1dent1ty cHa0s

So, wouldn’t it be nice to see all of the groups a user is a member of or owns directly on the Edit or View User pages? In this installment I will demonstrate how to accomplish this using some functions of the Object Visualization Configuration XML for the User object. First let us establish what this is going to look like when we are done:

Object Visualization Configuration

In the example we are adding a new Grouping to the default OVC for User:

Then we add a series of controls:

I should note here that if you have any spaces in the Name property (“Member View” vs “MemberView”) that you will get a series of IE scripting errors. In this section we are making use of the UocListView control which returns the nice table. Also, note that we’re using a special token variable here to specify the FirstName of the user. The syntax is to prefix the name of the attribute with “Attribute_” and then encapsulate the token in %’s. For example:

• %Attribute_AccountName%
• %Attribute_DisplayName%

Within the control we have a series of Properties:

 
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
 

There are few here that I will call attention to:

• ColumnsToDisplay – this sets up the system names of the columns we expect to see in our list
• ResultObjectType – specifies the object type(s) we expect to get back
• ItemClickBehavior – there are two values possible here, ClientPopup or Server; if you choose the later then clicking on the object will trigger a postback to the item otherwise you get a popup
• UsageKeywords – optional, great if you want to turn the ShowSearchControl on and specify a filter to be used by default; in this case AllMyGroupMemberships represents a custom SearchScope I built earlier
• ListFilter – this is the inline filter that populates the list; note that we’re making use of some additional tokens here, notably the ObjectID of the user we’re currently operating on which makes the search relative

Finding Members and Owners

With the ListFilter we can specify what it is we are searching for, and in this case we have two different types of queries we are performing. In the example above we see filter for determining the groups a user is a member of by searching the ComputedMember and ExplicitMember attributes. For the Owner filter we need to look at the Owner attribute like so:

Putting It All Together

You can download the entire OVC XML files based on the default versions here:

…or you can just copy the Grouping sections out of each one and transfer them to your own custom OVC. You can find the OVC XML reference online here:

• ILM “2” Object Visualization Configuration XML Reference

One of the things that has changed in the Release Candidate is that you no longer have to edit the Microsoft.IdentityManagement.Activities.arp file; in fact it is gone entirely. As of RC0 this file is replaced with the ActivityInformationConfiguration object and it performs the exact same role as before. So, after building your workflow, registering it in the GAC, and restarting the Microsoft Identity Lifecycle Manager Service, you will need to create one of these objects and then define your WF activity parameters. All of that will be covered in more detail in the next release of our workflow walkthrough document. For now, I wanted to concentrate on facilitating the object creation since RC0 didn’t ship with any OVC definitions to Create, Edit or View the new object type. I’ve created the definitions for you and you can download the OVC XML here:

Now you will need to create three new OVC definitions using the following figure as a template:

• Go to Administration, Object Visualization Configuration, and click on New
• Set the Display Names to:
• Configuration for Creating Activity Information Configuration
• Configuration for Editing Activity Information Configuration
• Configuration for Viewing Activity Information Configuration
• Set Target Object Type to ActivityInformationConfiguration
• For Configuration Data, click Browse and select the appropriate XML file you downloaded earlier
• Check the box that corresponds to the OVC you are configuration (Create, Edit or View)

In the end you’ll have three new OVC configurations; for example, the Edit one should look like so:

Once you are all done creating these objects, execute an IISRESET on the portal to refresh the configuration. Now you’re ready to add your custom WF activities to the portal:

• Go to Administration, All Resources, and click on Activity Information Configuration
• Click New, you should see the Create OVC:

You can also edit or view an existing entry:

That’s it, enjoy!

The fully installed VHD for ILM 2 is back and updated for the Release Candidate. Also different this time around is the dependency for Hyper-V; you can no longer run this as a Virtual Server 2005 or Virtual PC image. Also gone are all of the older 32-bit dependencies, the VHD is now 100% x64. You will require the following in order to run the new VHD:

• Windows Server 2008 with Hyper-V (running on Hyper-V capable hardware obviously)
• 8GB memory is recommended, 4GB minimum
• 60GB of disk space

If you are participating in TAP/RDP or just doing your own internal testing then you’ll want to have this VHD loaded and available. I don’t suggest doing your development or testing on this VM; however when you run into an issue in your own environment you will want to fire this puppy up and see if you can reproduce it here. Why, because once you’ve opened your bug on Connect you’ll want to give concise instructions on how to repro it and being able to repro it on the VM will make it much easier for the Dev’s to isolate the issue. Having to duplicate your environment will take time and may drop in priority.

Why don’t you want to use this as your testing environment? Well, the VM is a self-contained environment featuring all of the following roles installed on the same server:

• Active Directory Certificate Services
• Active Directory Domain Services
• DNS Server
• File Services
• Web Server (IIS)

Although not a role, the server is also a self-contained Exchange 2007 server with the Hub Transport, Client Access, and Mailbox roles installed. In addition, it’s also running SQL Server 2008 and since we’re on a DC, all of the service accounts are running with elevated privileges. For instance, the service account responsible for the ILM 2 Web Services (ILMService in the VM) is running as a Domain Admin which isn’t something you should be doing typically and will obscure errors that you might normally see in a restricted environment.

This is a DC/CA/Web/SQL/Exchange Server, thus the need for 4-8GB of memory. To top it off, this is Evaluation software folks, so parts of the image will expire in 90 days (Exchange) or 180 days (Server 2008 Enterprise) from its inception on 11/2/2008. You will get pestered by the Activation warnings as well – a challenging task considering the self-contained nature of the image. I would recommend changing the product key for the OS to one of your MSDN licenses (assuming you have an MSDN/TechNet subscription) to remove the OS time bomb. In order to do this, you will need to first configure the adapter within the VM to use a valid IP within your Hyper-V network, connect and activate – then reset the adapter configuration back to the required 192.168.1.100 settings specified in the PDF file.

Download details: ILM "2" RC Demo Hyper-V VHD

So, you’ve added some nifty new attributes to a new or existing object in the ILM Service Database and now you’re trying to add the attribute as part of a filter in perhaps a Dynamic Set definition, you hit submit and you get an Access Denied?

You can find out more information as to why this failed by checking Search Requests and opening up the failed request.

Notice the Filter validation failed for request message. Clicking the Applied Policy tab shows us which policies affected the operation:

If you click the hyperlink for Modify Filter Subject to Administrator Filter Scope you can follow the object all the way to the Workflow responsible for this behavior – Filter Validation Workflow for Administrators. You’ll notice there is an admin and a non-admin filter, and opening the admin version allows us to take a peak at what the filter is doing:

Hopefully the virtual light bulb has gone off now – when you extend the schema you will probably need to add the new attributes to various Filter Scopes so that they can be used in filters, otherwise you will get the Access Denied error.

So, you want to set the groupType attribute on an AD group but all you have to work with are the scope and type attributes on the ILM 2 group object. To make matters worse, they are both String types and the groupType attribute wants an Integer. To solve this problem you need to assemble the value based on the values present in scope and type. To understand what you need to assemble you should review the schema definition for groupType. We need to create a mapping in our Sync Rule that transforms the data on the fly, so let us see if Codeless Provisioning is up to the task.

Now this approach might seem like the logical way to approach this:

IIF(CustomExpression(Eq(scope,"Global")),2,0)
+
IIF(CustomExpression(Eq(scope,"DomainLocal")),4,0)
+
IIF(CustomExpression(Eq(scope,"Universal")),8,0)
+
IIF(CustomExpression(Eq(type,"Distribution")),0,2147483648)

…but it doesn’t work. When you concatenate values together they are always concatenated as strings. What we need to do then is to nest the IIF statement like so:

IIF(Eq(type,"Distribution"),IIF(Eq(scope,"Universal"),8,IIF(Eq(scope,"DomainLocal"),4,IIF(Eq(scope,"Global"),2,0))),IIF(Eq(scope,"Universal"),-2147483640,IIF(Eq(scope,"DomainLocal"),-2147483644,IIF(Eq(scope,"Global"),-2147483646,0))))

 

…but it’s not exactly intuitive. There are currently no arithmetic functions for adding two Number values, nor are there any functions to add date values; both of which are major oversights for the current release. Below is an example of the Outbound Sync Rule; however the groupType value is not displayed accurately. You should be able to copy and paste the above rule directly into the flow definition once you choose CustomExpression: Voila – now you no longer need two separate Sync Rules to flow one attribute. Thanks go to David Lundell and Andreas Kjellman for helping to puzzle this one out.

It's out, the docs are updated, now get to work!

• ILM Best Practices: ILM 2 RC 0 is here!
• ILM Best Practices: Other interesting changes in ILM RC0
• Bobby and Nima's ILM Blog: Announcing Identity Lifecycle Manager "2" Release Candidate

I am certainly glad to see the "managed:" moniker go away but the requirement for SQL Server 2008 has me concerned. Will adoption of ILM 2 be stalled because of this requirement?