best practice for calculate username in workflow

    Question

  • Hello!

    Is there a best practice regarding calculating usernames in workflow actions/rules? It seems everyone is doing this differently. I want to create a username at import from the HR MA, check if it already exists and if not provision the account.

    1 char from Firstname + 7 chars (max) from surname, and if accountname exists, append a digit to make it unique.

    Can you share your tips and possible actions that you are using to resolve this? 

    Have a great day
    Tobias Wallenqvist
    Sweden

    Sunday 24 March 2013 09:19

Answers

  • It depends what you mean by unique, and what the state is of your Active Directory.

    There are two general approaches to this:

    1) Confirm the username is unique in FIM

    2) Confirm the username is unique in AD

    In one camp, you have the argument that "under best practice", any query to an external system should go through the established Framework, ie, the Management Agent. And so 1) is the only suitable option. To facilitate this, you would need to ensure that any accounts which might clash with your naming standard need to be brought into FIM.

    In the other camp, you have the argument that "under best practice", FIM should guarantee that an account name is unique in the target system by querying the target system. And that there may be legitimate reasons why certain user accounts should not be brought into FIM - eg, administrator accounts, etc.

    I tend to follow the first approach, as my thought is:

    - I don't want any synchronisation rules having a dependency external to FIM.
    - If an account shouldn't be managed by FIM, such as administrator accounts or service accounts, it should have a different naming standard to regular users anyway

    The way I generally do this is on import into the Metaverse. In the IAF I search the Metaverse to see if the username already exists. This is obviously only possible using the Management Agent Rules Extensions, not the declarative synchronisation rules.

    Hope that helps

    - Ross Currie


    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Monday 25 March 2013 02:54
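The naming rule from the question (1 char of first name + up to 7 chars of surname, digit appended on collision) combined with the Metaverse existence check Ross describes doing in the import flow, as an added example that is not code from this thread. It is a Python sketch, not a FIM rules extension: the Metaverse lookup is replaced by a caller-supplied `exists()` predicate and a constructed `MetaverseStub`, and it assumes diacritics are folded to ASCII and that the suffix keeps counting past 9, neither of which the thread specifies.

```python
import unicodedata
from typing import Callable


def ascii_letters_only(value: str) -> str:
    # Fold diacritics (Swedish å/ä/ö -> a/a/o), keep letters only, lower-case:
    # directory account names compare case-insensitively, so the check must too.
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(ch for ch in decomposed if ch.isascii() and ch.isalpha()).lower()


def base_username(first_name: str, surname: str) -> str:
    # The rule from the question: 1 char of first name + up to 7 chars of surname.
    first, last = ascii_letters_only(first_name), ascii_letters_only(surname)
    if not first or not last:
        raise ValueError("first name and surname must each contain a letter")
    return first[0] + last[:7]


def unique_username(first_name: str, surname: str,
                    exists: Callable[[str], bool], max_attempts: int = 1000) -> str:
    # `exists` stands in for the Metaverse search in the import flow. Assumption:
    # after nine collisions the suffix keeps counting (10, 11, ...); the thread
    # does not say. 8 letters + suffix stays under AD's 20-char sAMAccountName limit.
    base = base_username(first_name, surname)
    if not exists(base):
        return base
    for n in range(1, max_attempts):
        candidate = f"{base}{n}"
        if not exists(candidate):
            return candidate
    raise RuntimeError(f"no free username for {base!r} in {max_attempts} attempts")


class MetaverseStub:
    # Constructed stand-in for the Metaverse: a case-insensitive set of taken names.
    def __init__(self, taken):
        self.taken = {name.lower() for name in taken}

    def exists(self, name: str) -> bool:
        return name.lower() in self.taken

    def provision(self, first_name: str, surname: str) -> str:
        # Generate, reserve and return a username, as the IAF would on import.
        name = unique_username(first_name, surname, self.exists)
        self.taken.add(name)
        return name


if __name__ == "__main__":
    mv = MetaverseStub(["twallenq", "TWallenq1"])  # constructed sample data
    print(mv.provision("Tobias", "Wallenqvist"))  # twallenq2
    print(mv.provision("Anna", "Öberg"))          # aoberg
```

Reserving the name in the same step that checks it is what keeps two imports in one run from both being handed the same free candidate.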

All replies

  • Hello Ross and thanks for your input.

    I have reviewed some code that other people have set up; I have seen workflow actions connecting via LDAP to an AD to look for a username. I have also seen an action that creates the username via a regexp thingie; duplicates are often common.

    I feel there is no standard in creating usernames. It's up to the rule creator to come up with a new way every time.

    /T

    Monday 25 March 2013 06:07
  • I feel there is no standard in creating usernames. It's up to the rule creator to come up with a new way every time.

    That's correct. Keep in mind it also depends on the requirements of your organisation, and this may be why there's no standard way.

    For some organisations, the username is defined by the source application - eg, a staff ID or a student number - and so there's no requirement to generate a unique username in the first place.

    Other organisations either don't have a unique value, or want to generate a "user friendly" value and then it comes down to what level of overhead you're willing to accept.

    If you've architected your FIM solution in a certain way, you may not need to query the external directory. You have to ask yourself if you are happy with the result in this case.

    Alternatively, the overhead associated with querying an external directory may be low enough to do so. But what if you have multiple directories? Does your username have to be unique across all of them? How much overhead are you willing to accept to query each of them?

    It comes down to what level of certainty do you require, and how much overhead can you accept.

    - Ross Currie


    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Monday 25 March 2013 06:31
  • Yes, I have reviewed all of those questions. In this and the other cases I have looked at, there is only one FIM towards one directory and some additional systems/agents. Nothing complicated. I have recommended using the username provided by the HR system, but they need a specially crafted one.

    I will create a custom action that fits my unique needs.. :)

    Monday 25 March 2013 06:35
  • As a way-out idea.. and most likely it is not possible, but it might be...

    Using ASP.NET, interrogate AD to determine a unique samaccountname given first and last names as input.

    The logic in the aspx page can be what you feel is needed and a valid, unique samaccountname can be displayed.

    This aspx page could then be added to the Navigational Bar as a new resource. So an admin can just click the link and provide names and get a valid accountname back on demand.

    Not sure just what is allowed as a custom .aspx and FIM

    Monday 25 March 2013 12:28