Sun Identity Manager Deployment Guide

How Active Sync-Enabled Adapters Work

This section describes:

  • Basic Steps of Adapter Processing

  • Active Sync Namespace

  • Using Rules

  • If the Adapter Does Not Find the User

Basic Steps of Adapter Processing

All Active Sync-enabled adapters follow the same basic steps when listening or polling for changes to the resource defined in Identity Manager. When the adapter detects that a resource has changed, the Active Sync-enabled adapter:

  1. Extracts the changed information from the resource.

  2. Determines which Identity Manager object is affected.

  3. Builds a map of user attributes to pass to the system, along with a reference to the adapter and a map of any additional options. Together these form an Identity Application Programming Interface (IAPI) object.

  4. Submits the IAPI object to the ActiveSync Manager.

  5. ActiveSync Manager processes the object and returns to the adapter a WavesetResult object that tells the Active Sync-enabled adapter whether the operation succeeded. This object can contain many results from the various steps that the Identity Manager system uses to update the identity. Typically, a workflow also handles errors within Identity Manager, often ending up as an Approval for a managing administrator.

Active Sync Namespace

The following table provides information about the common Identity Manager processes or tasks related to the Active Sync category.

Process or Task Running: ActiveSync IAPIUser

How it is Used:

  • Processes user-related changes on a particular resource.

  • Performs actions directly on the full User view before launching the designated workflow process.

Namespace:

Merges attributes from the ActiveSync event into the User view.

Typical attributes on the Input Form include:

  • accounts[*].*

  • waveset.*

  • accountInfo.*

  • activeSync.<LHS Attr Name>

  • activeSync.resourceName

  • activeSync.resourceId

  • activeSync.resource

  • display.session (session for Proxy Admin)

  • global.<LHS Attr Name> (if the set globals flag is set on the resource)

Process or Task Running: ActiveSync IAPIProcess

How it is Used:

  • Processes generic events on a resource by creating a Process view.

  • Top-level fields in the Process view are arbitrary inputs to the task.

  • Collects attributes related to launching the task under the global attribute.

  • Writes the workflow to retrieve inputs from under global rather than as top-level attributes.

Namespace:

Launches the specified task with the ActiveSync poll attributes placed into the top-level workflow global attribute.

Workflow attributes assume the form: global.<LHS Attr Name>

Using Rules

When the Active Sync-enabled adapter detects a change to an account on a resource, it either maps the incoming attributes to an Identity Manager user, or creates an Identity Manager user account if none can be matched and if the Active Sync resource has been configured to do so.

The Active Sync wizard allows you to specify rules to control what happens when various conditions occur. The following table describes each type of rule.

Table 3–4 Rule Types

Parameter  

Description  

Process Rule 

Either the name of a TaskDefinition, or a rule that returns the name of a TaskDefinition, to run for every record in the feed. The process rule gets the resource account attributes in the activeSync namespace, as well as the resource ID and name.

A process rule controls all functionality that occurs when the system detects any change on the resource. It is used when full control of the account processing is required. As a result, a process rule overrides all other rules. 

If a process rule is specified, the process will be run for every row regardless of any other settings on this adapter. 

At minimum, a process rule must perform the following functions: 

  • Query for a matching User view.

  • If the User exists, check out the view. If not, create the User.

  • Update or populate the view.

  • Check in the User view.

It is possible to synchronize objects other than User, such as LDAP Roles.

Correlation Rule 

If no Identity Manager user's resource info identifies that user as the owner of the resource account, Identity Manager invokes the Correlation Rule. Based on the resource account attributes (in the account namespace), the rule determines a list of potentially matching users or accountIDs, or a set of Attribute Conditions used to match the user.

The rule returns one of the following pieces of information that can be used to correlate the entry with an existing Identity Manager account: 

  • Identity Manager user name

  • WSAttributes object (used for attribute-based search)

  • List of items of type AttributeCondition or WSAttribute (AND-ed attribute-based search)

  • List of items of type String (each item is the Identity Manager ID or the user name of an Identity Manager account)

If more than one Identity Manager account can be identified by the correlation rule, you need a Confirmation Rule or Resolve Process Rule to handle the matches.

For the Database Table, Flat File, and PeopleSoft Component Active Sync adapters, the default correlation rule is inherited from the reconciliation policy on the resource.

The same correlation rule can be used for reconciliation and Active Sync. See Correlation and Confirmation Rules for more information.

Confirmation Rule 

Rule that is evaluated for every user returned by a correlation rule. For each user, the full User view of the correlated Identity Manager identity and the resource account information (placed under the "account." namespace) are passed to the confirmation rule. The confirmation rule is then expected to return a value that can be interpreted as a Boolean: for example, "true", "1", or "yes" for true, and "false", "0", or null for false.

For the Database Table, Flat File, and PeopleSoft Component Active Sync adapters, the default confirmation rule is inherited from the reconciliation policy on the resource. 

The same confirmation rule can be used for reconciliation and Active Sync. See Correlation and Confirmation Rules for more information.
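The following correlation and confirmation rule pair is an added illustration of the two contracts described above; it is not from the guide or the product. It assumes that employeeId is a queryable Identity Manager user attribute, that the feed carries employeeId and email in the account namespace, and that the User view exposes the email address as user.waveset.email.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>

  <!-- Correlation rule: receives the feed record in the account.* namespace
       and returns a list of AttributeCondition objects (an AND-ed
       attribute-based search). Attribute names are assumptions for this
       example, not values from the guide. -->
  <Rule name='Correlate by Employee ID'>
    <cond>
      <!-- Guard: an empty feed attribute must never be allowed to match
           every user, so return null (no candidates) instead of a search. -->
      <notnull><ref>account.employeeId</ref></notnull>
      <list>
        <new class='com.waveset.object.AttributeCondition'>
          <s>employeeId</s>
          <s>equals</s>
          <ref>account.employeeId</ref>
        </new>
      </list>
      <null/>
    </cond>
  </Rule>

  <!-- Confirmation rule: evaluated once per candidate user returned by the
       correlation rule. It sees the full User view as user.* and the feed
       record as account.*, and must return a Boolean-like value. The check
       on account.email keeps a null feed value from confirming a user that
       also has no email. -->
  <Rule name='Confirm by Email'>
    <cond>
      <and>
        <notnull><ref>account.email</ref></notnull>
        <eq>
          <ref>account.email</ref>
          <ref>user.waveset.email</ref>
        </eq>
      </and>
      <s>true</s>
      <s>false</s>
    </cond>
  </Rule>

</Waveset>
```

The correlation rule narrows the candidates and the confirmation rule decides per candidate, so a feed record that matches several users on employeeId is only attached to the one whose email also agrees.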

Delete Rule 

A rule that receives a map of all values with keys of the form activeSync.<attribute name> or account.<attribute name>. A LighthouseContext object (display.session) based on the proxy administrator's session is made available in the context of the rule. The rule is then expected to return a value that can be interpreted as a Boolean: for example, "true", "1", or "yes" for true, and "false", "0", or null for false.

If the rule returns true for an entry, the account deletion request will be processed through forms and workflow, depending on how the adapter is configured. 
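An added example of a Delete Rule, not from the guide, that marks a feed record for deletion only when the resource flags the account as terminated. The status attribute name and its values are assumptions constructed for this example.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>

  <!-- Delete rule: receives the feed record as activeSync.* (and, when a
       user was matched, its account attributes as account.*). It must
       return a Boolean-like value; 'true' routes the record into the
       deletion forms and workflow configured on the adapter.
       activeSync.status and the values below are assumed for this example. -->
  <Rule name='Delete When Terminated'>
    <cond>
      <and>
        <!-- A missing status must default to keeping the user, never deleting. -->
        <notnull><ref>activeSync.status</ref></notnull>
        <or>
          <eq><ref>activeSync.status</ref><s>terminated</s></eq>
          <eq><ref>activeSync.status</ref><s>T</s></eq>
        </or>
      </and>
      <s>true</s>
      <s>false</s>
    </cond>
  </Rule>

</Waveset>
```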

Resolve Process Rule 

Either the name of the TaskDefinition or a rule that returns the name of a TaskDefinition to run in case of multiple matches to a record in the feed. The Resolve Process rule gets the resource account attributes as well as the resource ID and name.

This rule is also needed if there were no matches and Create Unmatched Accounts is not selected.

This workflow could be a process that prompts an administrator for manual action. 

Create Unmatched Accounts 

If set to true, creates an account on the resource when no matching Identity Manager user is found. If false, Identity Manager does not create the account unless the process rule is set and the workflow it identifies determines that a new account is warranted. The default is true. 

Populate Global 

If set to true, populates the global namespace in addition to the activeSync namespace. The default value is false. 

If the Adapter Does Not Find the User

If Identity Manager cannot find a match with an existing Identity Manager user, it turns an update operation into a create operation if the Create Unmatched Accounts setting is true, or the Resolve Process workflow indicates a feedOp of create.

The feedOp field is available to forms that contain logic to create, delete, or update users. You can use this field to disable or enable fields that are specific to one kind of event (for example, the generation of a password when the feedOp field is set to create).

The following example uses the feedOp field to generate a password only when the Active Sync-enabled adapter detects a user on the resource that is not matched by a user in Identity Manager and therefore creates the user in Identity Manager.

Example 3–2 Example feedOp Field

<Field name='waveset.password'>
   <!-- Disable the field unless the feed operation is a create -->
   <Disable>
      <neq>
         <ref>feedOp</ref>
         <s>create</s>
      </neq>
   </Disable>
   <!-- Use the password supplied by the resource if present,
        otherwise fall back to a fixed initial value -->
   <expression>
      <cond>
         <notnull>
            <ref>activeSync.password</ref>
         </notnull>
         <ref>activeSync.password</ref>
         <s>change12345</s>
      </cond>
   </expression>
</Field>