Calculating the domain and populating user attributes across multiple MIM implementations.

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on MSDN on May 09, 2018

OVERVIEW:

Enterprise environments often contain multiple independent MIM installations that serve as development, staging, and production environments. Ideally, code is written and tested in the development environment, promoted to staging for validation, and then promoted to production without any environment-specific modification.

I often run across synchronization or attribute flow rules that contain the domain name hard coded in the rule's logic. Below is one method for replacing these hard-coded domain names by dynamically populating user attributes with the domain associated with the environment the workflow is executing in (i.e. development, staging, or production).

A single workflow can then be migrated from development to staging to production without modification.

 

SOFTWARE REQUIREMENTS:

This solution uses the Microsoft Identity Manager (MIM) Portal and the Update Resource activity from the MIM Workflow Activity Library (MIMWAL). To install MIMWAL, please refer to the following document(s).

 

EXAMPLE ASSUMPTIONS:

Each environment (development, staging, and production) has a distinctly different domain name. In this example the domains are as follows:

Development: TestContoso.com

Staging: StageContoso.com

Production: Contoso.com

 

USER ATTRIBUTES:

Our example will calculate the domain and populate the following attributes of the user:

Domain (ex. mydomain; the lowercased short domain name, without the DNS suffix)

userPrincipalName (ex. user.name@mydomain.com)

mail (ex. user.name@mydomain.com)

 

CREATE THE WORKFLOW:

The following example workflow calculates the domain regardless of the environment (test, staging, or production), eliminating the need for modification during code promotion.

Launch the MIM Portal with administrative rights.

Select Workflows.

Select New.

Enter the workflow name (ex. Set Attributes Containing Domain Names).

Select Action as the Workflow Type.

Select Next.

 

CREATE WORKFLOW ACTIVITY #1:

Select Add Activity.

Select WAL: Update Resource as the Activity.

Press the Select button.

In the Activity Display Name enter "Query Domain Name".

Place a checkmark in the Advanced Features checkbox.

Place a checkmark in the Query Resources checkbox.

In the Queries section enter Domain as the Key.

In the Queries section enter //DomainConfiguration as the XPath Filter.

Next, assign the value returned from the query to a workflow data variable called Domain.

In the Updates section, enter [//Queries/Domain/DisplayName] as the Value Expression.

In the Updates section, enter [//WorkflowData/Domain] as the Target.

Select Save to save the first activity of the workflow.

Note: Attribute names, variables, Key, XPath Filter, Value Expression, and Target values are case sensitive.

Note: The XPath filter returns every DomainConfiguration resource in the MIM Service, so the expression is only unambiguous when each environment contains exactly one DomainConfiguration resource. Verify that in each environment before promoting the workflow.

 

CREATE WORKFLOW ACTIVITY #2:

Select Add Activity.

Select WAL: Update Resource as the Activity.

Press the Select button.

Enter the Activity Display Name (ex. Update User Attributes).

Next, read the WorkflowData/Domain value into an activity variable.

Under Updates, enter [//WorkflowData/Domain] as the Value Expression.

Under Updates, enter $Domain as the Target.

Select Add to add another row to the Updates section.

Continue to add rows and enter the following additional Value Expressions and Targets:

Description | Value Expression | Target
--- | --- | ---
Set the lowercase of the user's accountName to the Account variable. | LowerCase([//Target/accountName]) | $Account
Set the Domain variable to lowercase. | LowerCase($Domain) | $Domain
Set the Email variable by concatenating values. | Concatenate($Account,"@",$Domain,".com") | $Email
Set the UPN variable by concatenating values. | Concatenate($Account,"@",$Domain,".com") | $UPN
Set the Domain attribute in the user record to the value of the Domain variable. | $Domain | [//Target/Domain]
Set the mail attribute in the user record to the value of the Email variable. | $Email | [//Target/mail]
Set the userPrincipalName attribute in the user record to the value of the UPN variable. | $UPN | [//Target/userPrincipalName]

Note: The quotes in the Concatenate expressions must be straight double quotes ("), not the typographic quotes a word processor inserts. The ".com" literal is the one piece of environment-specific data left in the expressions; it only works because all three example domains share that DNS suffix.

NOTE: All MIMWAL functions, including the LowerCase and Concatenate functions used in this example, are documented at the following location:

https://github.com/Microsoft/MIMWAL/wiki/Functions

Once completed, the second activity of the workflow will appear as follows:

Select the Save button to save the second activity.

Select OK and Submit to save the workflow.

 

CREATE A SET:

Next, create a set of user objects that do not have a value for one or more of the attributes to be populated (Domain, mail, or userPrincipalName).

Select Sets, New.

In the Display Name enter a name for the set (ex. ~Users requiring Domain mail or userPrincipalName values).

Select Next.

Check Enable criteria-based membership in current set.

Change all resources to user.

Change all to any.

Select Add Statement.

Select Click to Select Attribute and choose the Domain attribute.

Select is, then from the drop-down menu select not starts with.

Select click to select value and enter %.

Note: % is a wildcard matching any value, so "not starts with %" matches only resources where the attribute is empty.

Repeat the above steps for the Mail and User Principal Name attributes. This should result in the following:

Select the View Members button to test the set.

Select Finish, Submit to save the set.
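The following pre-check is an added example in PowerShell; it is not part of the original post and is not MIMWAL code. It reproduces the two Update Resource activities built above (the //DomainConfiguration query, and the LowerCase/Concatenate rows) together with the set's membership criteria, so the values the MPR will write can be reviewed in each environment before the policy is enabled, and so users whose existing mail or userPrincipalName would be overwritten are visible in advance. Everything environment-specific in it is an assumption rather than something the post states: the FIMAutomation snap-in (installed with the MIM Service and Portal), the default MIM Service URI on localhost:5725, exactly one DomainConfiguration resource per environment whose DisplayName is the short domain name, and the XPath in $setFilter as the equivalent of the three "not starts with %" statements.

```powershell
# Added example (not from the original post or MIMWAL): pre-check of what the
# workflow will write, run against the MIM Service via the FIMAutomation snap-in.
# Assumptions (not from the post): default service URI, one DomainConfiguration per
# environment whose DisplayName is the short domain name, and the XPath below for the set.
param(
    [string]$Uri       = 'http://localhost:5725/ResourceManagementService',
    [string]$DnsSuffix = '.com'   # the literal the Concatenate expressions append
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation -ErrorAction Stop
}

# Pull one attribute value out of an Export-FIMConfig result object.
function Get-MimAttributeValue {
    param($ExportObject, [string]$AttributeName)
    ($ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }).Value
}

# Activity #1 equivalent: //DomainConfiguration -> DisplayName.
function Get-EnvironmentDomain {
    $domains = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/DomainConfiguration')
    if ($domains.Count -ne 1) {
        # [//Queries/Domain/DisplayName] is only unambiguous with a single result.
        throw "Expected exactly one DomainConfiguration resource, found $($domains.Count)"
    }
    Get-MimAttributeValue -ExportObject $domains[0] -AttributeName 'DisplayName'
}

# Activity #2 equivalent: LowerCase() and Concatenate() as the Updates rows apply them.
function Get-ExpectedValues {
    param([string]$AccountName, [string]$Domain)
    $account  = $AccountName.ToLowerInvariant()
    $domainLc = $Domain.ToLowerInvariant()
    [pscustomobject]@{
        Domain            = $domainLc
        mail              = "$account@$domainLc$DnsSuffix"
        userPrincipalName = "$account@$domainLc$DnsSuffix"
    }
}

# The set's criteria as XPath: any of the three attributes empty (assumed to match
# what the portal generates for the three "not starts with %" statements).
$setFilter = "/Person[not(starts-with(Domain, '%')) or not(starts-with(mail, '%')) or not(starts-with(userPrincipalName, '%'))]"

$domain  = Get-EnvironmentDomain
$members = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $setFilter)
Write-Host "Environment domain: $domain; users the set would contain: $($members.Count)"

$report = foreach ($m in $members) {
    $accountName = Get-MimAttributeValue -ExportObject $m -AttributeName 'accountName'
    if (-not $accountName) {
        # LowerCase() of an empty accountName would yield "@<domain>.com"; surface it instead.
        Write-Warning "User '$(Get-MimAttributeValue -ExportObject $m -AttributeName 'DisplayName')' has no accountName"
        continue
    }
    $expected    = Get-ExpectedValues -AccountName $accountName -Domain $domain
    $currentMail = Get-MimAttributeValue -ExportObject $m -AttributeName 'mail'
    $currentUpn  = Get-MimAttributeValue -ExportObject $m -AttributeName 'userPrincipalName'
    [pscustomobject]@{
        accountName  = $accountName
        expectedMail = $expected.mail
        expectedUPN  = $expected.userPrincipalName
        # The Updates rows write mail and userPrincipalName unconditionally, so a user that
        # entered the set only because Domain was empty loses any differing existing value.
        overwrites   = @(
            if ($currentMail -and $currentMail -ne $expected.mail) { "mail=$currentMail" }
            if ($currentUpn  -and $currentUpn  -ne $expected.userPrincipalName) { "upn=$currentUpn" }
        ) -join ','
    }
}

$report | Format-Table -AutoSize

# The MIM Service does not enforce accountName uniqueness on its own, so two users
# in the batch can end up with the same computed userPrincipalName.
$report | Group-Object expectedUPN | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Duplicate userPrincipalName would be written: $($_.Name)" }
```

Run it once per environment with that environment's -Uri; the domain it prints should be the short name from the assumptions above, and any row with a non-empty overwrites column or a duplicate-UPN warning is worth resolving before the MPR is enabled.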

 

CREATE A MANAGEMENT POLICY RULE:

Finally, create a Management Policy Rule (MPR) that applies the workflow to the set of users.

Select Management Policy Rules, New.

In the Display Name enter the name of the MPR (ex. !~Update Users Domain Mail and userPrincipalName Values).

In the Type section select Set Transition.

Select Next.

On the Transition Definition tab, in the Transition Set section, select the stacked paper icon.

Choose the set that was created above (ex. ~Users requiring Domain mail or userPrincipalName values) by placing a checkmark in the box next to the name.

Select OK.

In the Transition Type section retain the default setting of Transition In.

Select Next.

In the same manner select the workflow created above (Set Attributes Containing Domain Names).

Select Finish and Submit to save.

Because this is a Transition In MPR, the workflow runs as a resource transitions into the set; users that were already members when the MPR was created are handled under Additional Notes below.

 

COMPLETED:

At this point, every user transitioning into the set will have the workflow executed and the Domain, mail, and userPrincipalName attributes populated from the expressions in the workflow. Note that the second activity writes all three attributes regardless of which one was empty, so a user entering the set with, say, an empty Domain but an existing mail value has that mail value replaced by the computed one.

The attribute results for each of our domains (development, staging, and production) from the assumptions made in this example:

Attribute | Development domain | Staging domain | Production domain
--- | --- | --- | ---
Domain | testcontoso | stagecontoso | contoso
mail | user.name@testcontoso.com | user.name@stagecontoso.com | user.name@contoso.com
userPrincipalName | user.name@testcontoso.com | user.name@stagecontoso.com | user.name@contoso.com

ADDITIONAL NOTES:

If the workflow is updated with additional logic, or you simply want to re-run the workflow against all current members of the set, take the following steps.

WARNING: Depending upon how many members are in the set, this could take some time to complete and could impact performance.

Open the Management Policy Rule and check Policy is Disabled.

Select Finish and Submit to save.

Open the workflow and check Run on Policy Update.

Select OK and Submit.

Open the Management Policy Rule and remove the check from Policy is Disabled.

Select Finish and Submit. This will cause the workflow to immediately start processing against all members of the set.

Run on Policy Update stays checked on the workflow afterwards, so any later change to an MPR that references it will re-run the workflow over the whole set again; clear the checkbox once the re-run has finished unless that is what you want.

Note: All create and update actions performed above are recorded as Requests in the Search Requests view of the portal. Any workflow executions against users, and their status, are also recorded in the Search Requests view.
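Reviewing the outcome of a re-run from PowerShell is an added example, not part of the original post: it exports the Requests the MIM Service created within a look-back window and groups them by status, which is the same data the Search Requests view displays, and then lists the ones that did not complete. Its assumptions are not from the post: the FIMAutomation snap-in and the default localhost:5725 service URI, and that the MIM XPath dialect's fn:current-dateTime() and op:subtract-dayTimeDuration() functions, as used in set definitions, are accepted in an Export-FIMConfig filter.

```powershell
# Added example (not from the original post): summarize the Requests a re-run created,
# the same records the portal's Search Requests view shows.
# Assumptions (not from the post): default service URI, FIMAutomation snap-in present,
# and MIM XPath dateTime functions accepted in an Export-FIMConfig filter.
param(
    [string]$Uri      = 'http://localhost:5725/ResourceManagementService',
    [string]$LookBack = 'PT1H'   # xs:dayTimeDuration; widen it for a large set
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation -ErrorAction Stop
}

# Pull one attribute value out of an Export-FIMConfig result object.
function Get-MimAttributeValue {
    param($ExportObject, [string]$AttributeName)
    ($ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }).Value
}

# Requests created within the look-back window.
$since    = "op:subtract-dayTimeDuration(fn:current-dateTime(), xs:dayTimeDuration('$LookBack'))"
$filter   = "/Request[CreatedTime >= $since]"
$requests = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $filter)

$summary = foreach ($r in $requests) {
    [pscustomobject]@{
        CreatedTime   = Get-MimAttributeValue -ExportObject $r -AttributeName 'CreatedTime'
        DisplayName   = Get-MimAttributeValue -ExportObject $r -AttributeName 'DisplayName'
        Operation     = Get-MimAttributeValue -ExportObject $r -AttributeName 'Operation'
        RequestStatus = Get-MimAttributeValue -ExportObject $r -AttributeName 'RequestStatus'
        Target        = Get-MimAttributeValue -ExportObject $r -AttributeName 'Target'
    }
}

# Status breakdown: a re-run that worked shows Completed; anything else needs a look.
$summary | Group-Object RequestStatus | Select-Object Name, Count | Format-Table -AutoSize

# Detail for every request that did not complete, newest first.
$summary | Where-Object { $_.RequestStatus -ne 'Completed' } |
    Sort-Object CreatedTime -Descending | Format-Table -AutoSize
```

Compare the Completed count with the member count of the set; a shortfall, or any request in a status other than Completed, points at a user the workflow could not update (an empty accountName is the usual cause with these expressions).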
