Today's large organizations often have complex and poorly designed processes for provisioning network users with the information and access they need. For example, in some organizations, it can take up to two weeks before new information workers can access e-mail and the applications that they need for their jobs. The manual, task-intensive processes that are typically involved in identity provisioning add overhead, delay employee productivity, and often lead to a network environment that is not secure.
This paper discusses how to provision identities automatically into multiple directories and identity stores in a heterogeneous environment. It also discusses managing security and e-mail group memberships, and describes a workflow process that can extend automated processes.
You can use the information in this paper to enable the automated administration of user identities and reduce costs while you increase the availability and security of information resources. This paper also provides detailed configuration tasks that you can use to achieve these results by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).
Organizations store identity information in numerous repositories, or data stores. Using a product that includes metadirectory functionality allows you to synchronize existing data so that it is consistent across these stores. The Identity Aggregation and Synchronization paper, which is part of this series, describes this synchronization capability in detail. The provisioning challenge is to use technology to automate the addition of new identities to these stores. Deprovisioning, which refers to processes that remove and disable accounts at the end of an identity object's life cycle, is closely related to this challenge. Your environment might require workflow processes to provide discretionary input to provisioning tasks, for example in cases that involve security-oriented or special-purpose requirements.
The manual administration of provisioning tasks is slow and typically does not enforce policies for access and authorization in a consistent manner. Without reliable, automated processes it will often not be practical even to attempt to implement all desirable policies.
The business challenges that relate to provisioning include how to:
The business benefits that organizations can achieve through efficient, largely automated administrative processes for provisioning and deprovisioning based on reliable technologies include:
The intended audience for this paper includes system architects, IT professionals, managers, technical decision makers, and consultants involved in identity life cycle management efforts.
This paper assumes that readers have a moderate knowledge of the identity and access management concepts and technologies described in the Fundamental Concepts paper in this series.
To implement any of the solutions in this paper, readers should understand the infrastructure described and implemented in the Platform and Infrastructure paper in this series. In addition, implementing the solutions in this paper requires the following prerequisites:
To properly understand the solution, it is also helpful to know Microsoft Visual C#® and Visual Basic® .NET, as well as MIIS 2003 with SP1.
This paper explains how you can design, plan, build, and operate provisioning and workflow solutions by using the following technologies:
In addition to a general discussion of provisioning and workflow approaches, this paper also provides detailed prescriptive guidance on implementing solutions based on three typical scenarios for Contoso Pharmaceuticals, a fictitious organization.
In this scenario, synchronizing identity information is only part of the required solution for Contoso. In addition to enabling a comprehensive view of its users, the company needs a provisioning solution. Data that resides in Contoso's mySAP ERP Human Capital Management system (SAP HR system) drives this solution to initiate automated provisioning operations.
This scenario describes how Contoso implements automated full-time employee account provisioning using MIIS 2003 with SP1.
Tools and Templates
You can use a set of configuration files, source code, scripts, and other data files to quickly and effectively implement the solution for this scenario.
In this scenario, Contoso manages the following groups in its environment:
Historically, Contoso has found it difficult to both place users in the appropriate groups during the provisioning process, and manage groups as users change roles, positions, and locations during their careers. This situation has led to user frustration, increased help desk call volume, and inappropriate access granted to some users.
This scenario describes how Contoso implements automated group management in its environment by using a group management application.
Tools and Templates
A sample Group Management Web application is provided in this scenario. The application can provide a solution for simple cases, and you can extend it for more complex ones. Contoso developed this tool to provide the following additional functionality:
In this scenario, although the Contoso SAP HR system is considered the authoritative source for full-time employees, department managers hire contractors on a case-by-case basis. Because there is not an authoritative data source to drive fully automated provisioning for contractors, Contoso requires managers to use a separate mechanism to request contractor accounts. To provide adequate security and safeguards for accounts, members of the IT administrators group must approve all such provisioning requests. This scenario describes how Contoso implements a Web application to provision contractor accounts. The application includes simple workflow capability.
Tools and Templates
The sample workflow-driven provisioning application provides the following functionality:
Useful configuration and other data files are also provided in this scenario.
Chapters 3 through 7 in this paper provide design and implementation details for the following three scenarios:
This paper includes the following seven chapters:
Chapter 1: Introduction
This chapter provides an executive summary, introduces the business challenges and benefits, suggests the recommended audience for the paper, lists reader prerequisites, and provides an overview of the chapters and scenarios in the paper.
Chapter 2: Approaches to Provisioning and Workflow
This chapter builds on the information provided in the Fundamental Concepts and Identity Aggregation and Synchronization papers in this series. It discusses approaches to provisioning, group management, and workflow.
Chapter 3: Issues and Requirements
This chapter defines the background, technology, security issues, and requirements for the HR-Driven Provisioning, Group Management, and Self-Service Provisioning scenarios. Contoso Pharmaceuticals, a fictitious organization, is used to illustrate the scenarios.
Chapter 4: Designing the Solution
This chapter highlights the key elements of the solution for each scenario; introduces the concepts, prerequisites, and architecture; and discusses how the proposed solution addresses the initial requirements.
Chapter 5: Implementing the Solution
This chapter builds on the infrastructure described in the Platform and Infrastructure and Identity Aggregation and Synchronization papers in this series to provide implementation details for the scenarios discussed in this paper. It also includes step-by-step configuration instructions.
Chapter 6: Testing the Solution
This chapter describes how to validate the implemented solution, including some troubleshooting steps to overcome common implementation challenges.
Chapter 7: Operational Considerations
This chapter discusses ongoing operational activities that must occur to ensure the continued success of the solution for each scenario.
Large organizations typically have dozens of data stores for identity information. The Identity Aggregation and Synchronization paper in this series addresses the challenge of aggregating and synchronizing identity information that already exists in such data stores. Readers of this Provisioning and Workflow paper should be familiar with the information in the Identity Aggregation and Synchronization paper.
The Provisioning and Workflow paper focuses on provisioning new identity information to data stores. This chapter explores various approaches to provisioning, and the closely associated processes for deprovisioning, group management, and workflow. Subsequent chapters in this paper describe how these approaches address the three scenarios identified in Chapter 1, "Introduction."
New employees need physical objects such as a phone, a desk, and an ID card to do their work. In addition to these physical objects, there are many collections of digital information that describe who the employee is and define the employee's roles and entitlements within the organization. The allocation of these objects and creation of the digital identity information that enables services for a user is known as provisioning.
Other papers in this series have discussed digital identity information that is not related to people. However, this paper focuses primarily on provisioning people-related identity information.
Many individuals who are not employees of an organization also need provisioning, such as business partners, vendors, and customers. However, this paper focuses on the special needs of provisioning employees and contractors. The following section introduces various aspects of provisioning digital identity information in an organization.
The life cycle of an identity, and therefore of identity information, comprises three main steps:
When the life cycle of a new identity starts (such as when an employee joins an organization), information that describes the person is typically provisioned into a human resources (HR) system, operating system directories, application directories, and so on.
From these resources, additional information that describes the identity's roles and entitlements within the organization is created. For example, a person's job title may be used to determine membership of a group, which entitles the person to access non-public information.
The initial information that is collected and distributed about a person in an organization undergoes modification throughout the full cycle of the relationship between the person and organization.
The Identity Aggregation and Synchronization paper in this series discusses ways to synchronize identity information between different data stores. However, when you create new information that describes a user, or group of users, it is typically called a provisioning process, not a synchronization process. This is a subtle but very important point.
For example, during an employee's relationship with an organization, the employee might be promoted into a new position that entails new roles and responsibilities. When this occurs, the employee's identity information must be reprovisioned to reflect the person's new entitlements. To reflect the unique relationship between a person and her new team or department, you might have to provision new accounts and other data objects in various data stores.
When an identity reaches the end of its life cycle, the accounts that correspond to it must be removed or disabled. Accounts that are not deprovisioned in a timely and accurate manner present a security risk, and potentially make the organization liable from a regulatory compliance perspective. In addition, outdated identity information inhibits efficient business processes and may create legal exposure.
For example, when an employee permanently leaves an organization, someone in the organization will have to access the employee's record in the HR database, the person's account in any operating system directories, and corresponding information held in any other identity stores. In each case, you must decide which of the following actions to take:
You might need to disable an account temporarily during an identity's life cycle. However, temporary account disabling is generally considered maintenance, not deprovisioning. Of course the convenience of being able to reactivate a temporarily disabled account has to be balanced against other considerations such as security risk.
When you delete an account from a data store, this might also remove valuable history information. And deleted or disabled accounts might not be properly removed from the groups or distribution lists to which they formerly belonged unless the groups or lists are automatically updated.
There are reasons for disabling rather than deleting some accounts. For example, in the case of an account that uses the Active Directory® directory service, you might not want to lose the account security identifier (SID). This is because you might need to reactivate the account. And for an e-mail directory, you might want to retain an account to forward e-mail but disable access to it.
Disabled accounts are typically placed in their own organizational unit (OU) so that you can easily locate them and not confuse them with active accounts.
Disabling an account first and deleting it only later protects against accidental deletion, which can result from an erroneous edit in an HR application: a disabled account can simply be re-enabled, whereas a deleted one cannot.
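The disable-first, delete-later policy described above, as an added example that is not code from this paper or from MIIS 2003. The in-memory directory, the HR feed rows, the holding OU name and the 90-day retention period are all constructed for the illustration. It shows the three points the text makes: the object and its SID survive a disable so an erroneous HR termination can be reversed, stale group memberships are removed at disable time, and deletion happens only once the retention window has passed.

```python
"""Deprovisioning model: disable first, hold in a dedicated OU, delete later.

Added illustration for this section; it is not code from the paper or from
MIIS 2003. The directory, HR feed, OU names and retention period below are
constructed for the example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

DISABLED_OU = "OU=Disabled Accounts,DC=contoso,DC=com"   # assumed holding OU
RETENTION_DAYS = 90                                      # assumed grace period before deletion


@dataclass
class Account:
    sam: str
    sid: str                        # identifier that must survive a disable
    ou: str
    enabled: bool = True
    groups: set = field(default_factory=set)
    forward_to: Optional[str] = None
    disabled_on: Optional[date] = None


class DirectoryStore:
    """Toy directory: accounts keyed by logon name plus an audit trail."""

    def __init__(self):
        self.accounts = {}
        self.audit = []                  # (date, action, logon, detail)

    def add(self, acct):
        self.accounts[acct.sam] = acct

    def disable(self, sam, today, forward_to=None):
        """Step 1: disable, strip group entitlements, keep the object and its SID."""
        acct = self.accounts[sam]
        if not acct.enabled:
            return acct
        acct.enabled = False
        acct.disabled_on = today
        acct.ou = DISABLED_OU
        removed = sorted(acct.groups)
        acct.groups.clear()              # groups must not keep the stale member
        acct.forward_to = forward_to     # mail can still be redirected
        self.audit.append((today, "disable", sam, f"removed from {removed}"))
        return acct

    def reactivate(self, sam, today, ou):
        """Undo a disable (e.g. the HR termination was an erroneous edit)."""
        acct = self.accounts[sam]
        acct.enabled, acct.disabled_on = True, None
        acct.ou, acct.forward_to = ou, None
        self.audit.append((today, "reactivate", sam, ""))
        return acct

    def purge_expired(self, today):
        """Step 2: delete only accounts disabled longer than the retention window."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        expired = sorted(s for s, a in self.accounts.items()
                         if not a.enabled and a.disabled_on is not None
                         and a.disabled_on <= cutoff)
        for sam in expired:
            del self.accounts[sam]
            self.audit.append((today, "delete", sam, ""))
        return expired


def apply_hr_feed(store, hr_rows, today):
    """Drive the directory from HR status: 'terminated' disables, 'active' re-enables
    an account that is still in the holding OU. Returns the logon names touched."""
    touched = []
    for row in hr_rows:
        acct = store.accounts.get(row["sam"])
        if acct is None:
            continue
        if row["status"] == "terminated" and acct.enabled:
            store.disable(row["sam"], today, forward_to=row.get("manager_mail"))
            touched.append(row["sam"])
        elif row["status"] == "active" and not acct.enabled:
            store.reactivate(row["sam"], today, row["ou"])
            touched.append(row["sam"])
    return touched


def purge_schedule(store, day0):
    """Run the purge at +60 and +91 days to show it fires only after retention."""
    return (store.purge_expired(day0 + timedelta(days=60)),
            store.purge_expired(day0 + timedelta(days=91)))


def demo():
    """Constructed walk-through: one genuine leaver, one termination that HR corrects."""
    store = DirectoryStore()
    store.add(Account("asmith", "S-1-5-21-1-1-1001", "OU=Sales,DC=contoso,DC=com",
                      groups={"All Sales", "VPN Users"}))
    store.add(Account("bjones", "S-1-5-21-1-1-1002", "OU=Research,DC=contoso,DC=com",
                      groups={"Lab Access"}))
    day0 = date(2024, 1, 1)
    apply_hr_feed(store, [
        {"sam": "asmith", "status": "terminated", "manager_mail": "mgr@contoso.com"},
        {"sam": "bjones", "status": "terminated"},
    ], day0)
    # HR corrects bjones the next day; the object and SID are still there to re-enable.
    apply_hr_feed(store, [{"sam": "bjones", "status": "active",
                           "ou": "OU=Research,DC=contoso,DC=com"}], day0 + timedelta(days=1))
    return store, day0
```

Note that reactivation deliberately does not restore the removed group memberships; in a data-driven design those are recomputed by the group management rules from the user's current attributes rather than from history.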
Appropriate technology products can provide highly effective solutions to address the challenges associated with provisioning. These products can save time and money, enhance security, improve regulatory compliance, and increase productivity.
The subsequent sections describe using technology for automated provisioning, management, and deprovisioning, specifically:
You are unlikely to ever deal with a brand new organization when implementing identity information provisioning. Any organization will likely have processes in place that might be manual or that employ various kinds of technology.
When you start a project that involves applying technology to solve problems related to identity life cycle management, first carefully assess the existing business processes. Plan to implement technology that provides at least the existing levels of functionality. However, you should also seek opportunities to streamline and improve, or even replace processes to gain maximum benefit from the technology that you use.
A major challenge when implementing a technology solution is to identify these opportunities. Often existing manual processes are not properly formalized, and many organizations do not know what processes they are using. Analyzing the existing situation often reveals unreliable, wasteful, or even unnecessary activities. Clear process definition is a vital precursor to design and implementation.
For more information about process definition, see the MIIS 2003 Design and Planning Collection.
As you analyze existing processes, also identify the data sources that are available. The triggering event for provisioning is typically the creation of a new account in a particular authoritative data source. This source will be authoritative for some attributes but might not be for all attributes. Any data source can hold authoritative attribute values, and synchronization ensures that these values flow correctly as described in the Identity Aggregation and Synchronization paper in this series.
It is possible for more than one data source to be authoritative, but this is not often the case. It is also very likely that more information is stored in these data sources than required for provisioning purposes. This section describes some typical provisioning data sources, and then discusses how you might extract a data subset.
Many organizations treat their HR system as a primary authority. The HR department is often the first to know about an employee's hiring or departure. Access to this data is often limited because of legal constraints, privacy and security concerns, interdepartmental politics, or limitations of the HR system.
Sometimes the mechanism used to retrieve data from the HR system introduces delays in provisioning accounts or updating information. For example, a nightly extract to a text file can delay provisioning of a new account by up to 24 hours, while a "live" database view into the relevant HR tables and attributes may significantly reduce this delay.
Some organizations are organized around their IT departments. In such cases, a directory service such as Active Directory might be the first data source in which a new user appears or is disabled. Access might be restricted to read-only.
In some cases you might not be able to identify an existing primary authoritative data source for provisioning and deprovisioning actions. In these cases, it might be appropriate to introduce a dedicated data source. Identities are then added through a suitable user interface (UI) and stored in this new data source, which then becomes the driver for provisioning.
Whatever the nature of the data source, it is likely to contain some objects that should be ignored for provisioning and deprovisioning purposes, such as service accounts in a directory or records in an HR system of employees who have left the organization. All objects might have more attributes than are needed. So a filtering method is required to select the required data subset.
As changes arise, the identity management system must import the changes and take appropriate actions. The most efficient import process is one that imports only objects and attributes that have changed. To achieve this, a data source must be able to support such "delta" imports by providing this special subset of data.
Filtering
Some data sources provide filtered views, or the ability to specify a selection of containers or OUs for import. Others might only be capable of providing a full information report. In this case, the identity management system must provide filtering capability. You should assess the impact of the unnecessary traffic and the processing resources it requires.
Delta Imports
The most economical import is one that includes only the identity information that has changed since the last import. For such "delta" imports to work, both the data sources and the identity management systems must support them, and not all data sources do. This factor has a large impact on performance. For this reason, ensure that the identity life-cycle management system that you choose can manage both situations optimally.
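The "Filtering" and "Delta Imports" points above, as an added example that is not code from this paper or from MIIS 2003. It assumes a data source that can only produce a full export (the case where the identity management system itself must filter), so the filtering and the delta calculation both happen on the consuming side. The HR rows, the `account_type`/`status` attribute names and the list of wanted attributes are constructed for the illustration. Two details worth noticing: a record that stops matching the filter (status changed to `left`) surfaces as a delete, which is what downstream deprovisioning needs to see, and attributes the provisioning process does not need (the constructed `ssn` field) never leave the filter.

```python
"""Filtering a full HR export to the provisioning subset and deriving a delta
against the previous import.

Added illustration; not code from the paper or MIIS 2003. The HR rows and
attribute names (employee_id, account_type, status, ...) are constructed here."""

WANTED_ATTRS = ("employee_id", "given_name", "surname", "department", "title")


def in_scope(row):
    """Filter rule: only person records that have not already left the company."""
    return row.get("account_type") == "person" and row.get("status") != "left"


def filtered_view(rows):
    """Apply the filter and keep only the attributes provisioning needs, keyed by id."""
    return {r["employee_id"]: {k: r.get(k) for k in WANTED_ATTRS}
            for r in rows if in_scope(r)}


def compute_delta(previous, current):
    """Compare two filtered views. Returns (adds, updates, deletes).

    A record that falls out of the filter (status changed to 'left') appears
    as a delete, which is the trigger for deprovisioning downstream; a record
    present in both views with different values appears as an update listing
    only the attributes that changed."""
    adds = {k: v for k, v in current.items() if k not in previous}
    deletes = sorted(k for k in previous if k not in current)
    updates = {}
    for k in sorted(current.keys() & previous.keys()):
        changed = {a: current[k][a] for a in WANTED_ATTRS
                   if current[k][a] != previous[k][a]}
        if changed:
            updates[k] = changed
    return adds, updates, deletes


# Constructed sample: yesterday's and today's full export of the same HR table.
PREVIOUS_EXPORT = [
    {"employee_id": "1001", "account_type": "person", "given_name": "Alice", "surname": "Smith",
     "department": "Sales", "title": "Sales Representative", "status": "active", "ssn": "REDACTED"},
    {"employee_id": "1002", "account_type": "person", "given_name": "Bob", "surname": "Jones",
     "department": "Research", "title": "Chemist", "status": "active", "ssn": "REDACTED"},
    {"employee_id": "svc-backup", "account_type": "service", "department": "IT", "status": "active"},
]
CURRENT_EXPORT = [
    {"employee_id": "1001", "account_type": "person", "given_name": "Alice", "surname": "Smith",
     "department": "Sales", "title": "Senior Sales Representative", "status": "active", "ssn": "REDACTED"},
    {"employee_id": "1002", "account_type": "person", "given_name": "Bob", "surname": "Jones",
     "department": "Research", "title": "Chemist", "status": "left", "ssn": "REDACTED"},
    {"employee_id": "svc-backup", "account_type": "service", "department": "IT", "status": "active"},
    {"employee_id": "1003", "account_type": "person", "given_name": "Dan", "surname": "Lee",
     "department": "Sales", "title": "Sales Representative", "status": "active", "ssn": "REDACTED"},
]


def run_delta_import():
    """Full export in, delta out: only the changed objects reach the sync engine."""
    return compute_delta(filtered_view(PREVIOUS_EXPORT), filtered_view(CURRENT_EXPORT))
```

When the data source can produce its own delta, the `compute_delta` step disappears and only the filter remains; the shape of what reaches the synchronization engine (adds, updates with changed attributes only, deletes) is the same either way.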
After you understand the existing processes in the organization, and have identified the data sources, you can start to consider what might be the most appropriate solution approach. Common approaches to identity life-cycle management include the following:
The following subsections provide information about each of these approaches.
Manual administration is the default mechanism that the Identity Aggregation and Synchronization paper in this series describes in detail.
This approach requires that someone must create a record and type information into fields through one interface, so that HR functions can be fulfilled. Then, by using a different interface, someone must create an account in an operating system directory and populate attributes with much of the same information. They must also manually add the account to the correct security and distribution groups. They will repeat these actions as accounts are created and attributes are populated, sometimes in many data stores.
There are some potential drawbacks to this approach. Different teams may create different account types. And the communication between these teams may be unreliable and inefficient. For example, one team may type information into a document that it then sends to another team, only to have that team retype it.
A metadirectory product can synchronize information between data stores to help mitigate this problem. However, note that the effectiveness of the metadirectory relies on an ability to connect the existing objects that belong to an identity, which in turn relies on the accuracy of certain attributes. If the metadirectory product also provides provisioning, this reliance may not be important for new objects, because this integrity can be enforced as part of the provisioning process.
The following details the advantages and disadvantages of manual entry.
Advantages
Disadvantages
When manual administration becomes cumbersome, the next step is typically for the IT administrator to create scripts that will provision new objects in various data stores.
Advantages
Disadvantages
The Identity Aggregation and Synchronization paper in this series discusses in detail the following disadvantages of using a scripting approach:
A dedicated provisioning tool provides an interface to add new users. You can then use the tool to provision accounts in multiple data stores according to implemented business rules.
Advantages
Dedicated provisioning tools overcome many of the disadvantages of the script-based approach and often include one or more of the following features:
Disadvantages
The main disadvantage of a dedicated provisioning tool is that it does not include aggregation and synchronization capability, which typically means one of the following:
A distinct advantage of the synchronization approach is that much authority stays with the individual data stores.
An identity life-cycle management product is designed to provide the dedicated-tool features without the associated disadvantages. Such products can also provide features that would be very difficult to implement with scripts.
Desirable Features
Identity life-cycle management products typically provide the following set of provisioning features in addition to synchronizing identity information:
Advantages
Disadvantages
The reporting and auditing feature requires the following additional explanation.
Communications: Reporting and Auditing Functionality
Legal and other issues will lead to requirements to audit provisioning and related processes. You can write key events such as account creation, deletion, and group membership changes into logs for future analysis if required.
Periodically, you might require detailed and summary reports. For these requirements, you can implement a dedicated monitoring and reporting service; your choice depends on auditing, compliance, and security considerations.
You may send individual notifications for particular provisioning activities, such as provisioning administrator accounts. You may also require other types of notification, such as randomly generated user passwords sent to managers. You can send these notifications securely by e-mail, perhaps, as part of a formal notification service.
After you have made a decision to implement an identity life-cycle product, from a technology perspective, fully automated provisioning is the easiest to accomplish. Provisioning decisions are based on data attributes such as department, role, and job title, which are retrieved from an authoritative data source.
For example, suppose that an HR system is identified as authoritative, and that new records entered into the system are used to trigger provisioning actions. An employee in the sales department who travels a lot might require an extranet as well as an intranet account. Other employees might only require an intranet account. Employees in one part of an organization might require mailboxes in Lotus Notes and to be mail-enabled users in Active Directory. Other employees might need to be Microsoft Exchange 2003 mailbox-enabled users in Active Directory.
The values entered into certain attributes determine what is to be provisioned and to where. This produces a data-driven (in this case an HR-driven) provisioning scenario.
The actual mechanism for retrieving this information depends on the nature and capabilities of the data source. For example, some sources store data in data tables that are easily accessible. However, other data sources can only be accessed through a proprietary interface or through an exported flat file. Flat file use increases reliance on properly timed external batch processes. In either of these cases, you might be limited to read-only access or a restricted view. Although these types of access are still very powerful improvements on manual and scripted solutions, they are not always adequate. The following "Workflow-Driven Provisioning" section discusses this topic further.
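The HR-driven rule logic sketched in this section (department and travel pattern determine intranet versus extranet accounts; one part of the organization gets Lotus Notes mailboxes with mail-enabled Active Directory users, another gets Exchange mailbox-enabled users), as an added example that is not code from this paper and not an MIIS 2003 rules extension. The attribute names (`department`, `travels`, `mail_system`), the store names, the OU layout and the new-hire records are assumptions made for the illustration. It also shows the point made earlier about provisioning enforcing identity integrity from the start: the logon name is made unique against the names already in use before any object is created.

```python
"""Attribute-driven provisioning: values in the authoritative HR record decide
which accounts and mailboxes are created, and in which store and container.

Added illustration; not MIIS 2003 rules-extension code and not from the paper.
The attribute names (department, travels, mail_system), store names and OU
layout are assumptions made for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProvisionAction:
    store: str          # connected data store to create the object in
    object_type: str    # what to create there
    container: str      # where to create it


def unique_logon_name(given, surname, existing):
    """First initial + surname, with a numeric suffix on collision, so the
    identity-to-account link is unambiguous from the moment of creation."""
    base = (given[:1] + surname).lower()
    candidate, n = base, 1
    while candidate in existing:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def provision_plan(hr, existing_logons):
    """Return (logon name, list of actions) for one new HR record.

    Rules encoded here (assumed for the example):
      * every employee gets an intranet AD account in the departmental OU;
      * Sales staff flagged as travelling also get an extranet AD account;
      * mail_system 'notes' means a Lotus Notes mailbox plus a mail-enabled
        AD user; anything else means an Exchange mailbox-enabled AD user."""
    logon = unique_logon_name(hr["given_name"], hr["surname"], existing_logons)
    dept_ou = f"OU={hr['department']},OU=Users,DC=corp,DC=contoso,DC=com"
    actions = [ProvisionAction("intranet-ad", "user", dept_ou)]

    if hr["department"] == "Sales" and hr.get("travels"):
        actions.append(ProvisionAction("extranet-ad", "user",
                                       "OU=Mobile Staff,DC=extranet,DC=contoso,DC=com"))

    if hr.get("mail_system") == "notes":
        actions.append(ProvisionAction("lotus-notes", "mailbox", "mail/contoso.nsf"))
        actions.append(ProvisionAction("intranet-ad", "mail-enabled-user", dept_ou))
    else:
        actions.append(ProvisionAction("intranet-ad", "exchange-mailbox", dept_ou))
    return logon, actions


def provision_batch(hr_records, existing_logons):
    """Plan a whole batch, reserving each logon name so two new hires cannot collide."""
    taken = set(existing_logons)
    plans = {}
    for rec in hr_records:
        logon, actions = provision_plan(rec, taken)
        taken.add(logon)
        plans[rec["employee_id"]] = (logon, actions)
    return plans


# Constructed new-hire records and the logon names already in use in the directory.
NEW_HIRES = [
    {"employee_id": "2001", "given_name": "Alice", "surname": "Smith", "department": "Sales",
     "travels": True, "mail_system": "exchange"},
    {"employee_id": "2002", "given_name": "Adam", "surname": "Smith", "department": "Research",
     "travels": False, "mail_system": "notes"},
]
EXISTING_LOGONS = {"jdoe", "asmith"}
```

Keeping the rules in one place, as data about the HR record rather than as scripts per target store, is what makes the approach auditable: the plan for a record can be produced and reviewed before any connected store is written to.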
Data-driven provisioning addresses a clear business need, but you are unlikely to realize the full advantages of data-driven provisioning without group management. This is because it is usually through groups that authorization is controlled. Initial group management is really a special case of provisioning. When you start using groups, you provision them in much the same way that you provision user accounts. You must provision groups of various types and scopes.
The rules that might define the membership of groups include:
You may establish some groups for only special purposes that might require manual maintenance. You can define other groups purely in terms of rules, which makes them obvious candidates for an automated process. Other groups might be rules-based, but will require the ability to make manual adjustments to them.
It is necessary to maintain group memberships to reflect the following events:
Groups also have deprovisioning requirements — your organization might require you to retire them at some point.
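The three kinds of group this section distinguishes (purely rule-based, purely manual, and rule-based with manual adjustments) together with the maintenance events and group retirement, as an added example that is not code from this paper or from MIIS 2003. The users, groups, attribute names (`department`, `manager`, `status`) and the current memberships are constructed for the illustration. The reconciliation step computes only the adds and removes needed, which is what you would want to log and apply after an HR-driven attribute change or a departure.

```python
"""Rule-based group membership with manual overrides and reconciliation.

Added illustration; not code from the paper or MIIS 2003. Users, groups,
attribute names (department, manager, status) and rule shapes are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class GroupSpec:
    name: str
    rule: Optional[Callable[[dict], bool]] = None   # None = purely manual group
    include: set = field(default_factory=set)       # manual additions on top of the rule
    exclude: set = field(default_factory=set)       # manual removals despite the rule
    retired: bool = False                           # deprovisioned group: membership emptied


def desired_members(spec, users):
    """Evaluate one group over the current user population.

    Rule hit OR manual include, minus manual exclude; users that are not active
    never qualify (so a leaver drops out of every group); a retired group has
    no members regardless of its rule."""
    if spec.retired:
        return set()
    active = {u for u, attrs in users.items() if attrs.get("status") == "active"}
    by_rule = {u for u in active if spec.rule is not None and spec.rule(users[u])}
    return (by_rule | (spec.include & active)) - spec.exclude


def reconcile(specs, users, current_membership):
    """Compare desired against current membership for every group.

    Returns {group: (to_add, to_remove)} with sorted lists, so the caller can
    apply (and log) only the changes rather than rewriting whole member lists."""
    changes = {}
    for spec in specs:
        want = desired_members(spec, users)
        have = set(current_membership.get(spec.name, ()))
        add, remove = sorted(want - have), sorted(have - want)
        if add or remove:
            changes[spec.name] = (add, remove)
    return changes


# Constructed directory content: users after an HR update, and today's memberships.
USERS = {
    "jsmith": {"department": "Sales", "manager": None, "status": "active"},
    "alee":   {"department": "Sales", "manager": "jsmith", "status": "active"},
    "bkim":   {"department": "Research", "manager": "jsmith", "status": "active"},  # moved from Sales
    "cdoe":   {"department": "Sales", "manager": "jsmith", "status": "disabled"},   # left the company
    "dzhu":   {"department": "Finance", "manager": "rlow", "status": "active"},
}
GROUPS = [
    GroupSpec("All Sales", rule=lambda a: a["department"] == "Sales",
              include={"dzhu"}),                               # finance liaison added by hand
    GroupSpec("John Smith's Direct Reports", rule=lambda a: a["manager"] == "jsmith"),
    GroupSpec("Project Falcon", include={"alee", "bkim"}),      # special-purpose, manual only
    GroupSpec("Legacy Printers", rule=lambda a: True, retired=True),
]
CURRENT_MEMBERSHIP = {
    "All Sales": {"jsmith", "alee", "bkim", "cdoe"},
    "John Smith's Direct Reports": {"alee", "cdoe"},
    "Project Falcon": {"alee"},
    "Legacy Printers": {"jsmith", "dzhu"},
}


def run_reconciliation():
    """One pass of group maintenance over the constructed data."""
    return reconcile(GROUPS, USERS, CURRENT_MEMBERSHIP)
```

Running the reconciliation shows each maintenance event from the text at once: `bkim` leaves All Sales because an attribute changed, `cdoe` leaves every group because the account is no longer active, the manual include keeps `dzhu` in All Sales although the rule does not match, and the retired group is emptied.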
A workflow-driven provisioning system accepts requests from users and routes them to users (typically managers) with sufficient authority to make decisions about specific requests. If the decision is favorable, provisioning can proceed. If not, a request can be denied or routed to a higher authority.
This approach contrasts with the automated data-driven provisioning just described, in which an authorized person can initiate automated provisioning actions simply by adding a user to an HR system.
User accounts are usually associated with identities. The following account types all require special treatment, and are good candidates for a workflow approach to provisioning.
Administrative accounts are powerful accounts with extended rights and privileges that must be treated with care. It is a best practice to give administrators ordinary user accounts for all work that does not require their administrative rights.
You can think of such cases as one identity with two accounts, or two separate identities. Either way, it is a security risk to rely on a check box or other option on a form as the sole reason to go ahead and provision such a powerful account. A workflow system can route the request to someone with appropriate authority for approval before proceeding to provision such an account.
Organizations must also provision special accounts called service accounts. These accounts are used to provide an identity with access to services and applications that run on various host computers. Service accounts do not link on a one-to-one basis with any particular user. Instead, they provide application services. There are usually a relatively large number of people in an organization who need service accounts, but a much smaller number who actually create or approve service accounts. This type of account might also benefit from workflow provisioning.
Temporary accounts also require special treatment. For employee accounts, you would typically enter detailed information into the HR system, and you can make provisioning decisions based on that information. For temporary worker accounts, minimal information may be stored, and data-driven provisioning may not be viable. Because temporary workers might not go through typical HR hiring procedures, workflow provisioning might be appropriate. In addition, you can set an expiration date on each temporary account, because the process for notifying temporary workers whose contracts have expired may not always be clear.
The group management approaches previously discussed in this chapter have mostly been data-driven. However, workflow requirements are also associated with group management. The following group management requests might require a workflow-driven provisioning solution. And they apply to both security and distribution groups:
Your workflow product choice depends on the complexity of the implementation, the requirements for audit and legal compliance, and various other factors.
A simple workflow product might include the following features:
A complex workflow product might include the following features:
Single-Step Workflow
The complex workflow features just described might be unnecessary in some cases. For many of the requirements discussed in this chapter, a simple workflow product is sufficient. The advantage of using simple workflow processes is that you can often implement them rapidly and easily. Typically, such workflow features require the following:
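The single-step workflow this section describes, applied to the temporary-account case from earlier in the chapter, as an added example that is not the paper's sample Web application and not MIIS 2003 code. A manager submits a contractor request, one approver with sufficient authority decides it, and a favorable decision provisions an account with an expiration date; every step is recorded for audit. The approver group name, the request fields, the 180-day maximum, the logon-name convention and the audit tuple format are assumptions for the illustration. The self-approval check reflects the earlier observation that a check box on a form must never be the sole reason a privileged or special-purpose account gets created.

```python
"""Single-step approval workflow for contractor account requests.

Added illustration; not the paper's sample Web application and not MIIS 2003
code. Group names, request fields, the approver rule and the audit format are
assumptions for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

APPROVER_GROUP = "IT Administrators"        # assumed: who may approve
MAX_CONTRACT_DAYS = 180                     # assumed: longest lifetime without renewal


@dataclass
class Request:
    request_id: int
    requester: str
    contractor_name: str
    department: str
    start: date
    end: date
    state: str = "pending"                  # pending -> approved | denied
    decided_by: Optional[str] = None
    reason: str = ""


class ContractorWorkflow:
    """Requests come from any manager; one approval step, by an IT administrator."""

    def __init__(self, group_members):
        self.group_members = group_members  # {group name: set of logon names}
        self.requests = {}
        self.accounts = {}                  # provisioned contractor accounts
        self.audit = []                     # (actor, event, request_id, detail)
        self._next = 1

    def submit(self, requester, contractor_name, department, start, end):
        """Validate up front so approvers never see an ill-formed request."""
        if end <= start:
            raise ValueError("end date must be after start date")
        if (end - start).days > MAX_CONTRACT_DAYS:
            raise ValueError(f"longer than {MAX_CONTRACT_DAYS} days: needs renewal, not one request")
        req = Request(self._next, requester, contractor_name, department, start, end)
        self.requests[req.request_id] = req
        self._next += 1
        self.audit.append((requester, "submit", req.request_id, contractor_name))
        return req

    def decide(self, approver, request_id, approve, reason=""):
        """The single workflow step: check authority, record the decision, provision on approval."""
        req = self.requests[request_id]
        if req.state != "pending":
            raise ValueError("request already decided")
        if approver not in self.group_members.get(APPROVER_GROUP, set()):
            raise PermissionError(f"{approver} is not in {APPROVER_GROUP}")
        if approver == req.requester:
            raise PermissionError("requester may not approve their own request")
        req.state = "approved" if approve else "denied"
        req.decided_by, req.reason = approver, reason
        self.audit.append((approver, req.state, request_id, reason))
        return self._provision(req) if approve else None

    def _provision(self, req):
        """Create the account with a hard expiry so it stops working at contract end."""
        logon = "c-" + req.contractor_name.lower().replace(" ", ".")
        self.accounts[logon] = {"expires": req.end, "department": req.department,
                                "sponsor": req.requester, "request_id": req.request_id}
        self.audit.append(("system", "provision", req.request_id, logon))
        return logon

    def expiring_within(self, today, days):
        """Input for a sponsor notification: accounts that expire within `days`."""
        horizon = today + timedelta(days=days)
        return sorted(l for l, a in self.accounts.items() if today <= a["expires"] <= horizon)


def demo():
    """Constructed run: one approved request, one denied, then an expiry report."""
    wf = ContractorWorkflow({APPROVER_GROUP: {"itadmin1", "itadmin2"}})
    r1 = wf.submit("mgr.sales", "Pat Rivera", "Sales", date(2024, 2, 1), date(2024, 4, 30))
    r2 = wf.submit("mgr.rnd", "Sam Okoro", "Research", date(2024, 2, 1), date(2024, 3, 1))
    logon = wf.decide("itadmin1", r1.request_id, True, "contract on file")
    wf.decide("itadmin2", r2.request_id, False, "no signed agreement")
    soon = wf.expiring_within(date(2024, 4, 1), 30)
    return wf, logon, soon
```

Because the decision is a single step, the whole thing fits in one class and an approval can be added to an existing request form in an afternoon; escalation to a higher authority or parallel approvers would be where a complex workflow product earns its place.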
This section briefly describes a few life-cycle management products.
Microsoft offers two identity life-cycle management products:
The Identity Aggregation and Synchronization paper in this series provides detailed information about these products and their software requirements.
Microsoft BizTalk® is an engine which allows you to build complex workflow solutions that provide each of the features described previously. However, this product is not integrated with MIIS 2003 with SP1.
An effective provisioning implementation requires a detailed analysis of the key business and technology issues and requirements. This chapter records these issues for the fictitious Contoso Pharmaceuticals environment, and then lists the solution requirements and the security vulnerabilities that the following closely-related scenarios will address:
For more information about the Contoso Pharmaceuticals example organization, see the Platform and Infrastructure paper in this series.
Contoso has already deployed Microsoft® Identity Integration Server 2003, Enterprise Edition, with Service Pack 1 (MIIS 2003 with SP1) as an aggregation and synchronization tool. The current scope of the implementation is limited to the following data sources:
However, as in many organizations, Contoso's primary identity information resides in the company's mySAP ERP Human Capital Management system (SAP HR system). Contoso now wants to widen this system's scope to make it the authoritative source of provisioning activity for the company.
Contoso had a provisioning system that involved some manual processes, some scripting, and an internally developed provisioning tool. This resulted in inconsistency, a lack of security and monitoring, user frustration, errors, and omissions. The company considers the SAP HR system as the authority for new identities and for many associated attributes. Data conflicts are usually resolved in favor of the HR system. However, any data source could be authoritative for any attribute.
Contoso intends to implement an automated provisioning system for employee accounts in the HR database. The company will handle temporary contractor accounts through a workflow system. Administrative and service accounts are outside the implementation scope. Provisioning partner accounts into the extranet Active Directory also is outside the scope.
Contoso selected MIIS 2003 with SP1 as the identity life-cycle management product to handle provisioning because the company already uses the product for synchronization.
Contoso identified the following business issues in the HR-Driven Provisioning scenario:
Contoso identified the following technical issue in the HR-Driven Provisioning scenario:
Contoso identified the following security issues in the HR-Driven Provisioning scenario:
From the issues that the previous sections discuss, Contoso produced the following requirements for the HR-Driven Provisioning scenario:
Organizations typically use distribution groups to distribute e-mail and security groups to conveniently group users with similar entitlements. The challenge is to manage these different types of groups to ensure that the correct entitlements are granted or revoked in a timely manner in accordance with business rules, while providing the most efficient e-mail routing and the best user experience.
Contoso has a large number of groups in both its intranet and extranet Active Directory stores and in Lotus Notes. The company previously managed these groups manually through calls and e-mail messages to the help desk.
Contoso recognized the need for automated group management. Its primary goal was to automatically manage groups based on the information in its directories. These data-driven groups, which represented the majority of groups within Contoso, can be defined as attribute-based queries such as "John Smith's Direct Reports" or "All Sales."
Contoso planned to extend the automation of group management to a full self-service application later. Such a system would handle informal or special-purpose groups created quickly, as well as hierarchically nested groups.
Contoso identified the following business issues in the Group Management scenario:
Contoso identified the following technical issues in the Group Management scenario:
Contoso identified the following security issues in the Group Management scenario:
From the issues listed in the previous sections, Contoso produced the following requirements for the Group Management scenario:
There are many circumstances in which it might be advantageous for a large subset of users to request provisioning actions. However, only a designated person should approve such requests. A solution for this scenario type requires a simple workflow capability.
In addition to employee provisioning, which lends itself to an automated data-driven solution, Contoso has an ongoing need to provision a large number of temporary contractor accounts. Each of these special-purpose accounts requires authorization.
The existing process was for a manager to draft an agreement, and then when the start date was known, send an e-mail message to the IT department. Upon receiving the e-mail message, the IT department would attempt to create accounts in Active Directory and Lotus Notes, a process that usually involved further communication to find missing key attribute information.
Contoso identified the following business issues in the Self-Service Provisioning scenario:
Contoso identified the following technical issue in the Self-Service Provisioning scenario:
Contoso identified the following security issues in the Self-Service Provisioning scenario:
From the issues listed in the previous sections, Contoso produced the following set of requirements for the Self-Service Provisioning scenario:
The previous chapter in the paper considered the business, technology, and security issues and requirements for the following three provisioning scenario solutions:
This chapter presents solution concepts, prerequisites, and architectures, and also introduces the following topics:
The chapter then discusses the three scenario solutions in detail.
When Contoso decided to add provisioning to its identity life-cycle management system, it could have taken one of several approaches (see the discussion in Chapter 2, "Approaches to Provisioning and Workflow," in this paper). Although many of these approaches had merit, the company chose to use MIIS 2003 with SP1 to meet the company's provisioning requirements.
Contoso decided that MIIS 2003 with SP1 would provide the most cost-effective way to achieve its solution requirements while overcoming all of the company's business, technology, and security issues. Contoso also determined that there were many advantages to tightly integrating the company's aggregation and synchronization system with its provisioning system.
This section describes the IdM Notification Service that the solutions described in this chapter will depend on.
Contoso recognized in the early stages of its implementation that the company had many scheduled activity requirements for various application and directory components that in turn had to notify each other to trigger actions. The following sections define requirement examples for each scenario.
Requirements:
Requirement:
Requirements:
To address these requirements, Contoso designed and built a generalized notification service — a Microsoft Windows® service written in Microsoft Visual C#® — to support all of the company's identity life-cycle management notification needs. Basically, this service monitors a number of systems and conditions, such as group membership requirements, message queues into which the identity life-cycle management system might place predefined requests, and Active Directory account expiration dates (so that e-mail notices can be sent).
This section describes the solution for the HR-Driven Provisioning scenario. It includes information about the concept, prerequisites, architecture, design, functionality, and possibilities for extending the solution.
The following figure depicts the scenario concept for HR-driven provisioning in the Contoso environment:
Figure 4.1. The HR-Driven Provisioning scenario for Contoso
The solution for this scenario provisions objects into the connected directories based on the data in the mySAP ERP Human Capital Management system (SAP HR system). When a new Contoso employee is hired, an HR employee directs the system to automatically create an account in the intranet Active Directory, and a Microsoft Exchange mailbox. If the employee is in the Sales department, the IdM system creates a user account in the extranet Active Directory. When a new Fabrikam employee is hired, the IdM system automatically creates an account in Active Directory, as well as a Lotus Notes mailbox and a Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) account.
Contoso has the same prerequisites that were defined for the aggregation and synchronization solution in this series. The addition of the SAP HR system created the following additional prerequisites:
This solution is based on the one described in the Identity Aggregation and Synchronization paper in this series, although the new solution is HR-driven and not Active Directory-driven. Microsoft recommends that you read that paper to fully understand the concepts presented in it before proceeding with this solution.
To fully understand the concepts involved to aggregate and synchronize data, and then prepare it for provisioning, read the section "How the Solution Works" of Chapter 4, "Designing the Solution." In particular, ensure that you understand the following concepts:
You can design and plan an MIIS 2003 with SP1-based provisioning solution in the same way that you would design any other IT project. The process requires gathering requirements; implementing conceptual, logical, and physical designs; building a proof of concept; and then creating project plans, a schedule, and a budget.
For more information about architecting a MIIS 2003 solution, see the MIIS 2003 Design and Planning Collection.
Note The papers in this series focus on the unique aspects of each solution scenario rather than the normal activities of a technology project life cycle. For more information about how to plan, build, and deploy technology solutions of all kinds, see the Microsoft Solutions Framework guidance on the "MSF for Agile Software Development" Web page on the Microsoft MSDN® Web site.
Contoso followed several planning and design activities for MIIS 2003 with SP1 to create an architecture for its identity aggregation and synchronization solution.
The following sections describe the architectural elements and focus on the differences between the provisioning solution and the aggregation and synchronization solution, which include:
There are similarities between this solution and the aggregation and synchronization solution. For example, for both solutions, when you first run the IdM system, you must initially aggregate and synchronize the data according to rules that you specify. During later runs, the same rules maintain the synchronization.
However, major differences between the two solutions include the following:
Rule Differences
Because the SAP HR system data source is now the primary authority, its management agent (MA) has a projection rule that generates a new metaverse object for each new HR record that is imported. All other objects join to this object by using their employeeID attributes, as described in the Identity Aggregation and Synchronization paper. The SAP HR MA also has a join rule. Although it might seem superfluous, and the provisioning process certainly does not use it, this rule might be needed again under some circumstances, for example if the metaverse must be rebuilt or if an administrator manually breaks a link.
Some of the attribute flow rules for the aggregation and synchronization solution will be altered, and a complete set of new ones is required for the SAP HR MA, as described in detail in Chapter 5, "Implementing the Solution."
A central part of the provisioning solution is to establish which identity stores are the authoritative sources for object creation, and to define the object types and object attributes. The MAs that Contoso chose for this scenario are the same as those for the aggregation and synchronization scenario, with the addition of the SAP HR MA. The following table lists each MA and its associated data source; the subsequent section describes these data sources in more detail.
Table 4.1. Contoso Management Agents
Data source | MA type | Data source description |
SAP HR system | File | The SAP HR system contains identity information about all Contoso and Fabrikam full-time employees. This information will be provided through a one-way transfer file. |
Intranet directory | Active Directory | The intranet directory contains all Contoso and Fabrikam users who are authorized to use e-mail. |
Extranet directory | Active Directory | The extranet directory contains shadow accounts for users in the Sales department. |
Lotus Notes Release 6.5.4 | Lotus Notes | The Lotus Notes address book (NAB) contains users from Fabrikam who will continue to use Lotus Notes e-mail until they migrate to Exchange Server 2003. It also contains contacts for Contoso employees. |
Sun ONE Directory Server 5.1 | Sun and Netscape Directory Servers | Sun ONE Directory Server 5.1 contains entries for users from Fabrikam to support authentication requests for an application. |
Note Management Agents required for the other scenarios are described later in this chapter.
SAP HR System Data Source
The SAP HR system is the authoritative source for user objects in this scenario. New objects will be projected into the metaverse based on this source. The SAP HR system is also authoritative for most of the person object attributes, except for the mobilePhone attribute and others that are specific to Active Directory, Exchange Server 2003, and Lotus Notes, such as sAMAccountName or mail.
In particular, at Contoso the SAP HR system is the authoritative data source for user account status (Enabled or Disabled) based on the status of the employee (Active, Leave, or Retired). This authoritative data source therefore enables or disables Active Directory accounts. However, it is still possible to immediately disable a user's account directly within Active Directory, for example by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in; doing so makes Active Directory the master repository for that account's status. If you re-enable the user account, the SAP HR system again becomes the authoritative source.
Intranet Active Directory Data Source
This data source performs the same function as it did in the Identity Aggregation and Synchronization paper except that it is no longer the authoritative source for Contoso user objects, and it is responsible for fewer attributes. In this HR-Driven Provisioning scenario, the SAP HR system is the authoritative source for Contoso user objects and for many attributes. The Active Directory accounts join to objects that the SAP HR MA has projected.
Lotus Notes Management Agent
This data source performs the same function that it did in the Identity Aggregation and Synchronization paper except that it is no longer the authoritative source for Fabrikam user objects, and it is responsible for fewer attributes. In this HR-Driven Provisioning scenario, the SAP HR system is the authoritative source for Fabrikam user objects and for many attributes. The Lotus Notes accounts join to objects that the SAP HR MA projects.
Extranet Active Directory Data Source
This data source performs the same function that it did in the Identity Aggregation and Synchronization paper, except that only Contoso employees in the Sales department will have shadow accounts.
Sun ONE Directory Data Source
This data source supports the Fabrikam system. All Fabrikam employees require an account with this data source.
After you understand the data sources, you can decide how to implement the business rules for provisioning them. All provisioning actions are implemented in the Provision method of the metaverse rules extension. This method expresses the business logic. For example, the method defines what to provision under which circumstances.
The MIIS 2003 with SP1 Provision method runs each time a metaverse object is involved in the synchronization process. The method runs when a new metaverse object projects into the metaverse after a new record has been entered into the SAP HR system, and whenever any change causes attribute flow during synchronization.
The following sections describe key Provision method features:
State-Driven, Not Event-Driven
The provisioning code is state-driven; it does not react to events. It does not work any differently when the IdM system projects a new object than it does when an attribute changes. The MIIS 2003 with SP1 Provision method always examines the state of the connector space. For example, if this method detects that a connector space object that should be present is not, then the method creates it. Such newly created objects are "pending adds" that will be exported to the relevant directories during the next export run. The MIIS 2003 with SP1 Provision method normally does this after it detects a new identity in the HR application, but the method will also do this later if it detects that an object that should exist has somehow been deleted.
Provisioning Code for Other Purposes
The provisioning code is not only for provisioning. You can also use it for many other metaverse and connector space object activities. For example, in this solution the code also resets the distinguished name (DN) of any objects that need it. The code also moves intranet Active Directory accounts to a special organizational unit (OU) when they are disabled.
Initial Passwords
When a new user account is enabled, a pseudo-random initial password is generated for it. This information is automatically stored in an encrypted form until the account is exported to the data store (Active Directory, Sun ONE Directory Server 5.1, or Lotus Notes). The IdM Notification Service explained earlier in this chapter also sends it to the new user's manager.
Business Rules That the Provision Method Implements
In this scenario, the Provision method of the metaverse rules extension implements the following business rules for provisioning:
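A state-driven Provision method of the kind described above, written here as an added example (it is not Contoso's code or code from the paper). The MA names, OU paths, the employeeID-based sAMAccountName, and the company, department and employeeStatus attribute names are assumptions; the Fabrikam branch and the Exchange mailbox attributes are omitted.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.MetadirectoryServices;

// Added example of a state-driven Provision method; not Contoso's code.
// MA names, OU paths and attribute names below are assumptions.
public class MVExtensionObject : IMVSynchronization
{
    const string IntranetMaName = "Intranet AD MA";            // assumed MA name
    const string ExtranetMaName = "Extranet AD MA";            // assumed MA name
    const string ActiveOu   = "OU=Users,DC=contoso,DC=com";    // assumed OU
    const string DisabledOu = "OU=Disabled,DC=contoso,DC=com"; // assumed OU
    const long UfNormalAccount  = 0x0200;  // userAccountControl flags
    const long UfAccountDisable = 0x0002;

    public void Initialize() { }
    public void Terminate() { }

    // Runs for every metaverse object that synchronization touches, whether it was
    // just projected from the SAP HR MA or an attribute changed. It never asks
    // "what happened?", only "does the connector space match the desired state?".
    public void Provision(MVEntry mventry)
    {
        if (!mventry["employeeID"].IsPresent || !mventry["displayName"].IsPresent)
            return; // not enough data to build an account yet

        string company = Get(mventry, "company");
        bool active = Get(mventry, "employeeStatus") == "Active";

        if (company == "Contoso")
        {
            EnsureAdAccount(mventry, IntranetMaName, active);
            if (Get(mventry, "department") == "Sales")
                EnsureAdAccount(mventry, ExtranetMaName, active);
        }
        // Fabrikam users (Lotus Notes, Sun ONE) would follow the same pattern
        // with their own MAs and object types; omitted here.
    }

    // Deprovisioning is driven by HR status, so a connector that disappears
    // out of band does not delete the metaverse object; the next Provision
    // run simply recreates the missing account.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }

    static string Get(MVEntry mventry, string attribute)
    {
        return mventry[attribute].IsPresent ? mventry[attribute].Value : string.Empty;
    }

    static void EnsureAdAccount(MVEntry mventry, string maName, bool active)
    {
        ConnectedMA ma = mventry.ConnectedMAs[maName];
        string rdn = "CN=" + mventry["displayName"].Value;
        ReferenceValue desiredDn = ma.EscapeDNComponent(rdn).Concat(active ? ActiveOu : DisabledOu);

        if (ma.Connectors.Count == 0)
        {
            // Missing account: never created, or deleted behind the IdM system's back.
            // The new connector becomes a "pending add" exported on the next export run.
            CSEntry csentry = ma.Connectors.StartNewConnector("user");
            csentry.DN = desiredDn;
            csentry["sAMAccountName"].Value = mventry["employeeID"].Value; // assumed naming rule
            csentry["userAccountControl"].IntegerValue =
                UfNormalAccount | (active ? 0 : UfAccountDisable);
            csentry["unicodePwd"].Value = NewInitialPassword(12); // held encrypted until export
            csentry.CommitNewConnector();
            return;
        }

        // Account exists: enforce the DN so that disabled users land in the
        // disabled OU and re-enabled users move back, and repair stray renames.
        foreach (CSEntry csentry in ma.Connectors)
        {
            if (csentry.DN.ToString() != desiredDn.ToString())
                csentry.DN = desiredDn;
        }
    }

    // Pseudo-random initial password from a CSPRNG, with rejection sampling so
    // that every character of the alphabet is equally likely.
    static string NewInitialPassword(int length)
    {
        const string alphabet =
            "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%";
        StringBuilder sb = new StringBuilder(length);
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] b = new byte[1];
        int limit = 256 - (256 % alphabet.Length);
        while (sb.Length < length)
        {
            rng.GetBytes(b);
            if (b[0] < limit) sb.Append(alphabet[b[0] % alphabet.Length]);
        }
        return sb.ToString();
    }
}
```

Enabling and disabling the account itself is left to the attribute flow rules, as the paper describes later in this chapter; the Provision method only enforces existence and placement.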
The following figure illustrates the logical design of the Contoso HR-Driven Provisioning scenario solution for full-time Contoso employees. The MIIS 2003 with SP1 elements in this diagram are explained in Chapter 4 of the Identity Aggregation and Synchronization paper in this series.
Figure 4.2. The logical design of the process for provisioning a new Contoso employee
The following figure illustrates the logical design of the Contoso HR-Driven Provisioning scenario solution for full-time Fabrikam employees.
Figure 4.3. The logical design of the process for provisioning a new Fabrikam employee
The HR-Driven Provisioning solution is based on the Identity Aggregation and Synchronization solution. To fully understand the concepts involved in aggregating and synchronizing data to prepare it for provisioning, read the "How the Solution Works" section of Chapter 4, "Designing the Solution."
After implementation, these operations build the initial metaverse, keep it regularly synchronized, and coordinate the provisioning, maintenance, and deprovisioning for your user community.
After you implement the solution according to the instructions in the next chapter, you can perform the following initial operations. Chapter 5, "Implementing the Solution," explains these operations in detail:
The following sections describe these operations.
Initial Import and Synchronization (Discovery)
You must run each MA with a Full Import (Stage Only) run step type, and then a Full Synchronization run step type with provisioning disabled. If you do not disable provisioning, you might create incorrect accounts or receive an error if MIIS 2003 with SP1 attempts to create an account in an OU that it is not aware of yet.
The order in which you run the MAs is important. Run the SAP HR MA first, because the SAP HR system is the authoritative information source for Contoso users, and it will project new objects into the metaverse. You can then run the other MAs in any order to establish joins to the new metaverse objects.
The synchronization process causes attributes to flow in accordance with the configured rules. Authoritative values replace any missing or erroneous non-authoritative values. For example, attribute values for manager, job title, or location might flow from SAP HR system objects to Active Directory and Lotus Notes objects. Other attribute values, such as phone numbers, might flow between the objects that other MAs manage. By design, nothing flows to the SAP HR system because it is a read-only identity information source.
Check for Data Consistency
During this task, monitor the Identity Manager user interface (UI). You will find reports on any data issues, such as non-unique displayNames or the inability to join existing data to SAP HR objects because of non-matching employeeIDs. Establish the cause of each exception, correct the data in the relevant data source, and then repeat the previous process.
Export Changes
You must now export any changes to the data sources. To accomplish this task, run each MA in turn (except the SAP HR MA) with an Export run step type, then a Full Import (Stage Only) run step type to confirm the export, and then a Delta Synchronization run step type. This last step is not always necessary, but it does make sure that any changes just imported are synchronized. It also rejoins any connector space objects that have become accidentally disconnected by manual administration (provided there is a suitable join rule). Therefore, it is considered a good practice to include such a step after any confirming import, and to include a suitable join rule in every management agent.
At this stage, all accounts in all the data sources are synchronized, but no new accounts have been provisioned. There might be "missing" accounts — objects that did not exist before synchronization, but that should exist according to the provisioning rules. For example, a user might exist in SAP, but during the previous manual provisioning for Active Directory, the user was not included. You should now allow the IdM system to create these missing accounts based on the records imported from SAP.
Provision Any Missing Accounts
The next operation is to re-enable provisioning and then run the provisioning code against every metaverse object. One way of ensuring that this happens is to perform a full synchronization for all MAs that have projected any metaverse objects. In this case you need only to run this process for the SAP HR MA because it is the only MA that has projected any objects. Finally, you must perform an Export run step type for each MA that received newly provisioned objects (as reported in the Identity Manager). It is this final step that actually creates new accounts in the data sources.
The following figure illustrates the tasks in this initial provisioning process.
Figure 4.4. Concept of data flow through MIIS 2003 with SP1
The following table explains which MA runs achieve the different steps in the previous figure.
Table 4.2. Contoso Management Agents
Diagram step | Management agent | Run step type |
1 | SAP HR MA | Full Import (Stage Only). |
2 | SAP HR MA | Initial full synchronization with provisioning disabled. |
3 | SAP HR MA | Full synchronization after provisioning has been enabled. |
4 | Any affected MA | Export. |
After the existing accounts are consistent across all connected data sources, a regular cycle of imports, synchronizations, and exports can take place. Contoso created a regular job that runs each MA through several run profiles, as shown in the following table:
Table 4.3. Contoso Ongoing Run Cycle for HR-Driven Provisioning
Management agent | Run step type |
SAP HR | Delta import, and delta synchronization |
Intranet Active Directory | Export, delta import, and delta synchronization |
Extranet Active Directory | Export, delta import, and delta synchronization |
Lotus Notes | Export, delta import, and delta synchronization |
Sun ONE Directory | Export, delta import, and delta synchronization |
A Windows Management Instrumentation (WMI) script controls the run cycle. If any errors occur, the cycle stops, and you may take remedial action. When this cycle runs continuously, it accomplishes the following actions:
The provisioning code uses the IdM Notification Service as follows:
As part of the run cycle described previously, the attribute flow rules ensure that the accounts are enabled or disabled when users are not active. For example:
The remaining two scenarios in this chapter extend the HR-Driven Provisioning solution to include group management and self-service provisioning for contractor accounts. Contoso also plans to extend the scenario as follows:
This section describes the solution for the Group Management scenario, and includes the concept, prerequisites, architecture, design, functionality, and some possibilities for extending it.
The solution for the Group Management scenario has a number of elements:
The following figure depicts the solution concept for managing group membership lists in the Contoso environment.
Figure 4.5. The Group Management concept for Contoso
The numbered portions of the diagram are explained as follows:
The solution for the Group Management scenario is built on the HR-Driven Provisioning solution. The additional prerequisites are to:
The following sections describe the architecture of the solution for the Group Management scenario.
A Web-based application was created for managing groups and is available to authorized users. The Uniform Resource Locator (URL) authorization feature of Active Directory Authorization Manager handles authorization to secure the ASP.NET Web UI. The application stores its data in a SQL Server database called miisGroupManagement.
This database is the authoritative repository of group data for those groups that the Group Management Web application manages. Groups that the Web application does not manage include:
The Group Populator program previously populated this final category, but the management rights for it have since been granted to Active Directory.
The Web application allows you to create new groups and manage the membership and other group attributes. After you have created some groups, MIIS 2003 with SP1 can synchronize them with Active Directory, as the following sections explain.
An additional MA now exists — the Group Populator MA — to import and synchronize the information that the Group Management Web application stores in the miisGroupManagement SQL Server database.
Inbound Flow Rules
Because the Group Management MA is the authority for groups, it has a projection rule for group objects. The MA also imports users that are joined to their metaverse counterparts. Users are included in the synchronization process so that membership references work correctly. They have to be joined to the metaverse so that connector space references (to anchors) can be translated into metaverse references (to MIIS 2003 with SP1 GUIDs).
Chapter 5, "Implementing the Solution," fully lists and discusses the flow rules required in this scenario. However, the key attribute is the group member attribute, which flows into the metaverse. Note that the attribute flows for different objects — user and group — are quite independent, and so are the rules for projection, joining, and filtering.
Provisioning – Metaverse Rules Extension
The provisioning code, which is a key part of the scenario, now must include group provisioning as well as user provisioning. As before, the MIIS 2003 with SP1 Provision method in the metaverse rules extension implements this provisioning.
Each time a metaverse object is involved in the synchronization process, such as when a modification is detected, the MIIS 2003 with SP1 Provision method runs. This method examines the connector space state, and then detects whether to create new group connector space objects or not. New objects are "pending adds" that will move to the relevant directories during the next export run.
Continuously enforcing these rules causes the provisioning process to recreate groups as needed. For example, the process would recreate an accidentally deleted group in Active Directory.
Outbound Flow Rules
After the provisioning code has run, any outbound flow rules are applied. In this case, attribute flow takes place from the metaverse to the intranet Active Directory and Lotus Notes connector space objects. Again, member is the key attribute.
The following figure illustrates the logical design of the solution for the Contoso Group Management scenario.
Figure 4.6. The logical design for group provisioning
The following sections outline the prerequisite steps for implementing Group Management, its ongoing day-to-day activities, and the notifications its users will receive.
After you implement the solution according to the instructions in the next chapter, perform the following initial operations to prepare the environment for normal operations:
Define Groups
You must create some groups to establish the correct implementation. You can add group definitions through the Group Management Web application.
There are two main group types that you manage differently by using the Group Management Web application:
"Manual" Groups That You Create in the Web Application
For groups that you create in the Web application, define properties such as name, description, group type (corresponding to Active Directory group types), and whether the group is authorized to use e-mail.
You can either type the membership criterion or use a query builder to build it. The criterion takes the form of a SQL WHERE clause that uses metaverse attributes. For example, you could use l = 'Palo Alto' or jobTitle = 'Secretary'.
You can also specify exceptions to include or exclude individuals. The number of exceptions is deliberately limited to 10 for each group so that groups remain primarily query-driven rather than hand-maintained. You can use a simple search tool to choose the individuals from the metaverse.
A preview button allows you to ensure that your WHERE clause produces the results that you want and that users are meeting the criteria.
Finally, you can indicate that this new group is not managed, which grants control to Active Directory, along with the current membership.
"Attribute" Groups That You Create Automatically
The Group Management Web application can also generate group "families" based on attributes.
For example, you can choose a metaverse attribute such as department and automatically create a managed group for each unique department value. To do this, define a generic name for each group, such as "Everyone in the <department attribute value> department." The Group Populator program will then generate a group called "Everyone in the <department attribute value> department" and then populate it with anyone whose identity information includes the specified department attribute value. Group Populator will then continue to generate groups for each department that exists as a department attribute value for at least one user in the metaverse.
A variant of group "families" that you can automatically create is one that you can generate by using a reference attribute, which is a pointer to another metaverse object. For example, the manager attribute is a reference attribute that you can use to generate a series of automatic groups, such as "Jeff Chia's Direct Reports." The Group Populator program can generate a group for each manager as long as there is at least one metaverse user to reference each manager.
After these groups have been generated, you can manage them the same way that you manage the groups created in the Web application.
Populate Groups
You next run the Group Populator program to create groups based on your definitions. All the user and group information is stored in the SQL Server database.
Perform the Initial Import
To perform the initial import, run the Group Management MA with a Full Import (Stage Only) run step type. When complete, the MIIS 2003 with SP1 connector space will contain all data that relates to your groups.
Preview Synchronization
Before going ahead with full synchronization, preview a sample of imported group objects through the synchronization process. Resolve any issues reported in the Identity Manager before performing the full synchronization.
Perform Projection and Provisioning
To accomplish this task, run the Group Management MA with a Full Synchronization run step type. The synchronization process projects group objects into the metaverse. The provisioning rules extension creates new connector space objects for export to Active Directory and Lotus Notes.
Export Changes
After the initial import and synchronization, you can run the intranet Active Directory and Lotus Notes MAs with an Export run step type, and then a Delta Import (Stage Only) run step type to confirm the export. The new groups should now appear in the Active Directory and Lotus Notes data sources.
After initial operations are complete, you are ready to initiate an ongoing run cycle. Contoso adjusted its run cycle to include the group management processes in the following table.
Table 4.4. Group Management Ongoing Run Cycle for Contoso
Management agent or process | Run step types for MAs |
SAP HR MA | Delta import, and delta synchronization |
Group Populator program | N/A |
Group Management MA | Delta import and delta synchronization |
Intranet Active Directory MA | Export, delta import, and delta synchronization |
Extranet Active Directory MA | Export, delta import, and delta synchronization |
Lotus Notes MA | Export, delta import, and delta synchronization |
Sun ONE Directory MA | Export, delta import, and delta synchronization |
Changes that you make through the Group Management Web application are reflected when the next cycle completes. More significantly, changes to user data are reflected. For example, a title or location change in the SAP HR system might require a group change when the membership rules are applied. In this way, the group management solution becomes a regular part of the identity management update cycle.
Removal From Groups
Users are removed from groups in the same systematic way that they are added to them. You can also set a delay so that removal is not immediate.
The Group Management Web application uses the IdM Notification Service to e-mail users when the following conditions occur:
Contoso can extend the Group Management Web application in the future to handle the following:
This section describes the solution for the Self-Service Provisioning scenario, including the concept, prerequisites, architecture, design, functionality, and some possibilities for extending it.
The HR-Driven Provisioning scenario is data-driven. Accounts are provisioned into the intranet Active Directory and other data sources for every full-time employee imported from the SAP HR system.
The solution for the Self-Service Provisioning scenario is workflow-driven, because the HR system does not manage contractors at Contoso. Authorized managers can use this self-service system to request temporary contractor accounts. Authorized administrators can then approve or deny these requests. MIIS 2003 with SP1 provisions the approved account requests.
The following figure depicts the solution concept for provisioning contractor accounts in the Contoso environment:
Figure 4.7. The contractor provisioning concept for Contoso
This section explains the numbered portions in the diagram as follows:
In addition, the following activities can take place.
This solution is built on the HR-Driven Provisioning scenario. It does not depend on whether you have implemented the Group Management solution.
The additional prerequisites for this solution are to:
The following sections describe the Self-Service Provisioning Web application architecture.
Contoso created a Web-based application for managers to request and administrators to approve contractor accounts. Windows Authorization Manager handles authorization to secure the ASP.NET Web UI.
The Self-Service Provisioning Web application stores its data in a SQL Server database called miisWorkflow. This database is the authoritative repository for contractor account data. The tool uses the IdM Notification Service described previously in this chapter.
An additional MA imports and synchronizes information stored in the miisWorkflow SQL Server database.
Inbound Synchronization Rules
Attributes flow into the metaverse based on those stored in the database. Some of these attributes were automatically generated based on information about the requesting manager (such as the manager's ID, department, and location).
Provisioning-Metaverse Rules Extension
The provisioning code, which is modified from the previous scenarios, examines the connector space state and determines whether new objects must be created. New objects are "pending adds" for export to the relevant directories, which creates the accounts during the next export run.
Unlike accounts for full-time employees, contractor accounts are provisioned with a designated expiration date. The provisioning process continuously enforces these rules, so accidentally deleted accounts are recreated as needed.
Outbound Synchronization Rules
Attribute values flow out to the new accounts so that they are fully formed in accordance with Contoso business rules. Export attribute flow also sets a flag in the miisWorkflow SQL Server database so that you can see the provisioned status in the Self-Service Provisioning Web application.
The following sections outline the initial prerequisite steps to implement the self-service provisioning scenario, its ongoing day-to-day activities, how it tracks and monitors requests, and how managers and administrators receive notification through the simple workflow process.
After following the instructions in Chapter 5, "Implementing the Solution," there are a few initial operations that you must perform to prepare the environment for normal operations. These include:
Request and Approve Some Contractors
You need some data to verify that the implementation is correct. The same UI is used for requests and approvals; however, the functionality it offers depends on your role. When you open the initial page to make a request, you can enter a new contractor request or examine the status of previous requests (pending, approved, denied, or provisioned).
You must request some contractor accounts, and then approve them before they will be presented to MIIS 2003 with SP1. MIIS 2003 with SP1 automatically runs after it receives an approved request.
Check MIIS 2003 with SP1 Processing
Use the MIIS Operations tool to ensure that the correct runs have taken place, including:
Export New Accounts
Next run the intranet Active Directory and Lotus Notes MAs with an Export run step type to export the new accounts, and then follow these with Delta Import and Delta Synchronization run step types to confirm the export.
The new accounts should then exist in the Active Directory and Lotus Notes data sources. Examine these data sources directly to check for them.
After the initial tasks are complete and error-free, you are ready to initiate an ongoing run cycle. Contoso adjusted its run cycle to include the contractor processes listed in the following table.
Table 4.5. Contoso Ongoing Run Cycle for Contract Account Provisioning
Management agent or process | Run step types |
SAP HR MA | Delta import and delta synchronization |
Group Populator program (if present) | |
Group Management MA (if present) | Delta import and delta synchronization |
Self-Service MA | Delta import and delta synchronization, Export and Delta Import (stage only) |
Intranet Active Directory MA | Export, delta import, and delta synchronization |
Extranet Active Directory MA | Export, delta import, and delta synchronization |
Lotus Notes MA | Export, delta import, and delta synchronization |
Sun ONE Directory MA | Export, delta import, and delta synchronization |
From time to time (for example, every night), the Self-Service MA should be run with Full Import and Delta Synchronization run step types, to ensure that expired accounts are deleted from MIIS 2003 with SP1 and deprovisioned from Active Directory.
The person who made the request can review the status of all requests at any time. Windows Event Log records each significant event, including the user who made the change.
The Self-Service Provisioning Web application uses the IdM Notification Service to:
Contoso might extend the Self-Service Provisioning scenario to handle the following:
The previous chapters in this paper provided information about the typical issues, requirements, and design criteria for solutions that address the following scenarios:
This chapter provides prescriptive guidance about how to implement these solutions. Guidance for each scenario is divided into the following sections:
After you implement the solutions, you can verify them by using the guidance in Chapter 6, "Testing the Solution."
The Identity and Access Management download package includes Identity and Access Management Tools and Templates.msi, which is the Tools and Templates installer file. The Tools and Templates that are part of this download include text-based scripts, code samples, and configuration files that are related to identity and access management, but do not include any executable programs or compiled code.
Note These samples are provided as examples only. Be sure to review, customize, and test these tools and templates before you use them in a production environment.
When you run the installer file, the resulting folder structure will look similar to the one displayed in the following figure, depending on where you install it.
Figure 5.1. The Tools and Templates folder structure
This guide assumes you have installed the Tools and Templates into the default location of %UserProfile%\My Documents\Identity and Access Management Tools and Templates. If you use a different installation location, ensure that you use this path in all the steps in this document.
Note The Tools and Templates MSI package can sometimes produce an error during the installation process. See the Identity and Access Management Series Readme.htm file for more information.
The following sections describe the solution for the HR-Driven Provisioning scenario.
This folder contains the sample code for the IdM Notification Service that Contoso uses. The IdM Notification Service is a sample Microsoft® Windows® Service written in Microsoft Visual C#® that you must compile and install in order to make many of the other scenario solutions in this paper fully functional.
Table 5.1. Primary Notification Service Files
File name | Purpose |
AssemblyInfo.cs | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information. |
AcccountExpirations.cs | The Visual C# file that implements notifications for account expirations. |
AcccountProvisioning.cs | The Visual C# file that implements notifications for the provisioning solutions in this paper. |
ContractorWorkflow.cs | The Visual C# file that implements notifications for the Self-Service Provisioning Web application in this paper. |
IdMNotificationSvc.cs | The Visual C# file that implements the main service function. |
miisGroupManagement.cs | The Visual C# file that implements notifications for the group management scenario in this paper. |
PasswordExpirations.cs | The Visual C# file that implements notifications for extranet password expirations. See the Password Management paper in the IdM Solution Series for more information. |
SMTPMailer.cs | The Visual C# file that implements the Simple Mail Transfer Protocol (SMTP) messaging used for all notifications. |
IdmNotificationSvc.csproj | The project file that contains the configuration and build settings and keeps a list of files associated with the project. |
This folder has a number of subfolders that contain configuration and other files that you need to implement this solution.
Subfolder: SAP HR Information
This subfolder contains a program to extract information from the mySAP ERP Human Capital Management system (SAP HR system) in the required format, along with documentation and some sample extractions. The sample extractions are delta extracts (changes only) provided for testing purposes. If you want to use your own SAP data, you must modify and use the provided program.
The SAP HR Extract Program is an Advanced Business Application Programming (ABAP) program called Z_SAP_TO_MIIS. It is stored in the file z_sap_to_miis.txt. To enter the program into SAP, use transaction SE38 and then select the Create option. The configured program reflects the fictitious MSS IdM companies Contoso and Fabrikam. For this reason, you must adjust it.
Full details are available in the SAP Extraction Program documentation. The file MSS IdM SAP HR Information.doc contains full information about the extraction program, including the configuration, fields used, and parameters you might have to modify. The program can extract either full or delta information.
Sample files are provided to help you perform initial operations and ongoing tests. Place these files in the SAP HR subfolder of the <MIIS Installation Directory>\madata folder after you have created the SAP HR management agent (MA).
Table 5.2. SAP HR Extraction Files
File name | Purpose |
demo1.csv | This file contains an extract of the HR identity information for four new Contoso or Fabrikam employees. You can import the file to check that the accounts are provisioned in the other directories in accordance with the business rules. |
demo2.csv | This file contains delta HR identity information for modifications to two of the accounts imported through Demo1.csv. You can import these and check that the Active Directory® accounts are correctly modified as a result. |
demo3.csv | This file contains modified delta HR identity information for one employee that you can use to test certain business rules. |
demo4.csv | This file contains delta HR identity information for various additional changes. |
Updates.csv | This file lists the field headers for the import process. |
SAP HR FULL Import.csv | This file contains a larger set of SAP HR data. |
Note For audit and regulatory compliance reasons, no one is ever actually removed from the Contoso SAP HR system. Identity information is never deleted.
Subfolder: MA Configuration
This subfolder contains two Extensible Markup Language (XML) files that are explained in the following table:
Table 5.3. Configuration Files
File name | Purpose |
ContosoExtensions.xml | Use this configuration file to import configuration data that you can change without modifying the source code for configuration-specific information. Place this file in the <MIIS Installation Directory>\Extensions folder. |
MVSchemaExport.xml | This file contains an export of the Contoso metaverse schema for this solution, including required attributes that are not part of the default metaverse schema that is created when you install Microsoft® Identity Integration Server 2003, Enterprise Edition, with Service Pack 1 (MIIS 2003 with SP1). You import this file to define the correct schema instead of defining the schema manually. |
The metaverse and all the MA rule extensions use the same XML-formatted configuration file. The configuration elements defined in the configuration file are shown in the following table.
Table 5.4. Configuration Elements
Configuration group | Configuration element | Usage | Example value |
Intranet-container | Root | The root organizational unit (OU) in the intranet Active Directory. | OU=ContosoCorp,dc=na,dc=corp,dc=contoso,DC=com |
Intranet-container | Employees | The OU for employees. | OU=Employees |
Intranet-container | Disabled | The OU for disabled accounts. | OU=Disabled |
Intranet-container | Contacts | The OU for contacts. | OU=Contacts |
Intranet-container | Groups | The OU for groups. | OU=Groups |
Intranet-container | homeMDB | The default Microsoft Exchange Server 2003 mailbox store for new employee mailboxes. | CN=First Mailbox Store (SG1),CN=First Storage Group,CN=InformationStore,CN=FFL-NA-MSG-01,CN=Servers, CN=First Administrative Group,CN=Administrative Groups, CN=Contoso Corp,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com |
Intranet-container | fabrikamSMTPdomain | The Internet e-mail domain that the Fabrikam Lotus Notes directory uses. | @fabrikam.com |
Intranet-container | ln-certifier | The OU name of the certifier in Lotus Notes. | O=Fabrikam |
Intranet-container | ln-nab | The name of the Notes Address Book (NAB). | NAB=names.nsf |
Intranet-container | ln-mailserver | The name of the Lotus Notes mail server. Must match the exact case of the name in Lotus Notes. | FFL-SA-LOTUS/Fabrikam |
Intranet-container | ln-idfilehomedir | The directory on the MIIS 2003 with SP1 server in which the Lotus Notes ID files for new Lotus Notes mailboxes are stored. | C:\LNR6IdFiles |
Extranet-container | Root | The root OU in the extranet Active Directory. | OU=Accounts,dc=perimeter,dc=contoso,DC=com |
Extranet-container | Employees | The OU for employees. | OU=Employees |
Extranet-container | Disabled | The OU for disabled employees. | OU=Disabled |
Extranet-container | trial-users | The OU for trial users. | OU=Trial Users |
Extranet-container | Groups | The OU for groups. | OU=Groups |
Sunone-container | Root | The root OU in Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server). | ou=People,dc=fabrikam,dc=com |
Extranet | ext-upn-suffix | The default userPrincipalName suffix for new employees in the extranet Active Directory. | perimeter.contoso.com |
Extranet | ext-mail-domain | The mail domain that the extranet Active Directory uses. | @contoso.com |
Extranet | issuing-CA-dn | The distinguished name (DN) of the issuing certification authority (CA). | DC=com,DC=contoso,DC=corp,CN=CONTOSO-CA111 |
Extranet | CA-subject-prefix | The CA subject prefix. | DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=employees |
ma-definitions | ext-ad-ma | The extranet Active Directory MA. | Extranet Active Directory |
ma-definitions | ln-ma | The Lotus Notes MA. | Lotus Notes |
ma-definitions | int-ad-ma | The intranet Active Directory MA. | Intranet Active Directory |
ma-definitions | so-ma | The Sun ONE Directory Server 5.1 MA. | Sun ONE Directory |
ma-definitions | ssprov-ma | The self-service provisioning MA for the self-service provisioning solution. | Self-Service Provisioning |
user-definitions | Upn | The default userPrincipalName suffix for new employees in the intranet Active Directory. | na.corp.contoso.com |
user-definitions | min-password-length | The minimum password length in the intranet Active Directory. | 8 |
run-definitions | First | The flag that specifies whether this is the "First-Run" (inhibits provisioning). | False |
General-definitions | defaultManagerEmail | The e-mail address to receive manager notifications, if it is not possible to find the e-mail address of a new employee's manager. | postmaster@contoso.com |
General-definitions | contractorPrefix | The prefix to sAMAccountName for contractor accounts. | v- |
MIIS 2003 with SP1 uses the configuration elements in the previous table and the base SAP HR system information to calculate the attributes shown in the following table.
Table 5.5. Calculated Attributes
Object type | Connected directory | Attribute | Logic |
user | Extranet Active Directory | userPrincipalName | <sAMAccountName>@<configuration.ext-upn-suffix> |
user | Extranet Active Directory | altSecurityIdentities | "X509:<I>" + <issuing-CA-dn> + "<S>" + <CA-Subject-Prefix> + ",cn=" + <sAMAccountname> + ",E=" + <sAMAccountname> + <ExtMailDomain> |
user | Extranet Active Directory | userAccountControl | On first provisioning this is set to normal account, then the following is applied: 1) If the employee status is active, the normal flag is set and the disabled account flag is reset (enabled). 2) Otherwise (for leave, retired, or disabled), the disabled flag is set. |
user | Extranet Active Directory | accountExpires | Set to 1 month from today for retired employees. |
user | Intranet Active Directory | | <sAMAccountName>@<company>.com |
user | Extranet Active Directory | sAMAccountName | givenName(1..4) + surName(1..3) + 1, 2, 3, etc. to make it unique to the metadirectory. Illegal characters are removed. |
user | Extranet Active Directory | cn | <sAMAccountName> |
user | Extranet Active Directory | dn | CN=<sAMAccountName>,<configuration.employees>,<configuration.root> |
user | Extranet Active Directory | displayName | <surName> + ", " + <givenName> + " " + <middleName> (if no middlename, trailing space is avoided.) |
user | Extranet Active Directory | unicodepwd | Pseudo-random password |
user | Intranet Active Directory | sAMAccountName | givenName(1..4) + surName(1..3) + 1, 2, 3, etc. to make it unique to the metaverse. Illegal characters are removed. |
user | Intranet Active Directory | userPrincipalName | <sAMAccountName>@<configuration.upn> |
user | Intranet Active Directory | cn | <sAMAccountName> |
user | Intranet Active Directory | dn | CN=<sAMAccountName>,<configuration.employees>,<configuration.root> |
user | Intranet Active Directory | mailNickName | <sAMAccountName> |
user | Intranet Active Directory | displayName | <surName> + ", " + <givenName> + " " + <middleName> (If no middlename, trailing space is avoided.) |
user | Intranet Active Directory | userAccountControl | When first provisioning this is set to normal account, then the following is applied: 1) If the employee status is active, the normal flag is set and the disabled account flag is reset (enabled). 2) If the employee status is inactive (for leave, retired, or disabled), the disabled flag is set. |
user | Intranet Active Directory | unicodepwd | Random password |
user | Intranet Active Directory | accountExpires | Set to 1 month from today for retired employees. |
user | Intranet Active Directory | homeMDB | <configuration.homeMDB> |
group | Intranet Active Directory | sAMAccountName | displayName |
group | Intranet Active Directory | dn | CN= + <displayName> + "," + <configuration.groups> + "," + <configuration.root> |
Person | Lotus Notes | shortName | <sAMAccountName> |
Person | Lotus Notes | InternetAddress | For Fabrikam staff this is set to <sAMAccountName>@fabrikam.com. |
Person | Lotus Notes | MailAddress | For Fabrikam staff this is set to <sAMAccountName>@contoso.com. |
Person | Lotus Notes | Dn | "cn=" + <sn> + " " + <middleName> + " " + <givenName> + " (" + <sAMAccountName> + ")" + "/" + <configuration.ln-certifier> + <configuration.ln-nab> |
Person | Lotus Notes | _MMS_Certifier | <configuration.ln-certifier> |
Person | Lotus Notes | _MMS_IDRegType | 1 for US user (Fabrikam) and 0 for Contact (Contoso) |
Person | Lotus Notes | _MMS_IDStoreType | 2 |
Person | Lotus Notes | _MMS_IDPath | <configuration.ln-idfilehomedir> + "\" + <sAMAccountName> + ".id" |
Person | Lotus Notes | _MMS_Password | Pseudo-random password |
Person | Lotus Notes | MailServer | <configuration.ln-mailserver> |
Person | Lotus Notes | MailFile | mail\ + <sAMAccountName> |
Group | Lotus Notes | Dn | CN= + <displayName> + <configuration.ln-nab> |
Group | Lotus Notes | groupType | The metaverse groupType attribute corresponds to the Active Directory groupType. This is tested and the Lotus Notes groupType attribute is set as follows: if it is a security group and mail-enabled, 0 for multipurpose; if it is a security group and not mail-enabled, 2 for ACL only; if it is not a security group and is mail-enabled, 1 for mail only. |
inetOrg Person | Sun ONE Directory Server 5.1 | displayName | <surName> + ", " + <givenName> + " " + <middleName> (if no middlename, trailing space is avoided.) |
inetOrg Person | Sun ONE Directory Server 5.1 | | <sAMAccountName>@<company>.com |
inetOrg Person | Sun ONE Directory Server 5.1 | dn | "CN=" + <employeeId> + <configuration.sunone-container.root> |
inetOrg Person | Sun ONE Directory Server 5.1 | userPassword | Pseudo-random password |
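The naming, account-state and group-type rules from Table 5.5 (with the employeeStatus codes from Table 5.11), modelled as stand-alone Python so the derived values can be checked outside MIIS. This is an added example, not the ContosoMVExtensions or ContosoUtilities code from the Tools and Templates; the configuration values are the Table 5.4 examples, and the legal-character set, the suffix order and the meaning of "1 month" are assumptions noted in the comments.

```python
"""Stand-alone model of the calculated-attribute rules in Table 5.5 (added example,
not the project's ContosoMVExtensions/ContosoUtilities code). Configuration values are
the Table 5.4 examples; behaviour the paper leaves open is marked as an assumption."""
import calendar
import datetime as dt
import re

# Example values from Table 5.4 (the ContosoExtensions.xml configuration file).
CONFIG = {
    "int-root": "OU=ContosoCorp,dc=na,dc=corp,dc=contoso,DC=com",
    "int-employees": "OU=Employees",
    "upn": "na.corp.contoso.com",
    "ext-mail-domain": "@contoso.com",
    "issuing-CA-dn": "DC=com,DC=contoso,DC=corp,CN=CONTOSO-CA111",
    "CA-subject-prefix": "DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=employees",
}
UF_ACCOUNTDISABLE, UF_NORMAL_ACCOUNT = 0x0002, 0x0200      # AD userAccountControl bits
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000               # AD groupType bit
STATUS_LEAVE, STATUS_RETIRED, STATUS_ACTIVE = 1, 2, 3      # SAP HR employeeStatus (Table 5.11)

def strip_illegal(value):
    """Assumption: 'illegal characters' means anything but ASCII letters and digits."""
    return re.sub(r"[^A-Za-z0-9]", "", value)

def sam_account_name(given, sur, taken):
    """givenName(1..4) + surName(1..3), then 1, 2, 3... until unique in the metaverse.
    Assumption: characters are stripped before truncation and the bare base name is
    tried before any numeric suffix. Comparison is case-insensitive like AD itself."""
    base = strip_illegal(given)[:4] + strip_illegal(sur)[:3]
    used = {t.lower() for t in taken}
    candidate, n = base, 0
    while candidate.lower() in used:
        n += 1
        candidate = f"{base}{n}"
    return candidate

def display_name(sur, given, middle=""):
    """<surName> + ", " + <givenName> + " " + <middleName>, without a trailing space."""
    name = f"{sur}, {given}"
    return f"{name} {middle}" if middle else name

def alt_security_identities(sam):
    """Explicit certificate mapping for the extranet account (issuer DN and subject DN)."""
    return (f"X509:<I>{CONFIG['issuing-CA-dn']}<S>{CONFIG['CA-subject-prefix']}"
            f",cn={sam},E={sam}{CONFIG['ext-mail-domain']}")

def user_account_control(current, status):
    """First provisioning (current is None) gives a normal account; afterwards an active
    employee has the disabled bit cleared and leave/retired/disabled has it set."""
    uac = UF_NORMAL_ACCOUNT if current is None else current
    if status == STATUS_ACTIVE:
        return (uac | UF_NORMAL_ACCOUNT) & ~UF_ACCOUNTDISABLE
    return uac | UF_ACCOUNTDISABLE

def account_expires(status, today_iso):
    """Retired employees expire 1 month from today; anyone else gets None (never).
    Assumption: 'one month' is the same day of the next month, clamped to month end."""
    if status != STATUS_RETIRED:
        return None
    today = dt.date.fromisoformat(today_iso)
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    day = min(today.day, calendar.monthrange(year, month)[1])
    return dt.date(year, month, day).isoformat()

def to_filetime(day_iso):
    """AD stores accountExpires as 100 ns intervals since 1601-01-01 UTC (FILETIME)."""
    delta = dt.datetime.fromisoformat(day_iso) - dt.datetime(1601, 1, 1)
    return (delta.days * 86400 + delta.seconds) * 10_000_000

def notes_group_type(ad_group_type, mail_enabled):
    """Lotus Notes GroupType from the AD flags: 0 multipurpose, 2 ACL only, 1 mail only.
    Also accepts the signed value AD returns, e.g. -2147483646 for a global security group."""
    security = bool(ad_group_type & ADS_GROUP_TYPE_SECURITY_ENABLED)
    if security:
        return 0 if mail_enabled else 2
    if mail_enabled:
        return 1
    raise ValueError("distribution group that is not mail-enabled: no rule in Table 5.5")

def calculate_intranet_user(given, sur, middle, status, taken, today_iso):
    """Derive the intranet Active Directory attributes for one newly provisioned employee."""
    sam = sam_account_name(given, sur, taken)
    expires = account_expires(status, today_iso)
    return {
        "sAMAccountName": sam, "cn": sam, "mailNickName": sam,
        "dn": f"CN={sam},{CONFIG['int-employees']},{CONFIG['int-root']}",
        "userPrincipalName": f"{sam}@{CONFIG['upn']}",
        "displayName": display_name(sur, given, middle),
        "userAccountControl": user_account_control(None, status),
        "accountExpires": to_filetime(expires) if expires else None,
    }

if __name__ == "__main__":
    # Constructed sample: a retiring employee whose base name is already in the metaverse.
    user = calculate_intranet_user("Jonathan", "Haas", "", STATUS_RETIRED, {"JonaHaa"}, "2024-01-31")
    print("\n".join(f"{k}: {v}" for k, v in user.items()))
```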
When the MVSchemaExport.xml file is imported, it defines the correct metaverse schema. The only object type that this solution uses is the person object type, but it also configures a group object type for a later solution.
Subfolder: MA Exports
This subfolder contains the configuration for the MAs, exported to an .xml file. You can import these files by using the MIIS 2003 with SP1 Identity Manager, the administration program for MIIS 2003 with SP1. During the import process, the configuration is validated and verified. For example, any call-based MAs have their user account and password information checked, as well as other configuration information such as schema and directory-specific partitions.
You also must verify each page of the configuration. You might have to change connection and partition information if the connected directory structure is not the same as that specified in the file.
Table 5.6. MA Export Files
File name | Purpose |
ExtranetActiveDirectory.xml | Exported MA for the extranet Active Directory. |
IntranetActiveDirectory.xml | Exported MA for the intranet Active Directory. |
LotusNotes.xml | Exported MA for the Lotus Notes directory. |
SAPHR.xml | Exported MA for the SAP HR system. |
SunONEDirectory.xml | Exported MA for the Sun ONE Directory. |
GroupManagement.xml | Exported MA for the group management system used in the second scenario in this chapter. |
Subfolder: MIIS 2003 Extensions
You primarily use the MIIS 2003 with SP1 rules extensions for provisioning and advanced flow rules. You must compile the source code provided here into dynamic-link libraries (DLLs) that you build in (or at least copy to) the MIIS extension folder, which is usually located at C:\Program Files\Microsoft Identity Integration Server\Extensions.
A number of subfolders contain projects, each of which compiles to a .dll file of the same name. All these projects are contained in a single solution called HR Driven Provisioning, which is stored in a subfolder with the same name. Each project also has its own subfolder, named after the project, that contains the following files:
Table 5.7. MIIS 2003 Rules Extensions
File name | Purpose |
AssemblyInfo.vb | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information. |
<ProjectName>.vb | The Microsoft Visual Basic® .NET file for the extension. |
<ProjectName>.vbproj | The project file that contains the configuration and build settings, and lists the files associated with the project. |
<ProjectName>.vbproj.user | The project file that contains the user options related to the project. |
The projects in the following table are included:
Table 5.8. MIIS 2003 Rule Extensions Subfolders
Subfolder name | DLL file name | Notes |
Contoso MV Extensions | ContosoMVExtensions.dll | Primarily provisioning code for users and groups used in the Group Management solution. |
Contoso Utilities | ContosoUtilities.dll, PasswordGenerator.dll | Common methods for tasks, such as stripping illegal characters or generating a sAMAccountName and pseudo-random passwords. |
SAP HR | SAPHRExtension.dll | Import and export attribute flow rules for the SAP HR MA. |
Extranet Active Directory | ExtranetActiveDirectoryExtension.dll | Import and export attribute flow rules for the extranet Active Directory MA. |
Intranet Active Directory | IntranetActiveDirectoryExtension.dll | Import and export attribute flow rules for the intranet Active Directory MA. |
Lotus Notes | LotusNotesExtension.dll | Import and export attribute flow rules for the Lotus Notes MA. |
Self-Service Provisioning | SelfServiceProvisioningExtensions.dll | Import and export attribute flow rules for the Self-Service provisioning MA, which is used in the final scenario in this chapter. |
Subfolder: Operations
You can use the scripts that the following table describes in conjunction with the Windows scheduler to perform regular MIIS 2003 with SP1 synchronization.
Table 5.9. Operations Script Files
File name | Purpose |
MA-Runs.cmd | This file serializes the MA runs by calling the runMA.vbs file with appropriate parameters to call the MA run profile. |
runMA.vbs | This file uses Windows Management Instrumentation (WMI) to execute MA runs based on MA name and profile. |
This paper assumes that you have already implemented the identity aggregation and synchronization solution. If you have not already done so, you must install the software and infrastructure exactly as described in the "Implementation Prerequisites" section of the Identity Aggregation and Synchronization paper in this series. You must also implement the basic Contoso infrastructure.
If you have already implemented the identity aggregation and synchronization solution, you do not have to perform this task. If you have not done so, configure firewall and DNS settings as described in the "Intranet Firewall Configuration" section of the Identity Aggregation and Synchronization paper in this series.
If you have already implemented the identity aggregation and synchronization solution, you do not have to perform this task. If you have not done so, install and configure MIIS 2003 with SP1 exactly as described in the "MIIS 2003 with SP1 Installation and Configuration" section of the Identity Aggregation and Synchronization paper in this series. You must also configure the Sun ONE Directory Server 5.1 and Lotus Notes directories as described in that section.
You must ensure that the Data Access Application Block for .NET v2 is installed. After you have downloaded the block, use the following steps to install it.
To install the Data Access Application Block
You must ensure that the Microsoft Message Queuing (MSMQ) component is installed, and then add the message queues that the IdM Notification Service requires.
To add the MSMQ component
To create the message queues for IdMNotificationSvc.exe
Create the message queues that the IdM Notification Service will use, and then compile and install the IdM Notification Service. You also must configure Exchange and Lotus Notes for secure e-mail, so that initial password notifications (which are sent to the user's manager by e-mail) are not exposed.
To install and then start IdMNotificationSvc.exe
For example:
C:\Windows\Microsoft.NET\Framework\v1.1.4322>InstallUtil C:\IdmNotificationSvc\bin\debug\IdMNotificationSvc.exe
You should see the following output message:
The IdM Notification Service started successfully.
To secure initial password notifications
To implement the solution for this scenario, perform the tasks that correspond to the following topic sections:
This section provides detailed guidance for configuring MIIS 2003 with SP1. Information is provided for the following tasks:
There are five Management Agents associated with this solution.
The following table explains the Management Agents that you must either create or update:
Table 5.10. Management Agents
Management agent | Export file name containing MA configuration | If identity aggregation and synchronization solution is installed | If identity aggregation and synchronization solution is not installed |
SAP HR | SAPHR.xml | Create | Create |
Intranet Active Directory | IntranetActiveDirectory.xml | Update | Create |
Extranet Active Directory | ExtranetActiveDirectory.xml | Update | Create |
Lotus Notes | LotusNotes.xml | Update | Create |
Sun ONE Directory | SunOneDirectory.xml | Update | Create |
The details will vary slightly between Management Agents, but the principles are the same for all of them.
Task 1: Extending the MIIS 2003 with SP1 Metaverse Schema
This task requires you to add new attributes to the MIIS 2003 with SP1 schema. To expedite this process, use the exported metaverse schema.
To extend the MIIS 2003 with SP1 metaverse schema by using an exported metaverse schema
The schema import completed successfully.
Note If you receive an error message "Microsoft Identity Integration Server is unable to import schema file. Attribute groupType has different type in the server schema", delete the metaverse entry for groupType and rerun the Metaverse Schema import.
Task 2: Building the Rules Extensions
The Tools and Templates for this solution include several MIIS 2003 with SP1 rules extensions. You must compile these extensions into DLLs before MIIS 2003 with SP1 can use them.
To open the MIIS 2003 with SP1 extensions
To ensure that all projects are built in the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Provisioning and Workflow\HR-Driven Provisioning\MIIS Extensions\HR Driven Provisioning folder
The following procedure builds all the required projects into the correct directory, and ensures that if you build them again, they will compile into the correct directory.
To build all the projects
Note The default MIIS 2003 with SP1 installation directory is C:\Program Files\Microsoft Identity Integration Server.
Task 3: Creating the SAP HR Management Agent
The following steps describe the process to create the SAP HR MA. Detailed configuration information is provided for this task, and for each of the following individual MA tasks to help you resolve any issues.
To create the SAP HR MA
During the import process, MIIS 2003 validates various details, and requires you to review and verify each configuration screen. For call-based MAs you must supply the connection password.
The following notes describe what to look for, and how to resolve any issues that might arise, on each page of the Management Agent Designer.
Properties
The type should be Delimited text file, and the name of the MA should be SAP HR.
Configuring Attributes
You must define the attributes in the following table. Note that these attributes were originally taken from the SAP HR Full Import.csv template file, which you are not required to use again unless there are changes to the SAP HR system schema. Also note that there are more attributes available (from the .csv file) that the solution does not use.
Table 5.11. SAP HR System Employee Information
Attribute | Usage |
Birthday | The employee's birthday. |
Company | If employeeType = A then company = "Contoso" or "Fabrikam." |
Country | The employee's country/region. |
Department | The employee's department. |
EmployeeDepartureDate | If employeeStatus = 1 then employeeDepartureDate = <leave start time>. If employeeStatus = 2 then employeeDepartureDate = <retirement date>. |
EmployeeID | The employee's unique ID. |
EmployeeStartDate | The date the employee started working in the company. |
EmployeeStatus | The current employment status of the employee: 1 means that the employee is on leave; 2 means that the employee has retired from the company; 3 means that the employee is active. |
EmployeeType | The type of employee: A means a full-time employee. |
FacsimileTelephoneNumber | The employee's fax number without the international dialing prefix. |
GivenName | The employee's given name. |
Location | The employee's location. |
Manager | If employeeType = A, then manager holds the employeeID of the manager. |
MiddleName | The employee's middle name. |
Mobile | The employee's mobile number without the international dialing prefix. |
Pager | The employee's pager number without the international dialing prefix. |
SurName | The employee's surname. |
TelephoneNumber | The employee's telephone number without the international dialing prefix. |
Title | The employee's job title. |
Ensure that the anchor is set to employeeID.
Defining Object Types
There is only the person object type.
Configuring Partitions
No information needed. There are no partitions.
Configuring Connector Filter
No information needed. There is no filter.
Join and Projection Rules
Ensure that the following join rule exists: Direct Mapping Based on employeeID.
Ensure that the following projection rule exists: Direct Projection of a Person.
Configuring Attribute Flow
On the Configure Attribute Flow page, the attribute mappings should appear as detailed in the following table. Note that if any metaverse attributes referenced in the table are incorrect or missing, validation will fail. If failure occurs, verify that the metaverse schema was correctly imported.
Table 5.12. SAP HR MA Attribute Flow for Person
SAP HR attribute (Person Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction | Flow rule name |
Birthday | birthDate | Direct | Import | |
Company | Company | Direct | Import | |
Department | Department | Direct | Import | |
EmployeeDepartureDate | employeeDepartureDate | Direct | Import | |
EmployeeID | employeeID | Direct | Import | |
EmployeeStartDate | employeeStartDate | Direct | Import | |
EmployeeStatus | employeeStatus | Advanced | Import | IAFemployeeStatus |
EmployeeType | employeeType | Direct | Import | |
Country, FacsimileTelephoneNumber | facsimileTelephoneNumber | Advanced | Import | IAFfacsimileTelephoneNumber |
GivenName | givenName | Direct | Import | |
GivenName, MiddleName, Surname | displayName | Advanced | Import | IAFdisplayName |
GivenName, Surname | cn | Advanced | Import | IAFcn |
GivenName, Surname | sAMAccountName | Advanced | Import | IAFsAMAccountName |
Location | l | Direct | Import | |
Manager | manager | Direct | Import | |
Manager | managerEmail | Advanced | Import | IAFmanagerEmail |
Country, Mobile | mobile | Advanced | Import | IAFmobile |
Country, Pager | pager | Advanced | Import | IAFpager |
Surname | sn | Direct | Import | |
Country, TelephoneNumber | telephoneNumber | Advanced | Import | IAFtelephoneNumber |
Title | title | Direct | Import | |
Many of these rules are direct flows that require no explanation. The more complex ones (advanced mapping type) were implemented as code in the SAP HR MA rules extension. The following import attribute flows store values in the metaverse for use as required during provisioning.
Deprovisioning
Confirm that the Deprovisioning options are set to Make them disconnectors, and that the Do not recall check box is cleared.
Configuring Extensions
Confirm that the Rules Extension Name is SAPHRExtension.DLL, and that the Run this rules extension in a separate process check box is cleared to allow debugging. Password management settings are irrelevant.
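The following is an added example, not the source of the paper's SAPHRExtension.DLL, showing how the advanced (IAF*) import flows of Table 5.12 look as a MIIS 2003 rules extension. The exact formatting of displayName, cn and sAMAccountName and the country-to-dialing-prefix table are assumptions, not taken from the paper.

```csharp
// Added example, not the paper's SAPHRExtension.DLL: a rules extension for the SAP HR MA
// implementing the advanced (IAF*) import flows of Table 5.12. Assumed, not from the paper:
// the formatting of displayName, cn and sAMAccountName and the dialing-prefix table.
// Written against .NET Framework 1.1, which MIIS 2003 with SP1 targets (no generics).
using System;
using Microsoft.MetadirectoryServices;

public class MAExtensionObject : IMASynchronization
{
    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }

    // Projection and join are declarative rules on this MA ("Direct Projection of a Person",
    // "Direct Mapping Based on employeeID"), so these entry points are intentionally unused.
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry) { throw new EntryPointNotImplementedException(); }

    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case "IAFemployeeStatus":
                // Only the three codes defined in Table 5.11 are accepted. Rejecting anything else
                // keeps a malformed HR extract from feeding the downstream deprovisioning flows.
                string status = OptionalValue(csentry, "EmployeeStatus");
                if (status != "1" && status != "2" && status != "3")
                    throw new UnexpectedDataException("Unknown EmployeeStatus: " + status);
                mventry["employeeStatus"].Value = status;
                break;
            case "IAFdisplayName":
                mventry["displayName"].Value = JoinNonEmpty(new string[] {
                    OptionalValue(csentry, "GivenName"),
                    OptionalValue(csentry, "MiddleName"),
                    OptionalValue(csentry, "Surname") });
                break;
            case "IAFcn":
                mventry["cn"].Value = JoinNonEmpty(new string[] {
                    OptionalValue(csentry, "GivenName"), OptionalValue(csentry, "Surname") });
                break;
            case "IAFsAMAccountName":
                // Assumed convention: first initial + surname, lower case, no spaces,
                // cut to the 20-character pre-Windows 2000 logon name limit.
                string given = OptionalValue(csentry, "GivenName");
                string sam = (given.Length > 0 ? given.Substring(0, 1) : "")
                             + OptionalValue(csentry, "Surname");
                sam = sam.Replace(" ", "").ToLower();
                if (sam.Length > 20) sam = sam.Substring(0, 20);
                mventry["sAMAccountName"].Value = sam;
                break;
            case "IAFfacsimileTelephoneNumber": FlowWithPrefix(csentry, "FacsimileTelephoneNumber", mventry, "facsimileTelephoneNumber"); break;
            case "IAFmobile": FlowWithPrefix(csentry, "Mobile", mventry, "mobile"); break;
            case "IAFpager": FlowWithPrefix(csentry, "Pager", mventry, "pager"); break;
            case "IAFtelephoneNumber": FlowWithPrefix(csentry, "TelephoneNumber", mventry, "telephoneNumber"); break;
            default:
                // IAFmanagerEmail needs a metaverse lookup of the manager and is not shown here.
                throw new EntryPointNotImplementedException();
        }
    }

    // Table 5.11 stores numbers without the international dialing prefix; the flow prepends
    // the prefix for the employee's Country. If the number is absent, the metaverse value is
    // deleted so a stale number does not linger in the downstream directories.
    private static void FlowWithPrefix(CSEntry csentry, string csAttr, MVEntry mventry, string mvAttr)
    {
        string number = OptionalValue(csentry, csAttr);
        if (number.Length == 0) { mventry[mvAttr].Delete(); return; }
        string prefix = DialingPrefixFor(OptionalValue(csentry, "Country"));
        mventry[mvAttr].Value = (prefix == null) ? number : prefix + " " + number;
    }

    // Constructed sample mapping of the SAP HR Country value to a dialing prefix (assumption).
    private static string DialingPrefixFor(string country)
    {
        switch (country) { case "US": return "+1"; case "GB": return "+44"; case "DE": return "+49"; default: return null; }
    }

    // Reading .Value of an absent attribute throws, so every optional field goes through here.
    private static string OptionalValue(CSEntry csentry, string attr) { return csentry[attr].IsPresent ? csentry[attr].Value.Trim() : ""; }

    private static string JoinNonEmpty(string[] parts)
    {
        string result = "";
        foreach (string p in parts) if (p.Length > 0) result += (result.Length > 0 ? " " : "") + p;
        return result;
    }
}
```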
Task 4: Creating or Updating the Intranet Active Directory Management Agent
To create or update the intranet Active Directory MA
During the update process, MIIS 2003 with SP1 validates certain details but might not require you to verify each screen. For call-based MAs, you will have to supply the connection password.
The following notes provide you with an idea of what to look for and how to resolve any issues that might arise on each screen of the Management Agent Designer.
Properties
The type should appear as Active Directory, and the name of the MA should appear as Intranet Active Directory.
Connecting to the Active Directory Forest
The original configuration used the following values:
If your parameters do not match those of the described environment, you must edit them. In any case, you must enter the correct password.
Configuring Directory Partitions
The original configuration was for the partition DC=na,DC=corp,DC=contoso,DC=com to include the containers OU=Disabled,OU=ContosoCorp,DC=contoso,DC=com, and OU=Employees,OU=ContosoCorp,DC=contoso,DC=com. If your environment is different, edit this partition information.
Selecting Object Types
The object types for Container, domainDNS, and organizationalUnit are mandatory. User is the only additional object type this solution requires.
Configuring Attributes
The solution includes several attributes. Any attributes that are referenced elsewhere, for example, in provisioning code or in attribute flow mappings, must be included here.
Configuring Connector Filter
No information needed. There is no filter.
Join and Projection Rules
Ensure that the following join rule exists for user: Direct Mapping Based on employeeID.
Ensure that the following join rule exists for group (in preparation for the Group Management solution): Direct Mapping Based on sAMAccountName.
Configure Attribute Flow
On the Configure Attribute Flow page, attribute mappings should appear as detailed in the following table. Note that any referenced connector space attributes must appear on the inclusion list (see the previous "Configuring Attributes" section in this chapter). If any referenced metaverse attributes are incorrect or missing, validation will fail. If failure occurs, check the inclusion list and verify that the metaverse schema was correctly imported.
Table 5.13. Intranet Active Directory MA Attribute Flow for Person
Intranet Active Directory attribute (User Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction | Flow rule name |
accountExpires | employeeID, employeeStatus | Advanced | Export | EAFaccountExpires |
c | c | Direct | Export | |
co | co | Direct | Export | |
company | company | Direct | Export | |
department | department | Direct | Export | |
displayName | displayName | Direct | Export | |
employeeID | employeeID | Direct | Export | |
facsimileTelephoneNumber | facsimileTelephoneNumber | Direct | Export | |
givenName | givenName | Direct | Export | |
l | l | Direct | Export | |
| | Direct | Export | |
manager | manager | Direct | Export | |
mobile | mobile | Direct | Export | |
pager | pager | Direct | Export | |
sAMAccountName | sAMAccountName | Direct | Export | |
sn | sn | Direct | Export | |
telephoneNumber | telephoneNumber | Direct | Export | |
Title | title | Direct | Export | |
userAccountControl | employeeStatus, employeeID | Advanced | Export | EAFemployeeStatus |
userPrincipalName | sAMAccountName | Advanced | Export | EAFuserPrincipalName |
cn | cn | Direct | Import | |
| | Direct | Import | |
mobile | mobile | Direct | Import | |
sAMAccountName | sAMAccountName | Advanced | Import | IAFsAMAccountName |
userAccountControl | employeeStatus | Advanced | Import | IAFemployeeStatus |
userPrincipalName | userPrincipalName | Direct | Import | |
Many of these rules are direct flows that require no explanation. However, some are sufficiently complex that they were implemented as rules extensions (advanced mapping type). The following import attribute flows were implemented as intranet Active Directory MA rules extensions:
The following export attribute flows were implemented as intranet Active Directory MA rules extensions:
Deprovisioning
Ensure that the deprovisioning options are set to Stage a delete, and that the Do not recall check box is cleared.
Configuring Extensions
Ensure that the Rules Extension Name is IntranetActiveDirectoryExtension.DLL, and that the check box for Run this rules extension in a separate process is cleared to allow debugging. Password management settings are irrelevant at this stage.
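The following is an added example, not the source of the paper's IntranetActiveDirectoryExtension.DLL, showing the advanced (EAF*) export flows of Table 5.13 as a rules extension, with the deprovisioning behaviour that drives userAccountControl and accountExpires. The mapping of the three employeeStatus codes to account state, the expiry policy and the UPN suffix are assumptions, not values from the paper.

```csharp
// Added example, not the paper's IntranetActiveDirectoryExtension.DLL: a rules extension for
// the intranet Active Directory MA implementing the advanced (EAF*) export flows of Table 5.13.
// Assumed, not from the paper: how the three employeeStatus codes map to account state,
// the expiry policy, and the UPN suffix.
using System;
using Microsoft.MetadirectoryServices;

public class MAExtensionObject : IMASynchronization
{
    // userAccountControl flag bits as defined by the Active Directory schema.
    private const long UF_ACCOUNTDISABLE = 0x0002;
    private const long UF_NORMAL_ACCOUNT = 0x0200;
    // accountExpires value that Active Directory treats as "never expires".
    private const long NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF;
    // UPN suffix of the intranet forest: a placeholder assumption, not a value from the paper.
    private const string UpnSuffix = "na.corp.contoso.com";

    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }

    // Join, projection and the import flows of this MA are not part of this example.
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry) { throw new EntryPointNotImplementedException(); }

    // Table 5.13 lists employeeStatus and employeeID as the sources of the first two rules;
    // naming both makes MIIS re-run the rule whenever either metaverse value changes.
    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case "EAFemployeeStatus":
                // Start from the flags the account already carries (password and smart-card
                // policy bits live here too) and only toggle ACCOUNTDISABLE; writing a fresh
                // constant would silently clear every other control set on the account.
                long uac = csentry["userAccountControl"].IsPresent
                    ? csentry["userAccountControl"].IntegerValue : UF_NORMAL_ACCOUNT;
                if (IsActive(mventry)) uac &= ~UF_ACCOUNTDISABLE;
                else uac |= UF_ACCOUNTDISABLE;
                csentry["userAccountControl"].IntegerValue = uac;
                break;

            case "EAFaccountExpires":
                // Assumed policy: a retired employee's account (status 2) expires now, so it
                // cannot be re-enabled by hand without also clearing the expiry; active and
                // on-leave accounts never expire (leave is covered by the disable bit above).
                csentry["accountExpires"].IntegerValue =
                    StatusOf(mventry) == "2" ? DateTime.Now.ToFileTime() : NEVER_EXPIRES;
                break;

            case "EAFuserPrincipalName":
                csentry["userPrincipalName"].Value = mventry["sAMAccountName"].Value + "@" + UpnSuffix;
                break;

            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // employeeStatus codes come from Table 5.11 (1 on leave, 2 retired, 3 active).
    // A missing status counts as not active, so the account fails closed (disabled).
    private static string StatusOf(MVEntry mventry)
    {
        return mventry["employeeStatus"].IsPresent ? mventry["employeeStatus"].Value : "";
    }

    private static bool IsActive(MVEntry mventry) { return StatusOf(mventry) == "3"; }
}
```

The userAccountControl and accountExpires attributes must be on the MA's inclusion list (see "Configuring Attributes" above) or the csentry indexer throws at run time.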
Task 5: Creating or Updating the Extranet Active Directory Management Agent
To create or update the extranet Active Directory MA
During the update process, MIIS 2003 with SP1 validates certain details but might not require you to verify each screen. For call-based MAs you will have to supply the connection password.
The following notes should help you know what to look for and how to resolve any issues that might arise on each screen of the Management Agent Designer.
Properties
The type should appear as Active Directory, and the name of the MA should appear as Extranet Active Directory.
Connecting to the Active Directory Forest
The original configuration used the following values:
If your parameters do not match those of the environment for this solution, you must edit them. In any case, you must enter the correct password.
Configuring Directory Partitions
The original configuration was for the partition DC=perimeter,DC=contoso,DC=com to include the containers OU=Disabled,OU=Accounts and OU=Employees,OU=Accounts both within DC=perimeter,DC=contoso,DC=com. If your environment is different, edit this partition information.
Selecting Object Types
The object types for Container, domainDNS, and organizationalUnit are mandatory. This solution requires the User object type. The next solution requires the Group object type.
Configuring Attributes
This solution includes several attributes. Any attributes referenced elsewhere in this chapter, for example, in provisioning code or in attribute flow mappings, must be included here.
Configuring Connector Filter
No information needed. There is no filter.
Join and Projection Rules
Ensure that the following join rules exist for user: Direct Mapping Based on employeeID, and Direct Mapping Based on sAMAccountName.
Configure Attribute Flow
On the Configure Attribute Flow page, attribute mappings should appear as detailed in the following table. Note that any referenced connector space attributes must appear on the inclusion list (see the previous "Configuring Attributes" section in this chapter). If any referenced metaverse attributes are incorrect or missing, validation will fail. If failure occurs, check the inclusion list and verify that the metaverse schema was correctly imported.
Table 5.14. Extranet Active Directory MA Attribute Flow for Person
Extranet Directory attribute (User Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction | Flow rule name |
accountExpires | employeeStatus, employeeID | Advanced | Export | EAFaccountExpires |
altSecurityIdentities | sAMAccountName | Advanced | Export | altSecurityIdentities |
c | c | Direct | Export | |
co | co | Direct | Export | |
company | company | Direct | Export | |
department | department | Direct | Export | |
employeeID | employeeID | Direct | Export | |
givenName | givenName | Direct | Export | |
l | l | Direct | Export | |
| | Direct | Export | |
manager | manager | Direct | Export | |
sAMAccountName | sAMAccountName | Direct | Export | |
sn | sn | Direct | Export | |
telephoneNumber | telephoneNumber | Direct | Export | |
userAccountControl | employeeStatus, employeeID | Advanced | Export | EAFemployeeStatus |
userPrincipalName | userPrincipalName, sAMAccountName | Advanced | Export | EAFuserPrincipalName |
Many of these rules are direct flows that require no explanation. However, some sufficiently complex ones were implemented as rules extensions (advanced mapping type). The following export attribute flows were implemented as extranet Active Directory MA rules extensions:
Deprovisioning
Ensure that the deprovisioning options are set to Stage a delete, and that the Do not recall check box is cleared.
Configuring Extensions
Ensure that the Rules Extension Name is ExtranetActiveDirectoryExtension.DLL, and that the Run this rules extension in a separate process check box is cleared to allow debugging. Password management settings are irrelevant at this stage.
Task 6: Creating or Updating the Lotus Notes Management Agent
To create or update the Lotus Notes MA
During the update process, MIIS 2003 with SP1 validates certain details, but might not require you to verify each screen. For call-based MAs, you will have to supply the connection password.
The following notes should help you know what to look for and how to resolve any issues that might arise on each screen of the Management Agent Designer.
Properties
Ensure that the type appears as Lotus Notes 4.6, 5 or 6, and that the MA name is Lotus Notes.
Connecting to the Notes Server
The original configuration used the following values:
If your parameters do not match those of the described environment, edit them. In any case, you must enter the correct password.
Configuring Organizational Units
The original configuration used the following values:
If your parameters do not match those of the described environment, edit them.
Selecting Object Types
The address book is mandatory. This solution requires the User object type. This chapter requires the Group object type later.
Configuring Attributes
This solution includes several attributes. The first six in the following table are mandatory. Any attributes referenced elsewhere, for example, in provisioning code or in attribute flow mappings, must be included here.
Configuring Connector Filter
Configure a filter to exclude accounts in which ShortName equals madminis (matching the Short Name of the administrator account you created).
Join and Projection Rules
Ensure that the following join rule exists: Direct Mapping Based on employeeID.
Configuring Attribute Flow
On the Configure Attribute Flow page, the attribute mappings should appear as detailed in the following table. Note that any referenced connector space attributes must appear on the inclusion list (see the previous "Configuring Attributes" section). If any referenced metaverse attributes are incorrect or missing, validation will fail. If failure occurs, check the inclusion list and verify that the metaverse schema was correctly imported.
Table 5.15. Lotus Notes MA Attribute Flow for Person
Lotus Notes attribute (Person Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction | Flow rule name |
CellPhoneNumber | mobile | Direct | Export | |
CompanyName | company | Direct | Export | |
Department | department | Direct | Export | |
EmployeeID | employeeID | Direct | Export | |
FirstName | givenName | Direct | Export | |
InternetAddress | mail, company | Advanced | Export | EAFinternetAddress |
JobTitle | title | Direct | Export | |
LastName | sn | Direct | Export | |
MailAddress | mail, company | Advanced | Export | EAFMailAddress |
Manager | manager | Direct | Export | |
OfficeCity | l | Direct | Export | |
OfficeFAXPhoneNumber | facsimileTelephoneNumber | Direct | Export | |
OfficePhoneNumber | telephoneNumber | Direct | Export | |
PhoneNumber_6 | pager | Direct | Export | |
ShortName | sAMAccountName | Advanced | Export | EAFshortName |
Title | title | Direct | Export | |
Many of these rules are direct flows that require no explanation. However, some sufficiently complex ones were implemented as rules extensions (advanced mapping type). The following export attribute flows were implemented as Lotus Notes MA rules extensions:
Deprovisioning
Ensure that the deprovisioning options are set to Stage a delete, and that the Do not recall check box is cleared.
Configuring Extensions
Ensure that the Rules Extension Name is LotusNotesExtension.DLL, and that the Run this rules extension in a separate process check box is cleared to allow debugging. Password management settings are irrelevant at this stage.
Task 7: Creating or Updating the Sun ONE Directory Server Management Agent
To create or update the Sun ONE Directory Server MA
During the update process, MIIS 2003 with SP1 validates certain details, but might not require you to verify each screen. For call-based MAs you must supply the connection password.
The following notes should help you know what to look for and how to resolve any issues that might arise with each screen of the Management Agent Designer.
Properties
The type should appear as Sun and Netscape directory services, and the name of the MA should appear as Sun ONE Directory.
Specifying Logon Information
The original configuration used these values:
If your parameters do not match those of the described environment, edit them. In any case, you must enter the correct password.
Naming Context
The original configuration used these values:
If your parameters do not match those of the described environment, edit them.
Selecting Object Types
Ensure that the object types for organizationalUnit and iNetOrgPerson are selected.
Selecting Attributes
This solution includes several attributes. Any attributes referenced elsewhere in this chapter, for example, in provisioning code or in attribute flow mappings, must be included here.
Configuring Connector Filter
No information needed. There is no filter.
Join and Projection Rules
Ensure that the following join rule exists: Direct Mapping from employeeNumber to employeeID.
Configuring Attribute Flow
On the Configure Attribute Flow page, attribute mappings should appear as detailed in the following table. Note that any referenced connector space attributes must appear on the inclusion list (see the previous "Configuring Attributes" section). If any referenced metaverse attributes are incorrect or missing, validation will fail. If failure occurs, check the inclusion list and verify that the metaverse schema was correctly imported.
Table 5.16. Sun ONE MA Attribute Flow for Person
Sun ONE attribute (iNetOrgPerson Object) | Metaverse attribute (Person Object) | Mapping type | Flow direction |
description | company | Direct | Export |
displayName | displayName | Direct | Export |
employeeNumber | employeeID | Direct | Export |
facsimileTelephoneNumber | facsimileTelephoneNumber | Direct | Export |
givenName | givenName | Direct | Export |
l | l | Direct | Export |
| | Direct | Export |
manager | manager | Direct | Export |
sn | sn | Direct | Export |
telephoneNumber | telephoneNumber | Direct | Export |
Title | title | Direct | Export |
uid | uid | Direct | Export |
Deprovisioning
Ensure that the deprovisioning options are set to Make them disconnectors, and that the Do not recall check box is cleared.
Configuring Extensions
There is no rules extension. Password management settings are irrelevant at this stage.
Task 8: Configuring Import Attribute Flow Precedence
The basic metaverse schema must be defined before you can import the MAs. The MAs define flows into the metaverse attributes, and if more than one flow exists for an attribute, precedence must be defined. This configuration completes the metaverse schema definition. Use the following guidance to understand how and what was set for this solution.
In many cases where there is more than one import flow rule into a metaverse attribute, precedence is not important because the value only flows from one originating data source, without conflict. The few cases in which precedence does matter are described below.
In Identity Manager, select the Metaverse Designer tool, and then use the following steps.
To configure attribute flow precedence
Table 5.17. Attribute Flow Precedence
Metaverse attribute (Person Object) | Type | Attribute flow precedence | Manual precedence |
cn | String (indexable) | 1. SAP HR; 2. Intranet Active Directory | |
employeeStatus | String (indexable) | N/A | Yes |
sAMAccountName | String (indexable) | N/A | Yes |
Task 9: Configuring the Run Profiles
The run profiles for each MA are imported with other settings. For information about run profile types, read the "Run Profiles" section in Chapter 4 of the Identity Aggregation and Synchronization paper in this series. For information about how to create or modify them, read the "Task 8: Create Run Profiles" section in Chapter 5 of that paper.
The following table details the run profiles that you need for this solution. Note that Export run profiles are followed by a confirming staged import and then by a delta synchronization. This final step ensures that any imported changes are propagated properly, and that any connector space objects accidentally disconnected, for example, manually by an administrator, are joined to their corresponding metaverse object again.
Table 5.18. Required Run Profiles
Management agent | Run profile name | Run profile type | Notes |
SAP HR | Full Import (Stage Only) | Full Import (Stage Only) | Imports SAP HR Full Import.csv. |
SAP HR | Delta Import | Delta Import and Delta Synchronization | Imports and synchronizes updates.csv (This run is used for ongoing operation, and the file is created from or overwritten with the latest data extracted during ongoing operation.) |
SAP HR | Synchronize | Full Synchronization | Applies synchronization rules including provisioning. |
SAP HR | Demo 1 | Delta Import | Imports demo1.csv (Run profiles demo 1 to demo 4 are for testing only). |
SAP HR | Demo 2 | Delta Import | Imports demo2.csv. |
SAP HR | Demo 3 | Delta Import | Imports demo3.csv. |
SAP HR | Demo 4 | Delta Import and Delta Synchronization | Imports and synchronizes demo4.csv. |
Intranet Active Directory | Delta Import | Delta Import and Delta Synchronization | Not needed in regular operation. |
Intranet Active Directory | Export | Step 1: Export Step 2: Delta Import Step 3: Delta Synchronization | This exports, re-imports to confirm the export, and also imports and synchronizes any changes from Active Directory. |
Intranet Active Directory | Full Import (Stage Only) | Full Import (Stage Only) | Initial container discovery. |
Intranet Active Directory | Full Synchronization | Full synchronization | Initial synchronization. |
Extranet Active Directory | Delta Import | Delta Import and Delta Synchronization | Not needed in regular operation. |
Extranet Active Directory | Export | Step 1: Export Step 2: Delta Import Step 3: Delta Synchronization | This exports and re-imports to confirm the export. |
Extranet Active Directory | Full Import (Stage Only) | Full Import (Stage Only) | Initial container discovery. |
Extranet Active Directory | Full Synchronization | Full synchronization | Initial synchronization. |
Lotus Notes | Delta Import | Delta Import and Delta Synchronization | Not needed in regular operation. |
Lotus Notes | Export | Step 1: Export Step 2: Delta Import Step 3: Delta Synchronization | This exports and re-imports to confirm the export. |
Lotus Notes | Full Import (Stage Only) | Full Import (Stage Only) | Initial container discovery. |
Lotus Notes | Full Synchronization | Full synchronization | Initial synchronization. |
Sun ONE Directory | Delta Import | Delta Import and Delta Synchronization | Not needed in regular operation. |
Sun ONE Directory | Export | Step 1: Export Step 2: Delta Import Step 3: Delta Synchronization | This exports and re-imports to confirm the export. |
Sun ONE Directory | Full Import (Stage Only) | Full Import (Stage Only) | Initial container discovery. |
Sun ONE Directory | Full Synchronization | Full synchronization | Initial synchronization. |
This section describes how to import and synchronize all existing data so that you are ready to conduct ongoing operations. This process involves several tasks, and the order in which they are performed is important. Later during ongoing operations, the order in which you perform them is not as important.
The initial identity integration management operations tasks are as follows:
Task 1: Turning Off Provisioning
If you have not already installed the identity aggregation and synchronization solution, you must perform this task so that no provisioning takes place until existing data has been synchronized.
If you have already installed the identity aggregation and synchronization solution, this step is not strictly necessary because your identity information is already synchronized. However, Microsoft strongly recommends that you turn provisioning off. It is generally a best practice to perform one task at a time whenever introducing a new MA to facilitate checking and debugging. Errors may occur if provisioning is attempted into a hierarchy that has not yet been discovered.
You can turn off provisioning in either of the following two ways.
To turn off provisioning
Task 2: Initializing MIIS 2003 with SP1 Connector Spaces for All Management Agents
If you have not already installed the identity aggregation and synchronization solution, you must perform this step for all Management Agents.
If you have already installed the identity aggregation and synchronization solution, run this step only for the new SAP HR MA. However, you can perform this step for all MAs to ensure that everything initializes correctly.
Run each MA that you created in the previous section with a Full Import (Stage Only) run type. To do so, complete the following steps for each MA.
To initialize the MIIS 2003 with SP1 connector spaces
Note If the status does not show success, errors are reported, or nothing has been imported according to the statistics, examine the problem and correct it.
Be sure to perform the previous steps for the following Management Agents:
Task 3: Synchronizing Connector Spaces for All Management Agents
You must synchronize all MAs so that new data can flow and you can apply new rules. This task documentation includes guidance for performing synchronization preview and for performing actual synchronization. In addition, guidance is provided on how to proceed with synchronization depending on whether you have already installed the identity aggregation and synchronization solution.
Performing Synchronization Preview
For each MA, it is considered a best practice to use the preview feature before performing the actual synchronization. The preview enables you to ensure that the rules function for sample data, including those for join, projection, import attribute flows, provisioning, and export attribute flows.
To preview synchronization
Make sure that you address any reported errors before continuing to perform the actual synchronization.
Performing Actual Synchronization
Complete the following steps to accomplish this task.
To synchronize an MA
View the connector space to make sure that the information looks correct. To view the connector space, on the Actions menu, click Search Connector Space or click the hyperlinked statistics.
If You Have Already Installed the Identity Aggregation and Synchronization Solution
If you have already installed the identity aggregation and synchronization solution, you must synchronize the MAs listed in the following table. The table also provides information about what the synchronization should accomplish for each MA.
Table 5.19. Synchronization Runs to Perform if the Identity Aggregation and Synchronization Solution Is Installed
Management agent | What should happen |
SAP HR | SAP HR system users join to existing metaverse objects; if none is found with the correct employeeID, a new object is projected. Import flows take place for attributes for which the SAP HR system is authoritative and has precedence. Export flows take place to the connector spaces for other MAs as necessary. |
Intranet Active Directory | Ensures that all attributes are fully synchronized. All import attribute flow rules are run. Export flows take place to the connector spaces for other MAs as necessary. |
Sun ONE Directory | Ensures that all attributes are fully synchronized. All import attribute flow rules are run. Export flows take place to the connector spaces for other MAs as necessary. |
Note The Extranet Active Directory and Lotus Notes Management Agents are not included in the table because there is no import flow defined for them.
To view the connector spaces, on the Actions menu, click Search Connector Space or click the hyperlinked statistics.
If You Have Not Already Installed the Identity Aggregation and Synchronization Solution
If you have not installed the identity aggregation and synchronization solution, only perform the single synchronization described in the following table.
Table 5.20. Synchronization Run to Perform If the Identity Aggregation and Synchronization Solution Is Not Installed
Management agent | What should happen |
SAP HR | SAP HR system users project new metaverse objects. Import flows take place for attributes for which SAP is authoritative. |
Task 4: Exporting Metaverse Attribute Updates
If you have already installed the identity aggregation and synchronization solution, perform this task to make sure that any changes are exported.
If you have not already installed the identity aggregation and synchronization solution, skip this step because you do not yet have any exports. Complete the following steps to run the Lotus Notes Export process.
To export metaverse attribute updates to existing users
This task exports any pending connector space objects (resulting from export flow from the metaverse) and performs a confirming delta import.
Task 5: Turning On Provisioning
To provision any required new accounts, you must enable provisioning. Depending on how provisioning was turned off, you can perform this task in one of the following two ways.
To turn on provisioning
In either case, ensure that on the Tools menu, under Options, the Rules extension name has been set to ContosoMVExtensions.dll.
Task 6: Resynchronizing and Exporting to Provision New Accounts
You must run the provisioning code for each metaverse object, and you do this by ensuring that each object is involved in a synchronization. One way to ensure that a complete synchronization occurs is to run a Full Synchronization step for all MAs that have projected any metaverse objects.
If you have already installed the identity aggregation and synchronization solution, synchronize the SAP HR MA and any others that projected objects during Task 4. Any "missing" connector space objects will be created, ready for export. "Missing" objects are those that should exist according to the business rules but do not, presumably because of errors in the former manual administration.
If you have not already installed the identity aggregation and synchronization solution, you only must synchronize the SAP HR MA. This synchronization will create accounts in the connector spaces for all other MAs to prepare them for export.
In either case, you must perform an export run type for all MAs that have pending exports.
To provision new accounts
Run the synchronization and export steps described in one of the following tables, depending on whether you have already installed the identity aggregation and synchronization solution.
Table 5.21. If You Have Already Installed the Identity Aggregation and Synchronization Solution
Management agent | Run profile | What should happen |
SAP HR | Full synchronization | Only "missing" accounts are provisioned into the connector spaces for other MAs according to the business rules. |
Intranet Active Directory | Export | Only "missing" accounts are provisioned into Active Directory and re-imported to confirm export (mail-enabled for Contoso, mailbox-enabled for Fabrikam). |
Extranet Active Directory | Export | Only "missing" accounts are provisioned into Active Directory and re-imported to confirm export (for Sales employees only). |
Lotus Notes | Export | Only "missing" accounts are provisioned into Lotus Notes and re-imported to confirm export (mailboxes for Fabrikam, contacts for Contoso). |
Sun ONE Directory | Export | Only "missing" accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export (Fabrikam employees only). |
Table 5.22. If You Have Not Already Installed the Identity Aggregation and Synchronization Solution
Management agent | Run type | What should happen |
SAP HR | Full synchronization | All accounts are provisioned into the connector spaces for other MAs according to the business rules. |
Intranet Active Directory | Export | New accounts are provisioned into Active Directory and re-imported to confirm export (mail-enabled for Contoso, mailbox-enabled for Fabrikam). |
Extranet Active Directory | Export | New accounts are provisioned into Active Directory and re-imported to confirm export (for Sales employees only). |
Lotus Notes | Export | New accounts are provisioned into Lotus Notes and re-imported to confirm export (mailboxes for Fabrikam, contacts for Contoso). |
Sun ONE Directory | Export | New accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export (Fabrikam employees only). |
The solution for the Group Management scenario builds directly on the HR-Driven Provisioning solution described in the previous section.
The following sections describe the solution for the Group Management scenario.
This folder contains a script to install the following components:
Subfolder: GroupManagementDB
This subfolder contains a SQL script to create the database that the Group Management Web application uses.
Subfolder: miisGroupManagement
This subfolder contains the source code required to build and deploy the Web-based Group Management administrative application.
Subfolder: GroupPopulator
This subfolder contains the source code required to build the Group Populator program, which builds the group memberships after you define them through the Web UI.
Before implementing this solution, you must implement the HR-Driven Provisioning solution. You must also have a Web application server (IIS) running Microsoft Windows Server™ 2003 with the Microsoft .NET Framework 1.1, joined to the Active Directory domain. You should also have Active Server Pages (ASP) enabled. For information about how to enable ASP in IIS, refer to the Windows Server 2003 Help and Support Center.
The next sections in this chapter detail the tasks that you must perform to implement the Group Management solution:
Perform the steps in this task to create the appropriate OU structure to prepare the Contoso intranet Active Directory.
To create the appropriate OU structure
Both the Group Populator program and the Group Management Web application depend on the miisGroupManagement database, and application security is managed through access to that database. The minimum access required is membership in the SQL Server db_datareader and db_datawriter database roles. Because anyone who can write to the database can change group definitions, and therefore the memberships that the Group Populator builds into Active Directory, you should consider a more sophisticated security model, such as Authorization Manager, before deploying this solution in a live environment.
Complete the steps in this task to create the database and populate it with configuration and sample data.
To create and initialize the database
You must now compile the Group Populator program and the Group Management Web application.
To compile the Group Populator program
To compile and configure the Group Management Web Application
Perform the steps in this task to make sure that the metaverse is properly configured for groups. You must ensure that the group object type is defined, and that it has the required attributes. You must also set the object type deletion rule so that a metaverse object is deleted if the definition is deleted in the Group Management Web application.
To ensure that the group object type is properly configured
Task 5: Creating the New MA
Perform the steps in this task to create the Group Management MA that will import and update group objects.
To create the Group Management MA
You should not have to change any settings, except perhaps connection details if your environment varies from the one described.
Task 6: Verifying the Intranet Active Directory and Lotus Notes MAs
These MAs should already include the settings for managing groups and users.
To verify the intranet Active Directory MA
Table 5.23. Join Rule Configuration for Group and Object Types
Data source object type | Data source attribute | Metaverse object type | Metaverse attribute | Mapping type |
Group | sAMAccountName | Group | sAMAccountName | Direct |
Table 5.24. Group Export Attribute Flow Rules for the Intranet Active Directory MA
Data source attribute | Metaverse attribute | Mapping type | Allow nulls? | Notes |
description | description | Direct | Yes | |
groupType | groupType | Direct | No | |
info | info | Direct | Yes | |
sAMAccountName | displayName | Direct | No | |
mailNickname | mailNickname | Direct | Yes | |
member | member | Direct | Yes | Allows zero members |
To verify the Lotus Notes MA
Table 5.25. Join Rule Configuration for Group and Object Types
Data source object type | Data source attribute | Metaverse object type | Metaverse attribute | Mapping type |
Group | GroupTitle | Group | displayName | Direct |
Table 5.26. Export Attribute Flow Rules for the Lotus Notes MA
Data source attribute | Metaverse attribute | Mapping type | Allow nulls? | Notes |
GroupTitle | displayName | Direct | No | |
ListDescription | displayName | Direct | No | |
Members | Member | Direct | Yes | Allows zero members |
GroupType | groupType, mailNickname | Rules Extension | No | |
Task 7: Setting the Metaverse Object Deletion Rule for Groups
Configure the metaverse object deletion rule for the group object type so that groups are deleted automatically.
To set the metaverse object deletion rule
The solution for the Self-Service Provisioning scenario that the following sections describe builds directly on the Group Management solution outlined in the previous section.
This folder contains a number of subfolders containing the files required to implement the Self-Service Provisioning Web application.
Subfolder: Azman
The Self-Service Provisioning Web application is secured through Microsoft Authorization Manager. Anyone can request contractor accounts, but only a user who has been granted the Approver role can approve provisioning. The Azman subfolder contains the mystore.xml file, which has the Authorization Manager policy information required to define the Approver role.
Subfolder: SQL
The Self-Service Provisioning Web application depends on the MIISWorkflow database. The SQL Server script, SelfServiceProvisioningDB.SQL, creates this database, including the required tables and stored procedures.
Subfolder: SSProv
This folder contains all the source code required to build the Self-Service Provisioning Web application itself, SelfSvcProvisioning.sln, and all its associated projects.
Subfolder: MA Exports
The Self-Service Provisioning Web application presents new contractor data to MIIS 2003 with SP1, which imports the data and provisions accounts to Active Directory. This folder contains the Self-ServiceProvisioning.xml file from which you can import the new MA that MIIS requires.
Before implementing this solution, you must implement the Group Management solution described previously in this chapter. You must also have a Web application server that has Windows Server 2003 and the Microsoft .NET Framework 1.1 joined to the Active Directory domain.
The remainder of this chapter details the following tasks to implement the Self-Service Provisioning Web application:
The Self-Service Provisioning Web application depends on the MIISWorkflow database. Complete the steps in this task to create the database.
To create and initialize the database
To configure Active Directory and Authorization Manager, you need at least two users: one as a requestor, and one as an approver. You can select two of the accounts that you created in the HR-Driven Provisioning solution. You must also create a Contractor Request Approver role, and a group to manage users who are granted that role. Also, you need a service account to run the application.
Select two accounts and set their passwords
To configure the required Active Directory accounts
To configure database permissions for the SSProvSvcAcct service account
To configure other required permissions for the SSProvSvcAcct service account
Note These permissions are required to work around a known issue. For more information, see the Message Queuing Frequently Asked Questions paper.
To configure Authorization Manager
You must now install and compile the required source code and configure the Web application. You should also create two shortcuts to simplify the process of running the Request and Approve operations within the security contexts of your two chosen users.
To compile and configure the Self-Service Provisioning Web application
To create two shortcuts
You can export an MA's configuration to an .xml file and then import it by using Identity Manager, the administration program for MIIS 2003 with SP1. The import process validates and verifies the configuration: for example, the user account and password of any call-based management agent are checked, as is other configuration information such as the schema and directory-specific partitions. You are also required to step through and confirm each page of the configuration wizard, and you might have to change the connection and partition information if the connected directory structure differs from the one specified in the file. Perform the steps in this task to create the Self-Service Provisioning MA that will import the new contractor objects the Web application presents.
To create the Self-Service Provisioning MA
You should not have to change any settings, except perhaps connection details if your environment varies from the one described.
This chapter describes how to validate the implemented scenario solutions from the previous chapter. It also provides some steps on how to troubleshoot common implementation challenges. It does not provide comprehensive guidance on how to test the end-to-end user or administrator experiences.
When you have completed the HR-Driven Provisioning solution implementation according to the guidance in Chapter 5, "Implementing the Solution," you are ready to validate it to ensure that it meets the specified requirements.
To validate the base environment, perform baseline tests 1 through 5 in Chapter 6, "Testing the Solution," in the Identity Aggregation and Synchronization paper in this series. Also perform tests 1 through 4 in the "Validating Aggregation and Synchronization" section of the same paper, then complete the following baseline tests. The management agent (MA) solutions should compile and create assemblies in the Microsoft Identity Integration Server\Extensions folder with no errors.
Baseline Test 1: Verify rules extension assembly creation
Baseline Test 2: Verify that the MAs exist in Identity Manager
Baseline Test 3: Verify that the message queues are properly configured
Baseline Test 4: Verify accounts across all data sources
It is important to perform the following tests so that you can validate that the solution is functioning correctly. Subsequent sections in this chapter address these tests in detail:
Complete the procedures in this section to verify that new users created in the mySAP ERP Human Capital Management system (SAP HR system) are correctly provisioned into the appropriate connected data sources according to Contoso's business rules.
Use the demonstration .csv files to simulate data export from the SAP HR system.
To simulate adding new users to the SAP HR system
This profile uses the demo1.csv file.
To preview provisioning
Table 6.1. New Users in Demo1.csv
Name | Company | Department | Status | Expected result |
Oliver Cox | Contoso | Operations | 3 (active) | - An intranet Active Directory® mailbox was enabled for this user. - A Lotus Notes Contact was created. |
Phil Gibbins | Fabrikam | Customer Service | 3 (active) | - An intranet Active Directory mailbox was enabled for this user. - A Lotus Notes mailbox was created. - A Sun ONE Directory Server 5.1 account was created. |
Justin Thorp | Contoso | Sales | 3 (active) | - An intranet Active Directory mailbox was enabled for this user. - A Lotus Notes mailbox was created. - An extranet shadow account was created. |
Alex Roland | Contoso | Operations | 3 (active) | - An intranet Active Directory mailbox was enabled for this user. - A Lotus Notes Contact was created. |
To complete provisioning
To verify that all accounts were provisioned in accordance with Table 6.1
To verify that the accounts are properly formed and that notifications were sent
Complete the procedures in this section to verify that, if the HR status of a user changes to leave or retired, or if an Active Directory account is disabled, the corresponding accounts in the other data sources change status accordingly.
Use the demonstration .csv files to simulate the data export from the SAP HR system.
To simulate a status change for users in the SAP HR system
Note that some users have been modified.
This profile uses the demo2.csv file.
To preview status changes
Table 6.2. Modified Users in Demo2.csv
Name | Company | Department | Status | Expected result |
Oliver Cox | Contoso | Operations | 1 (leave) | - The intranet Active Directory account was disabled (the ACCOUNTDISABLE bit, value 0x2, of the userAccountControl attribute was set). |
Phil Gibbins | Fabrikam | Customer Service | 2 (retired) | - The intranet Active Directory account was disabled. - An expiration date was set. |
To complete the changes
To verify that all accounts were modified in accordance with Table 6.2
To verify that Active Directory can override the SAP HR system
If you have a large number of objects, you can use a suitable clause or sort order to help you find the right one.
To verify that Active Directory can cede authority to the SAP HR system again
This profile uses the demo3.csv file, which contains a record showing that Justin Thorp is on leave, as the following table indicates.
Table 6.3. Modified User in Demo3.csv
Name | Company | Department | Status | Expected result |
Justin Thorp | Contoso | Sales | 1 (leave) | - The intranet Active Directory account was disabled. - The extranet Active Directory account was disabled. |
After you complete the provisioning, status change, and deprovisioning tests, you are ready to implement a regular run cycle. The following table details the activity cycle.
Table 6.4. Regular Provisioning Activity Cycle
MA | Run type | What should happen |
SAP HR | Delta Import and Delta Synchronization | - All new accounts are provisioned into the connector spaces for the other MAs according to the business rules. - All updates are synchronized with the connector spaces for the other MAs. |
Intranet Active Directory | Export, Delta Import, and Delta Synchronization | - New accounts are provisioned into Active Directory and re-imported to confirm export. - Any changes from Active Directory are imported and synchronized with the connector spaces for other MAs. |
Extranet Active Directory | Export, Delta Import, and Delta Synchronization | - New Sales accounts are provisioned into Active Directory and re-imported to confirm export. |
Lotus Notes | Export, Delta Import, and Delta Synchronization | - New accounts are provisioned into Lotus Notes and re-imported to confirm export. |
Sun ONE Directory | Export, Delta Import, and Delta Synchronization | - New Fabrikam accounts are provisioned into the Sun ONE Directory Server and re-imported to confirm export. |
You can use the demo4.csv SAP transfer file to provide some new and modified identity information for this test. Use this test to further check the correct application of the rules.
Note When you export to the intranet Active Directory, the confirming delta import might occur before the Exchange Recipient Update Service (RUS) has had a chance to populate the mail attribute of any new accounts with an e-mail address. Thus, it will not be until a later run cycle that the delta import detects the changes and synchronizes to propagate them. If you are testing you can simply run the Export run profile again.
To perform the regular run cycle
Table 6.5. New and Modified Users in Demo4.csv (All Active)
Name | Company | Department | Delta type | Expected result |
Alex Roland | Contoso | Sales | Modify | - The department changed to Sales. - The extranet shadow account was created. |
Phil Gibbins | Fabrikam | Customer Service | Modify | - Attributes flowed to other accounts. |
Maurice Taylor | Contoso | Operations | Add | - The intranet Active Directory mailbox was enabled for this user. - A Lotus Notes Contact was created. |
Justin Thorp | Contoso | Operations | Modify | - The extranet shadow account was deleted. - The intranet Active Directory account was re-enabled. |
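The rules these tables exercise can be checked outside MIIS. The following Python model is an added example, not the paper's rules extension or any MIIS 2003 code: it derives the desired state of each connected directory from an SAP HR record (company, department, status, plus a flag for an administrator disabling the intranet account directly), diffs that against the directory's current state to produce adds, updates and deletes, and walks Justin Thorp through demo1, demo3 and demo4 as Tables 6.1, 6.3 and 6.5 describe. The directory keys, field names, the accountExpires flag and the sample records are assumptions; the Lotus Notes mailbox/contact split, the Sun ONE rule and the Sales-only extranet rule follow Tables 5.21 and 5.22.

```python
"""Model of the HR-driven provisioning rules used in this paper's tests.

Added example, not code from MIIS 2003 or from the paper's rules extension.
It computes the state each connected directory should be in for one SAP HR
record, then diffs that against the directory's current state, which is what
the synchronization engine does when it provisions, disables and deprovisions
accounts. Directory keys, field names and sample records are assumptions.
"""
from dataclasses import dataclass

# Status codes as used in the demo .csv files (Tables 6.1 to 6.3)
STATUS_LEAVE, STATUS_RETIRED, STATUS_ACTIVE = "1", "2", "3"
# userAccountControl flags: normal user account, and the disable bit (0x2)
ADS_UF_NORMAL_ACCOUNT = 0x200
ADS_UF_ACCOUNTDISABLE = 0x2


@dataclass(frozen=True)
class HRRecord:
    employee_id: str
    company: str
    department: str
    status: str
    ad_disabled: bool = False  # an administrator disabled the intranet AD account directly


def desired_state(rec):
    """Return {directory: attributes} describing the accounts this record should have.

    A directory missing from the result must hold no account for the employee.
    """
    # Disabled if HR says not active, or if Active Directory overrides HR.
    disabled = rec.status != STATUS_ACTIVE or rec.ad_disabled
    uac = ADS_UF_NORMAL_ACCOUNT | (ADS_UF_ACCOUNTDISABLE if disabled else 0)
    state = {
        "intranet_ad": {
            "employeeID": rec.employee_id,
            "userAccountControl": uac,
            "accountExpires_set": rec.status == STATUS_RETIRED,  # retired: expiry date set
        },
        "lotus_notes": {
            "employeeID": rec.employee_id,
            # Table 5.21: mailboxes for Fabrikam employees, contacts for Contoso employees
            "type": "mailbox" if rec.company == "Fabrikam" else "contact",
        },
    }
    if rec.company == "Fabrikam":          # Sun ONE: Fabrikam employees only
        state["sun_one"] = {"employeeID": rec.employee_id}
    if rec.department == "Sales":          # extranet shadow account: Sales only
        state["extranet_ad"] = {"employeeID": rec.employee_id, "userAccountControl": uac}
    return state


def plan_changes(current, desired):
    """Diff two states into (directory, action, detail) tuples: add, update or delete."""
    actions = []
    for directory in sorted(set(current) | set(desired)):
        if directory not in current:
            actions.append((directory, "add", dict(desired[directory])))
        elif directory not in desired:
            actions.append((directory, "delete", None))  # e.g. shadow account on leaving Sales
        else:
            changed = {k: v for k, v in desired[directory].items()
                       if current[directory].get(k) != v}
            if changed:
                actions.append((directory, "update", changed))
    return actions


def apply_changes(current, actions):
    """Return the state that results from applying the planned actions."""
    new = {d: dict(attrs) for d, attrs in current.items()}
    for directory, action, detail in actions:
        if action == "add":
            new[directory] = dict(detail)
        elif action == "delete":
            del new[directory]
        else:
            new[directory].update(detail)
    return new


def simulate(records):
    """Feed successive HR records for one employee through the rules.

    Returns (final_state, log); log[i] lists the (directory, action) pairs that
    record i produced, so each run cycle's effect can be checked step by step.
    """
    state, log = {}, []
    for rec in records:
        actions = plan_changes(state, desired_state(rec))
        log.append([(d, a) for d, a, _ in actions])
        state = apply_changes(state, actions)
    return state, log


# Constructed sample: Justin Thorp across demo1 (active, Sales), demo3 (on leave)
# and demo4 (active again, moved to Operations), as in Tables 6.1, 6.3 and 6.5.
JUSTIN_THORP = [
    HRRecord("1003", "Contoso", "Sales", STATUS_ACTIVE),
    HRRecord("1003", "Contoso", "Sales", STATUS_LEAVE),
    HRRecord("1003", "Contoso", "Operations", STATUS_ACTIVE),
]

if __name__ == "__main__":
    final, log = simulate(JUSTIN_THORP)
    for step, actions in enumerate(log, 1):
        print(f"demo step {step}: {actions}")
    print("final:", final)
```

Running it prints three adds for the first record, two updates (intranet and extranet accounts disabled) when the employee goes on leave, and then the extranet shadow account deletion plus the intranet re-enable when the department changes back to Operations. The same diff is what identifies the "missing" objects of Table 5.21: entries present in the desired state but absent from a connector space.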
After the Group Management solution implementation is complete, you are ready to validate your implementation to ensure that it meets the specified requirements.
Ensure that you have completed the previous tests to validate the HR-Driven Provisioning solution.
The following tests are important for this scenario because they validate key requirements and functionality.
After completing the Group Management solution implementation as described in Chapter 5, "Implementing the Solution," verify that you have performed the following tasks:
In addition to these tasks, perform the following test:
To verify whether the group management database is configured
Use the following tests to validate the application:
Test 1: Verifying Manual Group Additions
Complete the steps in this section to verify that you can add manual groups through the Group Management Web application. Add some groups and then manually import, synchronize, and export them. Note that the database installs with a few sample groups. Examine them and ascertain whether they are useful. This test is described as though the sample groups do not exist.
To add groups
Table 6.6. Manual Groups
Group name | Description | Group type | Mail settings | Clause |
Marketing | Marketing department | Sec Group – Global | Mail-enabled with default alias | department = 'marketing' |
Cambridge | Location is Cambridge | Sec Group – DomLocal | Mail-enabled with custom alias "Camb" | l = 'Cambridge' |
EngineerDist | All Engineers | Dist Group – Univ | Mail-enabled with default alias | title like '%engineer%' |
To run the Group Populator
To perform the initial import
Note Ordinarily you would use a Delta Import. Use the full import the first time.
To preview synchronization
To project and provision groups
To export the new groups
Table 6.7. MA Operations
Name | Profile | Step | Statistics |
Group Management | Full Import (Stage Only) | 1 | Staging: Adds 4 groups + U (where U is the total number of users involved in the groups). Updates to existing groups might also appear. |
Group Management | Full Synchronization | 1 | Inbound synchronization: Projections 4; Joins U; Connectors with Flow Updates 4 + U. Outbound synchronization (Lotus Notes): Export Attribute Flow 4; Provisioning Adds 4. Outbound synchronization (Intranet Active Directory): Export Attribute Flow 4; Provisioning Adds 4. |
Intranet Active Directory | Export | 1 | Adds 4 |
Intranet Active Directory | Export (confirming import) | 2 | Staging: Adds 4 |
Lotus Notes | Export | 1 | Adds 4 |
Lotus Notes | Export (confirming import) | 2 | Staging: Adds 4 |
To clear the Delta table (so that the next run only includes new "deltas")
Test 2: Verifying Attribute Group Additions
Complete the steps in this section to verify that you can add attribute-based groups through the Group Management Web application. Again, some sample attribute groups are provided. You can either remove or include them. (If you choose to include them, the statistics in the following table will be different.)
To add a group for each location
To generate the attribute groups, and populate and provision groups
To verify attribute groups
Table 6.8. MA Operations
Name | Profile | Step | Statistics |
Group Management | Delta Import (Stage Only) – Delta Synchronization | 1 | Staging: Adds L + U (where L is the number of locations, and therefore the number of new groups, and U is the number of additional users, which could be zero). Updates might also appear. |
Group Management | Delta Import (Stage Only) – Delta Synchronization | 2 | Inbound synchronization: Projections L; Joins U; Connectors with Flow Updates and Connectors without Flow Updates together add up to L + U. Outbound synchronization (Lotus Notes): Export Attribute Flow L; Provisioning Adds L. Outbound synchronization (Intranet Active Directory): Export Attribute Flow L; Provisioning Adds L. |
Intranet Active Directory | Export | 1 | Adds L |
Intranet Active Directory | Export (confirming import) | 2 | Staging: Adds L |
Lotus Notes | Export | 1 | Adds L |
Lotus Notes | Export (confirming import) | 2 | Staging: Adds L |
To confirm group creation
Test 3: Verifying the Managing Exceptions Feature
Complete the procedures in this section to verify that you can create exceptions to the rules for manual groups through the Group Management Web application.
To add an inclusion and an exclusion
To verify inclusion and exclusion
Test 4: Verifying Reference Attribute Group Additions
Complete the steps in this section to verify that you can add reference attribute-based groups through the Group Management Web application.
To add a group for each manager (populated with their reports)
To generate the attribute groups, and populate and provision groups
To verify attribute groups
Table 6.9. MA Operations
Name | Profile | Step | Statistics |
Group Management | Delta Import (Stage Only) – Delta Synchronization | 1 | Staging: Adds M + U (where M is the number of managers, and therefore the number of new groups, and U is the number of additional users involved, which might be zero because the location groups will probably have included everybody). Updates might also appear. |
Group Management | Delta Import (Stage Only) – Delta Synchronization | 2 | Inbound synchronization: Projections M; Joins U; Connectors with Flow Updates M + U. Outbound synchronization (Lotus Notes): Export Attribute Flow M; Provisioning Adds M. Outbound synchronization (Intranet Active Directory): Export Attribute Flow M; Provisioning Adds M. |
Intranet Active Directory | Export | 1 | Adds M |
Intranet Active Directory | Export (confirming import) | 2 | Staging: Adds M |
Lotus Notes | Export | 1 | Adds M |
Lotus Notes | Export (confirming import) | 2 | Staging: Adds M |
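The membership logic behind Tables 6.6 through 6.9 can be illustrated in a small program. The following Python is an added example, not the Group Populator or the Group Management Web application: it parses the SQL-style clauses of Table 6.6 (equality and LIKE), applies the inclusion and exclusion exceptions of Test 3, and generates the per-location groups of Test 2 and the per-manager groups of Test 4 from constructed identity data. The attribute names, the case-insensitive comparison, the deliberately narrow clause grammar and the sample users are assumptions; the real program evaluates its clauses inside the miisGroupManagement database.

```python
"""Toy re-implementation of the membership rules the Group Populator applies.

Added example, not the paper's Group Populator or Group Management code.
It parses the SQL-style clauses of Table 6.6, applies inclusion and
exclusion exceptions, and builds per-location and per-manager groups.
Attribute names, the case-insensitive comparison and the sample users are
assumptions; the real program evaluates clauses in the miisGroupManagement
database.
"""
import re

# Constructed sample identity data (attribute names follow Active Directory).
USERS = [
    {"sAMAccountName": "ocox", "department": "Operations", "l": "Cambridge",
     "title": "Operations Engineer", "manager": "mtaylor"},
    {"sAMAccountName": "pgibbins", "department": "Customer Service", "l": "Reading",
     "title": "Support Analyst", "manager": "mtaylor"},
    {"sAMAccountName": "jthorp", "department": "Sales", "l": "Cambridge",
     "title": "Sales Executive", "manager": "aroland"},
    {"sAMAccountName": "aroland", "department": "Marketing", "l": "Cambridge",
     "title": "Marketing Manager", "manager": ""},
    {"sAMAccountName": "mtaylor", "department": "Marketing", "l": "Reading",
     "title": "Chief Engineer", "manager": "aroland"},
]

# Accepted clause grammar: <attribute> = '<literal>'  or  <attribute> like '<pattern>'.
# Anything else (extra operators, OR, subqueries) is rejected rather than passed on.
CLAUSE_RE = re.compile(r"^\s*(\w+)\s*(=|like)\s*'([^']*)'\s*$", re.IGNORECASE)


def parse_clause(clause):
    """Return (attribute, operator, literal) or raise ValueError for unsupported syntax."""
    match = CLAUSE_RE.match(clause)
    if not match:
        raise ValueError(f"unsupported clause: {clause!r}")
    attribute, operator, literal = match.groups()
    return attribute, operator.lower(), literal


def sql_like(value, pattern):
    """SQL LIKE semantics: % matches any run of characters, _ exactly one; case-insensitive."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate_clause(clause, user):
    """True if the user's attribute satisfies the clause."""
    attribute, operator, literal = parse_clause(clause)
    value = user.get(attribute) or ""
    if operator == "=":
        return value.lower() == literal.lower()  # case-insensitive, like the default SQL collation
    return sql_like(value, literal)


def manual_group(users, clause, include=(), exclude=()):
    """Manual group (Table 6.6): clause matches, plus inclusions, minus exclusions (Test 3)."""
    members = {u["sAMAccountName"] for u in users if evaluate_clause(clause, u)}
    members |= set(include)
    members -= set(exclude)
    return sorted(members)


def attribute_groups(users, attribute):
    """One group per distinct attribute value, such as one group per location (Test 2)."""
    groups = {}
    for u in users:
        value = u.get(attribute)
        if value:
            groups.setdefault(value, set()).add(u["sAMAccountName"])
    return {name: sorted(members) for name, members in groups.items()}


def reference_attribute_groups(users, reference="manager"):
    """One group per referenced user, populated with the users that reference it (Test 4).

    A group is created only when the reference resolves to a known user, so a
    dangling manager value does not produce a group with no owner.
    """
    known = {u["sAMAccountName"] for u in users}
    groups = {}
    for u in users:
        target = u.get(reference)
        if target in known:
            groups.setdefault(target, set()).add(u["sAMAccountName"])
    return {name: sorted(members) for name, members in groups.items()}


if __name__ == "__main__":
    for name, clause in [("Marketing", "department = 'marketing'"),
                         ("Cambridge", "l = 'Cambridge'"),
                         ("EngineerDist", "title like '%engineer%'")]:
        print(name, manual_group(USERS, clause))
    print("locations:", attribute_groups(USERS, "l"))
    print("managers:", reference_attribute_groups(USERS))
```

Restricting the clause grammar is deliberate: the clause is typed into the Web UI, stored in the database and evaluated later against the directory, so it must not be accepted as arbitrary SQL. That is the same reason the chapter recommends a stronger security model than plain data-reader and data-writer access before the solution goes live.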
Test 5: Verifying Synchronization of Manual Changes
Changes will occur as a result of data changes and as a result of edits you make in the group management user interface (UI).
To make a manual change
To verify a manual change
Test 6: Verifying Synchronization of Identity Data Changes
Changes will occur due to data changes and edits that you make in the group management UI. Before this test will work with the suggested data, you must successfully complete the tests for the HR-Driven Provisioning system.
To change the identity data
To verify the change
Test 7: Verifying Group Removal
This test verifies that if a group is removed through the UI, it is also removed from Active Directory.
To remove a group
To verify the removal
Test 8: Verifying Notifications
Ensure that notifications have been sent in the following circumstances:
Because these events happened during earlier tests, you can read the e-mail of the affected individuals to verify that the Notification Service is running. Because users have been given pseudo-random passwords, you must set known passwords for anyone whose e-mail you want to read.
To reset an affected user's password
To check the e-mail of the two individuals
After you have completed the Self-Service Provisioning solution implementation, you are ready to validate it to ensure that it meets the specified requirements.
Ensure that you have completed the previous tests for the HR-Driven Provisioning solution to meet the prerequisites for this solution.
In this scenario, the following tests validate key requirements and functionality.
After you have implemented the Self-Service Provisioning solution as described in Chapter 5, "Implementing the Solution," verify that you have performed the following tasks:
In addition to these tasks, perform the following tests:
To verify whether the MIISWorkflow database is configured
To verify the Metaverse Object Deletion rule for the person object type
Perform the following tests to validate the Web application:
It will be much easier to perform these tests if you have created the two shortcuts as described in Chapter 5, "Implementing the Solution."
Test 1: Verifying New Request Additions
Complete the following procedure to verify that you can add new requests.
To add a request
To verify that the request has been added
Test 2: Verifying Request Approvals
Complete the following procedure to verify that you can approve a request.
To approve a request
To verify the approval
Test 3: Verifying Request Denials
Complete the following procedure to verify that you can deny a request.
To add a request
To deny a request
To verify a denial
Test 4: Verifying Request Terminations
Complete the procedures in this section to verify that you can terminate a request.
To terminate a contractor
To verify a termination
Test 5: Verifying Active Contractor Terminations
Complete the procedures in this section to verify that you can rapidly terminate a contractor.
To terminate an active contractor
To verify an active contractor termination
Test 6: Verifying Notifications
Complete the following procedure to verify that notifications are taking place.
To verify notifications
This section provides information about some common errors that you might encounter when you test these solutions and how you can most likely resolve them. However, the information in the following table is not an exhaustive list of errors and troubleshooting procedures.
For more information, read the troubleshooting suggestions in Chapter 6 of the Identity Aggregation and Synchronization paper in this series, which also apply to this paper.
Table 6.10. Troubleshooting HR-Driven Provisioning
Error | Troubleshooting procedure |
The DN already exists during synchronization. | - Rebuild the MIIS 2003 extension solutions. - Remove users from the directory that generated the errors, delete the data in the connector space for that directory, and run a full synchronization of the SAP HR MA. |
Other provisioning errors. | - Rebuild the MIIS 2003 extension solutions. |
Export errors | - Check the MA configuration. - Check the MA connection account permissions. |
Account provisioning notification failure. | Verify that the AccountProvisioning message queue is present and is of the transactional type. |
Permission denied export run error in one of the Active Directory management agents. | Verify that the account used to connect to the Active Directory in question has the rights the MA needs. The environment in this paper uses a member of that domain's Domain Admins group; a least-privilege alternative is an account that holds the Replicating Directory Changes right on the domain (required for delta imports) and has write permission on the OUs the MA provisions into. Verify that the account has been correctly entered in the User name field on the Connect to Active Directory Forest page of the Management Agent Properties, and re-enter the password in the Password field. |
Table 6.11. Troubleshooting Self-Service Provisioning
Error | Troubleshooting procedure |
Notification failure | Verify that the SelfServiceProvisioning message queue is of the transactional type. Check the SelfServiceProvisioning queue properties and verify that SSProvSvcAcct has full permissions. |
After you implement and verify any of the elements of this solution, you should consider a number of ongoing operational activities to ensure that it will continue to operate successfully for you.
Previous chapters in papers of the Identity and Access Management series provide a broad discussion of the management tasks associated with the long-term operation of the infrastructure components for this solution. These chapters include:
This chapter examines operational considerations for the specific elements of these solutions.
The following considerations apply to the three solutions presented in this paper.
This solution is complex, with many different components. Because these components have dependencies on each other, a change in one component might require changes in other components.
Contoso Pharmaceuticals chose to utilize its existing implementation of Microsoft Visual SourceSafe® as a version control management system for the different solution components. The following table shows which components to maintain under version control, and (where appropriate) how you can extract the information from MIIS 2003.
Table 7.1. Files To Maintain Under Version Control
Solution | Component | Format | Extraction method |
HR Driven Provisioning | Management agent (MA) definitions | Extensible Markup Language (XML) file | MIIS 2003 Identity Manager, Management Agents, Export MA |
HR Driven Provisioning | Metaverse schema | XML file | MIIS 2003 Identity Manager, Metaverse Designer, Actions, Export Metaverse Schema |
HR Driven Provisioning | MIIS Server Export files | XML files | Server Export on the File menu in Identity Manager |
HR Driven Provisioning | Rules extension projects | Source code files | |
HR Driven Provisioning | XML configuration files | XML file | Found in Extensions folder |
HR Driven Provisioning | Scripts | Source code files | |
HR Driven Provisioning | Documentation | Microsoft Word documents | |
Group Management | MA definition | XML file | MIIS 2003 Identity Manager, MAs, Export MA |
Group Management | Group Management Projects | Source code files | |
Self Service Provisioning | MA definition | XML file | MIIS 2003 Identity Manager, MAs, Export MA |
Self Service Provisioning | Self-Service Provisioning projects | Source code files |
You must also consider how you manage your SAP .csv files. In the event of a problem you might want to re-import all the changes of the last few days, so you might want to keep the .csv files under some form of version control as well. However, it is usually much easier to perform a full import of the SAP data after a suspected problem so that any missing changes are picked up. In fact, unless it takes too long, it is normal to perform a full import from time to time to ensure that nothing has been missed.
Contoso uses Microsoft Windows Server Update Services (WSUS), which is available as a free download. WSUS uses the Automatic Updates Service in Microsoft Windows Server™ 2003 and Microsoft Windows® XP Professional to ensure that all servers and clients in the solution environment have the latest security and software updates installed.
For more information about WSUS, see Windows Server Update Services.
For more information about patch management, see the Security Guidance for Patch Management Web page on Microsoft TechNet.
You should also consider an appropriate backup and recovery strategy for these systems. For more information about backup and recovery services, see the Introduction to Backup and Recovery Services Web page of the Windows Server System Reference Architecture Guide.
MIIS 2003 stores data, configuration, and the contents of the extensions folder (including rules extension dynamic-link libraries) in its Microsoft SQL Server database. Group and contractor data is stored in two other databases. All three of these must be included in your backup procedure.
For more information about backup and recovery specific to MIIS 2003, see the Maintaining the MIIS 2003 Database Web page.
Source Code
As part of the company's general disaster recovery strategy, Contoso chose to add the solution source code to the resources it backs up offsite. The company does this in addition to using Visual SourceSafe for version control.
Additional Files
As described previously, although the MIIS 2003 configuration is stored in its SQL Server database, you also can export it to XML files. For additional safety these XML files are stored at an off-site location and in Visual SourceSafe.
Encryption Keys
MIIS 2003 encrypts the passwords it stores (such as MA connection credentials) with encryption keys generated during installation. If you rebuild the MIIS 2003 server, the setup program asks for those keys. For this solution, the MIIS 2003 encryption key utility (miiskmu.exe) was used immediately after installation to back up the keys for storage at an off-site location, and it was used from time to time to generate new keys, with the option to replace the old ones. Treat the key backup with the same care as the database backup: without the keys, a restored database cannot decrypt the credentials it holds.
Total Metadirectory Data Loss
In the unlikely event that you experience a total loss of all MIIS 2003 data and backups for it, use the following procedure to rebuild the metadirectory. The reason this works is that employeeID has been flowed to each directory, and a join rule has been put in place to make use of this attribute. This process is generally known as "bread-crumbing."
Note Very little should happen, unless many changes have occurred since the data failure. However, it will take some time for this "check" process to complete.
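The bread-crumbing procedure amounts to a join over the employeeID values left in each directory. The following Python function is an added example, not MIIS 2003 code: given the records from SAP HR and from each connected directory, it projects one metaverse object per HR record, joins every other directory's objects to it on employeeID, and reports the cases a join rule cannot resolve on its own (objects with no employeeID, several objects in one directory claiming the same employeeID, and accounts whose employee no longer exists in HR). The directory names, the record layout and the sample records are constructed for the example.

```python
"""Rebuilding a metadirectory from the "bread crumbs" left in each directory.

Added example, not MIIS 2003 code. Every provisioned account carries the
employeeID flowed from SAP HR, so after a total loss of the metaverse the
objects can be re-projected from HR and the other directories re-joined on
that attribute instead of being provisioned again. Directory names, record
layout and the sample records below are assumptions made for the example.
"""

AUTHORITATIVE = "sap_hr"  # the MA whose objects are projected into the metaverse


def rebuild_metaverse(directories, key="employeeID"):
    """directories: {ma_name: [record, ...]}, each record a dict of attributes.

    Returns (metaverse, problems). metaverse maps employeeID to
    {"attributes": HR attributes, "connectors": {ma_name: joined record}};
    problems lists (ma_name, identifier, reason) for anything a join rule
    cannot decide on its own and an administrator must look at.
    """
    metaverse, problems = {}, []

    # 1. Projection: one metaverse object per SAP HR record.
    for rec in directories.get(AUTHORITATIVE, []):
        emp = rec.get(key)
        if not emp:
            problems.append((AUTHORITATIVE, rec.get("name", "?"), f"no {key}"))
        elif emp in metaverse:
            problems.append((AUTHORITATIVE, emp, f"duplicate {key} in HR"))
        else:
            metaverse[emp] = {"attributes": dict(rec), "connectors": {AUTHORITATIVE: rec}}

    # 2. Join: every other directory joins on employeeID. Ambiguity is reported,
    #    never guessed, because a wrong join would flow one person's data to another.
    for ma, records in directories.items():
        if ma == AUTHORITATIVE:
            continue
        by_key = {}
        for rec in records:
            emp = rec.get(key)
            if not emp:
                problems.append((ma, rec.get("name", "?"), f"no {key} (disconnector)"))
            else:
                by_key.setdefault(emp, []).append(rec)
        for emp, candidates in by_key.items():
            if len(candidates) > 1:
                problems.append((ma, emp, f"ambiguous join: {len(candidates)} candidates"))
            elif emp not in metaverse:
                problems.append((ma, emp, "no HR object to join (orphan account)"))
            else:
                metaverse[emp]["connectors"][ma] = candidates[0]
    return metaverse, problems


def missing_connectors(metaverse, required):
    """employeeID -> required MAs with no joined connector.

    These are the objects the next synchronization would provision, so after a
    faithful rebuild the result should be short.
    """
    result = {}
    for emp, obj in sorted(metaverse.items()):
        missing = sorted(required - set(obj["connectors"]))
        if missing:
            result[emp] = missing
    return result


# Constructed sample: HR is intact and each directory still carries its employeeID crumbs.
DIRECTORIES = {
    "sap_hr": [
        {"employeeID": "1001", "name": "Oliver Cox", "company": "Contoso"},
        {"employeeID": "1002", "name": "Phil Gibbins", "company": "Fabrikam"},
        {"employeeID": "1003", "name": "Justin Thorp", "company": "Contoso"},
    ],
    "intranet_ad": [
        {"employeeID": "1001", "name": "ocox"},
        {"employeeID": "1002", "name": "pgibbins"},
        {"employeeID": "1003", "name": "jthorp"},
        {"employeeID": "", "name": "svc_backup"},         # never provisioned from HR
        {"employeeID": "1099", "name": "oldcontractor"},  # HR no longer knows this person
    ],
    "lotus_notes": [
        {"employeeID": "1001", "name": "Oliver Cox/Contoso"},
        {"employeeID": "1002", "name": "Phil Gibbins/Fabrikam"},
        {"employeeID": "1002", "name": "Phil Gibbins2/Fabrikam"},  # duplicate from manual admin
    ],
    "sun_one": [{"employeeID": "1002", "name": "uid=pgibbins"}],
}

if __name__ == "__main__":
    mv, problems = rebuild_metaverse(DIRECTORIES)
    for emp, obj in sorted(mv.items()):
        print(emp, sorted(obj["connectors"]))
    for problem in problems:
        print("needs attention:", problem)
    print("to provision:", missing_connectors(mv, {"intranet_ad", "lotus_notes"}))
```

The problems list is the part worth reading before running the first synchronization after a rebuild: an orphan account is a candidate for deprovisioning, a duplicate is a candidate for a wrong join, and a connector without an employeeID will never be managed by the rules at all. The missing_connectors result is what the confirming synchronization would provision, which is why that run should change very little.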
This section provides information about operating and monitoring MIIS 2003.
After completing the tests in Chapter 6, "Testing the Solution," you are ready to set up the regular activity cycle. You must run MIIS 2003 MAs in the correct cycle to ensure that changes from the SAP HR system propagate to other systems in a timely manner. The MARuns.cmd file (in the Operations folder of the Tools and Templates folder) must be consistent with the information in the following table.
Table 7.2. Regular Cycle of Provisioning Runs
MA | Run profile | What should happen |
SAP HR | Regular Import | All new accounts are provisioned into connector spaces for other management agents according to the business rules. All updates are synchronized with the other connector spaces for other MAs. |
Intranet Active Directory | Export | New accounts are provisioned into Active Directory and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other MAs. |
Extranet Active Directory | Export | New Sales accounts are provisioned into Active Directory and re-imported to confirm export. |
Lotus Notes | Export | New accounts are provisioned into Lotus Notes and re-imported to confirm export. |
Sun ONE Directory | Export | New Sales accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export. |
In addition, the Delta Import run profile for the SAP HR management agent must refer to the CSV file containing the latest data from the SAP HR system.
Note When you export to Intranet Active Directory, the confirming delta import might occur before the Exchange Recipient Update Service (RUS) has had a chance to populate the mail attribute with an e-mail address. Thus it will not be until some future cycle run that the delta import sees the changes and the delta synchronization propagates them. If you are testing you
It is important that you correctly monitor MIIS 2003 and resolve any errors in a timely manner.
You can install the MIIS 2003 MOM Management Pack to alert administrators of any warnings or errors. For more information about the management pack, see the Microsoft Download Center page for the Microsoft Identity Integration Server 2003 Management Pack for MOM 2000 SP1.
In the event of any errors, you should check two sources of information:
Clearing the Operations History
Left alone, the operations history will eventually become very large. If the database fills the physical disk space, it is very likely that data will be damaged. The run history is cleared as part of the overall Contoso backup process by using the Operations tool in Identity Manager.
Any extensions and run scripts should also include monitoring and event logging (either the system log or the MIIS Logging APIs) to provide detailed information about their status. The Notification Service is an excellent example.
NetPro Computing, Inc., a leading provider of distributed services management software, has designed MissionControl 2.0 for MIIS 2003 to meet the demands of enterprise customers.
The Active Directory management agent in MIIS 2003 with SP1 can connect to any domain controller in the specified domain. Alternatively, you can configure MIIS 2003 to communicate with a particular domain controller or set of domain controllers. Active Directory takes some time to replicate changes, and so changes synchronized by MIIS 2003 may not immediately be available. The MOM pack for Active Directory allows you to monitor domain controller replication times. Being aware of these times may help you avoid unnecessary attempts to learn more about apparent errors that are merely delays.
This section contains operational considerations that apply only to the Group Management solution. Backup of source code and data has already been covered earlier in this chapter.
You may configure MIIS 2003 with SP1 simply to run with a regular cycle of activity, picking up any recent changes in the Group Management system as it does. If so, you must include miisGroupManagement Sync.cmd as part of your regular cycle of runs, which the following table describes:
Table 7.3. Regular Cycle of Runs Including Group Management
MA or process | Run profile | Run type | What should happen |
SAP HR MA | Regular Import | Delta Import and Delta Synchronization | - All new accounts are provisioned into connector spaces for other management agents according to the business rules. - All updates are synchronized with the other connector spaces for other Management Agents. |
miisGroupManagement Sync.cmd | N/A | N/A | - SQL Server tables are populated with groups and their member lists based on group definitions and the latest metaverse data. |
Group Management MA | Regular Import | Delta Import and Delta Synchronization | - All new accounts are provisioned into connector spaces for the extranet Active Directory and Lotus Notes. - Existing group member lists are synchronized. |
Intranet Active Directory MA | Export | Export, Delta Import, Delta Synchronization | - New accounts (including groups) are provisioned into Active Directory and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other Management Agents. |
Extranet Active Directory MA | Export | Export and Delta Import | - New Sales accounts are provisioned into Active Directory and re-imported to confirm export. |
Lotus Notes MA | Export | Export and Delta Import | - New accounts (including groups) are provisioned into Lotus Notes and re-imported to confirm export. |
Sun ONE Directory MA | Export | Export and Delta Import | - New Sales accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other Management Agents. |
Note The miisGroupManagement Sync.cmd file includes export runs for the Lotus Notes and intranet Active Directory MAs, so these are being done twice. The impact on performance is close to negligible, but you could edit the file to remove these runs.
You must perform some timing tests with and without group population. The overall cycle must run in minutes, not hours. If group population turns out to be a significant factor, you should consider your priorities.
It might be acceptable to wait 24 hours for groups to populate but only minutes for someone to be deprovisioned. It is possible to run different cycles by day and by night to reflect such priorities.
Note The miisGroupManagement Sync.cmd file contains a line to run the Group Populator with a /r switch. This switch causes attribute groups to be regenerated. In a large system, it would be very time consuming to regenerate these each time. In such circumstances you may decide to create two different .cmd files: one with the /r switch to be run after changes have been made to attribute group definitions, and another without the switch to be run whenever other changes may have been made (perhaps as part of the regular cycle).
When the contractor was imported, run profiles should have been predefined. You should ensure that there is a correctly configured run profile that can be included in the regular run cycle, which is now as described in the following table.
Table 7.4. Regular Cycle of Runs Including Contractor Account Provisioning
MA or process | Run profile | Run type | What should happen |
SAP HR MA | Regular Import | Delta Import and Delta Synchronization | - All new accounts are provisioned into connector spaces for other Management Agents according to the business rules. - All updates are synchronized with the other connector spaces for other Management Agents. |
Self-Service Provisioning MA | Regular Import | Delta Import, Delta Synchronization, Export, Delta Import | - All new contractor accounts are provisioned into connector spaces for other Management Agents according to the business rules. - All updates are synchronized with the other connector spaces for other MAs. - A value is flowed back to the MIISworkflow database so that the user interface can show status as "Provisioned". |
Group Management Sync.cmd | N/A | N/A | - SQL Server tables are populated with groups and member lists based on group definitions and the latest metaverse data. |
Group Management MA | Regular Import | Delta Import and Delta Synchronization | - All new accounts are provisioned into connector spaces for the extranet Active Directory and Lotus Notes. - Existing group member lists are synchronized. |
Intranet Active Directory MA | Export | Export, Delta Import, and Delta Synchronization | - New accounts (including groups) are provisioned into Active Directory and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with the connector spaces for other Management Agents. |
Extranet Active Directory MA | Export | Export and Delta Import | - New Sales accounts are provisioned into Active Directory and re-imported to confirm export. |
Lotus Notes MA | Export | Export and Delta Import | - New accounts (including groups) are provisioned into Lotus Notes and re-imported to confirm export. |
Sun ONE Directory MA | Export | Export and Delta Import | - New Sales accounts are provisioned into Sun ONE Directory Server 5.1 and re-imported to confirm export. Any changes from Active Directory are imported and synchronized with connector spaces for other Management Agents. |
This appendix provides a brief guide for Self-Service Provisioning Web application users.
The Self-Service Provisioning Web application is a sample solution that provides a way to request and approve accounts. The application, which uses a Web-based interface, is not a complete solution, but serves as a starting point for you to build a custom application.
The Self-Service Provisioning Web application is designed to help simplify typical workflow requirements and serves as a framework for an approval-based provisioning tool to create and delete contractor accounts. You can extend and customize the application by using Microsoft® Visual C#® and Microsoft ASP.NET.
On the New Contractor Request page, anyone who manages one or more contractors can submit a request to provision a contractor. In the sample application, only the name, and the start and end dates are entered, but you can readily extend these requirements.
Figure A.1. The New Contractor Request page
After you submit a new contractor request, you will receive a message at the bottom of the page to confirm that the contractor has been added successfully to the application as indicated in the following figure.
Figure A.2. The confirmation message at the bottom of the New Contractor Request page
At this stage of the process, the application has added a row to the Contractors table, and has populated the columns for Department, Location, ManagerID, and Company according to who requested the account for the contractor. For example, the ManagerID is the EmployeeID of the requestor.
A user with the Approval role can access and use the Contractor Approval page.
Figure A.3. The Contractor Approval page displays pending requests
In this role, you can approve or deny pending requests, and then submit them. Denied submissions are flagged. Approved submissions also are flagged and appear in the Contractors_Delta table. An approved submission triggers Microsoft® Identity Integration Server (MIIS 2003) Service Pack 1 (SP1) to import data and provision it according to business rules (depending on the company and the requestor's department). MIIS 2003 indicates a successful provisioning with a confirmation message.
Figure A.4. A message appears after submitting either an approval or deny request
At any stage, you can check the status of requests.
Figure A.5. The Requested Contractor's Status page displays provisioning requests
You also can access the history of each contractor request from this page.
You can terminate a contractor at any stage in the process. If a request has not yet been provisioned, the application flags it as terminated. If the contractor has been provisioned, the application disables the corresponding account.
The following diagram and explanation provide a summary of the process.
Figure A.6. Process summary
The following provides a summary of the steps for the Self-Service Provisioning Web application process:
This appendix provides a brief guide for Group Management Web application users.
The Group Management Web application provides a sample solution that allows you to define groups based on user membership in the Microsoft® Identity Integration Server 2003 (MIIS 2003) Service Pack 1 (SP1) metaverse. The application stores its definitions in a Microsoft SQL Server database. A separate Group Populator program generates group and membership information that is also stored in the database.
MIIS 2003 then imports the data and provisions any newly defined groups into the Active Directory® directory service and Lotus Notes, and keeps group memberships updated as data and definitions change. You can extend MIIS 2003 to include other directories, or extend and customize the application by using Microsoft Visual Basic® .NET and Microsoft ASP.NET.
The Group Management Web Application Suite includes the following components.
The application itself is a collection of ASP.NET Web pages that you use to enter and maintain group definition data. The pages provided are described later in this appendix.
A number of tables are used to hold group definitions, user (group member) information, and the import data that MIIS 2003 requires.
Group Populator is a separate program that generates groups and their respective memberships. The program runs a provided batch file (which may require editing in certain situations). Note that this is not the same Group Populator program that is provided with MIIS 2003.
A management agent (MA) is provided so that MIIS 2003 can import data from the database. Code is provided for provisioning that has been built into the HR-Driven Provisioning solution code.
The Group Management Web application includes the following features.
The application allows you to create simple groups based on metaverse attributes that you manually enter as a query. For example, you might use a query clause like Title Contains 'Engineer.' The Group Populator program runs a query to return all the metaverse objects to satisfy the query, and then stores the membership information in the database. MIIS 2003 later imports this information for provisioning.
You can edit groups through the user interface (UI) and you can delete them. Data changes in the metaverse (new, deleted, or modified users that MIIS 2003 processes) require membership updates. Including Group Populator as part of the MIIS 2003 run cycle automatically incorporates all such changes.
You can also define "families" of groups based on attribute data. For example, you might want to create a group for each department in your company and base membership on the users in each one. You could call such groups something like "All people in Department <name>." When you run it, the Group Populator program reads the definition, generates one group for each department, and then populates the groups correctly. If a person has their department attribute set or changed to a value that does not exist, the program creates a new group. Also, if all members of a group are deleted, or moved to other departments (and their department attributes are updated accordingly), the group is deleted. After they are created, the attribute groups appear in the UI in much the same way that the simple groups do. You can only edit them in a limited way because they are designed to be automatically generated.
This type of group is a variant of the attribute group. For example, you might want to create a group for each manager that includes all users who report to that manager. This is slightly more complicated to define, but otherwise reference attribute groups behave like attribute groups.
It is possible to make individual inclusions and exclusions for any group. Because the intent of this application is to reduce administration, keep inclusions and exclusions to a minimum—an arbitrary limit of 10 for each group has been set. Of course you can change this by altering the code.
The Group Management Web application uses the Notification Service to send e-mails to users about membership changes.
When a user is removed from a group, an e-mail is sent to notify the user, but actual deprovisioning is delayed to give them a chance to complete any group business. The delay defaults to 0 days, but you can configure this value.
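The three group kinds described above (simple groups driven by a clause, attribute-based families, and reference-attribute families such as one group per manager) plus per-group inclusions and exclusions can be shown in a few functions. This is an added example, not the Group Populator's own code: the people are constructed metaverse objects, clauses are written as Python predicates rather than the SQL-style clauses the Web application stores, and the 10-exception limit is the figure the appendix gives. The function and field names are assumptions chosen to match the appendix's terminology.

```python
"""Generating simple, attribute and reference-attribute groups from metaverse data.

Added example, not part of the original guide or of the Group Populator
program. PEOPLE is constructed sample data; each record stands for one
metaverse person object with the attributes the appendix refers to.
"""
MAX_EXCEPTIONS = 10  # the appendix's arbitrary per-group limit on manual exceptions

PEOPLE = [
    {"employeeID": "1001", "displayName": "Ana Silva", "title": "Sales Engineer",
     "department": "Sales", "l": "Cambridge", "manager": "1003"},
    {"employeeID": "1002", "displayName": "Bo Chen", "title": "Software Engineer",
     "department": "Engineering", "l": "Palo Alto", "manager": "1003"},
    {"employeeID": "1003", "displayName": "Cy Dube", "title": "Director",
     "department": "Engineering", "l": "Palo Alto", "manager": None},
    {"employeeID": "1004", "displayName": "Di Evans", "title": "Marketing Lead",
     "department": "Marketing", "l": "Cambridge", "manager": "1003"},
]


def simple_group(people, clause, include=(), exclude=()):
    """A simple group: the clause selects members, then exceptions are applied.

    Returns (members, too_many_exceptions). The flag mirrors the UI warning
    that appears once a group carries more than MAX_EXCEPTIONS manual entries.
    """
    members = {p["employeeID"] for p in people if clause(p)}
    members |= set(include)
    members -= set(exclude)
    too_many = len(include) + len(exclude) > MAX_EXCEPTIONS
    return members, too_many


def attribute_groups(people, attribute, display_name):
    """A family of groups: one per distinct value of `attribute`.

    A value that nobody has produces no group, which is how a group
    disappears when its last member moves away; a new value produces a new group.
    """
    groups = {}
    for p in people:
        value = p.get(attribute)
        if not value:
            continue
        name = display_name.replace("{attribute}", value)
        groups.setdefault(name, set()).add(p["employeeID"])
    return groups


def reference_attribute_groups(people, link_attribute, link_attribute_key,
                               display_attribute, display_name):
    """A family of groups keyed on a reference attribute (e.g. manager).

    link_attribute on the member points at link_attribute_key of another
    person; the group's display name uses display_attribute of that
    pointed-at person. Dangling or empty references yield no membership.
    """
    by_key = {p[link_attribute_key]: p for p in people}
    groups = {}
    for p in people:
        target = by_key.get(p.get(link_attribute))
        if target is None:
            continue
        name = display_name.replace("{attribute}", target[display_attribute])
        groups.setdefault(name, set()).add(p["employeeID"])
    return groups


if __name__ == "__main__":
    print(simple_group(PEOPLE, lambda p: "engineer" in p["title"].lower()))
    print(attribute_groups(PEOPLE, "department", "All people in Department {attribute}"))
    print(reference_attribute_groups(PEOPLE, "manager", "employeeID", "displayName",
                                     "People managed by {attribute}"))
```

Running the populator functions over the whole metaverse on every cycle, as the appendix recommends, is what keeps memberships current: a person whose department changes leaves one generated group and joins (or creates) another without any manual edit.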
Access the default startup page at http://localhost/miisGroupManagement/default.asp.
Figure B.1. The default startup page for the Group Management Web application
To add a group, click Add Group and define the fields that the application displays according to the information in the following table.
Table B.1. Simple Group Definition Fields
Field | Purpose | Examples |
Group Name | A unique name that you provide. | Engineers; MarketingDist; PaloAlto |
Description | A description that you provide. | Title starts with Engineer; Everyone in the Marketing department; All users in Palo Alto. |
Group Type | The type of Active Directory group (MIIS 2003 selects the closest match in Lotus Notes). | Combinations of: Security or Distribution List; Universal, Global, or Domain Local |
Enabled | Whether the group is managed or not. | You can generate a group, then clear this field to pass control to Active Directory. |
| Whether the group is mail-enabled or not. | Disabled; Enabled with a default alias; Enabled with an alias you provide. |
Clause | The "Where" clause, based on metaverse attributes, that the application uses to generate memberships. | Title like "engineer%" (starts with Engineer); Title like "%engineer%" (contains Engineer); department = 'marketing'; l = 'Cambridge' |
To add a clause, on the startup page click Clause (…) to open the Specify Clause Criteria window.
Figure B.2. The Specify Clause Criteria window
You can build the clause by using the attribute and operator drop-down menus, the "and" and "or" options, and the Append and Replace buttons as seen in Figure B.2, or you can edit the clause directly.
Using an Existing Clause
You can also use an existing clause by selecting the Use clause from existing group check box. Enabling this option displays a list of the current groups from which you can then choose an existing clause.
If you share a clause between two groups, you can still have exceptions that are different for each group. For example, if you want to define two groups in which one contains all department employees and the other contains all department employees and the manager, you could define the first group, and then define the second group by choosing to share an existing clause. In this way you can include the manager as an exception to the second group.
As another example, if you want to have separate groups for security and distribution that include the same members, you can share the same clause between the groups. In this way, if you edit the clause for one group, it will modify the other one.
Click Preview to check the result of the query to ensure that it produces the results that you want. The group membership has not yet been built at this point, but you can see who will be included in it.
Figure B.3. A preview of group members resulting from a new query
On the Specify Clause Criteria window, click Update to accept your clause, or Cancel to cancel it.
Finally, you can specify exceptions to your clause. Click Exceptions (…), and then use the same query as before to either include or exclude individuals.
To define an exception, click either Add Exclusion or Delete Exclusion, and then enter a query by using the drop-down menus.
Figure B.4. The Exception Management window
Select an individual, and then click Add.
Note A warning message displays if you create more than 10 exclusions to discourage you from manual management. To the extent that you can, always use rules (clauses) to define group membership.
When you are finished, click Close and then click Update (at the end of the row) to complete defining your exceptions.
On the startup page, you can specify a search criterion to display groups of interest.
Figure B.5. The Group Management window
Now you can click Edit or Delete to manage your groups. The UI for editing is the same one that you use for adding groups, except that not everything can be edited.
Attribute groups are families of groups based on a metaverse attribute. To create an attribute group, first define your groups, and then run Group Populator to generate them.
From the startup page, click Define Attributes, click Add Definition, and define the fields according to the information in the following table (this example generates a group for each location), and then click Update to complete this process.
Table B.2. Attribute Group Definition Fields
Field | Purpose | Examples |
UniqueID | A unique ID that you provide. | Locations. |
displayName | To generate a displayName for each group that will involve the attribute that defines the group. | People at location {attribute}. |
defType | The attribute group type. | single for an attribute group (linked for a reference attribute group – see the next section of this appendix for more information). |
Group Type | The type of Active Directory group (MIIS 2003 selects the closest match in Lotus Notes). | Combinations of: Security or Distribution List; Universal, Global, or Domain Local |
| Whether the group is mail-enabled or not. | (Selected or cleared). |
Reference attribute groups are families of groups based on a metaverse reference attribute. To create a reference attribute group, first define your groups, and then run Group Populator to generate them.
On the startup page, click Define Attributes, click Add Definition, and define the fields by using the information in the following table. This example generates a group for each manager and populates it with the manager's reports. When defining the fields, you must think in terms of the metaverse object (person) for the group member and hence its "member attributes." However, you must also think in terms of the metaverse object for the "pointed at" or linked person. For example, the manager who is defined in the employee's manager field.
Table B.3. Reference Attribute Group Definition Fields
Field | Purpose | Examples |
UniqueID | A unique ID that you provide. | Managers (others might be Secretaries, or Assistants) |
displayName | To generate a displayName for each group that will involve the attribute that defines the group. | People managed by {attribute} |
defType | The type of attribute group. | linked |
Attribute | The attribute that you want to use in the displayName field. The value used in each case is for the pointed-at object. | displayName so that the displayName of the manager is used (others might be sn, cn, or sAMAccountname). |
linkAttribute | A choice from any reference member attributes in the metaverse. | manager (others might be secretary or assistant). |
linkAttributeKey | The linked person attribute that the linkAttribute points to. | employeeID (or other unique key). |
Group Type | The type of Active Directory group (MIIS 2003 selects the closest match in Lotus Notes). | Combinations of: Security or Distribution List Universal, Global, or Domain Local. |
| Whether mail-enabled or not. | (Selected or cleared) |
Figure B.6. The Attribute Group Definition page
Click Update to complete or add any others, and then click Back to Group Definitions. This page will not yet reflect your attribute groups—they must first be generated (see the "Generating and Provisioning Groups" section later in this appendix). After they have been generated, they will appear when you enter a query on the startup page, and select Include attribute based groups.
Figure B.7. A Group Definitions window that displays both simple and attribute-based groups
You cannot edit or delete attribute groups through the Web application. You manage them by running the Group Populator program.
To generate and provision groups, a batch (.cmd) file is provided with this solution (usually located in C:\GroupManagement). The batch file runs the Group Populator and then instructs MIIS 2003 to perform the correct runs to provision your groups. It checks for errors after each step and stops if it detects one. It also truncates the delta tables: to optimize performance, the Group Management application presents only changes (deltas) to MIIS 2003 rather than all groups.
The command line that runs the Group Populator looks something like the following example:
groupPopulator.exe /r:managers,locations,departments,titles /p
The /r switch instructs the Group Populator to regenerate the indicated attribute groups. These group names are the unique IDs that you specified in the UI when you defined your attribute groups. For everyday operation, you may decide to modify this command file. For example, you may decide not to keep regenerating the attribute groups (which would be time-consuming in a large organization). You could use a version of this batch file without the /r switch for your regular run cycle for MIIS 2003. You also could run the batch file in its original form (with the /r switch) periodically to ensure that any necessary regeneration takes place.
The remainder of the batch file uses the MIIS 2003 WMI interface to perform the MA runs required to synchronize the groups and their memberships with the target directories. This involves the import and synchronization of the group management MA, and export of the Intranet Active Directory and Lotus Notes MAs. Another line truncates the delta tables as in the following example:
osql -S localhost -E -n -b -i "TruncateDeltaTable.sql"
If an error occurs, the batch file will stop. Examine any errors that do occur and take appropriate action to correct them.
You can clear the Enabled field for an ordinary group. This will cause the group to be deprovisioned, but the application will retain the group definition in case you want to enable it again.
It is not practical to provide a full technical guide for the Group Management Web application. However, the description of the database tables in this section may be of value to developers.
This table stores information about attribute-based group definitions.
Table B.4. attributeGroupDefinitions Table
Column name | Data type | Length | Null allowed | Description |
objectUID | varchar | 64 | No | A unique identifier for the attribute group definition, randomly generated when the definition is initially created. |
uniqueGroupID | varchar | 256 | Yes | A friendly name that uniquely identifies the group definition. This name is specified after the /r switch when you run groupPopulator.exe. |
displayName | varchar | 256 | Yes | The structure of the friendly name for each group that is generated from these definitions in the target directories. Each entry in this column must contain the literal string {attributeValue}. |
attributeGroupType | varchar | 256 | Yes | Specifies whether the definition relies on reference attributes within MIIS 2003 to create groups ('linked') or not ('single'). |
attribute | varchar | 256 | Yes | The metaverse attribute that is used to generate the group definitions. |
linkAttribute | varchar | 256 | Yes | The reference attribute used to generate the group definitions (for the linked groupType only). |
linkAttributeKey | varchar | 256 | Yes | The attribute key that generates the group definitions (for the linked groupType only). |
groupType | int | | Yes | Defines the type of group that will be created in the target directories based on the Active Directory groupType attribute. |
mailEnabled | varchar | 256 | Yes | Defines whether groups generated from this definition are mail enabled (true/false). |
This table stores clause information for the groups so that you can optionally share clauses between groups.
Table B.5. clauseDefinitions Table
Column name | Data type | Length | Null allowed | Description |
objectUID | varchar | 64 | No | Links the clause to the group definition. |
clauseAutoUID | varchar | 256 | Yes | Links the clause to the attribute generated group definitions. |
clauseType | varchar | 64 | No | Identifies whether the clause was generated from an attribute group definition or a standard definition. |
Clause | varchar | 5120 | Yes | Defines the clause used to query the metaverse for group members. |
This table stores a record for each metaverse object that has had an exception defined for it.
Table B.6. exceptionDefinitions Table
Column name | Data type | Length | Null allowed | Description |
objectUID | varchar | 64 | No | Ties the exception to a group. |
exceptType | varchar | 64 | Yes | Defines whether the user is included or excluded. |
mvObjectUID | varchar | 64 | Yes | The object-id from the metaverse of the object defined as an exception. |
This is the main table that stores the group and person objects that MIIS 2003 imports.
Table B.7. groupDefinitions Table
Column name | Data type | Length | Null allowed | Description |
objectUID | varchar | 256 | No | A unique identifier: for a standard group, a generated globally unique identifier (GUID); for a group generated by an attribute group definition, the combination of uniqueGroupID (Table B.4) and the metaverse attribute value; for a person, the metaverse object-id. |
groupAutoUID | varchar | 256 | Yes | The friendly name that associates the group with the attribute group definition used to generate it. |
objectType | varchar | 64 | Yes | The type of object (group, groupAuto or person). |
displayName | varchar | 256 | Yes | The group name used in the target directories. |
description | varchar | 256 | Yes | The group description used in the target directories. |
clauseLink | varchar | 64 | Yes | A link to the clause definitions table. If the clauseLink is not the same as the objectUID, then it shares a clause with another group. |
enabledFlag | varchar | 64 | Yes | If this is set to enabled, the definition results in group creation in target directories. If it is disabled, the groups are removed from the target directories. |
maxExcept | varchar | 64 | Yes | The maximum number of manual exceptions that can be applied before a warning appears. This number cannot be set through the graphical user interface (GUI). |
preserveMembers | int | | Yes | The number of days to automatically preserve members after they would otherwise be deleted from a group. |
groupType | int | | Yes | Group type that will be created in the target directories (based on the Active Directory groupType attribute). |
mailNickName | varchar | 256 | Yes | If set, the group will be mail enabled, and will use this value for the alias. |
This table stores all of the group and person objects that MIIS 2003 uses during a delta import. Its structure is the same as Table B.7, with three additional columns.
Table B.8. groupDefinitions_delta Table
Column name | Data type | Length | Null allowed | Description |
objectUID | varchar | 256 | No | See Table B.7 |
groupAutoUID | varchar | 256 | Yes | See Table B.7 |
objectType | varchar | 64 | Yes | See Table B.7 |
displayName | varchar | 256 | Yes | See Table B.7 |
description | varchar | 256 | Yes | See Table B.7 |
clauseLink | varchar | 64 | Yes | See Table B.7 |
enabledFlag | varchar | 64 | Yes | See Table B.7 |
maxExcept | varchar | 64 | Yes | See Table B.7 |
preserveMembers | int | | Yes | See Table B.7 |
groupType | int | | Yes | See Table B.7 |
mailNickName | varchar | 256 | Yes | See Table B.7 |
attributeName | varchar | 64 | Yes | If the value for changeType is Modify_Attribute, this column specifies the name of the attribute that was modified. |
changeTime | datetime | | Yes | The time that the change was entered into the delta table, which is used to sort the view for the MIIS 2003 import. |
changeType | varchar | 64 | Yes | The type of delta change (Add, Modify, Delete, Modify_Attribute). |
This table holds a record for each member of each group. It cross-references the person and group objects in Table B.7. It is specified in MIIS 2003 as the multivalued attribute table.
Table B.9. memberDefinitions Table
Column name | Data type | Length | Null allowed | Description |
objectUID | varchar | 64 | No | The unique identifier of the group (Table B.7 foreign key). |
objectType | varchar | 64 | Yes | The attribute name (in this solution it is always set to "member"). |
mvObjectUID | varchar | 64 | Yes | The unique identifier of the person that is a member of the group (Table B.7 foreign key). |
This table is a copy of the memberDefinitions table taken at the previous run. The application compares current membership against it to determine which group memberships have changed, and from those changes it generates the delta table. It has the same structure as the memberDefinitions table.
Table B.10. memberDefinitions_temp Table
Column name | Data type | Length | Null allowed | Description |
objectUID | varchar | 64 | No | The unique identifier of the group (Table B.7 foreign key). |
objectType | varchar | 64 | Yes | The attribute name (in this solution it is always set to "member"). |
mvObjectUID | varchar | 64 | Yes | The unique identifier of the person that is a member (Table B.7 foreign key). |
This table stores SQL statements for future execution. It is primarily used to complete processes related to preserved members.
Table B.11. stagingDefinitions Table
Column name | Data type | Length | Null allowed | Description |
executeDateTime | datetime | | Yes | The date and time to execute the sqlCommand. |
sqlCommand | varchar | 5120 | Yes | A SQL formatted statement that will perform a transaction in the future to complete processes related to preserved members. |
comment | varchar | 2048 | Yes | Used to pass information along with the sqlCommand into the code. |
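The interplay of the last four tables (memberDefinitions, memberDefinitions_temp, groupDefinitions_delta and stagingDefinitions) and the preserveMembers delay described earlier in this appendix can be modelled end to end. The following is an added example and not the application's own code: it treats the two membership tables as sets of (objectUID, mvObjectUID) rows, emits delta rows in the shape of Table B.8, and stages deferred removals in the shape of Table B.11. Two things are assumptions: the delta rows carry an extra mvObjectUID and action field that Table B.8 does not list, so the example can show which member changed, and the staged statement is built with a quoting helper that doubles embedded apostrophes, a precaution the page itself does not describe. The snapshot rows, group IDs and the clock value are constructed.

```python
"""Deriving group-membership deltas from two snapshots, with preserved-member staging.

Added example, not part of the original guide or the Group Management
application. PREVIOUS_MEMBERS stands for memberDefinitions_temp (last
run), CURRENT_MEMBERS for memberDefinitions (this run); both are
constructed sample rows of (objectUID, mvObjectUID).
"""
from datetime import datetime, timedelta

PREVIOUS_MEMBERS = {("G1", "p1"), ("G1", "p2"), ("G2", "p3")}
CURRENT_MEMBERS = {("G1", "p1"), ("G1", "p4"), ("G2", "p3")}
PRESERVE_DAYS = {"G1": 7}  # preserveMembers per group; groups not listed use 0
NOW = datetime(2005, 1, 1, 8, 0, 0)  # constructed clock value


def sql_literal(value):
    """Render a value as a T-SQL string literal, doubling embedded quotes so
    an identifier containing an apostrophe cannot alter the staged statement."""
    return "'" + str(value).replace("'", "''") + "'"


def membership_delta(previous, current, preserve_days, now):
    """Return (delta_rows, staging_rows) for the change from previous to current.

    Added members become Modify_Attribute rows on the 'member' attribute.
    Removed members are written to the delta immediately when the group's
    preserveMembers is 0; otherwise the removal is staged for later
    execution, which is what gives the user time to finish group business.
    """
    delta, staging = [], []
    for group, person in sorted(current - previous):
        delta.append({"objectUID": group, "objectType": "group",
                      "changeType": "Modify_Attribute", "attributeName": "member",
                      "mvObjectUID": person, "action": "Add", "changeTime": now})
    for group, person in sorted(previous - current):
        days = preserve_days.get(group, 0)
        if days == 0:
            delta.append({"objectUID": group, "objectType": "group",
                          "changeType": "Modify_Attribute", "attributeName": "member",
                          "mvObjectUID": person, "action": "Remove", "changeTime": now})
        else:
            staging.append({
                "executeDateTime": now + timedelta(days=days),
                "sqlCommand": ("DELETE FROM memberDefinitions WHERE objectUID = "
                               + sql_literal(group) + " AND mvObjectUID = "
                               + sql_literal(person)),
                "comment": f"preserved member {person} of {group} for {days} day(s)",
            })
    return delta, staging


def due_staging(staging_rows, now):
    """Select the staged statements whose executeDateTime has arrived,
    oldest first, as a later run of the populator would before executing them."""
    due = [r for r in staging_rows if r["executeDateTime"] <= now]
    return sorted(due, key=lambda r: r["executeDateTime"])


if __name__ == "__main__":
    delta_rows, staging_rows = membership_delta(
        PREVIOUS_MEMBERS, CURRENT_MEMBERS, PRESERVE_DAYS, NOW)
    for row in delta_rows:
        print(row["changeType"], row["objectUID"], row["action"], row["mvObjectUID"])
    for row in staging_rows:
        print(row["executeDateTime"], row["sqlCommand"])
```

With preserveMembers set to 7 for G1, the run adds p4 to G1 immediately but only stages the removal of p2, and a run on or after the executeDateTime picks that statement up; with the default of 0 days the removal goes straight into the delta table and is deprovisioned on the next MIIS 2003 import.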