Active Sync-enabled adapters typically use two types of forms during processing: a resource form and a user form.
Form processing occurs in three steps:
Active Sync fields are filled in with attribute and resource information. Use the activeSync namespace to retrieve and set attributes on the resource.
The resource form is expanded and derived. During this expansion, all user view attributes are available.
The user form is expanded and derived.
The $WSHOME/sample/forms directory provides sample forms that end with ActiveSyncForm.xml. They include logic for handling the cases of new and existing users, as well as logic for disabling or deleting the Identity Manager user when a deletion is detected on the resource.
Identity Manager uses two forms when processing ActiveSync user events:
Proxy Admin form. Identity Manager processes this form during both the User view creation and check in.
ActiveSync form. Identity Manager processes this form after the initial creation of the User view and after processing the Proxy Admin form. Best practice suggests assigning an empty form to the Proxy Admin so that the appropriate form logic is applied to ActiveSync events and potential problems created by the default Tabbed User form are avoided.
The resource form is the form that the administrator selects from a pull-down menu when the resource is created or edited. A reference to a selected form is stored in the resource object.
Resource forms are used with Active Sync-enabled adapters in the following ways:
Translate incoming attributes from the schema map.
Generate fields such as password, role, and organization.
Provide simple control logic for custom processing, including logic for handling the cases of new and existing users, as well as logic for disabling or deleting the Identity Manager user when a deletion has been detected.
Copy and optionally transform attributes from activeSync to fields that the user form takes as inputs. The required fields for a creation operation are waveset.accountId and waveset.password. Other fields can be set, too (for example, accounts[AD].email or waveset.resources).
Cancel the processing of the user by setting IAPI.cancel to true. This is often used to ignore updates to certain users.
The following example shows a simple field that will ignore all users with the last name Doe.
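A field of this kind, written here as an added example rather than taken from the original documentation; it also shows the required waveset.accountId field being copied on create events only. It assumes the schema map exposes attributes named lastName and accountId (so they appear as activeSync.lastName and activeSync.accountId), and the form name is hypothetical.

```xml
<!-- Added example. The form name and the activeSync.* attribute names
     are assumptions; use the names defined in your schema map. -->
<Form name='Example ActiveSync Resource Form'>

  <!-- Ignore every user whose last name is Doe.
       The field is disabled (skipped) unless the last name matches,
       so IAPI.cancel is set to true only for the users to be ignored. -->
  <Field name='IAPI.cancel'>
    <Disable>
      <neq>
        <ref>activeSync.lastName</ref>
        <s>Doe</s>
      </neq>
    </Disable>
    <Expansion>
      <s>true</s>
    </Expansion>
  </Field>

  <!-- Required for a creation operation: copy the incoming account ID.
       feedOp restricts the field to create events, so updates and
       deletes never overwrite the existing account ID. -->
  <Field name='waveset.accountId'>
    <Disable>
      <neq>
        <ref>feedOp</ref>
        <s>create</s>
      </neq>
    </Disable>
    <Expansion>
      <ref>activeSync.accountId</ref>
    </Expansion>
  </Field>

</Form>
```

Because a cancelled event is silently dropped, keep the cancel condition as narrow as possible and test it against sample feed data before deploying the form.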
Resource forms include logic for handling the cases of new and existing users, as well as logic for disabling or deleting the Identity Manager user when a deletion has been detected.
The user form is used for editing from the Identity Manager interface. You assign it by assigning a proxy administrator to the adapter. If a User form is associated with the proxy administrator, this form is applied to the User view at processing time.
You set a proxy administrator for an adapter through the ProxyAdministrator attribute, which you can set to any Identity Manager administrator. All Active Sync-enabled adapter operations are performed as though the Proxy Administrator were performing them. If no proxy administrator is assigned, the default user form is used.
Best practice suggests keeping common changes, such as deriving a full name from the first and last name, in the User form. The resource form should contain resource-specific changes, such as disabling the user when their HR status changes. Alternatively, you can place these changes in an included form after the desired attributes are placed in a common path, such as incoming.
An overview of ActiveSync form processing includes the following phases:
You create the view using the Proxy Admin form. Avoid letting the MissingFields FieldRef populate global attributes from the Proxy Admin form by assigning an empty form to the Administrator.
Before the ActiveSync form is processed, Identity Manager adds the specific ActiveSync view attributes to the view.
Identity Manager processes the Input form or the Parameterized ActiveSync form. During this form processing step, resources, roles, and the organization are usually specified along with associated resource account attributes. The feedOp flag is used to disable or enable fields based on the type of event, and the IAPI.cancel attribute might be set to ignore specific events. You might also decide to use the viewOptions.process flag to specify a custom provisioning task to process the ActiveSync events.
Identity Manager checks in the view and processes the Proxy Admin form.