Need Help with Initial Setup
-
Monday, December 10, 2012 4:39 AM
Hello Everybody,
I apologize now for the long post but I'm hoping this may yield better responses. I currently have 4 Management agents configured using the synchronization service manager. Both Active Directory and email service are both heavily populated from before Forefront.
1. Active Directory -
2. Email Service - Novell Groupwise
3. FIM Service
4. Flat file - This file is similar to the HR database from the TechNet examples.
Let me explain: our long-term goal is to allow HR to create/maintain users from the FIM portal and provision their AD accounts. Another goal is to allow users to validate their GroupWise password against their AD LDAP password (we have already tested this and it works correctly for those accounts that have both AD and GroupWise). However, our Active Directory is a bit of a mess: there are 2000+ email accounts that do not have AD accounts. I would like to provision AD accounts from GroupWise; how would I go about this? Also, for the existing accounts I would like to have the flat file join and correct information within AD; how would I go about this?
Currently the FIM portal and metaverse are empty or can be emptied easily. My last question: is it possible to create custom views on the portal website for creating users and editing user information? The reason I ask is because eventually we will have two different departments entering information into the portal: one that will be able to enter all personal information and one that will be able to enter only the telephone number and a few more fields.
All Replies
-
Tuesday, December 11, 2012 12:24 AM
You will need to roughly follow these steps:
- Create inbound attribute flows for Groupwise. You need to set your join and projection rules here
- Create inbound attribute flows for Flat file, join rules here
- Create the outbound attribute flows for your ADMA, join rules here
- Create an MV Extension with code like the following
if(mventry.ConnectedMAs["GroupWise"].Connectors.Count == 1 && mventry.ConnectedMAs["ADMA"].Connectors.Count == 0) { //Provisioning code }
- Import the data from groupwise (provisioning off)
- Join the existing data in AD (provisioning off)
- Then run a Full sync on one MA with provisioning on
- Export new users to AD
Take a look at this for customizing the portal.
- Edited by Cameron Zivkovic Tuesday, December 11, 2012 12:27 AM
-
Wednesday, December 12, 2012 4:15 AM
Sounds like you may have three different sets of requirements here, by the way:
1) A one-off synchronisation between your flat-file and AD
2) A one-off (or ongoing?) provisioning of all mail accounts from groupwise
3) An ongoing provisioning mechanism between the FIM Portal and AD.
Is that correct? I wasn't sure whether you wanted the groupwise part to be ongoing or not.
If so, I would recommend you do the one-off parts and the ongoing parts separately:
For one-off:
- Create the AD MA and the flatfile MA (and the groupwise MA if you want this as a one-off)
- Write some provisioning code that provisions anyone in groupwise but not in AD (as per Cameron's logic)
- project all objects from the flatfile into MV and configure flow rules in both MA's appropriately, marking flatfile as authoritative
- (for one-off groupwise) Turn provisioning off and project all objects from groupwise into MV.
- join all objects from AD to the existing objects in the Metaverse that the flatfile contributed (do not have any projection for AD MA)
- The AD MA should have a bunch of exports pending for any records that joined to those from the flatfile
- Turn provisioning on and run a full sync on groupwise MA to generate new records in AD for the 2000+
For ongoing:
- Delete the flatfile MA
- If you want groupwise to be ongoing, leave it there, else delete it if it was one-off provisioning only
- Create FIM Service MA + customise portal for user registration
- Use MV Extension code or create some Synchronization Rules in the Portal to provision FIM-Portal-created users in AD.
"the reason I ask is because eventually we will have two different departments entering information into the portal. One who will be able to enter all personal information and one that will be able to enter only telephone number and a few more fields. "
This would be fairly simple to achieve:
- Create a set of users for each department
- Create 3 MPRs: one letting all users read the necessary attributes; one letting one set modify all personal information; one letting the other set only modify the telephone/other fields.
- When customising your RCDC, you're able to specify the RightsLevel by binding to the rights level of the current user for that attribute. Eg, from the default RCDC for the FirstName attribute, you can see how they do this:
my:RightsLevel="{Binding Source=rights, Path=FirstName}"
Basically, this checks the rights level the user accessing the form has, determines whether they have read/write and displays the field appropriately (edit box for edit rights, label/display field for read only). You may be able to find more examples of that in the RCDC Reference.
- Ross
MCTS: Forefront Identity Manager 2010, Configuring
- Edited by Ross Currie Wednesday, December 12, 2012 4:16 AM
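Putting Cameron's connector-count test and Ross's one-off "provision anyone in groupwise but not in AD" step together as a complete metaverse extension, as an added example that is not code from either reply or from the original poster's environment. It uses Cameron's MA names "GroupWise" and "ADMA"; the metaverse object type "person", the attribute names accountName and displayName, the target OU and the UPN suffix are assumptions and placeholders that must be replaced with the values from your own metaverse schema and directory.

```csharp
// Added example (not from the thread): FIM 2010 metaverse extension that provisions an
// AD account for a person who has exactly one GroupWise connector and no AD connector.
// Assumed names: MAs "GroupWise" and "ADMA" (from Cameron's reply), MV object type
// "person", MV attributes accountName and displayName, placeholder OU and UPN suffix.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    private const string GroupWiseMA = "GroupWise";                         // assumed MA name
    private const string AdMA = "ADMA";                                     // assumed MA name
    private const string TargetOU = "OU=Provisioned,DC=example,DC=com";     // placeholder
    private const string UpnSuffix = "@example.com";                        // placeholder

    // ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE: the account is created disabled so
    // nobody can log on with it until a password has been set and HR has checked the record.
    private const int InitialUserAccountControl = 0x0200 | 0x0002;

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Only people are provisioned; groups and other MV object types are ignored.
        if (mventry.ObjectType != "person")
            return;

        ConnectedMA groupwise = mventry.ConnectedMAs[GroupWiseMA];
        ConnectedMA ad = mventry.ConnectedMAs[AdMA];

        // Cameron's rule: the person came from GroupWise and has no AD account yet.
        if (groupwise.Connectors.Count != 1 || ad.Connectors.Count != 0)
            return;

        // Do not create a half-formed account: both naming attributes must be present.
        if (!mventry["accountName"].IsPresent || !mventry["displayName"].IsPresent)
            return;

        string accountName = mventry["accountName"].Value;
        string displayName = mventry["displayName"].Value;

        CSEntry csentry = ad.Connectors.StartNewConnector("user");
        // EscapeDNComponent escapes commas and other DN special characters in the CN.
        csentry.DN = ad.EscapeDNComponent("CN=" + displayName).Concat(TargetOU);
        csentry["sAMAccountName"].Value = accountName;
        csentry["userPrincipalName"].Value = accountName + UpnSuffix;
        csentry["userAccountControl"].IntegerValue = InitialUserAccountControl;
        csentry.CommitNewConnector();
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        // Keep the MV object when a connector disappears; deletion is governed by the
        // MA's object deletion rule rather than by this extension.
        return false;
    }
}
```

Following Ross's sequence, this extension only fires during the full sync that is run with provisioning turned on, after GroupWise has been projected and AD has been joined with provisioning off; run it with provisioning off first and check the pending exports on the AD MA before letting it create 2000+ accounts.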
-
Friday, January 11, 2013 4:30 AM
Hi Ross,
Thank you for pointing me in the right direction. I have created both sets (HR and Telephone Service), which are currently being manually-managed members. My question is: how do I go about creating the following 3 MPRs: one letting all users read the necessary attributes; one letting one set modify all personal information; one letting the other set only modify the telephone/other fields? I have tried several times and seem to be failing. If possible, could somebody please post a sample one so I can get an idea of what goes where?
Also, regarding customizing the RCDC, which RCDC do I have to edit: Configuration for User Editing, Configuration for User Viewing, or Configuration for User Creation, or do I need to do it to all of them?
Regarding your example for FirstName, I am trying to understand where my:RightsLevel comes into play. I'm assuming from the TechNet article that you provided that I must include the following in the XML:
<my:ObjectDataSource my:TypeName="PrimaryResourceRightsDataSource" my:Name="rights"/>
Upon further review I have looked at the default Configuration for User Creation and this is what I see for FirstName:
<my:Control my:Name="FirstName" my:TypeName="UocTextBox" my:Caption="{Binding Source=schema, Path=FirstName.DisplayName}" my:Description="">
  <my:Properties>
    <my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=FirstName.Required}" />
    <my:Property my:Name="Columns" my:Value="34" />
    <my:Property my:Name="MaxLength" my:Value="128" />
    <my:Property my:Name="Text" my:Value="{Binding Source=object, Path=FirstName, Mode=TwoWay}" />
  </my:Properties>
</my:Control>
From this example, where would I substitute my:RightsLevel="{Binding Source=rights, Path=FirstName}"?
Before I forget, I want to thank you in advance for your assistance.
- Edited by epatri Friday, January 11, 2013 4:32 AM To make it more readable
-
Friday, January 11, 2013 10:43 AM
Create a SET called 'Telephone Operators' and add members to it
Create a Request MPR Called 'Telephone Operators Can edit User Telephones'
In the 'Specific Set of Requestors', select Telephone Operators
Select the Check Box 'Modify a single-valued attribute'
Select the Check Box 'Grants Permission'
Hit Next
'Target Resource Definition Before Request' should be 'All People' (This means that Telephone Operators can update telephoneNumber for all the users of FIM, if you want specific people to be edited use their SET)
'Target Resource Definition After Request' should be 'All People' (This means that Telephone Operators can update telephoneNumber for all the users of FIM, if you want specific people to be edited use their SET)
In the 'Resource Attributes' hit 'Select specific attributes' and type officePhone; mobile; mobilePhone;
Hit Next and then Submit
Here you have granted Telephone Operators permission to edit phone attributes of all the people.