Calculating the domain and populating user attributes across multiple MIM implementations.

OVERVIEW:

Enterprise environments often contain multiple independent MIM installations that serve as development, staging, and production environments. Ideally, code should be written and tested in the development environment, transferred to staging for validation, and then transferred to production with no environment-specific modifications being required.

I often run across Synchronization or Attribute Flow Rules that contain the domain name "hard coded" in the rule's logic. Below is one method for replacing these hard-coded domain names by dynamically populating user attributes with the domain of the environment the workflow is executing in (i.e. development, staging, or production).

A single workflow can be migrated from development to staging to production without modification.

SOFTWARE REQUIREMENTS:

This solution uses the Microsoft Identity Manager Portal and MIMWAL workflow components. To install the MIMWAL, please refer to the following document(s).

EXAMPLE ASSUMPTIONS:

Each environment (i.e. development, staging, and production) has a distinctly different domain name. In this case the domains are as follows:

Development    TestContoso.com
Staging        StageContoso.com
Production     Contoso.com

USER ATTRIBUTES:

Our example will calculate the domain and populate the following attributes of the user:

Domain (ex. mydomain.com)

userPrincipalName (ex. user.name@mydomain.com)

Email (ex. user.name@mydomain.com)

CREATE THE WORKFLOW:

The following example workflow calculates the domain regardless of the environment (i.e. Test, Staging, or Production) and eliminates the need for modification during code promotion.

Launch the MIM Portal with Admin Rights.

Select Workflows

Select New

Enter the workflow name (ex. Set Attributes Containing Domain Names)

Select Action as the Workflow Type.

Select Next

CREATE WORKFLOW ACTIVITY #1

Select Add Activity

Select WAL: Update Resource as the Activity

Press the Select button.

In the Activity Display Name enter "Query Domain Name".

Place a checkmark in the Advanced Features checkbox.

Place a checkmark in the Query Resources checkbox.

In the Queries Section enter Domain as the Key

In the Queries Section enter //DomainConfiguration as the XPath Filter

Next, assign the value returned from the Query to a Workflow Data Variable called Domain.

In the Updates section, enter [//Queries/Domain/DisplayName] as the Value Expression

In the Updates section, enter [//WorkflowData/Domain] as the Target.

Select Save to save the first activity of the Workflow.

Note: Attribute names, variable names, and the Key, XPath Filter, Value Expression, and Target values are all case sensitive.

CREATE WORKFLOW ACTIVITY #2:

Select Add Activity

Select WAL: Update Resource as the Activity

Press the Select button.

Enter the Activity Display Name (ex. Update User Attributes)

Next, we will Read the WorkflowData/Domain attribute into an Activity variable.

Under Updates, enter [//WorkflowData/Domain] as the Value Expression

Under Updates, enter $Domain as the Target

Select Add to add another row to the Updates section.

Continue to Add rows and enter the following additional Value Expressions and Targets:

Description: Set the lowercase of the user accountName to the Account variable.
Value Expression: LowerCase([//Target/accountName])
Target: $Account

Description: Set the Domain variable to lowercase.
Value Expression: LowerCase($Domain)
Target: $Domain

Description: Set the Email variable by concatenating the account, "@", the domain, and ".com".
Value Expression: Concatenate($Account,"@",$Domain,".com")
Target: $Email

Description: Set the UPN variable (userPrincipalName) by concatenating the same values.
Value Expression: Concatenate($Account,"@",$Domain,".com")
Target: $UPN

Description: Set the Domain attribute in the user record to the value of the Domain variable.
Value Expression: $Domain
Target: [//Target/Domain]

Description: Set the mail attribute in the user record to the value of the Email variable.
Value Expression: $Email
Target: [//Target/mail]

Description: Set the userPrincipalName attribute in the user record to the value of the UPN variable.
Value Expression: $UPN
Target: [//Target/userPrincipalName]

NOTE: All MIMWAL functions, including the LowerCase and Concatenate functions used in this example, are documented at the following location:

https://github.com/Microsoft/MIMWAL/wiki/Functions

Once completed, the second activity of the workflow will appear as follows:

Select the Save Button to save the second activity.

Select OK and Submit to save the Workflow.

CREATE A SET

Next, create a set of user objects that do not have a value for one or more of the attributes that need to be populated (i.e. Domain, mail, or userPrincipalName).

Select Sets, New

In the Display Name enter a name for the set (Ex. ~Users requiring Domain mail or userPrincipalName values)

Select Next

Check Enable criteria-based membership in current set.

Change "All Resources" to "User".

Change "all" to "any".

Select Add Statement

Select Click to Select Attribute and choose the Domain attribute

Select "is", then from the drop-down menu select "not starts with".

Select "click to select value" and enter %.

Note: % is a wildcard meaning "has any value"; nulls are excluded from the match, so the condition "not starts with %" selects only resources where the attribute has no value.

Repeat the above steps for the Mail and User Principal Name attributes. This should result in the following:

Select the View Members button to test the set.

Select Finish, Submit to save the Set.

CREATE A MANAGEMENT POLICY RULE:

Finally, create a Management Policy Rule (MPR) that applies the Workflow to the set of users.

Select Management Policy Rules, New

In the Display Name enter the name of the MPR (ex. !~Update Users Domain Mail and userPrincipalName Values)

In the Type section select Set Transition

Select Next

On the Transition Definition Tab in the Transition Set section select the stacked paper icon.

Choose the set that was created above (Ex. ~Users requiring Domain mail or userPrincipalName values) by placing a checkmark in the box next to the name.

Select Ok

In the Transition Type section retain the default setting of Transition In

Select Next

In the same manner select the workflow created above (Re. Set Attributes Containing Domain Names)

Select Finish and Submit to save.

COMPLETED:

At this point, all new users entering the set for the first time will have the Workflow executed and the Domain, Mail and User Principal Name attributes populated from the formula in the workflow.

The attribute results for each of our domains (Re. Development, Staging, and Production) from the assumptions made in this example:

ATTRIBUTE           DEVELOPMENT DOMAIN           STAGING DOMAIN               PRODUCTION DOMAIN
Domain              testcontoso                  stagecontoso                 contoso
mail                user.name@testcontoso.com    user.name@stagecontoso.com   user.name@contoso.com
userPrincipalName   user.name@testcontoso.com    user.name@stagecontoso.com   user.name@contoso.com
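Before enabling the MPR in a newly promoted environment, the same two lookups the workflow and the set rely on can be replayed read-only from PowerShell to confirm which Domain value will be written and which users will be picked up. This is an added example, not code from the original post or from MIMWAL; the FIMAutomation snap-in, the MIM Service URI, and the attribute names (taken from the post) are assumptions.

```powershell
# Added example, not from the original post. Read-only pre-promotion check:
# replays workflow activity #1 (//DomainConfiguration -> DisplayName) and the
# set's membership criteria against the MIM Service so an administrator can
# see what activity #2 would compute in THIS environment before the MPR runs.
# Assumptions: FIMAutomation snap-in installed, the service URI below, and the
# attribute names used in the post (accountName, Domain, mail, userPrincipalName).
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$serviceUri = 'http://localhost:5725'   # assumed MIM Service address

function Get-AttrValue {
    param($Resource, [string]$Name)
    ($Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }).Value
}

# Same query the workflow issues. Exactly one object must match, otherwise
# [//Queries/Domain/DisplayName] does not resolve to a single value.
$domainObjs = @(Export-FIMConfig -Uri $serviceUri -CustomConfig '/DomainConfiguration' -OnlyBaseResources)
if ($domainObjs.Count -ne 1) {
    throw "Expected exactly one DomainConfiguration object, found $($domainObjs.Count)."
}
# Mirrors LowerCase($Domain) in activity #2
$domain = (Get-AttrValue $domainObjs[0] 'DisplayName').ToLowerInvariant()
Write-Host "Domain value this environment will write: $domain (mail/UPN suffix @$domain.com)"

# Same criteria as the set: any one of the three attributes has no value
$filter = "/Person[not(starts-with(Domain,'%')) or not(starts-with(mail,'%')) or not(starts-with(userPrincipalName,'%'))]"
$pending = @(Export-FIMConfig -Uri $serviceUri -CustomConfig $filter -OnlyBaseResources)
Write-Host "Users the set would pick up: $($pending.Count)"

# Show what activity #2 would compute for each of them; nothing is written back
foreach ($u in $pending) {
    $account = Get-AttrValue $u 'accountName'
    if ($account) { $account = $account.ToLowerInvariant() }   # LowerCase([//Target/accountName])
    $expected = if ($account) { "$account@$domain.com" } else { $null }
    [pscustomobject]@{
        accountName  = $account
        expectedMail = $expected      # also the expected userPrincipalName
        currentMail  = Get-AttrValue $u 'mail'
        currentUPN   = Get-AttrValue $u 'userPrincipalName'
    }
}
```

Run it once in each environment and compare the first line of output against the results table above; a user with an empty accountName will show an empty expectedMail, which is a case the workflow's Concatenate cannot fill in either.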

ADDITIONAL NOTES:

In the event the workflow is updated with additional logic, and/or you simply want to re-run the workflow against all members of the set, the following steps can be taken.

WARNING: Depending upon how many members are in the set, this could take some time to complete and could impact performance.

Open the Management Policy Rule and check Policy is Disabled.

Select Finish and Submit to save.

Open the Workflow and check Run on Policy Update

Select OK and Submit.

Open the Management Policy Rule and remove the check from Policy is Disabled.

Select Finish and Submit. This will cause the workflow to immediately start processing against all members of the set.

Note: All create and update actions performed above are recorded as transactions in the Search Requests view of the portal. Workflow executions against users, and their status, are recorded in the same view.