Rules Extensions

  • Article

While you can configure most rules by using Synchronization Service Manager, Microsoft® Forefront Identity Manager (FIM) 2010 R2 administrators can customize the way that management agents and the metaverse work by creating rules extensions. You create rules extensions by using a programming language such as Microsoft Visual Basic .NET or C#. Rules extensions are implemented as a Microsoft .NET Framework class library or as a dynamic-link library (DLL), and they are stored in the Extensions folder of the FIM root directory.

Note

When you create a rules extension project using Synchronization Service Manager in FIM, the project will now be created in Visual Studio 2008. If you use Visual Studio 2008 with rules extensions that were created using Visual Studio .NET 2003, the extensions will be converted to a Visual Studio 2008 project and will be converted to Microsoft .NET Framework 2.0. You will be able to run all existing rules extensions (whether they have been compiled with Microsoft .NET Framework 1.1 or Microsoft .NET Framework 2.0) on FIM without having to recompile your projects. Note, however, that all new development and debugging work done on FIM rules extensions will require the use of Visual Studio .NET Professional 2008, Visual Basic® 2008 (or Express Edition), Visual C#® 2008 (or Express Edition), and can no longer be done with Visual Studio .NET Professional 2003. For more information about upgrading Visual Studio .NET Professional 2003 projects to Visual Studio .NET Professional 2008, see this MSDN article. (https://go.microsoft.com/fwlink/?LinkID=77551)

The following table lists and describes the types of rules extensions that FIM supports.

Rules extension type Description

Management agent

A management agent rules extension is applied to data as it flows from the connector space to the metaverse. Each management agent can have only one rules extension. Management agent rules are:

  • Connector filter rules

  • Join rules

  • Projection rules

  • Attribute flow rules

  • Deprovisioning rules

Metaverse

A metaverse rules extension is applied to data as it flows from the metaverse to the connector space. The metaverse can have only one rules extension. Metaverse rules are:

  • Provisioning rules

  • Object deletion rules

Some of the common tasks that you can perform using a rules extension are:

  • Transforming data

    • Flowing attribute—Data transformation is one of the most common tasks that rules extensions are used for. Data transformation occurs during attribute flow by calculating a target attribute value (or attribute values, in the case of a multi-value attribute). Typically, the source of this calculation is based on source attributes that are imported into FIM, or it is based on information from external data sources.

    • Finding Join candidates—Data transformation can also be used to find join candidates. This is a special case of calculating a value, or values, that is later used in the join process to find matches in the metaverse.

  • Creating new accounts—Along with synchronization and data transformation, the most common task that FIM is used for is the creation of new objects, such as user accounts or mail contacts, in single or multiple connected data sources. This is known as provisioning.

  • Checking for attribute values—Sometimes it is necessary to check for attribute values before making the decision of how, or if, an object is processed by FIM. Attribute values can be checked for objects in the connector space or in the metaverse.

  • Creating unique attribute values—FIM can be used to ensure uniqueness for specific attribute values (for example, for an e-mail alias or a logon account name). After attribute values are flowed into the metaverse, a search is made of existing attribute values, and a comparison is made for uniqueness.

  • Creating a unique naming attribute—Every connected data source has a naming attribute for its entries or objects. For example, in a Lightweight Directory Access Protocol (LDAP) directory this would be the distinguished name (also known as DN). Typically, these naming attributes are constructed based on information that is flowed into the metaverse. A rules extension can calculate and apply a naming attribute based on this information, and it can guarantee uniqueness of the naming attribute by determining if an object with that name already exists. In this case, the rules extension can recalculate the naming attribute and retry the operation.

  • Deprovisioning accounts—Deprovisioning is the process of managing connector space objects after they have been disconnected from a metaverse object under certain circumstances. In some cases you might want to remove the connector space object permanently. In other cases you might want to keep the connector space object in a disconnected state and have it available to link to a metaverse object at a later time.

  • Moving objects—A common task in administrating directories is to move objects within a hierarchy. Moving an object is accomplished by creating a new naming attribute and assigning this attribute to the object.

  • Setting initial passwords—During the creation of a new account, it is often necessary to assign an initial password. A rules extension can be written to immediately assign an initial password when a new account is created.

  • Enabling or disabling accounts—Accounts on different connected data sources can be enabled or disabled by setting specific attribute values for the user account. One example is Active Directory where the userAccountControl attribute determines the state of a user account. A rules extension can modify this attribute at any place during the attribute flow

Password extensions

For file-based, database, and extensible connectivity management agents, which do not support password change and set operations by default, you can create a .NET password extension dynamic-link library (DLL), which is called whenever a password change or set call is invoked for any of these management agents. Password extension settings are configured for these management agents in Synchronization Service Manager.

Password management is supported by default in the management agents for: By using a password extension, password management is also supported in the management agents for:
  • Active Directory

  • Active Directory Lightweight Directory Services (ADLDS)

  • Lotus Notes

  • Novell eDirectory

  • Sun and Netscape directory servers
  • Attribute-value pair text files

  • Delimited text files

  • Directory Services Markup Language (DSML)

  • Extensible Connectivity

  • Fixed-width text files

  • IBM DB2 Universal Database

  • IBM Directory Server

  • LDAP Data Interchange Format (LDIF)

  • Microsoft SQL Server

  • Oracle Database

For more information about creating and using rules extensions and password extensions, see the FIM Developer Reference.