Microsoft Identity Integration Server 2003 Developer Reference
How Rules Extensions Are Called
To understand when a rules extension is called, you have to
understand how identity information is processed by Microsoft
Identity Integration Server 2003. Identity Integration Server
processes identity information by creating an integrated view of
the information in the connected data sources. This integrated view
is then appropriately distributed so that all objects in the
connected data sources contain this integrated view as
appropriate.
Synchronization Process
Creating and distributing identity information in Identity
Integration Server is known as the synchronization process. The
synchronization process is composed of these steps:
Inbound synchronization—creates and updates the integrated view
of the identity information from the connected data sources.
Inbound synchronization begins in the connector space and ends in
the metaverse.
Outbound synchronization—distributes the integrated view of the
identity information to all the connected data sources. Outbound
synchronization begins in the metaverse and ends in the connector
space.
The synchronization process is started from a full or delta
synchronization step in a run profile. The process begins with
inbound synchronization to determine if and how identity data needs
to be processed from the connector space to the metaverse. In
inbound synchronization, the synchronization process uses the
synchronization rules to perform the following tasks between the
connector space and metaverse:
Create or delete connector space and metaverse objects.
Process connector space and metaverse objects as a result of
adding or removing links between objects.
Flow identity information from the connector space to the
metaverse.
Only after inbound synchronization is completed can the outbound
synchronization step begin. Outbound synchronization distributes
the integrated view from the metaverse to the connector space. This
view may be exported to the connected data source. Because an
object in a connector space represents the identity information in
a connected data source, this object contains only the attributes
from that connected data source. Identity Integration Server
distributes only the values for the object attributes in that
connector space partition.
In outbound synchronization, the synchronization process uses
the synchronization rules to perform the following tasks between
the metaverse and connector space:
Create a new connector space object as a result of a change in
the metaverse object.
Link a metaverse object to an existing connector space
object.
Process connector space objects as a result of removing the link
between the metaverse and connector space objects.
Flow identity information from the metaverse to the connector
space.
Synchronization Rules
The synchronization process is controlled by the synchronization
rules. The synchronization rules are defined through declarative
rules and the rules in a rules extension. The synchronization rules
are used by the synchronization engine of Identity Integration
Server as part of the synchronization process to create and
distribute the integrated view.
Important: The synchronization rules are used by Identity
Integration Server according to the state of the connector space or
metaverse object rather than in a predetermined order. Configure
your rules based on the state of the object rather than on the rules
being called in a predetermined order.
The following diagram shows how the different synchronization
rules are applied to the connector space and metaverse.
Object Deletion Rule. The object deletion rule is used during
inbound synchronization to determine how to process a metaverse
object when the link is removed between the connector space object
and the metaverse object. When an object deletion rule is
configured in Identity Manager to use a rules extension, the
synchronization process calls the IMVSynchronization.ShouldDeleteFromMV
method in a metaverse rules extension to determine when to delete a
metaverse object. For example, you can set a rule to delete a
metaverse object if an employee has been terminated after a
specified length of time.
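The object deletion rule described above, implemented in a metaverse rules extension as an added example (not code from the product documentation); the terminationDate attribute, its yyyyMMdd format and the 30-day retention period are assumptions:

```csharp
using System;
using System.Globalization;
using Microsoft.MetadirectoryServices;

// Hypothetical metaverse rules extension. The attribute name terminationDate,
// its yyyyMMdd format and the retention period are assumptions.
public class MvExtension : IMVSynchronization
{
    const int RetentionDays = 30;

    void IMVSynchronization.Initialize() { }
    void IMVSynchronization.Terminate() { }

    // Object deletion rule: called when the link between csentry and mventry
    // is removed. The decision is taken from the metaverse object's state,
    // not from which connector disconnected: the object is deleted only once
    // the employee has been terminated for longer than the retention period.
    bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        if (!mventry["terminationDate"].IsPresent)
            return false;   // no termination recorded: keep the metaverse object
        DateTime terminated;
        if (!DateTime.TryParseExact(mventry["terminationDate"].Value, "yyyyMMdd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out terminated))
            return false;   // malformed date: fail safe by keeping the object
        return (DateTime.UtcNow - terminated).TotalDays > RetentionDays;
    }

    // Provisioning rule: not used by this example extension.
    void IMVSynchronization.Provision(MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```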
Connector Filter Rule. The connector filter rule is used during
inbound synchronization to determine if a connector space object
will be further processed. When a connector filter rule is
configured in Identity Manager to use a rules extension, the
synchronization process calls the IMASynchronization.FilterForDisconnection
method implemented in a management agent rules extension. You can
use this method to create sophisticated filters to determine if
attribute values of a connector space object will be further
processed. For example, you can create a filter that allows only
connector space objects with an employee status attribute of active
to be processed. Any connector space object that does not have an
active value for the employee status will not be processed.
Note: This rule is always used in the synchronization process.
Join Rule. The join rule is used during inbound synchronization
to search for an existing metaverse object that can be linked to a
connector space object. When a join rule is configured in
Identity Manager to use a rules extension, the synchronization
process calls the IMASynchronization.MapAttributesForJoin
method implemented in a management agent rules extension to
generate a list of attribute values that is used to search for an
existing metaverse object. If more than one metaverse object is
found, then the IMASynchronization.ResolveJoinSearch
method is called to determine which metaverse object will be joined
to the disconnector object.
Projection Rule. The projection rule is used during inbound
synchronization to create a metaverse object and link this object
to the connector space object. When a projection rule is
configured in Identity Manager to use a rules extension, the
synchronization process calls the IMASynchronization.ShouldProjectToMV
method implemented in a management agent rules extension to create
a new metaverse object.
Note: This is the only synchronization rule that creates a
metaverse object.
Import Attribute Flow Rule. The import attribute flow rule is
used during inbound synchronization to flow identity information
from the connector space object to the metaverse object. When an
import attribute flow rule is configured in Identity Manager to use
a rules extension, the synchronization process calls the IMASynchronization.MapAttributesForImport
method in a management agent rules extension to flow one or more
attribute values from a connector space object to the metaverse
object. For example, the name of an employee may be defined by two
separate attributes in the connector space, firstname and
lastname, while the metaverse object has a single fullname
attribute that contains the complete name of the employee. In this
method, you can combine the firstname and lastname attributes into a
single value for the fullname attribute.
Avoid designing flow rules that rely on declarative rules or
rules in a rules extension to be evaluated in a specified order
when synchronizing an object. Rules are evaluated in an unordered
fashion. Use the state of an object to determine the next step in
synchronizing the object rather than the event that caused the
object state. The state of an object is determined by the Value property of a specified
attribute. For example, an employee can have an active or inactive
state based upon the employeeStatus attribute. The state of
that employee can be determined by viewing the Value
property of the employeeStatus attribute. An employee with
an active state has an employeeStatus of active, while an
inactive employee has an employeeStatus of inactive. For
more information about object state, see Provisioning
Objects in the Connector Space.
Provisioning Rule. The provisioning rule is used during
outbound synchronization to create new connector space objects or
to connect to or disconnect connector space objects as a result of
a change to a metaverse object. When a change occurs in a metaverse
object, the synchronization process calls the IMVSynchronization.Provision
method in a metaverse rules extension. Use this rule to create new
connector space objects and attribute values to be exported to
other connected data sources.
Note: This is the only rule that you cannot configure in Identity
Manager. You must use a metaverse rules extension for the
provisioning rule.
For examples that demonstrate an implementation of this method
in a rules extension, see Provisioning Objects in the Connector
Space.
Deprovisioning Rule. The deprovisioning rule is used during
outbound synchronization to determine how to process the connector
space object when the link is removed between the metaverse object
and the connector space object. When a deprovisioning rule is
configured in Identity Manager to use a rules extension, the
synchronization process calls the IMASynchronization.Deprovision
method in a management agent rules extension to evaluate the
connector space object when the metaverse object is deleted and the
link to the metaverse object is removed.
Export Attribute Flow Rule. The export attribute flow rule is
used during outbound synchronization to flow attribute values from
the metaverse object to a connector space object. When an export
attribute flow rule is configured in Identity Manager to use a
rules extension, the synchronization process calls the IMASynchronization.MapAttributesForExport
method implemented in a management agent rules extension to flow one
or more attributes from a metaverse object to the connector space
object. For example, you can use this method to enable or disable a
user account in an Active Directory data source.
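The connector filter rule, the import attribute flow rule (firstname and lastname to fullname) and the export attribute flow rule (enabling or disabling an Active Directory account) described above, implemented in one management agent rules extension as an added example (not code from the product documentation). The flow rule names "fullname" and "accountEnabled", the use of employeeStatus in the metaverse, and the default userAccountControl value for an object that has none yet are assumptions:

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Hypothetical management agent rules extension for an HR data source and an
// Active Directory data source. Flow rule names must match those configured
// in Identity Manager; the ones checked below are assumptions.
public class HrMaExtension : IMASynchronization
{
    const int AccountDisable = 0x0002; // ADS_UF_ACCOUNTDISABLE bit of userAccountControl

    // Connector filter rule: a connector space object continues through
    // inbound synchronization only if its employeeStatus is "active".
    // Returning true marks the object as a filtered disconnector.
    bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
    {
        return !csentry["employeeStatus"].IsPresent ||
               !string.Equals(csentry["employeeStatus"].Value, "active", StringComparison.OrdinalIgnoreCase);
    }

    // Import attribute flow rule: combine firstname and lastname into fullname.
    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        if (FlowRuleName != "fullname") throw new EntryPointNotImplementedException();
        string first = csentry["firstname"].IsPresent ? csentry["firstname"].Value : "";
        string last = csentry["lastname"].IsPresent ? csentry["lastname"].Value : "";
        string full = (first + " " + last).Trim();
        if (full.Length > 0) mventry["fullname"].Value = full;
        else mventry["fullname"].Delete(); // nothing to flow: clear any stale value
    }

    // Export attribute flow rule: set or clear the disable bit of the Active
    // Directory userAccountControl from the employee state held in the metaverse.
    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        if (FlowRuleName != "accountEnabled") throw new EntryPointNotImplementedException();
        long uac = csentry["userAccountControl"].IsPresent ? csentry["userAccountControl"].IntegerValue : 0x0200; // NORMAL_ACCOUNT (assumed default)
        bool active = mventry["employeeStatus"].IsPresent && mventry["employeeStatus"].Value == "active";
        csentry["userAccountControl"].IntegerValue = active ? (uac & ~AccountDisable) : (uac | AccountDisable);
    }

    // Rules this extension does not implement: the engine treats the exception as "not implemented".
    void IMASynchronization.Initialize() { }
    void IMASynchronization.Terminate() { }
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
}
```

Each method decides from the attribute values on the object it is handed, not from the order in which the engine happened to call it, which is the state-based design the Important note above asks for.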