Finding Managers in FIM 2010

When working with FIM 2010 we often use Reference attributes like the Manager attribute. But in FIM we cannot create a corresponding Set with all referenced Managers. The xPath query simply doesn’t allow this kind of referenced object lookup.

So what if I would like a Set or a Group containing all Managers! How do we solve that problem?

In this post I will show you one way of doing this, but please remember that there are many variations of this you could use.

Add IsManager to Schema

First we add a new boolean attribute “IsManager” to the schema in FIM. Depending on how you plan to use this you might need to add it to both the FIM Service and the FIM Synchronization Service schema.
This step I hope you all know involves creating a binding as well as adding the new attribute to the Filter Permissions.
You will also need to add it to some MPR’s to allow the management of this new attribute.
Ones we have this new boolean attribute creating a Set and/or a Group is now reduced to look at this boolean value.

Manage the IsManager flag

The problem is now to have some kind of activity that sets the IsManager attribute to “true” when a manager is configured on a user.
This can be done using a PowerShell WorkFlow activity. I show you a solution working with the PowerShell Workflow Activity you can download from codeplex.. The PowerShell I use in the activity can be downloaded UpdateIsManager.

PowerShell Activity

Let’s look at the PowerShell script I use to understand what it does and how it works.

First we set the basics like URI and load the FIMAutomation snapin.

set-variable -name URI -value "http://localhost:5725/resourcemanagementservice' " -option constant
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

We then get the object that has been changed. Note that I use the “/*” in the xPath since I get the object based on ObjectID I cannot get duplicates and don’t need to specify the object type.

$exportObject = export-fimconfig -uri $URI -onlyBaseResources -customconfig ("/*[ObjectID='{0}']" -F $fimwf.TargetID.Guid)

From the modified user we read the Manager attribute to get the “target” for our change.

$target = $exportObject.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "Manager"}

We then build the importChange to set the IsManager attribute to true.

$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$importChange.Operation = 1
$importChange.AttributeName = "IsManager"
$importChange.AttributeValue = $true
$importChange.FullyResolved = 1
$importChange.Locale = "Invariant"

Finally we import the change on the target user

$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$importObject.ObjectType = "Person"
$importObject.TargetObjectIdentifier = $target.Value
$importObject.SourceObjectIdentifier = $target.Value
$importObject.State = 1 
$importObject.Changes = (,$importChange)
$importObject | Import-FIMConfig -uri $URI

If you apply this logic to a MultiValue reference attribute the script needs to be extended with a loop like the one below to apply the change to all referenced objects.

ForEach($value in $target.Values)

The importObject’s ObjectIdentifier would than just be $value within the loop.

The MPR

The MPR to trigger this Workflow is just a simple Request MPR that fires whenever someone changes the Manager attribute on any user.

What about deletes?

As you can see this solution will only make sure that the IsManager is set to true for all referenced managers. But it will not set it to “false” if they are no longer referenced. The problem is that if you were to detect the deletion of a manager you cannot set it to false since it might be referenced on other users. Doing that lookup, to verify this was the “last” reference, is quite costly from a resource perspective and I don’t think it’s a good idea to do it as part of the WorkFlow activity.

I think that a good approach to set the IsManager to “false” is to have a maintenance job running a PowerShell that verifies that all IsManager=”true” indeed still are referenced. That PowerShell will however have to wait for another post, another time.

Summary

Adding small boolean flags to the schema makes filters in Set’s, Group’s and Synchronization Rules very easy to implement. Using a PowerShell Workflow Activity is often the easiest and quickest way of solving workflow needs to make sure these boolean flags are kept up-to-date in FIM 2010.

Leave a Reply

Your email address will not be published. Required fields are marked *