Extending ILM "2" to manage and provision computer objects
One topic for ILM “2” that came up repeatedly at TechEd IT Pro North America this year was extensibility. Specifically, many customers asked how the system can be configured to manage an arbitrary resource, enabling them to apply policies to and provision any resource they care about. To demonstrate this, I included a demo in Fred Delombaerde’s extensibility breakout session where we demonstrated how ILM can be configured to manage computers. Part of this demo involved managing computer security group memberships and provisioning new computers to Active Directory.
A few people asked if we had the steps to perform that scenario documented anywhere. Since we didn’t publish a hands on lab for this, I’ve included a step by step to accomplish the scenario below.
What is the objective?
Our goal is to manage computers assets.
Steps to accomplish our goal:
1. Create a Computer object type.
2. Create objects of type Computer.
3. Add the computer objects to a security group called “All Computers”.
4. Have computers provisioned automatically to AD.
How to do it?
1. The first thing we need to do is extend the schema to support computer object types. Create a computer object type.
a. Go to https://localhost/identitymanagement/aspx/schema/Schema.aspx
b. Click on “New” and fill in the details for the new object type as below.
c. Click “Finish” and “Submit”.
d. A computer object type is created now, and we can actually now begin creating and managing computers. If additional attributes beyond those on the base Resource type are desired for computers, you can create them and bind them to the computer object type.
2. Create a new search scope “All Computers”. The search scope will enable selecting computers to add to a group later on.
a. Go to Administrative Settings > Search Scope Configuration: https://localhost/identitymanagement/aspx/customized/CustomizedObjects.aspx?type=SearchScopeConfiguration&display=Search+Scope+Configuration
b. Click on “New” and fill in the fields as below.
Click “Finish” and “Submit”
c. Go to Run->Cmd and run “iisreset”.
Syncing Computers to the Metaverse:
To provision computers to downstream systems, we must first represent them in the metaverse. Computer objects can be sync’ed to the metaverse through a combination of configuration in the portal and in the ILM MA screens within the Identity Manager. The overall steps for replicating Computer objects in the portal are:
1.) Add the Computer object type to the Synchronization Filter (such that the ILM MA can see it).
2.) Configuring the App Store <-> Metaverse object type mapping within the ILM MA that will replicate computers into the metaverse.
1. Go to the “All Resources” page.
2. Click on Page 2, and click on Synchronization Filter.
3. There will be a single Synchronization Filter object defined.
4. Add Computer to the Synchronize ObjectType Description reference attribute.
At this point, Computer objects should now be visible from the ILM MA. Return to Identity Manager and follow these steps:
1.) Click on the ILM MA, and select “Refresh Schema”
2.) You should see a new schema update being pulled back as a result of the previous action.
3.) Go to the MA properties, go to Object Types, click “Show All” and you will see the computer object type.
The next thing you need to do is configure the mapping between the object type in the app store and that in the metaverse. This is new in Beta 3, in that by creating this mapping you will automatically replicate objects from the App store into the Metaverse and vice versa.
Before we can add a mapping for the Computer object, we must first define an object type to represent it in the metaverse.
1. Go to the Metaverse Designer page in Identity Manager and select "Create Object Type" from the list of actions.
2. Specify a name for the new object type and select any attributes you want in the metaverse for this object.
3. Now go back to the ILM MA properties, go to Object Types, click “Show All” and you will see the computer object type. Select it. Note: You will need to repeat this step for the AD MA as well, so that you can define attribute flows for Computers in AD.
4. Go to "Configure Object Type Mappings" in the ILM MA properties and "Add Mapping” between the Computer object and an object type in the metaverse. (Note in beta 3, your metaverse object type has to be prefixed with ‘managed:’ in order to be visible here.)
5. Go to Attribute Flow, you will see the mapping you selected on the previous page visible here. Set up all necessary attribute flows to replicate a Computer object into the managed:Computer object type. Note if you want data to flow both ways you will need to setup flows in both directions.
In order to being provisioning computers to AD using processes in ILM, you need to first define a synchronization rule for computers, along with the provisioning process and Management Policy that triggers it.
1. Create a new synchronization rule for computers.
a. Go to https://localhost/IdentityManagement/aspx/syncrule/AllSyncRules.aspx
b. Click on “New”
c. Specify general information for the synchronization rule and indicate this is an outbound synchronization rule. If we were importing data from AD into ILM this would be an inbound synchronization rule.
d. Proceed to the Scope page, selecting the managed object type representing computers in the metaverse, your AD MA, and the computer object type on the MA as below.
e. Proceed to the Relationship page and specify the relationship criteria used to identify related computers. The example below uses DisplayName as the criteria. Select the object creation option and if desired, the relationship termination options as below.
f. Proceed to the Outbound Attribute Flow page to define the flows for this synchronization rule. For this example, we will provide the minimum flows required to provision the computer to AD: We’ll define a flow for our relationship criteria (DisplayName), and for the dn of the computer.
g. Define the flow for the DisplayName. Click on the “Click to define flow” link and specify the flow as below. Click OK when finished.
h. Define the flow for the dn attribute. Click “New Attribute Flow” and click on the “Click to define flow” link to bring up the flow definition page again.
i. Select “dn” as the “Destination” for the flow.
ii. For the flow’s “Source”, specify the value that should be used.
i. Make sure you’ve selected “Initial Flow Only” for both the flows defined above.
2. Create a new action process to add the synchronization rule to computers that should be provisioned.
a. Go to the processes page in the portal: https://localhost/IdentityManagement/aspx/process/AllProcesses.aspx
b. Click on “New”.
c. Specify some general info about the process as below. Select “Action” as the process type. Click Next to proceed to define the activity.
d. From the list of available activities, select the Synchronization Rule Activity and click “Select”.
e. Select the computer synchronization rule created previously as below, and click save.
f. Now we’re finished defining the provisioning workflow, so click Finish and submit the new process.
3. Create a new set that will contain the computer objects you want to provision.
a. Go to the sets page in the portal: https://localhost/IdentityManagement/aspx/sets/AllSets.aspx
b. Click on “New”.
c. Specify some general info about the process as below and proceed to define the Dynamic Membership of the set.
d. Select the “Enable dynamic membership in current set” option and define the set’s membership criteria. In the example below we’re creating a set of all computers, so we simply select “All computers” from the first line of the filter statement, and do not add any statements or sub conditions to further filter the membership.
e. Click Finish and submit the request to create the new set.
4. Create a new Management Policy Rule to kick off the provisioning process when a new computer is created in ILM.
a. Go to the Management Policies page in the portal: https://localhost/IdentityManagement/aspx/policy/AllPolicies.aspx
b. Click on “New”.
c. Specify some general info about the Management Policy as below and proceed to define the Operation and Users.
d. Specify the operation and users that should trigger the computer provisioning process. In the image below we’ve indicated that the operation we care about is the creation of new objects (computers), and the requestor of the operation can be anyone. Proceed to the Condition After page when finished with this page.
e. Now you must specify the set of resources whose creation should trigger our provisioning process. Here we select the set of “All computers” we defined earlier.
f. Finally we select the provisioning action process we want to run in the Policy Workflows page. Click Finish and we’re done!
Now let’s create a new computer and a security group containing it as its member and see them provisioned to AD.
1. Create instance of Computer object type “Comp0001”
a. Go to https://localhost/identitymanagement/aspx/customized/AllCustomizedObjectTypes.aspx - All Resources
Click on “Computer”
b. Click on “New”
c. Fill in as below
Click “Finish” and “Submit”
d. New object of type computer “Comp0001” is created
2. Create a Group named “All Computers”
a. Go to the Security Groups page in the portal: https://localhost/identitymanagement/aspx/Groups/CreateSecurityGroup.aspx?Previous=..%2fGroups%2fAllGroups.aspx
b. Fill in as below
Click “Next”.
Deselect “Adminstrator”
From the drop down select “All Computers”
Select “Comp0001” and click “Finish” , “Submit”.
3. Go to the created group “All Computers” @ https://localhost/identitymanagement/aspx/Groups/AllGroups.aspx
a. Click on the group “All Computers”
b. Go to members section
c. So the computer object “Comp0001” is part of “All Computers” group.
Make sure the sync script that came installed on the beta 3 vpc is running. After waiting a short while for the data to be sync’d out to AD, open the AD Users and Computers console and verify the computer was provisioned successfully.
- Nima