Download article
First published on MSDN on Jun 19, 2015
Introduction to Workflows
Workflows within the FIM Portal are used in combination with Sync rules to build, manage, control, or manipulate data that. Prior to the FIM Portal any manipulation of data from one data source to be managed to or from another data source need Custom Rules Extensions that required an understanding of Visual Basics or C#, which often required onsite developers or 3rd party consultants that are often expensive and hard to come by. One of the many issues with having to use Rules Extensions to manage data was scalability, maintenance or troubleshooting. After the rules extensions are in place if a need arises where a change needs to be implemented it would once again require onsite developers or at that point someone with a basic knowledge of VB and or C# to understand the existing Rules Extension in order to make the necessary changes. The worst possible scenario is where a change is needed in the Rules Extension and the source code is nowhere to be found for one reason or another. Workflows are used to perform a variety of different task which include but certainly not limited Notification when a specific action has taken place, Authorization when someone would like to make a change to a specific attribute, or actions such as completing a function on behalf of the user when a specific action has taken place. A combination of all these different task can be performed for any desired circumstance. In the end Workflows are put in place for automation of your environment as well as streamlining your organization’s processes. More importantly these workflows can be used to follow a specific standard such as naming conventions and applying appropriate permissions.
Often when these steps are performed manually they are done incorrectly and not necessarily by incompetence but by common mistakes like Typos, or forgetfulness. Workflows by them-selves do nothing but when they are associated with an MPR (Management Policy Rule) they can be used to perform functions as mentioned previously. These same workflows can be associated with multiple MPR’s but it is important to understand what the workflows are doing and when they should be “Triggered” or “Applied”. If not properly planned and tested you could find yourself in a looping scenario where a workflow gets applied again and again because the action that the workflow performs is associated with a “trigger” that applies the workflow. For example if you have a workflow that builds a display name but the MPR that “triggers” the workflow is for multiple attribute such as Create and Modify First Name, Last Name, or Display Name than the very action being performed would build or modify the objects Display Name, which would cause the workflow to be triggered a second time where even if the 2nd result would build the same Display Name and there may not be a change its still wasted resources on your machine, and additional unnecessary SQL “Churn”. Other situations could exist where the workflow gets in an endless loop which would eventually slow your environment to a crawl. Bottom line is to be sure and test any and all workflows before they are put in production.
Workflow Types
When you first install the Forefront Identity Manager Portal you are given 3 Types to choose Each Workflow type having additional functions associated with that particular activity. Additionally there is a select Run On Policy Update which is used in conjunction with Transition Set MPR’s
The 3 Workflow Types
-
Authentication
-
Lockout Gate
-
One-Time Password Email Gate
-
One-Time Password SMS Gate
-
Password Gat
-
QA Gate
Authorization
-
Approval
-
Filter Validation
-
Function Evaluator
-
Group Validation
-
Notification
-
Requestor Validation
Action
-
Active Directory Password Reset Activity
-
Function Evaluator
-
Notification
-
Synchronization Rule Activity
Working with the Default Workflow library
The following information is directly from the following Link.
(References TechNet Article
http://technet.microsoft.com/en
–
us/library/ff800820(v=WS.10).aspx)
- Functions Reference
Configuring
attribute flow mappings is an elementary task when configuring synchronization rules. The simplest form of an attribute flow mapping is a direct mapping. As indicated by the name, a direct mapping takes the value of a source attribute and applies it to the configured destination attribute. There are cases where you either need existing attribute values to be modified or new attribute values to be calculated before the system applies them to a destination.
Functions are a built-in method used to define the type of modification you need the synchronization engine to apply when generating an attribute value for an object.
In FIM, you can group the existing functions into the following categories:
-
Data Manipulation Functions.
- Functions to perform a variety of manipulation operations on strings.
Data Retrieval Functions.
- Functions to extract data from attribute values.
Data Generation Functions.
- Functions to generate values.
Logic Functions.
- Functions to perform operations based on conditions.
Data Manipulation Functions
- Data manipulation functions are used to perform a variety of manipulation operations on strings.
| |
| The |
| string1 + string2 + … |
| Two or more strings |
| All input string parameters are concatenated with each other. |
| One string |
| |
| The |
| String UpperCase(string) |
| One string |
| All lower case characters of the input parameter are Example: UpperCase(“test”) results |
| One string |
| |
| The |
| String LowerCase(string) |
| One string |
| All upper case characters of the input parameter are converted to lower case characters. Example: LowerCase(“TeSt”) results in “test”. |
| One string |
| |
| The |
| String ProperCase(string) |
| One string |
| The first character of every space-delimited word in the input parameter is converted to upper case, and all upper case characters are converted to lower case characters. If a word in the input parameter starts with a non-alphabet character, the first character of the word is not converted to upper case. Examples:
|
| One string |
| |
| The |
| String LTrim(string) |
| One string |
| The leading white space characters contained in the input parameter are removed. Example: LTrim(“ Test ”) results in “Test ”. |
| One string |
| |
| The |
| String RTrim(string) |
| One string |
| The trailing white space characters contained in the input parameter are removed. Example: RTrim(“ Test ”) results in “ Test”. |
| One string |
| |
| The |
| String Trim(string) |
| One string |
| The leading and trailing white space characters contained Example: Trim(“ Test ”) results in |
| One string |
| |
| The |
| String RightPad(string, length, padCharacter) |
|
|
| If the length of Examples:
|
| If If the length of |
| |
| The |
| String LeftPad(string, length, padCharacter) |
|
|
| If the length of Examples:
|
| If If the length of If |
| |
| The |
| Int BitOr(mask, flag) |
|
|
| This
|
| A new version of |
| |
| The |
| Int BitOr(mask, flag) |
|
|
| This function converts both parameters to binary representation and compares them:
|
| A new version of |
| |
| The |
| String DateTimeFormat(dateTime, format) |
|
|
| The The string specified in
Example: DateTime(“12/25/2007”, “yyyy-MM-dd”) results in “2007-12-25”. |
| A string resulting from applying |
| |
| The |
| String ConvertSidToString(ObjectSID) |
| |
| The specified binary SID is converted to a string. |
| A string representation of the SID. |
| |
| The |
| Byte[] ConvertStringToGuid(stringGuid) |
| |
| The string |
| A binary representation of the |
| |
| The |
| String ReplaceString(string, OldValue, NewValue) |
|
|
| All occurrences of
Example: ReplaceString(“OnenrMicrosoftnrWay”,”nr”,” “) returns “One Microsoft Way”. |
| A string with all occurrences of |
| |
| The |
| String Mid(string, pos, numChars) |
|
|
| Return Example: Mid(“Britta Simon”, 3, 5) would return “itta ”. |
| A string containing
If there are no |
Data generation functions
Data generation functions are used to generate values for specific data types.
| |
| The |
| String CRLF |
| No parameters |
| A CRLF is returned. Example: AddressLine1 + CRLF() + AddressLine2 results in:
|
| A CRLF is the output. |
Logic Functions
Logic functions are used to perform an operation based on conditions evaluated by the system.
| |
| The |
| Object IIF(condition, valueIfTrue, valueIfFalse) |
|
The following are functions available for use as expressions in the IIF function as Example: NotEquals(EmployeeType, “Contractor”) Example: LessThan(Salary, 100000) Example: GreaterThan(Salary, 100000) Example: LessThanOrEquals(Salary, 100000) Example: |
| |
| If Example: IIF(Eq(EmployeeType,”Intern”),”t-“ + Alias, Otherwise, it returns the user’s |
| The output is |
Now that you are at least a bit more familiar with working with the Default Workflows within the FIM Portal, you may wish to begin understanding Advanced Work Flows which utilize Custom Workflow Activities built with the .NET Framework.
Understanding Advanced Workflows (Coming Soon)
