Simple Account Provisioning Walkthrough: Implementation Steps
Applies To: Windows Server 2003 with SP1
Previous Steps in This Walkthrough
In this section, you configure three management agents (MAs) for the Fabrikam HR system, the Fabrikam Telephone system, and the Fabrikam Active Directory with the following:
Import sources/export targets
Object types
Selected attributes
Import attribute flow rules
Connector filter rules
Projection rules
Join rules
Export attribute flow rules
Run profiles
Setting Up the Fabrikam HR MA
Use Identity Manager to create the Fabrikam HR MA, and specify all of the details for object, attribute, and rule selection.
To create the Fabrikam HR MA
Click Start, click Programs, click Microsoft Identity Integration Server, and then click Identity Manager.
On the Tools menu, click Management Agents.
On the Actions menu, click Create.
Under Management agent for, click Attribute-value pair text file.
Under Name, type Fabrikam HR MA, as shown in Figure 2.3.
Click Next.
In Template Input File, click Browse, go to the folder where you copied the scenario contents from the Microsoft Identity Integration Server 2003 installation media, and then click fabrikam-hr-avp.txt.
In Code Page, click US-ASCII, as shown in Figure 2.4.
Click Next.
On the Configure Attributes page, click Set anchor.
In Available attributes, click employeeID, and then click Add, as shown in Figure 2.5.
Click OK.
On the Configure Attributes page, under Name, click managerID, and then click Edit.
Under Type, click Reference (DN), and then click OK, as shown in Figure 2.6.
After you complete anchor selection and modify the managerID attribute, verify that your screen appears as shown in Figure 2.7.
Click Next.
On the Define Object Types page, click Next (do not make any changes to the settings on this page), as shown in Figure 2.8.
On the Configure Connector Filter page, under Data Source Object Type, click person, and then click New.
In the Filter for person dialog box, under Data source attribute, click employeeStatus, under Operator, click Equals, and then, in Value, type Terminated.
Click Add Condition.
Click OK, and then verify that the Connector Filter is configured as shown in Figure 2.9.
Click Next.
On the Configure Join and Projection Rules page, under Data Source Object Type, click person.
Click New Projection Rule.
In the Projection dialog box, click Declared, and ensure that person is listed in Metaverse Object Type, as shown in Figure 2.10.
Click OK, and then verify that Join and Projection rules are configured as shown in Figure 2.11.
Click Next.
On the Configure Attribute Flow page, under Build Attribute Flow, in Data source object type, click person.
In Metaverse object type, click person, as shown in Figure 2.12.
Create Direct Import Attribute Flow Mappings
Create a direct mapping from the connected data source attribute branchID to the metaverse attribute department.
To create the direct import mappings
On the Configure Attribute Flow page of the Fabrikam HR MA, under Data source attribute, click branchID.
Under Metaverse attribute, click department.
Under Mapping Type, click Direct.
Under Flow Direction, click Import.
Click New.
Create direct import mappings for the remaining attributes listed in Table 2.6.
Table 2.6 Direct Import Attribute Flow Mappings for Fabrikam HR MA
Data source attribute | Metaverse attribute | Type |
---|---|---|
branchID | department | Direct |
c | c | Direct |
co | co | Direct |
company | company | Direct |
employeeID | employeeID | Direct |
employeeStatus | employeeStatus | Direct |
employeeType | employeeType | Direct |
givenName | givenName | Direct |
l | l | Direct |
managerID | manager | Direct |
sAMAccountName | uid | Direct |
sn | sn | Direct |
title | title | Direct |
Create Advanced Attribute Flow Mappings
Create the advanced attribute mapping for the metaverse cn attribute.
To complete the advanced attribute mapping
On the Configure Attribute Flow page, under Mapping Type, click Advanced.
Under Metaverse attribute, click cn.
Under Data source attribute, hold down the CTRL key and click givenName and sn.
Under Flow Direction, click Import.
Click New.
In the Advanced Import Attribute Flow Options dialog box, click Rules extension.
In Flow rule name, type cn, and then click OK, as shown in Figure 2.13.
Use Table 2.7 to complete the advanced attribute mappings.
Table 2.7 Advanced Attribute Mappings for Person Object
Data source attribute | Metaverse attribute | Type | Flow rule name |
---|---|---|---|
givenName, sn | cn | Advanced | cn |
givenName, sn | displayName | Advanced | displayName |
When you have finished attribute mappings, verify that attribute mappings are configured as shown in Figure 2.14.
Click Next.
On the Configure Deprovisioning page, click Next (do not adjust the default settings), as shown in Figure 2.15.
On the Configure Extensions page, in Assembly name, type FabrikamHRMA.dll, as shown in Figure 2.16. Ensure that the FabrikamHRMA.dll file is located in the C:\Program Files\Microsoft Identity Integration Server\Extensions folder.
Note
You can also click Select to select FabrikamHRMA.dll from the \Extensions folder.
Click Finish.
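The two advanced import flow rules you just declared (cn and displayName, both built from givenName and sn) are implemented in the rules extension assembly named on the Configure Extensions page. The source of the FabrikamHRMA.dll shipped on the installation media is not reproduced on this page; the following is an added example of a rules extension that implements those two rule names, written against the Microsoft.MetadirectoryServices IMAExtensible interface. The namespace and class name, the exact formats (cn as "givenName sn", displayName as "sn, givenName") and the whitespace normalization are assumptions of this example, not facts about the scenario DLL.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.MetadirectoryServices;

namespace Fabrikam.Miis.Extensions   // assumed namespace; not from the scenario
{
    // Added example of an HR MA rules extension (assumed class name).
    // Only MapAttributesForImport is exercised by this walkthrough: projection,
    // join, the connector filter and deprovisioning for the HR MA are declared
    // in Identity Manager, so the other members report "not implemented".
    public class FabrikamHRMAExtension : IMAExtensible
    {
        public void Initialize() { }
        public void Terminate() { }

        // Called once per advanced import flow rule; FlowRuleName is the name
        // typed into the Advanced Import Attribute Flow Options dialog.
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            string givenName = Clean(csentry["givenName"]);
            string sn = Clean(csentry["sn"]);

            switch (FlowRuleName)
            {
                case "cn":          // flow rule "cn" in Table 2.7 (format assumed)
                    SetOrDelete(mventry["cn"], Join(givenName, sn, " "));
                    break;
                case "displayName": // flow rule "displayName" in Table 2.7 (format assumed)
                    SetOrDelete(mventry["displayName"], Join(sn, givenName, ", "));
                    break;
                default:
                    // Fail loudly if the rule name in the UI does not match the code.
                    throw new EntryPointNotImplementedException("Unknown import flow rule: " + FlowRuleName);
            }
        }

        // The HR dump is untrusted input. Trim and collapse internal whitespace so
        // a stray double space does not end up in the value that later becomes an
        // RDN in Active Directory; treat an empty string as "not present".
        private static string Clean(Attrib attrib)
        {
            if (!attrib.IsPresent) return null;
            string s = Regex.Replace(attrib.Value.Trim(), @"\s+", " ");
            return s.Length == 0 ? null : s;
        }

        private static string Join(string first, string second, string separator)
        {
            if (first == null) return second;
            if (second == null) return first;
            return first + separator + second;
        }

        // Delete the metaverse attribute instead of writing an empty string when
        // neither name component is present on the HR record.
        private static void SetOrDelete(Attrib target, string value)
        {
            if (value == null) target.Delete();
            else target.Value = value;
        }

        // Not used by this MA: these operations are declared in Identity Manager.
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public DeprovisionAction Deprovision(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

Compile this against Microsoft.MetadirectoryServices.dll and place the resulting assembly in the \Extensions folder; the flow rule names in the switch must match the names in Table 2.7 character for character, which is why an unknown name throws rather than silently doing nothing.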
Setting Up the Fabrikam Telephone MA
Define the options required by the Telephone MA to import telephone system data.
To create the Fabrikam Telephone MA
In Identity Manager, in the Tools menu, click Management Agents.
On the Actions menu, click Create.
Under Management agent for, click Fixed-width text file.
Under Name, type Fabrikam Telephone MA, and then click Next.
Under Template Input File, click Browse, and then go to the local folder where you saved the contents of the installation media.
Specify the fabrikam-telinfo-fw.txt as the template input file name.
Select US-ASCII as the code page, as shown in Figure 2.17. Selecting this option informs the MA about how to interpret the data in the template input file. If the file is not plain text US ASCII, ensure that you have selected the correct code page.
Click Next.
On the Confirm Fixed Width Text Format page, select the Use first row for header names check box, as shown in Figure 2.18, and then click Next.
On the Configure Attributes page, click Set anchor.
Select anchor EMPID, and then click Add, as shown in Figure 2.19.
Click OK, and then verify that the attributes are configured as shown in Figure 2.20.
Click Next.
On the Define Object Types page, accept the default settings, and then click Next.
On the Configure Connector Filter page, accept the default settings, and then click Next.
On the Configure Join and projection rules page, under Data Source Object Type, click person.
Click New Join Rule.
The next step is to create the join rule and the conditions in which connector space objects in the Fabrikam Telephone MA are joined to the metaverse person object.
To create the Join Rule
In the Join Rule dialog box, under Data source attribute, click EMPID.
Under Metaverse object type, click person.
Under Metaverse attribute, click employeeID.
Click Add Condition.
Verify that your screen appears as shown in Figure 2.21.
Click OK.
When you have configured the join, click the plus sign under the Mapping Group to see the attribute mapping. Verify that your screen appears as shown in Figure 2.22.
Click Next.
The next step is to create attribute flow mappings for the Fabrikam Telephone MA data source attributes.
To create an attribute flow mapping for the fax number and other Fabrikam Telephone MA data source attributes
Under Data source object type, click person.
Under Metaverse object type, click person.
Under Data source attribute, click FAX.
Under Metaverse attribute, click facsimileTelephoneNumber.
Click Direct.
Click Import.
Click New.
Use the same process to map the attributes listed in Table 2.8.
Table 2.8 Attribute Flow Mappings for Fabrikam Telephone MA
Data source attribute | Metaverse attribute | Type |
---|---|---|
FAX | facsimileTelephoneNumber | Direct |
MOBILE | mobile | Direct |
PAGER | pager | Direct |
TELEPHONE | telephoneNumber | Direct |
When you are finished with attribute flow mappings, verify that your screen appears as shown in Figure 2.23.
Click Next.
On the Configure Deprovisioning screen, accept the default settings, and then click Next.
On the Configure Extensions page, accept the default settings, and then click Finish.
Setting Up the Fabrikam AD MA
Configure the domains and containers of interest, attributes, and flow rules for the Fabrikam AD MA.
To create the Fabrikam AD MA
In Identity Manager, in the Tools menu, click Management Agents.
On the Actions menu, click Create.
Under Management agent for, click Active Directory.
Under Name, type Fabrikam AD MA.
Click Next.
Specify the forest name (fabnoa.fabcorp.fabrikam.com) and forest credentials that are used to connect to the forest root domain, as shown in Figure 2.24.
Click Next.
Note
This account must have permission to connect to the specified domain and to read all partitions in the forest. It can be overridden later on a per-domain basis. The same credentials are used by the export run profile that later creates and modifies user objects, so grant the account write access only on the organizational unit you select in the following steps rather than broad rights across the forest.
On the Configure Directory Partitions page, ensure that the Fabnoa directory partition is selected, as shown in Figure 2.25.
Click Containers.
By default, all containers and organizational units are selected.
Clear all of the containers and organizational units, and then select only the Fabrikam organizational unit. It is nested under the OU named after the computer name of the Active Directory server and the SimpleAccountProvisioning OU, as shown in Figure 2.26.
Click OK.
Click Next.
In the Select Object Type page, select the check box next to user (the other check boxes selected in Figure 2.27 are already selected), and then click Next.
In the Select Attributes page, select the Show All check box, and select the following attributes:
c
cn
co
company
department
displayName
employeeID
facsimileTelephoneNumber
givenName
l
manager
mobile
pager
sAMAccountName
sn
telephoneNumber
title
unicodePwd
userAccountControl
userPrincipalName
Note
You can use the keyboard to type the name of the attribute and the space bar to select the attribute. This is a shortcut that makes navigating and selecting attributes easier.
When you are done selecting attributes, and have cleared the Show All check box, verify that your screen appears as shown in Figure 2.28, and then click Next.
On the Configure Connector Filter page, accept the default settings, and then click Next.
On the Configure Join and Projection page, accept the default settings, and then click Next.
Create Direct Export Attribute Flow Mappings
Next you will create direct export attribute flow mappings from metaverse attribute c to the data source attribute c.
To create a direct export flow mapping
On the Configure Attribute flow page, under Data Source Object Type, click user.
Under Metaverse Object Type, click person.
Under Data source attribute, click c.
Under Metaverse attribute, click c.
Under Mapping Type, click Direct.
Under Flow Direction, click Export. Do not select the Allow Nulls check box.
Click New.
Follow this process for the remaining attributes listed in Table 2.9.
Table 2.9 Direct Export Attribute Flow Mappings for Fabrikam AD MA
Data source attribute | Metaverse attribute | Type |
---|---|---|
c | c | Direct |
co | co | Direct |
company | company | Direct |
department | department | Direct |
displayname | displayName | Direct |
employeeid | employeeID | Direct |
facsimiletelephonenumber | facsimileTelephoneNumber | Direct |
givenname | givenName | Direct |
l | l | Direct |
manager | manager | Direct |
mobile | mobile | Direct |
pager | pager | Direct |
sn | sn | Direct |
telephonenumber | telephoneNumber | Direct |
title | title | Direct |
Create Advanced Attribute Flow Mappings
Create advanced attribute flow mappings from the metaverse attribute employeeStatus of the person object type to the data source attribute userAccountControl for the user object type.
To create the advanced mappings
Under Data source attribute, click userAccountControl.
Under Metaverse attribute, click employeeStatus.
Under Mapping Type, click Advanced.
Click New.
In the Advanced Export Attribute Flow Options dialog, click Rules Extension, and then in the Flow rule name, type userAccountControl.
Click OK.
Use the same process to create the remaining advanced attribute flow mappings listed in Table 2.10.
Table 2.10 Advanced Attribute Flow Mappings for Fabrikam AD MA
Data source attribute | Metaverse attribute | Type | Flow Rule Name |
---|---|---|---|
useraccountcontrol | employeeStatus | Advanced | userAccountControl |
userprincipalname | uid | Advanced | userPrincipalName |
samaccountname | uid | Advanced | samAccountName |
After you define the export attribute flow, verify that your screen appears as shown in Figure 2.29.
Click Next.
On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.
On the Configure Extensions page, in Rules extension name, click Select, and select the FabrikamADMA.dll file from the location where you copied the scenarios from the installation media (C:\Scenarios\Simple Account Provisioning), as shown in Figure 2.30.
Click Finish.
Verify that three management agents are listed under Management Agents, as shown in Figure 2.31.
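The three advanced export flow rules in Table 2.10 (userAccountControl from employeeStatus, and userPrincipalName and samAccountName from uid) are implemented in FabrikamADMA.dll, whose source is not on this page. The following is an added example of a rules extension implementing those rule names, not the scenario's DLL. The UPN suffix, the rule that only an employeeStatus of "Active" enables the account, the namespace and the class name are assumptions of this example; the userAccountControl bit values are the documented ADS_USER_FLAG values.

```csharp
using System;
using Microsoft.MetadirectoryServices;

namespace Fabrikam.Miis.Extensions   // assumed namespace; not from the scenario
{
    // Added example of an AD MA rules extension (assumed class name) for the
    // three advanced export flow rules declared in Table 2.10.
    public class FabrikamADMAExtension : IMAExtensible
    {
        // userAccountControl bits (ADS_USER_FLAG_ENUM).
        private const long ADS_UF_ACCOUNTDISABLE = 0x0002;
        private const long ADS_UF_NORMAL_ACCOUNT = 0x0200;

        // Assumptions not stated on the page.
        private const string UpnSuffix = "@fabrikam.com";
        private const string ActiveStatus = "Active";
        private const int MaxSamAccountNameLength = 20;   // AD limit for sAMAccountName

        public void Initialize() { }
        public void Terminate() { }

        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        {
            switch (FlowRuleName)
            {
                case "userAccountControl":
                {
                    // Start from the value already in the connector space so flags an
                    // administrator set directly in AD (for example DONT_EXPIRE_PASSWD)
                    // survive the export. A new object starts as a normal account.
                    long uac = csentry["userAccountControl"].IsPresent
                        ? csentry["userAccountControl"].IntegerValue
                        : ADS_UF_NORMAL_ACCOUNT;

                    // Fail closed: a missing employeeStatus, or any value other than
                    // "Active", disables the account.
                    bool active = mventry["employeeStatus"].IsPresent &&
                        String.Compare(mventry["employeeStatus"].Value.Trim(), ActiveStatus, true) == 0;

                    csentry["userAccountControl"].IntegerValue = active
                        ? (uac & ~ADS_UF_ACCOUNTDISABLE)
                        : (uac | ADS_UF_ACCOUNTDISABLE);
                    break;
                }
                case "userPrincipalName":
                    csentry["userPrincipalName"].Value = RequireUid(mventry) + UpnSuffix;
                    break;
                case "samAccountName":
                {
                    string uid = RequireUid(mventry);
                    // Refuse to export a logon name AD would reject rather than truncating it
                    // and risking a collision with another account.
                    if (uid.Length > MaxSamAccountNameLength)
                        throw new UnexpectedDataException("uid too long for sAMAccountName: " + uid);
                    csentry["sAMAccountName"].Value = uid;
                    break;
                }
                default:
                    throw new EntryPointNotImplementedException("Unknown export flow rule: " + FlowRuleName);
            }
        }

        // uid (flowed from the HR sAMAccountName attribute) is the only source of
        // the logon names; an account without one is an error, not an empty name.
        private static string RequireUid(MVEntry mventry)
        {
            if (!mventry["uid"].IsPresent || mventry["uid"].Value.Trim().Length == 0)
                throw new UnexpectedDataException("uid is required to build the account name");
            return mventry["uid"].Value.Trim();
        }

        // Not used by this MA: join/projection, filtering and deprovisioning are
        // declared in Identity Manager, and there is no advanced import flow.
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        { throw new EntryPointNotImplementedException(); }
        public DeprovisionAction Deprovision(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

Throwing UnexpectedDataException marks the single connector space object as an export-flow error in the run history instead of aborting the run, so one malformed HR record does not block provisioning for the other 99.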
Setting Up Run Profiles for the Fabrikam HR MA
To set up the run profiles for the Fabrikam HR MA, first copy the attribute-value pair files from the Microsoft Identity Integration Server 2003 installation media to the Fabrikam HR MA working folder. You will configure the Fabrikam HR MA to read the data provided with the scenario in full and delta import modes.
To copy the scenario data to the Fabrikam HR MA working folder
Open a Windows Explorer window.
Navigate to the folder where you saved the files that came with the Microsoft Identity Integration Server 2003 installation media.
Select the files with names starting Fabrikam-hr-avp.
Open another Windows Explorer window.
Navigate to the MaData folder under the default Microsoft Identity Integration Server 2003 installation path, C:\Program Files\Microsoft Identity Integration Server.
Open the subfolder named Fabrikam HR MA.
Copy the files for the Fabrikam HR MA to the Fabrikam HR MA subfolder of MaData under the Microsoft Identity Integration Server 2003 installation path, as shown in Figure 2.32.
Configure the Fabrikam HR MA Full Import Run Profile
Configure the Fabrikam HR MA run profile to perform a full import of the data in the text file from the HR system.
To configure the Fabrikam HR MA full import run profile
In Identity Manager, in Management Agents, click the Fabrikam HR MA.
From the Actions menu, click Configure Run Profiles, and then click New profile.
Under Name, type Full Import, and then click Next, as shown in Figure 2.33.
Important
Use the profile names provided in the walkthrough. If you choose to use other names, you need to customize the run-*.cmd files (for instance run-provisioning-cycle.cmd) in the scenario folder to reflect your profile names.
On the Configure Step page, in Type, ensure Full Import (Stage Only) is selected.
Click Set log file options.
Select Create a log file and then, in Type or select Log file name, type audit-full-import.xml, as shown in Figure 2.34, and then click OK.
Click Next.
In Management agent configuration, in Input file name, type fabrikam-hr-avp.txt. The input file contains a dump of the HR system and includes employee records for 100 employees.
In Partition, leave default as the name of the partition, as shown in Figure 2.35.
Click Finish.
When you have created the run profile, verify that your screen appears as shown in Figure 2.36.
Click Apply, and then click OK.
Configure HR MA Delta Import Changes and Delta Synchronization Run Profiles
You will create run profiles to configure the HR MA to perform the following actions:
Change employee status for one employee from active to inactive. This will cause the user account to be moved to the container in Active Directory that is named Disabled Users, and will disable the user account.
Reactivate the account that is disabled by changing status from inactive to active. This will cause the account to be moved back to the Users container and enable the user account.
Change the name attributes for one user.
Terminate a user from the HR system and delete the user and the account.
Transfer an employee from one department to another, also changing manager and title.
Deprovision accounts based on a full import from the HR system. The full import file contains only one record, and therefore the remaining 99 objects are deleted.
These run profiles demonstrate account management by changing the data in the metaverse and letting the Microsoft Identity Integration Server 2003 provisioning rules extension modify (rename, move, etc) the objects in the connector space for the Active Directory management agent.
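The moves between the Users and Disabled Users containers and the rename on a name change described above are the work of the metaverse (provisioning) rules extension, which this page configures but whose source it does not show. The following is an added example of such an extension, written against the IMVSynchronization interface, not the assembly from the installation media. The class name, the two container DNs, and the convention that only an employeeStatus of "Active" counts as active are assumptions; the example also assumes that the assembly has been enabled as the metaverse rules extension in Identity Manager under Tools, Options, which this page does not cover.

```csharp
using System;
using Microsoft.MetadirectoryServices;

namespace Fabrikam.Miis.Extensions   // assumed namespace; not from the scenario
{
    // Added example of a provisioning rules extension (assumed class name).
    // Provision is called for a metaverse object after each inbound synchronization
    // that changes it, so a status or name change imported from HR lands here.
    public class FabrikamMVExtension : IMVSynchronization
    {
        private const string ADMAName = "Fabrikam AD MA";          // MA name from this walkthrough
        private const string ActiveStatus = "Active";              // assumed status value

        // Assumed container DNs: replace with the DN of the Fabrikam OU selected in
        // the AD MA container list and its Users / Disabled Users sub-containers.
        private const string UsersContainer =
            "OU=Users,OU=Fabrikam,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com";
        private const string DisabledContainer =
            "OU=Disabled Users,OU=Fabrikam,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com";

        public void Initialize() { }
        public void Terminate() { }

        public void Provision(MVEntry mventry)
        {
            if (mventry.ObjectType != "person") return;
            if (!mventry["cn"].IsPresent) return;   // nothing to name the account with yet

            bool active = mventry["employeeStatus"].IsPresent &&
                String.Compare(mventry["employeeStatus"].Value, ActiveStatus, true) == 0;

            ConnectedMA ma = mventry.ConnectedMAs[ADMAName];

            // EscapeDNComponent escapes DN-special characters (',', '+', '=', ...) in the
            // HR-supplied cn, so a crafted name cannot alter the container part of the DN.
            ReferenceValue targetDn = ma.EscapeDNComponent("CN=" + mventry["cn"].Value)
                                        .Concat(active ? UsersContainer : DisabledContainer);

            if (ma.Connectors.Count == 0)
            {
                // No AD account yet: create one only for active employees, so an HR record
                // that arrives already inactive never gets an account.
                if (!active) return;
                CSEntry csentry = ma.Connectors.StartNewConnector("user");
                csentry.DN = targetDn;
                csentry.CommitNewConnector();
            }
            else
            {
                // Existing account: assigning a different DN stages a rename and/or a move
                // between Users and Disabled Users for the next Export run. Enabling and
                // disabling the account itself is done by the userAccountControl export flow.
                CSEntry csentry = ma.Connectors.ByIndex[0];
                if (String.Compare(csentry.DN.ToString(), targetDn.ToString(), true) != 0)
                    csentry.DN = targetDn;
            }
        }

        // Metaverse deletion is handled by the declarative object deletion rule set in
        // Metaverse Designer, so this rules-extension hook is not used.
        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

With this in place, the Delta Import Changes profiles exercise every branch: a status change to inactive moves the object to Disabled Users, a name change produces a rename of the RDN, and termination or the obsolete full import removes the metaverse object so that the AD MA's declarative deprovisioning rule stages the delete.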
To create the run profiles
Use Table 2.11 to create eight additional run profiles by following the steps listed in the previous section.
Table 2.11 Information to Create Additional Run Profiles
Profile Name | Step Type | Filename |
---|---|---|
Delta Import Changes 1 | Delta Import (Stage Only) | fabrikam-hr-avp-change01.txt |
Delta Import Changes 2 | Delta Import (Stage Only) | fabrikam-hr-avp-change02.txt |
Delta Import Changes 3 | Delta Import (Stage Only) | fabrikam-hr-avp-change03.txt |
Delta Import Changes 4 | Delta Import (Stage Only) | fabrikam-hr-avp-change04.txt |
Delta Import Changes 5 | Delta Import (Stage Only) | fabrikam-hr-avp-change05.txt |
Full Import Obsolete | Full Import (Stage Only) | fabrikam-hr-avp-obsolete.txt |
Full Import Zero bytes | Full Import (Stage Only) | fabrikam-hr-avp-zerobytes.txt |
Delta Synchronization | Delta Synchronization | (none) |
Important
For all Delta Import profiles, set the log file options to create a log file named audit-delta-import.xml. For the Full Import profiles (Full Import Obsolete and Full Import Zero bytes), set the log file options to create a log file named audit-full-import.xml.
When you have finished creating HR MA run profiles, verify that your screen appears as shown in Figure 2.37.
Click Apply, and then click OK.
Setting Up Run Profiles for the Fabrikam Telephone MA
Configure the run profiles to run the Fabrikam Telephone MA. In order to use the data files supplied with this scenario, ensure that you have copied them to the Fabrikam Telephone MA subfolder under the MaData folder in the Microsoft Identity Integration Server 2003 installation location, as shown in Figure 2.38.
Configure the Fabrikam Telephone MA Full Import Run Profile
Configure the Fabrikam Telephone MA run profile to perform a full import of the data from the fabrikam-telinfo-fw.txt fixed width text file.
To configure the Telephone MA full import run profile
From the Tools menu, click Management Agents.
Click the Fabrikam Telephone MA, and from the Actions menu, click Configure Run Profiles.
Click New Profile, and then type Full Import.
Click Next.
In Configure Step, in Type, ensure Full Import (Stage Only) is selected.
Click Set log file options.
In Set Log File Options -- Import, select Create a log file and in Type or select Log file name, type audit-full-import.xml.
Click OK, and then click Next.
In Input file name, specify fabrikam-telinfo-fw.txt, as shown in Figure 2.39.
Click Finish.
Configure the Fabrikam Telephone MA Delta Import and Delta Synchronization Run Profile
Configure the Fabrikam Telephone MA run profiles to perform a delta import and a delta synchronization of the data from the fabrikam-telinfo-fw-change.txt fixed width text file.
To configure the delta import and delta synchronization run profile
In Management Agents, click the Fabrikam Telephone MA.
From the Actions menu, click Configure Run Profiles, and then click New Profile.
In Profile Name, type Delta Import. Click Next.
Follow the steps outlined above to create the Delta Import Run Profile, and on the Configure Step page, click Delta Import (Stage Only).
Configure the log file options to create the file audit-delta-import.xml. Ensure that fabrikam-telinfo-fw-change.txt is specified as the input file name.
Follow the steps outlined above to create a Delta Synchronization Run Profile.
Name the Delta Synchronization Run Profile Delta Synchronization, and ensure that Delta Synchronization is selected as the step type.
Click Finish.
When you have finished setting up the Telephone MA run profiles, verify that your screen appears as shown in Figure 2.40.
Click Apply, and then click OK.
Setting Up Run Profiles for the Fabrikam AD MA
Set up the Fabrikam AD MA to perform a full import of the Active Directory domain partition and then to perform an export so that objects are created in Active Directory.
Configure the Fabrikam AD MA Full Import Run Profile
Configure the Fabrikam AD MA run profile to perform a full import of the Active Directory domain partition.
To configure the Fabrikam AD MA full import run profile
In Management Agents, select Fabrikam AD MA, and then click Configure Run Profiles.
Click New Profile.
Under Profile Name, type Full Import.
Click Next.
In Step Type, ensure Full Import (Stage Only) is selected.
Click Set log file options.
In the Set log file options -- Import dialog box, click Create a log file, and then, in Type or select Log file name, type audit-full-import.xml. Click OK.
Click Next.
In Partition, ensure that the correct Active Directory domain is selected, as shown in Figure 2.41.
Click Finish.
Configure the Fabrikam AD MA Export Run Profile
The Fabrikam AD MA export run profile will contain two steps. The first step will create the objects in Active Directory, and the second step will import from Active Directory, confirming that the pending exports were completed as planned.
To configure the AD MA export run profile
In Management Agents, select Fabrikam AD MA, and then click Configure Run Profiles.
Click New Profile.
Under Profile Name, type Export.
Click Next.
On the Configure Step page, in Type, select Export.
Click Set log file options.
Click Create a log file and, in Type or select Log file name, type audit-export.xml. Click OK.
Click Next.
In Partition, ensure the correct Active Directory domain is selected.
Click Finish.
When you have added the export step, verify that your screen appears as shown in Figure 2.42.
Click New Step.
This step will be a Delta Import (Stage Only) step. Make sure to specify that a log file is created called audit-delta-import.xml. This second step imports the objects from Active Directory and confirms that the previous export was successful. When you are finished creating the second step, verify that your screen appears as shown in Figure 2.43.
When you have finished creating the run profiles, click Apply, and then click OK.
Setting the Metaverse Object Deletion Rule
Configure Microsoft Identity Integration Server 2003 to delete objects from the metaverse when the Fabrikam HR MA processes a deletion from the HR system. This type of deletion rule is called a declarative rule because you can configure it simply by using the user interface. This metaverse object deletion rule calls for Microsoft Identity Integration Server 2003 to delete objects that have been deleted from the HR system.
Other object deletion rule options not explored in this section are Delete metaverse object when last connector is disconnected, in which metaverse deletion only occurs when the last connector to the metaverse object is disconnected; and configuring an object deletion rule within a rules extension, where the rules extension handles the logic of the metaverse object deletion.
To configure the declarative metaverse object deletion rule
Click Start, click Programs, click Microsoft Identity Integration Server, and then click Identity Manager.
On the Tools menu, click Metaverse Designer.
In Object types, click Person and then click Configure Object Deletion Rule.
In Configure Object Deletion Rule, in Type, select Delete metaverse object when connector from this management agent is disconnected, and then select Fabrikam HR MA from the list, as shown in Figure 2.44.
Click OK.
When you are finished, verify that your screen appears as shown in Figure 2.45.