Provisioning is the process of creating, connecting, and
disconnecting objects in a connector space, based on changes to
objects in the metaverse. Provisioning performs object-level
actions, such as:
- Creating a new connector space object and setting initial
  attribute values for the object.
- Disconnecting connector space objects from the metaverse.
- Renaming and moving existing connector space objects (that is,
  changing the distinguished name attribute).
Important
Export attribute flow rules are always called after
provisioning rules have been run. Be aware that export attribute
flow rules could modify attributes that were set by the
provisioning rules. For this reason, any "one-time" operations,
such as setting an initial password, should be done in the
provisioning rules, not the export attribute flow rules.
To implement provisioning, you create and enable a rules
extension. When you enable provisioning rules, they affect all
objects in the metaverse. Provisioning rules are called whenever a
metaverse object is modified by the following methods:
- An attribute has been added, modified, or deleted by import
  attribute flow rules.
- A connector space object has been joined to a metaverse
  object.
- A connector space object has been projected to the
  metaverse.
- A connector space object has been connected using Joiner.
- A connector space object has been disconnected from a metaverse
  object and the metaverse object has not been deleted.
- A management agent is run with a step type Full Import and
  Full Synchronization or step type Full Synchronization.
The rules extension for provisioning rules can take advantage of
the transactional capabilities of Microsoft Identity Integration Server 2003. In a case in which a connector space object is
provisioned to multiple connected data sources and one of the
provisioning rules fails, the complete synchronization operation
will be rolled back by default. However, whenever a provisioning
rule fails, it will report a rules exception to Microsoft Identity Integration Server 2003. You can write a rules extension to
identify exceptions and handle them on a management agent basis by
doing the following:
- Calling a routine to handle the exception, and then proceeding
  with the synchronization. In this case the synchronization will
  succeed.
- Calling a routine to analyze the exception and determine its
  severity. If the exception is too serious to continue, return it to
  Microsoft Identity Integration Server 2003. In this case the
  entire provisioning transaction will be rolled back.
- Letting the exception go directly to Microsoft Identity
  Integration Server 2003. In this case the entire provisioning
  transaction will be rolled back.
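
The two points above (one-time operations such as the initial password belong in the provisioning rules, and exceptions can be handled per management agent) can be combined in one rules extension. The following is an added example, not code from the original page; the management agent name, the container DN and the choice to tolerate only ObjectAlreadyExistsException are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

// Added example. "Example AD MA" and the container DN are hypothetical.
public class MVExtensionObject : IMVSynchronization
{
    const string AdMa = "Example AD MA";
    const string Container = "OU=Users,DC=example,DC=com"; // must already exist

    public void Initialize() { }
    public void Terminate() { }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }

    public void Provision(MVEntry mventry)
    {
        if (!mventry["cn"].IsPresent) return; // no value to build a DN from yet
        try { ProvisionAd(mventry); }
        catch (ObjectAlreadyExistsException)
        {
            // Handled for this management agent: synchronization proceeds.
        }
        // Any other exception reaches the server and the whole
        // provisioning transaction is rolled back.
    }

    void ProvisionAd(MVEntry mventry)
    {
        ConnectedMA ma = mventry.ConnectedMAs[AdMa];
        ReferenceValue dn = ma.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat(Container);
        if (ma.Connectors.Count == 0)
        {
            CSEntry csentry = ma.Connectors.StartNewConnector("user");
            csentry.DN = dn;
            // One-time operation: set only when the connector is created, so
            // later synchronization runs never reset the password.
            csentry["unicodePwd"].Values.Add(NewInitialPassword());
            csentry.CommitNewConnector();
        }
        else if (ma.Connectors.Count == 1) ma.Connectors.ByIndex[0].DN = dn; // rename or move
        else throw new UnexpectedDataException("Multiple connectors in " + AdMa);
    }

    // Random per-object initial password instead of a shared constant.
    static string NewInitialPassword()
    {
        byte[] buf = new byte[24];
        new RNGCryptoServiceProvider().GetBytes(buf);
        return Convert.ToBase64String(buf);
    }
}
```
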
The following flow chart shows the sequence in which
provisioning rules are applied.
If you synchronize the metaverse with a connected data source
that uses a hierarchical structure, it is important to note that
Microsoft Identity Integration Server 2003 will synchronize
attributes between containers, but it will not create the
containers. That is, if you are provisioning a child object,
Microsoft Identity Integration Server 2003 does not create the
parent automatically. Import the Active Directory container
hierarchy before provisioning objects to the connector space. You
can do this by creating a management agent for Active Directory
that does not contain any join or projection rules, and then running
it in import mode. This creates disconnector objects in the Active
Directory connector space for each of the selected containers.