แชร์ผ่าน


Simple Account Provisioning Walkthrough: Implementation Steps

Applies To: Windows Server 2003 with SP1

Previous Steps in This Walkthrough

  1. Overview

  2. Scenario Design

  3. Lab Setup

In this section, you configure three management agents (MAs) for the Fabrikam HR system, the Fabrikam Telephone system, and the Fabrikam Active Directory with the following:

  • Import sources/export targets

    • Object types

    • Selected attributes

  • Import attribute flow rules

  • Connector filter rules

  • Projection rules

  • Join rules

  • Export attribute flow rules

  • Run profiles

Setting Up the Fabrikam HR MA

Use Identity Manager to create the Fabrikam HR MA, and specify all of the details for object, attribute, and rule selection.

To create the Fabrikam HR MA

  1. Click Start, click Programs, click Microsoft Identity Integration Server, and then click Identity Manager.

  2. On the Tools menu, click Management Agents.

  3. On the Actions menu, click Create.

  4. Under Management agent for, click Attribute-value pair text file.

  5. Under Name, type Fabrikam HR MA, as shown in Figure 2.3.

    e7da504b-40d8-4fd2-8bca-4e403a102bab

  6. Click Next.

  7. In Template Input File, click Browse, go to the folder where you copied the scenario contents from the Microsoft Identity Integration Server 2003 installation media, and then click fabrikam-hr-avp.txt.

  8. In Code Page, click US-ASCII, as shown in Figure 2.4.

    28f98c99-cead-48ff-af03-7d66f6e7bd95

  9. Click Next.

  10. On the Configure Attributes page, click Set anchor.

  11. In Available attributes, click employeeID, and then click Add, as shown in Figure 2.5.

    2f52ac0b-5a3b-424e-a1a8-85a47a1b715a

  12. Click OK.

  13. On the Configure Attributes page, under Name, click managerID, and then click Edit.

  14. Under Type, click Reference (DN), and then click OK, as shown in Figure 2.6.

    1ebd8d62-d0a0-4e7a-bcf4-f7ffcb89aec7

  15. After you complete anchor selection and modify the managerID attribute, verify that your screen appears as shown in Figure 2.7.

    5d2ae833-098a-4730-90e9-e74a00ea880f

  16. Click Next.

  17. On the Define Object Types page, click Next (do not make any changes to the settings on this page), as shown in Figure 2.8.

    eed9f4de-8dd3-4599-a8bd-df91ebcab8d6

  18. On the Configure Connector Filter page, under Data Source Object Type, click person, and then click New.

  19. In the Filter for person dialog box, under Data source attribute, click employeeStatus, under Operator, click Equals, and then, in Value, type Terminated.

  20. Click Add Condition.

  21. Click OK, and then verify that the Connector Filter is configured as shown in Figure 2.9.

    4ebfb90b-0286-4243-b489-1a77ef2de60e

  22. Click Next.

  23. On the Configure Join and Projection Rules page, under Data Source Object Type, click person.

  24. Click New Projection Rule.

  25. In the Projection dialog box, click Declared, and ensure that person is listed in Metaverse Object Type, as shown in Figure 2.10.

    4fea241c-b6fd-4ed7-a01f-bae0c74d5f6d

  26. Click OK, and then verify that Join and Projection rules are configured as shown in Figure 2.11.

    1702311f-812c-4353-a9b3-b75212275932

  27. Click Next.

  28. On the Configure Attribute Flow page, under Build Attribute Flow, in Data source object type, click person.

  29. In Metaverse object type, click person, as shown in Figure 2.12.

    844ecc12-db7d-48b1-b35b-4b9e7bc84756

Create Direct Import Attribute Flow Mappings

Create a direct mapping from the connected data source attribute branchID to the metaverse attribute department.

To create the direct import mappings

  1. On the Configure Attribute Flow page of the Fabrikam HR MA, under Data source attribute, click branchID.

  2. Under Metaverse attribute, click department.

  3. Under Mapping Type, click Direct.

  4. Under Flow Direction, click Import.

  5. Click New.

Create direct import mappings for the remaining attributes listed in Table 2.6.

Table 2.6   Direct Import Attribute Flow Mappings for Fabrikam HR MA

Data source attribute Metaverse attribute Type

branchID

department

Direct

c

c

Direct

co

co

Direct

company

company

Direct

employeeID

employeeID

Direct

employeeStatus

employeeStatus

Direct

employeeType

employeeType

Direct

givenName

givenName

Direct

l

l

Direct

managerID

manager

Direct

sAMAccountName

uid

Direct

sn

sn

Direct

title

title

Direct

Create Advanced Attribute Flow Mappings

Create the advanced attribute mapping for the metaverse cn attribute.

To complete the advanced attribute mapping

  1. On the Configure Attribute Flow page, under Mapping Type, click Advanced.

  2. Under Metaverse attribute, click cn.

  3. Under Data source attribute, hold down the CTRL key and click givenName and sn.

  4. Under Flow Direction, click Import.

  5. Click New.

  6. In the Advanced Import Attribute Flow Options dialog box, click Rules extension.

  7. In Flow rule name, type cn, and then click OK, as shown in Figure 2.13.

    dbae734c-defc-4011-a5fe-e04b8d552ffe

Use Table 2.7 to complete the advanced attribute mappings.

Table 2.7   Advanced Attribute Mappings for Person Object

Data source attribute Metaverse attribute Type Flow rule name

givenName, sn

cn

Advanced

cn

givenName, sn

displayName

Advanced

displayName

When you have finished attribute mappings, verify that attribute mappings are configured as shown in Figure 2.14.

834df96d-2158-4c72-ac97-4efd2eaa3140

  1. Click Next.

  2. On the Configure Deprovisioning page, click Next (do not adjust the default settings), as shown in Figure 2.15.

    f250fb8f-cb93-422e-a917-f49d9acd5bdf

  3. On the Configure Extensions page, in Assembly name, type FabrikamHRMA.dll, as shown in Figure 2.16. Ensure that the FabrikamHRMA.dll file is located in the C:\Program Files\Microsoft Identity Integration Server\Extensions folder.

    Note

    You can also click Select to select the FabrikamHRMA.dllfrom the \Extensions folder.

    b328344a-c9dc-4039-af87-c8a224d2946a

  4. Click Finish.

Setting Up the Fabrikam Telephone MA

Define the options required by the Telephone MA to import telephone system data.

To create the Fabrikam Telephone MA

  1. In Identity Manager, in the Tools menu, click Management Agents.

  2. On the Actions menu, click Create.

  3. Under Management agent for, click Fixed-width text file.

  4. Under Name, type Fabrikam Telephone MA, and then click Next.

  5. Under Template Input File, click Browse, and then go to the local folder where you saved the contents of the installation media.

  6. Specify the fabrikam-telinfo-fw.txt as the template input file name.

  7. Select US-ASCII as the code page, as shown in Figure 2.17. Selecting this option informs the MA about how to interpret the data in the template input file. If the file is not plain text US ASCII, ensure that you have selected the correct code page.

    59e1b31e-5fe0-4f6d-a6ee-25629887508b

  8. Click Next.

  9. On the Confirm Fixed Width Text Format page, select the Use first row for header names check box, as shown in Figure 2.18, and then click Next.

    b0b81eb7-86a4-4cb9-b78f-e060765f0203

  10. On the Configure Attributes page, click Set anchor.

  11. Select anchor EMPID, and then click Add, as shown in Figure 2.19.

    bf13bde8-e29d-42b6-a2f5-15ed25118c4b

  12. Click OK, and then verify that the attributes are configured as shown in Figure 2.20.

    55d400c2-8213-4c2d-bdfd-e9e22173377d

  13. Click Next.

  14. On the Define Object Types page, accept the default settings, and then click Next.

  15. On the Configure Connector Filter page, accept the default settings, and then click Next.

  16. On the Configure Join and projection rules page, under Data Source Object Type, click person.

  17. Click New Join Rule.

The next step is to create the join rule and the conditions in which connector space objects in the Fabrikam Telephone MA are joined to the metaverse person object.

To create the Join Rule

  1. In the Join Rule dialog box, under Data source attribute, click EMPID.

  2. Under Metaverse object type, click person.

  3. Under Metaverse attribute, click employeeID.

  4. Click Add Condition.

Verify that your screen appears as shown in Figure 2.21.

41214ff7-f906-445d-9bfe-925216a3b80d

  1. Click OK.

  2. When you have configured the join, click the plus sign under the Mapping Group to see the attribute mapping. Verify that your screen appears as shown in Figure 2.22.

    95ca2267-8e27-494a-9637-7a49c2270c36

  3. Click Next.

The next step is to create attribute flow mappings for the Fabrikam Telephone MA data source attributes.

To create an attribute flow mapping for the fax number and other Fabrikam Telephone MA data source attributes

  1. Under Data source object type, click person.

  2. Under Metaverse object type, click person.

  3. Select the CD attribute FAX from the connected data source attribute list.

  4. Select the metaverse attribute facsimileTelephoneNumber from the metaverse attribute list.

  5. Click Direct.

  6. Click Import.

  7. Click New.

  8. Use the same process to map the attributes listed in Table 2.8.

    Table 2.8   Attribute Flow Mappings for Fabrikam Telephone MA

    Data source attribute Metaverse attribute Type

    FAX

    facsimileTelephoneNumber

    Direct

    MOBILE

    Mobile

    Direct

    PAGER

    Pager

    Direct

    TELEPHONE

    telephoneNumber

    Direct

When you are finished with attribute flow mappings, verify that your screen appears as shown in Figure 2.23.

3a101b93-e0ef-4285-b6d0-29d34fa8cfeb

  1. Click Next.

  2. On the Configure Deprovisioning screen, accept the default settings, and then click Next.

  3. On the Configure Extensions page, accept the default settings, and then click Finish.

Setting Up the Fabrikam AD MA

Configure the domains and containers of interest, attributes, and flow rules for the Fabrikam AD MA.

To create the Fabrikam AD MA

  1. In Identity Manager, in the Tools menu, click Management Agents.

  2. On the Actions menu, click Create.

  3. Under Management agent for, click Active Directory.

  4. Under Name, type Fabrikam AD MA.

  5. Click Next.

  6. Specify the forest name (fabnoa.fabcorp.fabrikam.com) and forest credentials that are used to connect to the forest root domain, as shown in Figure 2.24.

    338cdf8d-76ce-4978-826e-3571ae2c079f

  7. Click Next.

    Note

    This account must have permissions to connect to the domain of the forest specified and read all the partitions in the forest. It can be overwritten later on a per domain basis.

  8. On the Configure Directory Partitions page, ensure that the Fabnoa directory partition is selected, as shown in Figure 2.25.

    be20da86-723f-4cb4-a463-b9b72aac395f

  9. Click Containers.

By default, all containers and organizational units are selected.

  1. Click all containers and organizational units to clear them and then select only the Fabrikam organizational unit, which is located under the OU with the computer name of the Active Directory server and under the SimpleAccountProvisioning OU, as shown in Figure 2.26.

    b27d72b2-7edd-4efd-8166-bf8f2eaa1e6b

  2. Click OK.

  3. Click Next.

  4. In the Select Object Type page, select the check box next to user (the other check boxes selected in Figure 2.27 are already selected), and then click Next.

    f8dc73ae-aaaf-4a2a-a719-40afc0db2d9b

  5. In the Select Attributes page, select the Show All check box, and select the following attributes:

    • c

    • cn

    • co

    • company

    • department

    • displayName

    • employeeID

    • facsimileTelephoneNumber

    • givenName

    • l

    • manager

    • mobile

    • pager

    • sAMAccountName

    • sn

    • telephoneNumber

    • title

    • unicodePwd

    • userAccountControl

    • userPrincipalName

    Note

    You can use the keyboard to type the name of the attribute and the space bar to select the attribute. This is a shortcut that makes navigating and selecting attributes easier.

When you are done selecting attributes, and have cleared the Show All check box, verify that your screen appears as shown in Figure 2.28, and then click Next.

7ccb013d-99a1-412c-aa8c-7835461096e3

  1. On the Configure Connector Filter page, accept the default settings, and then click Next.

  2. On the Configure Join and Projection page, accept the default settings, and then click Next.

Create Direct Export Attribute Flow Mappings

Next you will create direct export attribute flow mappings from metaverse attribute c to the data source attribute c.

To create a direct export flow mapping

  1. On the Configure Attribute flow page, under Data Source Object Type, click user.

  2. Under Metaverse Object Type, click person.

  3. Under Data source attribute, click c.

  4. Under Metaverse attribute, click c.

  5. Under Mapping Type, click Direct.

  6. Under Flow Direction, click Export. Do not select the Allow Nulls check box.

  7. Click New.

  8. Follow this process for the remaining attributes listed in Table 2.9.

    Table 2.9   Direct Export Attribute Flow Mappings for Fabrikam AD MA

    Data source attribute Metaverse attribute Type

    c

    c

    Direct

    co

    co

    Direct

    company

    company

    Direct

    department

    department

    Direct

    displayname

    displayName

    Direct

    employeeid

    employeeID

    Direct

    facsimiletelephonenumber

    facsimileTelephoneNumber

    Direct

    givenname

    givenName

    Direct

    l

    l

    Direct

    manager

    manager

    Direct

    mobile

    mobile

    Direct

    pager

    pager

    Direct

    sn

    sn

    Direct

    telephonenumber

    telephoneNumber

    Direct

    title

    title

    Direct

Create Advanced Attribute Flow Mappings

Create advanced attribute flow mappings from the metaverse attribute employeeStatus of the person object type to the data source attribute userAccountControl for the user object type.

To create the advanced mappings

  1. Under Data source attribute, click userAccountControl.

  2. Under Metaverse attribute, click employeeStatus.

  3. Under Mapping Type, click Advanced.

  4. Click New.

  5. In the Advanced Export Attribute Flow Options dialog, click Rules Extension, and then in the Flow rule name, type userAccountControl.

  6. Click OK.

  7. Use the same process to create the remaining advanced attribute flow mappings listed in Table 2.10.

    Table 2.10   Advanced Attribute Flow Mappings for Fabrikam AD MA

    Data source attribute Metaverse attribute Type Flow Rule Name

    useraccountcontrol

    employeeStatus

    Advanced

    userAccountControl

    userprincipalname

    uid

    Advanced

    userPrincipalName

    samaccountname

    uid

    Advanced

    samAccountName

After you define the export attribute flow, verify that your screen appears as shown in Figure 2.29.

20340580-6913-4804-a53c-c34ded9d4d7d

  1. Click Next. On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.

  2. On the Configure Extensions page, in Rules extension name, click Select, and select the FabrikamADMA.dll file from the location where you copied the scenarios from the installation media (C:\Scenarios\Simple Account Provisioning), as shown in Figure 2.30.

    3ca45939-a50a-4e4a-8114-e14c85d9b4ec

  3. Click Finish.

Verify that three management agents are listed under Management Agents, as shown in Figure 2.31.

96882c48-9bea-4de2-8242-b484b6b13bbe

Setting Up Run Profiles for the Fabrikam HR MA

To step up the run profiles for the Fabrikam HR MA, first copy the attribute-value pair files from the Microsoft Identity Integration Server 2003 installation media to the Fabrikam HR MA working folder. You will configure the Fabrikam HR MA to read the data provided with the scenario in full and delta import modes.

To copy the scenario data to the Fabrikam HR MA working folder

  1. Open a Windows Explorer window.

  2. Navigate to the folder where you saved the files that came with the Microsoft Identity Integration Server 2003 installation media.

  3. Select the files with names starting Fabrikam-hr-avp.

  4. Open another Windows Explorer window.

  5. Navigate to the MaData folder under the default Microsoft Identity Integration Server 2003 installation path, C:\Program Files\Microsoft Identity Integration Server.

  6. Open the subfolder named Fabrikam HR MA.

  7. Copy the files for the Fabrikam HR MA to the Fabrikam HR MA subfolder of MaData under the Microsoft Identity Integration Server 2003 installation path, as shown in Figure 2.32.

    d1a625d3-b7ec-4479-9f60-5bd715cae948

Configure the Fabrikam HR MA Full Import Run Profile

Configure the Fabrikam HR MA run profile to perform a full import of the data in the text file from the HR system.

To configure the Fabrikam HR MA full import run profile

  1. In Identity Manager, in Management Agents, click the Fabrikam HR MA.

  2. From the Actions menu, click Configure Run Profiles, and then click New profile.

  3. Under Name, type Full Import, and then click Next, as shown in Figure 2.33.

    9aa1ae97-aee9-42b5-a562-30242ab24913

    Important

    Use the profile names provided in the walkthrough. If you choose to use other names, you need to customize the run-*.cmd files (for instance run-provisioning-cycle.cmd) in the scenario folder to reflect your profile names.

  4. On the Configure Step page, in Type, ensure Full Import (Stage Only) is selected.

  5. Click Set log file options.

  6. Select Create a log file and then, in Type or select Log file name, type audit-full-import.xml, as shown in Figure 2.34, and then click OK.

    e208070f-2fa6-4669-bdb1-1801b01a2e7e

  7. Click Next.

  8. In Management agent configuration, in Input file name, type fabrikam-hr-avp.txt. The input file contains a dump of the HR system and includes employee records for 100 employees.

  9. In Partition, leave default as the name of the partition, as shown in Figure 2.35.

    33fa48b0-da32-416b-8e57-66c0c4a02922

  10. Click Finish.

When you have created the run profile, verify that your screen appears as shown in Figure 2.36.

7972f18f-7349-4002-ac5c-cdb977c4cbbe

  1. Click Apply, and then click OK.

Configure HR MA Delta Import Changes and Delta Synchronization Run Profiles

You will create run profiles to configure the HR MA to perform the following actions:

  • Change employee status for one employee from active to inactive. This will cause the user account to be moved to the container in Active Directory that is named Disabled Users, and will disable the user account.

  • Reactivate the account that is disabled by changing status from inactive to active. This will cause the account to be moved back to the Users container and enable the user account.

  • Change the name attributes for one user.

  • Terminate a user from the HR system and delete the user and the account.

  • Transfer an employee from one department to another, also changing manager and title.

  • Deprovision accounts based on a full import from the HR system. The full import file contains only one record, and therefore the remaining 99 objects are deleted.

These run profiles demonstrate account management by changing the data in the metaverse and letting the Microsoft Identity Integration Server 2003 provisioning rules extension modify (rename, move, etc) the objects in the connector space for the Active Directory management agent.

To create the run profiles

  1. Use Table 2.11 to create eight additional run profiles by following the steps listed in the previous section.

    Table 2.11   Information to Create Additional Run Profiles

    Profile Name Step Type Filename

    Delta Import Changes 1

    Delta Import (Stage Only)

    fabrikam-hr-avp-change01.txt

    Delta Import Changes 2

    Delta Import (Stage Only)

    fabrikam-hr-avp-change02.txt

    Delta Import Changes 3

    Delta Import (Stage Only)

    fabrikam-hr-avp-change03.txt

    Delta Import Changes 4

    Delta Import (Stage Only)

    fabrikam-hr-avp-change04.txt

    Delta Import Changes 5

    Delta Import (Stage Only)

    fabrikam-hr-avp-change05.txt

    Full Import Obsolete

    Full Import (Stage Only)

    fabrikam-hr-avp-obsolete.txt

    Full Import Zero bytes

    Full Import (Stage Only)

    Fabrikam-hr-avp-zerobytes.txt

    Delta Synchronization

    Delta Synchronization

     

    Important

    For all Delta Imports, ensure the log file options are set to create a log file: audit-delta-import.xml. For the Full Import, ensure the log file options are set to create a log file: audit-full-import.xml.

  2. When you have finished creating HR MA run profiles, verify that your screen appears as shown in Figure 2.37.

    9ed0c93a-f664-403e-b9f3-2b9430da21c9

  3. Click Apply, and then click OK.

Setting Up Run Profiles for the Fabrikam Telephone MA

Configure the run profiles to run the Fabrikam Telephone MA. In order to use the data files supplied with this scenario, ensure that you have copied them to the Fabrikam Telephone MA subfolder under the MaData folder in the Microsoft Identity Integration Server 2003 installation location, as shown in Figure 2.38.

36fdf65c-c1cf-4608-a70c-d9b9e236e9ee

Configure the Fabrikam Telephone MA Full Import Run Profile

Configure the Fabrikam Telephone MA run profile to perform a full import of the data from the fabrikam-telinfo-fw.txt fixed width text file.

To configure the Telephone MA full import run profile

  1. From the Tools menu, click Management Agents.

  2. Click the Fabrikam Telephone MA, and from the Actions menu, click Configure Run Profiles.

  3. Click New Profile, and then type Full Import.

  4. Click Next.

  5. In Configure Step, in Type, ensure Full Import (Stage Only) is selected.

  6. Click Set log file options.

  7. In Set Log File Options -- Import, select Create a log file and in Type or select Log file name, type audit-full-import.xml.

  8. Click OK, and then click Next.

  9. In Input file name, specify fabrikam-telinfo-fw.txt, as shown in Figure 2.39.

    e22a7c17-2f03-4f37-a983-8c77260fda72

  10. Click Finish.

Configure the Fabrikam Telephone MA Delta Import and Delta Synchronization Run Profile

Configure the Fabrikam Telephone MA run profiles to perform a delta import and a delta synchronization of the data from the fabrikam-telinfo-fw-change.txt fixed width text file.

To configure the delta import and delta synchronization run profile

  1. In Management Agents, click the Fabrikam Telephone MA.

  2. From the Actions menu, click Configure Run Profiles, and then click New Profile.

  3. In Profile Name, type Delta Import. Click Next.

  4. Follow the steps outlined above to create the Delta Import Run Profile, and on the Configure Step page, click Delta Import (Stage Only).

  5. Configure the log file options to create the file audit-delta-import.xml. Ensure that fabrikam-telinfo-fw-change.txt is specified as the input file name.

  6. Follow the steps outlined above to create a Delta Synchronization Run Profile.

  7. Name the Delta Synchronization Run Profile Delta Synchronization, and ensure that Delta Synchronization is selected as the step type.

  8. Click Finish.

    When you have finished setting up the Telephone MA run profiles, verify that your screen appears as shown in Figure 2.40.

    e7dc91c2-9477-4d4a-9798-08f37464d132

  9. Click Apply, and then click OK.

Setting Up Run Profiles for the Fabrikam AD MA

Set up the Fabrikam AD MA to perform a full import of the Active Directory domain partition and then to perform an export so that objects are created in Active Directory.

Configure the Fabrikam AD MA Full Import Run Profile

Configure the Fabrikam AD MA run profile to perform a full import of the Active Directory domain partition.

To configure the Fabrikam AD MA full import run profile

  1. In Management Agents, select Fabrikam AD MA, and then click Configure Run Profiles.

  2. Click New Profile.

  3. Under Profile Name, type Full Import.

  4. Click Next.

  5. In Step Type, ensure Full Import (Stage Only) is selected.

  6. Click Set log file options.

  7. In the Set log file options -- Import dialog box, click Create a log file, and then, in Type or select Log file name, type audit-full-import.xml. Click OK.

  8. Click Next.

  9. In Partition, ensure that the correct Active Directory domain is selected, as shown in Figure 2.41.

    55a25551-158c-4573-9163-cba0f4852062

  10. Click Finish.

Configure the Fabrikam AD MA Export Run Profile

The Fabrikam AD MA export run profile will contain two steps. The first step will create the objects in Active Directory, and the second step will import from Active Directory, confirming that the pending exports were completed as planned.

To configure the AD MA export run profile

  1. In Management Agents, select Fabrikam AD MA, and then click Configure Run Profiles.

  2. Click New Profile.

  3. Under Profile Name, type Export.

  4. Click Next.

  5. On the Configure Step page, in Type, select Export.

  6. Click Set log file options.

  7. Click Create a log file and, in Type or select Log file name, type audit-export.xml. Click OK.

  8. Click Next.

  9. In Partition, ensure the correct Active Directory domain is selected.

  10. Click Finish.

  11. When you have added the export step, verify that your screen appears as shown in Figure 2.42.

    4c60973b-6249-4bc8-a764-72753f9807a0

  12. Click New Step.

  13. This step will be a Delta Import (Stage Only) step. Make sure to specify that a log file is created called audit-delta-import.xml. This second step imports the objects from Active Directory and confirms that the previous export was successful. When you are finished creating the second step, verify that your screen appears as shown in Figure 2.43.

    1f38d9ec-be80-4d65-b415-dcbbb2f62162

  14. When you have finished creating the run profiles, click Apply, and then click OK.

Setting the Metaverse Object Deletion Rule

Configure Microsoft Identity Integration Server 2003 to delete objects from the metaverse when the Fabrikam HR MA processes a deletion from the HR system. This type of deletion rule is called a declarative rule because you can configure it simply by using the user interface. This metaverse object deletion rule calls for Microsoft Identity Integration Server 2003 to delete objects that have been deleted from the HR system.

Other object deletion rule options not explored in this section are Delete metaverse object when last connector is disconnected, in which metaverse deletion only occurs when the last connector to the metaverse object is disconnected; and configuring an object deletion rule within a rules extension, where the rules extension handles the logic of the metaverse object deletion.

To configure the declarative metaverse object deletion rule

  1. Click Start, click Programs, click Microsoft Identity Integration Server, and then click Identity Manager.

  2. On the Tools menu, click Metaverse Designer.

  3. In Object types, click Person and then click Configure Object Deletion Rule.

  4. In Configure Object Deletion Rule, in Type, select the Delete metaverse object when connector from this management agent is disconnected, and then select Fabrikam HR MA from the list, as shown in Figure 2.44.

    c4ee4100-068b-4a8b-a9c1-78d40bf89b9c

  5. Click OK.

    When you are finished, verify that your screen appears as shown in Figure 2.45.

    e5580ed4-07cf-45d8-ad9c-f6c5c9a8f5a3

Next