none
Attribute change notifications (msidmCompositeType problem) RRS feed

  • Question

  • Hello!

    I'm looking how I can track changes history in MIM. We decided to send email notifications andout what was changed.

    Yes, I know about SCSM, but looking for more simple solution.

    So, which notifications are needed:

    1.Change in HR DB attribute from 1 to 0 -> generate email to user or user's manager about this change. I think that I can use set and workflow for this, but can't buid a logics fot it.

    2. Change in users name/surname  -> generate email to user or user's manager about this change. How it can be done?

    3. Information letter to administrator about changes, what happened in AD to user account (change of all attributes, like displayName, first name and so on).

    Thanks!


    1



    • Edited by alexiszp Monday, January 16, 2017 3:15 PM
    Friday, December 23, 2016 3:47 PM

All replies

  • 1. Create two sets, one for users where the attribute = 0, and one where the attribute = 1. Create a request MPR that fires on update to that attribute. Set the before set to 1 and the after set to 0. You can attach your notification workflow to that MPR.

    2. Create a request MPR that fires when the surname or username attributes change. You can attach your notification workflow to that MPR.

    3. Have a look at the default approval notification email templates. There are a couple of built-in WorkflowData fields you can use to put the changes in to an email.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Saturday, December 24, 2016 2:08 AM
    Moderator
  • Brian, thanks for helping.

    So, what I have now:

    1. If I manually update my user account in MIM portal I get a email notification, where I'm using [//RequestParameter/AllChangesActionTable]. I can see there only 2 new values. I have found a solution that I need to use notification in AuthZ phase of MPR. Can somebody give me an example how it can be done? But in another sources I see that this will not work with Requestor "Forefront Identity Manager Service Account". Is it so? 

    2. I can get email notification if values are changed on MIM portal, but if values are going from HR DB I get error PostProcessingError "This unknown request parameter cannot be proceeded" from Requestor "Forefront Identity Manager Service Account". I have added this Requestor to a newly created set "All Peoples" as manually member (I think that it is better to do this than to make "All Resources" requestor). 

    After solution will start to work I will document it in this topic.

    Thanks to all!


    1

    Tuesday, December 27, 2016 2:43 PM
  • So, now I can receive notifications about User attributes which were changed on Portal.

    I'm using for User changes a Request MPR and Transition In MPR with set for atributes which can change 0->1->...

    But when I try to get such notifications from changes in HR DB I get errors:

    As I understand my changes are matched to 3 MPRs:

    And in Server Logs:

    Warning 28-12-2016 15:46:35 Microsoft.ResourceManagement 2 None

    System.InvalidOperationException: This unknown request parameter cannot be processed.

       at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)

       at Microsoft.ResourceManagement.WFActivities.Resolver.ConstructAllChangesActionTable(String parameters)

       at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveAttribute(String match, Boolean isFunctoidArg, ResolverOptions resolveOptions, String& attributeName)

       at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorWithoutAntiXSS(String match, ResolverOptions resolveOptions)

       at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorForWithAntiXSS(String match, ResolverOptions resolveOptions)

       at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceMatches(String input, Boolean useAntiXssEncoding, ResolverOptions resolveOptions)

       at Microsoft.ResourceManagement.Workflow.Hosting.EmailNotificationServiceImpl.ResolveMailMessage(Guid requestId, Guid targetId, Guid actorId, Dictionary`2 workflowDictionary, String toLine, String ccLine, String bccLine, Guid emailTemplateIdentifier, EmailResolutionOptions options, String& failedToResolvePrincipals)

       at Microsoft.ResourceManagement.Workflow.Activities.EmailNotificationActivity.ResolveMail(Object sender, EventArgs e)

       at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)

       at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)

       at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)

       at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)

       at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)

       at System.Workflow.Runtime.Scheduler.Run()


    Does somebody have any ideas?


    1

    Wednesday, December 28, 2016 8:45 PM
  • Any ideas, even stupid :) are welcomed.

    Thanks!


    1

    Thursday, December 29, 2016 12:22 PM
  • After some investigation I have located my problem and found this article:

    https://social.technet.microsoft.com/wiki/contents/articles/23191.handling-a-composite-type-request-for-multivalued-attributes.aspx

    I have changed MIISServer.exe.config to false value and restarted IIS and  Forefront Identity Manager Server Service, but problem is still exists.

    Can somebody help with this problem?

    Thanks!


    1

    Monday, January 16, 2017 3:19 PM
  • You don't need to turn of aggregation if you are using MIMWAL activities. Not a good idea, but with aggregation turned of, it should have worked for you, so I suggest you test with one MPR enabled at a time to identify which WF is failing.
    Tuesday, January 17, 2017 9:55 AM
  • I know which Workflow is falling.

    It is a pretty simple with one activity.

    Workflow(Change User Attribute):

    Workflow type=Action

    Activities=Send an Email Notification to user with changed attributes.

    MPR:

    Type = Request

    Requestors= All People (with FIM Service account)

    Operations=Create Resource + Modify a single valued attribute

    Permissions = False

    Target Resource Definition Before Request = All People (with FIM Service account)

    Target Resource Definition After Request = All People (with FIM Service account)

    Resource Attributes = All Attributes

    Policy Workflows = Action Change User Attribute

    I don't using MIMWAL at this workflow and somewhere in my project, but planning to use in future.

    But, I have changed agregation type to "false" and problem is not resolved. Services were restarted.


    1

    Tuesday, January 17, 2017 10:19 AM
  • So are you seeing individual requests in the request history now or still a single composite request? Also what error are you getting now?
    Tuesday, January 17, 2017 11:03 AM
  • Error is same, from Composite type Request, you can see it at attached screenshots.

    Requests:

    Details from "Update" Request

    Request Parameters

    System Event Request:

    Request Parameters:


    But even with composite type request it must be working, becouse this is standart feature, so I can't understand what is wrong.


    1

    Tuesday, January 17, 2017 12:47 PM
  • And Reuest Status Details


    1

    Tuesday, January 17, 2017 12:48 PM
  • What does the new entry look like? It should be like <resourceSynchronizationClient aggregate="false"/> and in a uncommented section. Also you'll need to restart the Sync server and try the export again. You should then see individual requests in the FIM Service request history. I'm not sure if this is supposed to work OOB with composite requests (most likely not from the error you are getting), but once you start getting individual request, any further troubleshooting with be much easier.
    Tuesday, January 17, 2017 5:14 PM
  • New entry looks like:

    As I understant commenting is inside <!-- and --> construction, so I wroted it outside.

    Again, I get the same error with composite requests:


    1

    Wednesday, January 18, 2017 10:55 AM
  • There is a default active empty section <resourceSynchronizationClient/>. you should edit the existing one than creating a new one. Just find and replace??
    Wednesday, January 18, 2017 11:09 AM
  • Yes, I have tried this at previous step, and situation is same.

    Thanks!


    1

    Wednesday, January 18, 2017 11:50 AM
  • The problem is in Email Notification (it's funny).

    Notification is using [//RequestParameter/AllChangesActionTable]  to show changes to user account.

    If we are using simple "text" notification - it is working, but without list of changes it is almost useless.


    1

    Thursday, January 19, 2017 12:28 PM
  • Do you really want to send an e-mail when any attribute changes or just some of them, e.g. name?

    If it is just something like name changes you change the MPR to fire off these attributes and phrase the email something like:

    User [their ID] name has changed, the new values are:

    Lastname: [//Target/LastName] 

    Firstname: [//Target/FirstName]

    You would then have to have separate MPR+WF+Email template for each attribute change. Not ideal, but would get you further.

    Note: Even if you get [//RequestParameter/AllChangesActionTable] working it will only show the new values and not the old ones.

    Friday, January 20, 2017 10:18 AM