Action Approval

May 11, 2011 at 8:49 PM, Henrik Nilsson

To start with, I'm not sure this is supported, and maybe it is old news…

Anyway, have you ever wanted to interrupt a request with an approval when you can't do it in the authorization phase, for example when a new resource is provisioned into FIM (and is therefore already written to the App DB), or when a resource is transitioning into or out of a set? Out of the box you can't, because the Approval activity is flagged as an authorization activity and the designer won't let you add it to an action workflow.

With a small tweak this is possible…

  1. Head for Administration (within the portal, are you with me?)
  2. Click All Resources and then, probably first in the list, the resource type Activity Information Configuration
  3. What you see now is a list of all the activities available within FIM. We want to create a new one, so click the New button (you may have to grant yourself, as an administrator, rights to create Activity Information Configuration resources)
  4. Add the following values to the Common Attributes page:
    Description: This activity applies for approval from specific approvers by mail and from action workflows.
    Display Name: Action Approval
  5. Switch to the Extended Attributes page and add the following values (they are the same as for the OOB AuthZ Approval activity; the only difference is "Is Action Activity"):
    Activity Name: Microsoft.ResourceManagement.Workflow.Activities.ApprovalActivity
    Assembly Name: Microsoft.IdentityManagement.Activities, Version=4.0.2592.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
    Is Action Activity: Checked
    Type Name: Microsoft.IdentityManagement.WebUI.Controls.ApprovalActivitySettingsPart
  6. Click OK and then Submit.

What we've just done is create a new Activity Information Configuration resource that is basically a copy of the original Approval activity (leaving the OOB FIM configuration unchanged is a best practice), with the one difference that it is available in action workflows, so it can interrupt the workflow before the subsequent activities do anything that requires an approval. Keep the difference from an authorization-phase approval in mind: by the time an action workflow runs, the request that triggered it has already been committed, so a rejection here stops the rest of the action workflow but does not undo the change itself.
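The same configuration as a script, added here as an example; it is not from the original post and not part of FIM itself. It uses the FIMAutomation snap-in that ships with the FIM Service to create the resource the steps above create in the portal, so the change is repeatable and can be kept under version control. The attribute names are the schema names behind the portal labels; the service URI and the account you run it as are assumptions for your environment.

```powershell
# Added example, not from the original post: create the "Action Approval"
# ActivityInformationConfiguration with the FIMAutomation snap-in instead of
# clicking through the portal. Assumptions: the FIM Service runs on this host
# on the default port (5725) and the caller is allowed to create
# ActivityInformationConfiguration resources.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri = "http://localhost:5725/ResourceManagementService"   # assumption

# The OOB Approval activity stays untouched; we only add a second configuration.
# Bail out if someone already created it by hand, otherwise the workflow
# designer would show two identical entries.
$xpath    = "/ActivityInformationConfiguration[DisplayName='Action Approval']"
$existing = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $xpath
if ($existing) { throw "An 'Action Approval' activity configuration already exists." }

# Same values as in the portal steps; the keys are the schema attribute names.
$attributes = @{
    DisplayName      = "Action Approval"
    Description      = "This activity applies for approval from specific approvers by mail and from action workflows."
    ActivityName     = "Microsoft.ResourceManagement.Workflow.Activities.ApprovalActivity"
    AssemblyName     = "Microsoft.IdentityManagement.Activities, Version=4.0.2592.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    TypeName         = "Microsoft.IdentityManagement.WebUI.Controls.ApprovalActivitySettingsPart"
    IsActionActivity = "True"
}

$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$importObject.ObjectType             = "ActivityInformationConfiguration"
$importObject.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
$importObject.TargetObjectIdentifier = $importObject.SourceObjectIdentifier
$importObject.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create

# One ImportChange per attribute; Add is the right operation for a brand-new object.
$changes = @()
foreach ($name in $attributes.Keys) {
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
    $change.AttributeName  = $name
    $change.AttributeValue = $attributes[$name]
    $change.FullyResolved  = 1
    $change.Locale         = "Invariant"
    $changes += $change
}
$importObject.Changes = $changes

# Send the single create request to the FIM Service.
$importObject | Import-FIMConfig -Uri $uri
```

Run it once per environment from an account with the rights mentioned in step 3; the duplicate check at the top makes it safe to re-run.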


Have fun!

Posted in: Forefront Identity Manager | Workflow | Approval


Additional OOB and Custom Sync Rule Functions… Again!

April 6, 2011 at 9:45 PM, Henrik Nilsson

One of the features I've wished for in FIM since ILM2 is custom Sync Rule Functions; apart from adding a feature request to Connect that got a lot of votes (and was closed with "Won't Fix"), I blogged about it here.

Why?

The reason I want custom functions, and preferably more OOB functions too, is simply that the available functions are far too limited, and much too often you have to fall back on MA extensions or custom workflows/activities where the Function Evaluator can't help.

I've discussed this with a member of the product team, and he claims that even though there is a public Sync Service interface allowing for this and a FIM Service system resource type (Function), this has never been the plan; instead it has just been a way of implementing the current functions, which remain in Functionlibrary.dll, hardcoded into both the FIM Service and the Sync Service.

The Survey

Since I'm not a person who takes no for an answer, I did a little survey, addressed to my MVP friends and some other FIM-initiated friends (and their friends within Microsoft). As I had got the hint that custom functions are far from being a reality, I gave them my ideas for new OOB functions and asked them to suggest functions they would like to see in FIM in the not too distant future.

The Answers

Even though I passed on the hint that custom functions are far away and asked instead for ideas for OOB functions, almost everyone said that custom and reusable functions are the only way to satisfy our demands. Here are some of the comments:

  • Quite frankly I don't see how they could ever satisfy all the requirements we could come up with. Allowing us to add functions is the only logical solution.
  • Please allow an extension to provide our own custom functions - this was also suggested during the summit. And while we're at it, please allow the same extension to be used for relationship criteria.
  • Could not agree more :), it's what's missing.. I can't stand sync rules.... this would help with the pain...
  • However, I totally agree that custom functions are the only way to satisfy all our requirements, including those that we can't think of right now but that we will have to face some day. In this way, no matter how many more functions we get, we won't be able to use only codeless provisioning.

As you can see above, there's also a demand for allowing functions in the Sync Rule relationship criteria, and I totally agree: as it is now it can be hard to get usable "joins" when the values to join on are similar but not exactly equal.

OOB functions?

Apart from custom functions, there's a demand for more OOB functions, usable by those who don't consider themselves developers. Some of the ideas were so similar that I took the liberty of merging them. One answer came with code examples, which I chose not to include for readability; I hope it is clear enough anyway.

  • Delete()
    Issue a .Delete on the MV Attribute to clear out unwanted or orphaned data due to removal of flow rules
  • ToInt(string)
    Cast the string to an integer, useful when you have to change an integer based anchor into a string to contribute elsewhere but need to provision it out
  • GetBitOperator(int bitmask, mask)
    Returns true/false of whether or not a bit is active in the mask
  • ConvertGeneralTimeToISO8601(string generalizedtime)
    Converts a flat generalizedTime string
  • ConvertFileTimeToISO8601(datetime filetime)
    Converts a FileTime attribute to a format the FIM WS can accept
  • GeneratePassword(number length)
    Generate a complex password from a predefined character set.
  • GeneratePassword(number length, string chargroup1)
    Generate complex password using characters from chargroup1.
  • GeneratePassword(number length, string chargroup1, string chargroup2)
    Generate complex password using characters from chargroup1 and chargroup2.
  • GeneratePassword(number length, string chargroup1, string chargroup2, string chargroup3)
    Generate complex password using characters from chargroup1 and chargroup2 and chargroup3.
  • IsUnique
  • AddDays(Now(), 15)
  • AddMonths(Now(), 6)
  • Len (string value)
    Function that returns the length of a string, 0 if null or empty.
  • ToString (any type value)
    Function that converts any datatype to string.
    (it's so irritating trying to map an integer value to a string during inbound sync, for example to employeeID, and getting an error)
  • Split (string value, string separators)
    Function that splits a string into a multi-valued string.
  • Join (string multi-valued value, optional string separator)
    Function that joins a multi-valued string value into a single-valued value with an optional separator string.
  • Index (any type multivalued value, number index)
    Function that returns a single value of the same datatype as the multi-valued input value by index.
  • Add (any type multivalued value,  any type single-valued value to add)
    Function that adds a single-valued value to a multi-valued value of the same type (one use could be for handling object classes in LDAP directories)
  • Remove(any type multivalued value, any type single-valued value to remove)
    Function that removes a single-valued value from a multi-valued value of the same type.
  • RegexReplace(string value, string pattern, string replace)
    Function that does a string replace using a regex pattern.
  • StartsWith(string value, string startswith)
    Function useful for finding out if a string starts with a specific string when doing IIFs.
    Could maybe be solved using the already available Mid function, but this is easier.
  • EndsWith(string value, string endswith)
    Function useful for finding out if a string ends with a specific string when doing IIFs.
    Could maybe be solved using the already available Mid function, but this is easier.
  • IsValid(string value, string pattern)
    Function for validating an input value using a regex pattern when doing IIF’s
  • Format(string format, string value1, string value2, string value3… )
    Function that replaces the format items in a specified string with the string representation of the corresponding parameter. I just love this function on the .NET string object and I think it could be really useful, even though I understand it could be hard to implement a user interface for, since the FIM functions can't accept an arbitrary number of parameters.
  • Now()
    Function that returns the current date and time.
  • Normalize(string value)
    Function for normalizing characters like ÅÖÄÜ etc. and removing all kinds of diacritics, for example when creating email addresses. I'm told this could be done using the EscapeDNComponent function, but that's only available in outbound sync rules.
  • Word (string value, number index, string separators)
    This already available function doesn't allow you to use an attribute as the value, only a fixed string.

Conclusion

I’m not the only one asking for this functionality but in order to make a change we need to get votes for it on Connect therefore I’ve made a new request that you can find here:

Custom and additional OOB Sync Rule Functions (again)...

Go ahead and vote for it, but don't forget to comment on why you wish to be able to create custom, reusable functions and to have a larger set of OOB functions. Also, don't be afraid to invite your friends to vote and to share this post or the Connect feature request on any social media!

Posted in: Forefront Identity Manager | Sync Functions | Sync Rules | Workflow


PowerShell Activity for FIM

September 4, 2010 at 8:31 AM, Henrik Nilsson

Carol (MissMiis) has created a really nice activity for executing PowerShell scripts, both local and remote, and it opens up all kinds of possibilities! Check it out:

http://www.wapshere.com/missmiis/powershell-activity

Posted in: Forefront Identity Manager | Identity Management | Workflow


How to load balance FIM

November 23, 2009 at 11:26 AM, Henrik Nilsson

Darryl Russi has posted a great article on how to configure more than one instance of the FIM Service.
If you haven’t discovered Darryl’s blog yet, make sure you bookmark it or add a feed subscription!

Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Posted in: Forefront Identity Manager | Identity Management | Workflow


EnumerateResourcesActivity - the follow-up

November 16, 2009 at 10:13 PM, Henrik Nilsson

A couple of months ago Joe Zamora (the CShark) was trying to solve the mysteries around the EnumerateResourcesActivity, a great activity that you can use from your own custom activities/workflows but not from the FIM workflow designer; read Joe's post here. After a lot of work, some help from Nima on the product team and a couple of not-that-useful tips from me, Joe got it working. See the forum post where Joe and I were trying to accomplish this here.

The EnumerateResourcesActivity is the only activity that can search for and return resources in FIM; you simply give it an XPath query. It's a really nice activity, with two limitations: it can only contain a single child activity (not strange at all, the same goes for the ReplicatorActivity), and its designer doesn't let you add that child declaratively, so you're forced to add the single child in code. The EnumerateResourcesActivity works pretty much like the ReplicatorActivity in that it iterates over a bunch of values, only in this case it finds the values (resources) before iterating over them. An important aspect of workflow crafting is that an activity instance can't be executed twice; the EnumerateResourcesActivity handles this by cloning the child activity (and its descendants) for each iteration before the iteration starts, so you can't use the original activity object references to reach the activities within an iteration.

Joe used a CodeActivity as the single child, but the solution I'm going to show you uses a SequenceActivity instead, making it possible to add more than one activity, because you will probably want to do work suited to other activities, like adding a user to the group you have found.

I won't go through all the details of activity crafting; for that you'll have to turn to the Windows Workflow Foundation developer center, the Forefront Identity Manager 2010 Developer Reference or maybe the oracle scrapheaps named Google and Bing. First of all we need some code in the designer part of our custom Activity class (a custom activity is usually created from two partial classes when you create it in Visual Studio). In the InitializeComponent method I create an EnumerateResourcesActivity, add a SequenceActivity to it, and to the SequenceActivity I add a CodeActivity; I leave it to you to add more child activities to the SequenceActivity after the CodeActivity. Finally I add the EnumerateResourcesActivity to the custom activity I'm creating:

using System;
using System.Linq;
using System.Workflow.Activities;
using System.Workflow.ComponentModel;
using Microsoft.ResourceManagement.Workflow.Activities;
using Microsoft.ResourceManagement.WebServices.WSResourceManagement;

// Designer half of the custom activity; the other partial class holds codeActivity_ExecuteCode
public partial class MyCustomActivity : SequenceActivity
{
    private CodeActivity codeActivity;
    private SequenceActivity sequenceActivity;
    private EnumerateResourcesActivity enumResourcesActivity;

    private void InitializeComponent()
    {
        this.CanModifyActivities = true;

        // codeActivity: runs once per found resource and is our hook for getting the current item
        this.codeActivity = new CodeActivity();
        this.codeActivity.ExecuteCode += new EventHandler(this.codeActivity_ExecuteCode);

        // sequenceActivity: the single child the EnumerateResourcesActivity allows;
        // add your own activities after codeActivity
        this.sequenceActivity = new SequenceActivity();
        this.sequenceActivity.Activities.Add(this.codeActivity);

        // enumResourcesActivity: queries the FIM Service with XPath and iterates the results
        this.enumResourcesActivity = new EnumerateResourcesActivity();
        this.enumResourcesActivity.PageSize = 100;
        // The filter is evaluated as XPath by the service: keep it a literal or build it from validated values
        this.enumResourcesActivity.XPathFilter = "/Person";
        this.enumResourcesActivity.Activities.Add(this.sequenceActivity);

        // MyCustomActivity
        this.Activities.Add(this.enumResourcesActivity);
        this.Name = "MyCustomActivity";

        this.CanModifyActivities = false;
    }
}

Did you notice the XPathFilter property of the EnumerateResourcesActivity, which I've set to return all Person objects? You might think it's strange to add a CodeActivity as the first child of the SequenceActivity, but I use it for getting the resource of the current iteration, and it also gives you a method in which you can assign values to sibling activities further down the execution chain, the ones I leave to you to add.

Here’s how I extract the value from the EnumerateResourcesActivity:

void codeActivity_ExecuteCode(object sender, EventArgs e)
{
    // The EnumerateResourcesActivity clones the child tree per iteration, so use the sender
    // (this iteration's CodeActivity) rather than the field set in InitializeComponent
    SequenceActivity s = (SequenceActivity)((CodeActivity)sender).Parent;
    ResourceType resource = EnumerateResourcesActivity.GetCurrentIterationItem(s) as ResourceType;

    // Perform initialization of any sibling activities here, but remember you must reference
    // them through this iteration's SequenceActivity as I've done above, for example...
    // UpdateResourceActivity u = s.Activities.OfType<UpdateResourceActivity>().First();
    // or other generic "queries" over s.Activities.
}

First we need the SequenceActivity of the current iteration; since we know it's the parent of the CodeActivity, we get it from the Parent property of the CodeActivity instance passed in the sender parameter. Then we call the static GetCurrentIterationItem method, passing in that SequenceActivity instance, which returns the resource for the current iteration.

Next, I leave it up to you to use the values of the found resources to do whatever you wish: update the resources found, delete them, or maybe create new resources from the values they contain.

Posted in: Forefront Identity Manager | Identity Management | Workflow


FIM 2010 RC1 Breaking change, DesignerHostProvider :-(

October 4, 2009 at 1:20 PM, Henrik Nilsson

In my activities I've been using the ProcessParameterPicker extensively, a control that shows a button with the text "Lookup"; when clicked, it lets you select from the available attributes.

In RC0 this control was available by calling base.DesignerHostProvider.CreateParameterPickerControl() from a class inheriting ActivitySettingsPart, since the DesignerHostProvider property was protected, in other words available to inherited classes.

In RC1 the product team doesn't want us to use the ProcessParameterPicker control from custom activities anymore, so they've made it internal. This made all my activities useless in RC1 unless the ProcessParameterPicker is removed from the code.

Another breaking change is that Microsoft.IdentityManagement.WebBase.dll has been removed and what it used to contain has been moved to Microsoft.IdentityManagement.WFExtensionInterfaces.dll, but this is simply solved by removing the reference to Microsoft.IdentityManagement.WebBase.dll and adding a reference to Microsoft.IdentityManagement.WFExtensionInterfaces.dll.

Currently I'm waiting for the VHD to be released before I update my library for RC1, and we'll see how I'll handle the ProcessParameterPicker…

They've also forgotten to update the SDK with this change (on the "Using Custom Activities in FIM" page, ActivitySettingsPart).

I've added a request to make the ProcessParameterPicker available again, because I don't see the reason why it has been taken away from custom activities: https://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=495726&SiteID=433

Update 2009-10-05: Microsoft has chosen to keep the ProcessParameterPicker internal, with this explanation...

As part of the changes between RC0 and RC1 we locked down the vast majority of our classes, including the class that you identified here, as a best practice of exposing only supported interfaces publically.

Posted in: Forefront Identity Manager | Workflow


Codeless Provisioning Sync Rules – The Patent

September 21, 2009 at 8:28 PM, Henrik Nilsson

Want to learn codeless provisioning the FIM 2010 way? Have a look at: http://www.patents.com/CODELESS-PROVISIONING-SYNC-RULES/US20090222833/en-US/

Register and you'll be able to download the patent as a PDF with pictures.

Posted in: Forefront Identity Manager | Sync Functions | Workflow


Introduction to WF 4.0 webcast

May 19, 2009 at 5:48 PM, Henrik Nilsson

My former colleague and BizTalk MVP Alan Smith has posted the first in a series of webcasts about Workflow Foundation 4.0, which I believe will be the version we'll see in the final release of Forefront Identity Manager 2010.

Visit Alan's blog http://geekswithblogs.net/asmith/archive/2009/05/19/132272.aspx or go directly to http://bloggersguides.net/ where Alan publishes his webcasts and more...

Posted in: Forefront Identity Manager | Workflow


Using the Normalize Diacritic Characters Activity

May 11, 2009 at 10:13 AM, Henrik Nilsson

I got a comment from Joe Stepongzi today; he didn't like my Normalize Diacritic Characters Activity, which is part of my Cortego ILM 2 Workflow Activity Library:

I am not sure I like the Normalize Diacritic Characters Activity..
As certain values could be changed to multiple characters instead of one..
I think email addresses should be done at the source and not handled in ILM "2"

The purpose of the Normalize Diacritic Characters Activity is to normalize characters carrying different kinds of diacritics into plain base characters, or however I should define it. The main reason I created this activity is that I'm from Sweden and must handle "ÅÄÖ", but I'm also working for a company with a lot of employees in Eastern European countries, and that is a nightmare when trying to create, for example, email addresses. This can be hard to appreciate for Britons and Americans, since English is a language where diacritics are sparsely used, and it wouldn't have been a problem if it had been understood from the beginning that there are other languages than English and a need for other standards than ASCII. Examples of what the activity produces are given below (I do hope your browser supports Unicode, otherwise you'll probably see a lot of boxes).

The activity only normalizes diacritics, by decomposing each character and removing any Unicode non-spacing marks (category Mn). This is how it works, code-wise, using the System.Globalization and System.Text namespaces:


using System.Globalization;
using System.Text;

public static string NormalizeDiacriticChars(string input)
{
   // Form D splits a precomposed character into its base letter plus combining marks
   string formD = input.Normalize(NormalizationForm.FormD);
   StringBuilder sb = new StringBuilder();
   for (int i = 0; i < formD.Length; i++)
   {
      // Keep everything except the combining (non-spacing) marks themselves
      UnicodeCategory uc = CharUnicodeInfo.GetUnicodeCategory(formD[i]);
      if (uc != UnicodeCategory.NonSpacingMark)
      {
         sb.Append(formD[i]);
      }
   }
   // Form C recomposes whatever can still be composed (e.g. Hangul jamo into syllables)
   return (sb.ToString().Normalize(NormalizationForm.FormC));
}

First of all the input string is normalized into Form D, which decomposes characters in this way:

  • å –> a + ring
  • Ё –> E + umlaut
  • æ –> æ (no decomposition exists for this letter, used in Danish, Norwegian and Old English among others, so it stays as it is)
  • A Hangul syllable –> its component jamo (the Hangul letters used in Korean)

Then all characters in the Unicode category NonSpacingMark are removed; in the examples above that is the ring and the dots (umlaut). Finally the remaining string is normalized into Form C, composing characters back, for example:

  • a –> a (the ring is already removed)
  • E –> E (the umlaut is already removed)
  • æ –> æ (it was never decomposed, so it survives untouched; likewise "ae" is never composed into "æ")
  • jamo –> Hangul syllable (composed back)

Normalizing an Eastern European name like "Lāčkāja Lapiņš" ends up as "Lackaja Lapins", and a typical Swedish name like "Åsa Öberg" ends up as "Asa Oberg", a lot easier to handle when creating different kinds of names and also widely accepted in the countries where diacritic characters are used.

As you can see, characters are not, as Joe thought, changed into multiple characters, but he does have a point in that, for example, email addresses should be handled at the source and not in ILM2/FIM2010... But if you would like accounts and mailboxes to be automatically created from, for example, an HR system, one of the best practices of Identity Management, you might be forced to create the email addresses and other system names following your naming standards, unless you trust your HR personnel to have full control over all existing email addresses and names. It's up to you to make sure input characters are valid, but by using this activity you don't have to worry about macrons, curls, dots, accents and so on. Note, however, that letters like æ that have no decomposition are neither changed nor removed, so they would still be a problem when creating email addresses.

A solution to make sure you get valid strings after normalization could be to use my Regex Replace Activity to remove or replace any remaining characters that aren't valid in the context you're using them in. In order to get unique names or email addresses you could use my Unique Name Activity. Both these activities are contained in the Cortego ILM 2 Workflow Activity Library. The pattern "[^a-zA-Z0-9\s]" can be used in the Regex Replace Activity to find and remove or replace all characters that are not within a-z, A-Z, 0-9 and whitespace.
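The following script, added here as an example (it is neither from the original post nor from the Cortego library), runs the same Form D / strip-Mn / Form C normalization on the .NET classes the activity uses, and then shows the failure mode of the cleanup step: letters such as æ, ø, ß and ł have no Unicode decomposition, so normalization leaves them alone and the "[^a-zA-Z0-9\s]" pattern would then delete them silently, turning "Søren Ødegaard" into "Sren degaard". Putting an explicit transliteration table between the two steps, and warning when the regex still has to drop something, avoids that. The transliteration choices and function names are assumptions; adjust them to your own naming standard.

```powershell
# Added example, not from the original post or the Cortego library.
# Save the file as UTF-8 (with BOM for Windows PowerShell) so the non-ASCII
# literals below survive.

function Remove-Diacritics {
    param([Parameter(Mandatory=$true)][string]$Text)

    # Form D: å -> a + U+030A, Ё -> Е + U+0308, Hangul syllables -> jamo
    $decomposed = $Text.Normalize([System.Text.NormalizationForm]::FormD)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $decomposed.ToCharArray()) {
        # Drop the combining marks (category Mn), keep everything else
        if ([System.Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch) -ne
            [System.Globalization.UnicodeCategory]::NonSpacingMark) {
            [void]$sb.Append($ch)
        }
    }
    # Form C: recompose what can still be composed (jamo back into syllables)
    $sb.ToString().Normalize([System.Text.NormalizationForm]::FormC)
}

# Letters that survive normalization because they are not "base letter + mark".
# Assumed transliterations: pick the ones your organisation uses. A .NET
# dictionary keyed by [char] is used because PowerShell hashtable literals are
# case-insensitive and would treat 'ø' and 'Ø' as the same key.
$Transliterations = New-Object 'System.Collections.Generic.Dictionary[char,string]'
foreach ($pair in @(('æ','ae'), ('Æ','AE'), ('ø','o'),  ('Ø','O'),  ('œ','oe'), ('Œ','OE'),
                    ('ß','ss'), ('ð','d'),  ('Ð','D'),  ('þ','th'), ('Þ','Th'),
                    ('ł','l'),  ('Ł','L'),  ('đ','d'),  ('Đ','D'))) {
    $Transliterations.Add([char]$pair[0], $pair[1])
}

function ConvertTo-AsciiName {
    param([Parameter(Mandatory=$true)][string]$Text)

    $normalized = Remove-Diacritics $Text
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $normalized.ToCharArray()) {
        if ($Transliterations.ContainsKey($ch)) { [void]$sb.Append($Transliterations[$ch]) }
        else                                    { [void]$sb.Append($ch) }
    }
    # Only now apply the post's cleanup pattern (-creplace: case-sensitive, like
    # Regex.Replace without options). Anything it removes is a character we
    # have no rule for, so say so instead of mangling the name silently.
    $transliterated = $sb.ToString()
    $clean = $transliterated -creplace '[^a-zA-Z0-9\s]', ''
    if ($clean -ne $transliterated) {
        Write-Warning "Dropped characters without a transliteration rule from '$Text'"
    }
    $clean
}

Remove-Diacritics 'Åsa Öberg'                     # Asa Oberg
Remove-Diacritics 'Lāčkāja Lapiņš'                # Lackaja Lapins
Remove-Diacritics 'Søren Ødegaard'                # Søren Ødegaard (ø is untouched)
'Søren Ødegaard' -creplace '[^a-zA-Z0-9\s]', ''   # Sren degaard   (regex alone mangles it)
ConvertTo-AsciiName 'Søren Ødegaard'              # Soren Odegaard
ConvertTo-AsciiName 'Straße Łukasz'               # Strasse Lukasz
```

The warning is the useful part for an identity pipeline: a silently shortened name is exactly the kind of value that later collides with another user's address, so it is better to surface it than to let the Unique Name step paper over it with a suffix.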

If you would like to know more about Unicode Normalization this is a great guide: Unicode Normalization Forms. If you would like to know how different characters from different scripts including Cyrillic, Greek, Latin, Thai, Katakana, and so on are composed/decomposed you could have a look at these Normalization Charts. A description of different kinds of diacritics could be found at Diacritic - Wikipedia.

Finally, do you trust your HR personnel, or do you have a Catbert at your company?

Posted in: Workflow | Forefront Identity Manager


Cool feature using the RegexReplaceActivity

April 30, 2009 at 1:28 PM, Henrik Nilsson

The RegexReplaceActivity introduced in the Cortego ILM 2 Workflow Activity Library uses the Regex class from the System.Text.RegularExpressions namespace, and through the replacement parameter of its Replace method we can actually do some really cool stuff. That parameter maps to the Replacement property of the RegexReplaceActivity, and there is no requirement that it contain plain text: it can contain a replacement pattern as well. Here is an example, taken from the MSDN Regular Expression Examples, used to change the format of dates. Please note it's just an example; you're the one who must know how the actual values are formatted, and I don't know whether using the EmployeeEndDate attribute with this example is appropriate.

Replace dates of the form mm/dd/yy with dates of the form dd-mm-yy.

Input value (from Expression): 04/30/09 or 04/30/2009 (the year group in the regex pattern has a 2-to-4-digit quantifier)
RegEx Pattern: \b(?<month>\d{1,2})/(?<day>\d{1,2})/(?<year>\d{2,4})\b
Replacement: ${day}-${month}-${year} 


Output value (Destination expression): 30-04-09 or 30-04-2009 – isn't that cool?
What happens is that the input data is captured into named groups, which are then used to format a new value.

Realize what you can do with this: you can in fact simply extract parts from, or reformat, the input data to whatever you like!
A good source for more info about regular expressions is .NET Framework Regular Expressions.

Posted in: Forefront Identity Manager | Workflow
