How Active Sync-Enabled Adapters Work
This section describes:
-
Overview of the basic steps of adapter processing
-
Active Sync variable context
-
Using rules
-
Using forms
-
Launching workflow processes
Basic Steps of Adapter Processing
All Active Sync-enabled adapters follow the following basic steps when
listening or polling for changes to the resource defined in Waveset.
When the adapter detects that a resource has changed, the Active Sync-enabled
adapter:
-
Extracts the changed information from the resource.
-
Determines which Waveset object is affected.
-
Builds a map of user attributes to pass to the system, along
with a reference to the adapter and a map of any additional options, which
creates an Identity Application Programming Interface (IAPI)
object.
-
Submits the IAPI object to the ActiveSync Manager.
-
ActiveSync Manager processes the object
and returns to the adapter a WavesetResult object that
informs the Active Sync-enabled adapter if the operation succeeds. This object
can contain many results from the various steps that the Waveset system
uses to update the identity. Typically, a workflow also handles errors within Waveset,
often ending up as an Approval for a managing administrator.
Active Sync Namespace
The following table provides information about the common Waveset processes
or tasks related to the Active Sync category.
Process or Task Running
|
How it is Used
|
Namespace
|
ActiveSync IAPIUser
|
|
Merges attributes from the ActiveSync event into the User view.
Typical attributes on the Input Form include:
-
accounts[*].*
-
waveset.*
-
accountInfo.*
-
activeSync.<LHS Attr Name>
-
activeSync.resourceName
-
activeSync.resourceId
-
activeSync.resource
-
display.session (session for Proxy Admin)
-
global.<LHS Attr Name> (if set globals flag is set on resource)
|
ActiveSync IAPIProcess
|
-
Processes generic events on a resource by creating a Process
view.
-
Top-level fields in Process view are arbitrary inputs to the
task.
-
Collects attributes related to launching the task under the global attribute.
-
Writes the workflow to retrieve inputs from under global rather than as top-level attributes.
|
Launches the specified task with ActiveSync poll attributes dumped into
top-level workflow global attribute.
Workflow attributes assume the form:global.<LHS Attr Name>
|
Using Rules
When the Active Sync-enabled adapter detects a change to an account
on a resource, it either maps the incoming attributes to an Waveset user,
or creates an Waveset user account if none can be matched and if the
Active Sync resource has been configured to do so.
The Active Sync wizard allows you to specify rules to control what happens
when various conditions occur. The following table describes each type of
rule.
Table 3–4 Rule Types
Parameter
|
Description
|
Process Rule
|
Either the name of a TaskDefinition, or a rule that
returns the name of a TaskDefinition, to run for every
record in the feed. The process rule gets the resource account attributes
in the activeSync namespace, as well as the resource ID and name.
A process rule controls all functionality that occurs when the system
detects any change on the resource. It is used when full control of the account
processing is required. As a result, a process rule overrides all other rules.
If a process rule is specified, the process will be run for every row
regardless of any other settings on this adapter.
At minimum, a process rule must perform the following functions:
-
Query for a matching User view.
-
If the User exists, checkout the view. If not, create the
User.
-
Update or populate the view.
-
Checkin the User view.
It is possible to synchronize
objects other than User, such as LDAP Roles.
|
Correlation Rule
|
If no Waveset user’s resource info is determined to own
the resource account, Waveset invokes the Correlation Rule to determine
a list of potentially matching users/accountIDs or Attribute Conditions, used
to match the user, based on the resource account attributes (in the account
namespace).
The rule returns one of the following pieces of information that can
be used to correlate the entry with an existing Waveset account:
-
Waveset user name
-
WSAttributes object (used for attribute-based search)
-
List of items of type AttributeCondition or WSAttribute (AND-ed
attribute-based search)
-
List of items of type String (each item is the Waveset ID
or the user name of an Waveset account)
If more than one Waveset account
can be identified by the correlation rule, you need a confirmation rule or
resolve process rule to handle the matches.
For the Database Table,
Flat File, and PeopleSoft Component Active Sync adapters, the default correlation
rule is inherited from the reconciliation policy on the resource.
The
same correlation rule can be used for reconciliation and Active Sync. See Correlation and Confirmation Rules for more information.
|
Confirmation Rule
|
Rule that is evaluated for all users that are returned by a correlation
rule. For each user, the full User view of the correlation Waveset identity
and the resource account information (placed under the “account.” namespace) are passed to the confirmation rule. The confirmation
rule is then expected to return a value that can be expressed like a Boolean
value. For example, “true” or “1” or “yes”
and “false” or “0” or null.
For the Database Table, Flat File, and PeopleSoft Component Active Sync
adapters, the default confirmation rule is inherited from the reconciliation
policy on the resource.
The same confirmation rule can be used for reconciliation and Active
Sync. See Correlation and Confirmation Rules for more
information.
|
Delete Rule
|
A rule that can expect a map of all values with keys of the form activeSync. or account. A LighthouseContext object (display.session) based on the proxy administrator’s session is made available
to the context of the rule. The rule is then expected to return a value that
can be expressed like a Boolean value. For example, “true” or “1”
or “yes” and “false” or “0” or null.
If the rule returns true for an entry, the account deletion request
will be processed through forms and workflow, depending on how the adapter
is configured.
|
Resolve Process Rule
|
Either the name of the TaskDefinition or a rule that
returns the name of a TaskDefinition to run in case of
multiple matches to a record in the feed. The Resolve Process rule gets the
resource account attributes as well as the resource ID and name.
This rule is also needed if there were no matches and Create Unmatched Accounts is not selected.
This workflow could be a process that prompts an administrator for manual
action.
|
Create Unmatched Accounts
|
If set to true, creates an account on the resource when no matching Waveset user
is found. If false, Waveset does not create the account unless the
process rule is set and the workflow it identifies determines that a new account
is warranted. The default is true.
|
Populate Global
|
If set to true, populates the global namespace in addition to the activeSync
namespace. The default value is false.
|
If the Adapter Does Not Find the User
If Waveset cannot find a match with an existing Waveset user,
it turns an update operation into a create operation if the Create Unmatched
Accounts setting is true, or the Resolve Process workflow indicates a feedOp
of create.
The feedOp field is available to forms that contain
logic to create, delete, or update users. You can use this field to disable
or enable fields that are specific to one kind of event (for example, the
generation of a password when the feedOp field is set to
create).
This example feedOp field creates a password only
when the Active Sync-enabled adapter detects a user on the resource that is
not matched by a user in Waveset, and creates the user in Waveset.
Example 3–2 Example feedOp Field
<Field name=’waveset.password’>
<Disable>
<neq>
<ref>feedOp</ref>
<s>create</s>
</neq>
</Disable>
<expression>
<cond>
<notnull>
<ref>activeSync.password</ref>
</notnull>
<ref>activeSync.password</ref>
<s>change12345</s>
</cond>
</expression>
</Field>
|