How Rules Extensions Are Called

To understand when a rules extension is called, you have to understand how identity information is processed by Microsoft Identity Lifecycle Manager 2007, Feature Pack 1. Identity Integration Server processes identity information by creating an integrated view of the information in the connected data sources. This integrated view is then appropriately distributed so that all objects in the connected data sources contain this integrated view as appropriate.

Synchronization Process

Creating and distributing identity information in Identity Integration Server is known as the synchronization process. The synchronization process is composed of these steps:

  1. Inbound synchronization—creates and updates the integrated view of the identity information from the connected data sources. Inbound synchronization begins in the connector space and ends in the metaverse.
  2. Outbound synchronization—distributes the integrated view of the identity information to all the connected data sources. Outbound synchronization begins in the metaverse and ends in the connector space.

The synchronization process is started from a full or delta synchronization step in a run profile. The process begins with inbound synchronization to determine if and how identity data needs to be processed from the connector space to the metaverse. In inbound synchronization, the synchronization process uses the synchronization rules to perform the following tasks between the connector space and metaverse:

  • Create or delete connector space and metaverse objects.
  • Process connector space and metaverse objects as a result of adding or removing links between objects.
  • Flow identity information from the connector space to the metaverse.

Only after inbound synchronization is completed can the outbound synchronization step begin. Outbound synchronization distributes the integrated view from the metaverse to the connector space. This view may be exported to the connected data source. Because an object in a connector space represents the identity information in a connected data source, this object contains only the attributes from that connected data source. Identity Integration Server distributes only the values for the object attributes in that connector space partition.

In outbound synchronization, the synchronization process uses the synchronization rules to perform the following tasks between the metaverse and connector space:

  • Create a new connector space object as a result of a change in the metaverse object.
  • Link a metaverse object to an existing connector space object.
  • Process connector space objects as a result of removing the link between the metaverse and connector space objects.
  • Flow identity information from the metaverse to the connector space.

Synchronization Rules

The synchronization process is controlled by the synchronization rules. The synchronization rules are defined through declarative rules and the rules in a rules extension. The synchronization rules are used by the synchronization engine of Identity Integration Server as part of the synchronization process to create and distribute the integrated view.

Important  The synchronization rules are used by Identity Integration Server according to the state of the connector space or metaverse object rather than in a predetermined order. Configure your rules based on the state of the object rather than the rules being called in a predetermined order.

The following diagram shows how the different synchronization rules are applied to the connector space and metaverse.

Synchronization rules

  • Object Deletion Rule. The object deletion rule is used during inbound synchronization to determine how to process a metaverse object when the link is removed between the connector space object and the metaverse object. When an object deletion rule is configured in Identity Manager to use a rules extension, the synchronization process calls the IMVSynchronization.ShouldDeleteFromMV method in a metaverse rules extension to determine when to delete a metaverse object. For example, you can set a rule that deletes the metaverse object once a specified length of time has passed since the employee was terminated.

  • Connector Filter Rule. The connector filter rule is used during inbound synchronization to determine if a connector space object will be further processed. When a connector filter rule is configured in Identity Manager to use a rules extension, the synchronization process calls the IMASynchronization.FilterForDisconnection method implemented in a management agent rules extension. You can use this method to create sophisticated filters that determine whether the attribute values of a connector space object will be further processed. For example, you can create a filter that allows only connector space objects with an employee status attribute value of active to be processed. Any connector space object that does not have an active value for the employee status will not be processed.

    Note  This rule is always used in the synchronization process.

  • Join Rule. The join rule is used during inbound synchronization to search for an existing metaverse object that can be linked to a connector space object. When a join rule is configured in Identity Manager to use a rules extension, the synchronization process calls the IMASynchronization.MapAttributesForJoin method implemented in a management agent rules extension to generate a list of attribute values that is used to search for an existing metaverse object. If one or more metaverse objects are found, the IMASynchronization.ResolveJoinSearch method is called to determine which metaverse object will be joined to the disconnector object.

  • Projection Rule. The projection rule is used during inbound synchronization to create a metaverse object and link this object to the connector space object. When a projection rule is configured in Identity Manager to use a rules extension, the synchronization process calls the IMASynchronization.ShouldProjectToMV method implemented in a management agent rules extension to determine whether a new metaverse object should be created for the connector space object.

    Note  This is the only synchronization rule that creates a metaverse object.

  • Import Attribute Flow Rule. The import attribute flow rule is used during inbound synchronization to flow identity information from the connector space object to the metaverse object. When an import attribute flow rule is configured in Identity Manager to use a rules extension, the synchronization process calls the IMASynchronization.MapAttributesForImport method in a management agent rules extension to flow one or more attribute values from a connector space object to the metaverse object. For example, the name of an employee may be defined by two separate attributes in the connector space, firstname and lastname, while the metaverse object has a single fullname attribute that contains the employee's complete name. In this method, you can combine the firstname and lastname attributes into a single value for the fullname attribute.

    Avoid designing flow rules that rely on declarative rules or rules in a rules extension to be evaluated in a specified order when synchronizing an object. Rules are evaluated in an unordered fashion. Use the state of an object to determine the next step in synchronizing the object rather than the event that caused the object state. The state of an object is determined by the Value property of a specified attribute. For example, an employee can have an active or inactive state based upon the employeeStatus attribute. The state of that employee can be determined by viewing the Value property of the employeeStatus attribute. An employee with an active state has an employeeStatus of active, while an inactive employee has an employeeStatus of inactive. For more information about object state, see Provisioning Objects in the Connector Space.

    For an example that demonstrates an implementation of the IMASynchronization.MapAttributesForImport method in a rules extension, see Example: Creating a Unique Naming Attribute in the Metaverse.

  • Provisioning Rule. The provisioning rule is used during outbound synchronization to create new connector space objects or to connect to or disconnect connector space objects as a result of a change to a metaverse object. When a change occurs in a metaverse object, the synchronization process calls the IMVSynchronization.Provision method in a metaverse rules extension. Use this rule to create new connector space objects and attribute values to be exported to other connected data sources.

    Note  This is the only rule that you cannot configure in Identity Manager. You must use a metaverse rules extension for the provisioning rule.

    For examples that demonstrate an implementation of this method in a rules extension, see Provisioning Objects in the Connector Space.

  • Deprovisioning Rule. The deprovisioning rule is used during outbound synchronization to determine how to process the connector space object when the link is removed between the metaverse object and the connector space object. When a deprovisioning rule is configured in Identity Manager to use a rules extension, the synchronization process calls the IMASynchronization.Deprovision method in a management agent rules extension to evaluate the connector space object when the metaverse object is deleted and the link to the metaverse object is removed.

    For examples that demonstrate an implementation of this method in a rules extension, see Deprovisioning Objects in the Connector Space.

  • Export Attribute Flow Rule. The export attribute flow rule is used during outbound synchronization to flow attribute values from the metaverse object to a connector space object. When an export attribute flow rule is configured in Identity Manager to use a rules extension, the synchronization process calls the IMASynchronization.MapAttributesForExport method in a management agent rules extension to flow one or more attributes from a metaverse object to the connector space object. For example, you can use this method to enable or disable a user account in an Active Directory data source.

    For an example that demonstrates an implementation of this method in a rules extension, see Example: Enabling Or Disabling a User Account in Active Directory.
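The following management agent rules extension is an added example, not code from this documentation or from the product; it implements the inbound rules described above (connector filter, projection, import attribute flow) and the deprovisioning rule, with every decision driven by the object's state. The attribute names employeeStatus, firstname, lastname and fullname, the flow rule name "fullname" and the metaverse object type "person" are assumptions for the example.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Management agent rules extension. Attribute names, the flow rule name "fullname" and the
// "person" object type are assumptions for this example, not names defined by the product.
public class HrMaExtension : IMASynchronization
{
    const string StatusAttr = "employeeStatus";
    public void Initialize() { }
    public void Terminate() { }

    // Connector filter rule: decide from the object's current state, not from the event that
    // changed it. Returning true filters the object (it stays a disconnector).
    public bool FilterForDisconnection(CSEntry csentry)
    {
        if (!csentry[StatusAttr].IsPresent) return true;   // unknown state: do not process
        return !csentry[StatusAttr].Value.Equals("active", StringComparison.OrdinalIgnoreCase);
    }
    // Projection rule: any object that passed the filter becomes a metaverse "person".
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        MVObjectType = "person";
        return true;
    }
    // Import attribute flow rule: combine firstname and lastname into fullname.
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case "fullname":
                if (csentry["firstname"].IsPresent && csentry["lastname"].IsPresent)
                    mventry["fullname"].Value = csentry["firstname"].Value + " " + csentry["lastname"].Value;
                else
                    mventry["fullname"].Delete();   // never leave a partial or stale name in the metaverse
                break;
            default:
                throw new EntryPointNotImplementedException();   // flow rule not handled by this extension
        }
    }
    // Deprovisioning rule: when the metaverse link is removed, disconnect rather than delete, so
    // the synchronization engine never removes the record from the connected data source.
    public DeprovisionAction Deprovision(CSEntry csentry) { return DeprovisionAction.Disconnect; }
    // Join and export attribute flow rules are configured declaratively in this example.
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
        out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
}
```

The filter rule runs on every synchronization, so an object whose employeeStatus changes from active to inactive is disconnected on the next run and its metaverse object is then evaluated by the object deletion rule.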
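As a second added example (again not code from this documentation or from the product), the metaverse rules extension below implements the two rules that only a metaverse rules extension can supply: the object deletion rule and the provisioning rule. The management agent name "Fabrikam AD MA", the target OU, the 30-day retention period and the attribute names terminationDate, employeeStatus and accountName are assumptions for the example.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Metaverse rules extension. The management agent name, the OU, the retention period and the
// attribute names are assumptions for this example, not names defined by the product.
public class MvExtension : IMVSynchronization
{
    const string TargetMa = "Fabrikam AD MA";
    static readonly TimeSpan Retention = TimeSpan.FromDays(30);
    public void Initialize() { }
    public void Terminate() { }

    // Object deletion rule: called when the last connector is disconnected. Keep the metaverse
    // object for 30 days after the recorded termination date so outbound deprovisioning in the
    // other data sources can finish; only then let the engine delete it.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        if (!mventry["terminationDate"].IsPresent) return false;   // not terminated: keep
        DateTime terminated;
        if (!DateTime.TryParse(mventry["terminationDate"].Value, out terminated)) return false;
        return DateTime.UtcNow - terminated.ToUniversalTime() >= Retention;
    }

    // Provisioning rule: derive the desired outcome from the object's state alone. An active
    // person gets exactly one connector in the target MA; an inactive one loses its connectors,
    // which hands each of them to that MA's deprovisioning rule.
    public void Provision(MVEntry mventry)
    {
        ConnectedMA ma = mventry.ConnectedMAs[TargetMa];
        bool active = mventry["employeeStatus"].IsPresent &&
                      mventry["employeeStatus"].Value.Equals("active", StringComparison.OrdinalIgnoreCase);
        if (!active)
        {
            if (ma.Connectors.Count > 0) ma.Connectors.DeprovisionAll();
            return;
        }
        if (ma.Connectors.Count > 0 || !mventry["accountName"].IsPresent) return;  // done, or not ready
        CSEntry csentry = ma.Connectors.StartNewConnector("user");
        csentry.DN = ma.EscapeDNComponent("CN=" + mventry["accountName"].Value)
                       .Concat("OU=Users,DC=fabrikam,DC=com");
        csentry["sAMAccountName"].Value = mventry["accountName"].Value;
        csentry.CommitNewConnector();
    }
}
```

Because Provision is called on every change to the metaverse object, it is written to be idempotent: it checks the existing connector count before creating anything, so call order never matters.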

See Also

Synchronization Rules Mapped to Rules Extension Methods


Build date: 2/16/2009