Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-07-30) Provisioning In FIM 2010 RC0 (Previously a.k.a. ILM ‘2’)

Posted by Jorge on 2009-07-30

In ILM 2007 to be able to provision objects in whatever connected source you needed at least:

  • A provisioning Rules Extension DLL
  • Provisioning turned on in Identity Manager

In ILM ‘2’ the above is still true, but as an alternative you can now provision and synchronize objects with management policy rules, workflow actions, sets and synchronization rules (Sync Rules). To cut a long story short: a Sync Rule has two options on its Relationship tab, "Create Object in ILM", which makes objects go into the ILM ‘2’ Portal (Inbound Sync Rules only), and "Create Object in Connected System", which makes objects go into the corresponding connected data source (Outbound Sync Rules only). See the picture below.


In this post we focus on the option called "Create Object in ILM". But what does that really mean? According to its description: "This option indicates if a new object should be created in ILM when the Relationship Criteria is not satisfied for an object in the Connected System Scope". Reading this, it sounds as if checking the box provisions an object into the ILM ‘2’ Portal. In reality it means something else. Unlike an MA, a sync rule has no projection rule, or at least that is what you may think. The checkbox "Create Object in ILM" really means that the object will be PROJECTED into the metaverse (MV). Because the ILM ‘2’ MA contains an object mapping between the objectType in the MV and the corresponding objectType in the ILM ‘2’ connector space (CS), the object is then provisioned into the ILM ‘2’ CS. See the picture below.


This is the case if you use the new way, Sync Rules. But let’s say you want to keep using a provisioning Rules Extension DLL for a while, until you have planned and designed everything needed to use Sync Rules.

MAs can have projection rules that create objects in the MV from objects in their CS. How about provisioning, then? If you want to provision to some connected system (other than the ILM ‘2’ Portal) you need to fulfill the requirements mentioned above. But what about provisioning objects into the ILM ‘2’ MA? You cannot use a provisioning Rules Extension DLL for that. So how is that done? The answer is easy: exactly the same way as with Sync Rules. Because the ILM ‘2’ MA contains an object mapping between the objectType in the MV and the corresponding objectType in the ILM ‘2’ CS, it provisions the object into the ILM ‘2’ CS, and that happens even when you are not using the new Sync Rules!

While we are at it, what about the option called "Create Object in Connected System"? That option really means: provision the object into the corresponding CS. The projection into the MV from the ILM ‘2’ CS happens because an object mapping, including attribute flow, is defined in the ILM ‘2’ MA. See the picture above.

One big difference with regards to provisioning between ILM 2007 and ILM ‘2’ is that in ILM 2007 you can disable provisioning and in ILM ‘2’ you cannot. This matters during initial loads and disaster recovery scenarios with ILM 2007. If you wonder why, let’s talk about that. Be aware, though, that there is not much difference between an "initial load" and a "disaster recovery": during an initial load the data has not yet been corrected and exported to the connected sources, while in a disaster recovery scenario it already has been touched and, where needed, corrected by the ILM sync engine.

An important thing to understand is that the ILM engine always tries a join first, and only if no join is made does it do a projection. Projection is the creation of an object in the MV based on an existing object in some CS. During an initial load or a disaster recovery you want the authoritative sources to be the first to import their data into the ILM sync engine and to project (through a sync) into the MV. You DO NOT want it to start provisioning objects into the other CSes yet, because there may already be objects in those CSes that match the objects in the MV. To prevent that you need to disable provisioning temporarily! After the authoritative sources have been imported and synchronized, you can import the data from the non-authoritative sources into their corresponding CSes. Running a sync for each of those CSes then joins (matches) their objects to the objects already in the MV. Only after that should provisioning be enabled again.

If you enabled provisioning before joining the objects, the provisioning code would try to recreate each object in the corresponding CS and would most likely hit an already existing object. Two things can happen in that case. Either the complete transaction (provisioning from MV to CS AND the projection from CS to MV that triggered it) is rolled back because of the "Already Existing Object" error, or you ‘catch’ that error and reprovision with a new DN. In the latter case, other attributes that must also be unique (e.g. sAMAccountName) would either still conflict with the value of another object (an error you only see during export to the CS) or you would end up with multiple objects in the CS for one MV object. Attribute flow would then also become a nightmare. As you can see, there is all kinds of stuff to think of.
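To make the rules-extension side of this concrete, here is an added example (it is not code from the original post) of what a provisioning Rules Extension DLL for ILM 2007 looks like in C#, written with the guards that keep the initial-load/disaster-recovery scenario above safe: it never creates a second connector for an MV object that already has one, and it lets an "object already exists" error roll the transaction back instead of retrying with a new DN. The MA name "AD MA", the user container, the MV attribute names accountName and displayName, and the authoritative "HR MA" are assumptions; replace them with your own.

```csharp
// Added example of an ILM 2007 metaverse rules extension (not the original post's code).
// Names below ("AD MA", "HR MA", the OU, accountName/displayName) are assumptions.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    private const string AdMaName = "AD MA";                            // assumed MA name
    private const string UserContainer = "OU=Users,DC=contoso,DC=com";  // assumed target OU
    private const string AuthoritativeMaName = "HR MA";                 // assumed authoritative source

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person")
            return;

        ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];

        // Idempotency guard: if this MV object already has a connector in the AD CS
        // (from a join made during the initial load, or from an earlier Provision() run),
        // do nothing. This is what makes "join first, provision afterwards" safe.
        if (adMa.Connectors.Count > 0)
            return;

        // Do not create half-populated objects: both attributes are needed for a unique AD user.
        if (!mventry["accountName"].IsPresent || !mventry["displayName"].IsPresent)
            return;

        CSEntry csentry = adMa.Connectors.StartNewConnector("user");

        // EscapeDNComponent() escapes RDN characters such as ',' or '+' in the display name.
        csentry.DN = adMa.EscapeDNComponent("CN=" + mventry["displayName"].Value)
                         .Concat(UserContainer);
        csentry["sAMAccountName"].Value = mventry["accountName"].Value;
        // 0x200 = NORMAL_ACCOUNT, 0x2 = ACCOUNTDISABLE: created disabled until a password is set.
        csentry["userAccountControl"].IntegerValue = 0x200 | 0x2;

        try
        {
            csentry.CommitNewConnector();
        }
        catch (ObjectAlreadyExistsException)
        {
            // An object with this DN is already in the AD connector space, which usually means
            // provisioning ran before the existing AD objects were joined to the MV.
            // Deliberately NOT retrying with another DN: sAMAccountName must be unique as well,
            // so the export would fail later, or you would end up with two AD objects for one
            // MV object. Rethrowing lets the sync engine roll back the whole transaction
            // (this provisioning and the projection that triggered it); fix the join and re-sync.
            throw;
        }
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        // Only a disconnect from the authoritative source deletes the MV object.
        return csentry.MA.Name == AuthoritativeMaName;
    }
}
```

Compile this against Microsoft.MetadirectoryServices.dll, drop it in the Extensions folder and register it in Identity Manager under Tools > Options. The "Enable Provisioning Rules Extension" checkbox in that same dialog is the switch the text above refers to: clear it during the initial load until every non-authoritative CS has been imported and synchronized (joined), then tick it again and run a full sync so Provision() creates only the connectors that are really missing.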

ILM ‘2’ with codeless provisioning will also project and then try to provision the object. Again it would hit an existing object, but in this case it does not have the same issues as ILM 2007, because the transaction is not rolled back: the projection is kept in place. You can then still join the object from another CS without issues. This is important because, with codeless provisioning, it is not possible to disable provisioning the way it is with a provisioning Rules Extension DLL.

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############

