Jaa


Group Creation and Provisioning Walkthrough: Scenario Design

Applies To: Windows Server 2003 with SP1

Previous Steps in This Walkthrough

Scenario Design

This section discusses the architectural design of this scenario and describes the GroupPopulator management agent, the group definition database table, and the group creation and provisioning cycle.

Architectural Overview

Table 3.1 lists the management agents (MAs) that you use in the Group Creation and Provisioning scenario.

Table 3.1   Fabrikam MAs

  MA Name MA Type Purpose

MA 1

Fabrikam HR MA

Attribute-value pair text file

Imports information from an HR system. The HR system is emulated by providing file dumps with employee data. Full and delta snapshots of files exist to examine the full and delta functionalities of Microsoft Identity Integration Server 2003 file-based management agents.

MA 2

Fabrikam Telephone MA

Fixed-width text file

Populates telephone numbers for the employees. Full and delta snapshots of files exist to examine the full and delta functionalities of Microsoft Identity Integration Server 2003 file-based management agents.

MA 3

Fabrikam AD MA

Active Directory

Sends provisioned objects to the Active Directory forest from the Fabrikam HR system. The Active Directory forest consists of one domain.

MA 4

GroupPopulator MA

Attribute-value pair text file

Imports groups and membership information into the metaverse.

Microsoft Identity Integration Server 2003 and all of the management agents are located on the server running Microsoft Identity Integration Server 2003. Active Directory is installed on a different computer (as described below).

To provision the group objects from the GroupPopulator management agent to the Fabrikam AD MA, a rules extension is provided with this scenario. This rules extension extends the Simple Account Provisioning rules extension.

To calculate groups and group membership, a Visual C# .NET application, called GroupPopulator.exe, is provided. This application reads data from the metaverse and writes the results of its calculation to a file. This file is imported by the GroupPopulator MA. The GroupPopulator MA uses a table to read group definitions.

Lastly, the file GroupPopulatorSync.cmd is provided to trigger the group creation and provisioning in Microsoft Identity Integration Server 2003.

GroupPopulator MA

To understand the scenario design, become familiar with the GroupPopulator MA, including:

  • Import file structure

  • Attribute configuration

  • Join and projection configuration

  • Import attribute flow configuration

Import File Structure

The attribute-value pair import file that defines the groups and members has following structure:

displayname: Sheelah Basarah
objecttype: person
uid: {385A0A21-65B8-4439-B979-BA157BAB0A6A}

displayname: Department 001
objecttype: group 
uid: 001
member: {385A0A21-65B8-4439-B979-BA157BAB0A6A}
member: {26012FCD-56CF-4CC7-8A1B-A38A97E02385}
member: {7D8BD2F6-0295-4BF1-A088-A25308D652CA}
member: {C2BF1EE4-99D7-42BE-A742-1CA7763B19BD}
member: {2189410B-CA74-4084-A5C7-0F75C3BACFE2}

The contents of this file describe the person and group object types. The members of the groups are person object types in the file. A member does not necessarily need to be a user or person object; it can be anything in the metaverse.

The anchor of the person object type is the uid attribute, which maps to the metaverse objectID attribute.

The anchor of the Group object type is also the uid attribute. However, this is a unique ID that needs to be provided manually during the group definition. The member attribute is a reference to the uid attribute of the person object types. The group-member relationship is set up by using this method.

Attribute Configuration

Table 3.2 displays the attributes that are configured during the creation of the GroupPopulator MA.

Table 3.2   Attributes Configured for GroupPopulator MA

Name Type Multi-Valued

displayName

String

No

objecttype

String

No

uid

String

No

member

Reference (DN)

Yes

The uid attribute is configured as the anchor attribute.

You use the advanced configuration option on the management agent to define the objecttype attribute as a Define Object Type attribute. This definition is needed to indicate that the import file has more then one object type (in this scenario, person and group).

Join and Projection Configuration

You configure join rules for person and group objects to link to a metaverse object that has a direct match to the objectID attribute of the metaverse object. Table 3.3 lists how the objects and attributes are linked between the connected data source and the metaverse.

Table 3.3   Object Types and Attributes Used for Join Mapping

Connected Data Source   Metaverse  

Object Type

Attribute

Join Mapping

Object Type

Group

uid

Direct to uid

Group

Person

uid

Direct to objectID

Any

Projection rules are only configured for the group object type in the connected data sources. This projection is a declared projection to the metaverse group object type, and it creates new group objects in the metaverse.

Import Attribute Flow Configuration

In this scenario, you set up import attribute flow for the group object type only (scoped by Data Source.group and Metaverse.group). Table 3.4 lists the import attribute flow configuration used for the GroupPopulator MA.

Table 3.4   Import Attribute Flow Configuration

Connected Data Source Attribute Metaverse Attribute Mapping Type

displayName

displayName

Direct

member

member

Direct

uid

uid

Direct

The Group Definition Database Table

The group definition table is the core of the scenario and defines how groups and their membership are calculated. The group definition table has three columns:

  • groupID: The unique ID of the group.

  • displayName: The display name of the group.

  • clause: The SQL Server where-clause that is used to select the group members from the metaverse.

The name of the table is GroupDefinitions and it is located within the MIIS_Group_Populator database. Table 3.5 shows a sample row of the group definition table.

Table 3.5   Sample Row from Group Definition Table

GroupID DisplayName Clause

001

Department 001

object_type = ‘person’ and department = ‘001’

This row indicates the creation of a group in the metaverse with the display name of Department 001. The members of this group are all objects in the metaverse of the person object type, and they have the value of the department attribute set to 001.

The clause can be any valid SQL Server where-clause of any complexity. For example, Table 3.6 lists another sample row from the group definition table that uses a more complex SQL Server where-clause.

Table 3.6   Sample Row with Complex SQL Server Where-Clause

GroupID DisplayName Clause

006

All People with Direct Reports

object_id in (select Distinct reference_id from mms_mv_link where attribute_name=’manager’)

This row indicates the creation of a group in the metaverse with the display name of All People with Direct Reports. The members of this group are all objects in the metaverse that have people reporting to them (that is, if the manager attribute is used to express a reporting relationship).

Table 3.7 shows all of the rows that are configured when you set up this scenario.

Table 3.7   Complete Group Definition Table

GroupID DisplayName Clause

001

Department 001

object_type = ‘person’ and department = ‘001’

002

Department 002

object_type = ‘person’ and department = ‘002’

003

Department 003

object_type = ‘person’ and department = ‘003’

004

Department 004

object_type = ‘person’ and department = ‘004’

005

Direct Reports Pearl Letargo

object_id in (select object_id from mms_mv_link where attribute_name=’manager’ and reference_id = (select object_id from mms_metaverse where uid = ‘pletargo’))

006

All People with Direct Reports

object_id in (select Distinct reference_id from mms_mv_link where attribute_name=’manager’)

Note

You need to customize this table based on the groups that apply to your environment. To construct the clause, it is recommended that you use SQL Query Analyzer and type “select * from mms_metaverse where” first. Next, type the where-clause criteria to construct the resultant set of the group members. Test the queries with SQL Sever 2000 Service Pack 3 (SP3) SQL Query Analyzer to ensure that the correct results are calculated.

The Group Creation and Provisioning Cycle

The GroupPopulatorSync.cmd file activates several processes that, when finished, create the groups and group memberships in the metaverse. The GroupPopulatorSync.cmd file performs the following processes:

  1. Runs GroupPopulator.exe. The application uses the defined clause to query the metaverse, and then the results of the query are written to a file named Output.txt.

  2. Copies the Output.txt file to the MaData folder as the Populate-groups.txt file. This file is imported by the GroupPopulator MA.

  3. Runs the GroupPopulator MA. The GroupPopulator MA reads the populate-Groups.txt file as a full import. After this step, all of the groups are populated in the metaverse with membership. Because this is a full import run, all groups that were removed from the group definition table are deleted from the metaverse.

This operation always runs in this exact sequence. It can run as often as required to re-calculate groups by using the GroupPopulatorSync.cmd batch file.

Important

Although it appears that all groups and all membership information are read into Microsoft Identity Integration Server 2003 during the full import run, it is not a full modification of all groups and all membership. Microsoft Identity Integration Server 2003 calculates what needs to be propagated from a full import to the metaverse (and from there to other connected data sources). If only one member was added to one group, Microsoft Identity Integration Server 2003 flows only this single value change to the metaverse (that is, it does not replace all of the members of a large group, but only the values that have changed in the member attribute).

Next