Introducing Hierarchical Provisioning

Yesterday I was eating my bowl of Frosted Miniwheats (by Kellogg) for dinner and out fell a coupon for another free box of Miniwheats. “Oh hot lam!” I exclaimed to myself. I had totally not seen the offer stamped on the front of the box for a free box of Miniwheats when I had purchased the jumbo, bachelor sized box of Miniwheats at Costco last Sunday. A bowl of Miniwheats alone is enough to brighten my days, but winning another 12oz of the half-sugar, half-fiber narcotic ? Well that’s like Christmas in May. I love hidden surprises.

Much like my box of Frosted Miniwheats, FIM 2010 has a few hidden surprises of it’s own that lurk underneath the covers and are often ignored. One of these features is Hierarchical Provisioning. Much like the name would imply, Hierarchical Provisioning allows objects, and more importantly, any missing parent containers, to be provisioned into the connector spaces of LDAP MAs . Previously in MMS, MIIS, and ILM 2007, if one wanted to provision a user into a container in Active Directory, one would need to ensure that they created the container in Active Directory prior to provisioning the user with MMS/MIIS/ILM. However, with Hierarchical Provisioning, you do not need to do this anymore. With some settings configured in the Management Agent (MA), the missing container can be created automatically by the Active Directory Management Agent, and then the object provisioned within it.

The steps to configure this feature are relatively straight forward. Assume that you want to provision the following user into Active Directory: “cn=Bobby Gill, ou=Redmond, ou=Users, dc=fabrikam, dc=com”. In this case, the Redmond OU does not exist in the Active Directory domain. Before the ILM AD MA can provision this new user into the OU specified, the OU needs to be created in Active Directory. This is where Hierarchical Provisioning comes into play.

 As an ILM Admin, to enable Hierarchical Provisioning on a LDAP MA, you need to configure a mapping within the MA such that anytime upon export the MA detects that a parent of a object doesn’t exist, it knows what object to create in the connected directory for that parent. This configuration is done within the LDAP MA screens by mapping valid DN components to object classes in the connected directory. In this case, you would set up a mapping between the “OU” DN component to the object class “organizationalUnit”. Thus in the above scenario, when the MA is exporting the object to AD and realizes that the “OU=Redmond” parent is missing, it will look up the mapping for the “OU” component and first create a new organizationalUnit object named “Redmond” and then export the new user into the container.

 Steps to configure Hierarchical Provisioning:

1. Create a new instance of your favorite LDAP Management Agent. Personally, I’m a Microsoft guy, so obviously I always choose Active Directory Domain Services.
2. You’ll notice a new page on the left tab titled ‘Configure Provisioning Hierarchy’.
3. Map DN components to Object Classes. The DN Component list box lists all known valid DN components for the given directory, this is inferred by analyzing the LDAP schema of the directory. To the right is the list of available object classes in the directory, again taken from the LDAP schema.

4.)    Mappings are created by selecting a DN component in the left list box, and a object class in the right list box, and then clicking “new”. You can only create 1 mapping per DN component.

 Once setup, Hierarchical Provisioning is transparent to the actual provisioning mechanism. Thus, if you are using Synchronization Rules or even a traditional scripted Metaverse Extension, these settings will be applied to both at export time. Hierarchical Provisioning further reduces the burden on IT Pros by allowing much more flexibility in terms of provisioning decisions made in the FIM Workflows and eliminates an often tedious manual step whenever a new business unit comes online and an associated container or OU needs to be created.

The feature is available to all LDAP Management Agents and is available in the ILM "2" RC0.