While you can configure most rules by using Synchronization Service Manager, Microsoft® Forefront Identity Manager (FIM) 2010 administrators can customize the way that management agents and the metaverse work by creating rules extensions. You create rules extensions by using a programming language such as Microsoft Visual Basic .NET or C#. Rules extensions are implemented as a Microsoft .NET Framework class library or as a dynamic-link library (DLL), and they are stored in the Extensions folder of the FIM root directory.
When you create a rules extension project using Synchronization Service Manager in FIM, the project will now be created in Visual Studio 2008. If you use Visual Studio 2008 with rules extensions that were created using Visual Studio .NET 2003, the extensions will be converted to a Visual Studio 2008 project and will be converted to Microsoft .NET Framework 2.0. You will be able to run all existing rules extensions (whether they have been compiled with Microsoft .NET Framework 1.1 or Microsoft .NET Framework 2.0) on FIM without having to recompile your projects. Note, however, that all new development and debugging work done on FIM rules extensions will require the use of Visual Studio .NET Professional 2008, Visual Basic® 2008 (or Express Edition), Visual C#® 2008 (or Express Edition), and can no longer be done with Visual Studio .NET Professional 2003. For more information about upgrading Visual Studio .NET Professional 2003 projects to Visual Studio .NET Professional 2008, see this MSDN article. (http://go.microsoft.com/fwlink/?LinkID=77551)
The following table lists and describes the types of rules extensions that FIM supports.
|Rules extension type||Description|
A management agent rules extension is applied to data as it flows from the connector space to the metaverse. Each management agent can have only one rules extension. Management agent rules are:
A metaverse rules extension is applied to data as it flows from the metaverse to the connector space. The metaverse can have only one rules extension. Metaverse rules are:
Some of the common tasks that you can perform using a rules extension are:
- Transforming data
- Flowing attribute—Data transformation
is one of the most common tasks that rules extensions are used for.
Data transformation occurs during attribute flow by calculating a
target attribute value (or attribute values, in the case of a
multi-value attribute). Typically, the source of this calculation
is based on source attributes that are imported into FIM, or it is
based on information from external data sources.
- Finding Join candidates—Data
transformation can also be used to find join candidates. This is a
special case of calculating a value, or values, that is later used
in the join process to find matches in the metaverse.
- Flowing attribute—Data transformation is one of the most common tasks that rules extensions are used for. Data transformation occurs during attribute flow by calculating a target attribute value (or attribute values, in the case of a multi-value attribute). Typically, the source of this calculation is based on source attributes that are imported into FIM, or it is based on information from external data sources.
- Creating new accounts—Along with
synchronization and data transformation, the most common task that
FIM is used for is the creation of new objects, such as user
accounts or mail contacts, in single or multiple connected data
sources. This is known as provisioning.
- Checking for attribute
values—Sometimes it is necessary to check for attribute values
before making the decision of how, or if, an object is processed by
FIM. Attribute values can be checked for objects in the connector
space or in the metaverse.
- Creating unique attribute values—FIM
can be used to ensure uniqueness for specific attribute values (for
example, for an e-mail alias or a logon account name). After
attribute values are flowed into the metaverse, a search is made of
existing attribute values, and a comparison is made for
- Creating a unique naming
attribute—Every connected data source has a naming attribute
for its entries or objects. For example, in a Lightweight Directory
Access Protocol (LDAP) directory this would be the distinguished
name (also known as DN). Typically, these naming attributes are
constructed based on information that is flowed into the metaverse.
A rules extension can calculate and apply a naming attribute based
on this information, and it can guarantee uniqueness of the naming
attribute by determining if an object with that name already
exists. In this case, the rules extension can recalculate the
naming attribute and retry the operation.
- Deprovisioning accounts—Deprovisioning
is the process of managing connector space objects after they have
been disconnected from a metaverse object under certain
circumstances. In some cases you might want to remove the connector
space object permanently. In other cases you might want to keep the
connector space object in a disconnected state and have it
available to link to a metaverse object at a later time.
- Moving objects—A common task in
administrating directories is to move objects within a hierarchy.
Moving an object is accomplished by creating a new naming attribute
and assigning this attribute to the object.
- Setting initial passwords—During the
creation of a new account, it is often necessary to assign an
initial password. A rules extension can be written to immediately
assign an initial password when a new account is created.
- Enabling or disabling
accounts—Accounts on different connected data sources can be
enabled or disabled by setting specific attribute values for the
user account. One example is Active Directory where the
userAccountControl attribute determines the state of a user
account. A rules extension can modify this attribute at any place
during the attribute flow
For file-based, database, and extensible connectivity management agents, which do not support password change and set operations by default, you can create a .NET password extension dynamic-link library (DLL), which is called whenever a password change or set call is invoked for any of these management agents. Password extension settings are configured for these management agents in Synchronization Service Manager.
|Password management is supported by default in the management agents for:||By using a password extension, password management is also supported in the management agents for:|
For more information about creating and using rules extensions and password extensions, see the FIM Developer Reference.