Søren Granfeldt edited this page Mar 26, 2020 · 5 revisions

Below you can find different sample rules as inspiration for creating rules that fit your setup.

Also, under Source Code in the Sample folder, you will find many rule files that are used in real deployments; you should be able to build your own rules for your environment from these samples.

Provision user to Active Directory

This rule provisions a new user to Active Directory (the 'ad' Management Agent) if the metaverse object matches the specified conditions. Notice the initial flow for the DN, where #param:EscapedCN# is used in constructing the DN. The value in the parameter 'EscapedCN' lets you construct a DN component that the framework escapes, so that special characters (e.g. commas and slashes) are escaped properly before the DN is constructed and used with Active Directory.

    <Rule>
      <Name>provision person to ad</Name>
      <Description></Description>
      <TargetManagementAgentName xsi:type="xsd:string">ad</TargetManagementAgentName>
      <Enabled>true</Enabled>
      <SourceObject>person</SourceObject>
      <TargetObject>user</TargetObject>
      <Action>provision</Action>
      <Conditions>
        <ConditionBase xsi:type="ConditionIsPresent">
          <Description></Description>
          <MVAttribute>domainNamingContext</MVAttribute>
        </ConditionBase>
        <ConditionBase xsi:type="ConditionIsPresent">
          <Description></Description>
          <MVAttribute>adOrganizationalUnit</MVAttribute>
        </ConditionBase>
        <ConditionBase xsi:type="ConditionIsPresent">
          <Description></Description>
          <MVAttribute>displayName</MVAttribute>
        </ConditionBase>
        <ConditionBase xsi:type="ConditionIsPresent">
          <Description></Description>
          <MVAttribute>accountName</MVAttribute>
        </ConditionBase>
        <ConditionBase xsi:type="ConditionMatch">
          <Description></Description>
          <MVAttribute>employeeStatus</MVAttribute>
          <Pattern>^Active$</Pattern>
        </ConditionBase>
      </Conditions>
      <InitialFlows>
        <!-- DN: the CN component is escaped by the framework via #param:EscapedCN# -->
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
          <EscapedCN>CN=#mv:displayName#</EscapedCN>
          <Constant>#param:EscapedCN#,#mv:adOrganizationalUnit#</Constant>
          <Target>[DN]</Target>
        </AttributeFlowBase>
        <!-- initial password: sample value only, replace it before using this rule -->
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
          <Constant>Passw0rd</Constant>
          <Target>unicodePwd</Target>
        </AttributeFlowBase>
        <!-- 512 = NORMAL_ACCOUNT, i.e. an enabled account -->
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
          <Constant>512</Constant>
          <Target>userAccountControl</Target>
        </AttributeFlowBase>
        <AttributeFlowBase xsi:type="AttributeFlowAttribute">
          <UppercaseTargetValue>true</UppercaseTargetValue>
          <Source>accountName</Source>
          <Target>sAMAccountName</Target>
        </AttributeFlowBase>
      </InitialFlows>
    </Rule>
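To show why the EscapedCN parameter matters, here is an added example (not MRE's own code) that builds the DN from the initial flow above with the CN value escaped per RFC 4514, and then checks that a displayName containing a comma still yields a single CN component. How MRE escapes internally is not documented on this page, so the escaping routine, the `expand`/`build_dn`/`split_dn` helper names and the sample metaverse values are assumptions made here.

```python
"""Added example, not MRE's own code: build an AD DN from an MRE-style template,
escaping the CN value the way the EscapedCN parameter is intended to (RFC 4514
section 2.4 rules; MRE's internal escaping is assumed to be equivalent)."""
import re

# Characters that must be backslash-escaped anywhere inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an RDN attribute value so separators inside user-supplied data
    (e.g. a displayName of 'Smith, John') cannot add or alter DN components."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.endswith(" "):          # a trailing space must be escaped
        s = s[:-1] + "\\ "
    if s[:1] in ("#", " "):      # so must a leading '#' or space
        s = "\\" + s
    return s


def expand(template, mv, params=None):
    """Replace #mv:attr# with the metaverse value (blank when absent, as the page
    describes) and #param:name# with a named parameter such as EscapedCN."""
    params = params or {}

    def sub(m):
        kind, name = m.groups()
        return mv.get(name, "") if kind == "mv" else params[name]

    return re.sub(r"#(mv|param):([A-Za-z0-9]+)#", sub, template)


def build_dn(mv):
    """Mirror the sample's DN flow: EscapedCN = 'CN=#mv:displayName#' with the
    value part escaped, then Constant = '#param:EscapedCN#,#mv:adOrganizationalUnit#'.
    Assumption: only the attribute value after 'CN=' is escaped."""
    escaped_cn = "CN=" + escape_rdn_value(mv.get("displayName", ""))
    return expand("#param:EscapedCN#,#mv:adOrganizationalUnit#", mv,
                  {"EscapedCN": escaped_cn})


def split_dn(dn):
    """Split a DN on unescaped commas: a check that the CN stayed one RDN."""
    return re.split(r"(?<!\\),", dn)


if __name__ == "__main__":
    # Constructed sample metaverse object; the comma in displayName is the point.
    person = {"displayName": "Smith, John",
              "adOrganizationalUnit": "OU=Users,DC=fabrikam,DC=com"}
    dn = build_dn(person)
    print(dn, "->", len(split_dn(dn)), "components")
    naive = "CN=" + person["displayName"] + "," + person["adOrganizationalUnit"]
    print(naive, "->", len(split_dn(naive)), "components")
```

Running it shows the escaped DN keeps four components, while the unescaped string splits into five, which is the malformed DN the EscapedCN parameter exists to prevent.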

Provision person using external DLL

This sample shows a complete rules file with an Externals section that describes a separate DLL implementing provisioning code for FIM/MIM. MRE can call out to a DLL to handle specific situations that the default MRE framework cannot yet handle. By specifying an External and a rule with type 'External' you can extend the functionality of MRE. The rule below calls the Provision entry point in mvextensionlegacy.dll for all persons that have no connector to the AD management agent.

<?xml version="1.0" encoding="utf-8"?>
<RulesFile>

  <Externals>
    <External>
      <ReferenceId>LegacyProvisionCode</ReferenceId>
      <Type>Provision</Type>
      <Filename>mvextensionlegacy.dll</Filename>
    </External>
  </Externals>

  <Rules>
    <Rule>
      <Name>Test Code</Name>
      <Action>Provision</Action>
      <Type>External</Type>
      <ExternalReferenceId>LegacyProvisionCode</ExternalReferenceId>
      <TargetManagementAgentName>ad</TargetManagementAgentName>
      <Enabled>true</Enabled>
      <SourceObject>person</SourceObject>
      <TargetObject>user</TargetObject>
    </Rule>
  </Rules>
</RulesFile>

Provision contact to Active Directory

This rule provisions a new contact to Active Directory (the ADContacts Management Agent) if the metaverse object is connected to HR. There is only one initial flow, which populates the DN with a fixed OU location and a variable CN taken from the metaverse attribute 'uid'.

<Rule>
  <Name>Provision contact in AD</Name>
  <Description></Description>
  <TargetManagementAgentName>ADContacts</TargetManagementAgentName>
  <Enabled>true</Enabled>
  <SourceObject>contact</SourceObject>
  <TargetObject>contact</TargetObject>
  <Action>provision</Action>
  <RenameDnFlow>
  </RenameDnFlow>
  <Conditions>
    <ConditionBase xsi:type="ConditionIsPresent">
      <Description>Only if contact has uid</Description>
      <MVAttribute>uid</MVAttribute>
    </ConditionBase>
    <ConditionBase xsi:type="ConditionConnectedTo">
      <ManagementAgentName>HR</ManagementAgentName>
    </ConditionBase>
  </Conditions>
  <InitialFlows>
    <AttributeFlowBase xsi:type="AttributeFlowConstant">
      <Constant>CN=#mv:uid#,OU=Contacts,DC=fabrikam,DC=com</Constant>
      <Target>[DN]</Target>
    </AttributeFlowBase>
  </InitialFlows>
</Rule>

Deprovision contact from Active Directory

This rule deprovisions a contact from Active Directory if the metaverse object is no longer connected to (or present in) HR.

<Rule>
  <Name>Deprovision contact in AD</Name>
  <Description></Description>
  <TargetManagementAgentName>ADContacts</TargetManagementAgentName>
  <Enabled>true</Enabled>
  <SourceObject>contact</SourceObject>
  <TargetObject>contact</TargetObject>
  <Action>deprovision</Action>
  <RenameDnFlow>
  </RenameDnFlow>
  <Conditions>
    <ConditionBase xsi:type="ConditionNotConnectedTo">
      <ManagementAgentName>HR</ManagementAgentName>
    </ConditionBase>
  </Conditions>
  <InitialFlows>
  </InitialFlows>
</Rule>

Provision user to SYSX

Below is a sample rule that provisions a user to the SYSX system if the metaverse attribute isSYSXUser has the value 'Y'. The DN of the new user is set to a new GUID, the attribute userType is set to the text 'Primary' and the attribute userCategory is set to the text 'Employee':

<Rule>
  <Name>Provision Person ==> SYSX</Name>
  <Description></Description>
  <TargetManagementAgentName>SYSX</TargetManagementAgentName>
  <Enabled>true</Enabled>
  <SourceObject>person</SourceObject>
  <TargetObject>user</TargetObject>
  <Action>provision</Action>
  <RenameDnFlow>
    <Source>accountname</Source>
    <Target>SYSUSRNAME</Target>
    <ReprovisionOnRename>true</ReprovisionOnRename>
  </RenameDnFlow>
  <Conditions>
    <ConditionBase xsi:type="ConditionMatch">
      <Description>Check if isSYSXUser is Y</Description>
      <MVAttribute>isSYSXUser</MVAttribute>
      <Pattern>^Y$</Pattern>
    </ConditionBase>
  </Conditions>
  <InitialFlows>
    <AttributeFlowBase xsi:type="AttributeFlowGuid">
      <Target>[DN]</Target>
    </AttributeFlowBase>
    <AttributeFlowBase xsi:type="AttributeFlowConstant">
      <Constant>Primary</Constant>
      <Target>userType</Target>
    </AttributeFlowBase>
    <AttributeFlowBase xsi:type="AttributeFlowConstant">
      <Constant>Employee</Constant>
      <Target>userCategory</Target>
    </AttributeFlowBase>
  </InitialFlows>
</Rule>

Rename user in Active Directory

Below is a sample rule that renames a user (changes its DN) in the AD Management Agent if the metaverse object has an accountname, a displayname and an employee status of 'ACTIVE'.

Notice: study the notation for the value of NewDNValue, 'CN=#mv:displayName# (#mv:accountName#),#mv:adOU#'. The text #mv:attribute# is replaced with the value of the named metaverse attribute, or with blank if the value is not present:

<Rule>
  <Name>rename active user with adou</Name>
  <Description></Description>
  <TargetManagementAgentName>ad</TargetManagementAgentName>
  <Enabled>true</Enabled>
  <SourceObject>person</SourceObject>
  <TargetObject>user</TargetObject>
  <Action>rename</Action>
  <ConditionalRename>
    <NewDNValue>CN=#mv:displayName# (#mv:accountName#),#mv:adOU#</NewDNValue>
    <DNAttribute>[DN]</DNAttribute>
    <Conditions>
      <ConditionBase xsi:type="ConditionIsPresent">
        <Description>accountName must be present</Description>
        <MVAttribute>accountName</MVAttribute>
      </ConditionBase>
      <ConditionBase xsi:type="ConditionIsPresent">
        <Description>adOU must be present</Description>
        <MVAttribute>adOU</MVAttribute>
      </ConditionBase>
      <ConditionBase xsi:type="ConditionMatch">
        <Description>employeeStatus is ACTIVE</Description>
        <MVAttribute>employeeStatus</MVAttribute>
        <Pattern>^ACTIVE$</Pattern>
      </ConditionBase>
    </Conditions>
  </ConditionalRename>
</Rule>
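The following added example (not MRE's own code) works through the condition types used on this page, the ConditionIsPresent, ConditionMatch, ConditionConnectedTo and ConditionNotConnectedTo conditions from the rename, contact and SYSX rules, by parsing rule XML modelled on those samples and evaluating it against in-memory metaverse objects, then rendering NewDNValue with the #mv:# substitution described above. The condition semantics are my reading of the samples, not a reference implementation; the rules are constructed here with an added xmlns:xsi declaration (the page's snippets omit it) so that they parse stand-alone, and the helper names and sample values are assumptions.

```python
"""Added example, not MRE's own code: evaluate the Conditions of MRE-style rules
against metaverse objects and render NewDNValue. Semantics are an assumption
based on the samples on this page."""
import re
import xml.etree.ElementTree as ET

# ElementTree keys namespaced attributes in Clark notation, so xsi:type is read as:
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed rule modelled on the rename sample, plus a ConnectedTo condition.
RENAME_XML = """<Rule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Name>rename active user with adou</Name>
  <Action>rename</Action>
  <ConditionalRename>
    <NewDNValue>CN=#mv:displayName# (#mv:accountName#),#mv:adOU#</NewDNValue>
    <DNAttribute>[DN]</DNAttribute>
    <Conditions>
      <ConditionBase xsi:type="ConditionIsPresent"><MVAttribute>accountName</MVAttribute></ConditionBase>
      <ConditionBase xsi:type="ConditionIsPresent"><MVAttribute>adOU</MVAttribute></ConditionBase>
      <ConditionBase xsi:type="ConditionMatch"><MVAttribute>employeeStatus</MVAttribute><Pattern>^ACTIVE$</Pattern></ConditionBase>
      <ConditionBase xsi:type="ConditionConnectedTo"><ManagementAgentName>HR</ManagementAgentName></ConditionBase>
    </Conditions>
  </ConditionalRename>
</Rule>"""

# Constructed rule modelled on the contact deprovision sample.
DEPROVISION_XML = """<Rule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Name>Deprovision contact in AD</Name>
  <Action>deprovision</Action>
  <Conditions>
    <ConditionBase xsi:type="ConditionNotConnectedTo"><ManagementAgentName>HR</ManagementAgentName></ConditionBase>
  </Conditions>
</Rule>"""


def _text(elem, tag):
    child = elem.find(tag)
    return child.text if child is not None and child.text is not None else ""


def condition_holds(cond, mv, connectors):
    """mv: metaverse attribute -> value; connectors: set of MA names the object
    is currently joined to."""
    kind = cond.get(XSI_TYPE)
    if kind == "ConditionIsPresent":
        return bool(mv.get(_text(cond, "MVAttribute")))
    if kind == "ConditionMatch":
        # The page's patterns are anchored (^...$) and, as ordinary regexes,
        # case-sensitive: 'Active' does not satisfy '^ACTIVE$'.
        value = mv.get(_text(cond, "MVAttribute"), "")
        return re.search(_text(cond, "Pattern"), value) is not None
    if kind == "ConditionConnectedTo":
        return _text(cond, "ManagementAgentName") in connectors
    if kind == "ConditionNotConnectedTo":
        return _text(cond, "ManagementAgentName") not in connectors
    raise ValueError("unknown condition type: %r" % kind)


def _conditions(rule):
    # Conditions live under ConditionalRename for rename rules, else on the rule.
    # Note: an Element with no children is falsy, so test 'is None' explicitly.
    conds = rule.find("ConditionalRename/Conditions")
    if conds is None:
        conds = rule.find("Conditions")
    return [] if conds is None else conds.findall("ConditionBase")


def rule_applies(rule_xml, mv, connectors):
    """True when every condition of the rule holds for this object."""
    rule = ET.fromstring(rule_xml)
    return all(condition_holds(c, mv, connectors) for c in _conditions(rule))


def evaluate_rename(rule_xml, mv, connectors):
    """Return the rendered NewDNValue if the rule applies, else None."""
    if not rule_applies(rule_xml, mv, connectors):
        return None
    template = _text(ET.fromstring(rule_xml).find("ConditionalRename"), "NewDNValue")
    # #mv:attr# becomes the attribute value, or blank when absent (as the page states).
    return re.sub(r"#mv:([A-Za-z0-9]+)#", lambda m: mv.get(m.group(1), ""), template)


if __name__ == "__main__":
    # Constructed sample metaverse object.
    person = {"displayName": "John Smith", "accountName": "jsmith",
              "adOU": "OU=Users,DC=fabrikam,DC=com", "employeeStatus": "ACTIVE"}
    print(evaluate_rename(RENAME_XML, person, {"HR"}))
    print(evaluate_rename(RENAME_XML, dict(person, employeeStatus="Active"), {"HR"}))
    print(rule_applies(DEPROVISION_XML, {}, set()))
```

Two things worth checking in your own rules fall out of running this: a pattern such as `^ACTIVE$` does not fire for a value of `Active` (this page uses both spellings in different samples), and because an absent attribute substitutes as blank, a missing displayName produces `CN= (jsmith),...`, so attributes used in NewDNValue should normally also be covered by a ConditionIsPresent.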

Provision user to LDAP with additional object classes

The following sample rule provisions a user to LDAP as an inetOrgPerson, but also adds the customPerson and customMail object classes.

<Rule>
  <Name>Provision Person ==> LDAP</Name>
  <Description></Description>
  <TargetManagementAgentName>LDAP</TargetManagementAgentName>
  <Enabled>true</Enabled>
  <SourceObject>person</SourceObject>
  <TargetObject>inetOrgPerson</TargetObject>
  <TargetObjectAdditionalClasses>customPerson,customMail</TargetObjectAdditionalClasses>
  <Action>provision</Action>
  <Conditions>
    <ConditionBase xsi:type="ConditionMatch">
      <Description>Check if LDAP user is Y</Description>
      <MVAttribute>isLdapUser</MVAttribute>
      <Pattern>^Y$</Pattern>
    </ConditionBase>
  </Conditions>
  <InitialFlows/>
</Rule>

If the additional object classes are stored in a metaverse attribute, you can use the following syntax (where additionalObjectClasses is the name of your metaverse attribute):

<Rule>
  <Name>Provision Person ==> LDAP</Name>
  <Description></Description>
  <TargetManagementAgentName>LDAP</TargetManagementAgentName>
  <Enabled>true</Enabled>
  <SourceObject>person</SourceObject>
  <TargetObject>inetOrgPerson</TargetObject>
  <TargetObjectAdditionalClasses>#mv:additionalObjectClasses#</TargetObjectAdditionalClasses>
  <Action>provision</Action>
  <Conditions>
    <ConditionBase xsi:type="ConditionMatch">
      <Description>Check if LDAP user is Y</Description>
      <MVAttribute>isLdapUser</MVAttribute>
      <Pattern>^Y$</Pattern>
    </ConditionBase>
  </Conditions>
  <InitialFlows/>
</Rule>