Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-06-03) Multiple Authoritative Sources For Group Memberships And How About Precedence In ILM

Posted by Jorge on 2009-06-03


If multiple data sources are authoritative for "some-attribute" and all authoritative data sources are considered equal, in ILM 2007 you must configure "Attribute Flow Precedence" for that "some-attribute" so that all management agents (MAs) use a Rules Extension for the flow of that "some-attribute". Only when ALL MAs use a Rules Extension for that particular attribute can you check the option "Use Manual Precedence". In your code for each MA you check whether the value in the CS differs from the value in the MV and, when it does, you let the attribute value flow from the CS to the MV; when it does not, you decline the flow so the MV is left alone. It will look similar to the picture below.

[image: Attribute Flow Precedence dialog with "Use Manual Precedence" checked]
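The following is an added example, not code from the original post: a C# management agent rules extension for ILM 2007 FP1 that implements the "Use Manual Precedence" flow described above for one single-valued attribute. The same assembly is attached to every MA that is authoritative for the attribute. The flow rule name "manualPrecedence" and the attribute name "some-attribute" are assumptions; the `Microsoft.MetadirectoryServices` types are the real ILM rules extension API.

```csharp
// Added example (not from the original post): an ILM 2007 FP1 MA rules
// extension implementing "Use Manual Precedence" for one single-valued
// attribute. Compile it once and attach it to every MA that is authoritative
// for the attribute, with the advanced import flow for that attribute named
// "manualPrecedence" (the flow rule name and "some-attribute" are assumptions).
using System;
using Microsoft.MetadirectoryServices;

public class MAExtensionObject : IMASynchronization
{
    // Assumed names; use the real CS and MV attribute names of your deployment.
    private const string CsAttribute = "some-attribute";
    private const string MvAttribute = "some-attribute";

    public void Initialize() { }
    public void Terminate() { }

    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case "manualPrecedence":
                FlowIfChanged(csentry, mventry);
                break;
            default:
                // Any other flow rule name is a configuration error on the MA.
                throw new EntryPointNotImplementedException();
        }
    }

    // Under manual precedence the sync engine runs this rule for every connector
    // on every synchronization, so the rule itself decides whether this source
    // wins. It lets the value through only when the connector space value
    // differs from what the metaverse currently holds; when they are equal it
    // declines, so an unchanged source never overwrites a value that another,
    // equally authoritative, source delivered in the meantime.
    private static void FlowIfChanged(CSEntry csentry, MVEntry mventry)
    {
        bool csHasValue = csentry[CsAttribute].IsPresent;
        bool mvHasValue = mventry[MvAttribute].IsPresent;

        if (!csHasValue && !mvHasValue)
        {
            throw new DeclineMappingException();     // nothing to flow
        }

        if (csHasValue && mvHasValue
            && string.Equals(csentry[CsAttribute].Value, mventry[MvAttribute].Value, StringComparison.Ordinal))
        {
            throw new DeclineMappingException();     // same value, leave the MV alone
        }

        if (!csHasValue)
        {
            // The source removed the value, so remove it from the MV as well.
            mventry[MvAttribute].Delete();
            return;
        }

        mventry[MvAttribute].Value = csentry[CsAttribute].Value;
    }

    // The remaining IMASynchronization members are not used by this MA. The
    // sync engine only calls them for rules configured to use an extension, so
    // throwing here makes an accidental configuration visible immediately.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
}
```

Two things to keep in mind when using this pattern. First, the comparison is against the current MV value, not against the connector's own previous value (a rules extension cannot see the old hologram), so a source whose value is different from the MV but has not changed still wins the next time its connector is synchronized; that is exactly the "last-sync-wins" behaviour discussed further down. Second, this only works for attributes that the MA allows in an advanced (rules extension) flow, which rules out reference attributes such as "member".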

Until now nothing special! Now imagine that "some-attribute" is the "member" attribute of the "group" object. The "member" attribute is a multi-valued reference attribute: it can contain multiple values, and those values are not plain values but references to OTHER objects, for example "user" objects.

Now for the "member" attribute you have the scenario as above. Two connected data sources are authoritative for managing group memberships such as for example:

  1. Active Directory being managed by admins on one side AND some data source (ADAM, SQL, etc.) with a web-interface on the other side
    OR
  2. Active Directory being managed by admins on one side AND some data source (SQL, etc.) with some business logic to automatically create group memberships on the other side

What would you do? The easiest answer would seem to be: "do the same as you did for that 'some-attribute'". Unfortunately that is not going to work, because "reference" attributes (e.g. "member") cannot be used in advanced attribute flow through Rules Extensions, and as mentioned earlier you need Rules Extensions to be able to use the option "Use Manual Precedence". Another way to avoid the complexity of precedence altogether is to use multiple MAs.

This is the approach of the solution I used… (Thanks James!).

REMARK: as you know, there are many ways to get to Rome, and for such a scenario there are many other approaches.

The overall idea is shown in the picture below. The architecture looks very similar to the GalSync solution, but there is a subtle difference! The GalSync architecture uses one MA for each connected data source. In the GalSync architecture, each MA imports users, groups and contacts from the source and exports contacts to the target as shown below.

[image: GalSync architecture, one MA per connected data source importing users, groups and contacts and exporting contacts]

In the Group Management architecture where two connected data sources are equally authoritative for groups and their group memberships, you must use two MAs per connected data source! The architecture of the solution is shown below.

[image: Group Management architecture with two MAs per connected data source (an import MA and an export MA for groups)]

Now you might think: Why not just create 1 MA for each connected system where each MA handles two different group object types, like in the GalSync architecture? The answer is that you need two MAs for each system because the groups in each system need to be connected to BOTH group object types (e.g. objecttype: group_ADDS & group_MGMT) in the MV, and any CS object can only be connected to a single MV object (and therefore a single MV object type).

The logic of this use case is:

  • Employees in HR
    • HR is authoritative for employees
    • Employee objects are imported into the HR CS through the HR MA and then projected as a person object into the MV
    • Employees are provisioned into ADDS CS and MGMT APP CS and exported into the end-system through the corresponding MA (ADDS-Users and MGMT-Users)
  • Groups in ADDS
    • ADDS is authoritative for groups and group memberships
    • Group objects in ADDS are imported into the ADDS-Group-IMP CS through the ADDS-Group-IMP MA and then projected as a group_ADDS object into the MV
    • Group objects (objectType=group_ADDS) are provisioned into MGMT-Group-EXP CS and exported into the MGMT APP through the MGMT-Group-EXP MA
    • Group Memberships originating in ADDS follow the same path through the member attribute in each object as the group object itself
  • Groups in MGMT APP
    • MGMT APP is ALSO authoritative for groups and group memberships
    • Group objects in MGMT APP are imported into the MGMT-Group-IMP CS through the MGMT-Group-IMP MA and then projected as a group_MGMT object into the MV
    • Group objects (objectType=group_MGMT) are provisioned into ADDS-Group-EXP CS and exported into the ADDS through the ADDS-Group-EXP MA
    • Group Memberships originating in MGMT APP follow the same path through the member attribute in each object as the group object itself
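The following is an added example, not code from the original post: the metaverse rules extension (IMVSynchronization) for the two-MA architecture listed above. It provisions each group object only into the export MA of the other system, so a group that originated in ADDS is never written back into ADDS and a group that originated in the MGMT APP is never written back into the MGMT APP. The MA names and MV object types follow the post; the MV attribute "accountName", the container DNs and the assumption that the MGMT APP is an ADAM (LDAP) directory are mine.

```csharp
// Added example (not from the original post): metaverse rules extension for
// the two-MA group architecture. A group is provisioned only towards the
// system it did NOT come from, which is what keeps groups from circling.
// Assumptions: MGMT APP is an ADAM/LDAP directory, the MV attribute
// "accountName" carries the group name, and the container DNs below.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Export MAs from the architecture described in the post.
    private const string AddsGroupExportMA = "ADDS-Group-EXP";
    private const string MgmtGroupExportMA = "MGMT-Group-EXP";

    // Assumed target containers in each directory.
    private const string AddsGroupContainer = "OU=Groups,DC=corp,DC=example";
    private const string MgmtGroupContainer = "OU=Groups,O=MgmtApp";

    // Assumed MV attribute that carries the group's name in both systems.
    private const string GroupNameAttribute = "accountName";

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        switch (mventry.ObjectType)
        {
            case "group_ADDS":
                // Projected by ADDS-Group-IMP: ADDS is the origin, so the only
                // place this group has to go is the MGMT APP.
                EnsureConnector(mventry, MgmtGroupExportMA, MgmtGroupContainer);
                break;
            case "group_MGMT":
                // Projected by MGMT-Group-IMP: the MGMT APP is the origin, so
                // this group goes to ADDS only.
                EnsureConnector(mventry, AddsGroupExportMA, AddsGroupContainer);
                break;
            default:
                // person objects are provisioned by separate rules (not shown)
                break;
        }
    }

    // Create the group in the given export MA's connector space once; on later
    // synchronizations the existing connector is found and nothing happens.
    private static void EnsureConnector(MVEntry mventry, string maName, string container)
    {
        if (!mventry[GroupNameAttribute].IsPresent)
        {
            return; // cannot build a DN yet; the next sync will try again
        }

        ConnectedMA ma = mventry.ConnectedMAs[maName];
        if (ma.Connectors.Count > 0)
        {
            return; // already provisioned (or joined) in this MA
        }

        CSEntry csentry = ma.Connectors.StartNewConnector("group");
        // EscapeDNComponent escapes characters that are special in an LDAP RDN
        // (commas, plus signs, ...), so a group called "Sales, EMEA" cannot
        // produce a malformed or misplaced DN.
        csentry.DN = ma.EscapeDNComponent("CN=" + mventry[GroupNameAttribute].Value)
                       .Concat(container);
        csentry.CommitNewConnector();
    }

    // If the metaverse object deletion rule is configured to call the
    // extension, keep the MV group: it still exists in the system it came from
    // and the other export MA still holds a connector to it.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

The group name and the "member" attribute themselves are not set here; they are delivered by the export attribute flows configured on the two export MAs. Note that the sync engine can only export a reference value (a member) when the referenced MV object also has a connector in that same MA's connector space, so each group export MA must also import the users of its target system and join them to the person objects; that is part of the "additional imports and joins" mentioned below.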

REMARK: You might expect a group object or group membership originating in one source to flow to the other source, come back to the original source and keep flowing around in circles. Don't worry, it will not happen, AS LONG AS the correct order of imports/syncs/exports is followed. Otherwise you may see "A DELETION" followed by "AN ADDITION" bouncing around.

REMARK: Be aware that you need additional imports and joins to make the "circle" complete! A group that has been exported into the other system is imported again by that system's import MA, and it must then be JOINED to the MV object it was provisioned from, not projected as a new group of the other object type; otherwise it will be provisioned straight back to where it came from.

Something else to be aware of: it is very difficult to achieve "last-writer-wins". In reality you will achieve "last-sync-wins": the source whose connector was synchronized most recently wins, regardless of which source was actually written to last. If you execute your imports/syncs very often you will get very close to "last-writer-wins". See the remark above! Very important to know!

This is how you can do it in ILM 2007 FP1. How would you do this in ILM "2", or rather FIM 2010 as it is called right now? In FIM 2010 this scenario is much easier to achieve: the dialog in the picture at the top of this post has an additional option called "Equal Precedence". When that option is checked, the corresponding MAs are equally authoritative for that attribute, and yes, that also applies to multi-valued reference attributes! In FIM 2010 you would therefore not need two MAs for each system, but just one to manage groups and group memberships.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge ############### http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————

2 Responses to “(2009-06-03) Multiple Authoritative Sources For Group Memberships And How About Precedence In ILM”

  1. steponz said

    You can create advanced flow rules on reference values. Just not from the metaverse, but from the source.

    Using two separate attributes and calculating them will give a quicker approach than you have here.

    Also I was looking at your sql issue of exporting multi-Value attributes.. This is by design. When a change is detected in the multivalue it will only pass the whole value, not the individual update… I know it stinks, but this is how it works for every ma.

    A way around it would be to create an XMA SQL MA, and for multivalues you would first query the multivalue table and compare the differences then only update what you want.

    This will be a feature in my Open source Project ILM “X” Framework SQL xMA when I finish the export api.

    Joe Stepongzi

  2. […] upon my post about "Multiple Authoritative Sources For Group Memberships And How About Precedence In ILM", a technology partner and I were setting up and test/demo environment. The idea was as […]
