FIM Service Management Agent rules extensions

  • Question

  • Hello,

    I'm working on FIM 2010 R2. I would like to define a rules extension for the FIM MA, but once I enter the MA's configuration, the "Rules extension name" box on "Configure Extensions" is grayed out. Does the FIM MA support rules extensions? What am I missing?

    Wednesday, May 8, 2013 9:33 AM

All replies

  • AFAIK, rules extensions for the FIM MA are not supported in general; this document mentions it specifically pertaining to attribute flow rules: http://technet.microsoft.com/en-us/library/jj590364(v=ws.10).aspx


    Wednesday, May 8, 2013 9:50 AM
  • We'd all love to do this!

    Unfortunately, you can't use custom rules extensions with the FIM MA.

    Major oversight, in my opinion, but I imagine it's done this way to allow the automated FIM MA provisioning to work (something I would also do optionally if I had the choice!).

    - Ross Currie


    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Wednesday, May 8, 2013 3:24 PM
  • Bob Bradley @ Unify has written a free FIM Replay MA toolset which is pretty helpful if you want to do advanced import flow rules from FIM Portal data.  For export data to the FIM Service, there's not much you can do other than transforming the data on its way into the metaverse.

    Steve Kradel, Zetetic LLC

    Wednesday, May 8, 2013 3:48 PM
  • "but I imagine it's done this way to allow the automated FIM MA provisioning to work (something I would also do optionally if I had the choice!)"

    Hi Ross,

    This is close.

    By design, from an identity object perspective, the FIM Service database represents a "writeable" metaverse.
    A "writeable" metaverse requires the metaverse data to be mirrored / replicated.

    Replication of data doesn’t require data transformations.
    This is why there is no support for rules extensions.
    For more details, see "Introduction to the FIM Service Management Agent" in Understanding Data Synchronization with External Systems.

    It would be interesting to know what the business scenarios for rules extensions on the FIM MA are.

    Cheers,
    Markus



    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation



    Thursday, May 16, 2013 6:58 PM
  • Hi,

    You should go under the "Configure attribute flow" and create a mapping with type "Advanced".

    The "Rules extension name" should be now available under the "Configure Extensions" section.

    Gael Culemme

    Thursday, May 16, 2013 10:00 PM
  • Hi,

    You should go under the "Configure attribute flow" and create a mapping with type "Advanced".

    The "Rules extension name" should be now available under the "Configure Extensions" section.

    Gael Culemme

    Yes for most MAs, but not for the FIM MA; all of the regular options that would make available the rules extension are always disabled.

    Steve Kradel, Zetetic LLC

    Thursday, May 16, 2013 10:02 PM
  • It would be interesting to know what the business scenarios for rules extensions on the FIM MA are.

    Bob Bradley, who has been given the MVP award by Microsoft for FIM, points out a few in his FIM Replay article that Steve links above:

    • Eliminate the need to configure "equal precedence" for scenarios where there is no alternative when involving the FIM MA

    There are several scenarios here (e.g. group membership for migrated groups should become authoritative in the portal post migration) which are presently not achievable without configuring equal precedence.  This is always problematic and would be good to avoid by introducing a 3rd authoritative source for group membership which can trump the others.

    • Provide a means for FIM portal attributes to be used to derive additional columns (incl. in advanced attribute flows).

    The FIM MA allows only direct 1-1 attribute flows between like object classes in the FIM Portal and the FIM Metaverse using fixed class schema.  One scenario is where you wish to join on something other than the mv GUID – e.g. on the manager attribute so as to enable flow of the manager display name (redundantly) to the subordinate.

    • Provide a means for FIM portal attributes to be used to be treated as different attribute types (incl. in advanced attribute flows).

    The FIM MA allows only direct 1-1 attribute flows between like object classes in the FIM Portal and the FIM Metaverse using fixed class schema.  This prevents the use of advanced flow rules in such cases as only flowing reference attributes based on the value of another attribute of the same identity, or flowing reference types as strings to allow for advanced flow rules.
    * Note: there is a documented alternative (advanced) for this scenario when working with Portal sync rules.

    • Provide a means to define MANUAL precedence by enabling advanced attribute flows (rules extensions) from the FIM Portal

    The FIM MA allows only direct 1-1 attribute flows, and as a result any attribute contributed by the FIM Portal cannot be included in a "manual precedence rule" when the FIM MA is the only means of sourcing this attribute from the FIM Portal.

    From my perspective, I should be able to do these things without using a work-around (which, as creative as it is, is what the FIM Replay method is).

    Further to Bob's comments, we have to keep in mind that a lot of the work-arounds to the traditional problems introduced by not using extensions in the FIM MA can be resolved by using Equal Precedence - a feature which FIM specialists have often advised against, and now that it has been deprecated, I could not in good faith put forward a solution using it, let alone call it "Best Practice".

    With regards to my other comment, regarding selective provisioning into the FIM Portal, there are several use cases for this:

    1) Licensing: In some cases, there is no reason for certain sets of users to go into the FIM Portal. The External Connector covers some of these cases, but there are still others where I would be forced to provision users into the Portal that don't need to be there, or architect my FIM solution in a less desirable fashion (consider the case of 'inactive' users: I may want them in the MV in case they return, but I don't want to pay CALs for users that no longer have an active account).

    2) Performance: It's long been known that performance on the FIM MA is pretty bad. Even with recent improvements, there is huge overhead associated with having users in the Portal that don't need to be there. These extra users not only slow down FIM Sync Service operations, but they also slow down FIM Portal operations. Not such an issue when your organisation has 20-30,000 users, but I often deal with organisations that have 50-200,000 users.

    As mentioned, in most cases I can re-architect my solution to overcome these difficulties - but I don't feel that I should have to.

    - Ross Currie


    FIMSpecialist.com | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    Friday, May 17, 2013 1:59 AM
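For readers who have not written one, the following is an added illustration (not code from the thread or from any poster) of what an advanced import attribute flow in an IMASynchronization rules extension looks like on a management agent that does expose "Rules extension name" under Configure Extensions, such as the AD MA. It implements two of the scenarios from Bob's list above: flowing a reference attribute into the metaverse as a plain string, and flowing one attribute only when another attribute of the same object has a given value. The attribute names (manager, managerDn, employeeStatus, displayName), the object type names and the flow rule names are constructed for the example; the point of the thread is that the FIM MA cannot host a rule like this at all.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example, not from the thread. Rules extension for a non-FIM MA that
// supports "Advanced" mappings under Configure attribute flow.
public class AdvancedFlowExtension : IMASynchronization
{
    // Flow rule names are constructed; they must match the names typed into
    // the "Advanced" mapping dialog of the MA.
    private const string ManagerAsStringRule = "cd.user:manager->mv.person:managerDn";
    private const string ConditionalDisplayNameRule = "cd.user:displayName->mv.person:displayName";

    public void Initialize() { }
    public void Terminate() { }

    // Members not used by this example; the interface still requires them.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }

    public DeprovisionAction Deprovision(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    public bool FilterForDisconnection(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        throw new EntryPointNotImplementedException();
    }

    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }

    // Called once per advanced import flow rule during inbound synchronization.
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case ManagerAsStringRule:
                // Scenario: flow a reference type as a string so that later
                // flow rules can compare or parse the DN. Assumes "manager" is a
                // reference attribute in the connector space and "managerDn" a
                // string attribute in the metaverse (both constructed names).
                if (csentry["manager"].IsPresent)
                    mventry["managerDn"].Value = csentry["manager"].ReferenceValue.ToString();
                else
                    mventry["managerDn"].Delete();
                break;

            case ConditionalDisplayNameRule:
                // Scenario: only contribute displayName when another attribute of
                // the same identity (employeeStatus, constructed) says it is active.
                // Otherwise leave whatever another MA with precedence contributed.
                bool isActive = csentry["employeeStatus"].IsPresent &&
                                string.Equals(csentry["employeeStatus"].Value, "Active",
                                              StringComparison.OrdinalIgnoreCase);
                if (isActive && csentry["displayName"].IsPresent)
                    mventry["displayName"].Value = csentry["displayName"].Value;
                break;

            default:
                throw new EntryPointNotImplementedException();
        }
    }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

The assembly is built against Microsoft.MetadirectoryServices.dll from the Synchronization Service installation, dropped into the Extensions folder, and then selected under Configure Extensions. On the FIM MA that last step is the one the original question found disabled, which is why the scenarios above end up needing the FIM Replay work-around or Equal Precedence instead.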