration (provided there is a suitable join rule). Therefore, it is considered a good practice to include such a step after any confirming import, and to include a suitable join rule in every management agent.

At this stage, all accounts in all the data sources are synchronized, but no new accounts have been provisioned. There might be "missing" accounts — objects that did not exist before synchronization, but that should exist according to the provisioning rules. For example, a user might exist in SAP, but during the previous manual provisioning for Active Directory, the user was not included. You should now allow the IdM system to create these missing accounts based on the records imported from SAP.

Provision Any Missing Accounts

The next operation is to re-enable provisioning and then run the provisioning code against every metaverse object. One way of ensuring that this happens is to perform a full synchronization for all MAs that have projected any metaverse objects. In this case you need only to run this process for the SAP HR MA because it is the only MA that has projected any objects. Finally, you must perform an Export run step type for each MA that received newly provisioned objects (as reported in the Identity Manager). It is this final step that actually creates new accounts in the data sources.

The following figure illustrates the tasks in this initial provisioning process.

Figure 4.4. Concept of data flow through MIIS 2003 with SP1

The following table explains which MA runs achieve the different steps in the previous figure.

Table 4.2. Contoso Management Agents

Diagram step | Management agent | Run step type
1 | SAP HR MA | Full Import (Stage only).
2 | SAP HR MA | Initial full synchronization with provisioning disabled.
3 | SAP HR MA | Full synchronization after provisioning has been enabled.
4 | Any affected MA | Export.

Provisioning On an Ongoing Basis

After the existing accounts are consistent across all connected data sources, a regular cycle of imports, synchronizations, and exports can take place. Contoso created a regular job that runs each MA through several run profiles, as shown in the following table:

Table 4.3. Contoso Ongoing Run Cycle for HR-Driven Provisioning

Management agent | Run step type
SAP HR | Delta import, and delta synchronization
Intranet Active Directory | Export, delta import, and delta synchronization
Extranet Active Directory | Export, delta import, and delta synchronization
Lotus Notes | Export, delta import, and delta synchronization
Sun ONE Directory | Export, delta import, and delta synchronization

A Windows Management Instrumentation (WMI) script controls the run cycle. If any errors occur, the cycle stops, and you may take remedial action. When this cycle runs continuously, it accomplishes the following actions:

  • Imports new or modified records from the SAP HR system.
  • Projects new objects into the metaverse.
  • Creates new accounts for each MA (except the SAP HR MA) in the connector space according to business rules described previously.
  • Flows attribute updates into the metaverse and out to the connector space through all management agents (except the SAP HR MA).
  • Exports changes (new and updated accounts) to all data sources (except the SAP HR system).
  • Re-imports exports to confirm them, and at the same time imports any attribute changes detected in the data sources. These attribute changes flow into the metaverse and out to the connector space through all MAs (except the SAP HR MA). They will be exported to the relevant data stores during their next export run.
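The following added example, which is not Contoso's script, drives the run cycle of Table 4.3 through the MIIS 2003 WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent, method Execute) and stops at the first run profile that does not report "success", so that an operator can take remedial action before anything further is exported. The MA and run profile names are assumptions and must match the profiles defined in Identity Manager.

```csharp
// Added example (not Contoso's script): the HR-Driven Provisioning run cycle,
// executed through the MIIS 2003 WMI provider and halted on the first error.
using System;
using System.Management;

public static class HrDrivenRunCycle
{
    sealed class Step
    {
        public readonly string MaName;
        public readonly string[] Profiles;
        public Step(string maName, params string[] profiles)
        {
            MaName = maName;
            Profiles = profiles;
        }
    }

    // Order matters: the SAP HR MA runs first because it projects the new objects
    // that the other MAs then join to, provision from, and export. Names are assumed.
    static readonly Step[] Cycle =
    {
        new Step("SAP HR",                    "Delta Import", "Delta Synchronization"),
        new Step("Intranet Active Directory", "Export", "Delta Import", "Delta Synchronization"),
        new Step("Extranet Active Directory", "Export", "Delta Import", "Delta Synchronization"),
        new Step("Lotus Notes",               "Export", "Delta Import", "Delta Synchronization"),
        new Step("Sun ONE Directory",         "Export", "Delta Import", "Delta Synchronization"),
    };

    // Executes one run profile on one MA and returns the provider's result string.
    // "success" means a clean run; anything else means the run reported a problem.
    static string RunProfile(ManagementScope scope, string maName, string profile)
    {
        string path = "MIIS_ManagementAgent.Name='" + maName + "'";
        using (ManagementObject ma = new ManagementObject(scope, new ManagementPath(path), null))
        {
            object result = ma.InvokeMethod("Execute", new object[] { profile });
            return result == null ? "(no result)" : result.ToString();
        }
    }

    // Returns true when every step completed. On the first failure the cycle stops,
    // leaving later exports unrun until the cause has been investigated.
    public static bool RunOnce()
    {
        ManagementScope scope = new ManagementScope(@"\\.\root\MicrosoftIdentityIntegrationServer");
        scope.Connect();

        foreach (Step step in Cycle)
        {
            foreach (string profile in step.Profiles)
            {
                string result = RunProfile(scope, step.MaName, profile);
                Console.WriteLine("{0} / {1}: {2}", step.MaName, profile, result);
                if (result != "success")
                {
                    Console.Error.WriteLine("Run cycle stopped at {0} / {1}", step.MaName, profile);
                    return false;
                }
            }
        }
        return true;
    }

    public static int Main()
    {
        return RunOnce() ? 0 : 1;
    }
}
```

Schedule the compiled program for each cycle; a non-zero exit code signals that the cycle stopped early and needs attention before the next run.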

Notifications

The provisioning code uses the IdM Notification Service as follows:

  • To send e-mail containing pseudo-random passwords for users to managers.

Deprovisioning

As part of the run cycle described previously, the attribute flow rules ensure that the accounts are enabled or disabled when users are not active. For example:

  • If you indicate in the SAP HR system that an employee is on leave, the metaverse employeeStatus attribute is set accordingly, and the employee's userAccountControl attribute is modified to disable the person's intranet and extranet Active Directory accounts.
  • If you indicate in the SAP HR system that an employee is active, the metaverse employeeStatus attribute is set accordingly, and the employee's userAccountControl attribute is modified to enable the person's intranet and extranet Active Directory accounts.
  • If you indicate in the SAP HR system that a user has retired permanently from the organization, the metaverse employeeStatus attribute is set accordingly, and the user's userAccountControl attribute is modified to disable the user's intranet and extranet Active Directory accounts. Also, the AccountExpiry attribute is set.
  • If you disable an intranet Active Directory account directly, by using the Active Directory Users and Computers MMC for example, the HR system will not attempt to re-enable it. You can only re-enable it directly in Active Directory. This approach meets the Contoso requirement to immediately disable accounts. Note, however, that if you delete an intranet Active Directory account (by using the Active Directory Users and Computers MMC), the deletion is not permanent, because MIIS 2003 with SP1 will simply recreate the account during its next run cycle. The re-created account will be a new account with all the same characteristics, but it will have a different security identifier (SID) and globally unique identifier (GUID).

Extending the Scenario

The remaining two scenarios in this chapter extend the HR-Driven Provisioning solution to include group management and self-service provisioning for contractor accounts. Contoso also plans to extend the scenario as follows:

  • Reporting. Contoso requires reporting capabilities to meet various legal requirements. You can create views in the MIIS 2003 with SP1 Microsoft SQL Server database based on metadirectory and other data. You can then create reports that are based on these views by using the standard Contoso report generating product, Microsoft SQL Reporting Services.
  • Extensible management agent. Currently, the SAP HR system produces a flat file that MIIS 2003 with SP1 then imports. As an option, Contoso might use the MIIS 2003 with SP1 extensible MA to provide a direct connection to HR data through SAP's Business Application Programming Interface (BAPI) interface. This approach will avoid the dependency of running a separate batch process to generate the flat file.
  • Deleting accounts after they are disabled. Contoso will implement a process to delete accounts that are inactive for a specified length of time.
  • Self-service "My Info." Contoso will build a self-service interface for users to update certain identity information that does not come from the SAP HR system. Users also can use this UI to request changes to SAP HR system data.

Group Management

This section describes the solution for the Group Management scenario, and includes the concept, prerequisites, architecture, design, functionality, and some possibilities for extending it.

Solution Concept

The solution for the Group Management scenario has a number of elements:

  • The Group Management Web application. Provides a UI through which you can create, update, and delete group definitions. Group definition information is stored in a SQL Server database.
  • The Group Populator program. Uses the group definitions to create and modify groups according to stored definitions. As part of this process, the Group Populator gathers information about users from the metaverse. The completed group and user information is also stored in the SQL Server database in a format that MIIS 2003 with SP1 can import.
  • MIIS 2003 with SP1. Reads the user and group data and flows it to the metaverse and then to the target directories.

The following figure depicts the solution concept for managing group membership lists in the Contoso environment.

Figure 4.5. The Group Management concept for Contoso

The numbered portions of the diagram are explained as follows:

  1. An authorized user defines groups through the Group Management Web application. These groups are defined according to attribute values. You can also make exceptions to the rules that define the group membership by using user data pulled directly from the metaverse. As part of the definition, you can specify a group type, such as domain security or distribution list, and then store these definitions in a SQL Server database.
  2. The Group Populator program runs periodically. It creates the groups and group memberships based on the group definitions. It then stores all the groups and associated user data in another SQL Server database.
  3. An MIIS 2003 with SP1 MA connects to SQL Server and imports the groups and users. Users are joined to their counterparts in the metaverse, and new groups are projected. Group attributes flow into the metaverse, including the member attribute. The presence of the users in the same import flow ensures that the member references flow correctly.
  4. The provisioning code creates a full set of properly populated groups in the metaverse, including group type and membership. The provisioning code creates new Active Directory and Lotus Notes groups in the connector space that are the correct type. If the groups already exist, the attribute flow updates the member attribute. This method exports new and updated groups.

Solution Prerequisites

The solution for the Group Management scenario is built on the HR-Driven Provisioning solution. The additional prerequisites are to:

  • Define the SQL Server databases.
  • Install the Group Management Web application.
  • Install the Group Populator program.
  • Define the Group Management MA.
  • Modify the Intranet Active Directory MA and the Lotus Notes MA to handle groups.
  • Ensure that the provisioning code has the correct logic to handle groups.
  • Modify the run cycle to include the Group Populator program.

Solution Architecture

The following sections describe the architecture of the solution for the Group Management scenario.

Group Management Web Application

A Web-based application was created for managing groups and is available to authorized users. The Uniform Resource Locator (URL) authorization feature of Active Directory Authorization Manager handles authorization to secure the ASP.NET Web UI. The application stores its data in a SQL Server database called miisGroupManagement.

This database is the authoritative repository of group data for those groups that the Group Management Web application manages. Groups that the Web application does not manage include:

  • Special-purpose or informal groups that are not query-based.
  • Groups that must contain other groups.
  • Groups designated in the Group Management Web application as Not Managed.

The Group Populator program previously populated this final category, but the management rights for it have since been granted to Active Directory.

The Web application allows you to create new groups and manage the membership and other group attributes. After you have created some groups, MIIS 2003 with SP1 can synchronize them with Active Directory, as the following sections explain.

Group Populator Management Agent

An additional MA now exists — the Group Populator MA — to import and synchronize the information that the Group Management Web application stores in the miisGroupManagement SQL Server database.

Inbound Flow Rules

Because the Group Management MA is the authority for groups, it has a projection rule for group objects. The MA also imports users that are joined to their metaverse counterparts. Users are included in the synchronization process so that membership references work correctly. They have to be joined to the metaverse so that connector space references (to anchors) can be translated into metaverse references (to MIIS 2003 with SP1 GUIDs).

Chapter 5, "Implementing the Solution," fully lists and discusses the flow rules required in this scenario. However, the key attribute is the group member attribute, which flows into the metaverse. Note that the attribute flows for different objects — user and group — are quite independent, and so are the rules for projection, joining, and filtering.

Provisioning – Metaverse Rules Extension

The provisioning code, which is a key part of the scenario, now must include group provisioning as well as user provisioning. As before, the MIIS 2003 with SP1 Provision method in the metaverse rules extension implements this provisioning.

Each time a metaverse object is involved in the synchronization process, such as when a modification is detected, the MIIS 2003 with SP1 Provision method runs. This method examines the connector space state, and then detects whether to create new group connector space objects or not. New objects are "pending adds" that will move to the relevant directories during the next export run.

Continuously enforcing these rules causes the provisioning process to recreate groups as needed. For example, the process would recreate an accidentally deleted group in Active Directory.

Outbound Flow Rules

After the provisioning code has run, any outbound flow rules are applied. In this case, attribute flow takes place from the metaverse to the intranet Active Directory and Lotus Notes connector space objects. Again, member is the key attribute.

Logical Design

The following figure illustrates the logical design of the solution for the Contoso Group Management scenario.

Figure 4.6. The logical design for group provisioning

How the Solution Works

The following sections outline the prerequisite steps for implementing Group Management, its ongoing day-to-day activities, and the notifications its users will receive.

Initial Operations

After you implement the solution according to the instructions in the next chapter, perform the following initial operations to prepare the environment for normal operations:

  1. Define groups.
  2. Populate groups.
  3. Perform initial import and preview synchronization.
  4. Perform projection and provisioning, and export changes.

Define Groups

You must create some groups to establish the correct implementation. You can add group definitions through the Group Management Web application.

There are two main group types that you manage differently by using the Group Management Web application:

  • Groups that you create in the Web application.
  • Groups that you create automatically.

"Manual" Groups That You Create in the Web Application

For groups that you create in the Web application, define properties such as name, description, group type (corresponding to Active Directory group types), and whether the group is authorized to use e-mail.

You can either type the membership criterion or build it with a query builder. The criterion takes the form of a SQL WHERE clause that uses metaverse attributes. For example, you could use l = 'Palo Alto' or jobTitle = 'Secretary'.

You can also specify exceptions that include or exclude individuals; the application deliberately limits exceptions to 10 for each group so that membership remains rule-based. You can use a simple search tool to choose the individuals from the metaverse.

A preview button allows you to ensure that your WHERE clause produces the results that you want and that users are meeting the criteria.

Finally, you can indicate that this new group is not managed, which grants control to Active Directory, along with the current membership.

"Attribute" Groups That You Create Automatically

The Group Management Web application can also generate group "families" based on attributes.

For example, you can choose a metaverse attribute such as department and automatically create a managed group for each unique department value. To do this, define a generic name for each group, such as "Everyone in the <department attribute value> department." The Group Populator program will then generate a group called "Everyone in the <department attribute value> department" and then populate it with anyone whose identity information includes the specified department attribute value. Group Populator will then continue to generate groups for each department that exists as a department attribute value for at least one user in the metaverse.

A variant of group "families" that you can automatically create is one that you can generate by using a reference attribute, which is a pointer to another metaverse object. For example, the manager attribute is a reference attribute that you can use to generate a series of automatic groups, such as "Jeff Chia's Direct Reports." The Group Populator program can generate a group for each manager as long as there is at least one metaverse user to reference each manager.

After these groups have been generated, you can manage them the same way that you manage the groups created in the Web application.

Populate Groups

You next run the Group Populator program to create groups based on your definitions. All the user and group information is stored in the SQL Server database.

Perform the Initial Import

To perform the initial import, run the Group Management MA with a Full Import (Stage Only) run step type. When complete, the MIIS 2003 with SP1 connector space will contain all data that relates to your groups.

Preview Synchronization

Before going ahead with full synchronization, preview a sample of imported group objects through the synchronization process. Resolve any issues reported in the Identity Manager before performing the full synchronization.

Perform Projection and Provisioning

To accomplish this task, run the Group Management MA with a Full Synchronization run step type. The synchronization process projects group objects into the metaverse. The provisioning rules extension creates new connector space objects for export to Active Directory and Lotus Notes.

Export Changes

After the initial import and synchronization, you can run the intranet Active Directory and Lotus Notes MAs with an Export run step type, and then a Delta Import (Stage Only) run step type to confirm the export. The new groups should now appear in the Active Directory and Lotus Notes data sources.

Ongoing Run Cycle

After initial operations are complete, you are ready to initiate an ongoing run cycle. Contoso adjusted its run cycle to include the group management processes in the following table.

Table 4.4. Group Management Ongoing Run Cycle for Contoso

Management agent or process | Run step types for MAs
SAP HR MA | Delta import, and delta synchronization
Group Populator program | N/A
Group Management MA | Delta import and delta synchronization
Intranet Active Directory MA | Export, delta import, and delta synchronization
Extranet Active Directory MA | Export, delta import, and delta synchronization
Lotus Notes MA | Export, delta import, and delta synchronization
Sun ONE Directory MA | Export, delta import, and delta synchronization

Changes that you make through the Group Management Web application are reflected when the next cycle completes. More significantly, changes to user data are reflected. For example, a title or location change in the SAP HR system might require a group change when the membership rules are applied. In this way, the group management solution becomes a regular part of the identity management update cycle.

Removal From Groups

Users are removed from groups in the same systematic way that they are added to them. You can also set a delay so that removal is not immediate.

Notifications

The Group Management Web application uses the IdM Notification Service to e-mail users when the following conditions occur:

  • They have been added to a group.
  • They have been removed from a group.

Extending the Scenario

Contoso can extend the Group Management Web application in the future to handle the following:

  • Nested groups.
  • Special purpose and informal groups created quickly for small teams by using a self-service application. Users will be able to request new groups. This capability will be workflow-enabled. Another potential feature is automated expiration of self-service groups.

Self-Service Provisioning

This section describes the solution for the Self-Service Provisioning scenario, including the concept, prerequisites, architecture, design, functionality, and some possibilities for extending it.

Solution Concept

The HR-Driven Provisioning scenario is data-driven. Accounts are provisioned into the intranet Active Directory and other data sources for every full-time employee imported from the SAP HR system.

The solution for the Self-Service Provisioning scenario is workflow-driven, because the HR system does not manage contractors at Contoso. Authorized managers can use this self-service system to request temporary contractor accounts. Authorized administrators can then approve or deny these requests. MIIS 2003 with SP1 provisions the approved account requests.

The following figure depicts the solution concept for provisioning contractor accounts in the Contoso environment:

Figure 4.7. The contractor provisioning concept for Contoso

The numbered portions of the diagram are explained as follows:

  1. An authorized manager uses the Self-Service Provisioning Web application to request a contractor account. The manager types in details that include the contract start and finish dates. The tool stores the request and notifies all authorized administrators that there is a pending approval that requires someone's attention.
  2. An authorized administrator approves the request. The tool stores this status change and notifies the manager.
  3. MIIS 2003 with SP1 imports the new contractor record. It does this only once the contract start date is on or before today's date.
  4. MIIS 2003 with SP1 provisions accounts according to Contoso business rules, including an account expiration date:
    1. Contoso contractors are provided with an Exchange 2003 mailbox-enabled user account in the intranet Active Directory.
    2. Fabrikam contractors are provided with a user account that is authorized to use e-mail in the intranet Active Directory and a mailbox in Lotus Notes.

In addition, the following activities can take place:

  • The contractor account expires after the designated period. A warning notification is sent to the manager a number of days before the account expires (you can configure the number of days).
  • The manager can terminate the account at any time, in which case it is deprovisioned. Provided that the Full Import run profile is run, the account is also deprovisioned on its expiration date. In either case the account is disabled.
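The contractor life cycle described in the numbered steps and bullets above, as an added Python model (not the Contoso Web application or the Contractor MA code): which approved requests MIIS 2003 with SP1 would import on a given day, what is provisioned for each company, how the expiration date is written as an Active Directory accountExpires value, and what a delta run cycle versus a Full Import cycle does for expired and terminated accounts. The request records, the status names, the 7-day warning window and the rule that an account expires at the start of the day after its finish date are constructed assumptions; the `v-` prefix is the contractorPrefix value from Table 5.4.

```python
"""Contractor account life cycle for the Self-Service Provisioning scenario.

Added example, not the Contoso Web application or the Contractor MA code.
The request records, status names and the warning window are constructed
for illustration; the rules follow the numbered steps in the paper.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

CONTRACTOR_PREFIX = "v-"                     # contractorPrefix, Table 5.4
WINDOWS_EPOCH_OFFSET_SECONDS = 11644473600   # seconds from 1601-01-01 to 1970-01-01


@dataclass
class ContractorRequest:
    short_name: str            # constructed base for the sAMAccountName
    manager: str
    company: str               # "Contoso" or "Fabrikam"
    start: date
    finish: date
    status: str = "pending"    # pending | approved | denied | provisioned
    terminated: bool = False   # manager ended the contract early


def account_expires_filetime(expiry: date) -> int:
    """Active Directory accountExpires: 100 ns intervals since 1601-01-01 UTC
    (midnight at the start of the given day)."""
    unix_seconds = (expiry - date(1970, 1, 1)).days * 86400
    return (unix_seconds + WINDOWS_EPOCH_OFFSET_SECONDS) * 10_000_000


def ready_for_import(req: ContractorRequest, today: date) -> bool:
    """Step 3: an approved record is imported only once its start date is on or before today."""
    return req.status == "approved" and req.start <= today


def provisioning_plan(req: ContractorRequest) -> Dict[str, object]:
    """Step 4: target systems by company, plus the expiration date.
    Assumption: the account expires at the start of the day after the finish date."""
    if req.company == "Contoso":
        targets = ["intranet AD user, Exchange 2003 mailbox-enabled"]
    elif req.company == "Fabrikam":
        targets = ["intranet AD user, mail-enabled", "Lotus Notes mailbox"]
    else:
        raise ValueError(f"unknown company {req.company!r}")
    return {
        "sAMAccountName": CONTRACTOR_PREFIX + req.short_name,
        "accountExpires": account_expires_filetime(req.finish + timedelta(days=1)),
        "targets": targets,
    }


def run_cycle(requests: List[ContractorRequest], today: date,
              warn_days: int = 7, full_import: bool = False) -> Dict[str, List[str]]:
    """One run cycle. An expired account is deprovisioned only on a Full Import run
    (delta imports never remove objects); a terminated one is always deprovisioned;
    disabling happens in either case."""
    report: Dict[str, List[str]] = {"import": [], "warn_manager": [], "disable": [], "deprovision": []}
    for req in requests:
        if ready_for_import(req, today):
            report["import"].append(req.short_name)
            req.status = "provisioned"      # export flow sets the flag in miisWorkflow
        elif req.status == "provisioned":
            if req.terminated or req.finish < today:
                report["disable"].append(req.short_name)
                if req.terminated or full_import:
                    report["deprovision"].append(req.short_name)
            elif req.finish - today <= timedelta(days=warn_days):
                report["warn_manager"].append(req.short_name)
    return report


def sample_requests() -> List[ContractorRequest]:
    """Constructed sample data, one request per life-cycle state."""
    return [
        ContractorRequest("aliceb", "mgr1", "Contoso", date(2005, 6, 1), date(2005, 9, 30), "approved"),
        ContractorRequest("bobf", "mgr2", "Fabrikam", date(2005, 7, 1), date(2005, 12, 31), "approved"),
        ContractorRequest("carolx", "mgr1", "Contoso", date(2005, 1, 1), date(2005, 6, 5), "provisioned"),
        ContractorRequest("davey", "mgr3", "Fabrikam", date(2005, 1, 1), date(2005, 5, 31), "provisioned"),
        ContractorRequest("evez", "mgr3", "Contoso", date(2005, 1, 1), date(2005, 12, 31), "provisioned", True),
        ContractorRequest("frankp", "mgr2", "Contoso", date(2005, 6, 1), date(2005, 8, 1)),
    ]


if __name__ == "__main__":
    today = date(2005, 6, 1)
    print(run_cycle(sample_requests(), today))                    # regular delta cycle
    print(run_cycle(sample_requests(), today, full_import=True))  # periodic Full Import run
```

The split between `disable` and `deprovision` is the point to notice: a delta import of the miisWorkflow database cannot tell MIIS that a row has gone away, so an expired contractor stays as a disabled object until the periodic Full Import run described later in this section removes it.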

Solution Prerequisites

This solution is built on the HR-Driven Provisioning scenario. It does not depend on whether you have implemented the Group Management solution.

The additional prerequisites for this solution are to:

  • Define the miisWorkflow SQL Server database.
  • Install the Self-Service Provisioning Web application.
  • Define the Contractor MA.
  • Modify the run cycle to include the Contractor MA.

Solution Architecture

The following sections describe the Self-Service Provisioning Web application architecture.

Self-Service Provisioning Web Application

Contoso created a Web-based application for managers to request and administrators to approve contractor accounts. Windows Authorization Manager handles authorization to secure the ASP.NET Web UI.

The Self-Service Provisioning Web application stores its data in a SQL Server database called miisWorkflow. This database is the authoritative repository for contractor account data. The tool uses the IdM Notification Service described previously in this chapter.

Self-Service Provisioning Management Agent

An additional MA imports and synchronizes information stored in the miisWorkflow SQL Server database.

Inbound Synchronization Rules

Attributes flow into the metaverse based on those stored in the database. Some of these attributes were automatically generated based on information about the requesting manager (such as the manager's ID, department, and location).

Provisioning-Metaverse Rules Extension

The provisioning code, which is modified from the previous scenarios, examines the connector space state and then determines whether new objects must be created. New objects are "pending adds" for export to the relevant directories, where the accounts are created during the next export run.

Unlike accounts for full-time employees, contractor accounts are given a designated expiration date by the provisioning code. The provisioning process continuously enforces these rules, so accidentally deleted accounts are re-created as needed.

Outbound Synchronization Rules

Attribute values flow out to the new accounts so that they are fully formed in accordance with Contoso business rules. Export attribute flow also sets a flag in the miisWorkflow SQL Server database so that you can see the provisioned status in the Self-Service Provisioning Web application.

How the Solution Works

The following sections outline the initial prerequisite steps to implement the self-service provisioning scenario, its ongoing day-to-day activities, how it tracks and monitors requests, and how managers and administrators receive notification through the simple workflow process.

Initial Operations

After following the instructions in Chapter 5, "Implementing the Solution," there are a few initial operations that you must perform to prepare the environment for normal operations. These include:

  • Request and approve some contractors.
  • Ensure that MIIS 2003 with SP1 has imported and provisioned them.
  • Export the changes and ensure that Active Directory received them.

Request and Approve Some Contractors

You need some data to verify that the implementation is correct. The same UI is used for requests and approvals, but the functionality it offers depends on your role. When you open the initial page to make a request, you can enter a new contractor request or examine the status of previous requests (pending, approved, denied, or provisioned).

You must request some contractor accounts, and then approve them before they will be presented to MIIS 2003 with SP1. MIIS 2003 with SP1 automatically runs after it receives an approved request.

Check MIIS 2003 with SP1 Processing

Use the MIIS Operations tool to ensure that the correct runs have taken place, including:

  • The Full Import (Stage Only) run step type that imports any new contractor accounts into the connector space.
  • The Delta Synchronization run step type that projects new contractors into the metaverse. The provisioning rules extension creates new connector space objects for export to Active Directory and Lotus Notes.
  • The Contractor MA run with an Export run step type, then a Delta Import (Stage Only) run step type (to confirm the export), and then a Delta Synchronization run step type. This run indicates to the contractor approval system that provisioning has taken place.

Export New Accounts

Next, run the intranet Active Directory and Lotus Notes MAs with an Export run step type to export the new accounts, and then follow these with Delta Import and Delta Synchronization run step types to confirm the export.

The new accounts should then exist in the Active Directory and Lotus Notes data sources. Examine these data sources directly to check for them.

Ongoing Run Cycle

After the initial tasks are complete and error-free, you are ready to initiate an ongoing run cycle. Contoso adjusted its run cycle to include the contractor processes listed in the following table.

Table 4.5. Contoso Ongoing Run Cycle for Contract Account Provisioning

| Management agent or process | Run step types |
| --- | --- |
| SAP HR MA | Delta import and delta synchronization |
| Group Populator program (if present) | N/A |
| Group Management MA (if present) | Delta import and delta synchronization |
| Self-Service MA | Delta import and delta synchronization; export and delta import (stage only) |
| Intranet Active Directory MA | Export, delta import, and delta synchronization |
| Extranet Active Directory MA | Export, delta import, and delta synchronization |
| Lotus Notes MA | Export, delta import, and delta synchronization |
| Sun ONE Directory MA | Export, delta import, and delta synchronization |

From time to time (for example, every night) the Self-Service MA should be run in Full import and delta synchronization mode, to ensure that expired accounts are deleted from MIIS 2003 with SP1 and deprovisioned from Active Directory.

Tracking and History

The person who made the request can review the status of all requests at any time. Windows Event Log records each significant event, including the user who made the change.

Notifications

The Self-Service Provisioning Web application uses the IdM Notification Service to:

  • Notify all authorized administrators that there are approvals pending.
  • Notify the requesting manager when a request has been approved or denied.

Extending the Scenario

Contoso might extend the Self-Service Provisioning scenario to handle the following:

  • Account expiration warnings. The company can extend the IdM Notification Service to send a warning notification to the user of an account that is about to expire, so that they can request an extension.
  • Workflow enhancements. The company can extend the contractor approval system to take advantage of advanced capabilities in Microsoft BizTalk® Server, which includes escalation and out-of-office rerouting features.
  • Enhanced Reporting. The company can generate reports based on changes to identity information.
  • Management of additional attributes. The company can extend the application that this series is based on to meet new particular requirements.

Chapter 5: Implementing the Solution

The previous chapters in this paper provided information about the typical issues, requirements, and design criteria for solutions that address the following scenarios:

  • HR-Driven Provisioning
  • Group Management
  • Self-Service Provisioning

This chapter provides prescriptive guidance about how to implement these solutions. Guidance for each scenario is divided into the following sections:

  • Tools and Templates
  • Implementation Prerequisites
  • Implementation Tasks
  • Initial Identity Integration Operations

After you implement the solutions, you can verify them by using the guidance in Chapter 6, "Testing the Solution."

Tools and Templates

The Identity and Access Management download package includes Identity and Access Management Tools and Templates.msi, which is the Tools and Templates installer file. The Tools and Templates that are part of this download include text-based scripts, code samples, and configuration files that are related to identity and access management, but do not include any executable programs or compiled code.

Note   These samples are provided as examples only. Be sure to review, customize, and test these tools and templates before you use them in a production environment.

When you run the installer file, the resulting folder structure will look similar to the one displayed in the following figure, depending on where you install it.

Figure 5.1. The Tools and Templates folder structure

This guide assumes you have installed the Tools and Templates into the default location of %UserProfile%\My Documents\Identity and Access Management Tools and Templates. If you use a different installation location, ensure that you use this path in all the steps in this document.

Note   The Tools and Templates MSI package can sometimes produce an error during the installation process. See the Identity and Access Management Series Readme.htm file for more information.

HR-Driven Provisioning

The following sections describe the solution for the HR-Driven Provisioning scenario.

Folder: IdMNotificationSvc

This folder contains the sample code for the IdM Notification Service that Contoso uses. The IdM Notification Service is a sample Microsoft® Windows® Service written in Microsoft Visual C#® that you must compile and install in order to make many of the other scenario solutions in this paper fully functional.

Table 5.1. Primary Notification Service Files

| File name | Purpose |
| --- | --- |
| AssemblyInfo.cs | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information. |
| AcccountExpirations.cs | The Visual C# file that implements notifications for account expirations. |
| AcccountProvisioning.cs | The Visual C# file that implements notifications for the provisioning solutions in this paper. |
| ContractorWorkflow.cs | The Visual C# file that implements notifications for the Self-Service Provisioning Web application in this paper. |
| IdMNotificationSvc.cs | The Visual C# file that implements the main service function. |
| miisGroupManagement.cs | The Visual C# file that implements notifications for the group management scenario in this paper. |
| PasswordExpirations.cs | The Visual C# file that implements notifications for extranet password expirations. See the Password Management paper in the IdM Solution Series for more information. |
| SMTPMailer.cs | The Visual C# file that implements the Simple Mail Transfer Protocol (SMTP) messaging used for all notifications. |
| IdmNotificationSvc.csproj | The project file that contains the configuration and build settings and keeps a list of files associated with the project. |

Folder: HR Driven Provisioning

This folder has a number of subfolders that contain configuration and other files that you need to implement this solution.

Subfolder: SAP HR Information

This subfolder contains a program to extract information from the mySAP ERP Human Capital Management system (SAP HR system) in the required format, along with documentation and some sample extractions. The sample extractions are delta extracts (changes only) provided for testing purposes. If you want to use your own SAP data, you must modify and use the provided program.

The SAP HR Extract Program is an Advanced Business Application Programming (ABAP) program called Z_SAP_TO_MIIS. It is stored in the file z_sap_to_miis.txt. To enter the program into SAP, use transaction SE38 and then select the Create option. The configured program reflects the fictitious MSS IdM companies Contoso and Fabrikam. For this reason, you must adjust it.

Full details are available in the SAP Extraction Program documentation. The file MSS IdM SAP HR Information.doc contains full information about the extraction program, including the configuration, fields used, and parameters you might have to modify. The program can extract either full or delta information.

Sample files are provided to help you perform initial operations and ongoing tests. Place these files in the SAP HR subfolder of the <MIIS Installation Directory>\madata folder after you have created the SAP HR management agent (MA).

Table 5.2. SAP HR Extraction Files

| File name | Purpose |
| --- | --- |
| demo1.csv | This file contains an extract of the HR identity information for four new Contoso or Fabrikam employees. You can import the file to check that the accounts are provisioned in the other directories in accordance with the business rules. |
| demo2.csv | This file contains delta HR identity information for modifications to two of the accounts imported through demo1.csv. You can import it and check that the Active Directory® accounts are correctly modified as a result. |
| demo3.csv | This file contains modified delta HR identity information for one employee that you can use to test certain business rules. |
| demo4.csv | This file contains delta HR identity information for various additional changes. |
| Updates.csv | This file lists the field headers for the import process. |
| SAP HR FULL Import.csv | This file contains a larger set of SAP HR data. |

Note   For audit and regulatory compliance reasons, no one is ever actually removed from the Contoso SAP HR system. Identity information is never deleted.

Subfolder: MA Configuration

This subfolder contains two Extensible Markup Language (XML) files that are explained in the following table:

Table 5.3. Configuration Files

| File name | Purpose |
| --- | --- |
| ContosoExtensions.xml | Use this configuration file to supply configuration-specific data that you can change without modifying the source code. Place this file in the <MIIS Installation Directory>\Extensions folder. |
| MVSchemaExport.xml | This file contains an export of the Contoso metaverse schema for this solution, including required attributes that are not part of the default metaverse schema created when you install Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1). Import this file to define the correct schema rather than defining it manually. |

The metaverse and all the MA rule extensions use the same XML-formatted configuration file. The configuration elements defined in the configuration file are shown in the following table.

Table 5.4. Configuration Elements

| Configuration group | Configuration element | Usage | Example value |
| --- | --- | --- | --- |
| Intranet-container | Root | The root organizational unit (OU) in the intranet Active Directory. | OU=ContosoCorp,dc=na,dc=corp,dc=contoso,DC=com |
| Intranet-container | Employees | The OU for employees. | OU=Employees |
| Intranet-container | Disabled | The OU for disabled accounts. | OU=Disabled |
| Intranet-container | Contacts | The OU for contacts. | OU=Contacts |
| Intranet-container | Groups | The OU for groups. | OU=Groups |
| Intranet-container | homeMDB | The default Microsoft Exchange Server 2003 mailbox store for new employee mailboxes. | CN=First Mailbox Store (SG1),CN=First Storage Group,CN=InformationStore,CN=FFL-NA-MSG-01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso Corp,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com |
| Intranet-container | fabrikamSMTPdomain | The Internet e-mail domain that the Fabrikam Lotus Notes system uses. | @fabrikam.com |
| Intranet-container | ln-certifier | The OU name of the certifier in Lotus Notes. | O=Fabrikam |
| Intranet-container | ln-nab | The name of the Notes Address Book (NAB). | NAB=names.nsf |
| Intranet-container | ln-mailserver | The name of the Lotus Notes mail server. Must match the exact case of the name in Lotus Notes. | FFL-SA-LOTUS/Fabrikam |
| Intranet-container | ln-idfilehomedir | The directory on the MIIS 2003 with SP1 server in which the Lotus Notes ID files for new Lotus Notes mailboxes are stored. | C:\LNR6IdFiles |
| Extranet-container | Root | The root OU in the extranet Active Directory. | OU=Accounts,dc=perimeter,dc=contoso,DC=com |
| Extranet-container | Employees | The OU for employees. | OU=Employees |
| Extranet-container | Disabled | The OU for disabled employees. | OU=Disabled |
| Extranet-container | trial-users | The OU for trial users. | OU=Trial Users |
| Extranet-container | Groups | The OU for groups. | OU=Groups |
| Sunone-container | Root | The root OU in Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server). | ou=People,dc=fabrikam,dc=com |
| Extranet | ext-upn-suffix | The default userPrincipalName suffix for new employees in the extranet Active Directory. | perimeter.contoso.com |
| Extranet | ext-mail-domain | The mail domain that the extranet Active Directory uses. | @contoso.com |
| Extranet | issuing-CA-dn | The distinguished name (DN) of the issuing certification authority (CA). | DC=com,DC=contoso,DC=corp,CN=CONTOSO-CA111 |
| Extranet | CA-subject-prefix | The CA subject prefix. | DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=employees |
| ma-definitions | ext-ad-ma | The extranet Active Directory MA. | Extranet Active Directory |
| ma-definitions | ln-ma | The Lotus Notes MA. | Lotus Notes |
| ma-definitions | int-ad-ma | The intranet Active Directory MA. | Intranet Active Directory |
| ma-definitions | so-ma | The Sun ONE Directory Server 5.1 MA. | Sun ONE Directory |
| ma-definitions | ssprov-ma | The self-service provisioning MA for the self-service provisioning solution. | Self-Service Provisioning |
| user-definitions | Upn | The default userPrincipalName suffix for new employees in the intranet Active Directory. | na.corp.contoso.com |
| user-definitions | min-password-length | The minimum password length in the intranet Active Directory. | 8 |
| run-definitions | First | The flag that specifies whether this is the "First-Run" (inhibits provisioning). | False |
| General-definitions | defaultManagerEmail | The e-mail address that receives manager notifications when the e-mail address of a new employee's manager cannot be found. | postmaster@contoso.com |
| General-definitions | contractorPrefix | The prefix added to the sAMAccountName of contractor accounts. | v- |

MIIS 2003 with SP1 uses the configuration elements in the previous table and the base SAP HR system information to calculate the attributes shown in the following table.

Table 5.5. Calculated Attributes

| Object type | Connected directory | Attribute | Logic |
| --- | --- | --- | --- |
| user | Extranet Active Directory | userPrincipalName | <sAMAccountName>@<configuration.ext-upn-suffix> |
| user | Extranet Active Directory | altSecurityIdentities | "X509:<I>" + <issuing-CA-dn> + "<S>" + <CA-Subject-Prefix> + ",cn=" + <sAMAccountName> + ",E=" + <sAMAccountName> + <ExtMailDomain> |
| user | Extranet Active Directory | userAccountControl | On first provisioning this is set to normal account, then the following is applied: (1) if the employee status is active, the normal flag is set and the disabled account flag is reset (enabled); (2) otherwise (for leave, retired, or disabled), the disabled flag is set. |
| user | Extranet Active Directory | accountExpires | Set to 1 month from today for retired employees. |
| user | Intranet Active Directory | mail | <sAMAccountName>@<company>.com |
| user | Extranet Active Directory | sAMAccountName | givenName(1..4) + surName(1..3) + 1, 2, 3, etc. to make it unique to the metadirectory. Illegal characters are removed. |
| user | Extranet Active Directory | cn | <sAMAccountName> |
| user | Extranet Active Directory | dn | CN=<sAMAccountName>,<configuration.employees>,<configuration.root> |
| user | Extranet Active Directory | displayName | <surName> + ", " + <givenName> + " " + <middleName> (if there is no middle name, the trailing space is omitted). |
| user | Extranet Active Directory | unicodePwd | Pseudo-random password |
| user | Intranet Active Directory | sAMAccountName | givenName(1..4) + surName(1..3) + 1, 2, 3, etc. to make it unique to the metaverse. Illegal characters are removed. |
| user | Intranet Active Directory | userPrincipalName | <sAMAccountName>@<configuration.upn> |
| user | Intranet Active Directory | cn | <sAMAccountName> |
| user | Intranet Active Directory | dn | CN=<sAMAccountName>,<configuration.employees>,<configuration.root> |
| user | Intranet Active Directory | mailNickName | <sAMAccountName> |
| user | Intranet Active Directory | displayName | <surName> + ", " + <givenName> + " " + <middleName> (if there is no middle name, the trailing space is omitted). |
| user | Intranet Active Directory | userAccountControl | On first provisioning this is set to normal account, then the following is applied: (1) if the employee status is active, the normal flag is set and the disabled account flag is reset (enabled); (2) if the employee status is inactive (leave, retired, or disabled), the disabled flag is set. |
| user | Intranet Active Directory | unicodePwd | Random password |
| user | Intranet Active Directory | accountExpires | Set to 1 month from today for retired employees. |
| user | Intranet Active Directory | homeMDB | <configuration.homeMDB> |
| group | Intranet Active Directory | sAMAccountName | <displayName> |
| group | Intranet Active Directory | dn | "CN=" + <displayName> + "," + <configuration.groups> + "," + <configuration.root> |
| Person | Lotus Notes | shortName | <sAMAccountName> |
| Person | Lotus Notes | InternetAddress | For Fabrikam staff this is set to <sAMAccountName>@fabrikam.com. |
| Person | Lotus Notes | MailAddress | For Fabrikam staff this is set to <sAMAccountName>@contoso.com. |
| Person | Lotus Notes | Dn | "cn=" + <sn> + " " + <middleName> + " " + <givenName> + " (" + <sAMAccountName> + ")" + "/" + <configuration.ln-certifier> + <configuration.ln-nab> |
| Person | Lotus Notes | _MMS_Certifier | <configuration.ln-certifier> |
| Person | Lotus Notes | _MMS_IDRegType | 1 for US user (Fabrikam) and 0 for Contact (Contoso) |
| Person | Lotus Notes | _MMS_IDStoreType | 2 |
| Person | Lotus Notes | _MMS_IDPath | <configuration.ln-idfilehomedir> + "\" + <sAMAccountName> + ".id" |
| Person | Lotus Notes | _MMS_Password | Pseudo-random password |
| Person | Lotus Notes | MailServer | <configuration.ln-mailserver> |
| Person | Lotus Notes | MailFile | "mail\" + <sAMAccountName> |
| Group | Lotus Notes | Dn | "CN=" + <displayName> + <configuration.ln-nab> |
| Group | Lotus Notes | groupType | The metaverse groupType attribute corresponds to the Active Directory groupType. It is tested and the Lotus Notes groupType attribute is set as follows: a security group that is mail-enabled gets 0 (multipurpose); a security group that is not mail-enabled gets 2 (ACL only); a group that is not a security group but is mail-enabled gets 1 (mail only). |
| inetOrgPerson | Sun ONE Directory Server 5.1 | displayName | <surName> + ", " + <givenName> + " " + <middleName> (if there is no middle name, the trailing space is omitted). |
| inetOrgPerson | Sun ONE Directory Server 5.1 | mail | <sAMAccountName>@<company>.com |
| inetOrgPerson | Sun ONE Directory Server 5.1 | dn | "CN=" + <employeeId> + <configuration.sunone-container.root> |
| inetOrgPerson | Sun ONE Directory Server 5.1 | userPassword | Pseudo-random password |
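The rules in Table 5.5 are string and bit manipulation, so here is an added Python reimplementation of the core ones: sAMAccountName generation with the uniqueness counter, displayName, userAccountControl, the extranet altSecurityIdentities string, the intranet user attributes, and the Lotus Notes groupType mapping. This is not the VB.NET rules-extension code from the Tools and Templates package. The configuration values are the example values from Table 5.4; the set of characters treated as illegal, the choice to try the bare base name before appending a counter, and the sample employees are assumptions constructed for this example.

```python
"""Contoso calculated-attribute rules from Table 5.5, reimplemented in Python.

Added example: not the VB.NET rules-extension code shipped in the Tools and
Templates package. Configuration values are the example values from Table 5.4;
where the paper leaves a rule open, the interpretation is marked as an assumption.
"""
from typing import Dict, Optional, Set

# Example values from Table 5.4 (ContosoExtensions.xml).
CONFIG = {
    "intranet.root": "OU=ContosoCorp,dc=na,dc=corp,dc=contoso,DC=com",
    "intranet.employees": "OU=Employees",
    "upn": "na.corp.contoso.com",
    "ext-mail-domain": "@contoso.com",
    "issuing-CA-dn": "DC=com,DC=contoso,DC=corp,CN=CONTOSO-CA111",
    "CA-subject-prefix": "DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=employees",
}

UF_ACCOUNTDISABLE = 0x0002                 # Active Directory userAccountControl bits
UF_NORMAL_ACCOUNT = 0x0200
GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # Active Directory groupType bit

# Characters Active Directory does not allow in sAMAccountName
# (assumption: the paper only says "illegal characters are removed").
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<> ')


def strip_illegal(value: str) -> str:
    """Drop characters that are not allowed in a sAMAccountName."""
    return "".join(ch for ch in value if ch not in SAM_ILLEGAL)


def make_sam_account_name(given_name: str, surname: str, existing: Set[str]) -> str:
    """givenName(1..4) + surName(1..3) + 1, 2, 3, ... until unique.

    Assumption: the bare base is tried first, then numeric suffixes.
    Uniqueness is checked case-insensitively, as sAMAccountName is.
    """
    base = strip_illegal(given_name)[:4] + strip_illegal(surname)[:3]
    taken = {name.lower() for name in existing}
    candidate, counter = base, 0
    while candidate.lower() in taken:
        counter += 1
        candidate = f"{base}{counter}"
    return candidate


def make_display_name(surname: str, given_name: str, middle_name: Optional[str] = None) -> str:
    """<surName> + ", " + <givenName> + " " + <middleName>; no trailing space without a middle name."""
    name = f"{surname}, {given_name}"
    return f"{name} {middle_name}" if middle_name else name


def user_account_control(previous: Optional[int], employee_active: bool) -> int:
    """First provisioning sets NORMAL_ACCOUNT; afterwards the disabled bit follows
    the employee status (leave, retired and disabled all count as inactive)."""
    uac = UF_NORMAL_ACCOUNT if previous is None else previous | UF_NORMAL_ACCOUNT
    return uac & ~UF_ACCOUNTDISABLE if employee_active else uac | UF_ACCOUNTDISABLE


def intranet_user_attributes(sam: str, surname: str, given_name: str,
                             middle_name: Optional[str], employee_active: bool,
                             previous_uac: Optional[int] = None) -> Dict[str, object]:
    """The intranet Active Directory user rows of Table 5.5."""
    return {
        "sAMAccountName": sam,
        "cn": sam,
        "mailNickName": sam,
        "userPrincipalName": f"{sam}@{CONFIG['upn']}",
        "dn": f"CN={sam},{CONFIG['intranet.employees']},{CONFIG['intranet.root']}",
        "displayName": make_display_name(surname, given_name, middle_name),
        "userAccountControl": user_account_control(previous_uac, employee_active),
    }


def extranet_alt_security_identities(sam: str) -> str:
    """altSecurityIdentities value that binds the extranet account to its certificate."""
    return ("X509:<I>" + CONFIG["issuing-CA-dn"] + "<S>" + CONFIG["CA-subject-prefix"]
            + ",cn=" + sam + ",E=" + sam + CONFIG["ext-mail-domain"])


def lotus_group_type(ad_group_type: int, mail_enabled: bool) -> int:
    """Map the metaverse (Active Directory) groupType to the Lotus Notes groupType.
    Accepts both the signed 32-bit form AD stores and the unsigned form."""
    is_security = bool(ad_group_type & GROUP_TYPE_SECURITY_ENABLED)
    if is_security and mail_enabled:
        return 0   # multipurpose
    if is_security:
        return 2   # ACL only
    if mail_enabled:
        return 1   # mail only
    raise ValueError("neither security nor mail-enabled: Table 5.5 defines no mapping")


if __name__ == "__main__":
    taken: Set[str] = set()
    # Constructed sample employees; the second one collides with the first.
    for given, sur, middle, active in [("Jonathan", "Smith", "Q", True),
                                       ("Jonas", "Smithers", None, False)]:
        sam = make_sam_account_name(given, sur, taken)
        taken.add(sam)
        print(intranet_user_attributes(sam, sur, given, middle, active))
        print(extranet_alt_security_identities(sam))
```

Two details matter in practice: the uniqueness set passed to `make_sam_account_name` has to reflect what is already in the metaverse and the connected directory, not just the current import batch, and `lotus_group_type` raises for a group that is neither security-enabled nor mail-enabled because the paper defines no value for that case, which is better than silently exporting a wrong ACL type.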

When the MVSchemaExport.xml file is imported, it defines the correct metaverse schema. The only object type that this solution uses is the person object type, but it also configures a group object type for a later solution.

Subfolder: MA Exports

This subfolder contains the configuration for the MAs, exported to an .xml file. You can import these files by using the MIIS 2003 with SP1 Identity Manager, the administration program for MIIS 2003 with SP1. During the import process, the configuration is validated and verified. For example, any call-based MAs have their user account and password information checked, as well as other configuration information such as schema and directory-specific partitions.

You also must verify each page of the configuration. You might have to change connection and partition information if the connected directory structure is not the same as that specified in the file.

Table 5.6. MA Export Files

| File name | Purpose |
| --- | --- |
| ExtranetActiveDirectory.xml | Exported MA for the extranet Active Directory. |
| IntranetActiveDirectory.xml | Exported MA for the intranet Active Directory. |
| LotusNotes.xml | Exported MA for the Lotus Notes directory. |
| SAPHR.xml | Exported MA for the SAP HR system. |
| SunONEDirectory.xml | Exported MA for the Sun ONE Directory. |
| GroupManagement.xml | Exported MA for the group management system used in the second scenario in this chapter. |

GroupManagement.xml

Exported MA for the group management system used in the second scenario in this chapter.

Subfolder: MIIS 2003 Extensions

You primarily use the MIIS 2003 with SP1 rules extensions for provisioning and advanced flow rules. You must compile the source code provided here into dynamic-link libraries (DLL) that you build in (or at least copy to) the MIIS extension folder, which is usually located at C:\Program Files\Microsoft Identity Integration Server\Extensions.

A number of subfolders contain projects, each of which compiles to a DLL in a .dll file of the same name. All these projects are contained in a single solution called HR Driven Provisioning, which is stored in a subfolder with the same name. Each project also has its own subfolder, named after the project, that contains the following files:

Table 5.7. MIIS 2003 Rules Extensions

| File name | Purpose |
| --- | --- |
| AssemblyInfo.vb | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information. |
| <ProjectName>.vb | The Microsoft Visual Basic® .NET file for the extension. |
| <ProjectName>.vbproj | The project file that contains the configuration and build settings, and lists the files associated with the project. |
| <ProjectName>.vbproj.user | The project file that contains the user options related to the project. |

The projects in the following table are included:

Table 5.8. MIIS 2003 Rule Extensions Subfolders

| Subfolder name | DLL file name | Notes |
| --- | --- | --- |
| Contoso MV Extensions | ContosoMVExtensions.dll | Primarily provisioning code for users and for the groups used in the Group Management solution. |
| Contoso Utilities | ContosoUtilities.dll, PasswordGenerator.dll | Common methods for tasks such as stripping illegal characters or generating a sAMAccountName and pseudo-random passwords. |
| SAP HR | SAPHRExtension.dll | Import and export attribute flow rules for the SAP HR MA. |
| Extranet Active Directory | ExtranetActiveDirectoryExtension.dll | Import and export attribute flow rules for the extranet Active Directory MA. |
| Intranet Active Directory | IntranetActiveDirectoryExtension.dll | Import and export attribute flow rules for the intranet Active Directory MA. |
| Lotus Notes | LotusNotesExtension.dll | Import and export attribute flow rules for the Lotus Notes MA. |
| Self-Service Provisioning | SelfServiceProvisioningExtensions.dll | Import and export attribute flow rules for the Self-Service Provisioning MA, which is used in the final scenario in this chapter. |

Subfolder: Operations

You can use the scripts that the following table describes in conjunction with the Windows scheduler to perform regular MIIS 2003 with SP1 synchronization.

Table 5.9. Operations Script Files

| File name | Purpose |
| --- | --- |
| MA-Runs.cmd | This file serializes the MA runs by calling the runMA.vbs file with the appropriate parameters for each MA run profile. |
| runMA.vbs | This file uses Windows Management Instrumentation (WMI) to execute MA runs based on MA name and run profile. |

Implementation Prerequisites

This paper assumes that you have already implemented the identity aggregation and synchronization solution. If you have not already done so, you must install the software and infrastructure exactly as described in the "Implementation Prerequisites" section of the Identity Aggregation and Synchronization paper in this series. You must also implement the basic Contoso infrastructure.

Intranet Firewall Configuration

If you have already implemented the identity aggregation and synchronization solution, you do not have to perform this task. If you have not done so, configure firewall and DNS settings as described in the "Intranet Firewall Configuration" section of the Identity Aggregation and Synchronization paper in this series.

MIIS 2003 with SP1 Installation and Associated Configuration

If you have already implemented the identity aggregation and synchronization solution, you do not have to perform this task. If you have not done so, install and configure MIIS 2003 with SP1 exactly as described in the "MIIS 2003 with SP1 Installation and Configuration" section of the Identity Aggregation and Synchronization paper in this series. You must also configure the Sun ONE Directory Server 5.1 and Lotus Notes directories as described in that section.

Data Access Application Block for .NET v2

You must ensure that the Data Access Application Block for .NET v2 is installed. After you have downloaded the block, use the following steps to install it.

To install the Data Access Application Block

  1. Open the DataAccessApplicationBlock.msi file.
  2. Click Start, point to All Programs, click Microsoft Application Blocks for .NET, click Data Access v2, click Source Code (C#), and then click Data Access Application Block to open the solution in Microsoft Visual Studio® .NET.
  3. Build the solution to generate the Microsoft.ApplicationBlocks.Data.dll file.

Microsoft Message Queuing (MSMQ)

You must ensure that the Microsoft Message Queuing (MSMQ) component is installed, and then add the message queues that the IdM Notification Service requires.

To add the MSMQ component

  1. In Control Panel, click Add/Remove Programs, and then click Add/Remove Windows Components.
  2. In the Windows Components Wizard, select Application Server, and then click Details.
  3. Select Message Queuing, and then click Details.
  4. Select MSMQ HTTP Support, and then click OK.
  5. Click OK in any confirmation dialog boxes, click Next, and then click Finish to complete the installation.

To create the message queues for IdMNotificationSvc.exe

  1. In Administrative Tools, open the Computer Management console.
  2. Expand Services and Applications, and then expand Message Queuing.
  3. Right-click Private Queues, and select the option to create a new queue.
  4. Type the name as AccountProvisioning and then select the Transactional option.
  5. Do not change the other default options, and click OK.
  6. Repeat steps 3, 4, and 5 to create message queues called SelfServiceProvisioning and miisGroupManagement.

IdM Notification Service

Create the message queues that the IdM Notification Service will use, and then compile and install the IdM Notification Service. You also must configure Exchange and Lotus Notes for secure e-mail, so that initial password notifications (which are sent to the user's manager by e-mail) are not exposed.

To install and then start IdMNotificationSvc.exe

  1. Open a command prompt.
  2. Use the syntax: C:\<.NET Framework Installation Folder>\InstallUtil <IdMNotificationSvc.exe build path>

For example:

C:\Windows\Microsoft.NET\Framework\v1.1.4322>InstallUtil C:\IdmNotificationSvc\bin\debug\IdMNotificationSvc.exe

  3. Type NET START IdMNotificationSvc to start the service.

You should see the following output message:

The IdM Notification Service started successfully.

To secure initial password notifications

  1. Ensure that all relevant parties have enabled encryption between Outlook and the Exchange server. (To do this in Outlook, click Tools, click E-mail Accounts, select the Microsoft Exchange Server account, click Change, and then click More Settings. On the Security tab, select the Encryption option.)
  2. Follow the steps prescribed in the Domino/Notes documentation to secure e-mail traffic.

Implementation Tasks — Overview

To implement the solution for this scenario, perform the tasks that correspond to the following topic sections:

  • Configure MIIS 2003 with SP1.
  • Perform initial identity management operations.

Configure MIIS 2003 with SP1

This section provides detailed guidance for configuring MIIS 2003 with SP1. Information is provided for the following tasks:

  • Task 1: Extending the MIIS 2003 with SP1 metaverse schema
  • Task 2: Building the rules extensions
  • Task 3: Creating the SAP HR MA
  • Task 4: Creating or updating the intranet Active Directory MA
  • Task 5: Creating or updating the extranet Active Directory MA
  • Task 6: Creating or updating the Lotus Notes MA
  • Task 7: Creating or updating the Sun ONE Directory Server MA
  • Task 8: Configuring import attribute flow precedence
  • Task 9: Configuring the run profiles

There are five Management Agents associated with this solution.

  • If you have already implemented the identity aggregation and synchronization solution, you must create a new MA for the SAP HR system, and then update the existing MAs to reflect that the primary authority is the SAP HR system, not Active Directory.
  • If you have not already implemented the identity aggregation and synchronization solution, you must create all five Management Agents.

The following table explains the Management Agents that you must either create or update:

Table 5.10. Management Agents

| Management agent | Export file name containing MA configuration | If identity aggregation and synchronization solution is installed | If identity aggregation and synchronization solution is not installed |
|---|---|---|---|
| SAP HR | SAPHR.xml | Create | Create |
| Intranet Active Directory | IntranetActiveDirectory.xml | Update | Create |
| Extranet Active Directory | ExtranetActiveDirectory.xml | Update | Create |
| Lotus Notes | LotusNotes.xml | Update | Create |
| Sun ONE Directory | SunOneDirectory.xml | Update | Create |

The details will vary slightly between Management Agents, but the principles are the same for all of them.

Task 1: Extending the MIIS 2003 with SP1 Metaverse Schema

This task requires you to add new attributes to the MIIS 2003 with SP1 schema. To expedite this process, use the exported metaverse schema.

To extend the MIIS 2003 with SP1 metaverse schema by using an exported metaverse schema

  1. Open the MIIS 2003 with SP1 Identity Manager program.
  2. On the Tools menu, click Metaverse Designer.
  3. Click Actions, and then click Import Metaverse Schema.
  4. In the Open dialog box, locate the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\HR-Driven Provisioning\MA Configuration\mvschemaexport.xml file, which was included as part of the tools and templates that download with this paper. After locating this file, select it, and then click Open.
  5. The following message should display:

The schema import completed successfully.

  6. Click OK to close the dialog box.

Note    If you receive the error message "Microsoft Identity Integration Server is unable to import schema file. Attribute groupType has different type in the server schema", delete the metaverse entry for groupType and rerun the Metaverse Schema import.

Task 2: Building the Rules Extensions

The tools and templates that download with this paper include several MIIS 2003 with SP1 rules extensions. You must compile these extensions into DLLs before MIIS 2003 can use them.

To open the MIIS 2003 with SP1 extensions

  1. Open Visual Studio .NET.
  2. Click File, and then click Open Solution.
  3. Browse to the HR Driven Provisioning.sln file in the MIIS Extensions folder.

To ensure that all projects are built in the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\HR-Driven Provisioning\MIIS Extensions\HR Driven Provisioning folder

  1. In the Solution Explorer, right-click the ContosoMVExtensions project, and then click Properties.
  2. Select Configuration Properties, and then Build.
  3. Click the ellipsis (...) to select the output path, browse to the extensions folder (usually C:\Program Files\Microsoft Identity Integration Server\Extensions), and then click Open and OK.
  4. Repeat steps 1 through 3 for each project in turn.

The following procedure builds all the required projects into the correct directory, and ensures that if you build them again, they will compile into the correct directory.

To build all the projects

  1. On the Build menu, click Rebuild Solution to create the correct .dll files.
  2. Check that all the DLLs have been created in the extensions folder (check the dates).

Note    The default MIIS 2003 with SP1 installation directory is C:\Program Files\Microsoft Identity Integration Server.

  3. Copy the %UserProfile%\My Documents\Identity and Access Management\Provisioning and Workflow\HR-Driven Provisioning\MA Configuration\ContosoExtensions.xml file to the <MIIS Installation Directory>\Extensions folder.
  4. Edit the file <MIIS Installation Directory>\Extensions\ContosoExtensions.xml as necessary to modify the parameters. Table 5.3 shows the default values for these parameters. In addition, if your configuration has a different server name or OU structure, modify this file to reflect the correct names.

Task 3: Creating the SAP HR Management Agent

The following steps describe the process to create the SAP HR MA. Detailed configuration information is provided for this task, and for each of the following individual MA tasks to help you resolve any issues.

To create the SAP HR MA

  1. In the Identity Manager program, select the Management Agents tool.
  2. On the Actions menu, click Import Management Agent.
  3. In the File Open dialog box, navigate to the MA Exports folder, select the SAPHR.xml file, and then click Open.
  4. Review each screen, resolve any validation or verification process issues, and then click Finish.
  5. Copy (do not move) all SAP .csv files from the tools and templates folder to C:\Program Files\Microsoft Identity Integration Server\MaData\SAP HR\.

During the import process, MIIS 2003 validates various details, and requires you to review and verify each configuration screen. For call-based MAs you must supply the connection password.

The following notes should help you know what to look for and how to resolve any issues that might arise on each screen of the Management Agent Designer.

Properties

The type should be Delimited text file, and the name of the MA should be SAP HR.

Configuring Attributes

You must define the attributes in the following table. Note that these attributes were originally taken from the SAP HR Full Import.csv template file, which you are not required to use again unless there are changes to the SAP HR system schema. Also note that there are more attributes available (from the .csv file) that the solution does not use.

Table 5.11. SAP HR System Employee Information

| Attribute | Usage |
|---|---|
| Birthday | The employee's birthday. |
| Company | If employeeType = A then company = "Contoso" or "Fabrikam." |
| Country | The employee's country/region. |
| Department | The employee's department. |
| EmployeeDepartureDate | If employeeStatus = 1 then employeeDepartureDate = <leave start time>. If employeeStatus = 2 then employeeDepartureDate = <retirement date>. |
| EmployeeID | The employee's unique ID. |
| EmployeeStartDate | The date the employee started working in the company. |
| EmployeeStatus | The current employment status of the employee: 1 means that the employee is on leave; 2 means that the employee has retired from the company; 3 means that the employee is active. |
| EmployeeType | The type of employee: A means a full-time employee. |
| FacsimileTelephoneNumber | The employee's fax number without the international dialing prefix. |
| GivenName | The employee's given name. |
| Location | The employee's location. |
| Manager | If employeeType = A, then manager holds the employeeID of the manager. |
| MiddleName | The employee's middle name. |
| Mobile | The employee's mobile number without the international dialing prefix. |
| Pager | The employee's pager number without the international dialing prefix. |
| SurName | The employee's surname. |
| TelephoneNumber | The employee's telephone number without the international dialing prefix. |
| Title | The employee's job title. |

Ensure that the anchor is set to employeeID.

Defining Object Types

There is only the person object type.

Configuring Partitions

No information needed. There are no partitions.

Configuring Connector Filter

No information needed. There is no filter.

Join and Projection Rules

Ensure that the following join rule exists: Direct Mapping Based on employeeID.

Ensure that the following projection rule exists: Direct Projection of a Person.

Configuring Attribute Flow

On the Configure Attribute Flow page, the attribute mappings should appear as detailed in the following table. Note that if any metaverse attributes referenced in the table are incorrect or missing, validation will fail. If failure occurs, verify that the metaverse schema was correctly imported.

Table 5.12. SAP HR MA Attribute Flow for Person

| SAP HR attribute (Person Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction | Flow rule name |
|---|---|---|---|---|
| Birthday | birthDate | Direct | Import | |
| Company | company | Direct | Import | |
| Department | department | Direct | Import | |
| EmployeeDepartureDate | employeeDepartureDate | Direct | Import | |
| EmployeeID | employeeID | Direct | Import | |
| EmployeeStartDate | employeeStartDate | Direct | Import | |
| EmployeeStatus | employeeStatus | Advanced | Import | IAFemployeeStatus |
| EmployeeType | employeeType | Direct | Import | |
| Country, FacsimileTelephoneNumber | facsimileTelephoneNumber | Advanced | Import | IAFfacsimileTelephoneNumber |
| GivenName | givenName | Direct | Import | |
| GivenName, MiddleName, Surname | displayName | Advanced | Import | IAFdisplayName |
| GivenName, Surname | cn | Advanced | Import | IAFcn |
| GivenName, Surname | sAMAccountName | Advanced | Import | IAFsAMAccountName |
| Location | l | Direct | Import | |
| Manager | manager | Direct | Import | |
| Manager | managerEmail | Advanced | Import | IAFmanagerEmail |
| Country, Mobile | mobile | Advanced | Import | IAFmobile |
| Country, Pager | pager | Advanced | Import | IAFpager |
| Surname | sn | Direct | Import | |
| Country, TelephoneNumber | telephoneNumber | Advanced | Import | IAFtelephoneNumber |
| Title | title | Direct | Import | |

Many of these rules are direct flows that require no explanation. However, the more complex ones were implemented as rules extension rules (advanced mapping type) in the SAP HR MA rules extension. These are all import attribute flows.

The following import attribute flows result in stored values in the metaverse for use as required during provisioning.

  • displayName. The displayName is simply set to a combination of surname, givenName, and middleName.
  • sAMAccountName. The pre-Windows 2000 logon name is generated and stored in the metaverse, based on the first four characters of givenName and the first three characters of sn (surname), with the following exceptions:
    • Uniqueness is ensured by looking up the generated sAMAccountName in the MIIS 2003 with SP1 metaverse. If it is found, the numeral 1 is appended, and a new search is performed. If this name is also found, the numeral 2 is appended, and a new search is performed. This process continues until a unique sAMAccountName is generated.
    • The following illegal characters are replaced in sAMAccountName: national characters are replaced with their US ASCII equivalents; and " / \ [ ] : | < > + = ; , ? * are replaced with - (a hyphen).
  • cn. The common name is set to the same value as the sAMAccountName. This is required to generate a dn during provisioning.
  • managerEmail. The e-mail address of each user's manager is looked up in the MIIS 2003 with SP1 metaverse, and these values are stored for later use.
  • employeeStatus. The handling of an identity's "status" is of sufficient complexity to warrant a fuller explanation. The required behavior is that the SAP HR system is usually authoritative, and that a change in the SAP HR status should be reflected in Active Directory (the account is enabled and disabled accordingly). However, if an account is directly disabled in Active Directory, this behavior stops until the account is enabled again directly in Active Directory. The flow rules to achieve this are:
    • An import attribute flow rule extension for the SAP HR MA simply flows the value 1, 2, or 3 into the metaverse employeeStatus attribute to reflect the value of the corresponding attribute in the HR system. These numbers correspond to an employee on leave, a retired employee, or an active employee. However, if the metaverse employeeStatus attribute is 0, this flow stops.
    • An export attribute flow rule extension for the intranet Active Directory MA controls the userAccountControl Active Directory attribute depending on the employeeStatus attribute in the metaverse. If employeeStatus is 3, the account is enabled (it clears the appropriate userAccountControl bit); otherwise it is disabled (it sets the appropriate userAccountControl bit).
    • An import attribute flow rule extension for the intranet Active Directory MA ensures that if the account has been disabled directly in Active Directory (for example, through the Active Directory Users and Computers MMC snap-in), the employeeStatus metaverse attribute is set to 0 (account disabled). Because the SAP HR MA import flow rule stops flowing if the employeeStatus attribute is 0, this allows the Active Directory MA to seize authority from the SAP HR MA. Conversely, for an active account, the employeeStatus metaverse attribute is set to 3, which relinquishes authority. To be precise, the actual logic is: for a disabled account, if the metaverse employeeStatus attribute is 3, it is set to 0; and for an enabled account, if the metaverse employeeStatus attribute is 0, it is set to 3.
    • This approach was used because it might be desirable to rapidly disable a user, which is most readily achieved through Active Directory. When this happens, it is important that authority is transferred to and maintained in Active Directory unless reversed in Active Directory (in other words, the SAP HR system must not overwrite this change). This logic is achieved through the "manual precedence" expressed in the import and export flow rules described above.
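The naming rules listed above, modelled as an added example in plain Python. This is not the paper's C# rules extension and does not use the MIIS 2003 rules extension API: the metaverse is an in-memory list of dictionaries, the international dialing prefix table is constructed for the example because the paper does not give the one it uses, and the sample HR rows are constructed. The block carries sAMAccountName generation through the uniqueness search and the illegal-character replacement, and shows how cn, displayName, managerEmail and the Country-prefixed telephoneNumber are derived from the same HR record.

```python
"""Model of the SAP HR MA import attribute flows described in Task 3.

Added example: plain Python reproducing the naming logic the paper describes
(displayName, sAMAccountName, cn, managerEmail, prefixed phone numbers). It is
not the paper's C# rules extension and does not use the MIIS 2003 API; the
metaverse is modelled as an in-memory list of dicts.
"""
import re
import unicodedata

# Characters the paper lists as illegal in sAMAccountName; each becomes a hyphen.
ILLEGAL_SAM_CHARS = set('"/\\[]:|<>+=;,?*')

# Assumed international dialing prefixes keyed by the SAP HR Country value
# (constructed for this example; the paper does not give the table it uses).
DIALING_PREFIX = {"US": "+1", "GB": "+44", "DE": "+49"}


def to_us_ascii(text: str) -> str:
    """Replace national characters with their US-ASCII equivalents (e.g. 'ü' -> 'u')."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if ord(ch) < 128)


def display_name(given: str, middle: str, sn: str) -> str:
    """displayName: givenName, middleName and surname combined (empty parts skipped)."""
    return " ".join(part for part in (given, middle, sn) if part)


def base_sam_account_name(given: str, sn: str) -> str:
    """First four characters of givenName plus first three of sn, illegal characters replaced."""
    raw = to_us_ascii(given)[:4] + to_us_ascii(sn)[:3]
    return "".join("-" if ch in ILLEGAL_SAM_CHARS else ch for ch in raw)


def unique_sam_account_name(given: str, sn: str, metaverse: list[dict]) -> str:
    """Append 1, 2, 3, ... until the name is not already present in the metaverse."""
    existing = {mv.get("sAMAccountName", "").lower() for mv in metaverse}
    base = base_sam_account_name(given, sn)
    candidate, suffix = base, 0
    while candidate.lower() in existing:
        suffix += 1
        candidate = f"{base}{suffix}"
    return candidate


def prefixed_number(country: str, local_number: str) -> str:
    """Country + number without prefix -> number with the international dialing prefix."""
    digits = re.sub(r"\D", "", local_number)
    prefix = DIALING_PREFIX.get(country.upper())
    if prefix is None:
        raise ValueError(f"no dialing prefix known for country {country!r}")
    return f"{prefix} {digits}"


def import_person(hr_record: dict, metaverse: list[dict]) -> dict:
    """Run the SAP HR import flows for one HR record and add the person to the metaverse."""
    given, middle, sn = hr_record["GivenName"], hr_record.get("MiddleName", ""), hr_record["SurName"]
    sam = unique_sam_account_name(given, sn, metaverse)
    person = {
        "employeeID": hr_record["EmployeeID"],
        "givenName": given,
        "sn": sn,
        "displayName": display_name(given, middle, sn),
        "sAMAccountName": sam,
        "cn": sam,  # cn mirrors sAMAccountName so a dn can be built during provisioning
        "telephoneNumber": prefixed_number(hr_record["Country"], hr_record["TelephoneNumber"]),
    }
    # managerEmail: look the manager's mail up in the metaverse by employeeID, if already there.
    for mv in metaverse:
        if mv.get("employeeID") == hr_record.get("Manager") and mv.get("mail"):
            person["managerEmail"] = mv["mail"]
    metaverse.append(person)
    return person


# Constructed sample data: a metaverse holding one existing person, and two HR rows.
SAMPLE_METAVERSE = [
    {"employeeID": "1001", "sAMAccountName": "JonaSmi", "mail": "jsmith@contoso.com"},
]
SAMPLE_HR_ROWS = [
    {"EmployeeID": "1002", "GivenName": "Jonathan", "MiddleName": "", "SurName": "Smithson",
     "Country": "US", "TelephoneNumber": "425 555 0100", "Manager": "1001"},
    {"EmployeeID": "1003", "GivenName": "Jürgen", "MiddleName": "K", "SurName": "O/Brien",
     "Country": "GB", "TelephoneNumber": "20 7946 0000", "Manager": "9999"},
]


def run_sample() -> list[dict]:
    """Import the constructed HR rows into a copy of the constructed metaverse."""
    mv = [dict(entry) for entry in SAMPLE_METAVERSE]
    return [import_person(row, mv) for row in SAMPLE_HR_ROWS]


if __name__ == "__main__":
    for person in run_sample():
        print(person)
```

The second HR row shows both exceptions at once: the umlaut is folded to US ASCII before the first four characters are taken, and the slash that survives truncation is replaced by a hyphen. The first row collides with the existing JonaSmi and receives the suffix 1.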

Deprovisioning

Confirm that the Deprovisioning options are set to Make them disconnectors, and that the Do not recall check box is cleared.

Configuring Extensions

Confirm that the Rules Extension Name is SAPHRExtension.DLL, and that the Run this rules extension in a separate process check box is cleared to allow debugging. Password management settings are irrelevant.

Task 4: Creating or Updating the Intranet Active Directory Management Agent

To create or update the intranet Active Directory MA

  1. In Identity Manager, select the Management Agents tool.
    1. To create the Intranet Active Directory MA, on the Actions menu, click Import Management Agent.
    2. To update the MA if it already exists, select the MA, and then on the Actions menu, click Update Management Agent.
  2. In the File Open dialog box, navigate to the Exports folder, select the IntranetActiveDirectory.xml file, and then click Open.
  3. Review each screen, resolve any validation or verification process issues, and then click Finish.

During the update process, MIIS 2003 with SP1 validates certain details but might not require you to verify each screen. For call-based MAs, you will have to supply the connection password.

The following notes provide you with an idea of what to look for and how to resolve any issues that might arise on each screen of the Management Agent Designer.

Properties

The type should appear as Active Directory, and the name of the MA should appear as Intranet Active Directory.

Connecting to the Active Directory Forest

The original configuration used the following values:

  • Forest name: corp.contoso.com
  • Forest login user: MIISADIntranet
  • Forest login domain: na

If your parameters do not match those of the described environment, you must edit them. In any case, you must enter the correct password.

Configuring Directory Partitions

The original configuration was for the partition DC=na,DC=corp,DC=contoso,DC=com to include the containers OU=Disabled,OU=ContosoCorp,DC=contoso,DC=com, and OU=Employees,OU=ContosoCorp,DC=contoso,DC=com. If your environment is different, edit this partition information.

Selecting Object Types

The object types for Container, domainDNS, and organizationalUnit are mandatory. User is the only additional object type this solution requires.

Configuring Attributes

The solution includes several attributes. Any attributes that are referenced elsewhere — for example, in provisioning code or in attribute flow mappings — must be included here.

Configuring Connector Filter

No information needed. There is no filter.

Join and Projection Rules

Ensure that the following join rule exists for user: Direct Mapping Based on employeeID.

Ensure that the following join rule exists for group (in preparation for the Group Management Solution): Direct Mapping Based on sAMAccountName.

Configure Attribute Flow

On the Configure Attribute Flow page, attribute mappings should appear as detailed in the following table. Note that any referenced connector space attributes must appear on the inclusion list (see the previous "Configuring Attributes" section in this chapter). If any referenced metaverse attributes are incorrect or missing, validation will fail. If failure occurs, check the inclusion list and verify that the metaverse schema was correctly imported.

Table 5.13. Intranet Active Directory MA Attribute Flow for Person

| Intranet Active Directory attribute (User Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction | Flow rule name |
|---|---|---|---|---|
| accountExpires | employeeID, employeeStatus | Advanced | Export | EAFaccountExpires |
| c | c | Direct | Export | |
| co | co | Direct | Export | |
| company | company | Direct | Export | |
| department | department | Direct | Export | |
| displayName | displayName | Direct | Export | |
| employeeID | employeeID | Direct | Export | |
| facsimileTelephoneNumber | facsimileTelephoneNumber | Direct | Export | |
| givenName | givenName | Direct | Export | |
| l | l | Direct | Export | |
| mail | mail | Direct | Export | |
| manager | manager | Direct | Export | |
| mobile | mobile | Direct | Export | |
| pager | pager | Direct | Export | |
| sAMAccountName | sAMAccountName | Direct | Export | |
| sn | sn | Direct | Export | |
| telephoneNumber | telephoneNumber | Direct | Export | |
| title | title | Direct | Export | |
| userAccountControl | employeeStatus, employeeID | Advanced | Export | EAFemployeeStatus |
| userPrincipalName | sAMAccountName | Advanced | Export | EAFuserPrincipalName |
| cn | cn | Direct | Import | |
| mail | mail | Direct | Import | |
| mobile | mobile | Direct | Import | |
| sAMAccountName | sAMAccountName | Advanced | Import | IAFsAMAccountName |
| userAccountControl | employeeStatus | Advanced | Import | IAFemployeeStatus |
| userPrincipalName | userPrincipalName | Direct | Import | |

Many of these rules are direct flows that require no explanation. However, some are sufficiently complex that they were implemented as rules extensions (advanced mapping type). The following import attribute flows were implemented as intranet Active Directory MA rules extensions:

  • IAFsAMAccountName. This flows the sAMAccountName attribute to the metaverse. It is a rules extension (rather than a direct rule) because manual precedence requires this.
  • IAFemployeeStatus. This import attribute flow sets the employeeStatus metaverse attribute to 4 if the account has been disabled in Active Directory (detected by examining the userAccountControl attribute).

The following export attribute flows were implemented as intranet Active Directory MA rules extensions:

  • EAFaccountExpires. When an account is disabled because someone has "retired," this export attribute flow sets accountExpires to a suitable future date.
  • EAFuserPrincipalName. This export attribute flow sets userPrincipalName to a suitable value based on sAMAccountName and one of the elements in the configuration file (see Table 5.4).
  • EAFemployeeStatus. This export attribute flow sets or clears the 0x2 (ACCOUNTDISABLE) bit of the userAccountControl attribute according to the metaverse employeeStatus attribute.
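The manual-precedence hand-over described in the employeeStatus bullets of Task 3 and in the IAFemployeeStatus and EAFemployeeStatus flows above, as an added example in plain Python rather than the paper's C# rules extensions (it does not use the MIIS 2003 API). It follows the Task 3 description in using 0 for the "disabled directly in Active Directory" state, models the metaverse person and the Active Directory connector-space entry as dictionaries, and walks one constructed identity through the life cycle so the point at which Active Directory seizes, and later relinquishes, authority over the account is visible in the trace.

```python
"""Model of the employeeStatus "manual precedence" flows described in this paper.

Added example, not the paper's C# rules extensions: plain Python modelling the three
flow rules (SAP HR import, intranet AD export, intranet AD import) acting on one
metaverse person and one AD connector-space entry, both constructed as dicts.
"""

ACCOUNTDISABLE = 0x2    # userAccountControl bit that disables an account
NORMAL_ACCOUNT = 0x200  # userAccountControl bit set on ordinary user accounts

HR_STATUS_ON_LEAVE, HR_STATUS_RETIRED, HR_STATUS_ACTIVE = 1, 2, 3
MV_STATUS_AD_DISABLED = 0  # metaverse-only value: Active Directory holds authority


def iaf_employee_status_from_hr(hr_status: int, mv: dict) -> None:
    """SAP HR MA import flow: copy 1/2/3 into the metaverse unless AD holds authority (0)."""
    if hr_status not in (HR_STATUS_ON_LEAVE, HR_STATUS_RETIRED, HR_STATUS_ACTIVE):
        raise ValueError(f"unexpected SAP HR employeeStatus {hr_status!r}")
    if mv.get("employeeStatus") == MV_STATUS_AD_DISABLED:
        return  # flow stops: the account was disabled directly in Active Directory
    mv["employeeStatus"] = hr_status


def eaf_employee_status_to_ad(mv: dict, cs: dict) -> None:
    """Intranet AD MA export flow: enable the account only when employeeStatus is 3."""
    uac = cs.get("userAccountControl", NORMAL_ACCOUNT)
    if mv.get("employeeStatus") == HR_STATUS_ACTIVE:
        cs["userAccountControl"] = uac & ~ACCOUNTDISABLE
    else:
        cs["userAccountControl"] = uac | ACCOUNTDISABLE


def is_disabled(cs: dict) -> bool:
    """True when the ACCOUNTDISABLE bit is set on the connector-space entry."""
    return bool(cs.get("userAccountControl", 0) & ACCOUNTDISABLE)


def iaf_employee_status_from_ad(cs: dict, mv: dict) -> None:
    """Intranet AD MA import flow: transfer authority to or from AD based on the disable bit."""
    if is_disabled(cs) and mv.get("employeeStatus") == HR_STATUS_ACTIVE:
        mv["employeeStatus"] = MV_STATUS_AD_DISABLED  # AD seizes authority (3 -> 0)
    elif not is_disabled(cs) and mv.get("employeeStatus") == MV_STATUS_AD_DISABLED:
        mv["employeeStatus"] = HR_STATUS_ACTIVE       # AD relinquishes authority (0 -> 3)


def run_scenario() -> list[tuple[str, int, bool]]:
    """Walk one identity through the life cycle; return (step, mv status, AD disabled) per step."""
    mv = {"employeeID": "1002"}                   # constructed metaverse person
    cs = {"userAccountControl": NORMAL_ACCOUNT}   # constructed AD connector-space entry
    trace = []

    def sync(step: str, hr_status: int) -> None:
        # One synchronization cycle: HR import, AD export, AD import.
        iaf_employee_status_from_hr(hr_status, mv)
        eaf_employee_status_to_ad(mv, cs)
        iaf_employee_status_from_ad(cs, mv)
        trace.append((step, mv["employeeStatus"], is_disabled(cs)))

    sync("HR says active", HR_STATUS_ACTIVE)         # account enabled
    sync("HR says on leave", HR_STATUS_ON_LEAVE)     # HR disables; authority stays with HR
    sync("HR says active again", HR_STATUS_ACTIVE)   # HR re-enables

    # Someone disables the account directly in Active Directory Users and Computers.
    cs["userAccountControl"] |= ACCOUNTDISABLE
    iaf_employee_status_from_ad(cs, mv)              # next AD import: 3 -> 0
    trace.append(("disabled directly in AD", mv["employeeStatus"], is_disabled(cs)))

    sync("HR still says active", HR_STATUS_ACTIVE)   # ignored: AD holds authority

    # An administrator re-enables the account in Active Directory.
    cs["userAccountControl"] &= ~ACCOUNTDISABLE
    iaf_employee_status_from_ad(cs, mv)              # next AD import: 0 -> 3
    trace.append(("re-enabled directly in AD", mv["employeeStatus"], is_disabled(cs)))

    sync("HR says retired", HR_STATUS_RETIRED)       # HR authority is back: account disabled
    return trace


if __name__ == "__main__":
    for step, status, disabled in run_scenario():
        print(f"{step:28} employeeStatus={status} AD disabled={disabled}")
```

The trace makes the asymmetry visible: an HR-driven disable (status 1 or 2) never transfers authority, because the AD import rule only moves 3 to 0, whereas a disable performed directly in Active Directory does, and from that point the HR import flow is ignored until the account is re-enabled in Active Directory.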

Deprovisioning

Ensure that the deprovisioning options are set to Stage a delete, and that the Do not recall check box is cleared.

Configuring Extensions

Ensure that the Rules Extension Name is IntranetActiveDirectoryExtension.DLL, and that the check box for Run this rules extension in a separate process is cleared to allow debugging. Password management settings are irrelevant at this stage.

Task 5: Creating or Updating the Extranet Active Directory Management Agent

To create or update the extranet Active Directory MA

  1. In Identity Manager, select the Management Agents tool.
    1. To create the extranet Active Directory MA, on the Actions menu, click Import Management Agent.
    2. To update the MA if it already exists, select the MA, and then on the Actions menu, click Update Management Agent.
  2. In the File Open dialog box, navigate to the Exports folder, select the ExtranetActiveDirectory.xml file, and then click Open.
  3. Review each screen to resolve any validation or verification process issues, and then click Finish.

During the update process, MIIS 2003 with SP1 validates certain details but might not require you to verify each screen. For call-based MAs you will have to supply the connection password.

The following notes should help you know what to look for and how to resolve any issues that might arise on each screen of the Management Agent Designer.

Properties

The type should appear as Active Directory, and the name of the MA should appear as Extranet Active Directory.

Connecting to the Active Directory Forest

The original configuration used the following values:

  • Forest name: perimeter.contoso.com
  • Forest login user: administrator
  • Forest login domain: perimeter

If your parameters do not match those of the environment for this solution, you must edit them. In any case, you must enter the correct password.

Configuring Directory Partitions

The original configuration was for the partition DC=perimeter,DC=contoso,DC=com to include the containers OU=Disabled,OU=Accounts and OU=Employees,OU=Accounts both within DC=perimeter,DC=contoso,DC=com. If your environment is different, edit this partition information.

Selecting Object Types

The object types for Container, domainDNS, and organizationalUnit are mandatory. This solution requires the User object type. The next solution requires the Group object type.

Configuring Attributes

This solution includes several attributes. Any attributes referenced elsewhere in this chapter, for example, in provisioning code or in attribute flow mappings, must be included here.

Configuring Connector Filter

No information needed. There is no filter.

Join and Projection Rules

Ensure that the following join rules exist for user: Direct Mapping Based on employeeID, and Direct Mapping Based on sAMAccountName.

Configure Attribute Flow

On the Configure Attribute Flow page, attribute mappings should appear as detailed in the following table. Note that any referenced connector space attributes must appear on the inclusion list (see the previous "Configuring Attributes" section in this chapter). If any referenced metaverse attributes are incorrect or missing, validation will fail. If failure occurs, check the inclusion list and verify that the metaverse schema was correctly imported.

Table 5.14. Extranet Active Directory MA Attribute Flow for Person

| Extranet Directory attribute (User Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction | Flow rule name |
|---|---|---|---|---|
| accountExpires | employeeStatus, employeeID | Advanced | Export | EAFaccountExpires |
| altSecurityIdentities | sAMAccountName | Advanced | Export | altSecurityIdentities |
| c | c | Direct | Export | |
| co | co | Direct | Export | |
| company | company | Direct | Export | |
| department | department | Direct | Export | |
| employeeID | employeeID | Direct | Export | |
| givenName | givenName | Direct | Export | |
| l | l | Direct | Export | |
| mail | mail | Direct | Export | |
| manager | manager | Direct | Export | |
| sAMAccountName | sAMAccountName | Direct | Export | |
| sn | sn | Direct | Export | |
| telephoneNumber | telephoneNumber | Direct | Export | |
| userAccountControl | employeeStatus, employeeID | Advanced | Export | EAFemployeeStatus |
| userPrincipalName | userPrincipalName, sAMAccountName | Advanced | Export | EAFuserPrincipalName |

Many of these rules are direct flows that require no explanation. However, some sufficiently complex ones were implemented as rules extensions (advanced mapping type). The following export attribute flows were implemented as extranet Active Directory MA rules extensions:

  • EAFuserPrincipalName. This sets the UPN to a suitable value based on sAMAccountName and the external suffix parameter taken from the control file (see Table 5.4).
  • altSecurityIdentities. This sets up a reference to the appropriate X.509 certificate.
  • EAFemployeeStatus. This ensures that the employeeStatus attribute in the metaverse is reflected by setting or clearing the appropriate bit of the userAccountControl Active Directory attribute, which results in an enabled or disabled user.
  • EAFaccountExpires. When an account is disabled because someone has "retired," this export attribute flow is set to a suitable future date.

Deprovisioning

Ensure that the deprovisioning options are set to Stage a delete, and that the Do not recall check box is cleared.

Configuring Extensions

Ensure that the Rules Extension Name is ExtranetActiveDirectoryExtension.DLL, and that the Run this rules extension in a separate process check box is cleared to allow debugging. Password management settings are irrelevant at this stage.

Task 6: Creating or Updating the Lotus Notes Management Agent

To create or update the Lotus Notes MA

  1. Ensure that Lotus Notes ID files exist in the C:\Program Files\lotus\notes\data folder.
  2. In Identity Manager, select the Management Agents tool.
    1. To create the Lotus Notes MA, on the Actions menu, click Import Management Agent.
    2. To update the MA if it already exists, select the MA, and then on the Actions menu, click Update Management Agent.
  3. In the File Open dialog box, navigate to the Exports folder, select the LotusNotes.xml file, and then click Open.
  4. Review each screen, resolve any validation and verification process issues, and then click Finish.

During the update process, MIIS 2003 with SP1 validates certain details, but might not require you to verify each screen. For call-based MAs, you will have to supply the connection password.

The following notes should help you know what to look for and how to resolve any issues that might arise on each screen of the Management Agent Designer.

Properties

Ensure that the type appears as Lotus Notes 4.6, 5 or 6, and that the MA name is Lotus Notes.

Connecting to the Notes Server

The original configuration used the following values:

  • Server: FFL-SA-LOTUS/Fabrikam
  • Userid: C:\Program Files\lotus\notes\data\ADMIN.ID
  • NAB: NAMES.NSF

If your parameters do not match those of the described environment, edit them. In any case, you must enter the correct password.

Configuring Organizational Units

The original configuration used the following values:

  • OU: O=Fabrikam
  • Certifier path: C:\Program Files\lotus\notes\data\CERT.ID

If your parameters do not match those of the described environment, edit them.

Selecting Object Types

The address book is mandatory. This solution requires the User object type. This chapter requires the Group object type later.

Configuring Attributes

This solution includes several attributes. The first six in the following table are mandatory. Any attributes referenced elsewhere, for example, in provisioning code or in attribute flow mappings, must be included here.

Configuring Connector Filter

Configure a filter to exclude accounts in which ShortName equals madminis (matching the Short Name for the administrator account you created).

Join and Projection Rules

Ensure that the following join rule exists: Direct Mapping Based on employeeID.

Configuring Attribute Flow

On the Configure Attribute Flow page, the attribute mappings should appear as detailed in the following table. Note that any referenced connector space attributes must appear on the inclusion list (see the previous "Configuring Attributes" section). If any referenced metaverse attributes are incorrect or missing, validation will fail. If failure occurs, check the inclusion list and verify that the metaverse schema was correctly imported.

Table 5.15. Lotus Notes MA Attribute Flow for Person

| Lotus Notes attribute (Person Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction | Flow rule name |
|---|---|---|---|---|
| CellPhoneNumber | mobile | Direct | Export | |
| CompanyName | company | Direct | Export | |
| Department | department | Direct | Export | |
| EmployeeID | employeeID | Direct | Export | |
| FirstName | givenName | Direct | Export | |
| InternetAddress | mail, company | Advanced | Export | EAFinternetAddress |
| JobTitle | title | Direct | Export | |
| LastName | sn | Direct | Export | |
| MailAddress | mail, company | Advanced | Export | EAFMailAddress |
| Manager | manager | Direct | Export | |
| OfficeCity | l | Direct | Export | |
| OfficeFAXPhoneNumber | facsimileTelephoneNumber | Direct | Export | |
| OfficePhoneNumber | telephoneNumber | Direct | Export | |
| PhoneNumber_6 | pager | Direct | Export | |
| ShortName | sAMAccountName | Advanced | Export | EAFshortName |
| Title | title | Direct | Export | |

Many of these rules are direct flows that require no explanation. However, some sufficiently complex ones were implemented as rules extensions (advanced mapping type). The following export attribute flows were implemented as extranet Active Directory MA rules extensions:

  • InternetAddress. Flows the e-mail address that Exchange Server 2003 generates for Fabrikam users and deletes it for Contoso users.
  • mailAddress. Flows the e-mail address that Exchange Server 2003 generates for Contoso users and deletes it for Fabrikam users.
  • shortName. Generates this attribute to match sAMAccountName.
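The following MIIS 2003 rules extension is an added example of how the three advanced export flows above could be implemented; it is not the solution's own LotusNotesExtension.DLL. It assumes that the metaverse company attribute holds the literal values "Fabrikam" or "Contoso" and that the metaverse mail attribute already carries the address generated by Exchange Server 2003; neither assumption is stated on the page.

```csharp
// Added example (not the solution's own LotusNotesExtension.DLL).
// Assumptions: the metaverse "company" attribute is "Fabrikam" or "Contoso",
// and the metaverse "mail" attribute holds the Exchange-generated address.
using System;
using Microsoft.MetadirectoryServices;

public class LotusNotesExtension : IMASynchronization
{
    private const string FabrikamCompany = "Fabrikam";   // assumed value
    private const string ContosoCompany = "Contoso";     // assumed value

    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }

    // The flow rule names are those in the "Flow rule name" column of Table 5.15.
    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case "EAFinternetAddress":
                // Fabrikam users keep the Exchange address in InternetAddress; Contoso users must not.
                FlowMailForCompany(mventry, csentry, "InternetAddress", FabrikamCompany);
                break;
            case "EAFMailAddress":
                // Contoso users keep the Exchange address in MailAddress; Fabrikam users must not.
                FlowMailForCompany(mventry, csentry, "MailAddress", ContosoCompany);
                break;
            case "EAFshortName":
                // ShortName is generated to match sAMAccountName.
                if (mventry["sAMAccountName"].IsPresent)
                    csentry["ShortName"].Value = mventry["sAMAccountName"].Value;
                else
                    csentry["ShortName"].Delete();
                break;
            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // Flows the metaverse mail value into csAttribute only when the user belongs to
    // the given company; otherwise the connector space attribute is deleted.
    private static void FlowMailForCompany(MVEntry mventry, CSEntry csentry, string csAttribute, string company)
    {
        string mvCompany = mventry["company"].IsPresent ? mventry["company"].Value : null;

        // Fail closed: a missing or unexpected company value is surfaced as a
        // synchronization error for this object instead of silently routing an
        // e-mail address to the wrong directory.
        if (mvCompany != FabrikamCompany && mvCompany != ContosoCompany)
            throw new InvalidOperationException("Unexpected company value '" + mvCompany + "' for metaverse object " + mventry.ObjectID);

        if (mvCompany == company && mventry["mail"].IsPresent)
            csentry[csAttribute].Value = mventry["mail"].Value;
        else
            csentry[csAttribute].Delete();
    }

    // The remaining interface members are not used by this MA's configuration.
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry) { throw new EntryPointNotImplementedException(); }
}
```

Because the Configure Extensions page has the run-in-separate-process option cleared for debugging, an exception thrown here is reported against the individual object in the synchronization statistics, which is where to look when an address fails to flow.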

Deprovisioning

Ensure that the deprovisioning options are set to Stage a delete, and that the Do not recall check box is cleared.

Configuring Extensions

Ensure that the Rules Extension Name is LotusNotesExtension.DLL, and that the Run this rules check box is cleared to allow debugging. Password management settings are irrelevant at this stage.

Task 7: Creating or Updating the Sun ONE Directory Server Management Agent

To create or update the Sun ONE Directory Server MA

  1. In Identity Manager, select the Management Agents tool.
    1. To create the Sun ONE Directory Server MA, on the Actions menu, click Import Management Agent.
    2. To update the MA if it already exists, select the MA, and then on the Actions menu, click Update Management Agent.
  2. In the File Open dialog box, navigate to the Exports folder, select the SunONEDirectory.xml file, and then click Open.
  3. Review each screen, resolve any validation and verification process issues, and then click Finish.

During the update process, MIIS 2003 with SP1 validates certain details, but might not require you to verify each screen. For call-based MAs you must supply the connection password.

The following notes should help you know what to look for and how to resolve any issues that might arise with each screen of the Management Agent Designer.

Properties

The type should appear as Sun and Netscape directory services, and the name of the MA should appear as Sun ONE Directory.

Specifying Logon Information

The original configuration used these values:

  • Default server: FFL-SA-iPlanet
  • Default port: 389
  • Default login user: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot

If your parameters do not match those of the described environment, edit them. In any case, you must enter the correct password.

Naming Context

The original configuration used these values:

  • Partition: dc=fabrikam,dc=com
  • Include: dc=fabrikam,dc=com

If your parameters do not match those of the described environment, edit them.

Selecting Object Types

Ensure that the object types for organizationalUnit and iNetOrgPerson are selected.

Selecting Attributes

This solution includes several attributes. Any attributes referenced elsewhere in this chapter, for example, in provisioning code or in attribute flow mappings, must be included here.

Configuring Connector Filter

No information needed. There is no filter.

Join and Projection Rules

Ensure that the following join rule exists: Direct Mapping from employeeNumber to employeeID.

Configuring Attribute Flow

On the Configure Attribute Flow page, attribute mappings should appear as detailed in the following table. Note that any referenced connector space attributes must appear on the inclusion list (see the previous "Selecting Attributes" section). If any referenced metaverse attributes are incorrect or missing, validation will fail. If failure occurs, check the inclusion list and verify that the metaverse schema was correctly imported.

Table 5.16. Sun ONE MA Attribute Flow for Person

Sun ONE attribute (iNetOrgPerson Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction
description | company | Direct | Export
displayName | displayName | Direct | Export
employeeNumber | employeeID | Direct | Export
facsimileTelephoneNumber | facsimileTelephoneNumber | Direct | Export
givenName | givenName | Direct | Export
l | l | Direct | Export
mail | mail | Direct | Export
manager | manager | Direct | Export
sn | sn | Direct | Export
telephoneNumber | telephoneNumber | Direct | Export
Title | title | Direct | Export
uid | uid | Direct | Export

Deprovisioning

Ensure that the deprovisioning options are set to Make them disconnectors, and that the Do not recall check box is cleared.

Configuring Extensions

There is no rules extension. Password management settings are irrelevant at this stage.

Task 8: Configuring Import Attribute Flow Precedence

The basic metaverse schema must be defined before you can import the MAs. The MAs define flows into the metaverse attributes. If more than one attribute flow exists for an attribute, precedence must be defined. This configuration completes the metaverse schema definition. Use the following guidance to better understand how and what was set with this solution.

In many cases where there is more than one rule for import flow into the metaverse, the precedence is not important because it will only flow from one originating data source without conflict. The few cases in which precedence does matter are described below.

In Identity Manager, select the Metaverse Designer tool, and then use the following steps.

To configure attribute flow precedence

  1. In Object Types, click Person.
  2. Under Attributes, select the attribute whose flow precedence you want to change.
  3. On the Actions menu, click Configure Attribute Flow Precedence.
  4. Do one of the following:
  • Select Rules, click the Up or Down arrows to set the ranking according to the order in the following table, and then click OK.
  • Select Use manual precedence. (This option is only available if all attribute flow rules are rules extensions.)

Table 5.17. Attribute Flow Precedence

Metaverse attribute (Person Object) | Type | Attribute flow precedence | Manual precedence
cn | String (indexable) | 1. SAP HR; 2. Intranet Active Directory | (none)
employeeStatus | String (indexable) | N/A | Yes
sAMAccountName | String (indexable) | N/A | Yes

Task 9: Configuring the Run Profiles

The run profiles for each MA are imported with other settings. For information about run profile types, read the "Run Profiles" section in Chapter 4 of the Identity Aggregation and Synchronization paper in this series. For information about how to create or modify them, read the "Task 8: Create Run Profiles" section in Chapter 5 of that paper.

The following table details the run profiles that you need for this solution. Note that Export run profiles are followed by a confirming staged import and then by a delta synchronization. This final step ensures that any imported changes are propagated properly, and that any connector space objects accidentally disconnected, for example, manually by an administrator, are joined to their corresponding metaverse object again.

Table 5.18. Required Run Profiles

Management agent | Run profile name | Run profile type | Notes
SAP HR | Full Import (Stage Only) | Full Import (Stage Only) | Imports SAP HR Full Import.csv.
SAP HR | Delta Import | Delta Import and Delta Synchronization | Imports and synchronizes updates.csv. (This run is used for ongoing operation; the file is created from, or overwritten with, the latest data extracted during ongoing operation.)
SAP HR | Synchronize | Full Synchronization | Applies synchronization rules, including provisioning.
SAP HR | Demo 1 | Delta Import | Imports demo1.csv. (Run profiles Demo 1 to Demo 4 are for testing only.)
SAP HR | Demo 2 | Delta Import | Imports demo2.csv.
SAP HR | Demo 3 | Delta Import | Imports demo3.csv.
SAP HR | Demo 4 | Delta Import and Delta Synchronization | Imports and synchronizes demo4.csv.
Intranet Active Directory | Delta Import | Delta Import and Delta Synchronization | Not needed in regular operation.
Intranet Active Directory | Export | Step 1: Export; Step 2: Delta Import; Step 3: Delta Synchronization | Exports, re-imports to confirm the export, and also imports and synchronizes any changes from Active Directory.
Intranet Active Directory | Full Import (Stage Only) | Full Import (Stage Only) | Initial container discovery.
Intranet Active Directory | Full Synchronization | Full Synchronization | Initial synchronization.
Extranet Active Directory | Delta Import | Delta Import and Delta Synchronization | Not needed in regular operation.
Extranet Active Directory | Export | Step 1: Export; Step 2: Delta Import; Step 3: Delta Synchronization | Exports and re-imports to confirm the export.
Extranet Active Directory | Full Import (Stage Only) | Full Import (Stage Only) | Initial container discovery.
Extranet Active Directory | Full Synchronization | Full Synchronization | Initial synchronization.
Lotus Notes | Delta Import | Delta Import and Delta Synchronization | Not needed in regular operation.
Lotus Notes | Export | Step 1: Export; Step 2: Delta Import; Step 3: Delta Synchronization | Exports and re-imports to confirm the export.
Lotus Notes | Full Import (Stage Only) | Full Import (Stage Only) | Initial container discovery.
Lotus Notes | Full Synchronization | Full Synchronization | Initial synchronization.
Sun ONE Directory | Delta Import | Delta Import and Delta Synchronization | Not needed in regular operation.
Sun ONE Directory | Export | Step 1: Export; Step 2: Delta Import; Step 3: Delta Synchronization | Exports and re-imports to confirm the export.
Sun ONE Directory | Full Import (Stage Only) | Full Import (Stage Only) | Initial container discovery.
Sun ONE Directory | Full Synchronization | Full Synchronization | Initial synchronization.

Perform Initial Identity Management Operations

This section describes how to import and synchronize all existing data so that you are ready to conduct ongoing operations. This process involves several tasks, and the order in which they are performed is important. Later during ongoing operations, the order in which you perform them is not as important.

The initial identity integration management operations tasks are as follows:

  • Task 1: Turning off provisioning
  • Task 2: Initializing MIIS 2003 with SP1 connector spaces for all MAs
  • Task 3: Synchronizing connector spaces for all MAs
  • Task 4: Exporting metaverse attribute updates
  • Task 5: Turning on provisioning
  • Task 6: Resynchronizing and exporting to provision new accounts

Task 1: Turning Off Provisioning

If you have not already installed the identity aggregation and synchronization solution, you must perform this task so that no provisioning takes place until existing data has been synchronized.

If you have already installed the identity aggregation and synchronization solution, this step is not strictly necessary because your identity information is already synchronized. However, Microsoft strongly recommends that you turn provisioning off. It is generally a best practice to perform one task at a time whenever introducing a new MA to facilitate checking and debugging. Errors may occur if provisioning is attempted into a hierarchy that has not yet been discovered.

You can turn off provisioning in either of the following two ways.

To turn off provisioning

  • Edit the ContosoExtensions.xml configuration file in the Extensions folder. In the run-definitions configuration group, change the first configuration element to True.
  • Open Identity Manager and on the Tools menu, select Options, and then clear the option for Enable provisioning rules extension.

Task 2: Initializing MIIS 2003 with SP1 Connector Spaces for All Management Agents

If you have not already installed the identity aggregation and synchronization solution, you must perform this step for all Management Agents.

If you have already installed the identity aggregation and synchronization solution, run this step only for the new SAP HR MA. However, you can perform this step for all MAs to ensure that everything initializes correctly.

Run each MA that you created in the previous section with a Full Import (Stage Only) run type. To do so, complete the following steps for each MA.

To initialize the MIIS 2003 with SP1 connector spaces

  1. In the Management Agents tool, select an MA.
  2. On the Actions menu, click Run.
  3. In the Run Management Agent dialog box, select Full Import (Stage Only), and then click OK.
  4. Wait for the run-time state to return to idle, and then ensure that the connection status indicates successful results with no errors. In addition, verify that the statistics indicate that imports have taken place.

Note   If the status does not show success, errors are reported, or nothing has been imported according to the statistics, examine the problem and correct it.

Be sure to perform the previous steps for the following Management Agents:

  • SAP HR
  • Lotus Notes
  • Sun ONE Directory
  • Intranet Directory
  • Extranet Directory

Task 3: Synchronizing Connector Spaces for All Management Agents

You must synchronize all MAs so that new data can flow and you can apply new rules. This task documentation includes guidance for performing synchronization preview and for performing actual synchronization. In addition, guidance is provided on how to proceed with synchronization depending on whether you have already installed the identity aggregation and synchronization solution.

Performing Synchronization Preview

For each MA, it is considered a best practice to use the preview feature before performing the actual synchronization. The preview enables you to ensure that the rules function for sample data, including those for join, projection, import attribute flows, provisioning, and export attribute flows.

To preview synchronization

  1. In the Management Agent tool, select the MA that you want to work with.
  2. On the Actions menu, select Search Connector Space, and then click Search.
  3. Select one of the records, click Preview, and then click Generate Preview.
  4. Review the results of the preview to confirm that the results are what you anticipated.

Make sure that you address any reported errors before continuing to perform the actual synchronization.

Performing Actual Synchronization

Complete the following steps to accomplish this task.

To synchronize an MA

  1. In the Management Agent tool, select the MA that you want to synchronize.
  2. On the Actions menu, click Run.
  3. In the Run Profiles dialog box, select Full Synchronization or Synchronize (depending on the MA), and then click OK.
  4. Wait for the run-time state to return to idle, and then ensure that the bottom pane of the Management Agent user interface (UI) indicates successful results with no synchronization errors. In addition, verify that statistics indicate that projections have taken place.

View the connector space to make sure that the information looks correct. To view the connector space, on the Actions menu, click Search Connector Space or click the hyperlinked statistics.

If You Have Already Installed the Identity Aggregation and Synchronization Solution

If you have already installed the identity aggregation and synchronization solution, you must synchronize the MAs listed in the following table. The table also provides information about what the synchronization should accomplish for each MA.

Table 5.19. Synchronization Runs to Perform if the Identity Aggregation and Synchronization Solution Is Installed

Management agent: SAP HR. What should happen:
  • SAP HR system users join to existing metaverse objects. If no object with the correct employeeID can be found, a new object is projected.
  • Import flows take place for the attributes for which the SAP HR system is authoritative and has precedence.
  • Export flows take place to the connector spaces for other MAs as necessary.

Management agent: Intranet Active Directory. What should happen:
  • Ensures that all attributes are fully synchronized.
  • All import attribute flow rules are run.
  • Export flows take place to the connector spaces for other MAs as necessary.

Management agent: Sun ONE Directory. What should happen:
  • Ensures that all attributes are fully synchronized.
  • All import attribute flow rules are run.
  • Export flows take place to the connector spaces for other MAs as necessary.

Note   The Extranet Active Directory and Lotus Notes Management Agents are not included in the table because there is no import flow defined for them.

To view the connector spaces, on the Actions menu, click Search Connector Space or click the hyperlinked statistics.

If You Have Not Already Installed the Identity Aggregation and Synchronization Solution

If you have not installed the identity aggregation and synchronization solution, only perform the single synchronization described in the following table.

Table 5.20. Synchronization Run to Perform If the Identity Aggregation and Synchronization Solution Is Not Installed

Management agent: SAP HR. What should happen:
  • SAP HR system users project new metaverse objects.
  • Import flows take place for the attributes for which SAP HR is authoritative.

Task 4: Exporting Metaverse Attribute Updates

If you have already installed the identity aggregation and synchronization solution, perform this task to make sure that any changes are exported.

If you have not already installed the identity aggregation and synchronization solution, skip this step because you do not yet have any exports. Complete the following steps to run the Lotus Notes Export process.

To export metaverse attribute updates to existing users

  1. In the Management Agent tool, select the Lotus Notes MA.
  2. On the Actions menu, click Run.
  3. In the Run Profiles dialog box, select Export, and then click OK.
  4. Wait for the run-time state to return to idle, and then ensure that the bottom pane of the Management Agent UI indicates successful results and no errors.
  5. Repeat steps 1 – 4 for all Management Agents except SAP HR, which is a one-way feed.

This task exports any pending connector space objects (resulting from export flow from the metaverse) and performs a confirming delta import.

Task 5: Turning On Provisioning

To provision any required new accounts, you must enable provisioning. Depending on how provisioning was turned off, you can perform this task in one of the following two ways.

To turn on provisioning

  • Edit the ContosoExtensions.xml configuration file (in the Extensions folder). In the run-definitions configuration group, change the first configuration element to False.
  • In Identity Manager, on the Tools menu, under Options, select Enable provisioning rules extension.

In either case, ensure that on the Tools menu, under Options, the Rules extension name has been set to ContosoMVExtensions.dll.

Task 6: Resynchronizing and Exporting to Provision New Accounts

You must run the provisioning code for each metaverse object, and you do this by ensuring that each object is involved in a synchronization. One way to ensure that a complete synchronization occurs is to run a Full Synchronization step for all MAs that have projected any metaverse objects.

If you have already installed the identity aggregation and synchronization solution, synchronize the SAP HR MA and any others that projected objects during Task 4. Any "missing" connector space objects will be created, ready for export. "Missing" objects are those that should exist according to the business rules but do not, presumably because of errors in the former manual administration.

If you have not already installed the identity aggregation and synchronization solution, you must synchronize only the SAP HR MA. This synchronization will create accounts in the connector spaces for all other MAs to prepare them for export.

In either case, you must perform an export run type for all MAs that have pending exports.

To provision new accounts

Run the synchronization and export steps described in one of the following tables, depending on whether you have already installed the identity aggregation and synchronization solution.

Table 5.21. If You Have Already Installed the Identity Aggregation and Synchronization Solution

Management agent | Run profile | What should happen
SAP HR | Full synchronization | Only "missing" accounts are provisioned into the connector spaces for other MAs according to the business rules.
Intranet Active Directory | Export | Only "missing" accounts are provisioned into Active Directory and re-imported to confirm export (mail-enabled for Contoso, mailbox-enabled for Fabrikam).
Extranet Active Directory | Export | Only "missing" accounts are provisioned into Active Directory and re-imported to confirm export (for Sales employees only).
Lotus Notes | Export | Only "missing" accounts are provisioned into Lotus Notes and re-imported to confirm export (mailboxes for Fabrikam, contacts for Contoso).
Sun ONE Directory | Export | Only "missing" accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export (Fabrikam employees only).

Table 5.22. If You Have Not Already Installed the Identity Aggregation and Synchronization Solution

Management agent | Run type | What should happen
SAP HR | Full synchronization | All accounts are provisioned into the connector spaces for other MAs according to the business rules.
Intranet Active Directory | Export | New accounts are provisioned into Active Directory and re-imported to confirm export (mail-enabled for Contoso, mailbox-enabled for Fabrikam).
Extranet Active Directory | Export | New accounts are provisioned into Active Directory and re-imported to confirm export (for Sales employees only).
Lotus Notes | Export | New accounts are provisioned into Lotus Notes and re-imported to confirm export (mailboxes for Fabrikam, contacts for Contoso).
Sun ONE Directory | Export | New accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export (Fabrikam employees only).

Group Management

The solution for the Group Management scenario builds directly on the HR-Driven Provisioning solution described in the previous section.

The following sections describe the solution for the Group Management scenario.

Folder: Group Management

This folder contains a script to install the following components:

  • The Web-based Group Management Administration application
  • The Group Populator program
  • The Group Management Microsoft SQL Server database

Subfolder: GroupManagementDB

This subfolder contains a SQL script to create the database that the Group Management Web application uses.

Subfolder: miisGroupManagement

This subfolder contains the source code required to build and deploy the Web-based Group Management administrative application.

Subfolder: GroupPopulator

This subfolder contains the source code required to build the Group Populator program, which builds the group memberships after you define them through the Web UI.

Implementation Prerequisites

Before implementing this solution, you must implement the HR-Driven Provisioning solution. You must also have a Web application server (IIS) running Microsoft Windows Server™ 2003 and the Microsoft .NET Framework 1.1, joined to the Active Directory domain. You should also have Active Server Pages (ASP) enabled. For information about how to enable ASP in IIS, refer to the Windows Server 2003 Help and Support Center.

Implementation Tasks

The next sections in this chapter detail the tasks that you must perform to implement the Group Management solution:

  • Task 1: Preparing the Contoso intranet Active Directory to receive groups
  • Task 2: Creating and initializing the Group Management database
  • Task 3: Compiling and configuring the Group Management application
  • Task 4: Configuring the metaverse for groups
  • Task 5: Creating the new MA
  • Task 6: Verifying the intranet Active Directory and Lotus Notes MAs
  • Task 7: Setting the metaverse object deletion rule for groups

Task 1: Preparing the Contoso Intranet Active Directory to Receive Groups

Perform the steps in this task to create the appropriate OU structure to prepare the Contoso intranet Active Directory.

To create the appropriate OU structure

  1. Log on to a domain controller as a domain administrator.
  2. Open the Active Directory Users and Computers Microsoft Management Console (MMC) and make sure that there is an OU called Groups under the ContosoCorp OU in the na.corp.contoso.com domain node. Add this OU if it does not exist.

Task 2: Creating and Initializing the Group Management Database

Both the Group Populator program and the Group Management Web application depend on the miisGroupManagement database. Application security is managed through access to this database. The minimum requirements for access to the database are SQL Server data-reader and data-writer permissions. You might consider a more sophisticated security model, such as using Authorization Manager, before deploying this solution in a live environment.

Complete the steps in this task to create the database and populate it with configuration and sample data.

To create and initialize the database

  1. Log on to the computer running SQL Server 2000 or later as a local administrator.
  2. Browse to the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\GroupManagement\CreateGroupPopulatorDB.cmd file and run it.
  3. Confirm that the miisGroupManagement database has been created.

Task 3: Compiling and Configuring the Group Management Application

You must now compile the Group Populator program and the Group Management Web application.

To compile the Group Populator program

  1. Log on to the computer running MIIS 2003 with SP1 and Visual Studio .NET.
  2. In Windows Explorer, navigate to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\GroupManagement\GroupPopulator, and then double-click the GroupPopulator.sln file to open the solution in Visual Studio .NET.
  3. Double-click the app.config file in the Solution Explorer window.
  4. Verify the SQL connection string to the server of the MIIS and Group Management databases.
  5. On the Build menu, select Rebuild Solution.

To compile and configure the Group Management Web Application

  1. Copy the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\GroupManagement\miisGroupManagement subfolder to C:\inetpub\wwwroot.
  2. Double-click the GroupManagement.sln file to load it into Visual Studio .NET.
  3. On the Build menu, select Rebuild Solution.
  4. In Internet Information Services (IIS) Manager, right-click Default Web Site, select New, and then select Virtual Directory.
  5. Click Next, type the name miisGroupManagement, click Next, and then browse to C:\inetpub\wwwroot\miisGroupManagement (which you just created). Click Next, select the option to Run scripts, click Next, and then click Finish.
  6. Right-click the new miisGroupManagement Web site, and then select Properties.
  7. On the Directory Security tab, click Edit, and then ensure that Enable anonymous access is cleared, and that Integrated Windows Authentication is selected.

Task 4: Configuring the Metaverse for Groups

Perform the steps in this task to make sure that the metaverse is properly configured for groups. You must ensure that the group object type is defined, and that it has the required attributes. You must also set the object type deletion rule so that a metaverse object is deleted if the definition is deleted in the Group Management Web application.

To ensure that the group object type is properly configured

  1. In Identity Manager, select the Metaverse Designer tool.
  2. Under Object types, select Group. If there is no such object type, click Create Object Type, type the name Group, and then select the displayName, groupType, uid, description, info and member attributes (if possible).
  3. Under Attributes, ensure that the displayName, groupType, uid, description, and member attributes are present. If any are missing, click Add Attribute to select them. Depending on the nature of your MIIS implementation, you may need to create the groupType and enabledFlag attributes. Create groupType as number, and enabledFlag as string-indexable.

Task 5: Creating the New MA

Perform the steps in this task to create the Group Management MA that will import and update group objects.

To create the Group Management MA

  1. In Identity Manager, on the Tools menu, click Management Agents, and then click Import Management Agent.
  2. In the Open dialog box, browse to the MA Exports folder, which is under the HR-Driven Provisioning folder.
  3. Select the GroupManagement.xml file, and click Open.
  4. Click Next to continue through the Create Management Agent Wizard, and provide the password for the account that the MA uses to connect to SQL Server.
  5. Verify the information on each page of the wizard, and then click Finish.

You should not have to change any settings, except perhaps connection details if your environment varies from the one described.

Task 6: Verifying the Intranet Active Directory and Lotus Notes MAs

These MAs should already include the settings for managing groups and users.

To verify the intranet Active Directory MA

  1. Open Identity Manager, and then select the Management Agents tool.
  2. Select the Intranet Active Directory MA, and in the Actions pane, click Properties.
  3. On the Select Object Types page, ensure that the group check box is selected.
  4. On the Select Attributes page, ensure groupType and member are selected.
  5. On the Configure Join and Projection Rules page, verify the join rule detail in the following table. Because groups are provisioned for this MA, no joining is expected to take place. It is a best practice to have a join rule for every object in every MA in case an accidental disconnection occurs.

    Table 5.23. Join Rule Configuration for Group and Object Types

    Data source object type | Data source attribute | Metaverse object type | Metaverse attribute | Mapping type
    Group | sAMAccountName | Group | sAMAccountName | Direct

  6. On the Configure Attribute Flow page, verify that the attribute mappings in the following table are present.

    Table 5.24. Group Export Attribute Flow Rules for the Intranet Active Directory MA

    Data source attribute | Metaverse attribute | Mapping type | Allow nulls? | Notes
    description | description | Direct | Yes | (none)
    groupType | groupType | Direct | No | (none)
    info | info | Direct | Yes | (none)
    sAMAccountName | displayName | Direct | No | (none)
    mailNickname | mailNickname | Direct | Yes | (none)
    Member | member | Direct | Yes | Allows zero members

  7. On the Configure Deprovisioning page, ensure that the option for Stage a delete on the object for the next export run is selected.

To verify the Lotus Notes MA

  1. Open Identity Manager, and then select the Management Agents tool.
  2. Select the Lotus Notes MA, and then in the Actions pane, click Properties.
  3. On the Select Object Types page, ensure that the Group check box is selected.
  4. On the Select Attributes page, ensure GroupType and Members are selected.
  5. On the Connection Filter page, ensure that the following filters are defined:
  • ListName equals 'LocalDomainServers'
  • ListName equals 'OtherDomainServers'
  • ListName equals 'LocalDomainAdmins'
  6. On the Configure Join and Projection Rules page, verify the join rule detail in the following table. Because groups are provisioned for this MA, no joining is expected to take place. However, it is a best practice to have a join rule for every object in every MA in case an accidental disconnection occurs.

    Table 5.25. Join Rule Configuration for Group and Object Types

    Data source object type | Data source attribute | Metaverse object type | Metaverse attribute | Mapping type
    Group | GroupTitle | Group | displayName | Direct

  7. On the Configure Attribute Flow page, verify the attribute mapping details in the following table.

    Table 5.26. Export Attribute Flow Rules for the Lotus Notes MA

| Data source attribute | Metaverse attribute | Mapping type | Allow nulls? | Notes |
|---|---|---|---|---|
| GroupTitle | displayName | Direct | No | |
| ListDescription | displayName | Direct | No | |
| Members | Member | Direct | Yes | Allows zero members |
| GroupType | groupType, mailNickname | Rules Extension | No | |

  8. On the Configure Deprovisioning page, ensure that Stage a delete… is selected, and that the Do not recall check box is cleared.

Task 7: Setting the Metaverse Object Deletion Rule for Groups

Configure the metaverse object deletion rule for the group object type so that groups are deleted automatically.

To set the metaverse object deletion rule

  1. In Identity Manager, select the Metaverse Designer tool.
  2. Under Object types, select Group.
  3. On the Actions menu, click Configure Object Deletion Rule.
  4. On the Configure Object Deletion Rule page, select Delete metaverse object when connector from this management agent is disconnected.
  5. In the list of MAs, select the Group Management MA, and then click OK.

Self-Service Provisioning

The solution for the Self-Service Provisioning scenario that the following sections describe builds directly on the Group Management solution outlined in the previous section.

Folder: Self-Service Provisioning

This folder contains a number of subfolders containing the files required to implement the Self-Service Provisioning Web application.

Subfolder: Azman

The Self-Service Provisioning Web application is secured through Microsoft Authorization Manager. Anyone can request contractor accounts, but only a user who has been granted the Approver role can approve provisioning. The Azman subfolder contains the mystore.xml file, which has the Authorization Manager policy information required to define the Approver role.

Subfolder: SQL

The Self-Service Provisioning Web application depends on the MIISWorkflow database. The SQL Server script, SelfServiceProvisioningDB.SQL, creates this database, including the required tables and stored procedures.

Subfolder: SSProv

This folder contains all the source code required to build the Self-Service Provisioning Web application itself, SelfSvcProvisioning.sln, and all its associated projects.

Subfolder: MA Exports

The Self-Service Provisioning Web application presents new contractor data to MIIS 2003 with SP1, which imports the data and provisions accounts to Active Directory. This folder contains the Self-ServiceProvisioning.xml file from which you can import the new MA that MIIS requires.

Implementation Prerequisites

Before implementing this solution, you must implement the Group Management solution described previously in this chapter. You must also have a Web application server that has Windows Server 2003 and the Microsoft .NET Framework 1.1 joined to the Active Directory domain.

Implementation Tasks

The remainder of this chapter details the following tasks to implement the Self-Service Provisioning Web application:

  • Task 1: Creating and initializing the Self-Service Provisioning (MIISWorkflow) database
  • Task 2: Configuring Active Directory and Authorization Manager
  • Task 3: Compiling and configuring the Self-Service Provisioning Web application
  • Task 4: Verifying the new MA
Task 1: Creating and Initializing the Self-Service Provisioning (MIISWorkflow) Database

The Self-Service Provisioning Web application depends on the MIISWorkflow database. Complete the steps in this task to create the database.

To create and initialize the database

  1. Log on to the computer running SQL Server 2000 or later as a local administrator.
  2. In the SQL Server Query Analyzer, browse to the SQL folder, and then run SelfServiceProvisioningDB.sql.
  3. Confirm that the MIISWorkflow database has been created.
Task 2: Configuring Active Directory and Authorization Manager

To configure Active Directory and Authorization Manager, you need at least two users: one as a requestor, and one as an approver. You can select two of the accounts that you created in the HR-Driven Provisioning solution. You must also create a Contractor Request Approver role, and a group to manage users who are granted that role. Also, you need a service account to run the application.

Select two accounts and set their passwords

  1. Log on to the domain controller, and run Active Directory Users and Computers.
  2. Select two users that you have provisioned into ou=Employees,ou=ContosoCorp, and reset their passwords to something suitable (rather than the pseudo-random ones they had). One user will be a requestor (this is not a special role), and the other an approver.

To configure the required Active Directory accounts

  1. Select the Users OU, and add a new Universal Security Group called Contractor Request Approvers (MIIS 2003 with SP1 will not manage this group). This group must be e-mail enabled.
  2. Select your Approver from ou=Employees,ou=ContosoCorp.
  3. Add a new user called SSProvSvcAcct with a suitable password.

To configure database permissions for the SSProvSvcAcct service account

  1. In SQL Server Enterprise Manager, browse to MicrosoftSqlServers\SQL Server group\(local) (Windows NT)\Security.
  2. Under Security, right-click Logins, and then select New Logins.
  3. On the General tab, add the na\SSProvSvcAcct name.
  4. On the Database Access tab, under Databases, select the MIISWorkflow database, and then under Roles, select public and db_owner, then click OK.

To configure other required permissions for the SSProvSvcAcct service account

  1. On the computer running MIIS 2003 with SP1, in Active Directory Users and Computers, add NA\SSProvSvcAcct to the IIS_WPG group.
  2. Add NA\SSProvSvcAcct to the MIISOperators group.
  3. In Administrative tools, open the Computer Management console.
  4. Browse to System Tools, Services and Applications, Message Queuing, and finally Private Queues.
  5. Right-click the SelfServiceProvisioning queue, and select Properties.
  6. On the Security tab, add the account SSProvSvcAcct, and then select the full permissions option for this account.
  7. Navigate to the Windows folder, right-click the Temp folder, and select Properties.
  8. On the Security tab, ensure that the account SSProvSvcAcct has Read and Write access, and Execute permissions to the folder.

Note   These permissions are required to work around a known issue. For more information, see the Message Queuing Frequently Asked Questions paper.

To configure Authorization Manager

  1. Log on to the computer running IIS, and then run mmc.
  2. On the File menu, select Add/Remove Snap-in, and then add the Authorization Manager snap-in.
  3. Copy the mystore.xml file from the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\Self-Service Provisioning\Azman subfolder of the Tools and Templates folder to drive C.
  4. Right-click Authorization Manager, select Options, select Developer Mode, and then click OK.
  5. Right-click Authorization Manager, and then open the authorization store in c:\mystore.xml (located in the Azman subfolder described previously). Expand the tree and note that this provides for a Contractor Approver Role and an Approve Contractor Request Operation.
  6. Expand the tree to view the Contractor Approver role assignment, then right-click this role and assign it to your Contractor Request Approvers group.
Task 3: Compiling and Configuring the Self-Service Provisioning Web Application

You must now install and compile the required source code and configure the Web application. You should also create two shortcuts to simplify the process of running the Request and Approve operations within the security contexts of your two chosen users.

To compile and configure the Self-Service Provisioning Web application

  1. Create a folder called SSProv in C:\inetpub\wwwroot, and then copy the contents of the subfolder %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\Self-Service Provisioning\SSProv\ into the new folder.
  2. Double-click SelfSvcProvisioning.sln to load it into Visual Studio .NET.
  3. Verify that the settings in the web.config file for this solution are consistent with your environment.
  4. On the Build menu, select Rebuild Solution.
  5. In IIS Manager, right-click Application Pools, and then add a new application pool called SSProv that uses default settings.
  6. Right-click SSProv, select Properties, select the Identity tab, select Configurable security account, and then type the SSProvSvcAcct credentials.
  7. Right-click Default Web Site, select New, and then select Virtual Directory.
  8. Click Next, provide the name SSProv, click Next, and then browse to the path C:\inetpub\wwwroot\SSProv (which you just created). Click Next and Finish.
  9. Right-click the new SSProv Web site, and then select Properties. Select the Directory Security tab, and then, under Authentication and Access Control, click Edit. Ensure that the Enable anonymous access check box is cleared, and that the Integrated Windows Authentication check box is selected.
  10. Right-click the SSProv Web site, select Properties, and then select the SSProv Application pool.
  11. At a command prompt, type iisreset and then press Enter to restart IIS.

To create two shortcuts

  1. For the Request operation, create a shortcut whose target is: %windir%\system32\runas.exe /profile /user:<domain\username1> "C:\Program Files\Internet Explorer\iexplore.exe http://localhost/ssprov/ssprovrequest.aspx".
  2. For the Approve operation, create a shortcut whose target is: %windir%\system32\runas.exe /profile /user:<domain\username2> "C:\Program Files\Internet Explorer\iexplore.exe http://localhost/ssprov/ssprovapproval.aspx".
  3. Ensure that the Web applications load.
Task 4: Verifying the New MA

You can export an MA's configuration to an .xml file and then import it using the MIIS 2003 with SP1 Identity Manager, which is the administration program for MIIS 2003 with SP1. The import process validates and verifies the configuration. For example, the user account and password information of any call-based Management Agents are checked, as well as other configuration information, such as schema and directory-specific partitions. You also are required to verify each page of the configuration wizard. You might have to change the connection and partition information if the connected directory structure is not the same as that specified in the file. Perform the steps in this task to create the Self-Service Provisioning MA that will import and update group objects.

To create the Self-Service Provisioning MA

  1. Open Identity Manager, then on the Tools menu, click Management Agents, and then click Import Management Agent.
  2. In the Open dialog box, browse to the MA Exports folder.
  3. Select the SelfServiceProvisioning.xml file and click Open.
  4. Click Next to continue through the Create Management Agent Wizard, and provide the password for the account that the MA uses to connect to SQL Server.
  5. Verify each page of the wizard, and then click Finish.

You should not have to change any settings, except perhaps connection details if your environment varies from the one described.

Chapter 6: Testing the Solution

This chapter describes how to validate the implemented scenario solutions from the previous chapter. It also provides some steps on how to troubleshoot common implementation challenges. It does not provide comprehensive guidance on how to test the end-to-end user or administrator experiences.

Testing the HR-Driven Provisioning Solution

When you have completed the HR-Driven Provisioning solution implementation according to the guidance in Chapter 5, "Implementing the Solution," you are ready to validate it to ensure that it meets the specified requirements.

Validating the Base Environment

To validate the base environment, perform baseline tests 1 through 5 in Chapter 6, "Testing the Solution," in the Identity Aggregation and Synchronization paper in this series. Also perform tests 1 through 4 in the "Validating Aggregation and Synchronization" section of the same paper, then complete the following baseline tests. The management agent (MA) solutions should compile and create assemblies in the Microsoft Identity Integration Server\Extensions folder with no errors.

Baseline Test 1: Verify rules extension assembly creation

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Browse to the <MIIS installation path>\Extensions\ folder.
  3. Verify the presence of the following files:
  • IntranetActiveDirectoryExtension.dll
  • ExtranetActiveDirectoryExtension.dll
  • LotusNotesExtension.dll
  • SAPHRExtension.dll
  • ContosoMVExtensions.dll

Baseline Test 2: Verify that the MAs exist in Identity Manager

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges, and then open Identity Manager.
  2. In Identity Manager, on the Tools menu, click Management Agents.
  3. Verify that the following MAs are present in Identity Manager:
  • Intranet Active Directory
  • Extranet Active Directory
  • Sun ONE Directory
  • Lotus Notes
  • SAP HR

Baseline Test 3: Verify that the message queues are properly configured

  1. In Administrative tools, open the Computer Management console.
  2. Browse to System Tools, Services and Applications, Message Queuing, and finally Private Queues.
  3. Confirm the presence of the following message queues:
  • accountprovisioning
  • selfserviceprovisioning
  • miisgroupmanagement
  4. In turn, right-click each message queue, select Properties, and then confirm that the text Transactional queue displays.

Baseline Test 4: Verify accounts across all data sources

  1. Browse to the <MIIS Installation path>\MaData\SAP HR folder.
  2. Open the SAP HR FULL Import.csv file in Notepad.
  3. Confirm the presence of these three example employees:
  • Laura Steele in Fabrikam Research and Development
  • James Wilson in Contoso Customer Services
  • William Malone in Contoso Sales
  4. Log on to the intranet domain controller with domain administrator privileges.
  5. In Active Directory Users and Computers, confirm the presence of user accounts for each of the three example employees in OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com.
  6. Check the properties for each in turn and confirm that Laura Steele has a Fabrikam e-mail address, and that the other two have Contoso e-mail addresses.
  7. Log on to the Lotus Notes Server. In Lotus Domino Administrator, on the Administration menu, select People and Groups.
  8. Verify that Laura Steele has a mailbox and that the other two example employees are included as contacts.
  9. Log on to the extranet domain controller with domain administrator privileges.
  10. In Active Directory Users and Computers, confirm the presence of William Malone as a user who works in Sales (the other two example employees will not be present) in OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com.
  11. Log on to the Sun ONE server. In the iPlanet Console, select Users and Groups.
  12. Confirm the presence of an inetOrgPerson account for Fabrikam employee Laura Steele (the other two example employees will not be present).

Validating HR-Driven Provisioning

It is important to perform the following tests so that you can validate that the solution is functioning correctly. Subsequent sections in this chapter address these tests in detail:

  • Test 1: Provisioning
  • Test 2: Status changes and deprovisioning
  • Test 3: Disabling an account in Active Directory
  • Test 4: Automated run cycle
Test 1: Provisioning

Complete the procedures in this section to verify that new users created in the mySAP ERP Human Capital Management system (SAP HR system) are correctly provisioned into the appropriate connected data sources according to Contoso's business rules.

Use the demonstration .csv files to simulate data export from the SAP HR system.

To simulate adding new users to the SAP HR system

  1. Log on to the MIIS 2003 server with MIIS administrative privileges.
  2. In Microsoft Windows® Explorer, navigate to the <MIIS installation path>\madata\SAP HR folder, and then use Notepad to open the demo1.csv file. Note the new users.
  3. In Identity Manager, select the Management Agent tool.
  4. In the Management Agent tool, select SAP HR MA.
  5. In the Actions panel, click Run.
  6. In the Run Management Agent dialog box, select demo1, and then click OK.

This profile uses the demo1.csv file.

  7. Verify that the staging statistics indicate four Adds.

To preview provisioning

  1. In the Management Agent tool that is still open from the last test, click the hyperlink for the four Adds.
  2. Select the first one, and then click Properties.
  3. Click Preview, and then click Generate Preview. (In this case, Full or Delta synchronization will work the same.)
  4. Examine the results to verify that provisioning is happening in accordance with the business rules detailed in the following table. Also verify that there is an export flow for each provisioned account.
  5. Click Close twice, and then repeat steps 2 through 5 for each connector space entry.

    Table 6.1. New Users in Demo1.csv

| Name | Company | Department | Status | Expected result |
|---|---|---|---|---|
| Oliver Cox | Contoso | Operations | 3 (active) | An intranet Active Directory® mailbox was enabled for this user; a Lotus Notes Contact was created. |
| Phil Gibbins | Fabrikam | Customer Service | 3 (active) | An intranet Active Directory mailbox was enabled for this user; a Lotus Notes mailbox was created; a Sun ONE Directory Server 5.1 account was created. |
| Justin Thorp | Contoso | Sales | 3 (active) | An intranet Active Directory mailbox was enabled for this user; a Lotus Notes mailbox was created; an extranet shadow account was created. |
| Alex Roland | Contoso | Operations | 3 (active) | An intranet Active Directory mailbox was enabled for this user; a Lotus Notes Contact was created. |

To complete provisioning

  1. Close any open dialog boxes in the Management Agent tool.
  2. In the Actions panel, click Run.
  3. In the Run Management Agent dialog box, select the Full Synchronization run profile, and then click OK.
  4. Verify that the statistics agree with the information that you just previewed.
  5. For each target MA, select Run and the Export run profile, and then click OK.
  6. Verify that each MA exported Adds.

To verify that all accounts were provisioned in accordance with Table 6.1

  1. On an intranet Active Directory domain controller, log on as an administrator.
    1. Start the Active Directory Users and Computers Microsoft Management Console (MMC).
    2. Verify that the accounts were created correctly.
  2. On an extranet Active Directory domain controller, log on as an administrator.
    1. Start the Active Directory Users and Computers MMC.
    2. Verify that the accounts were created correctly.
  3. Log on to the Lotus Notes server by using Lotus Domino Administrator.
    1. On the Administration menu, select People and Groups.
    2. Verify that the accounts were created correctly.
  4. Log on to the Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) server by using iPlanet Console 5.1.
    1. In the iPlanet console, select Users and Groups.
    2. Verify that the accounts were created correctly.

To verify that the accounts are properly formed and that notifications were sent

  • Access the e-mail account for Alex Roland, who is Oliver Cox's manager, and check his e-mail. Note the account password for Oliver Cox that was e-mailed to the manager.
  • Using this password, log on to a domain computer as Oliver Cox. After verifying that you can log on, log off and then log on again by using the MIIS 2003 administrative account as usual.
Test 2: Status Changes and Deprovisioning

Complete the procedures in this section to verify the following: If the HR status of a user changes to leave or retired, or if an Active Directory account is disabled, corresponding accounts also change status accordingly.

Use the demonstration .csv files to simulate the data export from the SAP HR system.

To simulate a status change for users in the SAP HR system

  1. Log on to the MIIS 2003 server with MIIS administrative privileges.
  2. In Windows Explorer, navigate to the <MIIS installation path>\madata\SAP HR folder, and then open the demo2.csv file with Notepad.

Note that some users have been modified.

  3. In Identity Manager, select the Management Agent tool.
  4. In the Management Agent tool, select SAP HR MA.
  5. In the Actions panel, click Run.
  6. In the Run Management Agent dialog box, select demo2, and then click OK.

This profile uses the demo2.csv file.

  7. Verify that the staging statistics indicate two Updates.

To preview status changes

  1. With the Management Agent tool still open from the last test, click the hyperlink for the two Updates.
  2. Select the first one, and then click Properties.
  3. Click Preview, and then click Generate Preview. (In this case, Full or Delta synchronization will work the same.)
  4. Examine the results to verify that export attribute flow is indicated in accordance with the business rules in the following table.
  5. Click Close twice, and then repeat steps 2 through 5 for the other connector space entry.

Table 6.2. Modified Users in Demo2.csv

| Name | Company | Department | Status | Expected result |
|---|---|---|---|---|
| Oliver Cox | Contoso | Operations | 1 (leave) | The intranet Active Directory account was disabled (the "2 bit" of the userAccountControl attribute was set). |
| Phil Gibbins | Fabrikam | Customer Service | 2 (retired) | The intranet Active Directory account was disabled; an expiration date was set. |

To complete the changes

  1. Close any open dialog boxes in the Management Agent tool.
  2. In the Actions panel, click Run.
  3. In the Run Management Agent dialog box, select the Full Synchronization run profile, and then click OK.
  4. Verify that the statistics agree with the information that you just previewed.
  5. For the intranet Active Directory MA, select Run, select the Export run profile, and then click OK.
  6. Verify that the MA exported the updates.

To verify that all accounts were modified in accordance with Table 6.2

  1. On the intranet Active Directory domain controller, log on as an administrator.
  2. Open the Active Directory Users and Computers MMC.
  3. Verify the correct account changes.
Test 3: Disabling an Account in Active Directory

To verify that Active Directory can override the SAP HR system

  1. With the Active Directory Users and Computers MMC still open, find the account for Justin Thorp and disable it.
  2. In Identity Manager, select the Management Agent tool.
  3. In the Management Agent tool, select the Intranet Active Directory MA.
  4. In the Actions panel, click Run.
  5. In the Run Management Agent dialog box, select the Delta import and Delta Synchronization run profile, and then click OK.
  6. Verify that one update was imported.
  7. Select the Metaverse Search tool.
  8. Select columns, and then click Search so that you can easily identify the objects and find Justin Thorp.

If you have a large number of objects, you can use a suitable clause or sort order to help you find the right one.

  9. Examine the properties for this object, and verify that the employeeStatus is 0 (disabled).
  10. In the Management Agent tool, select SAP HR MA.
  11. In the Actions panel, click Run.
  12. In the Run Management Agent dialog box, select Full Synchronization, and then click OK to re-apply all the attribute flow rules.
  13. Select the Metaverse Search tool.
  14. Examine the properties for Justin Thorp again to verify that employeeStatus is still 0 (disabled), and that the SAP HR MA did not override the Active Directory setting.

To verify that Active Directory can cede authority to the SAP HR system again

  1. In the Active Directory Users and Computers MMC, find the account for Justin Thorp, and enable it.
  2. In Identity Manager, select the Management Agents tool.
  3. In the Management Agent tool, select the Intranet Active Directory MA.
  4. In the Actions panel, click Run.
  5. In the Run Management Agent dialog box, select the Delta Import and Delta Synchronization run profile, and then click OK.
  6. Verify that one update was imported.
  7. Select the Metaverse Search tool.
  8. Examine the properties for Justin Thorp again, and verify that the employeeStatus is set to 3 (active).
  9. In the Management Agent tool, select the SAP HR MA.
  10. In the Actions panel, click Run.
  11. In the Run Management Agent dialog box, select demo3, and then click OK.

This profile uses the demo3.csv file, which contains a record showing that Justin Thorp is on leave, as the following table indicates.

Table 6.3. Modified User in Demo3.csv

| Name | Company | Department | Status | Expected result |
|---|---|---|---|---|
| Justin Thorp | Contoso | Sales | 1 (leave) | The intranet Active Directory account was disabled; the extranet Active Directory account was disabled. |

  12. Verify that the staging statistics indicate one Update.
  13. In the Run Management Agent dialog box, select Full Synchronization, and then click OK.
  14. Select the Metaverse Search tool.
  15. Examine the properties for Justin Thorp again, and verify that this user's status is now set to 1 (leave).
Test 4: Automated Run Cycle

After you complete the provisioning, status change, and deprovisioning tests, you are ready to implement a regular run cycle. The following table details the activity cycle.

Table 6.4. Regular Provisioning Activity Cycle

| MA | Run type | What should happen |
|---|---|---|
| SAP HR | Delta Import and Delta Synchronization | All new accounts are provisioned into connector spaces for the other MAs according to the business rules; all updates are synchronized with the connector spaces for the other MAs. |
| Intranet Active Directory | Export and Delta Import and Delta Synchronization | New accounts are provisioned into Active Directory and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other MAs. |
| Extranet Active Directory | Export and Delta Import and Delta Synchronization | New Sales accounts are provisioned into Active Directory and re-imported to confirm export. |
| Lotus Notes | Export and Delta Import and Delta Synchronization | New accounts are provisioned into Lotus Notes and re-imported to confirm export. |
| Sun ONE Directory | Export and Delta Import and Delta Synchronization | New Sales accounts are provisioned into the Sun ONE Directory Server and re-imported to confirm export. |

You can use the demo4.csv SAP transfer file to provide some new and modified identity information for this test. Use this test to further check the correct application of the rules.

Note   When you export to the intranet Active Directory, the confirming delta import might occur before the Exchange Recipient Update Service (RUS) has had a chance to populate the mail attribute of any new accounts with an e-mail address. Thus, it will not be until a later run cycle that the delta import detects the changes and synchronizes to propagate them. If you are testing, you can simply run the Export run profile again.

To perform the regular run cycle

  1. Edit the delta import and delta synchronization run profile so that it uses the demo4.csv file. To do so:
    1. In the Management Agent tool, select SAP HR MA, and then click Configure Run Profiles.
    2. In the Configure Run Profiles dialog box, select the Delta Import run profile, which performs a delta import and delta synchronization, select Step 1, and then click Edit Step.
    3. Click Next, click Select, and then select demo4.csv.
    4. Click OK, click Finish, and then click OK.
  2. In the Operations folder, run the MA-runs.cmd file.
  3. After all activity is completed, use the Management Agent tool to select each MA in turn to examine staging, synchronization, and export statistics.
  4. Examine all directories to verify that there were no errors, and that provisioning and synchronization happened in accordance with the information in the following table.

Table 6.5. New and Modified Users in Demo4.csv (All Active)

| Name | Company | Department | Delta type | Expected result |
|---|---|---|---|---|
| Alex Roland | Contoso | Sales | Modify | The department changed to Sales; the extranet shadow account was created. |
| Phil Gibbins | Fabrikam | Customer Service | Modify | Attributes flowed to other accounts. |
| Maurice Taylor | Contoso | Operations | Add | The intranet Active Directory mailbox was enabled for this user; a Lotus Notes Contact was created. |
| Justin Thorp | Contoso | Operations | Modify | The extranet shadow account was deleted; the intranet Active Directory account was re-enabled. |
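
The following Python is an added example, not code from this paper or from the MIIS rules extensions: it models the provisioning and status-precedence rules that Tests 1 through 4 exercise, using HR records constructed from Tables 6.1 to 6.5, so that the expected results of each demo file can be checked before the run. The connector names, the treatment of a disabled account whose HR status is leave or retired, and the omission of Lotus Notes objects are assumptions of this model.

```python
from dataclasses import dataclass, field

# userAccountControl flag that marks an Active Directory account as disabled (the "2 bit").
ACCOUNTDISABLE = 0x2

# employeeStatus values used by the HR feed and the metaverse in this solution.
DISABLED, LEAVE, RETIRED, ACTIVE = 0, 1, 2, 3


@dataclass
class HrRecord:
    """One row of a demoN.csv transfer file (constructed shape, not the real CSV layout)."""
    name: str
    company: str
    department: str
    status: int = ACTIVE


@dataclass
class MetaverseEntry:
    employee_status: int
    connectors: set = field(default_factory=set)


def expected_connectors(rec):
    """Data sources an HR record is provisioned into (Tables 6.1 and 6.5).
    Connector names are assumed; Lotus Notes objects are not modelled."""
    targets = {"intranet_ad"}
    if rec.company == "Contoso" and rec.department == "Sales":
        targets.add("extranet_ad")  # extranet shadow account for Contoso Sales
    if rec.company == "Fabrikam":
        targets.add("sun_one")      # Sun ONE Directory Server account for Fabrikam staff
    return targets


class Metaverse:
    """Stand-in for the metaverse status and precedence behaviour that Tests 1 to 4 check."""

    def __init__(self):
        self.entries = {}

    def hr_sync(self, rec):
        """Apply one SAP HR record (import plus synchronization); returns connector changes."""
        mv = self.entries.setdefault(rec.name, MetaverseEntry(rec.status))
        # Test 3: an account disabled in AD (status 0) is not re-activated by HR status 3.
        if not (mv.employee_status == DISABLED and rec.status == ACTIVE):
            mv.employee_status = rec.status
        wanted = expected_connectors(rec)
        changes = {"added": wanted - mv.connectors, "deleted": mv.connectors - wanted}
        mv.connectors = wanted
        return changes

    def ad_delta_import(self, name, user_account_control):
        """Apply the intranet AD state seen on a delta import; AD wins for disable and enable."""
        mv = self.entries[name]
        ad_disabled = bool(user_account_control & ACCOUNTDISABLE)
        if ad_disabled and mv.employee_status == ACTIVE:
            mv.employee_status = DISABLED  # manual disable in AD overrides the HR status
        elif not ad_disabled and mv.employee_status == DISABLED:
            mv.employee_status = ACTIVE    # manual re-enable cedes authority back to HR
        # A disabled account whose HR status is leave or retired is the expected export
        # result, not an administrator override, so it is left as is (assumed rule).
        return mv.employee_status

    def intranet_export(self, name):
        """Attribute flow to the intranet AD connector space (Tables 6.2 and 6.3)."""
        mv = self.entries[name]
        return {
            "userAccountControl": ACCOUNTDISABLE if mv.employee_status != ACTIVE else 0,
            "accountExpires_set": mv.employee_status == RETIRED,
        }


def run_demo_cycle():
    """Walk Tests 1 to 4 with records constructed from Tables 6.1 to 6.5; returns the results."""
    mv, out = Metaverse(), {}
    demo1 = [HrRecord("Oliver Cox", "Contoso", "Operations"),
             HrRecord("Phil Gibbins", "Fabrikam", "Customer Service"),
             HrRecord("Justin Thorp", "Contoso", "Sales"),
             HrRecord("Alex Roland", "Contoso", "Operations")]
    for rec in demo1:                                                # Test 1: four adds
        out[("demo1", rec.name)] = mv.hr_sync(rec)["added"]
    mv.hr_sync(HrRecord("Oliver Cox", "Contoso", "Operations", LEAVE))            # Test 2
    mv.hr_sync(HrRecord("Phil Gibbins", "Fabrikam", "Customer Service", RETIRED))
    out["demo2"] = {n: mv.intranet_export(n) for n in ("Oliver Cox", "Phil Gibbins")}
    after_disable = mv.ad_delta_import("Justin Thorp", ACCOUNTDISABLE)            # Test 3
    mv.hr_sync(HrRecord("Justin Thorp", "Contoso", "Sales"))         # HR still says active
    after_hr_sync = mv.entries["Justin Thorp"].employee_status
    after_enable = mv.ad_delta_import("Justin Thorp", 0)
    mv.hr_sync(HrRecord("Justin Thorp", "Contoso", "Sales", LEAVE))              # demo3.csv
    # The confirming delta import sees the exported disable bit; HR status 1 must survive it.
    after_confirm = mv.ad_delta_import("Justin Thorp", ACCOUNTDISABLE)
    out["test3"] = (after_disable, after_hr_sync, after_enable, after_confirm)
    out["demo4_alex"] = mv.hr_sync(HrRecord("Alex Roland", "Contoso", "Sales"))     # Test 4
    out["demo4_justin"] = mv.hr_sync(HrRecord("Justin Thorp", "Contoso", "Operations"))
    out["demo4_justin_status"] = mv.entries["Justin Thorp"].employee_status
    return out
```

Running run_demo_cycle() reproduces the expected results of Tables 6.1 to 6.5, including the case where an administrator's disable in Active Directory survives a full synchronization from SAP HR.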

Testing the Group Management Solution

After the Group Management solution implementation is complete, you are ready to validate your implementation to ensure that it meets the specified requirements.

Validate the Implementation Prerequisites

Ensure that you have completed the previous tests to validate the HR-Driven Provisioning solution.

Validate the Implementation

The following tests are important for this scenario because they validate key requirements and functionality.

Baseline Tests

After completing the Group Management solution implementation as described in Chapter 5, "Implementing the Solution," verify that you have performed the following tasks:

  • Creating and initializing the Group Management database
  • Creating and initializing the Group Populator program
  • Compiling and configuring the Group Management application
  • Configuring the metaverse for groups
  • Creating the new MA
  • Verifying the Active Directory and Lotus Notes MAs, and the deprovisioning settings
  • Setting the Metaverse Object Deletion Rule for groups
  • Performing initial operations
  • Configuring run profiles

In addition to these tasks, perform the following test:

To verify whether the group management database is configured

  1. In Microsoft SQL Server Enterprise Manager, open the object hierarchy until you can see Databases.
  2. Verify that a miisGroupManagement database exists.
  3. Verify that it has eight tables.
Validating the Group Management Web Application

Use the following tests to validate the application:

  • Test 1: Verifying manual group additions
  • Test 2: Verifying attribute group additions
  • Test 3: Verifying the Managing Exceptions feature
  • Test 4: Verifying reference attribute group additions
  • Test 5: Verifying synchronization of manual changes
  • Test 6: Verifying synchronization of identity data changes
  • Test 7: Verifying group removal
  • Test 8: Verifying notifications

Test 1: Verifying Manual Group Additions

Complete the steps in this section to verify that you can add manual groups through the Group Management Web application. Add some groups and then manually import, synchronize, and export them. Note that the database installs with a few sample groups. Examine them and ascertain whether they are useful. This test is described as though the sample groups do not exist.

To add groups

  1. Load the Web page http://localhost/miisGroupManagement/default.aspx.
  2. Click Add Group, and then set the Group name to Engineers and the Description to Title starts with Engineer.
  3. Set the Group Type to Sec group – Univ, and then click the ellipsis (...) to set Mail to Mail disabled.
  4. Click the clause ellipsis (...), select title, select Starts with, type Engineer, and then click Add. Click Preview to view the membership, and then click Close. Finally, click Update in the clause dialog box.
  5. At the end of the row, click Update to save the new group.
  6. Repeat steps 2 through 5 for a number of groups to test various options with the data in the following table:

Table 6.6. Manual Groups

| Group name | Description | Group type | Mail | Clause |
|---|---|---|---|---|
| Marketing | Marketing department | Sec Group – Global | Mail-enabled with default alias | department = 'marketing' |
| Cambridge | Location is Cambridge | Sec Group – DomLocal | Mail-enabled with custom alias "Camb" | l = 'Cambridge' |
| EngineerDist | All Engineers | Dist Group – Univ | Mail-enabled with default alias | title like '%engineer%' |

To run the Group Populator

  • Navigate to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\GroupManagement\GroupPopulator\bin and double-click Group Populator.exe. (Typically, you include this as part of a batch command file, but each step is tested in this procedure.)

To perform the initial import

  1. In the Management Agents tool, select the Group Management MA.
  2. On the Actions menu, click Run.
  3. In the Run Management Agent dialog box, select Full Import (Stage Only) run, and then click OK.

Note   Ordinarily you would use a Delta Import. Use the full import the first time.

  4. Wait for the run-time state to return to idle, and then ensure that the connection status indicates successful results with no errors reported. In addition, verify that the statistics indicate that Adds have taken place. (The number will represent the total of groups and users involved in those groups.)

To preview synchronization

  1. In the Management Agents tool, select the Group Management MA.
  2. In the Synchronization Statistics panel, click the Adds hyperlink, and then select a group (not a user).
  3. Click Properties, click Preview, and then click Generate Preview.
  4. Ensure that the group is correctly projected into the metaverse and provisioned into the connector spaces for the Intranet Active Directory and Lotus Notes.
  5. Close all dialog boxes.

To project and provision groups

  1. In the Management Agents tool, select the Group Management MA.
  2. On the Actions menu, click Run.
  3. In the Run Management Agent dialog box, select the Full Synchronization run, and then click OK.
  4. Wait for the run-time state to return to idle, and then ensure that the connection status indicates successful results and no errors. In addition, verify that the statistics indicate that provisioning and export flow have occurred. Refer to the following table to check the statistics.

To export the new groups

  1. In the Management Agent tool, select the Intranet Active Directory MA.
  2. On the Actions menu, click Run.
  3. In the Run Management Agent dialog box, select the Export run, and then click OK.
  4. Wait for the run-time state to return to idle, and then ensure that the connection status indicates successful results with no errors reported. In addition, verify that the statistics indicate that Adds were exported and re-imported.
  5. Repeat these steps for Lotus Notes, and then refer to the following table to check the statistics.

Table 6.7. MA Operations

Name                        Profile                    Step  Statistics
Group Management            Full Import (Stage Only)   1     Staging: Adds 4 groups + U (where U is the total number of users
                                                             involved in the groups). Updates to existing groups might also appear.
Group Management            Full Synchronization       1     Inbound Synchronization: Projections 4; Joins U; Connectors with
                                                             Flow Updates 4 + U.
                                                             Outbound Synchronization, Lotus Notes: Export Attribute Flow 4;
                                                             Provisioning Adds 4.
                                                             Outbound Synchronization, Intranet Active Directory: Export
                                                             Attribute Flow 4; Provisioning Adds 4.
Intranet Active Directory   Export                     1     Adds 4
Intranet Active Directory   Export                     2     Staging Adds 4
Lotus Notes                 Export                     1     Adds 4
Lotus Notes                 Export                     2     Staging Adds 4

  6. On the domain controller, in Active Directory Users and Computers, verify that the groups have been created in ou=ContosoCorp,ou=Groups, and that their memberships look sensible. Verify that each group is the correct type, and that you can send an e-mail to those that are mail-enabled. (To do this, right-click each group, and then select Send Mail.)

To clear the Delta table (so that the next run only includes new "deltas")

  • At a command prompt, navigate to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\GroupManagement, type OSQL -S Localhost -E -i TruncateDeltaTable.sql, and then press ENTER. (Typically, you include this as part of a batch command file.)

Test 2: Verifying Attribute Group Additions

Complete the steps in this section to verify that you can add attribute-based groups through the Group Management Web application. Again, some sample attribute groups are provided. You can either remove or include them. (If you choose to include them, the statistics in the following table will be different.)

To add a group for each location

  1. Load the Web page http://localhost/miisGroupManagement/default.aspx.
  2. Click Define Attribute Groups, and then click Add Definition.
  3. Type the uniqueID Locations, change the displayName to People at <attribute value>, and then select l as the attribute.
  4. Leave the defType as single, select a groupType, and then click the (...) button to decide whether to make the groups mail-enabled.
  5. Click Define Groups to return to the main page, and then at the end of the row, click Update to save the new group.

To generate the attribute groups, and populate and provision groups

  1. Navigate to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\Group Management\, and then edit GroupManagement Sync.cmd to ensure that the command line that runs groupPopulator.exe includes your uniqueID (Locations) together with the attribute groups that you have added so far, for example groupPopulator.exe /r:titles,locations /p.
  2. Run GroupManagement Sync.cmd to generate the groups, perform the necessary MA runs and truncate the Delta table.

To verify attribute groups

  1. On the default Group Management Define Groups page, in the Specify Search Criteria drop-down list, select All, select the Include attribute based groups box, and then click Search. Verify that a group exists for each location.
  2. In the MIIS 2003 Operations tool, verify that the MA operations detailed in the following table show the statistics listed, and that their status is Success.

Table 6.8. MA Operations

Name                        Profile                                             Step  Statistics
Group Management            Delta Import (Stage Only) – Delta Synchronization   1     Staging: Adds L + U (where L is the number of locations, and
                                                                                      therefore the number of new groups, and U is the number of
                                                                                      additional users, which could be zero). Updates might also
                                                                                      appear.
Group Management            Delta Import (Stage Only) – Delta Synchronization   2     Inbound Synchronization: Projections L; Joins U; Connectors
                                                                                      with Flow Updates and Connectors without Flow Updates add
                                                                                      up to L + U.
                                                                                      Outbound Synchronization, Lotus Notes: Export Attribute
                                                                                      Flow L; Provisioning Adds L.
                                                                                      Outbound Synchronization, Intranet Active Directory: Export
                                                                                      Attribute Flow L; Provisioning Adds L.
Intranet Active Directory   Export                                              1     Adds L
Intranet Active Directory   Export                                              2     Staging Adds L
Lotus Notes                 Export                                              1     Adds L
Lotus Notes                 Export                                              2     Staging Adds L

To confirm group creation

  1. On the intranet Active Directory domain controller, in the Active Directory Users and Computers MMC, navigate to the Group organizational unit (OU).
  2. Press F5 to refresh the OU and verify that the groups and their memberships are present.

Test 3: Verifying the Managing Exceptions Feature

Complete the procedures in this section to verify that you can create exceptions to the rules for manual groups through the Group Management Web application.

To add an inclusion and an exclusion

  1. On the domain controller, in Active Directory Users and Computers, choose one of your groups and note its members.
  2. On the default Group Management Define Groups page, expand the Specify Search Criteria drop-down list, clear the All check box, and then click Search. Select one of your groups, and then click Edit.
  3. Click Exceptions (...), and then click Add Inclusion. Type a search criterion, such as sn Starts with A, and then select a user who is not already a member. (You might have to check in Active Directory to find one.) Then click Add.
  4. Click Add Exclusion. Type a search criterion, such as sn Starts with A, and then select a user who is already a member. (Again, you might have to check in Active Directory to find one.)
  5. Click Close, and then click Update.

To verify inclusion and exclusion

  1. Navigate to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\GroupManagement\, and then at a command prompt, run GroupManagement Sync.cmd.
  2. On the default Group Management Define Groups page, expand the Specify Search Criteria drop-down list, clear the All check box, and then click Search. Select one of your groups, and then click Edit.
  3. In the MIIS 2003 Operations tool, verify that the update has been synchronized and exported.
  4. On the domain controller, in Active Directory Users and Computers, locate the group in ou=ContosoCorp,ou=Groups, and verify that the new member has arrived. The old member will be removed in 10 days.

Test 4: Verifying Reference Attribute Group Additions

Complete the steps in this section to verify that you can add reference attribute-based groups through the Group Management Web application.

To add a group for each manager (populated with their reports)

  1. Load the Web page http://localhost/miisGroupManagement/default.aspx.
  2. Click Define Attribute Groups, and then click Add Definition.
  3. Type Managers for the uniqueID, and then change the displayName to People reporting to <attribute value>. Change the defType to linked. Select displayName as the attribute (the attribute referred to in angle brackets above).
  4. Select manager as the linkAttribute, which is the attribute that will generate groups, and the object_id as the linkAttributeKey. (All users with the same value for their manager attribute will be placed in the group of the manager with the same value in their object_id attribute.)
  5. Select a groupType, and then click Update.

To generate the attribute groups, and populate and provision groups

  1. Navigate to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\GroupManagement\, edit GroupManagement Sync.cmd, and make sure that the command line that runs groupPopulator.exe includes your uniqueID (Managers) together with the definitions added earlier, for example groupPopulator.exe /r:titles,locations,managers /p.
  2. Run GroupManagement Sync.cmd.

To verify attribute groups

  1. On the default Group Management Define Groups page, expand the Specify Search Criteria drop-down list, select All, and then click Search. Verify that a group exists for each manager.
  2. In the MIIS 2003 Operations tool, verify that the MA operations detailed in the following table show the statistics listed, and that their status is Success.

Table 6.9. MA Operations

Name                        Profile                                             Step  Statistics
Group Management            Delta Import (Stage Only) – Delta Synchronization   1     Staging: Adds M + U (where M is the number of managers, and
                                                                                      therefore the number of new groups, and U is the number of
                                                                                      additional users involved, which might be zero because the
                                                                                      location groups will probably have included everybody).
                                                                                      Updates might also appear.
Group Management            Delta Import (Stage Only) – Delta Synchronization   2     Inbound Synchronization: Projections M; Joins U; Connectors
                                                                                      with Flow Updates M + U.
                                                                                      Outbound Synchronization, Lotus Notes: Export Attribute
                                                                                      Flow M; Provisioning Adds M.
                                                                                      Outbound Synchronization, Intranet Active Directory: Export
                                                                                      Attribute Flow M; Provisioning Adds M.
Intranet Active Directory   Export                                              1     Adds M
Intranet Active Directory   Export                                              2     Staging Adds M
Lotus Notes                 Export                                              1     Adds M
Lotus Notes                 Export                                              2     Staging Adds M

  3. On the domain controller, in Active Directory Users and Computers, verify that the groups have been created in ou=ContosoCorp,ou=Groups, and that their memberships look sensible. Then, verify that the groups are the correct type.
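The memberships that Tests 1 through 4 expect to see in Active Directory follow directly from the definitions entered in the Web application. The following model is an added illustration, not code from the Group Management solution or the Group Populator: it evaluates the manual clauses of Table 6.6, a single attribute definition on l, a linked definition on manager/object_id, and the inclusion and exclusion exceptions of Test 3 over a constructed set of user records, so that the group count and memberships can be predicted before an MA run is examined. The user records, the operator names and the 10-day remark in the comments are assumptions of this model.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample identity data (not the paper's demo4.csv); object_id is
# the key that the linked definition in Test 4 uses as linkAttributeKey.
USERS = [
    {"object_id": "u1", "displayName": "Alice Adams", "sn": "Adams", "title": "Senior Engineer",
     "department": "engineering", "l": "Cambridge", "manager": None},
    {"object_id": "u2", "displayName": "Bob Brown", "sn": "Brown", "title": "Engineer II",
     "department": "engineering", "l": "Cambridge", "manager": "u1"},
    {"object_id": "u3", "displayName": "Carol Clark", "sn": "Clark", "title": "Marketing Lead",
     "department": "marketing", "l": "Oxford", "manager": "u1"},
    {"object_id": "u4", "displayName": "Dan Davis", "sn": "Davis", "title": "Sales Engineer",
     "department": "sales", "l": "Oxford", "manager": "u3"},
]


def matches(user, attr, op, value):
    """Evaluate one clause of the kinds used in Table 6.6 (case-insensitive)."""
    actual = (user.get(attr) or "").lower()
    value = value.lower()
    if op == "=":
        return actual == value
    if op == "starts with":
        return actual.startswith(value)
    if op == "like":  # SQL LIKE restricted to a leading and trailing % wildcard
        return value.strip("%") in actual
    raise ValueError(f"unsupported operator {op!r}")


@dataclass
class ManualGroup:
    name: str
    clauses: list  # (attr, op, value) tuples; every clause must match
    inclusions: set = field(default_factory=set)  # object_ids forced in (Test 3)
    exclusions: set = field(default_factory=set)  # object_ids forced out (Test 3)

    def members(self, users):
        ids = {u["object_id"] for u in users if all(matches(u, *c) for c in self.clauses)}
        # Exceptions override the clause result. The solution itself defers the
        # removal of an excluded member by 10 days; this model applies it at once.
        return (ids | self.inclusions) - self.exclusions


def single_attribute_groups(users, attr, display="People at <attribute value>"):
    """defType 'single' (Test 2): one group per distinct value of attr."""
    groups = defaultdict(set)
    for u in users:
        if u.get(attr):
            groups[display.replace("<attribute value>", u[attr])].add(u["object_id"])
    return dict(groups)


def linked_attribute_groups(users, link_attr="manager", link_key="object_id",
                            attr="displayName", display="People reporting to <attribute value>"):
    """defType 'linked' (Test 4): one group per manager, holding that manager's reports."""
    by_key = {u[link_key]: u for u in users}
    groups = defaultdict(set)
    for u in users:
        owner = by_key.get(u.get(link_attr))
        if owner is not None:
            groups[display.replace("<attribute value>", owner[attr])].add(u["object_id"])
    return dict(groups)


def expected_memberships(users=USERS):
    """Every group defined in Tests 1 to 4, so the adds in Tables 6.7 to 6.9 can be checked."""
    manual = [
        ManualGroup("Engineers", [("title", "starts with", "Engineer")]),
        ManualGroup("Marketing", [("department", "=", "marketing")]),
        ManualGroup("Cambridge", [("l", "=", "Cambridge")]),
        ManualGroup("EngineerDist", [("title", "like", "%engineer%")]),
    ]
    # Test 3 exceptions on the Engineers group: include u3, exclude u2.
    manual[0].inclusions.add("u3")
    manual[0].exclusions.add("u2")
    result = {g.name: g.members(users) for g in manual}
    result.update(single_attribute_groups(users, "l"))   # L = 2 location groups
    result.update(linked_attribute_groups(users))        # M = 2 manager groups
    return result


if __name__ == "__main__":
    for name, ids in expected_memberships().items():
        print(f"{name}: {sorted(ids)}")
```

With this data the model yields the four manual groups of Test 1 plus two location and two manager groups, which is the "4", "L" and "M" that the Adds columns of the tables count.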

Test 5: Verifying Synchronization of Manual Changes

Changes will occur as a result of data changes and as a result of edits you make in the group management user interface (UI).

To make a manual change

  1. On the default Group Management Define Groups page, expand the Specify Search Criteria drop-down list, clear the All check box, and then click Search to locate the group "Location is Cambridge."
  2. Click Edit, change the description to "All people whose l attribute is Cambridge" and then click Update.
  3. Run GroupManagement Sync.cmd.

To verify a manual change

  • On the domain controller, in Active Directory Users and Computers, verify that the description has changed.

Test 6: Verifying Synchronization of Identity Data Changes

Changes will occur due to data changes and edits that you make in the group management UI. Before this test will work with the suggested data, you must successfully complete the tests for the HR-Driven Provisioning system.

To change the identity data

  1. In the MaData folder for the SAP HR MA, locate the demo4.csv file, and then change Justin Thorp's location to Oxford.
  2. In the Operations folder under HR-Driven provisioning, run the run-ma.cmd file.
  3. Run GroupManagement Sync.cmd.

To verify the change

  1. On the domain controller, in Active Directory Users and Computers, verify that a group exists for the Oxford location, and that Justin Thorp is a member.
  2. On the default Group Management Define Groups page, expand the Specify Search Criteria drop-down list, select All, then select the Include attribute based groups box, and click Search. Verify that there is a group for Oxford.

Test 7: Verifying Group Removal

This test enables you to verify that if a group is removed from the UI, it is removed from Active Directory.

To remove a group

  1. On the default Group Management Define Groups page, expand the Specify Search Criteria drop-down list, clear All, and then click Search to locate the group "Location is Cambridge."
  2. Click Delete.
  3. Run GroupManagement Sync.cmd.

To verify the removal

  • On the domain controller, in Active Directory Users and Computers, verify that the group has been deleted.

Test 8: Verifying Notifications

Ensure that notifications have been sent in the following circumstances:

  • Someone is added to a group.
  • Someone is included in a group as an exception.
  • Someone is excluded from a group as an exception.

Because these events have happened during earlier tests, you can read the e-mail of affected individuals to verify that the Notification Service is running. Because users have had pseudo-random passwords set, you must set known passwords for anyone whose email you want to read.

To reset an affected user's password

  • On the domain controller, in Active Directory Users and Computers, locate the user you excluded in Test 3 and reset their password to something you know.

To check the e-mail of the two individuals

  1. On the MIIS 2003 server, open Microsoft Internet Explorer and type the address https://ffl-na-msg-01/exchange.
  2. When challenged, type the user name na\<sAMAccountName> for the excluded person, and then the password that you just reset.
  3. Verify that you can see messages about location, manager groups, and the removal of the excluded person.
  4. Repeat steps 1 through 3 for the included person.
  5. Verify that you can see messages about location, manager groups, and the addition of the included person.

Testing the Self-Service Provisioning Solution

After you have completed the Self-Service Provisioning solution implementation, you are ready to validate it to ensure that it meets the specified requirements.

Validate the Implementation Prerequisites

Ensure that you have completed the previous tests for the HR-Driven Provisioning solution to meet the prerequisites for this solution.

Validate the Implementation

In this scenario, the following tests validate key requirements and functionality.

Baseline Tests

After you have implemented the Self-Service Provisioning solution as described in Chapter 5, "Implementing the Solution," verify that you have performed the following tasks:

  • Creating and initializing the Self-Service Provisioning (MIISWorkflow) database
  • Configuring the Metaverse Object Deletion rule for the person object
  • Configuring Active Directory and Authorization Manager
  • Compiling and configuring the Self-Service Provisioning Web application
  • Configuring the new MA
  • Performing initial operations
  • Configuring run profiles

In addition to these tasks, perform the following tests:

To verify whether the MIISWorkflow database is configured

  1. In SQL Server Enterprise Manager, open the object hierarchy until you can see Databases.
  2. Verify that the MIISWorkflow database exists.
  3. Verify that this database has the following three tables: Contractors, Contractors_Delta, and Contractors_History.
  4. Verify that this database has the following two views: CONTRACTORS_DELTA_GREATER_THEN_START_DATE and CONTRACTORS_WITH_START_AND_END_DATE.

To verify the Metaverse Object Deletion rule for the person object type

  1. In Identity Manager, select the Metaverse Designer tool.
  2. Under Object types, select Person.
  3. Verify that the Object Deletion Rule is set to Rules Extension.

Validating the Self-Service Provisioning Web Application

Perform the following tests to validate the Web application:

  • Test 1: Verifying new request additions
  • Test 2: Verifying request approvals
  • Test 3: Verifying request denials
  • Test 4: Verifying request terminations
  • Test 5: Verifying active contractor terminations
  • Test 6: Verifying notifications

It will be much easier to perform these tests if you have created the two shortcuts as described in Chapter 5, "Implementing the Solution."

Test 1: Verifying New Request Additions

Complete the following procedure to verify that you can add new requests.

To add a request

  1. Use your "Requestor" shortcut to open the request Web page. (Or, by using the context of your Requestor user, open //localhost/ssprov/ssprovrequest.aspx.)
  2. Type the name of a contractor and today's date as the start date, and then click Submit.

To verify that the request has been added

  1. Verify that a success message has appeared on the page.
  2. Click Contractor Status to verify that your contractor is Waiting for Approval.
  3. In SQL Server Enterprise Manager, navigate to the MIISWorkflow database, and then Tables. Right-click the Contractors table, select Open Table, select Return all rows, and then verify that your contractor appears as a row in this table.

Test 2: Verifying Request Approvals

Complete the following procedure to verify that you can approve a request.

To approve a request

  1. Use your "Approver" shortcut to open the request Web page. (Or, by using the context of your Approver user, open //localhost/ssprov/ssprovapproval.aspx.)
  2. Verify that you are immediately presented with the request that you entered in Test 1 with the option to approve or deny it.
  3. Select Approve, and then click Submit.

To verify the approval

  1. Verify that (after a short time) you can see a message indicating that a contractor has been provisioned.
  2. Refresh the page to verify that your contractor no longer requires approval. The following message will confirm this: "There are no approvals awaiting you at this time."
  3. As the Requestor, on the Status page, verify that the status of your contractor is Provisioned.
  4. In the MIIS 2003 Operations tool, verify that the Delta Import and Export profile for the Self-Service Provisioning MA has run, and that the statistics report at least a Provisioning Add for the Intranet Active Directory MA.
  5. In the same tool, verify that the Export profile for the Intranet Active Directory MA has run, and that your contractor has been exported as an Add in Step 1.
  6. On the domain controller, run Active Directory Users and Computers. Verify that your contractor has been provisioned in ou=Employees,ou=ContosoCorp. (The cn will start with "v-" because Contoso has chosen to prefix contractor accounts in this way to designate them as vendors.)

Test 3: Verifying Request Denials

Complete the following procedure to verify that you can deny a request.

To add a request

  1. Use your "Requestor" shortcut to open the request Web page. (Or, by using the context of your Requestor user, open //localhost/ssprov/ssprovrequest.aspx.) If you are already using the Web application, you can click Contractor Request.
  2. Type the name of a contractor and today's date as the start date, and then click Submit.

To deny a request

  1. Use your "Approver" shortcut to open the request Web page. (Or, by using the context of your Approver user, open //localhost/ssprov/ssprovapproval.aspx.) If you are already using the Web application, you can click Contractor Approval or just refresh the page if you are already on that page.
  2. Verify that you are immediately presented with the request that you just entered, select Deny, and then click Submit.

To verify a denial

  1. As the Approver, verify that you can see a message indicating that a contractor has been denied.
  2. Refresh the page to verify that your contractor no longer requires approval. The following message will confirm this: "There are no pending approvals awaiting you at this time."
  3. As the Requestor, on the Request page, click Contractor Status and verify that the status of your contractor is Denied.
  4. In the MIIS 2003 Operations tool, verify that there has been no activity suggesting that an approval has taken place.

Test 4: Verifying Request Terminations

Complete the procedures in this section to verify that you can terminate a request.

To terminate a contractor

  1. Add a request as in Test 1 and verify that it was entered into the database.
  2. Click Contractor Status, find the newly entered request, click Terminate, and then click OK to confirm.

To verify a termination

  1. Refresh the Contractor Status page and verify that the contractor is shown as terminated. Click View History and confirm that the last entry is the termination.
  2. As the Approver, check that the contractor does not appear as a pending approval.
  3. As an additional check, in SQL Server Enterprise Manager, navigate to the MIISWorkflow database, then Tables. Right-click the Contractors_History table, select Open Table, and then select Return All Rows. Verify that your contractor has been terminated in the last row of the table.

Test 5: Verifying Active Contractor Terminations

Complete the procedures in this section to verify that you can rapidly terminate a contractor.

To terminate an active contractor

  1. Add a new request and approve it, making sure that the request is exported to the intranet Active Directory. (See Tests 1 and 2 for instructions.)
  2. On the Contractor Status page, find the contractor, and then click Terminate.

To verify an active contractor termination

  • In Active Directory Users and Computers, verify that the contractor account has been deleted.

Test 6: Verifying Notifications

Complete the following procedure to verify that notifications are taking place.

To verify notifications

  • In the security context of your Approver user, use Microsoft Outlook® Web Access (OWA) to check e-mail. Verify that e-mails have been received to notify the user of all significant events.

Troubleshooting

This section provides information about some common errors that you might encounter when you test these solutions and how you can most likely resolve them. However, the information in the following table is not an exhaustive list of errors and troubleshooting procedures.

For more information, read the troubleshooting suggestions in Chapter 6 of the Identity Aggregation and Synchronization paper in this series, which also apply to this paper.

Table 6.10. Troubleshooting HR-Driven Provisioning

Error                                              Troubleshooting procedure
The DN already exists during synchronization.      - Rebuild the MIIS 2003 extension solutions.
                                                   - Remove users from the directory that generated the errors, delete the data in the
                                                     connector space for that directory, and run a full synchronization of the SAP HR MA.
Other provisioning errors.                         - Rebuild the MIIS 2003 extension solutions.
Export errors.                                     - Check the MA configuration.
                                                   - Check the MA connection account permissions.
Account provisioning notification failure.         Verify that the AccountProvisioning message queue is present and is of the
                                                   transactional type.
Permission denied export run error in one of the   Verify that the account used to connect to the Active Directory in question is a
Active Directory management agents.                member of its Domain Admins group. Verify that it has been correctly entered in the
                                                   User name field on the Connect to Active Directory Forest page of the Management
                                                   Agent Properties, and re-enter the password in the Password field.

Table 6.11. Troubleshooting Self-Service Provisioning

Error                  Troubleshooting procedure
Notification failure   Verify that the SelfServiceProvisioning message queue is of the transactional type. Check the
                       SelfServiceProvisioning queue properties and verify that SSProvSvcAcct has full permissions.

Chapter 7: Operational Considerations

After you implement and verify any of the elements of this solution, you should consider a number of ongoing operational activities to ensure that it will continue to operate successfully for you.

Previous chapters in papers of the Identity and Access Management series provide a broad discussion of the management tasks associated with the long-term operation of the infrastructure components for this solution. These chapters include:

  • Chapter 6, "Operating the Infrastructure," of the Platform and Infrastructure paper in this series, which provides information and references about backing up and monitoring Active Directory®, Certificate Services, and Firewall and Proxy Services.
  • Chapter 7, "Operational Considerations," of the Identity Aggregation and Synchronization paper in this series, which provides additional information and references for managing a Microsoft Identity Integration Server (MIIS 2003) implementation, scheduling and automating management agent (MA) runs, and monitoring MIIS 2003.

This chapter examines operational considerations for the specific elements of these solutions.

General

The following considerations apply to the three solutions presented in this paper.

Version Control Management

This solution is complex, with many different components. Because these components have dependencies on each other, a change in one component might require changes in other components.

Contoso Pharmaceuticals chose to utilize its existing implementation of Microsoft Visual SourceSafe® as a version control management system for the different solution components. The following table shows which components to maintain under version control, and (where appropriate) how you can extract the information from MIIS 2003.

Table 7.1. Files To Maintain Under Version Control

Solution                    Component                           Format                                  Extraction method
HR Driven Provisioning      Management agent (MA) definitions   Extensible Markup Language (XML) file   MIIS 2003 Identity Manager, Management Agents, Export MA
HR Driven Provisioning      Metaverse schema                    XML file                                MIIS 2003 Identity Manager, Metaverse Designer, Actions, Export Metaverse Schema
HR Driven Provisioning      MIIS Server Export files            XML files                               Server Export on the File menu in Identity Manager
HR Driven Provisioning      Rules extension projects            Source code files
HR Driven Provisioning      XML configuration files             XML file                                Found in Extensions folder
HR Driven Provisioning      Scripts                             Source code files
HR Driven Provisioning      Documentation                       Microsoft Word documents
Group Management            MA definition                       XML file                                MIIS 2003 Identity Manager, MAs, Export MA
Group Management            Group Management Projects           Source code files
Self Service Provisioning   MA definition                       XML file                                MIIS 2003 Identity Manager, MAs, Export MA
Self Service Provisioning   Group Management Projects           Source code files

You must also consider how you manage your SAP .csv files. In the event of a problem, you may want to re-import all the changes of the last few days, and you may want to maintain your .csv files under some kind of version control. However, it is usually much easier to perform a full import of the SAP data after a suspected problem to include any missing changes. In fact, except for when this takes too long to do, it is normal to perform a full import from time to time to ensure that it is complete.

Patch Management

Contoso uses Microsoft Windows Server Update Services (WSUS), which is available as a free download. WSUS uses the Automatic Updates Service in Microsoft Windows Server™ 2003 and Microsoft Windows® XP Professional to ensure that all servers and clients in the solution environment have the latest security and software updates installed.

For more information about WSUS, see Windows Server Update Services.

For more information about patch management, see the Security Guidance for Patch Management Web page on Microsoft TechNet.

Backup

You might want to consider an appropriate backup and recovery strategy for these systems. For more information about backup and recovery services, see the Introduction to Backup and Recovery Services Web page of the Windows Server System Reference Architecture Guide.

Maintaining the MIIS 2003 Database

MIIS 2003 stores data, configuration, and the contents of the extensions folder (including rules extension dynamic-link libraries) in its Microsoft SQL Server database. Group and contractor data is stored in two other databases. All three of these must be included in your backup procedure.

For more information about backup and recovery specific to MIIS 2003, see the Maintaining the MIIS 2003 Database Web page.

Source Code

As part of the company's general disaster recovery strategy, Contoso chose to add the solution source code to the resources it backs up offsite. The company does this in addition to using Visual SourceSafe for version control.

Additional Files

As described previously, although the MIIS 2003 configuration is stored in its SQL Server database, you also can export it to XML files. For additional safety these XML files are stored at an off-site location and in Visual SourceSafe.

Encryption Keys

MIIS 2003 encrypts any passwords that it stores by using encryption keys generated during installation. If you rebuild the MIIS 2003 server, the setup program will request the encryption keys. For this solution, the MIIS 2003 encryption key utility (miiskmu.exe) was used immediately after installation to back up the encryption keys for storage at an off-site location. The encryption key utility was also used to generate new keys from time to time, including the option to replace old keys.

Total Metadirectory Data Loss

In the unlikely event that you experience a total loss of all MIIS 2003 data and backups for it, use the following procedure to rebuild the metadirectory. The reason this works is that employeeID has been flowed to each directory, and a join rule has been put in place to make use of this attribute. This process is generally known as "bread-crumbing."

  1. Delete any remaining connector space data.
  2. On the Tools menu, select Options, and then switch off provisioning.
  3. Perform staged imports and synchronizations for all MAs in this order:
    1. SAP HR MA
    2. Self-Service Provisioning MA
    3. Group Management MA
    4. All the rest in any order
  4. Examine a large sample of objects to verify that they have all projected or joined correctly.
  5. Switch on provisioning.
  6. Resynchronize the SAP HR MA, Self-Service Provisioning MA, and Group Management MA.

Note   Very little should happen, unless many changes have occurred since the data failure. However, it will take some time for this "check" process to complete.

  7. Export any changes.
  8. Perform the following checks and corrections if necessary:
    1. Look for obvious errors in a random set of identity information in each data store.
    2. Look for detail errors in all identity information across all data stores for a small set of people and groups. Use the metaverse search tool to make sure that they are connected correctly.
    3. Count the person and group objects in the metaverse to confirm that the total corresponds to how many you estimate exist according to the authoritative data stores.
  9. Test the automated run cycle.
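The bread-crumb rebuild above, modelled as an added example (this is not code from the paper or from MIIS 2003): the authoritative SAP HR connector space projects, every other connector space only joins on employeeID, and the final count and connectivity checks from steps 8 and 9 are applied to the result. The connector-space records, the rule that HR attribute values win over other directories, and the list of management agents are constructed assumptions for the example.

```python
"""Simulated 'bread-crumb' rebuild of the metaverse from connected directories.

Added example, not part of the Microsoft paper. It models the recovery procedure:
project the authoritative SAP HR objects first, then join the other connector
spaces on employeeID, and verify the result with the counts described in the
final checks. The record layouts and sample data are constructed."""

# Constructed connector-space data, one list per management agent (MA).
# In the solution employeeID was flowed to every directory, which is what
# makes a join on that attribute possible after a total data loss.
CONNECTOR_SPACES = {
    "SAP HR": [
        {"employeeID": "1001", "displayName": "Ann Adams", "department": "Sales"},
        {"employeeID": "1002", "displayName": "Bob Brown", "department": "Engineering"},
        {"employeeID": "1003", "displayName": "Cal Clark", "department": "Sales"},
    ],
    "Intranet Active Directory": [
        {"employeeID": "1001", "sAMAccountName": "aadams", "mail": "aadams@contoso.example"},
        {"employeeID": "1002", "sAMAccountName": "bbrown", "mail": "bbrown@contoso.example"},
        {"employeeID": "9999", "sAMAccountName": "svc-backup"},  # no HR record: stays a disconnector
    ],
    "Lotus Notes": [
        {"employeeID": "1001", "notesName": "Ann Adams/Contoso"},
        {"employeeID": "1003", "notesName": "Cal Clark/Contoso"},
    ],
}

# Only the authoritative MA may create (project) metaverse objects.
AUTHORITATIVE_MA = "SAP HR"


def rebuild_metaverse(connector_spaces, authoritative=AUTHORITATIVE_MA):
    """Return (metaverse, disconnectors).

    metaverse maps employeeID -> merged attributes plus the list of MAs connected
    to the object. disconnectors lists connector-space objects that could not
    join because no authoritative object carries their employeeID."""
    metaverse = {}
    disconnectors = []
    # Step 1: projection from the authoritative source (SAP HR MA first).
    for obj in connector_spaces[authoritative]:
        mv = dict(obj)
        mv["connectors"] = [authoritative]
        metaverse[obj["employeeID"]] = mv
    # Step 2: join rule. Every other MA joins on employeeID and never projects.
    for ma_name, objects in connector_spaces.items():
        if ma_name == authoritative:
            continue
        for obj in objects:
            mv = metaverse.get(obj["employeeID"])
            if mv is None:
                disconnectors.append((ma_name, obj))
                continue
            for attr, value in obj.items():
                mv.setdefault(attr, value)  # assumed precedence: HR values win, others fill gaps
            mv["connectors"].append(ma_name)
    return metaverse, disconnectors


def verify_rebuild(metaverse, disconnectors, expected_people):
    """The final checks of the procedure: the object count matches the
    authoritative store, every object is connected to the authoritative MA,
    and no connector-space object was left unjoined. Returns a list of
    problems; an empty list means the rebuild passed."""
    problems = []
    if len(metaverse) != expected_people:
        problems.append(f"expected {expected_people} person objects, found {len(metaverse)}")
    for emp_id, mv in metaverse.items():
        if AUTHORITATIVE_MA not in mv["connectors"]:
            problems.append(f"{emp_id} is not connected to {AUTHORITATIVE_MA}")
    for ma_name, obj in disconnectors:
        problems.append(
            f"{ma_name} object {obj.get('employeeID')} did not join; review it before switching provisioning back on"
        )
    return problems


if __name__ == "__main__":
    mv, orphans = rebuild_metaverse(CONNECTOR_SPACES)
    for emp_id, obj in sorted(mv.items()):
        print(emp_id, obj["displayName"], "connected to", obj["connectors"])
    for problem in verify_rebuild(mv, orphans, expected_people=3):
        print("CHECK:", problem)
```

The disconnector report is the part worth keeping in a real rebuild: an object that fails to join is exactly the kind of account that, once provisioning is switched back on, would otherwise be re-created as a duplicate or silently left unmanaged.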

Operating MIIS 2003

This section provides information about operating and monitoring MIIS 2003.

MIIS 2003 Regular Run Cycle

After completing the tests in Chapter 6, "Testing the Solution," you are ready to set up the regular activity cycle. You must run MIIS 2003 MAs in the correct cycle to ensure that changes from the SAP HR system propagate to other systems in a timely manner. The MARuns.cmd file (in the Operations folder of the Tools and Templates folder) must be consistent with the information in the following table.

Table 7.2. Regular Cycle of Provisioning Runs

MA | Run profile | What should happen
--- | --- | ---
SAP HR | Regular Import | All new accounts are provisioned into connector spaces for other management agents according to the business rules. All updates are synchronized with the other connector spaces for other MAs.
Intranet Active Directory | Export | New accounts are provisioned into Active Directory and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other MAs.
Extranet Active Directory | Export | New Sales accounts are provisioned into Active Directory and re-imported to confirm export.
Lotus Notes | Export | New accounts are provisioned into Lotus Notes and re-imported to confirm export.
Sun ONE Directory | Export | New Sales accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export.

In addition, the Delta Import run profile for the SAP HR management agent must refer to the CSV file containing the latest data from the SAP HR system.

Note   When you export to Intranet Active Directory, the confirming delta import might occur before the Exchange Recipient Update Service (RUS) has had a chance to populate the mail attribute with an e-mail address. Thus it will not be until some future cycle run that the delta import sees the changes and the delta synchronization propagates them. If you are testing you

Monitoring MIIS 2003

It is important that you correctly monitor MIIS 2003 and resolve any errors in a timely manner.

Microsoft Operations Manager (MOM)

You can install the MIIS 2003 MOM Management Pack to alert administrators of any warnings or errors. For more information about the management pack, see the Microsoft Download Center page for the Microsoft Identity Integration Server 2003 Management Pack for MOM 2000 SP1.

Operations History and Event Log

In the event of any errors, you should check two sources of information:

  • The Operations tool of Identity Manager, which contains a history of each run, including details of any errors generated.
  • The Event Viewer: check the Application Log for any events with the source MIIServer.

Clearing the Operations History

Left alone, the operations history will eventually become very large. If the database fills the physical disk space it is very likely that data will be damaged. The run history is cleared as part of the overall Contoso backup process, by using the Operations tool in Identity Manager.

Any extensions and run scripts should also include monitoring and event logging (either the system log or the MIIS Logging APIs) to provide detailed information about their status. The Notification Service is an excellent example.

Third-Party Products

NetPro Computing, Inc., a leading provider of distributed services management software, has designed MissionControl 2.0 for MIIS 2003 to meet the demands of enterprise customers.

Monitoring Replication Times

The Active Directory management agent in MIIS 2003 with SP1 can connect to any domain controller in the specified domain. Alternatively, you can configure MIIS 2003 to communicate with a particular domain controller or set of domain controllers. Active Directory takes some time to replicate changes, and so changes synchronized by MIIS 2003 may not immediately be available. The MOM pack for Active Directory allows you to monitor domain controller replication times. Being aware of these times may help you avoid unnecessary attempts to learn more about apparent errors that are merely delays.

Group Management

This section contains operational considerations that apply only to the Group Management solution. Backup of source code and data has already been covered earlier in this chapter.

Frequency of Regenerating Groups

You may configure MIIS 2003 with SP1 simply to run with a regular cycle of activity, picking up any recent changes in the Group Management system as it does. If so, you must include miisGroupManagement Sync.cmd as part of your regular cycle of runs, which the following table describes:

Table 7.3. Regular Cycle of Runs Including Group Management

MA or process | Run profile | Run type | What should happen
--- | --- | --- | ---
SAP HR MA | Regular Import | Delta Import and Delta Synchronization | All new accounts are provisioned into connector spaces for other management agents according to the business rules. All updates are synchronized with the other connector spaces for other Management Agents.
miisGroupManagement Sync.cmd | N/A | | SQL Server tables are populated with groups and their member lists based on group definitions and the latest metaverse data.
Group Management MA | Regular Import | Delta Import and Delta Synchronization | All new accounts are provisioned into connector spaces for the extranet Active Directory and Lotus Notes. Existing group member lists are synchronized.
Intranet Active Directory MA | Export | Export, Delta Import, Delta Synchronization | New accounts (including groups) are provisioned into Active Directory and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other Management Agents.
Extranet Active Directory MA | Export | Export and Delta Import | New Sales accounts are provisioned into Active Directory and re-imported to confirm export.
Lotus Notes MA | Export | Export and Delta Import | New accounts (including groups) are provisioned into Lotus Notes and re-imported to confirm export.
Sun ONE Directory MA | Export | Export and Delta Import | New Sales accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other Management Agents.

Note   The miisGroupManagement Sync.cmd file includes export runs for the Lotus Notes and intranet Active Directory MAs, so these are being done twice. The impact on performance is close to negligible, but you could edit the file to remove these runs.

You must perform some timing tests with and without group population. The overall cycle must run in minutes, not hours. If group population turns out to be a significant factor, you should consider your priorities.

It might be acceptable to wait 24 hours for groups to populate but only minutes for someone to be deprovisioned. It is possible to run different cycles by day and by night to reflect such priorities.

Note   The miisGroupManagement Sync.cmd file contains a line to run the Group Populator with a /r switch. This switch causes attribute groups to be regenerated. In a large system, it would be very time consuming to regenerate these each time. In such circumstances you may decide to create two different .cmd files, one with the /r switch to be run after changes have been made to attribute group definitions, and another without the switch to be run whenever other changes may have been made (perhaps as part of the regular cycle).

Contractor Account Provisioning

When the contractor provisioning solution was set up, its run profiles should have been predefined. You should ensure that there is a correctly configured run profile that can be included in the regular run cycle, which is now as described in the following table.

Table 7.4. Regular Cycle of Runs Including Contractor Account Provisioning

MA or process | Run profile | Run type | What should happen
--- | --- | --- | ---
SAP HR MA | Regular Import | Delta Import and Delta Synchronization | All new accounts are provisioned into connector spaces for other Management Agents according to the business rules. All updates are synchronized with the other connector spaces for other Management Agents.
Self-Service Provisioning MA | Regular Import | Delta Import, Delta Synchronization, Export, Delta Import | All new contractor accounts are provisioned into connector spaces for other Management Agents according to the business rules. All updates are synchronized with the other connector spaces for other MAs. A value is flowed back to the MIISworkflow database so that the user interface can show status as "Provisioned".
Group Management Sync.cmd | N/A | | SQL Server tables are populated with groups and member lists based on group definitions and the latest metaverse data.
Group Management MA | Regular Import | Delta Import and Delta Synchronization | All new accounts are provisioned into connector spaces for the extranet Active Directory and Lotus Notes. Existing group member lists are synchronized.
Intranet Active Directory MA | Export | Export, Delta Import, and Delta Synchronization | New accounts (including groups) are provisioned into Active Directory and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other Management Agents.
Extranet Active Directory MA | Export | Export and Delta Import | New Sales accounts are provisioned into Active Directory and re-imported to confirm export.
Lotus Notes MA | Export | Export and Delta Import | New accounts (including groups) are provisioned into Lotus Notes and re-imported to confirm export.
Sun ONE Directory MA | Export | Export and Delta Import | New Sales accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with connector spaces for other Management Agents.

Appendix A: Self-Service Provisioning Web Application User Guide

This appendix provides a brief guide for Self-Service Provisioning Web application users.

Overview

The Self-Service Provisioning Web application is a sample solution that provides a way to request and approve accounts. The application, which uses a Web-based interface, is not a complete solution, but serves as a starting point for you to build a custom application.

The Self-Service Provisioning Web application is designed to help simplify typical workflow requirements and serves as a framework for an approval-based provisioning tool to create and delete contractor accounts. You can extend and customize the application by using Microsoft® Visual C#® and Microsoft ASP.NET.

New Contractor Request

On the New Contractor Request page, anyone who manages one or more contractors can submit a request to provision a contractor. In the sample application, only the name, and the start and end dates are entered, but you can readily extend these requirements.

Figure A.1. The New Contractor Request page

After you submit a new contractor request, you will receive a message at the bottom of the page to confirm that the contractor has been added successfully to the application as indicated in the following figure.

Figure A.2. The confirmation message at the bottom of the New Contractor Request page.

At this stage of the process, the application has added a row to the Contractors table, and has populated the columns for Department, Location, ManagerID, and Company according to who requested the account for the contractor. For example, the ManagerID is the EmployeeID of the requestor.

Contractor Approval

A user with the Approval role can access and use the Contractor Approval page.

Figure A.3. The Contractor Approval page displays pending requests

In this role, you can approve or deny pending requests, and then submit them. Denied submissions are flagged. Approved submissions also are flagged and appear in the Contractors_Delta table. An approved submission triggers Microsoft® Identity Integration Server (MIIS 2003) Service Pack 1 (SP1) to import data and provision it according to business rules (depending on the company and the requestor's department). MIIS 2003 indicates a successful provisioning with a confirmation message.

Figure A.4. A message appears after submitting either an approval or deny request

Contractor Status

At any stage, you can check the status of requests.

Figure A.5. The Requested Contractor's Status page displays provisioning requests

You also can access the history of each contractor request from this page.

Termination

You can terminate a contractor at any stage in the process. If a request has not yet been provisioned, the application flags it as terminated. If the contractor has been provisioned, the application disables the corresponding account.

Process Summary

The following diagram and explanation provide a summary of the process.

Figure A.6. Process summary

The following provides a summary of the steps for the Self-Service Provisioning Web application process:

  1. The user submits a request for a new contractor account that the application adds to the Contractors table.
  2. The user can view the request status on the Requested Contractors' Status page at any time.
  3. The approver views the pending requests on the Contractor Approval page.
  4. Upon approval, the new account is flagged as "In progress" in the Contractors table, and a new entry is created in the Contractors_Delta table. The MIIS Self-Service Provisioning management agent (MA) is called by using Windows Management Instrumentation (WMI).
  5. The MIISWorkflow MA imports the new change from the Contractors_Delta table.
  6. The Self-Service Provisioning MA increments the UPDATE_COUNT attribute of the imported account, and exports the change to the Contractors table.
  7. A trigger on the Contractors table detects the change in the UPDATE_COUNT column, marks the account as "Approved," and then completes the processed entry in the Contractors_Delta table. It also creates a new history for the contractor in the Contractors_History table.
  8. The user can view the history from the Requested Contractors' Status page.

Appendix B: Group Management Web Application User Guide

This appendix provides a brief guide for Group Management Web application users.

Overview

The Group Management Web application provides a sample solution that allows you to define groups based on user membership in the Microsoft® Identity Integration Server 2003 (MIIS 2003) Service Pack 1 (SP1) metaverse. The application stores its definitions in a Microsoft SQL Server database. A separate Group Populator program generates group and membership information that is also stored in the database.

MIIS 2003 then imports the data and provisions any newly defined groups into the Active Directory® directory service and Lotus Notes, and keeps group memberships updated as data and definitions change. You can extend MIIS 2003 to include other directories, or extend and customize the application by using Microsoft Visual Basic® .NET and Microsoft ASP.NET.

Components

The Group Management Web Application Suite includes the following components.

Source Code

The application itself is a collection of ASP.NET Web pages that you use to enter and maintain group definition data. The pages provided are described later in this appendix.

SQL Server Database

A number of tables are used to hold group definitions, user (group member) information, and the import data that MIIS 2003 requires.

Group Populator

Group Populator is a separate program that generates groups and their respective memberships. The program runs a provided batch file (which may require editing in certain situations). Note that this is not the same Group Populator program that is provided with MIIS 2003.

Management Agent

A management agent (MA) is provided so that MIIS 2003 can import data from the database. Code is provided for provisioning that has been built into the HR-Driven Provisioning solution code.

Features

The Group Management Web application includes the following features.

Simple Groups

The application allows you to create simple groups based on metaverse attributes that you manually enter as a query. For example, you might use a query clause like Title Contains 'Engineer.' The Group Populator program runs a query that returns all the metaverse objects that satisfy the clause, and then stores the membership information in the database. MIIS 2003 later imports this information for provisioning.

You can edit groups through the user interface (UI) and you can delete them. Data changes in the metaverse (new, deleted, or modified users that MIIS 2003 processes) require membership updates. Including Group Populator as part of the MIIS 2003 run cycle automatically incorporates all such changes.

Attribute Groups

You can also define "families" of groups based on attribute data. For example, you might want to create a group for each department in your company and base membership on the users in each one. You could call such groups something like "All people in Department <name>." When you run it, the Group Populator program reads the definition, generates one group for each department, and then populates the groups correctly. If a person has their department attribute set or changed to a value that does not exist, the program creates a new group. Also, if all members of a group are deleted, or moved to other departments (and their department attributes are updated accordingly), the group is deleted. After they are created, the attribute groups appear in the UI in much the same way that the simple groups do. You can only edit them in a limited way because they are designed to be automatically generated.

Reference Attribute Groups

This type of group is a variant of the attribute group. For example, you might want to create a group for each manager that includes all users who report to that manager. This is slightly more complicated to define, but otherwise reference attribute groups behave like attribute groups.

Inclusions and Exclusions

It is possible to make individual inclusions and exclusions for any group. Because the intent of this application is to reduce administration, keep inclusions and exclusions to a minimum—an arbitrary limit of 10 for each group has been set. Of course you can change this by altering the code.

Notifications

The Group Management Web application uses the Notification Service to send e-mails to users about membership changes.

Membership Removal Delay

When a user is removed from a group, an e-mail is sent to notify the user, but actual deprovisioning is delayed to give them a chance to complete any group business. The delay defaults to 0 days, but you can configure this value.
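The membership removal delay described above, as an added example that is not the solution's own code: it compares the member list last exported with the newly generated one, notifies immediately, and only removes a member once the configured number of days has elapsed, with the default of 0 days giving immediate removal. The pending-removal table, the notification tuples and the ISO-date inputs are constructed for the example; the real solution stores the delay in the preserveMembers column and sends mail through the Notification Service.

```python
"""Membership change handling with a removal delay.

Added example, not code from the Group Management Web application. A join is
applied at once; a removal is notified at once but only exported once
preserve_days (0 by default) have passed since the member first went missing.
A member that reappears within the delay has its removal cancelled."""

from datetime import date, timedelta


def reconcile_membership(previous, current, pending, today, preserve_days=0):
    """Compare the member list last exported (`previous`) with the newly
    generated one (`current`); both are sets of member ids.

    `pending` maps a member id to the ISO date on which it first went missing
    and `today` is an ISO date string. Returns (export_members, notifications,
    pending): the sorted member list to export this run, the notifications the
    Notification Service would send, and the updated pending table."""
    today_d = date.fromisoformat(today)
    pending = dict(pending)
    notifications = []

    # A member that reappears before its delay expires is simply kept.
    for member in list(pending):
        if member in current:
            del pending[member]
            notifications.append(("removal cancelled", member))

    for member in sorted(current - previous):
        notifications.append(("added", member))

    # Newly missing members are notified now but not yet removed.
    for member in sorted(previous - current):
        if member not in pending:
            pending[member] = today
            notifications.append(("removal scheduled", member))

    export = set(current)
    for member, since in sorted(pending.items()):
        due = date.fromisoformat(since) + timedelta(days=preserve_days)
        if today_d >= due:
            notifications.append(("removed", member))
            del pending[member]
        else:
            export.add(member)  # inside the grace period: keep the directory membership
    return sorted(export), notifications, pending


if __name__ == "__main__":
    # Constructed run: member b leaves a group that preserves members for 3 days.
    exported, notes, pend = reconcile_membership({"a", "b"}, {"a", "c"}, {}, "2024-01-01", preserve_days=3)
    print(exported, notes, pend)
```

Note that the delay lengthens the window in which a departed user still holds group-based access; a security group guarding sensitive resources is a case where leaving the delay at 0 is the right setting, while a distribution list can afford a longer one.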

Web Application Pages

Access the default startup page at http://localhost/miisGroupManagement/default.asp.

Adding Simple Groups

Figure B.1. The default startup page for the Group Management Web application

To add a group, click Add Group and define the fields that the application displays according to the information in the following table.

Table B.1. Simple Group Definition Fields

Field | Purpose | Examples
--- | --- | ---
Group Name | A unique name that you provide. | Engineers; MarketingDist; PaloAlto
Description | A description that you provide. | Title starts with Engineer; Everyone in the Marketing department; All users in Palo Alto.
Group Type | The type of Active Directory group (MIIS 2003 selects the closest match in Lotus Notes). | Combinations of: Security or Distribution List; Universal, Global, or Domain Local
Enabled | Whether the group is managed or not. | You can generate a group, then clear this field to pass control to Active Directory
Mail | Whether the group is mail-enabled or not. | Disabled; Enabled with a default alias; Enabled with an alias you provide.
Clause | The "Where" clause, based on metaverse attributes, that the application uses to generate memberships. | Title like "engineer%" (starts with Engineer); Title like "%engineer%" (contains Engineer); department = 'marketing'; l = 'Cambridge'

Clauses

To add a clause, on the startup page click Clause (…) to open the Specify Clause Criteria window.

Figure B.2. The Specify Clause Criteria window

You can build the clause by using the attribute and operator drop-down menus, the and and or options, and the Append and Replace buttons as seen in Figure B.2, or you can edit the clause directly.

Using an Existing Clause

You can also use an existing clause by selecting the Use clause from existing group check box. Enabling this option displays a list of the current groups from which you can then choose an existing clause.

If you share a clause between two groups, you can still have exceptions that are different for each group. For example, if you want to define two groups in which one contains all department employees and the other contains all department employees and the manager; you could define the first group, and then define the second group by choosing to share an existing clause. In this way you can include the manager as an exception to the second group.

As another example, if you want to have separate groups for security and distribution that include the same members, you can share the same clause between the groups. In this way, if you edit the clause for one group, it will modify the other one.

Preview

Click Preview to check the result of the query to ensure that it produces the results that you want. The group membership has not yet been built at this point, but you can see who will be included in it.

Figure B.3. A preview of group members resulting from a new query

On the Specify Clause Criteria window, click Update to accept your clause, or Cancel to cancel it.
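The Clause field is a free-form "Where" fragment that the application runs against the metaverse, and the page lets you edit it directly. Whatever component executes that clause therefore has to treat it as untrusted input: if it were pasted into a SQL statement, the right to edit a group definition would amount to the right to run arbitrary SQL against the metaverse store, and with it to decide who lands in any security group. The following added example (not the Group Management application's own code) shows one defensible way to handle this: accept only the attribute/operator/value grammar the drop-downs offer, bind every value as a query parameter, and run the Preview against an in-memory SQLite table standing in for the metaverse. The attribute allow-list, the table layout and the sample people are constructed assumptions.

```python
"""Validated clause builder and membership preview.

Added example, not code from the Group Management Web application. The clause
grammar accepted here is: term (AND|OR term)*, where a term is
<attribute> <operator> <quoted value>. Anything else is rejected, and values
are always bound as parameters rather than spliced into the SQL text."""

import re
import sqlite3

# Metaverse attributes a clause may reference (assumed allow-list, lowercase).
ALLOWED_ATTRIBUTES = {"title", "department", "l", "company", "employeetype"}
ALLOWED_OPERATORS = {"=", "<>", "like"}

# One term: attribute, operator, quoted value. Values may be "..." or '...'.
_TERM = re.compile(
    r"""\s*(?P<attr>[A-Za-z][A-Za-z0-9]*)\s*(?P<op>=|<>|like)\s*(?P<q>["'])(?P<val>[^"']*)(?P=q)\s*""",
    re.IGNORECASE,
)
_JOINER = re.compile(r"\s*(and|or)\b\s*", re.IGNORECASE)


def compile_clause(clause):
    """Turn a UI clause such as  title like "engineer%" and department = 'marketing'
    into (sql_where, params). Raises ValueError for anything outside the grammar:
    unknown attributes, bare SQL, unbalanced quotes or a dangling AND/OR."""
    sql_parts, params, pos = [], [], 0
    while True:
        m = _TERM.match(clause, pos)
        if not m:
            raise ValueError(f"expected <attribute> <operator> <quoted value> at offset {pos}")
        attr, op = m.group("attr").lower(), m.group("op").lower()
        if attr not in ALLOWED_ATTRIBUTES:
            raise ValueError(f"attribute {attr!r} is not permitted in a clause")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"operator {op!r} is not permitted")
        sql_parts.append(f"{attr} {op.upper()} ?")
        params.append(m.group("val"))  # bound, never concatenated
        pos = m.end()
        if pos == len(clause):
            break
        j = _JOINER.match(clause, pos)
        if not j or j.end() == len(clause):
            raise ValueError(f"expected AND/OR followed by another term at offset {pos}")
        sql_parts.append(j.group(1).upper())
        pos = j.end()
    return " ".join(sql_parts), params


def is_valid_clause(clause):
    """True if the clause is accepted by compile_clause."""
    try:
        compile_clause(clause)
        return True
    except ValueError:
        return False


def preview_members(conn, clause):
    """The Preview button: run the compiled clause with bound parameters and
    return the display names that would become members."""
    where, params = compile_clause(clause)
    rows = conn.execute(f"SELECT displayName FROM metaverse WHERE {where} ORDER BY displayName", params)
    return [r[0] for r in rows]


def sample_metaverse():
    """Constructed in-memory stand-in for the metaverse person table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE metaverse (displayName TEXT, title TEXT, department TEXT, l TEXT, company TEXT, employeeType TEXT)"
    )
    conn.executemany("INSERT INTO metaverse VALUES (?,?,?,?,?,?)", [
        ("Ann Adams", "Engineer II", "engineering", "Cambridge", "Contoso", "Employee"),
        ("Bob Brown", "Senior Engineer", "engineering", "Palo Alto", "Contoso", "Employee"),
        ("Cal Clark", "Marketing Lead", "marketing", "Cambridge", "Contoso", "Contractor"),
        ("Dee Diaz", "Account Manager", "sales", "Cambridge", "Contoso", "Employee"),
    ])
    return conn


if __name__ == "__main__":
    conn = sample_metaverse()
    for clause in ('Title like "engineer%"', "department = 'marketing' or l = 'Cambridge'", "title = 'x' or 1=1"):
        print(clause, "->", preview_members(conn, clause) if is_valid_clause(clause) else "rejected")
```

Two caveats apply when carrying this over to the real store: SQLite's LIKE is case-insensitive for ASCII, whereas on SQL Server that depends on the column collation, so "engineer%" may or may not match "Engineer II" there; and a clause that shares the same grammar can still be wrong in intent, which is what the Preview step is for.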

Exceptions

Finally, you can specify exceptions to your clause. Click Exceptions (…), and then use the same query as before to either include or exclude individuals.

To define an exception, click either Add Exclusion or Delete Exclusion, and then enter a query by using the drop-down menus.

Figure B.4. The Exception Management window

Select an individual, and then click Add.

Note   A warning message displays if you create more than 10 exclusions to discourage you from manual management. To the extent that you can, always use rules (clauses) to define group membership.

When you are finished, click Close and then click Update (at the end of the row) to complete defining your exceptions.

Editing and Deleting Simple Groups

On the startup page, you can specify a search criterion to display groups of interest.

Figure B.5. The Group Management window

Now you can click Edit or Delete to manage your groups. The UI for editing is the same one that you use for adding groups, except that not everything can be edited.

Attribute Groups

Attribute groups are families of groups based on a metaverse attribute. To create an attribute group, first define your groups, and then run Group Populator to generate them.

Adding Attribute Group Definitions

From the startup page, click Define Attributes, click Add Definition and define the fields according to the information in the following table (this example generates a group for each location), and then click Update to complete this process.

Table B.2. Attribute Group Definition Fields

Field | Purpose | Examples
--- | --- | ---
UniqueID | A unique ID that you provide. | Locations.
displayName | To generate a displayName for each group that will involve the attribute that defines the group. | People at location {attribute}.
defType | The attribute group type. | single for an attribute group (linked for a reference attribute group; see the next section of this appendix for more information).
Group Type | The type of Active Directory group (MIIS 2003 selects the closest match in Lotus Notes). | Combinations of: Security or Distribution List; Universal, Global, or Domain Local
Mail | Whether the group is mail-enabled or not. | (Selected or cleared).

Reference Attribute Groups

Reference attribute groups are families of groups based on a metaverse reference attribute. To create a reference attribute group, first define your groups, and then run Group Populator to generate them.

Adding Reference Attribute Group Definitions

On the startup page, click Define Attributes, click Add Definition, and define the fields by using the information in the following table. This example generates a group for each manager and populates it with the manager's reports. When defining the fields, you must think in terms of the metaverse object (person) for the group member and hence its "member attributes." However, you must also think in terms of the metaverse object for the "pointed at" or linked person, for example the manager defined in the employee's manager field.

Table B.3. Reference Attribute Group Definition Fields

Field | Purpose | Examples
--- | --- | ---
UniqueID | A unique ID that you provide. | Managers (others might be Secretaries, or Assistants)
displayName | To generate a displayName for each group that will involve the attribute that defines the group. | People managed by {attribute}
defType | The type of attribute group. | linked
Attribute | The attribute that you want to use in the displayName field. The value used in each case is for the pointed-at object. | displayName so that the displayName of the manager is used (others might be sn, cn, or sAMAccountname).
linkAttribute | A choice from any reference member attributes in the metaverse. | manager (others might be secretary or assistant).
linkAttributeKey | The linked person attribute that the linkAttribute points to. | employeeID (or other unique key).
Group Type | The type of Active Directory group (MIIS 2003 selects the closest match in Lotus Notes). | Combinations of: Security or Distribution List; Universal, Global, or Domain Local.
Mail | Whether mail-enabled or not. | (Selected or cleared)

Figure B.6. The Attribute Group Definition page

Click Update to complete or add any others, and then click Back to Group Definitions. This page will not yet reflect your attribute groups—they must first be generated (see the "Generating and Provisioning Groups" section later in this appendix). After they have been generated, they will appear when you enter a query on the startup page, and select Include attribute based groups.

Figure B.7. A Group Definitions window that displays both simple and attribute-based groups

You cannot edit or delete attribute groups through the Web application. You manage them by running the Group Populator program.
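How Group Populator turns the definitions in Tables B.2 and B.3 into generated groups, as an added example (this is not the solution's own Group Populator code): a 'single' definition yields one group per distinct value of the named metaverse attribute, a 'linked' definition yields one group per object that other objects point at through the reference attribute, with the group named after an attribute of the pointed-at object, and a group whose value no longer occurs disappears on regeneration. It also models the /r behaviour described under "Generating and Provisioning Groups" by regenerating only the named definitions. The metaverse sample, the objectUID composition (uniqueGroupID plus the attribute value, as Table B.7 describes) and the handling of empty or dangling references are constructed assumptions.

```python
"""Attribute-group and reference-attribute-group generation.

Added example modelling the Group Populator behaviour the appendix describes.
Definition dictionaries mirror the fields of Tables B.2 (defType 'single') and
B.3 (defType 'linked'); the metaverse sample is constructed."""

# Constructed metaverse person objects (metaverse object-id -> attributes).
METAVERSE = {
    "mv-1": {"employeeID": "1001", "displayName": "Ann Adams", "department": "Sales", "manager": None},
    "mv-2": {"employeeID": "1002", "displayName": "Bob Brown", "department": "Engineering", "manager": "1001"},
    "mv-3": {"employeeID": "1003", "displayName": "Cal Clark", "department": "Sales", "manager": "1001"},
    "mv-4": {"employeeID": "1004", "displayName": "Dee Diaz", "department": "Engineering", "manager": "1002"},
}

# Definitions in the shape of Table B.2 (single) and Table B.3 (linked).
DEFINITIONS = [
    {"uniqueGroupID": "departments", "defType": "single",
     "attribute": "department", "displayName": "People in department {attributeValue}"},
    {"uniqueGroupID": "managers", "defType": "linked",
     "attribute": "displayName", "linkAttribute": "manager", "linkAttributeKey": "employeeID",
     "displayName": "People managed by {attributeValue}"},
]


def _new_group(uid, template, value):
    """A generated group row: groupAutoUID ties it back to its definition."""
    return {"groupAutoUID": uid, "displayName": template.replace("{attributeValue}", str(value)), "members": []}


def generate_groups(definition, metaverse):
    """Return {objectUID: group} for one definition, where objectUID is the
    uniqueGroupID joined with the attribute value (assumed composition)."""
    uid, template = definition["uniqueGroupID"], definition["displayName"]
    groups = {}
    if definition["defType"] == "single":
        attr = definition["attribute"]
        for mv_id, person in metaverse.items():
            value = person.get(attr)
            if value in (None, ""):
                continue  # no value: the person belongs to no group in this family
            group = groups.setdefault(f"{uid}-{value}", _new_group(uid, template, value))
            group["members"].append(mv_id)
    elif definition["defType"] == "linked":
        link_attr, link_key = definition["linkAttribute"], definition["linkAttributeKey"]
        name_attr = definition["attribute"]
        # Index the pointed-at objects by linkAttributeKey so references resolve.
        by_key = {p[link_key]: p for p in metaverse.values() if p.get(link_key)}
        for mv_id, person in metaverse.items():
            target = by_key.get(person.get(link_attr))
            if target is None:
                continue  # empty or dangling reference: no group is created for it
            group = groups.setdefault(f"{uid}-{target[link_key]}", _new_group(uid, template, target[name_attr]))
            group["members"].append(mv_id)
    else:
        raise ValueError(f"unknown defType {definition['defType']!r}")
    return groups


def regenerate(definitions, metaverse, existing, regenerate_ids):
    """Model the /r switch: only the definitions named in regenerate_ids are
    rebuilt from the current metaverse, so a group whose value disappeared
    (an emptied department) is dropped; groups from other definitions in
    `existing` are kept untouched. Returns the new table of generated groups."""
    result = {k: v for k, v in existing.items() if v["groupAutoUID"] not in regenerate_ids}
    for definition in definitions:
        if definition["uniqueGroupID"] in regenerate_ids:
            result.update(generate_groups(definition, metaverse))
    return result


if __name__ == "__main__":
    table = {}
    for d in DEFINITIONS:
        table.update(generate_groups(d, METAVERSE))
    for object_uid, group in table.items():
        print(object_uid, "|", group["displayName"], "|", group["members"])
```

A practical consequence visible in the linked case: a manager whose employeeID changes or whose record leaves the metaverse makes the reports' references dangle, and the manager group disappears on the next regeneration rather than lingering with stale members.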

Generating and Provisioning Groups

To generate and provision groups, a batch (.cmd) file is provided with this solution (usually located in C:\GroupManagement). The batch file runs the Group Populator and then instructs MIIS 2003 to perform the correct runs to provision your groups. It checks for any errors after each step and stops if it detects one. It also truncates the delta tables. To optimize performance, the Group Management application presents only changes (deltas) to MIIS 2003 rather than all groups.

The command line that runs the Group Populator looks something like the following example:

groupPopulator.exe /r:managers,locations,departments,titles /p

The /r switch instructs the Group Populator to regenerate the indicated attribute groups. These group names are the unique IDs that you specified in the UI when you defined your attribute groups. For everyday operation, you may decide to modify this command file. For example, you may decide not to keep regenerating the attribute groups (which would be time-consuming in a large organization). You could use a version of this batch file without the /r switch for your regular run cycle for MIIS 2003. You also could run the batch file in its original form (with the /r switch) periodically to ensure that any necessary regeneration takes place.

The remainder of the batch file uses the MIIS 2003 WMI interface to perform the MA runs required to synchronize the groups and their memberships with the target directories. This involves the import and synchronization of the group management MA, and export of the Intranet Active Directory and Lotus Notes MAs. Another line truncates the delta tables as in the following example:

osql -S localhost -E -n -b -i "TruncateDeltaTable.sql"

If an error occurs, the batch file will stop. Examine any errors that do occur and take appropriate action to correct them.

Disabling Groups

You can clear the Enabled field for an ordinary group. This will cause the group to be deprovisioned, but the application will retain the group definition in case you want to enable it again.

Table Definitions

It is not practical to provide a full technical guide for the Group Management Web application. However, the description of the database tables in this section may be of value to developers.

The Attribute Group Definitions Table

This table stores information about attribute-based group definitions.

Table B.4. attributeGroupDefinitions Table

Column name | Data type | Length | Null allowed | Description
--- | --- | --- | --- | ---
objectUID | varchar | 64 | No | A unique identifier for the attribute group definition, randomly generated when the definition is initially created.
uniqueGroupID | varchar | 256 | Yes | A friendly name that uniquely identifies the group definition. This name is specified after the /r switch when you run groupPopulator.exe.
displayName | varchar | 256 | Yes | The structure of the friendly name for each group that is generated from these definitions in the target directories. Each entry in this column must contain the literal string {attributeValue}.
attributeGroupType | varchar | 256 | Yes | Specifies whether the definition relies on reference attributes within MIIS 2003 to create groups ('linked') or not ('single').
attribute | varchar | 256 | Yes | The metaverse attribute that is used to generate the group definitions.
linkAttribute | varchar | 256 | Yes | The reference attribute used to generate the group definitions (for the linked groupType only).
linkAttributeKey | varchar | 256 | Yes | The attribute key that generates the group definitions (for the linked groupType only).
groupType | int | | Yes | Defines the type of group that will be created in the target directories based on the Active Directory groupType attribute.
mailEnabled | varchar | 256 | Yes | Defines whether groups generated from this definition are mail enabled (true/false).

The Clause Definitions Table

This table stores clause information for the groups so that you can optionally share clauses between groups.

Table B.5. clauseDefinitions Table

Column name | Data type | Length | Null allowed | Description
--- | --- | --- | --- | ---
objectUID | varchar | 64 | No | Links the clause to the group definition.
clauseAutoUID | varchar | 256 | Yes | Links the clause to the attribute generated group definitions.
clauseType | varchar | 64 | No | Identifies whether the clause was generated from an attribute group definition or a standard definition.
Clause | varchar | 5120 | Yes | Defines the clause used to query the metaverse for group members.

The Exception Definitions Table

This table stores a record for each metaverse object that has had an exception defined for it.

Table B.6. exceptionDefinitions Table

Column name | Data type | Length | Null allowed | Description
--- | --- | --- | --- | ---
objectUID | varchar | 64 | No | Ties the exception to a group.
exceptType | varchar | 64 | Yes | Defines whether the user is included or excluded.
mvObjectUID | varchar | 64 | Yes | The object-id from the metaverse of the object defined as an exception.

The Group Definitions Table

This is the main table that stores the group and person objects that MIIS 2003 imports.

Table B.7. groupDefinitions Table

| Column name | Data type | Length | Null allowed | Description |
| --- | --- | --- | --- | --- |
| objectUID | varchar | 256 | No | A unique identifier. Standard group: a generated globally unique identifier (GUID). Group generated by an attribute group definition: the uniqueGroupID (Table 1) combined with the metaverse attribute value. Person: the metaverse object-id. |
| groupAutoUID | varchar | 256 | Yes | The friendly name that associates the group with the attribute group definition used to generate it. |
| objectType | varchar | 64 | Yes | The type of object (group, groupAuto or person). |
| displayName | varchar | 256 | Yes | The group name used in the target directories. |
| description | varchar | 256 | Yes | The group description used in the target directories. |
| clauseLink | varchar | 64 | Yes | A link to the clause definitions table. If the clauseLink is not the same as the objectUID, the group shares a clause with another group. |
| enabledFlag | varchar | 64 | Yes | If set to enabled, the definition results in group creation in the target directories. If disabled, the groups are removed from the target directories. |
| maxExcept | varchar | 64 | Yes | The maximum number of manual exceptions that can be applied before a warning appears. This number cannot be set through the graphical user interface (GUI). |
| preserveMembers | int | | Yes | The number of days to automatically preserve members after they would otherwise be deleted from a group. |
| groupType | int | | Yes | The group type that will be created in the target directories (based on the Active Directory groupType attribute). |
| mailNickName | varchar | 256 | Yes | If set, the group will be mail enabled and will use this value for the alias. |

The Group Definitions Delta Table

This table stores all of the group and person objects that MIIS 2003 uses during a delta import. Its structure is the same as that of Table 7, with three additional columns.

Table B.8. groupDefinitions_delta Table

| Column name | Data type | Length | Null allowed | Description |
| --- | --- | --- | --- | --- |
| objectUID | varchar | 256 | No | See Table 7 |
| groupAutoUID | varchar | 256 | Yes | See Table 7 |
| objectType | varchar | 64 | Yes | See Table 7 |
| displayName | varchar | 256 | Yes | See Table 7 |
| description | varchar | 256 | Yes | See Table 7 |
| clauseLink | varchar | 64 | Yes | See Table 7 |
| enabledFlag | varchar | 64 | Yes | See Table 7 |
| maxExcept | varchar | 64 | Yes | See Table 7 |
| preserveMembers | int | | Yes | See Table 7 |
| groupType | int | | Yes | See Table 7 |
| mailNickName | varchar | 256 | Yes | See Table 7 |
| attributeName | varchar | 64 | Yes | If the value for changeType is Modify_Attribute, this column specifies the name of the attribute that was modified. |
| changeTime | datetime | | Yes | The time that the change was entered into the delta table, which is used to sort the view for the MIIS 2003 import. |
| changeType | varchar | 64 | Yes | The type of delta change (Add, Modify, Delete, Modify_Attribute). |

The Member Definitions Table

This table holds a record for each member of each group. It cross-references people and objects in Table 7. It is specified in MIIS 2003 as the multivalued attribute table.

Table B.9. memberDefinitions Table

| Column name | Data type | Length | Null allowed | Description |
| --- | --- | --- | --- | --- |
| objectUID | varchar | 64 | No | The unique identifier of the group (Table 7 foreign key). |
| objectType | varchar | 64 | Yes | The attribute name (in this solution it is always set to "member"). |
| mvObjectUID | varchar | 64 | Yes | The unique identifier of the person that is a member of the group (Table 7 foreign key). |

The Member Definitions Temporary Table

This table is a backup of the memberDefinitions table. The application compares the current membership against this previous state to determine changes in group membership, which in turn generate the delta table. It has the same structure as the memberDefinitions table.

Table B.10. memberDefinitions_temp Table

| Column name | Data type | Length | Null allowed | Description |
| --- | --- | --- | --- | --- |
| objectUID | varchar | 64 | No | The unique identifier of the group (Table 7 foreign key). |
| objectType | varchar | 64 | Yes | The attribute name (in this solution it is always set to "member"). |
| mvObjectUID | varchar | 64 | Yes | The unique identifier of the person that is a member (Table 7 foreign key). |

The Staging Definitions Table

This table stores SQL statements for future execution. It is primarily used to complete processes related to preserved members.

Table B.11. stagingDefinitions Table

| Column name | Data type | Length | Null allowed | Description |
| --- | --- | --- | --- | --- |
| executeDateTime | datetime | | Yes | The date and time to execute the sqlCommand. |
| sqlCommand | varchar | 5120 | Yes | A SQL-formatted statement that will perform a transaction in the future to complete processes related to preserved members. |
| comment | varchar | 2048 | Yes | Used to pass information along with the sqlCommand into the code. |
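An added example, not code from the paper or its sample application, of how Tables B.8 to B.11 work together: memberDefinitions is compared with its memberDefinitions_temp backup, changed groups get a delta row, and members removed from a group with preserveMembers > 0 are kept while their removal is staged in stagingDefinitions. SQLite stands in for SQL Server, the schema is trimmed to the columns used, and the encoding of a membership change as changeType Modify_Attribute with attributeName 'member', plus the use of the comment column to carry the bound parameters of a parameterised sqlCommand, are assumptions of this example.

```python
import json
import sqlite3
from datetime import datetime, timedelta
SCHEMA = """-- constructed schema: only the Appendix B columns this example needs, in SQLite types
CREATE TABLE groupDefinitions (objectUID TEXT NOT NULL, displayName TEXT, preserveMembers INTEGER);
CREATE TABLE memberDefinitions (objectUID TEXT NOT NULL, objectType TEXT, mvObjectUID TEXT);
CREATE TABLE memberDefinitions_temp (objectUID TEXT NOT NULL, objectType TEXT, mvObjectUID TEXT);
CREATE TABLE groupDefinitions_delta (objectUID TEXT NOT NULL, attributeName TEXT, changeTime TEXT, changeType TEXT);
CREATE TABLE stagingDefinitions (executeDateTime TEXT, sqlCommand TEXT, comment TEXT);"""
DIFF = """SELECT a.objectUID, a.mvObjectUID FROM {a} a LEFT JOIN {b} b  -- members of {a} missing from {b}
          ON b.objectUID = a.objectUID AND b.mvObjectUID = a.mvObjectUID WHERE b.mvObjectUID IS NULL"""
DELTA_ROW = "INSERT INTO groupDefinitions_delta VALUES (?, 'member', ?, 'Modify_Attribute')"

def generate_delta(conn, now):
    """Diff memberDefinitions against its memberDefinitions_temp backup; return the groups MIIS must re-read."""
    changed = {g for g, _ in conn.execute(DIFF.format(a="memberDefinitions", b="memberDefinitions_temp"))}
    for group, member in conn.execute(DIFF.format(a="memberDefinitions_temp", b="memberDefinitions")).fetchall():
        days = (conn.execute("SELECT preserveMembers FROM groupDefinitions WHERE objectUID = ?", (group,)).fetchone() or (0,))[0] or 0
        if days > 0:
            # Grace period: keep the member for MIIS now; stage the later removal from the current table, from the
            # backup (otherwise the next diff would re-preserve the member) and the delta row, as parameterised SQL.
            conn.execute("INSERT INTO memberDefinitions VALUES (?, 'member', ?)", (group, member))
            due = (now + timedelta(days=days)).isoformat()
            for sql, params in [(f"DELETE FROM {t} WHERE objectUID = ? AND mvObjectUID = ?", [group, member])
                                for t in ("memberDefinitions", "memberDefinitions_temp")] + [(DELTA_ROW, [group, due])]:
                conn.execute("INSERT INTO stagingDefinitions VALUES (?, ?, ?)", (due, sql, json.dumps(params)))
        else:
            changed.add(group)
    conn.executemany(DELTA_ROW, [(g, now.isoformat()) for g in sorted(changed)])
    conn.executescript("DELETE FROM memberDefinitions_temp; INSERT INTO memberDefinitions_temp SELECT * FROM memberDefinitions;")
    return sorted(changed)

def run_due_staging(conn, now):
    # Execute staged sqlCommands whose executeDateTime has passed; the bound parameters travel in 'comment'.
    due = conn.execute("SELECT rowid, sqlCommand, comment FROM stagingDefinitions WHERE executeDateTime <= ?", (now.isoformat(),)).fetchall()
    for rowid, sql, params in due:
        conn.execute(sql, json.loads(params))  # parameters are bound, never concatenated into the statement text
        conn.execute("DELETE FROM stagingDefinitions WHERE rowid = ?", (rowid,))
    return len(due)

def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample: g1 preserves removed members for 7 days, g2 does not
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO groupDefinitions VALUES (?, ?, ?)", [("g1", "Finance-Users", 7), ("g2", "Finance-Admins", 0)])
    conn.executemany("INSERT INTO memberDefinitions_temp VALUES (?, 'member', ?)", [("g1", "p1"), ("g1", "p2"), ("g2", "p3")])
    conn.executemany("INSERT INTO memberDefinitions VALUES (?, 'member', ?)", [("g1", "p1"), ("g2", "p3"), ("g2", "p4")])
    t0 = datetime(2005, 1, 1)
    changed = generate_delta(conn, t0)  # only g2 changes now; g1's removal of p2 is preserved for 7 days
    ran = [run_due_staging(conn, t0 + timedelta(days=d)) for d in (3, 8)]  # nothing is due at day 3
    deltas = conn.execute("SELECT objectUID, changeType FROM groupDefinitions_delta ORDER BY changeTime").fetchall()
    return changed, ran, deltas
```

Running demo() shows the delta row for g1 appearing only once the preserve period has elapsed and the staged statements have executed.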