Provisioning Rules

Provisioning is the process of creating, connecting, and disconnecting objects in a connector space, based on changes to objects in the metaverse. Provisioning performs object-level actions, such as:

  • Creating a new connector space object and setting initial attribute values for the object.

  • Disconnecting connector space objects from the metaverse.

  • Renaming and moving existing connector space objects (that is, changing the distinguished name attribute).

Important

Export attribute flow rules are always called after provisioning rules have been run. Be aware that export attribute flow rules could modify attributes that were set by the provisioning rules. For this reason, any "one-time" operations, such as setting an initial password, should be done in the provisioning rules, not the export attribute flow rules.

To implement provisioning, you create and enable a rules extension. When you enable provisioning rules, they affect all objects in the metaverse. Provisioning rules are called whenever a metaverse object is modified in any of the following ways:

  • An attribute has been added, modified, or deleted by import attribute flow rules.

  • A connector space object has been joined to a metaverse object.

  • A connector space object has been projected to the metaverse.

  • A connector space object has been connected using Joiner.

  • A connector space object has been disconnected from a metaverse object and the metaverse object has not been deleted.

  • A management agent is run with a step type of Full Import and Full Synchronization, or with a step type of Full Synchronization.

The rules extension for provisioning rules can take advantage of the transactional capabilities of Microsoft® Forefront Identity Manager (FIM) 2010 R2. If a metaverse object is provisioned to multiple connected data sources and one of the provisioning rules fails, the complete synchronization operation is rolled back by default. Whenever a provisioning rule fails, it reports a rules exception to FIM, and you can write the rules extension to identify such exceptions and handle them on a per-management-agent basis by doing one of the following:

  • Calling a routine to handle the exception, and then proceeding with the synchronization. In this case the synchronization will succeed.

  • Calling a routine to analyze the exception and determine its severity. If the exception is too serious to continue, return it to FIM. In this case the entire provisioning transaction will be rolled back.

  • Letting the exception go directly to FIM. In this case the entire provisioning transaction will be rolled back.
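The following C# rules extension is an added example, not code from the FIM documentation or its "Simple Account Provisioning" sample. It provisions a metaverse person to one Active Directory connector space, performs the one-time initial password step in provisioning (not export attribute flow), and handles exceptions per management agent: recoverable ones are logged and synchronization proceeds, anything else is rethrown so FIM rolls back the transaction. The management agent name, target OU and the use of the metaverse accountName attribute are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

public class ProvisioningRules : IMVSynchronization
{
    // Assumed values for this example; substitute your own MA name and container.
    const string AdMaName = "Active Directory MA";
    const string UserContainer = "OU=Staff,DC=example,DC=com";
    const int ADS_UF_NORMAL_ACCOUNT = 0x0200;

    public void Initialize() { }
    public void Terminate() { }

    // FIM calls Provision for every metaverse change listed above.
    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person" || !mventry["accountName"].IsPresent) return;

        ConnectedMA ma = mventry.ConnectedMAs[AdMaName];
        try
        {
            // Only create a connector if this MA does not already have one for the object.
            if (ma.Connectors.Count == 0)
            {
                CSEntry csentry = ma.Connectors.StartNewConnector("user");
                csentry.DN = ma.EscapeDNComponent("CN=" + mventry["accountName"].Value)
                               .Concat(UserContainer);
                csentry["sAMAccountName"].Value = mventry["accountName"].Value;
                csentry["userAccountControl"].IntegerValue = ADS_UF_NORMAL_ACCOUNT;
                // One-time operation: set here, because export attribute flow rules
                // run after provisioning and could overwrite it.
                csentry["unicodePwd"].Values.Add(NewRandomPassword());
                csentry.CommitNewConnector();
            }
        }
        catch (Exception ex)
        {
            // Per-MA handling: tolerate a pre-existing object, rethrow anything serious.
            if (ex is ObjectAlreadyExistsException)
            {
                Trace.TraceWarning("{0}: connector already exists for {1}", AdMaName, mventry["accountName"].Value);
                return;           // synchronization continues
            }
            throw;                // FIM rolls back the whole provisioning transaction
        }
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }

    // Random initial password; the user is expected to change it at first logon.
    static string NewRandomPassword()
    {
        byte[] buf = new byte[24];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return Convert.ToBase64String(buf);
    }
}
```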

The following flow chart shows the sequence in which provisioning rules are applied.

[Flow chart: Provisioning rules]

Note

If you synchronize the metaverse with a connected data source that uses a hierarchical structure, note that FIM synchronizes attributes between containers but does not create the containers. That is, if you are provisioning a child object, FIM does not create the parent automatically. Import the Active Directory container hierarchy before provisioning objects to the connector space. You can do this by creating a management agent for Active Directory that does not contain any join or projection rules, and then running it in import mode. This creates disconnector objects in the Active Directory connector space for each of the selected containers.

For more detailed documentation on provisioning, see the FIM Developer Reference and "Simple Account Provisioning" (FIM_Account_Provisioning.doc) at https://go.microsoft.com/fwlink/?LinkID=34336.