Lithnet ACMA: Codeless Business Rules Engine for Microsoft Forefront Identity Manager 2010 R2
Ryan Newington, ryan@lithiumblue.com
Monash University
- Has a 30-year-old FORTRAN-based provisioning system
- 600 Perl scripts
- No idea what most of them do
Planning for FIM
- We were collecting some 15 Business Requirements Specification documents
- Some very complex rules around provisioning and entitlements
- Monash University is a large organization with a complex network of partners, affiliates and owned entities across a dozen different countries
- There are about 58 identifiable cohorts of people that require different entitlements and authorization data
- 186 different email domains that we manage
- 250,000 active identities, from 4 discrete source systems
- 600,000 course information objects
- 900 org units
- 810 attribute value changes, evaluated under 3,100 different conditions
Implementing FIM
- FIM Service is slow
- DREs/EREs
- Requires code extensions
- Has references, but difficult to exploit relationships
- No OOB support for inheritance or back-linking
- Creating new objects automatically is tricky
Information Architecture
4 distinct types of activities we needed to perform with our knowledge:
1. Transfer
2. Transform
3. Create
4. Act
ACMA Fundamentals
- ECMA 2.2 MA with an SQL database backend
- Provides very basic building blocks that you can use to create almost anything
- Uses a declarative language syntax to build attributes
- Event-driven: actions are taken on objects upon export as they change
- Objects can find other objects and send events and changes to them
- Extend references to become relationships
- Key concept is constructors, which can update, delete, and add attribute values
- Execution rules trigger the constructors to run and create their values
Attribute Constructors
ACMA defines 5 types of attribute constructors:
- Declarative Value Constructor: the most commonly used constructor type; allows one to declare the value or values of an attribute
- Unique Value Constructor: identical to the DVC, but provides the ability to generate a unique attribute value
- Attribute Delete Constructor: simple, but effective; deletes all values from an attribute
- Reference Lookup Constructor: builds a reference to another object by performing a database query
- Sequential Integer Constructor: taps into the SQL 2012 'sequence' function to allow assigning incrementing or cycling values to an attribute
Rules
Constructors are executed when defined execution rules are met. There are 5 types of rules:
- Object Change Rule: evaluates if an object has been added, updated, deleted, or undeleted
- Attribute Change Rule: evaluates if an attribute has been added, updated, or deleted
- Value Comparison Rule: evaluates if an attribute has a certain value
- Attribute Presence Rule: evaluates if an attribute has a value or not
- Event Rule: determines if a particular event has been passed to the object
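The following Python model, added here as an illustration and not part of Lithnet ACMA or of the original slides, shows how the five execution rule types gate whether a constructor runs against an object at export time. The rule names are the slide's; the change-record structure, the any_of combinator and the example constructors (displayName, hasDirectReports, adminAccountName, and an Attribute Delete Constructor clearing directReports on object deletion) are assumptions made for the example.

```python
"""Minimal model of ACMA-style execution rules gating attribute constructors.

Added illustration, not Lithnet ACMA code: the five rule names come from the
slide; the change-record model, combinators and example constructors are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

OBJECT_OPS = {"add", "update", "delete", "undelete"}   # Object Change Rule vocabulary
ATTR_OPS = {"add", "update", "delete"}                  # Attribute Change Rule vocabulary


@dataclass
class ChangeRecord:
    """What the engine sees for one object during an export pass (constructed model)."""
    object_op: str                                            # add/update/delete/undelete
    attributes: Dict[str, object]                             # current values; None = absent
    attr_ops: Dict[str, str] = field(default_factory=dict)    # attribute -> add/update/delete
    events: Set[str] = field(default_factory=set)             # events sent to this object


Rule = Callable[[ChangeRecord], bool]


def object_change_rule(*ops: str) -> Rule:
    """Object Change Rule: the object itself was added/updated/deleted/undeleted."""
    assert set(ops) <= OBJECT_OPS
    return lambda r: r.object_op in ops


def attribute_change_rule(attr: str, *ops: str) -> Rule:
    """Attribute Change Rule: the named attribute was added/updated/deleted."""
    assert set(ops) <= ATTR_OPS
    return lambda r: r.attr_ops.get(attr) in ops


def value_comparison_rule(attr: str, expected: object) -> Rule:
    """Value Comparison Rule: the attribute currently holds a particular value."""
    return lambda r: r.attributes.get(attr) == expected


def attribute_presence_rule(attr: str, present: bool = True) -> Rule:
    """Attribute Presence Rule: the attribute has (or has not) any value."""
    return lambda r: (r.attributes.get(attr) is not None) == present


def event_rule(name: str) -> Rule:
    """Event Rule: a named event was passed to this object by another object."""
    return lambda r: name in r.events


def any_of(*rules: Rule) -> Rule:
    """Combinator: at least one rule holds (a constructor's own rule list is AND-ed)."""
    return lambda r: any(rule(r) for rule in rules)


@dataclass
class Constructor:
    """Runs only when every execution rule holds.

    compute returns the new value; None means 'remove all values', which is the
    Attribute Delete Constructor case."""
    target: str
    compute: Callable[[ChangeRecord], object]
    rules: List[Rule]

    def applies(self, record: ChangeRecord) -> bool:
        return all(rule(record) for rule in self.rules)


def run_constructors(record: ChangeRecord, constructors: List[Constructor]) -> Dict[str, object]:
    """Evaluate every constructor against one change record; return the attribute updates."""
    updates: Dict[str, object] = {}
    for c in constructors:
        if c.applies(record):
            updates[c.target] = c.compute(record)
    return updates


def _display_name(r: ChangeRecord) -> str:
    return " ".join(p for p in (r.attributes.get("firstName"), r.attributes.get("surname")) if p)


# Example constructors (attribute names and the event name are assumed for the illustration).
DEMO_CONSTRUCTORS = [
    # Declarative Value Constructor: rebuild displayName whenever a name part changes.
    Constructor("displayName", _display_name,
                [any_of(attribute_change_rule("firstName", "add", "update"),
                        attribute_change_rule("surname", "add", "update"))]),
    # Declarative Value Constructor: hasDirectReports follows the directReports back-link.
    Constructor("hasDirectReports", lambda r: bool(r.attributes.get("directReports")),
                [attribute_change_rule("directReports", "add", "update", "delete")]),
    # Event-driven constructor: an admin account name is built only when asked for.
    Constructor("adminAccountName", lambda r: f"{r.attributes['accountName']}-admin",
                [event_rule("createAdminAccount"), attribute_presence_rule("accountName")]),
    # Attribute Delete Constructor: clear the back-link when the object is deleted.
    Constructor("directReports", lambda r: None, [object_change_rule("delete")]),
]
```

The point of the model is that a constructor's rule list is evaluated against the change record of the exported object only; cross-object effects arrive as events or as attribute changes pushed onto that object, which is why the admin-account constructor is keyed on an event rather than on a value.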
Transforms
Transforms are used to take existing information and turn it into something new. 25 transforms supported, including:
- AD group scope to string
- AD group type to string
- Apply bitmask
- Bitmask to boolean
- Boolean to bitmask
- Concat string
- Cryptographic hash
- Data type converter
- DateTime converter
- Delimited text file lookup
- Format number
- Format string
- Get DN component
- Multivalued to single-valued
- Portal group strings to AD groupType
- Regex find and replace
- Remove diacritics
- SID to domain
- SID to string
- Simple lookup
- Substring
- Trim string
- XML file lookup
Demo Business Rules
- Each user must have a displayName made of their first name and surname
- Each user must have a unique accountName attribute (in the format fnnnXXXX or nnnnXXXX)
- Each supervisor must have a directReports attribute, built from all users that have that person listed as their supervisor
- A user with directReports must have the hasDirectReports attribute set to true
- Each user must be assigned a home folder group between 1-100, and have a home folder path generated at d:\HomeFolders\groupXXX\username
- The name of a user's department must be stored in their ouName attribute
- A user with a supervisor must have an attribute containing the supervisor's accountName
- The ability to create an admin account for a user must exist
Source Data

| First name | Surname | Supervisor        | Expiry Date | OU Number | Employee ID |
|------------|---------|-------------------|-------------|-----------|-------------|
| James      | Taylor  |                   | 2015-01-01  | 1111      | 1           |
| Don        | McLean  | Ref: James Taylor | 2015-02-01  | 2222      | 2           |
| Cat        | Stevens | Ref: James Taylor | 2015-03-01  | 3333      | 3           |
| Sting      |         | Ref: James Taylor | 2015-04-01  | 1111      | 4           |

| Name    | OU Number |
|---------|-----------|
| IT      | 1111      |
| Finance | 2222      |
| HR      | 3333      |
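To make the demo rules concrete, here is a Python walk-through, added as an illustration and not ACMA code or part of the original slides, that applies the Demo Business Rules to a constructed copy of the Source Data above. It plays the roles of the Unique Value Constructor (accountName), the Sequential Integer Constructor (home folder group), the Simple lookup transform (ouName from the OU table) and the Reference Lookup Constructor (directReports, supervisor's accountName). Assumptions: the supervisor reference is modelled as the supervisor's Employee ID; fnnnXXXX is read as first initial + first three letters of the surname + a four-digit counter, and nnnnXXXX as four letters of the first name for a person with no surname; the home folder group is a 1..100 cycling sequence and XXX in the path is that group zero-padded to three digits.

```python
"""Worked computation of the demo business rules over the slide's source data.

Added illustration, not Lithnet ACMA code. USERS is a constructed copy of the
Source Data slide; account-name layout, group cycling and path padding are
assumptions stated in the lead-in.
"""
import unicodedata
from typing import Dict, List, Optional, Set

# Constructed copy of the slide's source data (supervisor modelled as employee ID).
USERS: List[dict] = [
    {"employeeId": 1, "firstName": "James", "surname": "Taylor",  "supervisor": None, "expiry": "2015-01-01", "ouNumber": 1111},
    {"employeeId": 2, "firstName": "Don",   "surname": "McLean",  "supervisor": 1,    "expiry": "2015-02-01", "ouNumber": 2222},
    {"employeeId": 3, "firstName": "Cat",   "surname": "Stevens", "supervisor": 1,    "expiry": "2015-03-01", "ouNumber": 3333},
    {"employeeId": 4, "firstName": "Sting", "surname": None,      "supervisor": 1,    "expiry": "2015-04-01", "ouNumber": 1111},
]
OU_TABLE: Dict[int, str] = {1111: "IT", 2222: "Finance", 3333: "HR"}   # Simple lookup source


def normalise(text: Optional[str]) -> str:
    """'Remove diacritics' transform plus lower-casing; keeps ASCII letters only."""
    if not text:
        return ""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if c.isascii() and c.isalpha()).lower()


def account_stem(user: dict) -> str:
    """fnnn (initial + 3 surname letters) or nnnn (4 letters of the first name)."""
    first, sur = normalise(user["firstName"]), normalise(user["surname"])
    stem = first[:1] + sur[:3] if sur else first[:4]
    return stem.ljust(4, "x")          # pad very short names (assumption)


def unique_account_name(user: dict, taken: Set[str]) -> str:
    """Unique Value Constructor: append the lowest four-digit counter not yet in use."""
    stem = account_stem(user)
    for n in range(1, 10000):
        candidate = f"{stem}{n:04d}"
        if candidate not in taken:
            taken.add(candidate)
            return candidate
    raise RuntimeError(f"no free account name for stem {stem!r}")


def provision(users: List[dict], ou_table: Dict[int, str]) -> Dict[int, dict]:
    """Apply the demo rules to every user; returns employeeId -> constructed attributes."""
    taken: Set[str] = set()
    result: Dict[int, dict] = {}
    # Pass 1: per-object constructors that need nothing from other objects.
    for i, u in enumerate(users):
        account = unique_account_name(u, taken)
        group = (i % 100) + 1            # Sequential Integer Constructor, cycling 1..100
        result[u["employeeId"]] = {
            "displayName": " ".join(p for p in (u["firstName"], u["surname"]) if p),
            "accountName": account,
            "homeFolderGroup": group,
            "homeFolderPath": f"d:\\HomeFolders\\group{group:03d}\\{account}",
            "ouName": ou_table.get(u["ouNumber"]),   # Simple lookup transform
        }
    # Pass 2: Reference Lookup Constructors, which need every accountName to exist first.
    for u in users:
        me = result[u["employeeId"]]
        reports = sorted(result[v["employeeId"]]["accountName"]
                         for v in users if v["supervisor"] == u["employeeId"])
        me["directReports"] = reports
        me["hasDirectReports"] = bool(reports)
        sup = u["supervisor"]
        me["supervisorAccountName"] = result[sup]["accountName"] if sup is not None else None
    return result


if __name__ == "__main__":
    for emp_id, attrs in provision(USERS, OU_TABLE).items():
        print(emp_id, attrs)
```

The two-pass structure mirrors why an event-driven engine is needed: directReports and the supervisor's accountName are back-links that can only be resolved once the referenced object's own constructors have produced a value, and the uniqueness set is what keeps a second "J. Taylor" from silently colliding with the first account.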
Questions
Other features
- Undelete objects (returning users)
- Temporal events
- ACMA as a datasource/generic SQL MA