Upper limit on Filter Scope Configuration Configuration

Posted on June 19, 2009 by bobbradley1967
I’ve been working for the past fortnight or so on a FIM POC, and getting myself very well aquainted with the nuances of RC0 .  Most of the issues we’ve hit so far have been documented to some extent by the likes of David Lundel & co, but today we came across something that had us stumped for a couple of hours until we realized what the issue must be … an (apparently) undocumented upper limit on the number of Allowed Attributes that you can add to a filter scope, which appears to be 254.
My MS colleague had been extending the schema with some attributes of our own for the POC, and found that every time he got to a certain point of adding them into the Admin filter scope, the next time he returned to the scope definition he was presented with an error – and from that point onwards the filter scope cannot be edited.
He discovered that a work-around was to delete the custom attribute entirely, but we had both assumed that the problem was with the schema and not the filter definition itself.  I had noted that the Application Event log was full of "Event 5, System.ServiceModel 3.0.0.0" (Message Logging task) messages complaining about a "Diagnostics.PlainXmlWriter+MaxSizeExceededException".
We put 2 and 2 together and figured that there might be an upper limit on the number of attributes – so we’ve implemented a work-around whereby we define an "Administrator Filter Scope Ex" (in addition to the default Administrator Filter Scope), and include our additional bound schema attributes in there.  These are then appended as an additional AuthZ workflow item, thereby allowing our new schema attributes to appear in the Attribute drop down lists.
Hopefully this one will be resolved by RC1 …
Posted in FIM (ForeFront Identity Manager) 2010 | Tagged | Leave a comment

XPath

Posted on February 19, 2009 by bobbradley1967

A friend of mine was finding himself drawn (somewhat against his will) into the world of XPath today when BizTalk started complaining about something called a Loop Path.  It reminded me that with the advent of ILM2 codeless provisioning we are all about to dust off our XPath skills again, and that an excellent intro resource for this is w3schools.  It also reminded me of a very cool utility a mate had sent me some years ago called XPath XPress.  I’ve attached an archive of this (.Net 1.1) utility here: XPathTester.zip.  I couldn’t find any copyright text anywhere, and it is just a tool … but if there’s any issue with me posting this here I’ll just remove it later.

Posted in XML Programming | Tagged , | Leave a comment

Conditional Operation Execution

Posted on February 19, 2009 by bobbradley1967
Before I go on to discuss Incoming Change Detection, one of the lesser understood features I’ve been using recently is the ability to jump to a label in an OpList on evaluation of a condition.  Such an OpList might look something like this:
 
In the above example, whenever a pending export is detected for my "Northwind MOSS UPMA", in addition to running the standard Export operation, I’m conditionally running a full import/delta sync on the same MA.  The condition I am testing for is the presence of unconfirmed deletes in the ILM connector space (CS) of my MA, whereby the "SQL Changes Plugin" returns true if a result set is returned from my SQL query on the ILM database.  If the result is true, I proceed to execute the additional run profile operation, otherwise I bypass it with a "GOTO" label.  Sure it’s a bit passe to see the good old VB "on condition goto label" style construct again, but as far as the (necessarily) linear OpList model is concerned it actually makes perfect sense in this context.
 
Another example of where I have used this mechanism (only today actually) is to handle a special situation where I want to disconnect and reconnect a CS object.  In my case the disconnect needs to happen on a delta import/delta sync (incoming) when a certain attribute change has been made.  At this point I use a similar construct to detect the presence of the new disconnector after the first operation has completed, and run a delta sync if my (SQL) test returns true.
 
So here we have some basic flow control logic that can be implemented in any Event Broker OpList, so remember this feature the next time you want a variaton in behaviour based on a simple condition test – and any of the "Change Detection" plugins can be used here for this purpose.
Posted in Event Broker for FIM 2010 | Leave a comment

Change Detection – Outgoing

Posted on February 12, 2009 by bobbradley1967
There are basically two key concepts which make Event Broker the ideal "orchestrator" for any ILM/MIIS solution – its ability to invoke "inbound" flows (import/sync – ideally deltas) on detecting changes in a connected directory (CD), and to invoke "outgoing" or "outbound" flows (export) on detection of changes (pending exports) within an ILM management agent (MA).  I’ll talk about the most obvious of the two (to me at least) to start with – Outgoing.
 
One of the features that was shelved for ILM2 was the concept of automatically triggering export run profiles whenever pending exports were present.  The reason that I was given as to why this didn’t make it into ILM2 was that this wasn’t as high a priority as the other features new to ILM, and was more of a "nice to have".
 
I’ve had always thought that this would have been almost a "no brainer" – but thinking about it some more, ILM would probably need to have an additional service in the mix to fire the exports, and if it’s going to have that, it might as well have the ability to handle pre and post processing (as per the concept used within the MIIS toolkit "sequencer" component).  Then there might be a need to handle conditional flows – e.g. if this condition, do something, else do something else.
 
Well while we wait for ILM3 to come along, rest assured that in the meantime you can do all of the above with Event Broker right now.
 
Simple Export Oplist
 
The simplest case is to set up an automatically fired export run profile for say an Active Directory MA – in my case my MA is called "Northwind AD MA" – as follows:
 
 
With all Event Broker operation configurations, the model is always to work with a list of operations (or an "Oplist").  In the above case the MA has an "Outgoing" Oplist with the "Autorun on Outgoing Provisioning Pending" checkbox is ON (the default for Outgoing).  When the Oplist was first created it was empty, and the only action required to achieve the desired outcome was to add a run profile operation via a dialog box as follows:
Clicking "Run Profile" raises a second dialog box which allows you to select any of the configured run profiles for the MA in context (in this case Northwind AD MA).
Note that there is nothing to prevent you from selecting from any MA, and any of its run profiles – however, the desired configuration requires only the selection of "Export" from the above list.
 
Advanced Export Oplist
 
It is possible to build on the above example by adding additional steps to the Oplist.  One such example is to set up what we ILM folk know as a "confirming (delta) import".  Now it’s true that if you have an Incoming Oplist configured for all delta imports that such a configuration is most likely doubling up.  However there are some examples where it is best to fire the confirming delta import/sync run profile immediately after the export.  In the case below, there is a need to handle an exported DELETE as a special case …
 
 
In the above I have followed on from a (successful) Export step with the execution of a special "SQL Changes Plugin", whereby the selected operation was not "Run Profile" as before, but "Plugin" – from which the SQL plugin was selected from a list of available plugins which will be discussed at a later stage.  Each operation in an Oplist has a common set of "General Properties", including an action to take based on the result of the operation (in this case the returned boolean value from the plugin).  The SQL plugin has been used to chack the ILM MA connector space for the presence of unconfirmed exported deletions, returning TRUE if these are found, otherwise FALSE.  In this case the requirement is to run a Full Import / Delta Sync run profile after every delete, otherwise do nothing (and wait for the Incoming Oplist to fire the delta import/delta sync).  This is achieved by setting up a "Label" (the third and final category of operation selected from the dialog), and using the following General Properties settings to ensure that processing bypasses the Full Import / Delta Sync if there are no deletions detected:
 
 
That’s enough on Outgoing for now … there’s a lot to cover, but this will be fleshed out in due course.  The next installment will be on "Incoming" change detection.
Posted in Event Broker for FIM 2010 | Leave a comment

Event Broker and ILM2

Posted on February 4, 2009 by bobbradley1967
Well that’s satisfying … today at the ILM2 course I found that Event Broker works beautifully with ILM2 without any changes being required to the code base .  Awesome!  Even better I was able to get delta imports firing from the MSILM database only when changes to data/rules in the ILM portal were ready to flow in to the MIIS engine.  As a result the Operations History showed just a chronological history of real changes to the ILM portal as they were detected (near) real time and synchronised with AD and ADLDS in the lab.
 
I ran this by the presenter who I’m sure was politely obliging me at first, and he totally understood the revolutionary impact this will have on the ILM2 world – given that the alternative (use of a VB script to fire a fixed import/sync/export cycle on a 1 minute timer) was a great way to clog up the Operations History and make it very hard indeed to separate real changes from ghost ones  (e.g. in one hour of the lab this equated to reducing the run history from 6 x 60 = 360 runs down to a couple of dozen.  Once I’d calibrated the listener to work efficiently with the HyperV environment, I was getting ILM portal updates being applied to AD and ADLDS (with confirming imports) within 10 seconds.
 
I’ve attached screenshots to this blog entry on how to configure the Check operation (incoming OpList) for each of the
  • MSILM
  • AD, and
  • ADLDS changes plugins required for the ILM2 lab.

Over the remaining 2 days of the ILM2 course I expect I’ll come up with ways to further refine these – for example, working out how to deal with the data from the ILM portal (MSILM MA) differently based on whether it’s rules (which seem to require full syncs on each MA subsequent to any import) or data (which only need a delta import/delta sync).  I’m thinking that there may be a case for splitting these into 2 – i.e. partitioning into an ILM rules MA and an ILM data MA, simply to allow the correct sync flows to occur.  Will ponder this some more … but one thing is for sure, and that is the case for using Event Broker with ILM has never been stronger.

That’s all … just wanted to share my Eurika moment with you … I’m thinking that there’s going to be quite a deal of interest in our "companion" service for ILM now.

Posted in Event Broker for FIM 2010 | Leave a comment

Event Driven (ED-) ILM not a pipe dream

Posted on January 28, 2009 by bobbradley1967
It’s been a worn out recording for most of us at UNIFY … trying to make the point that ILM works very nicely in Event Driven (ED) mode thankyou very much, and doesn’t have to be dumb and run on a schedule like all the other kids do it.  Nice to see that finally the worm is starting to turn as IdM architects looking to swap over to the Microsoft IdM platform (ILM) around the world are starting to show interest in our Event Broker (EB, formerly UNIFYNow) for ILM.
 
In starting out this (long overdue) blog, my intended audience is three-fold:
  • long time MIIS/ILM implementors who might see the benefits of a different approach to the BOG standard deployment
  • past and present UNIFY customers who already have ED-ILM but could probably do with a few more pointers
  • those looking at ILM for the first time and noticing the hole where the ED- bit is supposed to be (which is part-and-parcel of the other mainstream products such as Novells NIM)
I’d really love to know what exactly it is that has been preventing this from catching on.  Maybe people have to work with ILM first before they understand?  Maybe it’s ease of use?  Maybe it’s price (although I’d like to think that’s surely not the case).  Maybe its a combination of things.  Whatever it is, I’m trying to get to the bottom of it, and this year plan to devote a good number of posts to this subject in the hope that the sound of pennys dropping will be deafening .  The rebranding from UNIFYNow to Event Broker is all about reaching you the audience out there with something a little more meaningful in a name.  The fact is that until now it has been something we at UNIFY have tended to implement ourselves, partly because it has fallen in the "too hard" basket, but mainly because we haven’t had the bandwidth to take this to the world properly.  Time to change that!
 
As a prelude to these, I’d simply like to point out that the past 12 months have seen me focus my attention on another one of our UNIFY products in SharePoint Broker (SB) for ILM, where we hook up the MOSS2007 User Profiles to ILM independently of AD and give them a new leash on life.  In the process of doing so we found that people actually got the whole ED thing by conceptualising the SharePoint Broker value proposition.  The only way the SB model was ever going to work was if it was in NRT (near real time), so we found there was never any question that both SB and EB go together to achieve the desired outcome of automated bi-directional user profile management for MOSS (see the attached diagrams Point-Point Sync vs. MOSS under ED-ILM).
 
Well now we’ve come full circle and realised that there are a lot of people wanting to know how to turn ILM into ED-ILM.  I’m hoping I can show you how, beyond the marketing pre-amble that you will find on our website at UNIFY Solutions.  First installment coming shortly …
 
Cheers.
Posted in Event Broker for FIM 2010 | 1 Comment