Hi
The MVExtension (MVMegaDLL) still needs to see all attributes in the schema through the MA. On the AD connector (or whichever is failing), click Select Attributes (might need "show all" tick box in the top right) and select unicodePwd
Cheers
Danny G
External Confidential
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Alistair Young
Sent: 14 February 2020 10:53
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
would anyone have seen this before during a provision in the MvMegaDll?
"attribute unicodePwd is not a member of the attribute inclusion list"
it's write-only so not in the MA CS attribute selector so I'm not sure how it can be included. I'm setting csentry["unicodePwd"].Value = "..." after StartNewConnector when the error is raised by MIM.
thanks,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Alistair Young <[log in to unmask]>
Sent: 14 February 2020 09:19
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
Warning. This email did not originate from the University.
You should only open any links or attachments if you are certain this email is genuine and the content is safe.
Warning. This email contains web links and originates from outside of the University.
You should only click on these links if you are certain that the email is genuine and the content is safe.
thanks Tim, that is just what I needed. I wasn't sure if both DLLs would be called if one or other existed.
So MegaDLLoSaurus is essentially a butler that accompanies a new object into each CS and provides just enough clothes to preserve their dignity, leaving with the message "your tailor shall arrive shortly". The tailor is the MA MapAttributesForExport, with the rest of the outfit. The object is then in a proper state to leave MIM and enter the wide world. hmmm I might call the former, Jeeves.dll
If they ever create an OSCARS for lists, I shall be nominating this one...
cheers,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Tim Purkiss <[log in to unmask]>
Sent: 13 February 2020 16:47
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
Agree on the last point.
MV Extension should be used to provision objects to the relevant MA connector spaces with the minimum set of attributes needed to create it. This is your initial flow.
Individual MA Rules Extensions should be used to manage all attributes (import or export) that can’t be set using a direct rule. There’s no harm in setting an initial value from the MV Extension then potentially a different value from the Rules Extension (e.g. setting an account as disabled on creation, then activating it when a status flag is set. This might happen in the same Sync step or later if the status changes).
In a preview, you can see this in action:
Import Attribute Flow – fires all the Direct import rules and Import Rules Extension logic.
Provisioning Summary – shows the results of the MV Extension provisioning code
Connector Updates – show the results of any export attribute flow rules (direct or rules extensions)
The MV Extension can also handle the deletion rule for the MV – i.e. you can create more complex rules to delete MV objects beyond just deletion of source records from the connector space (for example, we will delete MV records if external staff accounts are deleted but not students).
There are a few techniques for structuring the code that can be helpful. E.g. Use a case statement to check for the FlowRuleName in the MapAttributesForImport/Export routines and then call a separate function to do the work for each rule. I find this makes the code easier to work with.
Tim
Tim Purkiss
---------------
Technical Architect: Identity & Applications IT Service Operations IT & Digital Services University of London
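The case-statement structure described in the message above, as an added example that is not code from any list member: an AD management agent rules extension that dispatches on FlowRuleName and enables an account only when a status flag is set. The flow rule names and the metaverse attributes employeeStatus, firstName, lastName and accountDisabled are assumptions; the class compiles against Microsoft.MetadirectoryServices.dll on the sync server.

```csharp
using Microsoft.MetadirectoryServices;

namespace Mms_ManagementAgent_AdExtension
{
    public class MAExtensionObject : IMASynchronization
    {
        private const long AccountDisable = 0x2;   // userAccountControl ACCOUNTDISABLE bit
        private const long NormalAccount = 0x200;  // userAccountControl NORMAL_ACCOUNT bit

        // One case per advanced flow rule; the names are hypothetical and must match the MA config.
        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        {
            switch (FlowRuleName)
            {
                case "exportAccountState": ExportAccountState(mventry, csentry); break;
                case "exportDisplayName": ExportDisplayName(mventry, csentry); break;
                default: throw new EntryPointNotImplementedException();
            }
        }

        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            switch (FlowRuleName)
            {
                case "importAccountDisabled": ImportAccountDisabled(csentry, mventry); break;
                default: throw new EntryPointNotImplementedException();
            }
        }

        // Enable only on an explicit "active" status; a missing or unknown status keeps it disabled.
        private static void ExportAccountState(MVEntry mventry, CSEntry csentry)
        {
            long uac = csentry["userAccountControl"].IsPresent
                ? csentry["userAccountControl"].IntegerValue
                : NormalAccount | AccountDisable;
            bool active = mventry["employeeStatus"].IsPresent && mventry["employeeStatus"].Value == "active";
            csentry["userAccountControl"].IntegerValue =
                active ? uac & ~AccountDisable : uac | AccountDisable;
        }

        private static void ExportDisplayName(MVEntry mventry, CSEntry csentry)
        {
            if (mventry["firstName"].IsPresent && mventry["lastName"].IsPresent)
                csentry["displayName"].Value = mventry["firstName"].Value + " " + mventry["lastName"].Value;
            else
                csentry["displayName"].Delete();
        }

        private static void ImportAccountDisabled(CSEntry csentry, MVEntry mventry)
        {
            mventry["accountDisabled"].BooleanValue = !csentry["userAccountControl"].IsPresent
                || (csentry["userAccountControl"].IntegerValue & AccountDisable) != 0;
        }

        // Entry points this MA does not use.
        public void Initialize() { }
        public void Terminate() { }
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
        public DeprovisionAction Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
    }
}
```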
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Paul Green
Sent: 13 February 2020 15:43
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
The provision method of the MVExtension gets called on every sync, though you’re right in that if you’re doing a delta sync, it would only be called if there was a pending change. But that would be true on a management agent extension too.
This is why, if you make a change and run a delta sync, MIM will warn you and suggest you do a full sync to evaluate every object.
I’d do initial flows in the MVExtension and persistent flows in the management agent extension.
Get Outlook for iOS<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=02%7C01%7Cdanielg%40IDENTITYEXPERTS.CO.UK%7Cbbff8712279547984fa808d7b13c09b6%7C1d962d68d4484434b62d5660971874c4%7C1%7C0%7C637172743738242457&sdata=mP1yCtc2fO5u5chUloDUP2px2u6VU9G5n3peQWzxZw8%3D&reserved=0>
________________________________
From: Alistair Young <[log in to unmask]>
Sent: Thursday, February 13, 2020 15:38
To: Paul Green; [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
Is it better to only use MA.MapAttributesForExport and check the connector count for the object. If zero, then it's initial flow and DN and password etc can be set?
The docs state MegaDLL.Provision "Evaluates connected objects in response to a change to a metaverse object.".
But if there's a sync and nothing changes, then MegaDLL.Provision doesn't get called and all the rules in the DLL don't get applied. So what's in the CS ends up in the target system, which may not be what I want. I think I see now.
cheers,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Paul Green <[log in to unmask]>
Sent: 13 February 2020 15:08
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
Hi Alistair,
Your mega metaverse DLL (you should patent the name) wouldn’t work. You can set attributes *on initial creation* using a metaverse extension, but not persistently.
Generally you’ll have:
1. A rules extension DLL for each management agent (where you use any coded rules) and
2. A metaverse extension. As Andy said, this does three things only really: provisions new objects to the connector space of a management agent; de-provisions objects from a connector space (or all connector spaces); renames objects in a connector space.
Hope that helps!
Paul
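The three jobs of the metaverse extension listed in the message above (provision, de-provision, rename), as an added example that is not code from any list member. The MA name, container, object type and the metaverse attributes accountName and employeeStatus are assumptions; the class compiles against Microsoft.MetadirectoryServices.dll on the sync server.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    public class MVExtensionObject : IMVSynchronization
    {
        // Hypothetical names: adjust the MA name, container and attributes to the deployment.
        private const string AdMa = "AD MA";
        private const string Container = "OU=Staff,DC=example,DC=org";

        public void Initialize() { }
        public void Terminate() { }

        public void Provision(MVEntry mventry)
        {
            if (mventry.ObjectType != "person") return;
            ConnectedMA ad = mventry.ConnectedMAs[AdMa];
            if (ad.Connectors.Count > 1)
                throw new UnexpectedDataException("multiple AD connectors: " + ad.Connectors.Count);

            bool inScope = mventry["accountName"].IsPresent
                && mventry["employeeStatus"].IsPresent
                && mventry["employeeStatus"].Value != "left";
            if (!inScope)
            {
                // De-provision: the AD MA's deprovisioning rule decides what happens to the connector.
                if (ad.Connectors.Count == 1) ad.Connectors.ByIndex[0].Deprovision();
                return;
            }

            ReferenceValue dn = ad.EscapeDNComponent("CN=" + mventry["accountName"].Value)
                                  .Concat(Container);
            if (ad.Connectors.Count == 0)
            {
                // Provision with only what AD needs to create the account (initial flow).
                CSEntry csentry = ad.Connectors.StartNewConnector("user");
                csentry.DN = dn;
                csentry["sAMAccountName"].Value = mventry["accountName"].Value;
                // unicodePwd must be ticked under Select Attributes on the AD MA.
                csentry["unicodePwd"].Value = NewInitialPassword();
                csentry["userAccountControl"].IntegerValue = 0x202; // normal account, created disabled
                csentry.CommitNewConnector();
                return;
            }

            // Rename or move: an existing connector only ever gets a new DN here.
            CSEntry existing = ad.Connectors.ByIndex[0];
            if (!string.Equals(existing.DN.ToString(), dn.ToString(), StringComparison.OrdinalIgnoreCase))
                existing.DN = dn;
        }

        // Not used in this sketch: assumes the metaverse object deletion rule is set in the console.
        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { throw new EntryPointNotImplementedException(); }

        // Random per-account value instead of a shared literal; assumes base64 text meets the domain policy.
        private static string NewInitialPassword()
        {
            byte[] buf = new byte[24];
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
            return Convert.ToBase64String(buf);
        }
    }
}
```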
________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Alistair Young <[log in to unmask]>
Sent: Thursday, February 13, 2020 15:03
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
I'm reading the MIM 2016 Handbook which uses a Metaverse DLL to "provision to the connector space". The Provision term comes from this article:
https://docs.microsoft.com/en-gb/archive/blogs/connector_space/the-complete-synchronization-process-part-1-new-user-synchronization
their flow is:
SQL -> MA1 -> import -> sync -> project -> Mv -> provision to MA2 CS -> export -> target system (AD)
is it better to use MapAttributesForExport in a MA2 DLL? I can see that would keep each MA's rules in its own DLL.
or a giant MvProvision DLL that knows about all MAs.
So the two options are:
- Mv objects go as-is into each CS, MapAttributesForExport used to "sanitise" them prior to export, for each MA independently or
- Mega Metaverse DLL "sanitises" all objects for all CS so MapAttributesForExport isn't needed as they're "ready to go" when export is run
I think!
cheers,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Andy Swiffin (Staff) <[log in to unmask]>
Sent: 13 February 2020 14:40
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
The Rules extension DLL for each MA has sections for importing _and_ exporting attributes:
Public Sub MapAttributesForImport
And
Public Sub MapAttributesForExport
The MV rules extension is concerned just with provisioning target systems, but also handles moving or renaming an object, which is just a change of DN.
You don't provision out to the connector space, that has to be populated with a confirming import after an export so a typical sequence might be
MA1 full import (it's a sql ma so there's no delta import)
MA1 Delta sync
MA2 Delta import
MA2 Delta sync
MA3 Export
MA3 Delta import
MA3 Delta Sync
MA4 Export
MA4 Delta import (no delta sync because ma4 doesn't contribute anything).
HTH
Andy
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Alistair Young
Sent: 13 February 2020 14:10
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
thanks Paul,
I see each MA has its own DLL for importing attributes, whereas there is only one DLL for provisioning out to connector spaces. Is that how it works? In the IMVSynchronization.Provision method it's normal to just cycle through all the known MAs and provision the object into each CS in turn?
cheers,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Paul Green <[log in to unmask]>
Sent: 12 February 2020 12:36
To: [log in to unmask]
Subject: Re: Deploying rules extensions DLLs
Hi Alistair,
Yes, exactly that. You don't even need to restart the sync engine if it's just the modification of a rules extension.
If MIM is in the middle of sync'ing and you update anything in the extensions folder, MIM will throw an exception and stop the sync (and you'll probably find that you have to restart the service if it does).
Thanks,
Paul.
On 12/02/2020, 12:31, "Discussion for MS IDM tools liks ILM and FIM on behalf of Alistair Young" <[log in to unmask] on behalf of [log in to unmask]<mailto:[log in to unmask]@UHI.AC.UK>> wrote:
Dear Amazing List,
does anyone have best practice advice for managing/deploying DLLs? I have my MA DLL and Metaverse DLL, developed on another machine and kept in git. Of course the build fails as it includes a copy operation to the Extensions folder of the sync engine but I'm not bothered about that as the DLL is created just fine. Is it just a case of manually copying the DLLs over and "restarting" the sync engine? Curious as Visual Studio, if run on the MIM server, will copy the DLL automatically without a restart. Will the sync engine pick up changes to anything in the Extensions folder? If so, I imagine changing anything in there during an import/sync/export would not end well.
thanks,
Alistair
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
Given that changes in your requirements may occur, and that final performance will depend on a variety of factors, not all of which are known in detail at this stage, none of the statements in this email constitutes a representation for which Identity Experts (IE) can accept any liability. Any guidance or advice provided should only be binding on IE once further diligence and design are undertaken and a final contract setting out expressly agreed terms and conditions is signed between authorised representatives of our companies
Identity Experts Limited | Registered Office: The Media Centre, 7 Northumberland Street, Huddersfield, HD1 1RL, England | Registered Number: 9002786 | VAT number: GB189003893
This e-mail may contain confidential and/or legally privileged material for the sole use of the intended recipient. If you are not the intended recipient (or authorized to receive for the recipient) please contact the sender by reply e-mail and delete all copies of this message. If you are receiving this message internally within the group of Identity Expert companies, you should consider the contents “CONFIDENTIAL”
The University of Dundee is a registered Scottish Charity, No: SC015096