Introduction to Publishing To Active Directory from Two Authoritative Data Sources

Applies To: Forefront Identity Manager 2010

With declarative provisioning, a new feature introduced in Microsoft® Forefront® Identity Manager (FIM) 2010, you can implement your complete identity integration business logic without developing rules extension source code. This document shows how to populate Active Directory® users from two authoritative data sources by using declarative provisioning.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:

A description of how to set up FIM 2010 and Active Directory Domain Services (AD DS) is out of the scope of this document.

Audience

This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010 by using codeless provisioning.

Time Requirements

The procedures in this document require 60 to 90 minutes for a new user to complete.

Note

These time estimates assume that the testing environment is already configured for the scenario and do not include the time required to set up the test environment.

Getting Support

If you have questions regarding the content of this document or if you have general feedback you would like to discuss, feel free to post a message to the Forefront Identity Manager 2010 TechNet Forum.

Scenario Description

The ability to configure an identity integration scenario without the need to write code is one key feature in FIM 2010. This feature is known as declarative provisioning. With declarative provisioning, you can configure all aspects of your identity integration scenario by using the FIM 2010 R2 Portal.

Fabrikam, a fictitious corporation, uses a human resources (HR) database to track information about all full-time employees. This database is the authoritative source for the creation of user accounts in the corporate Active Directory environment. In addition to the full-time employees, Fabrikam is also required to grant access to other employee types, such as contractors, to the corporate network. To save operational costs, Fabrikam needs to automate the process of managing Active Directory accounts for the various employee types.

FIM 2010 provides all the features needed to cover Fabrikam’s requirements. FIM 2010 R2 includes a database and the required front-end in the form of a Web portal-based application to manage the information about the various employee types. Plus, Fabrikam can use FIM 2010 R2 for automated management of distributed identity information from a central point.

To evaluate the capabilities of FIM 2010, Fabrikam has a lab environment with a simplified implementation of the corporate network. This environment consists of an attribute-value pair (AVP) data source that functions as the HR database, an Active Directory environment, and FIM 2010. All three data sources have a related management agent.

This document describes the steps Fabrikam uses to test the new features provided by FIM 2010 in the outlined scenario.

Testing environment

The scenario outlined in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory forest, Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration outlines the configuration.


To perform the procedures in this document, the domain controller has been configured with the following characteristics:

  • Windows Server® 2008 64-bit Enterprise

  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)

  • Microsoft SQL Server® 2008 64-bit Enterprise SP1

  • Windows® SharePoint® Services 3.0 SP1, 64-bit

  • Windows PowerShell™ 1.0

  • FIM 2010

Note

A description of the installation of FIM 2010 and the required software components is out of the scope of this document. For a complete description of how to install FIM 2010, see the FIM Installation Guide.

Scenario Roadmap

The scenario roadmap in this document consists of three main building blocks:

  1. Configuring the scenario - In this section, you create all the required scenario components including the required sample users, management agents, run profiles, and an inbound synchronization rule.

  2. Initializing the scenario - In this section, you deploy your initial configuration inside FIM 2010.

  3. Testing the scenario - In this section, you verify that the scenario functions according to the outlined scenario specification.

Implementing the Procedures in this Document

To implement the procedures in this document, you complete the following steps in the order shown:

  1. Configuring the connected data sources

  2. Configuring the FIM 2010 R2 Synchronization Service

  3. Configuring the FIM 2010 R2 Service

  4. Initializing the testing environment

  5. Testing the configuration

Configuring the connected data sources

For the scenario in this document, you need to create a data file for the AVP management agent and a new organizational unit in your AD DS.

Creating the data file

For the scenario in this document, you create an AVP data file.

To create the data file

  1. Copy the records from the data below, and then paste them into a new Notepad file.

    EmployeeID:10
    DeltaOperation:Add
    Company:Fabrikam
    FirstName:Terry
    LastName:Adams
    UserID:tadams
    EmployeeType:Full Time Employee
    Manager: 
    
    EmployeeID:11
    DeltaOperation:Add
    Company:Fabrikam
    FirstName:Jimmy
    LastName:Bischoff
    UserID:jbischoff
    EmployeeType:Full Time Employee
    Manager:10
    
    EmployeeID:12
    DeltaOperation:Add
    Company:Fabrikam
    FirstName:Lola
    LastName:Jacobsen
    UserID:ljacobsen
    EmployeeType:Full Time Employee
    Manager:11
    
  2. Save the Notepad file on your local drive as C:\HRData.txt.
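The AVP file you just saved is the HRMA's only input, so it is worth being able to check it before the management agent stages it. The following parser and validator are an added example written for this document; they are not part of the original text and not FIM's own AVP parser. The record layout (records separated by a blank line, one Attribute:Value pair per line, EmployeeID as the anchor, Manager as a reference to another record's EmployeeID) follows the sample file above; the set of accepted DeltaOperation values and the names parse_avp and validate_records are this example's own assumptions. The embedded sample adds a fourth, constructed record whose Manager points at an EmployeeID that does not exist, to show what the checker reports.

```python
"""Parse and sanity-check an AVP (attribute-value pair) HR data file of the
kind the Fabrikam HRMA imports. Added example; not part of the original
document and not FIM's own implementation. Record layout follows the
sample in the text; the validation rules are this example's own."""

from typing import Dict, List

# Constructed sample input: the three records from the text plus one extra
# record (EmployeeID 13) with a dangling Manager reference.
SAMPLE_AVP = """\
EmployeeID:10
DeltaOperation:Add
Company:Fabrikam
FirstName:Terry
LastName:Adams
UserID:tadams
EmployeeType:Full Time Employee
Manager:

EmployeeID:11
DeltaOperation:Add
Company:Fabrikam
FirstName:Jimmy
LastName:Bischoff
UserID:jbischoff
EmployeeType:Full Time Employee
Manager:10

EmployeeID:12
DeltaOperation:Add
Company:Fabrikam
FirstName:Lola
LastName:Jacobsen
UserID:ljacobsen
EmployeeType:Full Time Employee
Manager:11

EmployeeID:13
DeltaOperation:Add
Company:Fabrikam
FirstName:Sam
LastName:Example
UserID:sexample
EmployeeType:Contractor
Manager:99
"""

ANCHOR = "EmployeeID"                      # anchor attribute set in the HRMA wizard
REFERENCE_ATTRIBUTES = {"Manager"}         # attributes typed Reference (DN) in the HRMA
VALID_DELTA_OPERATIONS = {"Add", "Update", "Delete"}   # assumption: values this example accepts


def parse_avp(text: str) -> List[Dict[str, str]]:
    """Split the file into blank-line separated records and each record into
    attribute/value pairs at the first colon. A line without a colon or a
    repeated attribute inside one record is rejected, not silently dropped."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'Attribute:Value', got {line!r}")
        name = name.strip()
        if name in current:
            raise ValueError(f"line {lineno}: duplicate attribute {name!r} in one record")
        current[name] = value.strip()
    if current:
        records.append(current)
    return records


def validate_records(records: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems: missing or duplicate anchors, unexpected
    DeltaOperation values, and reference attributes that point at an
    EmployeeID not present in the file (such a reference would be staged
    but could not be resolved to a metaverse object)."""
    problems: List[str] = []
    seen = set()
    for rec in records:
        anchor = rec.get(ANCHOR, "")
        if not anchor:
            problems.append(f"record {rec!r}: missing anchor {ANCHOR}")
            continue
        if anchor in seen:
            problems.append(f"{ANCHOR} {anchor}: duplicate anchor")
        seen.add(anchor)
        op = rec.get("DeltaOperation", "")
        if op not in VALID_DELTA_OPERATIONS:
            problems.append(f"{ANCHOR} {anchor}: unexpected DeltaOperation {op!r}")
    for rec in records:
        for attr in REFERENCE_ATTRIBUTES:
            target = rec.get(attr, "")
            if target and target not in seen:
                problems.append(f"{ANCHOR} {rec.get(ANCHOR)}: {attr} references unknown {ANCHOR} {target}")
    return problems


if __name__ == "__main__":
    recs = parse_avp(SAMPLE_AVP)
    print(f"{len(recs)} records parsed")
    for problem in validate_records(recs):
        print("problem:", problem)
```

Run it against C:\HRData.txt by reading the file and passing its contents to parse_avp; a clean file produces an empty problem list, and the constructed fourth record above produces exactly one entry for the unresolved Manager reference.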

Creating the organizational unit

For the scenario in this document, you create an organizational unit that receives the newly created sample objects.

To create the organizational unit

  1. To open the Active Directory Users and Computers snap-in, open the Run command, and then type dsa.msc.

  2. In the tree view, right-click fabrikam.com, select New, and then click Organizational Unit.

  3. In the Name text box, type FIMObjects.

  4. To create the organizational unit, click OK.

Configuring the FIM Synchronization Service

You can configure the FIM 2010 R2 Synchronization Service by performing the following tasks:

  1. Creating management agents.

  2. Creating run profiles.

Creating management agents

For the scenario in this document, you must create three management agents:

  1. Fabrikam HRMA

  2. Fabrikam FIMMA

  3. Fabrikam ADMA

The following sections provide detailed instructions to help you create the required management agents manually.

Creating the Fabrikam HRMA

The Fabrikam HRMA is a management agent for the AVP text file. To create this management agent, you use the Create Management Agent wizard.

To create the Fabrikam HRMA

  1. In FIM 2010, open the Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. To open the Create Management Agent wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: AVP text file

    • Name: Fabrikam HRMA

  4. On the Select Template Input File page, provide the following settings, and then click Next:

    • Template Input File: C:\HRData.txt

    • Code Page: Western European (Windows)

  5. On the Configure Attributes page, provide the following settings, and then click Next:

    1. To open the Set Anchor dialog box, click Set Anchor.

    2. In the Attributes list, select Employee ID, and then click Add.

    3. To close the Set Anchor dialog box, click OK.

    4. In the Attributes list, select Manager.

    5. To open the Edit Attribute dialog box, click Edit.

    6. In the Type list, select Reference (DN).

    7. To close the Edit Attribute dialog box, click OK.

  6. On the Define Object Types page, click Next.

  7. On the Configure Connector Filter page, click Next.

  8. On the Configure Join and Projection Rules page, click Next.

  9. On the Configure Attribute Flow page, click Next.

  10. On the Configure Deprovisioning page, click Next.

  11. On the Configure Extensions page, click Next.

Creating the Fabrikam FIMMA

The Fabrikam FIMMA is a management agent for the FIM Service Management Agent. To create this management agent, you use the Create Management Agent wizard.

When you configure a FIM 2010 R2 management agent, you need to specify a user account. This document uses fimma as the name for this account. You need to replace this name with the account you have specified in your environment.

Warning

The account you use for your FIM management agent must be the same account as the one you have specified during the installation of FIM 2010 R2. For more information, see How can I manage my FIM MA account?.

To create the Fabrikam FIMMA

  1. To open the Create Management Agent wizard, on the Actions menu, click Create.

  2. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: FIM 2010 R2 Service management agent

    • Name: Fabrikam FIMMA

  3. On the Connect to Database page, provide the following settings, and then click Next:

    • Server: localhost

    • Database: FIMService

    • FIM Service base address: https://localhost:5725

    • Authentication mode: Windows integrated authentication

    • User name: fimma

    • Password: <the account’s password>

    • Domain: fabrikam

  4. On the Selected Object Types page, verify that the object types that are listed below are selected, and then click Next:

    • ExpectedRuleEntry

    • DetectedRuleEntry

    • SynchronizationRule

    • Person

  5. On the Selected Attributes page, verify that all listed attributes are selected, and then click Next.

  6. On the Configure Connector Filter page, click Next.

  7. On the Configure Object Type Mappings page, add the following mapping, and then click Next:

    1. In the Data Source Object Type list, select Person.

    2. To open the Mapping dialog box, click Add Mapping.

    3. In the Metaverse object type list, select person.

    4. To close the Mapping dialog box, click OK.

  8. On the Configure Attribute Flow page, apply the following attribute flow mappings, and then click Next:

    Flow Direction   Data source attribute   Metaverse attribute
    Import           AccountName             accountName
    Import           Company                 company
    Import           DisplayName             displayName
    Import           Domain                  domain
    Import           EmployeeID              employeeID
    Import           EmployeeType            employeeType
    Import           ExpectedRulesList       expectedRulesList
    Import           FirstName               firstName
    Import           LastName                lastName
    Import           Manager                 manager
    Export           AccountName             accountName
    Export           Company                 company
    Export           DisplayName             displayName
    Export           Domain                  domain
    Export           EmployeeID              employeeID
    Export           EmployeeType            employeeType
    Export           FirstName               firstName
    Export           LastName                lastName
    Export           Manager                 manager
    Export           ObjectSID               objectSid

    1. Select Person as the Data source object type.

    2. Select person as the Metaverse object type.

    3. Select Direct as the Mapping Type.

    4. For each row in the previous table, complete the following steps:

      1. Select the Flow Direction shown for that row in the table.

      2. Select the Data source attribute shown for that row in the table.

      3. Select the metaverse attribute shown for that row in the table.

      4. To apply the flow mapping, click New.

  9. On the Configure Deprovisioning page, click Next.

  10. To create the management agent, on the Configure Extensions page, click Finish.

Creating the Fabrikam ADMA

The Fabrikam ADMA is a management agent for AD DS. To create this management agent, you use the Create Management Agent wizard.

To create the Fabrikam ADMA

  1. To open the Create Management Agent wizard, on the Actions menu, click Create.

  2. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: Active Directory Domain Services

    • Name: Fabrikam ADMA

  3. On the Connect to Active Directory Forest page, provide the following settings, and then click Next:

    • Forest name: fabrikam.com

    • User name: administrator

    • Password: <the account’s password>

    • Domain: fabrikam

  4. On the Configure Directory Partitions page, provide the following settings, and then click Next:

    1. In the Select directory partitions list, select DC=Fabrikam,DC=com.

    2. To open the Select Containers dialog box, click Containers.

    3. To cancel the selection of all selected nodes, click the DC=Fabrikam,DC=com node.

    4. Click the FIMObjects node.

    5. To close the Select Containers dialog box, click OK.

  5. On the Configure Provisioning Hierarchy page, click Next.

  6. On the Select Object Types page, provide the following settings, and then click Next:

    • In the Object types list, select user.

  7. On the Select Attributes page, provide the following settings, and then click Next:

    • Select Show All.

    • In the Attributes list, select the following attributes:

      • company

      • displayname

      • employeeID

      • employeeType

      • givenName

      • manager

      • objectSid

      • sAMAccountName

      • sn

      • unicodePwd

      • userAccountControl

  8. On the Configure Connector Filter page, click Next.

  9. On the Configure Join and Projection Rules page, click Next.

  10. On the Configure Attribute Flow page, click Next.

  11. On the Configure Deprovisioning page, click Next.

  12. On the Configure Extensions page, click Finish.

Creating run profiles

This topic provides instructions for creating and configuring the required run profiles.

Creating run profiles for the Fabrikam HRMA management agent

Before you can start with the configuration of the run profiles for this management agent, you need to copy the import data file you created in a previous section into the management agent’s data folder.

To copy the management agent’s data file

  1. Open the Run command dialog box.

  2. In the Open text box, type cmd /c copy "C:\HRData.txt" "%programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\Fabrikam HRMA" (copy is a cmd.exe built-in command, so the Run dialog box cannot execute it without the cmd /c prefix).

The following table shows the run profiles you create for the Fabrikam HRMA:

Profile     Run profile name       Step type
Profile 1   Full Import            Full Import (Stage Only)
Profile 2   Full Synchronization   Full Synchronization

To create run profiles for the Fabrikam HRMA management agent

  1. In FIM 2010, open the Synchronization Service Manager and, in the Tools menu, click Management Agents.

  2. In the management agent list, click Fabrikam HRMA.

  3. To open the Configure Run Profiles for dialog box, on the Actions menu, click Configure Run Profiles.

  4. To open the Configure Run Profile wizard, click New Profile.

  5. In the Name text box, type Full Import, and then click Next.

  6. In the Type list, click Full Import (Stage Only), and then click Next.

  7. In the Input file name text box, type HRData.txt.

  8. To create the run profile, click Finish.

  9. To open the Configure Run Profile wizard, click New Profile.

  10. In the Name box, type Full Synchronization, and then click Next.

  11. In the Type list, select Full Synchronization, and then click Next.

  12. To create the run profile, click Finish.

  13. To close the Configure Run Profiles dialog box, click OK.

Creating run profiles for the Fabrikam ADMA management agent

The following table lists the run profiles you create for the Fabrikam ADMA management agent:

Profile     Run profile name        Step type
Profile 1   Full Import             Full Import (Stage Only)
Profile 2   Full Synchronization    Full Synchronization
Profile 3   Delta Import            Delta Import (Stage Only)
Profile 4   Delta Synchronization   Delta Synchronization
Profile 5   Export                  Export

To create run profiles for the Fabrikam ADMA management agent

  1. In FIM 2010, open the Synchronization Service Manager and, on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam ADMA.

  3. To open the Configure Run Profiles for dialog box, on the Actions menu, click Configure Run Profiles.

  4. For each run profile in the table immediately above this procedure, complete the following steps:

    1. To open the Configure Run Profile wizard, click New Profile.

    2. In the Name box, type the profile name shown in the table, and click Next.

    3. In the Type list, select the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

  5. To close the Configure Run Profiles dialog box, click OK.

Creating run profiles for the Fabrikam FIMMA management agent

The following table lists the run profiles you create for the Fabrikam FIMMA management agent:

Profile     Run profile name        Step type
Profile 1   Full Import             Full Import (Stage Only)
Profile 2   Full Synchronization    Full Synchronization
Profile 3   Delta Import            Delta Import (Stage Only)
Profile 4   Delta Synchronization   Delta Synchronization
Profile 5   Export                  Export

To create run profiles for the Fabrikam FIMMA management agent

  1. In FIM 2010, open Synchronization Service Manager and, on the Tools menu, click Management Agents.

  2. In the management agent list, select Fabrikam FIMMA.

  3. To open the Configure Run Profiles for dialog box, on the Actions menu, click Configure Run Profiles.

  4. For each run profile in the table immediately above this procedure, complete the following steps:

    1. To open the Configure Run Profile wizard, click New Profile.

    2. In the Name box, type the profile name shown in the table, and then click Next.

    3. In the Type list, click the step type shown in the table, and then click Next.

    4. To create the run profile, click Finish.

  5. To close the Configure Run Profiles dialog box, click OK.

Configuring the FIM Service

For the scenario in this document you perform the following configuration steps in the FIM 2010 R2 Service:

  1. Creating the HR user inbound synchronization rule

  2. Creating the Active Directory user provisioning policy

Creating the HR user inbound synchronization rule

The objective of the HR user inbound synchronization rule is to populate the FIM 2010 R2 service with data from the HR data file. The following table shows the configuration of this synchronization rule.

HR User Inbound Synchronization Rule

To configure the HR inbound synchronization rule, you use the related wizard pages.

To create the HR user inbound synchronization rule

  1. On the FIM 2010 R2 portal home page, on the navigation bar, click Administration.

  2. To open the Synchronization Rules page, click Synchronization Rules.

  3. To open the Create Synchronization Rule wizard, in the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • Display Name: HR User Inbound Synchronization Rule

    • Data Flow Direction: Inbound

  5. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: Fabrikam HRMA

    • External System Resource Type: person

  6. On the Relationship tab, provide the following information, and then click Next:

    • To configure the Relationship Criteria, select employeeID from the MetaverseObject:person(Attribute) list and EmployeeID from the ConnectedSystemObject:person(Attribute) list.

    • Select Create Resource In FIM.

  7. On the Inbound Attribute Flow page, provide the following information, and then click Next:

    Flow rule   Source         Destination
    Rule 1      Company        company
    Rule 2      EmployeeID     employeeID
    Rule 3      EmployeeType   employeeType
    Rule 4      FirstName      firstName
    Rule 5      LastName       lastName
    Rule 6      Manager        manager
    Rule 7      UserID         accountName

    1. For each row in the previous table, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute shown for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To set the displayName attribute, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the attributes list, select FirstName.

      3. Click Concatenate Value.

      4. In the attributes list, select String.

      5. In the text box, type a space.

      6. Click Concatenate Value.

      7. In the attributes list, select LastName.

      8. On the Destination tab, in the attributes list, select displayName.

      9. To apply the attribute flow configuration, click OK.

  8. On the Summary tab, click Submit.

Creating the Active Directory provisioning policy

The Active Directory users in the scenario of this document originate in the HR data file. Because of this, you have an outbound facing object and attribute flow from the metaverse to the Active Directory connector space. For an outbound facing synchronization operation, an outbound synchronization rule needs to be linked to all affected objects. In FIM 2010 R2, workflows are used to add or remove managed objects from the scope of an outbound synchronization rule. A third component, a Management Policy Rule (MPR), is required to determine when a Workflow needs to be activated. The combination of an outbound synchronization rule, a Workflow, and a MPR that is used to add or remove a managed object from the scope of an outbound synchronization rule is known as the provisioning policy.

The following illustration outlines the dependencies of the provisioning policy components:

Synchronization Rule Configuration

Creating the Active Directory provisioning policy consists of the following building blocks:

  • Creating the Active Directory user synchronization rule

  • Creating the Active Directory provisioning workflow

  • Creating the All Contractors and FTEs Set

  • Creating the Active Directory management policy rule

Tip

When you are done configuring your provisioning policy, you can run the script described in Using PowerShell to document your provisioning policy configuration to test the accuracy of your configuration.

The following illustration shows the result of running the script to document your synchronization policy configuration.

Provisioning Policy

Creating the Active Directory user synchronization rule

You can enable the scenario users to access the FIM 2010 R2 portal by populating the domain and the security identifier (SID) attribute on an FIM 2010 R2 user object. The domain and the SID attribute are contributed by your AD DS. This is why the synchronization rule that is used to manage the user objects in this scenario is a combination of an inbound and an outbound synchronization rule.

The following table shows the configuration of this synchronization rule.

Active Directory User Synchronization Rule

To configure the Active Directory synchronization rule, you use the related wizard pages.

To create the Active Directory user synchronization rule

  1. On the FIM 2010 R2 Portal home page, click Administration, and then select Synchronization Rules.

  2. To open the Create Synchronization Rules wizard, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory User Synchronization Rule

    • Data Flow Direction: Inbound and Outbound

  4. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: Fabrikam ADMA

    • External System Resource Type: user

  5. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): employeeID

      • ConnectedSystemObject:person(Attribute): employeeID

    2. Create Resource in External System: selected

  6. On the Workflow Parameters tab, click Next.

  7. On the Outbound Attribute Flow tab, provide the following information, and then click Next:

    Source         Destination
    accountName    sAMAccountName
    company        company
    displayName    displayName
    employeeID     employeeID
    employeeType   employeeType
    firstName      givenName
    lastName       sn
    manager        manager

    1. For each row in the previous table, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute shown for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To set the DN attribute flow, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the attributes list, select String, and then in the associated text box, type CN=.

      3. Click Concatenate Value.

      4. In the attributes list, select displayName

      5. Click Concatenate Value.

      6. In the attributes list, select String.

      7. In the text box, type ,OU=FIMObjects,DC=Fabrikam,DC=com.

      8. On the Destination tab, in the attributes list, select dn.

      9. To apply the attribute flow configuration, click OK.

    3. To set an initial password, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the attributes list, select String, and then in the associated text box, type P@ssW0rd.

      3. On the Destination tab, in the Destination list, select unicodePwd.

      4. To apply the attribute flow configuration, click OK.

    4. To set the userAccountControl attribute, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the attributes list, select Number, and then type 512 in the associated text box.

      3. On the Destination tab, in the Destination list, select userAccountControl.

      4. To apply the attribute flow configuration, click OK.

    5. Select Initial Flow Only for the following flows:

      • “CN=”+firstName+” “+lastName+”,OU=FIMObjects,DC=Fabrikam,DC=com” =>dn

      • 512=>userAccountControl

      • “P@ssW0rd”=>unicodePwd

  8. On the Inbound Attribute Flow tab, provide the following information, and then click Finish.

    1. To open the Flow Definition dialog box, click New Attribute Flow.

    2. On the Source tab, in the attributes list, select objectSid.

    3. On the Destination tab, in the Destination list, select objectSid.

    4. To apply the attribute flow configuration, click OK.

    5. To open the Flow Definition dialog box, click New Attribute Flow.

    6. On the Source tab, in the attributes list, select String, and then type FABRIKAM in the associated text box.

    7. On the Destination tab, in the Destination list, select domain.

  9. On the Summary tab, click Submit.

Creating the Active Directory provisioning workflow

The objective of the Active Directory provisioning workflow is to bring user objects into the scope of the Active Directory user synchronization rule. The following table shows the configuration of the workflow.

Active Directory Provisioning Workflow

To configure the Active Directory provisioning workflow, you use the related wizard pages.

To create the Active Directory provisioning workflow

  1. On the FIM 2010 R2 Portal home page, in the Management Policy Rules section of the navigation bar, click Workflows to open the Workflows page.

  2. To open the Create Workflow wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Workflow Name: Active Directory Provisioning Workflow

    • Workflow Type: Action

  4. On the Activities tab, perform the following steps, and then click Next:

    1. In the Activity Picker, select Synchronization Rule Activity, and then click Select.

    2. In the Synchronization Rules list, select Active Directory User Synchronization Rule.

    3. In the Action Selection options, select Add.

    4. Click Save.

  5. On the Summary tab, click Submit.

Creating the All Contractors and FTEs Set

One option to trigger an MPR is to use a membership change in a Set. For the scenario in this document, all users that become a member of the AD Contractors and FTEs Set are supposed to be brought into the scope of the Active Directory synchronization rule.

The following illustration shows the filter statement of this Set.

Set Filter

To configure the AD Contractors and FTEs Set, you use the related wizard pages.

To create the AD Contractors and FTEs Set

  1. To open the Sets page, in the Management Policy Rules section on the navigation bar, click Sets.

  2. To open the Create Set wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: AD Contractors and FTEs

  4. On the Criteria-based Members page, provide the following information, and then click Next:

    1. Select Enable criteria-based membership in current set.

    2. In the select statement, click all resources, and then from the resources list, select user.

    3. In the select statement, click all, and then from the match list, select any.

    4. Click Add Statement.

    5. Click <Click to select attribute>, and then from the attributes list, select Employee Type.

    6. Click <click to select value>, and then in the text box, type Contractor.

    7. Click Add Statement.

    8. Click <Click to select attribute>, and then from the attributes list, select Employee Type.

    9. Click <click to select value>, and then in the text box, type Full Time Employee.

  5. On the Manually-managed Members tab, click Next.

  6. On the Summary tab, click Submit.

Creating the Active Directory Provisioning Management Policy Rule

The objective of the Active Directory Provisioning Management Policy Rule is to bring objects that have transitioned into the All Contractors and FTEs Set into the scope of the Active Directory User Synchronization Rule by invoking the Active Directory Provisioning Workflow. The following table shows the configuration of the MPR.

Active Directory Provisioning MPR

To configure the Management Policy, you use the related wizard pages.

To create the Active Directory Provisioning Management Policy Rule

  1. To open the Management Policy Rules page, on the FIM 2010 R2 Portal home page, in the navigation bar, click Management Policy Rules.

  2. To open the Create Management Policy Rule wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory Provisioning Management Policy Rule

    • Type: Set Transition

  4. On the Transition Definition tab, provide the following information, and then click Next:

    • Transition Set: All Contractors and FTEs

    • Transition Type: Transition In

  5. On the Policy Workflows tab, perform the following steps, and then click Finish:

    • In the Action Workflows list, select Active Directory Provisioning Workflow.

  6. On the Summary tab, click Submit.

Initializing the testing environment

Before you can test your configuration with test data, you need to initialize the configuration. The following steps are part of this process:

  • Enabling provisioning

  • Initializing the Fabrikam FIMMA

  • Configuring attribute flow precedence

  • Initializing the Fabrikam ADMA

At the end of the initialization phase, the Active Directory User Synchronization Rule and the HR User Inbound Synchronization Rule are projected into the metaverse. To verify this, perform a metaverse search. The following illustration shows an example of this.

Metaverse Search

Enabling provisioning

For the scenario in this document, you need to ensure that provisioning is enabled.

To enable provisioning

  1. In FIM 2010 R2, open the Synchronization Service Manager.

  2. To open the Options dialog box, on the Tools menu, click Options.

  3. Select Enable Synchronization Rule Provisioning.

  4. To close the Options dialog box, click OK.

Initializing the Fabrikam FIMMA

To initialize the Fabrikam FIMMA, you need to run a complete synchronization cycle on this management agent. The complete cycle consists of the following run profile runs:

Step  Run profile name
1     Full Import
2     Full Synchronization
3     Export
4     Delta Import

To initialize the Fabrikam FIMMA

  1. Open the Synchronization Service Manager, and then on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam FIMMA.

  3. For each row in the table immediately above this procedure, complete the following steps:

    1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    2. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

Configuring attribute flow precedence

During the initialization of the FIM 2010 R2 management agent, the two configured synchronization rules have been brought into the metaverse. Since the sample HR data source is authoritative for certain attributes, you need to adjust the attribute flow precedence for the attributes contributed by this management agent to ensure that these attributes can flow into the metaverse and later also into the FIM 2010 R2 data store.

The following illustration shows an example of the correct configuration for the accountName and company attributes.

Attribute Flow Precedence

The following table lists the affected attributes:

Step  Attribute name
1     accountName
2     company
3     displayName
4     employeeID
5     employeeType
6     firstName
7     lastName
8     manager

To configure the attribute flow precedence

  1. In Synchronization Service Manager, on the Tools menu, click Metaverse Designer.

  2. In the Object types list, click person.

  3. For each row in the table immediately above this procedure, complete the following steps:

    1. In the Attributes list, click the attribute shown for that row in the table.

    2. To open the Configure Attribute Flow Precedence dialog box, on the Actions menu, click Configure Attribute Flow Precedence.

    3. Move your Fabrikam HRMA to the top of the list.

    4. To close the Configure Attribute Flow Precedence dialog box, click OK.

Important

After changing the attribute flow precedence, you should run the Full Synchronization run profile on the Fabrikam FIMMA.

Initializing the Fabrikam ADMA

To initialize the Active Directory management agent, you need to run a full import and a full synchronization on it. The full import is required to bring the organizational unit FIMObjects, which is used as the target for the sample objects, into the connector space. The full synchronization is required because projecting the new synchronization rules from the FIM 2010 R2 connector space into the metaverse has changed the synchronization configuration.

Step  Run profile name
1     Full Import
2     Full Synchronization

To initialize the Fabrikam ADMA

  1. Open the Synchronization Service Manager, and then on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam ADMA.

  3. For each row in the table immediately above this procedure, complete the following steps:

    1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    2. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

Testing the configuration

To test the configuration, you create some test users in the FIM 2010 R2 Portal, process the sample objects from the HR data file, and, finally, you process all sample objects in the FIM 2010 R2 Portal to AD DS.

Creating sample user objects in the FIM Portal

To create the sample users in the FIM 2010 R2 Portal, you use the related wizard pages.

The following table shows the sample user configuration:

Attribute      User 1         User 2
First Name     Britta         Jossef
Last Name      Simon          Goldberg
Display Name   Britta Simon   Jossef Goldberg
Account Name   bsimon         jgoldberg
Employee Type  Contractor     Contractor
Employee ID    13             14

To create sample users in the FIM Portal

  1. To open the FIM 2010 R2 Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

  2. To open the Users page, in the navigation bar, click Users.

  3. To open the Create User wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • First Name: Britta

    • Last Name: Simon

    • Display Name: Britta Simon

    • Account Name: bsimon

    • Domain: Fabrikam

  5. On the Work Info tab, provide the following information, and then click Finish:

    • Employee Type: Contractor

    • Employee ID: 13

  6. On the Summary tab, click Submit.

  7. To open the Create User wizard, on the toolbar, click New.

  8. On the General tab, provide the following information, and then click Next:

    • First Name: Jossef

    • Last Name: Goldberg

    • Display Name: Jossef Goldberg

    • Account Name: jgoldberg

    • Domain: Fabrikam

  9. On the Work Info tab, provide the following information, and then click Finish:

    • Employee Type: Contractor

    • Employee ID: 14

  10. On the Summary tab, click Submit.

After creating the new sample users, you should verify whether both users have the potential to be provisioned to the Active Directory data source. The verification consists of two steps:

  • Checking the Set membership

  • Checking the provisioning state

Checking the Set membership

The Active Directory outbound management policy is triggered by a change of the Set membership. For newly created users, only the condition specified under Condition After is relevant. To be eventually provisioned to AD DS, the user must be a member of the All Contractors and FTEs Set.

To check the Set membership

  1. To open the Sets page, in the Management Policy Rules section of the navigation bar, click Sets.

  2. In the Display Name list, click All Contractors and FTEs.

  3. On the Criteria-based Members tab, click View Members.

  4. Verify that Britta Simon and Jossef Goldberg are listed.

  5. Close the dialog box.

Checking the provisioning state

The membership in the All Contractors and FTEs Set triggers the process that associates a sample object with the Active Directory outbound synchronization rule. If this process has run successfully, an entry is added to the user’s Expected Rules List attribute.

You can verify the provisioning state of a user by reviewing the Expected Rules List attribute of the object. The following illustration shows an example of this.

Provisioning Properties

To check the provisioning state

  1. To open the Users page, in the navigation bar, click Users.

  2. To display all users, click the Search for button.

  3. In the Display Name list, select Britta Simon.

  4. To open the Details dialog box, on the toolbar, click Details.

  5. On the Provisioning tab, verify that AD Outbound Synchronization Rule is listed under Expected Rules List.

  6. Close the Details dialog box.
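The two checks above (Set membership and the Expected Rules List) can also be run against the FIM Service from a script. This is an added example, not the document's own or Microsoft's code; it assumes the FIMAutomation snap-in on the FIM Service server, the default service URI, and the Set and account names used on this page.

```powershell
# Added example: verify Set membership and Expected Rules List entries through
# Export-FIMConfig (FIMAutomation snap-in) instead of the Portal.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}
$uri     = "http://localhost:5725/ResourceManagementService"   # default FIM Service URI
$setName = "All Contractors and FTEs"

# Helper: read one attribute from an exported resource (null if not present)
function Get-FimAttr($resource, $name) {
    $attr = $resource.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $name }
    if ($attr -eq $null) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Check 1: computed membership of the transition Set that fires the MPR
$members  = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig `
    "/Person[ObjectID = /Set[DisplayName='$setName']/ComputedMember]"
$accounts = @($members | ForEach-Object { Get-FimAttr $_ "AccountName" })
foreach ($account in "bsimon", "jgoldberg") {
    $state = if ($accounts -contains $account) { "member" } else { "NOT a member" }
    Write-Host ("{0}: {1} of '{2}'" -f $account, $state, $setName)
}

# Check 2: the Expected Rules List entries written by the provisioning workflow.
# The ExpectedRulesList reference is dereferenced in XPath; entry DisplayName is
# assumed to carry the synchronization rule name.
foreach ($account in "bsimon", "jgoldberg") {
    $entries = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig `
        "/ExpectedRuleEntry[ObjectID = /Person[AccountName='$account']/ExpectedRulesList]"
    if (-not $entries) {
        Write-Host ("{0}: Expected Rules List is empty; the MPR or workflow has not run yet" -f $account)
        continue
    }
    foreach ($entry in $entries) {
        Write-Host ("{0}: {1}" -f $account, (Get-FimAttr $entry "DisplayName"))
    }
}
```

An empty Expected Rules List for a user who is a Set member usually means the Set Transition MPR or the workflow has not completed yet; check the Request history in the Portal before re-running the synchronization.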

Processing the sample objects in the HR data file

The objective of this step is to bring the objects in the HR data file into the FIM 2010 R2 Portal. To accomplish this, you run the following run profiles:

Step  Management agent  Run profile
1     Fabrikam HRMA     Full Import
2     Fabrikam HRMA     Full Synchronization
3     Fabrikam FIMMA    Export

You should verify after each run profile run whether your scenario works as expected. The first step in this verification process is to review the synchronization statistics.

After the import on the Fabrikam HRMA, three newly staged objects are reported by the synchronization statistics. The following illustration shows an example of this.

Import Synchronization Statistics

In addition to reviewing the synchronization statistics, you should also perform a connector space search to verify that your objects have the expected attribute values.

During the following synchronization run, these three objects are projected into the metaverse and also provisioned into the connector space of the Fabrikam FIMMA.

The following illustration shows an example of the related synchronization statistics.

Full Synchronization Synchronization Statistics

Tip

Before running an export run profile, it is a good practice to verify whether you have staged export operations on a management agent. You can do this by running the script described in Using PowerShell to display the export state of a management agent.

When you run the script that displays the export state of a management agent, three Adds should be reported. The following illustration shows an example of this.

Pending Exports

To process the sample objects in the HR data file

  1. Open Synchronization Service Manager and, in the Tools menu, click Management Agents.

  2. For each row in the table immediately above this procedure, complete the following steps:

    1. Select the management agent shown for that row in the table.

    2. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    3. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.
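The run profile sequences in this document (initializing the FIMMA and ADMA, processing the HR data file) and the pending-export check from the Tip can be driven from one script through the Synchronization Service WMI provider. This is an added example and not the FIM Scriptbox script the Tip refers to; it assumes it runs on the synchronization server under an account in the FIMSyncAdmins group and uses the management agent and run profile names from the tables on this page.

```powershell
# Added example: run a sequence of run profiles on one management agent, stop on the
# first failure, and report the exports staged in its connector space (MIIS_ManagementAgent).
param(
    [string]$MaName        = "Fabrikam FIMMA",
    [string[]]$RunProfiles = @()     # empty: only report the export state
)

$ns = "root\MicrosoftIdentityIntegrationServer"
$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name = '$MaName'"
if ($ma -eq $null) { throw "Management agent '$MaName' not found." }

foreach ($profile in $RunProfiles) {
    Write-Host ("Running '{0}' on {1} ..." -f $profile, $MaName)
    # Execute() returns when the run has finished; ReturnValue is the run result string
    $result = $ma.Execute($profile).ReturnValue
    if ($result -ne "success") {
        # Stop the sequence so that a failed import or synchronization is never exported
        throw ("Run profile '{0}' ended with '{1}'. Review the run history before continuing." -f $profile, $result)
    }
    Write-Host ("  {0}: {1}" -f $profile, $result)
}

# Same figures as the Tip's export-state script: objects staged in the connector
# space that the next Export run profile will write to the connected data source.
$adds    = $ma.NumExportAdd().ReturnValue
$updates = $ma.NumExportUpdate().ReturnValue
$deletes = $ma.NumExportDelete().ReturnValue
Write-Host ("Pending exports on {0}: {1} adds, {2} updates, {3} deletes" -f $MaName, $adds, $updates, $deletes)
```

Running it first with -MaName 'Fabrikam HRMA' -RunProfiles 'Full Import','Full Synchronization' and then with the defaults reproduces the table above up to the Export step, and the second run should report the three Adds the Tip describes before you export.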

Processing the sample objects in the FIM Portal

The objective of the last testing phase is to publish all sample objects in AD DS. You should verify whether the objects you have imported from your HR system fulfill the prerequisites to be provisioned to AD DS. As a first step, you should review the membership in the All Contractors and FTEs Set.

The following illustration shows an example of this.

Set Members

In addition to this, you should review the Expected Rules List attribute values of the new user objects. If the Expected Rules List attribute has been populated with the right value, you are ready to provision your sample objects to AD DS.

During the synchronization run on your Fabrikam FIMMA, five new objects are provisioned to the connector space of the Fabrikam ADMA. The following illustration shows an example of this.

Synchronization Statistics

To confirm the report of the synchronization statistics, you can run the script that lists the pending exports on your Fabrikam ADMA. The following illustration shows an example of this.

Pending Exports

During an export run profile run on your Fabrikam ADMA, the five sample users are created in AD DS. You should verify this by looking at the content of the FIMObjects organizational unit. The following illustration shows an example of this.

Active Directory Users

To provision your sample objects to AD DS, you run a sequence of run profiles. The following table lists the required run profiles for this phase:

Step  Management agent  Run profile
1     Fabrikam FIMMA    Delta Import
2     Fabrikam FIMMA    Full Synchronization
3     Fabrikam ADMA     Export
4     Fabrikam ADMA     Delta Import

To process the sample objects in the FIM Portal

  1. Open Synchronization Service Manager, and then on the Tools menu, click Management Agents.

  2. For each row in the table immediately above this procedure, complete the following steps:

    1. Select the management agent shown for that row in the table.

    2. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    3. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

See Also

Reference

Documentation Roadmap
Understanding Data Synchronization with External Systems
How Do I Synchronize Users from Active Directory Domain Services to FIM
How Do I Synchronize Groups from Active Directory Domain Services to FIM
How do I Provision Users to Active Directory Domain Services
How do I Provision Groups to Active Directory Domain Services
FIM Experts Corner
FIM Scriptbox