Tuesday, 24 February 2015

FIM2010: Filter objects on export

Intro

FIM allows you to filter objects on import through filters in the connector configuration. The same functionality is not available on export. There are two methods available to provision a selected set of objects to a target system through synchronization rules. This article briefly describes these two mechanisms and also describes a third one that uses provisioning code.

Synchronization Rules

Synchronization rules allow codeless provisioning. They also give you control over the population of objects you want to create in a certain target system.

Triplet

The first way of doing this is by defining a set of objects, a synchronization rule, a workflow that adds the synchronization rule to an object and a Management Policy Rule (MPR) that binds them together. In the set definition you can define filters. You can select a limited population of objects by configuring the correct filter on the set.

Scoping filter

The second method defines the filter directly on the synchronization rule, so you do not need a set, workflow and MPR. You simply define the conditions the target population needs to satisfy before they can be provisioned to the target system.

Coded provisioning

Coded provisioning allows for very complex provisioning and it is also the only option on projects where you use only the Synchronization Engine. What follows is only a portion of a more complex provisioning strategy:
  • Define an XML structure
  • For each connector that requires filtering on export, define the filters in XML
  • Make sure to use the same name for all connector configuration files and save them in their respective MaData folders
  • In the provisioning code, load all configuration files
  • For each object you consider for provisioning, check the filter

Sample configuration file

<Configuration>
  <MaConfiguration Name="AD MA">
    <Export-Filters>
      <Filter Name="DepartmentFilter" IsActive="true">
        <Condition Attribute="Department" Operation="Equals" IsActive="true">Sales</Condition>
      </Filter>
    </Export-Filters>
  </MaConfiguration>
</Configuration>

Sample source code

The following code is not functional on its own, but it gives you an idea of what the complete implementation can look like:
// A filter passes only when all of its conditions are true.
private bool checkFilter(MVEntry mventry, Filter filter)
{
  foreach (FilterCondition condition in filter.Conditions)
  {
    // Return false if one of the conditions is not true.
    if (!checkCondition(mventry, condition))
    {
      return false;
    }
  }
  return true;
}

// Evaluates one condition against the metaverse attribute it names.
private bool checkCondition(MVEntry mventry, FilterCondition condition)
{
  string attributeName = condition.Attribute;
  if (mventry[attributeName].IsPresent)
  {
    if (mventry[attributeName].IsMultivalued)
    {
      // The first value for which the operation gives a definite result decides.
      foreach (Value value in mventry[attributeName].Values)
      {
        bool? result =
          condition.Operation.Evaluate(value.ToString());
        if (result.HasValue)
        {
          return result.Value;
        }
      }
      return condition.Operation.DefaultValue;
    }
    else
    {
      bool? result = condition.Operation.Evaluate(mventry[attributeName].Value.ToString());
      if (result.HasValue)
      {
        return result.Value;
      }
      return condition.Operation.DefaultValue;
    }
  }
  // Attribute not present: fall back to the operation's default.
  return condition.Operation.DefaultValue;
}
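
The steps "load all configuration files" and "check the filter" can be tried outside the Synchronization Engine with the added example below, which is not the author's code: it parses XML shaped like the sample configuration file and evaluates it against a plain dictionary that stands in for an MVEntry. The names ExportFilterDemo, ShouldExport and CheckCondition are hypothetical, and the semantics are assumptions: "Equals" is a case-insensitive comparison, every active filter must pass, a missing attribute fails the condition, and a connector without an MaConfiguration element is not filtered.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class ExportFilterDemo
{
    // Constructed sample: same structure as the sample configuration file.
    const string SampleXml = @"<Configuration><MaConfiguration Name=""AD MA""><Export-Filters>
      <Filter Name=""DepartmentFilter"" IsActive=""true"">
        <Condition Attribute=""Department"" Operation=""Equals"" IsActive=""true"">Sales</Condition>
      </Filter></Export-Filters></MaConfiguration></Configuration>";
    static bool IsActive(XElement e) { return (bool?)e.Attribute("IsActive") ?? false; }
    // Assumption: a missing attribute fails the condition; any matching value passes it.
    static bool CheckCondition(IDictionary<string, string[]> entry, XElement c)
    {
        string[] values;
        if (!entry.TryGetValue((string)c.Attribute("Attribute"), out values)) return false;
        switch ((string)c.Attribute("Operation"))
        {
            case "Equals":
                return values.Any(v => string.Equals(v, c.Value, StringComparison.OrdinalIgnoreCase));
            default: // unknown operation: stop instead of exporting by accident
                throw new NotSupportedException("Unsupported export filter operation");
        }
    }

    // Assumption: every active filter must pass; a connector without a
    // MaConfiguration element is treated as not filtered on export.
    public static bool ShouldExport(XDocument config, string maName, IDictionary<string, string[]> entry)
    {
        XElement ma = config.Root.Elements("MaConfiguration")
            .FirstOrDefault(m => (string)m.Attribute("Name") == maName);
        if (ma == null) return true;
        return ma.Descendants("Filter").Where(IsActive)
            .All(f => f.Elements("Condition").Where(IsActive).All(c => CheckCondition(entry, c)));
    }

    public static void Main()
    {
        XDocument config = XDocument.Parse(SampleXml);
        var sales = new Dictionary<string, string[]> { { "Department", new[] { "Sales" } } };
        var hr = new Dictionary<string, string[]> { { "Department", new[] { "HR" } } };
        var noDept = new Dictionary<string, string[]>();
        Console.WriteLine("Sales: " + ShouldExport(config, "AD MA", sales));
        Console.WriteLine("HR: " + ShouldExport(config, "AD MA", hr));
        Console.WriteLine("No department: " + ShouldExport(config, "AD MA", noDept));
    }
}
```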

1 comment:

Jinal said...

I am quite new to FIM but my requirement is somewhat similar.

I am maintaining multiple system permissions (Group) and their members. Member information (like StudentName, Branch etc.) is the same, just the permission is different per user and per system.

It is like one table for user basic information and another for its permission. Now the permission depends on the system.

Example
User Basic Info
samAccountName Full Name
U1 - Test User

User Permission
U1 - System1 - Permission1
U1 - System2 - Permission2

Here you can assume that System1 and System2 are the names of the AD and Oracle MAs.

Now during export only System1 related permissions get exported to AD. System2 related permissions get exported to Oracle.

Any help would be appreciated.