To understand when a rules extension is called, you must understand how Forefront Identity Manager Synchronization Service (FIM Synchronization Service) processes identity information. FIM Synchronization Service processes identity information by creating an integrated view of the information in the connected data sources. This integrated view is generally referred to as the metaverse. Data from this integrated view is then distributed so that the objects in each connected data source reflect the parts of the integrated view that apply to them.

Synchronization Process

Creating and distributing identity information in FIM Synchronization Service is known as the synchronization process. The synchronization process consists of the following steps:

  1. Inbound synchronization creates and updates the integrated view of the identity information from the connected data sources. Inbound synchronization begins in the connector space and ends in the metaverse.

  2. Outbound synchronization distributes the integrated view of the identity information to all the connected data sources. Outbound synchronization begins in the metaverse and ends in the connector space.

The synchronization process is started from a full or delta synchronization step in a run profile. The process begins with inbound synchronization to determine whether identity data must be processed from the connector space to the metaverse, and how it will be processed. In inbound synchronization, the synchronization process uses the synchronization rules to perform the following tasks between the connector space and metaverse:

  • Create or delete connector space and metaverse objects.

  • Process connector space and metaverse objects as a result of adding or removing links between objects.

  • Flow identity information from the connector space to the metaverse.

Only after inbound synchronization is completed can the outbound synchronization step begin. Outbound synchronization distributes the integrated view from the metaverse to the connector space. This view may be exported to the connected data source. Because an object in a connector space represents the identity information in a connected data source, this object contains only the attributes from that connected data source. FIM Synchronization Service distributes only the values for the object attributes in that connector space partition.

In outbound synchronization, the synchronization process uses the synchronization rules to perform the following tasks between the metaverse and connector space:

  • Create a new connector space object as a result of a change in the metaverse object.

  • Link a metaverse object to an existing connector space object.

  • Process connector space objects as a result of removing the link between the metaverse and connector space objects.

  • Flow identity information from the metaverse to the connector space.

Synchronization Rules

Synchronization rules control the synchronization process. The synchronization rules are defined through declarative rules and the rules in a rules extension. The synchronization engine of FIM Synchronization Service uses the synchronization rules as part of the synchronization process to create and distribute the integrated view.

Note:
FIM Synchronization Service uses the synchronization rules according to the state of the connector space or metaverse object instead of using them in a predetermined order. Configure your rules based on the state of the object instead of calling the rules in a predetermined order.

The following diagram shows how the different synchronization rules are applied to the connector space and metaverse.

  • Object Deletion Rule. The object deletion rule is used during inbound synchronization to determine how to process a metaverse object when the link is removed between the connector space object and the metaverse object. When you configure an object deletion rule in Synchronization Service Manager to use a rules extension, the synchronization process calls the ShouldDeleteFromMV method in a metaverse rules extension to determine when to delete a metaverse object. For example, you can set a rule to delete a metaverse object if an employee has been terminated after a specified length of time.

  • Connector Filter Rule. The connector filter rule is used during inbound synchronization to determine whether a connector space object will be further processed. When you configure a connector filter rule in Synchronization Service Manager to use a rules extension, the synchronization process calls the FilterForDisconnection method that is implemented in a management agent rules extension. You can use this method to create sophisticated filters to determine whether attribute values of a connector space object will be further processed. For example, you can create a filter that allows only connector space objects that have an employee status attribute of active to be processed. Any connector space object that does not have an active value for the employee status is not processed.

    Note:
    This rule is always used in the synchronization process.

  • Join Rule. The join rule is used during inbound synchronization to search for an existing metaverse object that can be linked to a connector space object. When you configure a join filter in Synchronization Service Manager to use a rules extension, the synchronization process calls the MapAttributesForJoin method that is implemented in a management agent rules extension to generate a list of attribute values that is used to search for an existing metaverse object. If one or more metaverse objects are found, the ResolveJoinSearch method is called to determine which metaverse object will be joined to the disconnector object.

  • Projection Rule. The projection rule is used during inbound synchronization to create a metaverse object and link this object to the connector space object. When you configure a projection filter rule in Synchronization Service Manager to use a rules extension, the synchronization process calls the ShouldProjectToMV method that is implemented in a management agent rules extension to create a new metaverse object.

    Note:
    This is the only synchronization rule that creates a metaverse object.

  • Import Attribute Flow Rule. The import attribute flow rule is used during inbound synchronization to flow identity information from the connector space object to the metaverse object. When you configure an import attribute flow rule in Synchronization Service Manager to use a rules extension, the synchronization process calls the MapAttributesForImport method in a management agent rules extension to flow one or more attribute values from a connector space object to the metaverse object. For example, the name of an employee is defined by two separate attributes in the connector space: the firstname and lastname attributes. However, the metaverse object has a fullname attribute, which contains all the names of the employee. In this method, you can combine the firstname and lastname attributes into a single value for the fullname attribute.

    Avoid designing flow rules that rely on declarative rules or rules in a rules extension to be evaluated in a specified order when you are synchronizing an object. Rules are evaluated in an unordered manner. Use the state of an object to determine the next step in synchronizing the object instead of the event that caused the object state. The Value property of a specified attribute determines the state of an object. For example, an employee can have an active or inactive state based on the employeeStatus attribute. You can determine the state of that employee by viewing the Value property of the employeeStatus attribute. An employee who has an active state has an employeeStatus of active, and an inactive employee has an employeeStatus of inactive. For more information about object state, see Provisioning Objects in the Connector Space.

    For an example that demonstrates how to implement the MapAttributesForImport method in a rules extension, see How to: Create Unique Naming Attributes in the Metaverse.

  • Provisioning Rule. The provisioning rule is used during outbound synchronization to create new connector space objects, or to connect or disconnect connector space objects as a result of a change to a metaverse object. When a change occurs in a metaverse object, the synchronization process calls the Provision method in a metaverse rules extension. Use this rule to create new connector space objects and attribute values to be exported to other connected data sources.

    Note:
    This is the only rule that you cannot configure in Synchronization Service Manager. You must use a metaverse rules extension for the provisioning rule.
    To view examples that demonstrate how to implement this method in a rules extension, see Provisioning Objects in the Connector Space.

  • Deprovisioning Rule. The deprovisioning rule is used during outbound synchronization to determine how to process the connector space object when the link is removed between the metaverse object and the connector space object. When you configure a deprovisioning rule in Synchronization Service Manager to use a rules extension, the synchronization process calls the Deprovision method in a management agent rules extension to evaluate the connector space object when the metaverse object is deleted and the link to the metaverse object is removed. To view examples that demonstrate how to implement this method in a rules extension, see Deprovisioning Objects in the Connector Space.

  • Export Attribute Flow Rule. The export attribute flow rule is used during outbound synchronization to flow attribute values from the metaverse object to a connector space object. When you configure an export attribute flow rule in Synchronization Service Manager to use a rules extension, the synchronization process calls the MapAttributesForExport method in a management agent rules extension to flow one or more attributes from a metaverse object to the connector space object. For example, you can use this method to enable or disable a user account in an Active Directory Domain Services (AD DS) data source. To view an example that demonstrates how to implement this method in a rules extension, see How to: Enable or Disable User Accounts in Active Directory Domain Services.
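As an added example (not code from this page or from the FIM product), the following management agent rules extension implements the connector filter rule, the projection rule and the import attribute flow rule described above, deciding from the object's current attribute values rather than from the event that changed them. The attribute names employeeStatus, firstname, lastname and fullname, the flow rule name "fullname" and the metaverse object type "person" are assumptions for illustration.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example of a management agent rules extension; attribute names, the
// flow rule name "fullname" and the object type "person" are assumptions.
public class MAExtensionObject : IMASynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    // Connector filter rule: true = keep the object as a filtered disconnector
    // (not processed). The decision reads the object's state, not an event.
    public bool FilterForDisconnection(CSEntry csentry)
    {
        if (!csentry["employeeStatus"].IsPresent)
            return true;                          // unknown state: do not process
        return !string.Equals(csentry["employeeStatus"].Value, "active",
                              StringComparison.OrdinalIgnoreCase);
    }

    // Projection rule: every object that passed the filter becomes a "person".
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        MVObjectType = "person";
        return true;
    }

    // Import attribute flow rule: combine firstname and lastname into fullname.
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        if (FlowRuleName != "fullname")
            throw new EntryPointNotImplementedException();   // unexpected flow rule name
        string first = csentry["firstname"].IsPresent ? csentry["firstname"].Value : "";
        string last  = csentry["lastname"].IsPresent  ? csentry["lastname"].Value  : "";
        string full  = (first + " " + last).Trim();
        if (full.Length > 0)
            mventry["fullname"].Value = full;     // flow the combined value
        else
            mventry["fullname"].Delete();         // no source names: clear the target
    }

    // Rules this extension does not implement; the standard idiom is to throw so
    // the engine reports a misconfiguration instead of silently doing nothing.
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
}
```

Because the engine calls these methods according to object state rather than in a fixed order, FilterForDisconnection and MapAttributesForImport each read the attribute they need directly instead of assuming an earlier rule has already run.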
