Group Creation and Provisioning Walkthrough: Scenario Design
Applies To: Windows Server 2003 with SP1
Scenario Design
This section discusses the architectural design of this scenario and describes the GroupPopulator management agent, the group definition database table, and the group creation and provisioning cycle.
Architectural Overview
Table 3.1 lists the management agents (MAs) that you use in the Group Creation and Provisioning scenario.
Table 3.1 Fabrikam MAs
MA | MA Name | MA Type | Purpose
---|---|---|---
MA 1 | Fabrikam HR MA | Attribute-value pair text file | Imports information from an HR system. The HR system is emulated by file dumps with employee data. Full and delta snapshots of the files are provided so that you can examine the full and delta import functionality of Microsoft Identity Integration Server 2003 file-based management agents.
MA 2 | Fabrikam Telephone MA | Fixed-width text file | Populates telephone numbers for the employees. Full and delta snapshots of the files are provided for the same purpose.
MA 3 | Fabrikam AD MA | Active Directory | Sends objects provisioned from the Fabrikam HR data to the Active Directory forest. The forest consists of one domain.
MA 4 | GroupPopulator MA | Attribute-value pair text file | Imports groups and membership information into the metaverse.
Microsoft Identity Integration Server 2003 and all of the management agents are located on the server running Microsoft Identity Integration Server 2003. Active Directory is installed on a different computer (as described below).
To provision the group objects from the GroupPopulator management agent to the Fabrikam AD MA, a rules extension is provided with this scenario. This rules extension extends the Simple Account Provisioning rules extension.
To calculate groups and group membership, a Visual C# .NET application, called GroupPopulator.exe, is provided. This application reads data from the metaverse and writes the results of its calculation to a file. This file is imported by the GroupPopulator MA. The GroupPopulator MA uses a table to read group definitions.
Lastly, the file GroupPopulatorSync.cmd is provided to trigger the group creation and provisioning in Microsoft Identity Integration Server 2003.
GroupPopulator MA
To understand the scenario design, become familiar with the GroupPopulator MA, including:
Import file structure
Attribute configuration
Join and projection configuration
Import attribute flow configuration
Import File Structure
The attribute-value pair import file that defines the groups and their members has the following structure:
displayname: Sheelah Basarah
objecttype: person
uid: {385A0A21-65B8-4439-B979-BA157BAB0A6A}
displayname: Department 001
objecttype: group
uid: 001
member: {385A0A21-65B8-4439-B979-BA157BAB0A6A}
member: {26012FCD-56CF-4CC7-8A1B-A38A97E02385}
member: {7D8BD2F6-0295-4BF1-A088-A25308D652CA}
member: {C2BF1EE4-99D7-42BE-A742-1CA7763B19BD}
member: {2189410B-CA74-4084-A5C7-0F75C3BACFE2}
The file contains records of two object types, person and group. In this file the members of the groups are person objects, but a member does not have to be a user or person; it can be any object in the metaverse.
The anchor of the person object type is the uid attribute, which maps to the metaverse objectID attribute.
The anchor of the group object type is also the uid attribute, but for groups this is a unique ID that you supply manually in the group definition (the groupID column of the table described later in this section). Each member value is a reference to the uid of a person object; this is how the group-member relationship is expressed in the file.
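The following parser is an added example, not code from the walkthrough, that reads a file in the layout shown above and checks that every member value resolves to a uid present in the file. It assumes that a record ends either at a blank line or where a single-valued attribute repeats (the listing above has no blank lines), that member is the only multi-valued attribute, and that attribute names are case-insensitive. The sample file is constructed from the listing above with a second person and a second group added; one member reference in that group is deliberately left unresolved.

```python
"""Parse a GroupPopulator-style attribute-value pair (AVP) import file and
check member references. Added example; not the scenario's own code."""
from collections import defaultdict

# Constructed sample in the layout of the listing above. The last member of
# Department 002 refers to a uid that appears nowhere else in the file.
SAMPLE_AVP = """\
displayname: Sheelah Basarah
objecttype: person
uid: {385A0A21-65B8-4439-B979-BA157BAB0A6A}
displayname: Pearl Letargo
objecttype: person
uid: {26012FCD-56CF-4CC7-8A1B-A38A97E02385}
displayname: Department 001
objecttype: group
uid: 001
member: {385A0A21-65B8-4439-B979-BA157BAB0A6A}
member: {26012FCD-56CF-4CC7-8A1B-A38A97E02385}
displayname: Department 002
objecttype: group
uid: 002
member: {26012FCD-56CF-4CC7-8A1B-A38A97E02385}
member: {7D8BD2F6-0295-4BF1-A088-A25308D652CA}
"""

MULTI_VALUED = {"member"}  # assumption: the only multi-valued attribute


def parse_avp(text):
    """Return a list of records. Each record maps an attribute name to its
    value, or to a list of values for multi-valued attributes."""
    records, current = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # a blank line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'name: value', got {raw!r}")
        name, value = (part.strip() for part in line.split(":", 1))
        name = name.lower()
        if name in MULTI_VALUED:
            current.setdefault(name, []).append(value)
        elif name in current:  # repeated single-valued attribute starts a new record
            records.append(current)
            current = {name: value}
        else:
            current[name] = value
    if current:
        records.append(current)
    return records


def check_references(records):
    """Map each group uid to its member list and collect member values that
    do not match any uid in the file. MIIS resolves references against the
    metaverse, so an unresolved value here is something to investigate
    rather than a definite error."""
    known = {r["uid"] for r in records if "uid" in r}
    groups, dangling = {}, defaultdict(list)
    for r in records:
        if r.get("objecttype") != "group":
            continue
        members = r.get("member", [])
        groups[r["uid"]] = members
        for m in members:
            if m not in known:
                dangling[r["uid"]].append(m)
    return groups, dict(dangling)
```

Running check_references over the sample reports the unresolved GUID under group 002 while group 001 resolves cleanly; the same check run over the file the GroupPopulator MA imports shows which member values will have no matching metaverse object before the import is started.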
Attribute Configuration
Table 3.2 displays the attributes that are configured during the creation of the GroupPopulator MA.
Table 3.2 Attributes Configured for GroupPopulator MA
Name | Type | Multi-Valued
---|---|---
displayName | String | No
objecttype | String | No
uid | String | No
member | Reference (DN) | Yes
The uid attribute is configured as the anchor attribute.
You use the advanced configuration option on the management agent to designate objecttype as the Define Object Type attribute. This is required because the import file contains more than one object type (in this scenario, person and group).
Join and Projection Configuration
You configure one join rule for each object type. A person object joins on its uid attribute mapped directly to the metaverse objectID attribute, against any metaverse object type; a group object joins on its uid attribute mapped directly to the uid attribute of a metaverse group object. Table 3.3 lists how the objects and attributes are linked between the connected data source and the metaverse.
Table 3.3 Object Types and Attributes Used for Join Mapping
Connected Data Source Object Type | Connected Data Source Attribute | Join Mapping | Metaverse Object Type
---|---|---|---
Group | uid | Direct to uid | Group
Person | uid | Direct to objectID | Any
A projection rule is configured only for the group object type in the connected data source. It is a declared projection to the metaverse group object type, so a group that does not join an existing metaverse object creates a new group object in the metaverse.
Import Attribute Flow Configuration
In this scenario, you set up import attribute flow for the group object type only (scoped by Data Source.group and Metaverse.group). Table 3.4 lists the import attribute flow configuration used for the GroupPopulator MA.
Table 3.4 Import Attribute Flow Configuration
Connected Data Source Attribute | Metaverse Attribute | Mapping Type
---|---|---
displayName | displayName | Direct
member | member | Direct
uid | uid | Direct
The Group Definition Database Table
The group definition table is the core of the scenario and defines how groups and their membership are calculated. The group definition table has three columns:
groupID: The unique ID of the group.
displayName: The display name of the group.
clause: The SQL Server where-clause that is used to select the group members from the metaverse.
The name of the table is GroupDefinitions and it is located within the MIIS_Group_Populator database. Table 3.5 shows a sample row of the group definition table.
Table 3.5 Sample Row from Group Definition Table
GroupID | DisplayName | Clause
---|---|---
001 | Department 001 | object_type = 'person' and department = '001'
This row indicates the creation of a group in the metaverse with the display name of Department 001. The members of this group are all objects in the metaverse of the person object type, and they have the value of the department attribute set to 001.
The clause can be any valid SQL Server where-clause of any complexity. Note that GroupPopulator.exe appends the clause verbatim to a query against the metaverse database, so whoever can write a row to GroupDefinitions can both run arbitrary SQL in the Microsoft Identity Integration Server 2003 database and decide who becomes a member of the groups provisioned to Active Directory. Restrict write access to this table as tightly as you restrict the MIIS database itself. For example, Table 3.6 lists another sample row from the group definition table that uses a more complex SQL Server where-clause.
Table 3.6 Sample Row with Complex SQL Server Where-Clause
GroupID | DisplayName | Clause
---|---|---
006 | All People with Direct Reports | object_id in (select distinct reference_id from mms_mv_link where attribute_name='manager')
This row indicates the creation of a group in the metaverse with the display name All People with Direct Reports. Its members are all metaverse objects that are referenced by at least one other object's manager attribute, that is, everyone who has people reporting to them, provided the manager attribute is used to express the reporting relationship.
Table 3.7 shows all of the rows that are configured when you set up this scenario.
Table 3.7 Complete Group Definition Table
GroupID | DisplayName | Clause
---|---|---
001 | Department 001 | object_type = 'person' and department = '001'
002 | Department 002 | object_type = 'person' and department = '002'
003 | Department 003 | object_type = 'person' and department = '003'
004 | Department 004 | object_type = 'person' and department = '004'
005 | Direct Reports Pearl Letargo | object_id in (select object_id from mms_mv_link where attribute_name='manager' and reference_id = (select object_id from mms_metaverse where uid = 'pletargo'))
006 | All People with Direct Reports | object_id in (select distinct reference_id from mms_mv_link where attribute_name='manager')
Note
You need to customize this table for the groups that apply to your environment. To construct a clause, it is recommended that you open SQL Query Analyzer, type "select * from mms_metaverse where " first, and then type the where-clause criteria until the result set is exactly the intended group membership. Test every clause with SQL Server 2000 Service Pack 3 (SP3) SQL Query Analyzer before adding it to the table to ensure that the correct members are calculated.
The Group Creation and Provisioning Cycle
The GroupPopulatorSync.cmd file activates several processes that, when finished, create the groups and group memberships in the metaverse. The GroupPopulatorSync.cmd file performs the following processes, always in this exact sequence:
Runs GroupPopulator.exe. For each row of the group definition table, the application uses the defined clause to query the metaverse, and the results are written to a file named Output.txt.
Copies the Output.txt file to the MaData folder as the Populate-groups.txt file. This is the file that the GroupPopulator MA imports.
Runs the GroupPopulator MA. The GroupPopulator MA reads the Populate-groups.txt file as a full import. After this step, all of the groups are populated in the metaverse with their membership. Because this is a full import run, any group that was removed from the group definition table (and is therefore absent from the file) is deleted from the metaverse.
You can run the GroupPopulatorSync.cmd batch file as often as required to recalculate the groups.
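To make the group definition table and the first step of the cycle concrete, here is an added example in Python that emulates what GroupPopulator.exe does: it evaluates the Table 3.7 clauses against the metaverse and renders the Output.txt content in the AVP layout shown under Import File Structure. This is not the scenario's own GroupPopulator.exe (whose source is not on this page). It assumes an in-memory SQLite database standing in for SQL Server, with only the mms_metaverse and mms_mv_link columns the clauses reference; the people, departments and manager links are constructed, and the check_clause guard is the example's own addition, not part of the scenario.

```python
"""Emulation of the GroupPopulator.exe step: evaluate each GroupDefinitions
row against the metaverse and render the AVP file the GroupPopulator MA
imports. Added example; not the scenario's own GroupPopulator.exe."""
import re
import sqlite3

# Constructed metaverse content: four people in two departments, two of
# them reporting to Pearl Letargo through the manager reference attribute.
PEOPLE = [
    # (object_id, uid, displayname, department)
    ("{385A0A21-65B8-4439-B979-BA157BAB0A6A}", "sbasarah", "Sheelah Basarah", "001"),
    ("{26012FCD-56CF-4CC7-8A1B-A38A97E02385}", "pletargo", "Pearl Letargo", "001"),
    ("{7D8BD2F6-0295-4BF1-A088-A25308D652CA}", "person3", "Third Person", "002"),
    ("{C2BF1EE4-99D7-42BE-A742-1CA7763B19BD}", "person4", "Fourth Person", "002"),
]
MANAGER_LINKS = [
    # (object_id, attribute_name, reference_id): object_id reports to reference_id
    (PEOPLE[0][0], "manager", PEOPLE[1][0]),
    (PEOPLE[2][0], "manager", PEOPLE[1][0]),
]

# GroupDefinitions rows taken from Table 3.7 (straight quotes).
GROUP_DEFINITIONS = [
    ("001", "Department 001", "object_type = 'person' and department = '001'"),
    ("002", "Department 002", "object_type = 'person' and department = '002'"),
    ("005", "Direct Reports Pearl Letargo",
     "object_id in (select object_id from mms_mv_link where attribute_name='manager' "
     "and reference_id = (select object_id from mms_metaverse where uid = 'pletargo'))"),
    ("006", "All People with Direct Reports",
     "object_id in (select distinct reference_id from mms_mv_link "
     "where attribute_name='manager')"),
]


def build_metaverse():
    """Create the stand-in tables (assumed column subset) and load the rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table mms_metaverse(object_id text primary key, object_type text,
                                   uid text, displayname text, department text);
        create table mms_mv_link(object_id text, attribute_name text, reference_id text);
    """)
    db.executemany("insert into mms_metaverse values (?, 'person', ?, ?, ?)", PEOPLE)
    db.executemany("insert into mms_mv_link values (?, ?, ?)", MANAGER_LINKS)
    return db


def check_clause(clause):
    """The clause is spliced into the query verbatim, so a GroupDefinitions
    row carries the same power as direct SQL against the MIIS database.
    This guard is the example's own (the scenario has none): it rejects
    statement terminators and comment markers so a definition cannot carry
    a second statement past the WHERE. Access control on the table remains
    the real protection."""
    if re.search(r";|--|/\*", clause):
        raise ValueError(f"clause contains statement or comment syntax: {clause!r}")
    return clause


def resolve_members(db, clause):
    """Return the object_ids selected by the where-clause, in stable order."""
    sql = ("select object_id from mms_metaverse where "
           + check_clause(clause) + " order by object_id")
    return [row[0] for row in db.execute(sql)]


def render_avp(db, definitions):
    """Render one group record per definition in the AVP layout shown under
    Import File Structure, records separated by a blank line."""
    records = []
    for group_id, display_name, clause in definitions:
        lines = [f"displayname: {display_name}", "objecttype: group", f"uid: {group_id}"]
        lines += [f"member: {m}" for m in resolve_members(db, clause)]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Equivalent of writing Output.txt before it is copied to MaData.
    print(render_avp(build_metaverse(), GROUP_DEFINITIONS), end="")
```

Run stand-alone, the script prints four group records whose member lines are the object_ids the clauses select; the member values are metaverse objectIDs, which is why the person join rule in Table 3.3 maps uid directly to objectID. Swap the constructed rows for a real GroupDefinitions export and a read-only connection to the MIIS database to preview what a clause will do before GroupPopulatorSync.cmd runs it for real.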
Important
Although all groups and all membership information are read into Microsoft Identity Integration Server 2003 during the full import run, this does not result in a full modification of every group and every membership. Microsoft Identity Integration Server 2003 calculates what has actually changed in the full import and propagates only that to the metaverse (and from there to other connected data sources). If only one member was added to one group, only that single value change flows to the metaverse; the member attribute of a large group is not replaced wholesale, only the values that changed.