While you can configure most rules by using Identity Manager,
Microsoft Identity Integration Server 2003 administrators can
customize the way that management agents and the metaverse work by
creating rules extensions. You create rules extensions by using a
programming language such as Microsoft Visual Basic .NET or
C#. Rules extensions are implemented as a Microsoft .NET
Framework class library or as a dynamic-link library (DLL), and
they are stored in the Extensions folder of the Microsoft Identity Integration Server 2003 root directory.
The following table lists and describes the types of rules
extensions that Microsoft Identity Integration Server 2003
supports.
Rules extension type: Management agent
Description: A management agent rules extension is applied to data as it
flows from the connector space to the metaverse. Each management agent
can have only one rules extension. Management agent rules are:
    Connector filter rules
    Join rules
    Projection rules
    Attribute flow rules
    Deprovisioning rules

Rules extension type: Metaverse
Description: A metaverse rules extension is applied to data as it flows
from the metaverse to the connector space. The metaverse can have only
one rules extension. Metaverse rules are:
    Provisioning rules
    Object deletion rules
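As an added illustration, not code from the Microsoft Identity Integration Server 2003 documentation or product, the following C# class shows where each management agent rule in the table above is implemented in a rules extension through the IMASynchronization interface; the attribute names (employeeStatus, employeeID, sn, givenName, displayName), the flow rule names and the "Terminated" status value are assumptions.

```csharp
// Added example: a management agent rules extension for MIIS 2003, built as a
// .NET class library and placed in the Extensions folder. Attribute names and
// the "Terminated" status value are assumptions, not part of the product.
using Microsoft.MetadirectoryServices;

public class HrMaExtension : IMASynchronization
{
    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }
    // Connector filter rule: records of terminated staff are kept out of the metaverse.
    bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
    {
        return csentry["employeeStatus"].IsPresent
            && csentry["employeeStatus"].Value == "Terminated";
    }
    // Join rule: supply the value that is searched for in the metaverse.
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry,
        ref ValueCollection values)
    {
        if (FlowRuleName == "employeeID" && csentry["employeeID"].IsPresent)
            values.Add(csentry["employeeID"].Value);
    }
    // Several candidates matched: joining blindly could attach the HR record to the
    // wrong person, so refuse the join and leave the object for an administrator.
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry,
        MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    { imventry = -1; return false; }
    // Projection rule: objects that neither filter nor join become new person objects.
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { MVObjectType = "person"; return true; }
    // Import attribute flow rule: calculate one target value from two source attributes.
    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry,
        MVEntry mventry)
    {
        if (FlowRuleName != "displayName") return;
        if (csentry["sn"].IsPresent && csentry["givenName"].IsPresent)
            mventry["displayName"].Value = csentry["sn"].Value + ", " + csentry["givenName"].Value;
        else
            mventry["displayName"].Delete();   // incomplete source: clear any stale value
    }
    // No export flow rule is handled by this extension.
    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry,
        CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    // Deprovisioning rule: keep the object as a disconnector so it can be relinked later.
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
    { return DeprovisionAction.Disconnect; }
}
```

The compiled DLL is referenced from the management agent's Configure Extensions page in Identity Manager, and the rule names used in Identity Manager must match the FlowRuleName strings the code tests for.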
Some of the common tasks that you can perform using a rules extension
are:

    Transforming data while flowing attributes—Data transformation is
    one of the most common tasks that rules extensions are used for.
    Data transformation occurs during attribute flow by calculating a
    target attribute value (or attribute values, in the case of a
    multi-value attribute). Typically, the source of this calculation
    is based on source attributes that are imported into Microsoft
    Identity Integration Server 2003, or it is based on information
    from external data sources.

    Finding join candidates—Data transformation can also be used to
    find join candidates. This is a special case of calculating a
    value, or values, that is later used in the join process to find
    matches in the metaverse.

    Creating new accounts—Along with synchronization and data
    transformation, the most common task that Microsoft Identity
    Integration Server 2003 is used for is the creation of new
    objects, such as user accounts or mail contacts, in single or
    multiple connected data sources. This is known as provisioning.

    Checking for attribute values—Sometimes it is necessary to check
    for attribute values before making the decision of how, or if, an
    object is processed by Microsoft Identity Integration Server 2003.
    Attribute values can be checked for objects in the connector space
    or in the metaverse.

    Creating unique attribute values—Microsoft Identity Integration
    Server 2003 can be used to ensure uniqueness for specific
    attribute values (for example, for an e-mail alias or a logon
    account name). After attribute values are flowed into the
    metaverse, a search is made of existing attribute values, and a
    comparison is made for uniqueness.

    Creating a unique naming attribute—Every connected data source
    has a naming attribute for its entries or objects. For example, in
    a Lightweight Directory Access Protocol (LDAP) directory this
    would be the distinguished name (also known as DN). Typically,
    these naming attributes are constructed based on information that
    is flowed into the metaverse. A rules extension can calculate and
    apply a naming attribute based on this information, and it can
    guarantee uniqueness of the naming attribute by determining if an
    object with that name already exists. In this case, the rules
    extension can recalculate the naming attribute and retry the
    operation.

    Deprovisioning accounts—Deprovisioning is the process of managing
    connector space objects after they have been disconnected from a
    metaverse object under certain circumstances. In some cases you
    might want to remove the connector space object permanently. In
    other cases you might want to keep the connector space object in a
    disconnected state and have it available to link to a metaverse
    object at a later time.

    Moving objects—A common task in administering directories is to
    move objects within a hierarchy. Moving an object is accomplished
    by creating a new naming attribute and assigning this attribute to
    the object.

    Setting initial passwords—During the creation of a new account, it
    is often necessary to assign an initial password. A rules
    extension can be written to immediately assign an initial password
    when a new account is created.

    Enabling or disabling accounts—Accounts on different connected
    data sources can be enabled or disabled by setting specific
    attribute values for the user account. One example is Active
    Directory, where the userAccountControl attribute determines the
    state of a user account. A rules extension can modify this
    attribute at any place during the attribute flow.
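The provisioning, unique naming attribute, and enabling or disabling tasks described above, as an added C# metaverse rules extension that is not part of the Microsoft Identity Integration Server 2003 documentation or product; the management agent names ("Active Directory MA", "HR MA"), the container DN, the attribute names and the "Active" status value are assumptions. The retry on ObjectAlreadyExistsException is the recalculate-and-retry step the naming attribute item describes.

```csharp
// Added example: a metaverse rules extension for MIIS 2003. The management agent
// names, container DN, attribute names and the "Active" status value are assumptions.
using Microsoft.MetadirectoryServices;

public class ProvisioningExtension : IMVSynchronization
{
    const string AdMaName = "Active Directory MA";        // assumed MA display name
    const string StaffOu  = "OU=Staff,DC=example,DC=com"; // assumed target container
    const long ADS_UF_ACCOUNTDISABLE = 0x0002;
    const long ADS_UF_NORMAL_ACCOUNT = 0x0200;
    void IMVSynchronization.Initialize() { }
    void IMVSynchronization.Terminate() { }
    // Provisioning rule: called each time a metaverse object changes.
    void IMVSynchronization.Provision(MVEntry mventry)
    {
        ConnectedMA ma = mventry.ConnectedMAs[AdMaName];
        if (!mventry["displayName"].IsPresent) return;    // nothing to build a name from
        string cn = mventry["displayName"].Value;
        bool active = mventry["employeeStatus"].IsPresent
                   && mventry["employeeStatus"].Value == "Active";
        if (ma.Connectors.Count == 0)
        {
            // Unique naming attribute: if the DN is taken, append a counter and retry.
            for (int attempt = 0; attempt < 100; attempt++)
            {
                string candidate = attempt == 0 ? cn : cn + " " + attempt;
                CSEntry csentry = ma.Connectors.StartNewConnector("user");
                csentry.DN = ma.EscapeDNComponent("CN=" + candidate).Concat(StaffOu);
                // Enabling or disabling: new accounts start disabled unless HR says active.
                csentry["userAccountControl"].IntegerValue =
                    ADS_UF_NORMAL_ACCOUNT | (active ? 0 : ADS_UF_ACCOUNTDISABLE);
                try { csentry.CommitNewConnector(); return; }
                catch (ObjectAlreadyExistsException) { /* name in use, recalculate */ }
            }
            return;
        }
        // Existing connector: keep the enabled/disabled state in step with HR.
        CSEntry existing = ma.Connectors.ByIndex[0];
        long uac = existing["userAccountControl"].IsPresent
                 ? existing["userAccountControl"].IntegerValue : ADS_UF_NORMAL_ACCOUNT;
        existing["userAccountControl"].IntegerValue =
            active ? uac & ~ADS_UF_ACCOUNTDISABLE : uac | ADS_UF_ACCOUNTDISABLE;
    }
    // Object deletion rule: the metaverse object goes when its HR record is gone.
    bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return csentry.MA.Name == "HR MA";   // assumed authoritative source MA name
    }
}
```

Provisioning runs only when it is enabled under Metaverse Rules Extension in Identity Manager, and the new connector is not written to Active Directory until the next export run of that management agent.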
Password extensions
For file-based, database, and extensible connectivity management
agents, which do not support password change and set operations by
default, you can create a .NET password extension dynamic-link
library (DLL), which is called whenever a password change or set
call is invoked for any of these management agents. Password
extension settings are configured for these management agents in
Identity Manager.
Password management is supported by default in the management agents
for:
    Active Directory
    Active Directory Application Mode (ADAM)
    Lotus Notes
    Novell eDirectory
    Windows NT 4.0
    Sun and Netscape directory servers

By using a password extension, password management is also supported in
the management agents for:
    Attribute-value pair text files
    Delimited text files
    Directory Services Markup Language (DSML)
    Extensible Connectivity
    Fixed-width text files
    IBM DB2 Universal Database
    IBM Directory Server
    LDAP Data Interchange Format (LDIF)
    Microsoft SQL Server
    Oracle Database