Mark Gabarra's Blog

I promised a week of surprises and I have one final surprise for all of you.  It is with a very heavy heart that I say farewell to Microsoft.  Twelve years ago Microsoft hired me right out of college and it has been an amazing ride ever since.  My days in test helping to ship such components as OLE Automation and CLR 1.0 and 1.1.  My transition to dev to help build and ship Windows Communication Foundation 3.0 and Microsoft Identity Lifecycle Manager "2".  It has been one crazy rollercoaster.

However, recently I have been on an even crazier rollercoaster with my daughter.  This has often led to making decisions between spending time on work or time with my daughter.  Over the next year or two my daughter will be entering a very important developmental window where we will be working towards preparing her for school.  During this time a very focused effort on her can have an incredible positive impact on her life long term.

That being the case, I have decided to step away from Microsoft and devote myself full-time to my daughter during this very precious, and limited, developmental window of her life.  I step away from the role of Software Design Engineer to take on a variety of roles that are best summed up as Stay-At-Home Dad.

It has truly been a pleasure working with all everyone over the past twelve years.  I know it sounds like cheerleading to talk about how we have changed the world with our software, but I honestly believe that we can make that claim.  The CLR changed how software was written with the introduction of managed code and made it easier to write complex software.  The WCF provided a mechanism to abstract the communication layer of distributed applications in a similar manner to how the data and UI layers are separated (again making it easier to write distributed applications).  ILM "2" will change the way that identity management is done within the enterprise and has the potential to change the way identity aware applications are written.

My last day was today (Friday, November 7).  For those of you following the development of ILM "2", especially the integration with Windows Workflow Foundation, fear not.  I leave you in good hands.  Assuming that I still have access to post here I will be providing a pointer to my replacement's blog as soon as it is available.  Until then there is always Bobby and Nima's Blog.  (Had to get one last shot in you two! :) )  Thank you again for all the support and great questions that kept me posting.  Good luck with all of you endeavors and I hope to hear great things of how ILM "2", and its integration with WF, is being used to solve amazing problems!

I have tried in a few of my posts regarding the Microsoft Identity Lifecycle Manager "2" request processing model to emphasize that the Action phase can be used for a wide range of activities.  ILM2 will ship with some activities to be used inside this phase of processing that may provide insight into its flexibility.  I anticipate that one common use for this phase within enterprises will be to update the target of a request with additional, calculated data.  To help out developers interested in this scenario, I am making available a 20 minute video where I walk you through writing a custom activity to be used in the Action phase to calculate a dynamic DisplayName for a request's target resource and update that resource with the new DisplayName value.

In what I call the DisplayNameGeneratorActivity, I have created an activity that allows administrators to configure ILM2 workflow definitions to define a resource's DisplayName attribute format using the lookup grammar available within ILM2 email templates.  The activity will resolve that grammar according to a request and then update the target resource's DisplayName attribute with the result of that resolution.  This allows for enterprises to define policy around a resource's DisplayName.  For example, using this approach an enterprise can enforce that all Person resources managed in ILM2 will have their DisplayName attribute set to "LastName, FirstName (AccountName)".

Just as with the DisplayNameValidatorActivity walk through, after implementing the actual activity code, I continue to walk you through writing the code required to expose this activity through the ILM2 portal's workflow designer.  I then walk you through the actual deployment of this new activity to an ILM2 web service.  Finally, I use the ILM2 web portal to create a workflow definition including my new activity, connect it to an ManagementPolicyRule, and trigger the execution of the workflow - showing how this activity overwrites an end user's requested DisplayName with the one defined by this policy.

The concepts used in this activity will allow developers to understand how to create custom activities to be used within an ILM2 deployment for calculating dynamic attribute values for specific resources and then updating those resources within the Action phase when resources are either created or updated.  As always, enjoy...

Video Length : ~20 minutes

I have tried in a few of my posts regarding the Microsoft Identity Lifecycle Manager "2" request processing model to emphasize that the Authorization (AuthZ) phase can be used for more than just seeking another person's approval for a specific request.  ILM2 will ship with some additional validation activities to be used inside this phase of processing; however, I anticipate that enterprises may want to write their own custom validation logic.  To help out I am making available a 40 minute video where I walk you through writing a custom activity to be used in the AuthZ phase to perform additional validation on a resource's DisplayName attribute before allowing the request to be processed.

In what I call the DisplayNameValidatorActivity, I have created an activity that allows administrators to configure ILM2 workflow definitions to check the DisplayName attribute for the presence of a list of illegal words.  Both the set of illegal words and the delimiters used to define a word are configurable to allow the behavior of the activity to grow without requiring recompiling and deployment.

After implementing the actual activity code, I continue to walk you through writing the code required to expose this activity through the ILM2 portal's workflow designer.  I then walk you through the actual deployment of this new activity to an ILM2 web service.  Finally, I use the ILM2 web portal to create a workflow definition including my new activity, connect it to an ManagementPolicyRule, and trigger the execution of the workflow - showing both a case where the activity denies the request and a case where the activity allows the request.

The concepts used in this activity will allow developers to understand how to create custom activities to be used within an ILM2 deployment for doing complex inspection of a request's content to determine whether or not that request should be allowed.  As always, enjoy...

Video Length : ~40 minutes

The first step in getting started writing custom Windows Workflow Foundation activities for use in Microsoft Identity Lifecycle Manager "2" is to get your environment ready.  There are a number of ways to do this and a developers environment can be a very personal thing.  However, in an attempt to help out those of you getting started with custom activity development I am making available a 6 minute video capture of how I setup my Visual Studio for ILM2 activity development.  Hopefully this will help you better follow along subsequent posts where I actually walk you through activity development.

Enjoy.

Video Length : ~6 minutes

Ok, so I was sitting around my house one weekend trying to determine how best to continue my dive into the Microsoft Identity Lifecycle Manager "2" request processing model.  A few of you had asked for diagrams and some more conceptual information.  The potential length of such a narrative actually gave me pause to start the required post.  Then a flash of brilliance so amazing that I nearly fell out of my chair (ok, I actually asked my wife for some advice :)).  The result of which is an experiment on how to share more complex information regarding ILM2 to all of you.  Attached you will find a 20 minute presentation in WMV format.  I am hoping that you will excuse the production quality of this first attempt at such a format; however, I am hoping to continue with additional presentations including various screen capture walk through of creating custom ILM2 activities.

I look forward to hearing comments from all of you as to if this is a favorable method of passing information through my blog.

Video Length : ~20 minutes

I know it has been awhile since I posted anything, and I apologize for not keeping up with my blog.  I am sure you have learned that we have shipped Microsoft Identity Lifecycle Manager "2" RC.  This is part of what has been taking up my time lately.  I will be posting more frequently this week than I have in the past.  I am looking forward to hearing comments about some of the upcoming posts as they become available.  For now, I am going to step aside and share with you a more formal announcement of the ILM2 RC release from Lori Craw, our Group Product Manager:

I’m Lori Craw, group product manager covering identity and security at Microsoft. Today I am pleased to announce the exciting news that the Identity Lifecycle Manager “2” Release Candidate (RC) is now available.

ILM “2” builds on our Identity Lifecycle Manager 2007 investments, and includes solutions that will help IT more efficiently and effectively automate identity policies for users and their associated credentials and entitlements. An important set of features in this release focus on self-service for end users, enabling them to manage some of their own information like their passwords and groups, using self-service tools built into Office. The IT pro tools, combined with end-user self-service in Office and developer experiences using .NET and Visual Studio add up to a very powerful combination.

We’ve received great feedback on these features from our beta and TAP customers so far. We also have seen some great momentum with core partners, including Quest, Omada, and Unisys.

So what’s new in the RC, you ask? Some of the top new additions to the RC include:

- Support for scale out of the ILM "2" middle tier database and portal on separate servers, and support for multiple portal servers
- Added support for managing groups across multiple Active Directory forests
- Improvements in the request and notification emails, including customizable notification emails and request details baked into the out-of-box request emails
- Support for third-party certificate authorities (CAs)
- Performance and stability improvements
- Localization support for German and Japanese

I’d like to invite you to learn more about ILM “2” and to try out the RC for yourself by visiting www.microsoft.com/ilm2.

Regards,
Lori Craw
Group Product Manager
Microsoft Identity and Security

Another week of heads down coding and bug fixing for the latest Microsoft Identity Lifecycle Manager "2" product milestone, and another week with trouble finding time to produce a new blog post.  This week I would like to thank Brad, Paul, and the folks at Ensynch for providing me another easy post.  :)  Ensynch has just published a wonderful white paper on how to write custom Windows Workflow Foundation activities for the ILM2 product, they even made their Visual Studio project public as well.  They provided me with an early read and I believe my comments were , and I quote, "This is awesome!"  This is a great explanation on the ILM2 WF extensibility point.  Given that it did not come from me, it may be more beneficial than anything I could have produced.  Their custom activity library includes some great diagnostic activities that can be used in testing any custom solution.

Without further ado you can find the white paper in the side bar of Ensynch's Identity & Access Management Practice Area.  Or for those who want direct links:

Identity and Access Management Operations Guide - ILM 2 Workflow Activity Walkthrough

Walkthrough Project Files

I have been heads down writing code and fixing bugs for the latest Microsoft Identity Lifecycle Manager "2" product milestone.  Unfortunately, that has made it difficult to find time to produce additional blog topics for all of you.  However, someone out there has come to my rescue.  I was recently made aware of a series of TechNet webcasts called MCS Talks Infrastructure Architecture (http://blogs.technet.com/mcstalks).  These talks are being held in the United Kingdom and their next session is on Identity and Access Management.  It is taking place in two weeks from this posting.  On the off chance that some of you may be interested in attending, here is a link for more information (including registration):

News and Updates from the UK MCS Talks Team : Session 5 Details: Registration Now Available

In recently helping a Microsoft Identity Lifecycle Manager 2007 solutions expert solve a problem for their customer within the Microsoft Identity Lifecycle Manager "2" Beta 3 release.  He had already defined his scenario within the Microsoft Identity Lifecycle Manager "2" request processing model and had run into some issues with the Out-Of-Box (OOB) workflow activities.  Unfortunately, his scenario was outside the ability of the OOB support and required writing a custom activity, which I walked him through doing.  In his thank you for my assistance he included the following remark:  "I’m starting to see that ILM 2007 consultants are going to need to be very deep in WF if they want be able to exploit ILM 2 to its full potential."

While I completely agree with his assessment, it got me thinking about what advice I have for those of you out there that have a strong knowledge of the Microsoft Identity Lifecycle Manager 2007 product to assist your transition to the Microsoft Identity Lifecycle Manager "2" product.  To that point I will take yet another pause from peeling back the onion of the Microsoft Identity Lifecycle Manager "2" request processing model and focus today's blog posting on that advice.

Let me start by assuring those out there who have spent (or are about to spend) the time to understand the Microsoft Identity Lifecycle Manager 2007 product that you have not wasted your time.  The components that made up that product are still an integral part of the Microsoft Identity Lifecycle Manager "2" product.  The Synchronization Engine and Certificate Lifecycle Manager will continue to be the focal points of a number of solutions for enterprises and those solutions will look very similar to solutions built on top of Microsoft Identity Lifecycle Manager 2007.  With the release of Microsoft Identity Lifecycle Manager "2" there will be new functionality in the form of the web services platform I have been writing about up until now.  These new web services will provide additional extensibility and is where I would recommend solutions experts focusing their time.

When thinking about educating yourself about the new Microsoft Identity Lifecycle Manager "2" web services platform as a transition from Microsoft Identity Lifecycle Manager 2007 to Microsoft Identity Lifecycle Manager "2", I like to break it into three pieces:  conceptual processing model, Windows Workflow Foundation integration, and Windows Communication Foundation integration.  I would also recommend exploring these areas in that order.  The Windows Workflow Foundation and Windows Communication Foundation integration will help with implementing custom solutions using those extensibility points; however, it does not make sense to start writing custom code until you understand the concepts behind how that code will affect the processing model of the Microsoft Identity Lifecycle Manager "2" product.  Once you do understand the request processing model at a conceptual level it is most likely that your first scenario that requires custom code will involve the Windows Workflow Foundation extensibility rather than the Windows Communication Foundation extensibility.

How do you educate yourself about the Microsoft Identity Lifecycle Manager "2" request processing model?  Personally, I recommend a certain MSDN blog that is focused on this specific topic.  :)  Honestly, this is the exact purpose I am trying to fill with this blog at the moment.  Beyond my blog I would also recommend Bobby and Nima's ILM Blog (these two generally focus on actually walk you through specific scenarios rather than conceptual discussions), and the other online references in my ILM References section in the side bar of my blog.  Bobby and Nima's ILM Blog is currently the best resource for describing the Codeless Provisioning feature of Microsoft Identity Lifecycle Manager "2".  (Essentially, how to configure the Synchronization Engine without writing a single line of code.)  Hopefully more resources will become available as time goes on.

After you have gained an understanding of the Microsoft Identity Lifecycle Manager "2" request processing model I would point you towards learning how to customize the OOB web portal.  The portal that ships with Microsoft Identity Lifecycle Manager "2" supports managing custom resource types and allows for customizing the user experience for managing those types.  This customization does have its limits but will go a long way to providing custom solutions for managing resources not included within the shipping product. 

As an example, it is a good bet that enterprises will want to add a "Computer" resource type in their deployments of Microsoft Identity Lifecycle Manager "2".  This is actually an example that the product group has used in demonstrations of Microsoft Identity Lifecycle Manager "2" at various conferences.  The shipping web portal will allow you to create this resource type, attached existing attributes, and create any new attributes needed to accurately describe the data tracked for a "Computer".  The portal will then provide a default user experience for managing these types immediately.  Enterprises can go a step further and create an appropriate instance of a configuration resource to "teach" the portal how to provide a better user experience when managing these types.

How do you education yourself about customizing the Microsoft Identity Lifecycle Manager "2" web portal?  Well that is an even trickier question than the request processing model.  I am most likely not going to get into that topic on my blog (I prefer the custom code side of things).  I cannot speak for Bobby and Nima's ILM Blog but that is the resource I would recommend at the moment.  The Microsoft Identity Lifecycle Manager "2" SDK should include documentation and, hopefully, a sample or two.  If anyone reading this has their own blog, I would be happy to reference any posts you have on this topic.

Once you have an understanding of the Microsoft Identity Lifecycle Manager "2" request processing model and portal customization you will find yourself at the point where additional extensibility requires custom code (of some type).  Welcome to my world!  :)  At this point I would recommend diving deeper into the Windows Workflow Foundation technology.  Given the customization support for custom resource types in the Microsoft Identity Lifecycle Manager "2" web portal enterprises are more likely going to need custom business logic before they need custom web service clients.  I believe that the majority of custom solutions will require some sort of custom business logic.

There are two methods of Windows Workflow Foundation centered extensibility within the [IML2] product:  custom workflows and custom activities.  In both cases, the word "custom" simply means that it is not supported OOB by the Microsoft Identity Lifecycle Manager "2" product.  In the case of custom workflows this means that the Microsoft Identity Lifecycle Manager "2" web portal's process designer cannot create the appropriate XOML.  This will require using a Windows Workflow Foundation designer application, such as Visual Studio, to create a XOML out of band and then use the Microsoft Identity Lifecycle Manager "2" web portal process designer to import that workflow.  In the case of custom activities this means that the Microsoft Identity Lifecycle Manager "2" product did not ship with an activity that performs the required logic.  This will require using a code editor, such as Visual Studio, to author and compile the custom code that will express the custom business logic.  Using Windows Workflow Foundation specific language, this could be a composite activity (i.e. an activity made up of child activities) or a completely new activity.

How do you educate yourself about Windows Workflow Foundation?  This is a bit easier than the topics discussed thus far since the technology has been available for some time and there are a number of books available.  Personally, I recommend "Essential Windows Workflow Foundation" by Dharma Shukla and Bob Schmidt (ISBN #978-0321399830).  This provides a great overview of the technology and dives fairly deep, leaving appropriate topics to other resources.  It covers more than you will need to know for extending Microsoft Identity Lifecycle Manager "2"; however, that knowledge would not be wasted as it will provide context and allow you to ask questions and understand answers about why I chose to design our extensibility a certain way.  While learning about Windows Workflow Foundation I would recommend focusing on the following topics (appropriate chapter titles from "Essential Windows Workflow Foundation" provided):

1. The Windows Workflow Foundation conceptual model - [Deconstructing WF]
2. The Windows Workflow Foundation activity model - [Activity Execution] and [Advanced Activity Execution]
3. How to author Windows Workflow Foundation activities - [Activity Execution], [Advanced Activity Execution], and [Advanced Authoring]
4. XOML only workflows - [WF Programs] and [Applications]

As an additional resource for learning Windows Workflow Foundation, I am planning on spending some time here discussing the above topics in general.  I am also planning on providing detailed discussions and examples of the Windows Workflow Foundation extensibility inside of Microsoft Identity Lifecycle Manager "2".  With some general knowledge of the Windows Workflow Foundation technology and how it specifically relates to Microsoft Identity Lifecycle Manager "2" you should be able to build the vast number of possible scenarios on top of Microsoft Identity Lifecycle Manager "2".

Finally, the next level of extensibility to look at would be our integration with the Windows Communication Foundation technology.  This is the technology we used to implement our WS-STAR compliant web services.  Since we implemented our web services to be WS-STAR compliant it is not necessary to use Windows Communication Foundation and, if you are familiar with developing web service clients, you could just educate yourself about our protocols.  However, I would recommend looking into the Windows Communication Foundation technology as a way to quickly author web service clients with minimal code.  (Of course I could be biased since I helped to ship that piece of technology in my prior product team.)  The use of Windows Communication Foundation within an Microsoft Identity Lifecycle Manager "2" solution will normally involve writing a custom client to interact with our web service.  I have seen some solutions that required using Windows Communication Foundation to write a custom web service client as part of a Windows Workflow Foundation custom activity that would interact with an external web service to make business logic decisions in managing resources within Microsoft Identity Lifecycle Manager "2".

How do you educate yourself about Windows Communication Foundation?  This is a question similar to how you educate yourself about Windows Workflow Foundation.  These technologies shipped at the same time and there are a number of books available.  The interesting part here is that the books about Windows Communication Foundation often cover the entire technology and focus on writing web services instead of clients.  Writing clients tends to be a small chapter after explaining how to write services.  I do not have any specific book recommendations, but I would recommend trying to find a book that spends some time talking specifically about creating Windows Communication Foundation clients.

As a side note of some significance, there were some important differences between versions 3.0 and 3.5 of Windows Communication Foundation, and we have built Microsoft Identity Lifecycle Manager "2" on top of version 3.5.  In particular, we make use of the WS-SecureConversations standard and make use of those context headers to make our services durable.

I hope this was of some use to you Microsoft Identity Lifecycle Manager 2007 solutions experts looking to transition to Microsoft Identity Lifecycle Manager "2".  I am still hoping to provide more details here about the Microsoft Identity Lifecycle Manager "2" request processing model and Windows Workflow Foundation integration.  Ideally this post will give you some idea of how you can further educate yourself in parallel while you are waiting for me to cover the specific topic of your interest.  (Just as a reminder, if you do have a specific topic of interest please feel free to use my Contact form or by using Comments of any of my posts.)

Well a "short break" turned into something a bit longer than I anticipated.  My laptop is back in gear, and I again have the freedom of spending my writing time somewhere other than my office.  That little surprise I was working on for you is still in the works.  Unfortunately, it seems to take lining up a few more ducks that I first thought.  In the mean time I thought I would jump a bit ahead in my peeling of the Microsoft Identity Lifecycle Manager "2" onion and respond to a question I received recently from one of you out there.  This also allows me to celebrate my first post in the "Identity Lifecycle Manager Solution" category!  Essentially, the question is this (some editing done to maintain confidentiality of content):

After the sync with an external connected system completes, such as an HR system, is there an easy process to create/maintain groups based on a specific attribute?  For example, if one of the attributes of the user is CostCenter, how can we automatically create/populate/maintain a group for each value of CostCenter found in the system?

The benefit, of course, is that if a user has the value of their CostCenter change they automatically have their group membership updated and that update is reflected in AD on the next export/sync of the appropriate Management Agents.  Great for role based security!

The great news is that this functionality is extremely easy in the eventual released version of Microsoft Identity Lifecycle Manager "2".  The not so good news is that this dynamic creation of groups is not supported out of box in the current Beta release of Microsoft Identity Lifecycle Manager "2"; however, it is still possible with a little extra coding effort.

Since this is going to be a discussion of a possible solution on top of Microsoft Identity Lifecycle Manager "2", let me satisfy the legal folks here by starting with the following:

Disclaimer:  This posting and any code contained within are provided "AS IS" with no warranties, and confer no rights. Use of included code samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

To start this discussion let me first put aside the complex part of the solution, dynamic creation of groups based on attribute values, and start talking about dynamic group membership.  As I mentioned in an earlier post (A Discussion of Computed, Explicit, and Temporal Sets in Microsoft Identity Lifecycle Manager "2") Microsoft Identity Lifecycle Manager "2" supports a variety of set membership concepts.  Although there are differences between Group and Set objects within Microsoft Identity Lifecycle Manager "2", for discussions about membership they can be viewed as synonymous.  This means that Microsoft Identity Lifecycle Manager "2" also supports the same type of memberships for groups as it does for sets.  For this particular post the type of group membership of interest in computed (also referred to as dynamic).

A dynamic group derives its membership from its Filter attribute which is essentially an XPath expression.  As an example, lets say I wanted to create a dynamic group for all users who are in the domain "Domain1".  Looking at the schema for the Person object type in Microsoft Identity Lifecycle Manager "2" there is a string attribute Domain that contains this information.  I could then create a group whose XPath filter was "/Person[Domain='Domain1']".  This group would then populate its membership with every resource in the Microsoft Identity Lifecycle Manager "2" system of type Person that has its Domain attribute set to the value "Domain1".  Further, any new resources of type Person created with Domain set to "Domain1" will be automatically added to this group as part of its creation.  Still further, any existing resource of type Person that is updated to set its Domain attribute to "Domain1" will be automatically added to this group as part of that update.  Finally, any resource of type Person that currently has its Domain attribute set to "Domain1" that is updated to change its Domain attribute to something else will be (as you have probably guessed) automatically removed from this group as part of that update.

Lets look at a bit more complex of a scenario.  Lets say that I wanted to create a dynamic group for all users who report directly to me (have me as there direct manager).  Looking at the schema for the Person object type in Microsoft Identity Lifecycle Manager "2" there is a reference attribute Manager that contains this information.  I could then create a group whose XPath filter was "/Person[Manager='{SomeGuid}']" where "{SomeGuid}" is my Person resource's ObjectID attribute.  Now this, unfortunately, would require that I know my Person resource's ObjectID and GUID's really are not that human friendly (have you ever tried to type one manually?).  It would be nice if I could instead use something else I know to be unique on my Person resource as a way of identifying the Manager value.  With a little bit of understanding of the Person resource we can identify that the AccountName and Domain attribute pair must also be unique.  Luckily those two attributes are strings (much easier to type).  Taking that into consideration, we can now write the following XPath:  "/Person[Manager=/Person[AccountName='markgabarra' and Domain='Domain1']/ObjectID]".  This group would then populate its membership with every resource in the Microsoft Identity Lifecycle Manager "2" system of type Person that has its Manager attribute set to the value of every ObjectID value for every resource in the Microsoft Identity Lifecycle Manager "2" system of type Person that has its AccountName attribute set to the value "markgabarra" and its Domain attribute set to the value of "Domain1".  Assuming that I have correctly identified my AccountName (markgabarra) and my Domain (Domain1), this results in the embedded XPath returning only my Person resource's ObjectID, thus the total XPath results in returning every resource in the Microsoft Identity Lifecycle Manager "2" system of type Person that has its Manager attribute set to my ObjectID.

Now lets look at the scenario mentioned in the question regarding CostCenter.  From the discussion above creating a group for all Person resources in the CostCenter named "Department 100" would involve creating a dynamic group with the filter "/Person[CostCenter='Department 100']".  This answers the question about maintaining (and populating) a group based on a specific attribute since Microsoft Identity Lifecycle Manager "2" will automatically manage the group membership for the lifetime of that group.  This leaves the question of dynamically creating such groups.  To answer this I will have to take a step back and talk conceptually.  Due to schedule and resource constraints the current Beta of Microsoft Identity Lifecycle Manager "2" had to ship without the features needed to support this scenario.  However, those features will be available in the final released version of the product.

As a side note on XPath filters within Microsoft Identity Lifecycle Manager "2" for you administrators and IT Professionals out there, if you are interested in creating a filter of all resources created by a specific person you could use the direct manager example above with some minor changes.  To tell the filter to target "all resources" and not just resources of a specific type you would use the "*" wildcard.  To identify the creator of a resource you would look at the Creator attribute.  In the case of finding all resources that I created (assuming the same AccountName and Domain values for my Person resource above) you would use the following XPath filter:  "/*[Creator=/Person[AccountName='markgabarra' and Domain='Domain1']/ObjectID]".

In an earlier post (AuthN, AuthZ, and Action, oh my: Microsoft Identity Lifecycle Manager "2" Request Processing) I started to detail the different phases of request processing within Microsoft Identity Lifecycle Manager "2".  This post discussed the internal details of these phases but left for a later post the discussion of how scenarios can use these phases to solve specific problems.  For this discussion I will focus on one possible use of the Action phase of request processing to solve the problem of dynamic group creation based on specific attribute values.

Briefly summarizing the relevant content in my previous posts, it is important to know the following:

• All data operations within Microsoft Identity Lifecycle Manager "2" are actually requests to perform the specified operation and the details of each request is available through an Microsoft Identity Lifecycle Manager "2" Request resource
• All requests in Microsoft Identity Lifecycle Manager "2" go through the same phases of Request Processing: Rights Check, Authentication, Authorization, Commit, and Action
• Any phase prior to the Commit phase can deny a request from occurring
• The Authentication, Authorization, and Action phases can execute zero or more Windows Workflow Foundation workflow instances
• The configuration of these Request Processing phases is done through the management of Microsoft Identity Lifecycle Manager "2" ManagementPolicyRule, WorkflowDefinition, and Set resources

The creation of a dynamic group based on the possible values of an attribute can be done in a couple of ways.  Lets look at two possibilities:

1. The attribute in question has a restricted set of possible values enforced through Microsoft Identity Lifecycle Manager "2" schema (e.g. an integer with explicit MinValue and MaxValue, a string with explicit StringRegEx defining an enumerated string, etc)
2. The attribute in question does has an unrestricted set of possible values (it is worth noting that this solution would also work for the above scenario as well and is a more general solution to this problem)

In the first case, I would create a ManagementPolicyRule that would trigger for updates to the specified AttributeTypeDescription resource that contains the attribute's Microsoft Identity Lifecycle Manager "2" schema information (from the question above "/AttributeTypeDescription[SystemName='CostCenter']") and touched the appropriate attribute that restricted the set (from the question above "StringRegEx" since "CostCenter" is a string attribute).  To this ManagementPolicyRule I would attach a single ActionWorkflowDefinition.  This action workflow would perform the following algorithm (notes about what is available and what requires custom code are based on the current Beta of Microsoft Identity Lifecycle Manager "2" and not the final release version):

1. Retrieve the current request (available with the Microsoft Identity Lifecycle Manager "2" CurrentRequestActivity)
2. Inspect the current request's parameters to determine the change to the StringRegEx attribute (requires custom code)
3. Determine the new possible set of filters for dynamic groups for each possible value (requires custom code)
4. For each possible filter value do the following (requires custom code, can use Windows Workflow Foundation WhileActivity or ReplicatorActivity)
1. Query Microsoft Identity Lifecycle Manager "2" for any groups whose filter is the possible value (requires custom code and reentering through the Web Service layer)
2. If above query results in zero results do the following (requires custom code, can use Windows Workflow Foundation IfElseActivity)
1. Create new Microsoft Identity Lifecycle Manager "2" Group resource with appropriate filter (available with the Microsoft Identity Lifecycle Manager "2" CreateResourceActivity)

In the second case, I would create a ManagementPolicyRule that would trigger for all creates and updates of an appropriate set of resources (from the question above "All Persons") where the request touched the specific attribute (from the question above "CostCenter").  To this ManagementPolicyRule I would attach a single ActionWorkflowDefinition.  This action workflow would perform the following algorithm (notes about what is available and what requires custom code are based on the current Beta of Microsoft Identity Lifecycle Manager "2" and not the final release version):

1. Retrieve the current request (available with the Microsoft Identity Lifecycle Manager "2" CurrentRequestActivity)
2. Inspect the current request's parameters to determine the value this request set the key attribute (requires custom code)
3. Determine the new possible filters for the dynamic group for this value (requires custom code)
4. Query Microsoft Identity Lifecycle Manager "2" for any groups whose filter is the possible value (requires custom code and reentering through the Web Service layer)
5. If above query results in zero results do the following (requires custom code, can use Windows Workflow Foundation IfElseActivity)
1. Create new Microsoft Identity Lifecycle Manager "2" Group resource with appropriate filter (available with the Microsoft Identity Lifecycle Manager "2" CreateResourceActivity)

These two approaches will result in the dynamic creation of these groups when new (possible) values are detected for the key attribute.  They do not address the deletion of such groups when those values are no longer available.  This is a bit more complex of a problem, but is possible.  Staying at a very high conceptual level, I would recommend extending the schema of the Microsoft Identity Lifecycle Manager "2" Group resource to add an attribute that can be used to mark these dynamically created groups.  I would then create an Microsoft Identity Lifecycle Manager "2" temporal Set that contains an XPath filter selecting all of these dynamically created groups that were modified in the last 24 hours (I will leave the details of creating a temporal set to another post).  Next, I would create a ManagementPolicyRule that triggered on resources that transitioned into that Set and attach a single ActionWorkflowDefinition.  The action workflow would Use the Microsoft Identity Lifecycle Manager "2" ReadResourceActivity to retrieve the target resource and count the number of values in the ComputedMember attribute.  If that number is zero (meaning the group has zero membership), it would use the Microsoft Identity Lifecycle Manager "2" DeleteResourceActivity to delete the target resource.  This would result in the dynamically created groups deleting themselves shortly after their membership become empty.

The workflow definitions for these two approaches may seem complex and require a number of steps utilizing custom code and (in the case of querying Microsoft Identity Lifecycle Manager "2") reentering the Microsoft Identity Lifecycle Manager "2" Web Service layer from within workflow.  This may be disheartening to some of the potential customers of Microsoft Identity Lifecycle Manager "2"; however, let me provide some good news.  Shortly after the current Beta of Microsoft Identity Lifecycle Manager "2" released I was able to get to the missing features to better support these scenarios with less custom code.  Microsoft Identity Lifecycle Manager "2" will ship with an EnumerateResourcesActivity that will allow workflow developers to set an XPath filter and perform operations on each resource returned (or just use it to get a count of resources that match a specified filter).  Additionally, Microsoft Identity Lifecycle Manager "2" will ship with a ResourceTemplateActivity that can be used to dynamically create a resource based off of a template should a test filter return a count of zero.  In other words, the ResourceTemplateActivity can be used to perform steps 4, 5, and 5.1 in the algorithm of option two, and steps 4.1, 4.2, and 4.2.1 of option one.  The EnumerateResourcesActivity can be used to perform step 4 of option one.  In both options this reduces the amount of custom code to inspecting the contents of the request to calculate the desired filter(s).

This begs the question, how do I write this custom code?  That is a longer topic for multiple follow up posts around the topics of writing custom workflow and/or custom activities.  I will have to leave it for another time, although I am working my way in that direction and I appreciate your patience.  In the mean time, feel free to use my Contact Form or the Comments on my blog to ask questions or suggest topics.

Well my laptop is nearly recovered (I still have a few applications I need to reinstall), and I am looking forward to moving my writing time back to somewhere other than my office.  This week I am going to take a short break on peeling back the onion of the Microsoft Identity Lifecycle Manager "2" web services.  For those of you attending TechReady in Seattle I am currently planning on attending the Ask the Experts event.  I look forward to running into some of you there.  For those of you not attending TechReady I will look at picking back up next week with another topic.  There is a chance that this break may span more than one week as I am working on a little surprise for all of you.

This week my laptop decided it was time for a career change and made the transition to door stop.  Unfortunately this means that my means of posting this week is through the web dashboard instead of making use of Live Writer.  How does this affect you?  Hopefully not very much; however, you may notice a change in posting style as well as a shortened post this week.  I am working on rebuilding my laptop so that next week's post can get back to normal.

So in my previous post titled Microsoft Identity Lifecycle Manager "2" Policy Service: A Look Behind the Curtain I took some time to provide a peek inside the Microsoft Identity Lifecycle Manager "2" Policy Service.  I mentioned the different phases of request processing:  Rights Check, Authentication, Authorization, Commit the Operation, and Action.  I briefly touched on what occurred in each of those phases.  Today I would like to provide a little more insight into each of these phases.  Hopefully I will provide a primer for starting to think about how to design custom solutions on top of the Microsoft Identity Lifecycle Manager "2" Policy Service as a platform.  Understanding the request processing model is the key that opens the door for further investigation into the Microsoft Identity Lifecycle Manager "2" integration with the Windows Workflow Foundation as a point of extensibility.

Rights Check Phase

During the Rights Check phase the Microsoft Identity Lifecycle Manager "2" Policy Service determines if the user submitting the request has been explicitly granted the rights to perform the operation described by the current request.  If so, the request moves onto Authentication otherwise processing is halted and permission is denied.  This rights check is performed against (and configured by) the ManagementPolicyRule resources within the Microsoft Identity Lifecycle Manager "2" system.  By this time in the processing, the Windows Communication Foundation layer (assuming the request originated from a Web Service call) has pre-authenticated the client connection through the exposed Windows Communication Foundation channel binding.  It has also translated the SOAP envelop into an Microsoft Identity Lifecycle Manager "2" invariant representation of the operation being requested.  This happens to be the Microsoft Identity Lifecycle Manager "2" Request resource.  The Request resource contains a wealth of information about the operation being requested; however, of most importance are:  Creator, Operation, Target, and RequestParameter(s).

During this phase of processing, these pieces of information are used to determine which ManagementPolicyRule (MPR) resources in the system apply to the request.  After finding all related MPRs, the rights system does a final check to verify that at least one of those MPRs carries the GrantRight value of true.  This translates to the actor has the right to perform the operation on the target resource given the request parameter(s).  It is important to note that the operation will be allowed if (and only if) at least on MPR has GrantRight set to true.  It does not matter how many MPRs are attached with GrantRight set to false.  In fact, setting this value to false does not perform rights revocation.  The ability to set GrantRight to false is only used to create an MPR that only attach specific workflow definitions to an operation without needing to also grant rights to a set of users.  This allows enterprises to create MPRs that run a specific workflow when an actor in the "All Persons" set performs an operation without needing to grant rights to "All Persons" to perform that operation.

Should the request evaluation result in at least on MPR that contains a true value for GrantRight, this phase also stamps the Microsoft Identity Lifecycle Manager "2" Request resource with references to all relevant ManagementPolicyRule resources as well as creating resources to track the workflow definitions that may run in the upcoming phases of processing.  These place holders are Microsoft Identity Lifecycle Manager "2" resources only and do not translate into an action Windows Workflow Foundation workflow instance as of yet.  In fact, they will have an Microsoft Identity Lifecycle Manager "2" specific status of "Pending".  So upon completion of this phase one of two things has occurred:

1. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request did not result in at least one MPR with GrantRight set to true.  In this case the Request is denied and an appropriate SOAP fault is sent back to the web service client.
2. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one MPR with GrantRight set to true.  In this case the Request is decorated with references to all relevant MPR resources and Microsoft Identity Lifecycle Manager "2" WorkflowInstance resources tracking the workflow definitions that should run in later phases of processing.

In the later case, the Request is moved into the next phase of processing.

Authentication Phase

Within the Authentication Phase, the Microsoft Identity Lifecycle Manager "2" Policy Service inspects the Request resource to see if there are any pending authentication workflow instances.  These workflow instances would have been discovered, created, and attached within the Rights Check phase above.  In the case that there are authentication workflow instances that are pending the Microsoft Identity Lifecycle Manager "2" Policy Service knows that the client has not yet gone through the required authentication gates needed to provide the second factor authentication (remember the WCF layer has already provided some initial authentication) required to perform this operation.  In this case, request processing is halted an an appropriate SOAP fault is sent back to the web service client.  This SOAP fault tells the client that additional authentication is required, provides the request identifier and the address of the Microsoft Identity Lifecycle Manager "2" second-factor authentication STS.

The client will need to interact with this STS according to the WS-Trust specification to receive a supporting security token.  At which time the client will resubmit the original request to the Microsoft Identity Lifecycle Manager "2" Policy Service with the supporting security token attached.  The Microsoft Identity Lifecycle Manager "2" Policy Service will pick up the existing Request and continue processing it within the Authentication phase.  This time, the Policy Service will determine that there are no more authentication workflow instances that are pending, but there are some that were completed.  This tells the Policy Service that there needs to be a supporting security token attached to the current request.  If, and only if, that token is present and validates to be the token generated by executing these specific workflow instances, the Policy Service will mark the request as authenticated and move it into the next phase of processing.  However, if the supporting security token is not present or does not validate properly, the Microsoft Identity Lifecycle Manager "2" Policy Service will return a SOAP fault telling the current client their request was denied.  However, the Request remains in the Authentication phase.

During the communication between the client and the STS if any of the authentication workflow instance terminate instead of complete, the Request will be marked as denied and processing halted.  So upon completion of this phase one of three things has occurred:

1. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request did not result in any authentication workflow instances being created.  In this case the Request is considered authenticated (i.e. the initial authentication done by the Windows Communication Foundation layer is satisfactory) and processing moves to the next phase.
2. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one authentication workflow instance being created and the client passed all authentication gates provided by the Microsoft Identity Lifecycle Manager "2" STS.  Further, the client has resubmitted their request with the correct supporting security token attached.  In this case the Microsoft Identity Lifecycle Manager "2" Policy Service validates this supporting security token as being correct, the Request is considered authenticated, and processing moves to the next phase.
3. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one authentication workflow instance being created and the client failed at least one authentication gates provided by the Microsoft Identity Lifecycle Manager "2" STS.  In this case the STS detects the invalid authentication attempt (i.e. the authentication workflow instance terminates), the Request is denied, and processing is halted.

Again, note that there is no case for the client passed all authentication gates but provided an invalid (or null) supporting security token.  In this case, the Request remains stuck in the Authentication phase and only the current client request is responded to with a SOAP fault communicating their request is denied.

Authorization Phase

Within the Authorization Phase, the Microsoft Identity Lifecycle Manager "2" Policy Service inspects the Request resource to see if there are any pending authorization workflow instances.  These workflow instances would have been discovered, created, and attached within the Rights Check phase above.  Authorization performed in this phase could involve custom data validation (e.g. verify that a resource's DisplayName attribute does not include illegal words or characters) or external authorization (e.g. ask a person's manager for approval of a particular operation).  Should the Microsoft Identity Lifecycle Manager "2" Policy Service detect authorization workflow instances in the pending state it will attempt to execute each of these instances in turn.  An attempt will be made to execute authorization workflow instances synchronously, blocking the current thread.  This means developers who develop custom workflows and/or activities that may run in this phase need to take care to not block the workflow instance's thread for too long (definitely more on this later).  This also allows synchronous validation (such as DisplayName attribute validation logic) to either succeed or fail immediately while still allowing for external authorization (such as manager approval) to park the request until authorization occurs externally.

Processing within this phase will result in one of the four following cases:

1. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request did not result in any authorization workflow instances being created.  In this case the Request is considered authorized (i.e. no additional authorization is required beyond the granting of rights in the Rights Check phase) and processing moves to the next phase.
2. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one authorization workflow instance being created and all authorization workflow instances have been completed.  In this case the Request is considered authorized and processing moves to the next phase.
3. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one authorization workflow instance being created and at least one authorization workflow instances has been terminated.  In this case the Request is denied and an appropriate SOAP fault is sent back to the web service client.
4. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one authorization workflow instance being created and at least one authorization workflow instances is still running.  In this case the Request requires asynchronous authorization (either a long running authorization workflow instance or external authorization).  The Request remains in the Authorization phase until all authorization workflow instances either complete or terminate.  As soon as one workflow instance terminates the Request is denied.  If all workflow instances complete, the Request is considered authorized and processing moves to the next phase.

Commit the Operation Phase

The Commit the Operation Phase is relatively self-descriptive.  Within this phase the Microsoft Identity Lifecycle Manager "2" Policy Service inspects the Request resource to extract the actual data operation(s) being requested and performs those operations.  It is important to note that the transactional nature of those operations are completely contained within this phase of processing.  That means the transaction both begins and commits (or rolls back) during this portion of processing.  Once the Request moves past this phase of processing there is no rolling back the operation (unless you manually perform the appropriate data operation(s) to compensate yourself).  There are some additional checks performed on the request during this phase of processing that could result in a Request being denied.  For example, a request tries to create a Person whose email address is already in use, or modify an integer value on a Resource with a value outside the configured boundaries.  Should this schema validation fail the request would be considered denied and processing would halt with an appropriate SOAP fault being returned to the client.

So upon completion of this phase one of two things has occurred:

1. The Microsoft Identity Lifecycle Manager "2" Policy Service is able to perform the data operation and commits it to the data store.  The Request is considered processed and processing moves on to the next phase.
2. The Microsoft Identity Lifecycle Manager "2" Policy Service is unable to perform the data operation (e.g. schema validation fails).  The Request is denied and an appropriate SOAP fault is sent back to the web service client.

Action Phase

Within the Action Phase, the Microsoft Identity Lifecycle Manager "2" Policy Service inspects the Request resource to see if there are any pending action workflow instances.  These workflow instances would have been discovered, created, and attached within the Rights Check phase above.  Action workflow instances are kicked off in the same manner as authorization workflow instances.  This means an attempt will be made to execute authorization workflow instances synchronously, blocking the current thread.  Thus, custom workflows and activities developed for use in the Action Phase of processing carry the same design requirements as those targeting the Authorization Phase of processing.  Action workflow instances are nearly identical to authorization workflow instances with one major difference, and that is how a terminated workflow instance is treated.  For authorization workflows, a terminated workflow instance stops processing and denies an Microsoft Identity Lifecycle Manager "2" Request.  However, the operation has already been performed and committed to the store by the time an action workflow is executed.  This means that a terminated action workflow does nothing to prevent the Microsoft Identity Lifecycle Manager "2" Request from completing, it just does not complete all of its work.  Terminated action workflow instances can be detected by looking for Microsoft Identity Lifecycle Manager "2" WorkflowInstance resources whose WorkflowStatus attribute is set to Terminated.

Processing within this phase will result in one of the four following cases:

1. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request did not result in any action workflow instances being created.  In this case the Request is considered completed.
2. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one action workflow instance being created and all action workflow instances have been completed.  In this case the Request is considered completed.
3. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one action workflow instance being created and all action workflow instances finished with at least one action workflow instance terminating.  In this case the Request is considered completed.
4. Evaluation of the Microsoft Identity Lifecycle Manager "2" Request resulted in at least one action workflow instance being created and at least one action workflow instance is still running.  In this case the Request requires asynchronous actions to occur (either a long running action workflow instance or external interaction).  The Request remains in the Action (or ProcessingEffects) phase until all action workflow instances either complete or terminate.  Once all workflow instances complete or terminate, the Request is considered completed.

I would like to take a short detour from my current discussion of the Microsoft Identity Lifecycle Manager "2" Policy Service to focus on a particularly important concept within the Microsoft Identity Lifecycle Manager "2" platform:  set membership.  I have answered a number of questions from people regarding types of set membership in Microsoft Identity Lifecycle Manager "2".  Often these questions start off discussing something other than set membership, but quickly come down to correcting misunderstandings about set memberships.

Let me start with a quick definition of a Set.  As I mentioned in previous posts about the Microsoft Identity Lifecycle Manager "2" platform, the Policy Service component is responsible for managing the lifecycle or "Resources".  "Resources" are just a collection of data described by a schema.  Within Microsoft Identity Lifecycle Manager "2" there are a number of these "Resources" that describe metadata that helps to drive the Policy Service itself.  One of these metadata "Resources" is an object type called Set which allows the grouping of other "Resources" that meet share criteria.  The criteria used to group "Resources" within a Set can be described as a membership condition and Microsoft Identity Lifecycle Manager "2" supports different types of set membership.

To try and keep this discussion short (for a change), let me identify four types of set membership:

1. Explicit Membership – Membership of the set is explicitly managed with requests to insert and remove members directly.
2. Computed Membership – Membership of the set is computed based on a filter.  This results in implicitly managed membership by requests modifying data within the system which results in objects transitioning into or out of the target set.
3. Temporal Membership - Membership of the set is computed based on a filter that includes at least one time based criteria.  This results in implicitly managed membership similar to Computed Membership but also includes transitions triggered simply by the passage of time.
4. Parameterized Membership – Membership of the set is computed based on both a filter and some parameters provided by the client requesting membership.  This results in a fluid set membership that differs not only as data within the system changes, but also depending on whom tries to access the membership.

Microsoft Identity Lifecycle Manager "2" supports the first three but not the last one.  I would further argue that the last one actually results in undesirable behavior.  Since the set membership changes depending on who accesses the membership it becomes difficult to audit membership at any given time.  Performing actions based on this type of membership quickly becomes problematic and difficult to predict consistent results.  Some very specific scenarios exist where it seems Parameterized Membership is needed.  These scenarios center around capturing relationships.  Granting rights to read specific, sensitive attributes on Person resources to a specific person's manager.  Asking a group's owner to approve a request to join that group.  Creating a group of Person resources that reside in the same cost center.

While Microsoft Identity Lifecycle Manager "2" does not support Parameterized Membership, it does understand the need to evaluate relationships in a manner to address these (and other) scenarios.  In most (if not all) cases, these relationship based evaluations can be accomplished with three features:

1. "Reflexive Rights" - The ManagementPolicyRule (MPR) is responsible for controlling the Policy Service's request processing.  It allows enterprises to define the policy for how resources are managed including granting rights.  Rights are granted to a set of principals against a resources that start in an initial set and, as a result of the operation, end in a final set.  While each of these sets can contain one of the three supported memberships described above, they each also allow for a "reflexive" description.  The principals may be described by an attribute relative to the target of the operation.  Further the initial and final resource sets can be described by an attribute relative to the current actor.  This allows the first scenario above of granting rights to read attributes on a Person resource to a specific person's manager.  I will provide more details on MPRs in later posts.
2. "Lookup Grammar" - The Windows Workflow Foundation integration includes the ability for activities to resolve a lookup grammar to reference relationships appropriate for the current executing request.  Some of the WF activities that ship with Microsoft Identity Lifecycle Manager "2" include this integration.  One example is the ApprovalActivity that is responsible for gating requests on the acknowledgement of a set of approvers.  Using the "Lookup Grammar" feature it is possible to identify a group's owner as an approver for operations that target that group, such as requests to join.  In this particular case, an ApprovalActivity would be configured to have the approver "[//Target/Owner]".  As I dive deeper into the Windows Workflow Foundation integration and authoring of custom activities and workflows I will provide more information on the "Lookup Grammar".
3. Custom Activities - The Windows Workflow Foundation integration allows for enterprises to write their own custom activities that can be executed within the Microsoft Identity Lifecycle Manager "2" Policy Service.  This essentially allows enterprises to introduce their own custom code into how the Policy Service manages resources.  In the final example of relationship based grouping, the custom activities feature would allow enterprises to write a custom Windows Workflow Foundation activity (or custom workflow) that can detect the addition of a new Cost Center.  Upon finding a new Cost Center, the activity can simply create a new group (or set) that uses Calculated Membership to include all Person resources that are part of that Cost Center.

I know this has been a brief discussion of set membership within Microsoft Identity Lifecycle Manager "2".  Sets are a core part of the Policy Service platform, and understanding membership of those sets is the basis of being able to successfully map specific solutions onto that platform.  I hope this has provided a primer into understanding the types of memberships supported by Microsoft Identity Lifecycle Manager "2".  I have a feeling I will be revisiting this topic more than once to dive deeper into the specifics of each type of membership.  I will definitely touch base on the appropriate membership types when I start providing How-To posts for specific scenarios.

Next Week:  AuthN, AuthZ, and Action, oh my:  Microsoft Identity Lifecycle Manager "2" Request Processing

In my previous post I gave a very brief overview of the different components of the Microsoft Identity Lifecycle Manager "2" product.  I provided an especially brief description of one of those components, the Microsoft Identity Lifecycle Manager Policy Service (ILM-PS).  I would like to take some time to follow up on that post and provide a deeper description of the ILM-PS at this time.  To do that let me start by taking a step back and discuss briefly some of the motivations behind adding this component in Microsoft Identity Lifecycle Manager "2".

Inclusion of the ILM-PS into the Microsoft Identity Lifecycle Manager "2" product is the realization of a concept that started with Microsoft Identity Lifecycle Manager 2007.  Prior to the release of Microsoft Identity Lifecycle Manager 2007, the Synchronization Engine component was the entirety of the product known as Microsoft Integrated Identity Server (MIIS).  At that time MIIS was, and still is, fantastic at what it does:  synchronize, provision, and deprovision data between heterogeneous data sources.  However, managing the lifecycle of this data was done externally through the external data stores.  In other words, the Synchronization Engine would only perform synchronization, provisioning, or deprovisioning actions when there was a data change in an external store to which it was connected through a Management Agent (MA).  Further, deploying and configuring of the Synchronization Engine was a complex task that often required contracting experts, especially if an enterprise's deployment required the authoring of custom one or more custom MAs.

With the release of Microsoft Identity Lifecycle Manager 2007 the Synchronization Engine is joined by the Certificate Lifecycle Manager (CLM).  The addition of CLM begins the inclusion of the ability to manage the lifecycle of data synchronized by the Synchronization Engine.  The deployment and configuration of the Synchronization Engine remains mostly the same; however, the integration point between the Synchronization Engine and CLM is improved with the inclusion of a custom MA that sits between the Synchronization Engine and the data store that backs the CLM.  This results in the ability for enterprises to use Microsoft Identity Lifecycle Manager 2007 as a complete solution for managing certificate related data.

With the release of Microsoft Identity Lifecycle Manager "2" the Synchronization Engine and Certificate Lifecycle Manager (CLM) are joined by Policy Service.  The Policy Service extends the initial step taken by the CLM to include the ability to manage the lifecycle of data synchronized by the Synchronization Engine into the Microsoft Identity Lifecycle Management product.  Like CLM, the data store backing the Policy Service is connected to the Synchronization Engine with a custom MA.  However, unlike CLM, the Policy Service does not manage one specific type of data.  More precisely, the Policy Service introduces a platform for managing the lifecycle of different types of data providing that data can be represented as a "Resource" within the Policy Service.

The flexibility of the Policy Service starts with the flexibility of what data can be expressed as a "Resource" and, thus, managed by the Policy Service.  As I started to explain in my previous post, a resource is just a set of related data describable in a flat XML schema.  Think of it as an object.  In fact, you could think of a "Resource" as the Microsoft Identity Lifecycle Manager "2" platform's version of System.Object.  Just as all types in the .NET Framework is built on top of System.Object, all data managed in the Policy Service is built on top of "Resource".  Within the .NET Framework, System.Object is a type that does not do much on its own, but does include some basic functionality that all types share (e.g. ToString(), GetType(), GetHash(), etc).  Likewise, within the Policy Service, "Resource" represents data that does not describe much on its own but does include some basic attributes that all resources share (e.g. Creator, CreatedTime, ObjectType, ObjectID, etc).

I mentioned that a resource is a set of data describable in a flat XML schema.  To be more precise, I should say that a resource is a set of data describable in an XML schema with a maximum depth of one.  This allows for creating an object with a series of attributes (which are represented as XML elements).  These attributes can contain data represented by one of the following supported data types:  string, integer, date time, reference, boolean, or binary.  Most of these should be self-descriptive with the exception of reference.  An attribute of type reference contains a reference to another resource within the Policy Service store, specifically it contains a unique identifier of that resource.  This reference allows for creating direct relationships between two resources without needing to create a nested XML schema.  I will dive further in the resources and provide detailed examples in later posts.

It turns out that managing the lifecycle of resources only requires providing five operations:  Create, Read, Update, Delete, and Enumerate (search).  Any higher level conceptual operation that needs to be done on data can be represented as one of these five lower level operations.  For example, the operation of adding a user to a group can be modeled as an update to the group resource's attribute containing membership data.  These operations are the basis of of the WS-STAR web service endpoints exposed by the Policy Service.  This allows web service clients to talk directly to the Policy Service and create new instances or manage existing instances of resources as long as those resources are defined within the Policy Service's schema.

So far so good.  We have these things called "Resources" that can be created and managed  by web service clients talking directly to the Policy Service.  There is one problem, the data that makes up these resources can have complex management policy that needs to be enforced.  This is where the Policy Service really flexes its extensibility muscles.  Within the Policy Service is a mechanism for processing requests through the system that allows for amazing customization (if I do say so myself).  First, all clients attempting to create, read, update, delete, or enumerate resources actually submits a request to do so.  This request then is dispatched through the Microsoft Identity Lifecycle Manager "2" request pipeline.  This pipeline moves a request through five phases of processing:  Rights Check, Authentication, Authorization, Commit the Operation, Action.  (Initial authentication is accomplished at the web service layer and outside of the request pipeline, so the rights check is actually done against a client that has had some authentication done and the ILM authentication phase is really a second factor authentication.)

During the Rights Check phase the Microsoft Identity Lifecycle Manager "2" Policy Service determines if the user submitting the request has been explicitly granted the rights to perform the operation described by the current request.  If so, the request moves onto Authentication otherwise processing is halted and permission is denied.  Within the Authentication phase, the Policy Service determines if it has been configured to require additional authentication of the user.  If there is additional authentication required, processing pauses and the user is redirected to the Policy Service's custom Security Token Service (STS) for additional validation.  In the absence of additional authentication requirements, or after the user has gained additional credentials and resubmitted their request, the current request moves into the Authorization phase.  At this time the Policy Service determines if it has been configured to require additional authorization of the request.  This could involve custom data validation (e.g. verify that a resource's DisplayName attribute does not include illegal words or characters) or external authorization (e.g. ask a person's manager for approval of a particular operation).  Regardless of the content of the authorization, the Policy Service will execute all additional authorization.  If any of this authorization faults, processing of the request is halted and the current request is denied.  Only after all authorization processes have completed successfully is the request moved into the Commit phase where the actual operation is performed in the data store and committed.  Finally, the Policy Service determines if there are any additional processes that should occur as a consequence of the data operation and executes each of those appropriately.

Given the importance of this portion of the Policy Service you can bet that I will follow this post up with an even deeper dive into this component.  However, until then let me provide at least a little overview of the pieces involved.  Each of these phases allows for enterprises to configure who can perform what and what additional processes should be executed in each phase of processing the request to perform a specific operation.  Within the Policy Service, there is a concept called a ManagementPolicyRule.  Additionally, the Policy Service has a concept of a Set.  A Set is a group of resources that meet share criteria (e.g. All Persons, All Full-time Employees, All Persons with the First Name of Mark, etc).  ManagementPolicyRules are used to configure the request processing phases for sets of objects.  They grant rights to sets of principal objects (often, but not always, persons).  They reference Authentication, Authorization, and/or Action workflow definitions.  Again, Sets and ManagementPolicyRules are important enough concepts to warrant their own blog posting.  For now, understand that they exist and are used in conjunction to provide highly configurable control over the request processing phases of the Microsoft Identity Lifecycle Manager "2" Policy Service.

I have described quite a bit of stuff so far, and I hope I have not lost anyone.  I have talked about a few items of metadata that are used to configure and drive data through the Microsoft Identity Lifecycle Manager "2" Policy Service.  Schema metadata that defines different types of "Resources" in the system.  Request metadata that captures requests to perform data operations on those resources.  ManagementPolicyRules metadata that configure the different phases of request processing of those resources within the Policy Service.  Sets metadata that allows the grouping of resources that meet share criteria.  Workflow definition metadata that defines additional processing to be performed within specific phases of request processing within the Policy Service.  There is also additional metadata within the system to help configure the Synchronization Engine (bringing us back to the goal of easing the deployment and configuration of the Synchronization Engine).

This may seem like a lot of metadata.  The good news is that all of this metadata used to drive the Policy Service (and configure the Synchronization Engine within the Policy Service) is all represented within the system as "Resources" themselves.  This means that you manage the metadata that drives the Policy Service, thus managing the Policy Service, through managing resources within the Policy Service.  Further, this means that the control over the request processing of resources is inherited by these system resources as well.  In other words, if an enterprise wants to control who can create new ManagementPolicyRules, they simply create a ManagementPolicyRule granting the right to create resources that would fall within the set "All ManagementPolicyRules" to the set of appropriate users.  If an enterprise wants to add additional authorization (validation and/or approval) to the creation of custom workflow definitions they simply create a ManagementPolicyRule specifying their authorization workflow to run during the authorization phase of requests to create resources that would fall within the set "All WorkflowDefinitions".

I know that I have covered a lot of information in this post; it is definitely longer than I like to make my typical blog posting.  I will be following this up with more targeted postings on the specifics covered here; however, I am hoping that this has taken another step towards providing the groundwork for greater and deeper conversations about the Microsoft Identity Lifecycle Manager "2" Policy Service.

Next week:  A Discussion of Computed, Explicit, and Temporal Sets in Microsoft Identity Lifecycle Manager "2"

A quick note about my planned blog entry for next week:  I have answered a number of questions from people regarding types of set membership in Microsoft Identity Lifecycle Manager "2".  Sets are a key concept to building solutions on top of the Policy Service platform.  Often these questions start off as something other than set membership, but quickly come down to correcting misunderstandings about set memberships.  I would like to take a pause on my deep dive into the Policy Service to spend some time discussing the different types of set memberships within Microsoft Identity Lifecycle Manager "2".

Let me start my discussion about Microsoft Identity Lifecycle Manager "2" with a quick overview of the different major components.  Realize that the way I break down ILM "2" may be different than how other people view the product.  I joined the product team a couple of years ago after shipping the Windows Communication Foundation.  It was natural for me to work on the new web services layer.  Since then I have been immersed in the Policy Service portion of Microsoft Identity Lifecycle Manager "2" and, thus, have a view of the product that is centered on the web services as well as scenarios that consume those services.  Further, this is going to be a very high level (thus, over simplified) view of the Microsoft Identity Lifecycle Manager "2" product.  If I were to dive into any depth with each of these components this blog post would threaten to turn into a book.  So to keep this to an appropriate length, I will be staying very high level.  I will use later blog posts to dive into depths of certain portions of a few components.  That disclaimer being said let me walk you around the Microsoft Identity Lifecycle Manager "2" product.

I break the Microsoft Identity Lifecycle Manager "2" product into four major components:  Synchronization Engine, Certificate Lifecycle Manager, Policy Service, and client applications.  The Synchronization Engine and Certificate Lifecycle Manager refer to the next versions of these components that shipped in Microsoft Identity Lifecycle Manager 2007.  The Policy Service and client applications refer to brand new components shipping first with Microsoft Identity Lifecycle Manager "2".  Let's look at each of these components in turn.

Synchronization Engine

The Synchronization Engine component of Microsoft Identity Lifecycle Manager "2" is the next version of the Synchronization Engine that shipped with Microsoft Identity Lifecycle Manager 2007.  It was previously known as Microsoft Integrated Identity Server (MIIS).  It is responsible for synchronizing, provisioning, and deprovisioning data across heterogeneous data stores.  What does that mean?  Well the Synchronization Engine is intended to sit between two different data stores that contain data that relates to each other and make sure that the two different stores remain synchronized when data changes in one or the other.  For example, many large enterprises store their HR data in a special data store like SAP.  That store maintains data related to personnel (payroll, contact information, etc).  There are additional data stores in the enterprise that also maintain data about employees.  Microsoft Active Directory (AD) maintains domain logon and access credentials for network users.  It is desired (if not required) that the data within the HR system and the data within AD stay in sync.  This is where the Synchronization Engine of Microsoft Identity Lifecycle Manager "2" comes into play.

Sitting between the Synchronization Engine and the various data stores are Management Agents (MAs).  An MA knows how to transfer data between the Synchronization Engine and the data store to which it is connected and back.  Enterprises then register, and configure, these MAs with a Synchronization Engine instance and schedule how frequently to run imports and exports of the data.

In addition to simply synchronizing data I mentioned the concepts of provisioning and deprovisioning data.  To over simplify these concepts, this essentially refers to creating or deleting new data in a data store in response to data changes in a second data store.  For example, when a new employee is added to an HR system the enterprise may need a new AD account to be created for that user.  Likewise, when an employee is removed from an HR system the enterprise would want that user's AD account to be deleted as well.  These examples describe basic provisioning and deprovisioning of an AD account in response to data changes in the HR data store.

Certificate Lifecycle Manager

The Certificate Lifecycle Manager (CLM) component of Microsoft Identity Lifecycle Manager "2" is the next version of CLM that shipped with Microsoft Identity Lifecycle Manager 2007.  It is responsible for managing the lifecycle of certificates within an enterprise and managing the lifecycle of the relationships between those certificates and users.  The CLM component includes its own web services and web portal providing the functionality for managing certificates.  With enterprises relying more and more on certificates, such as smart cards, for controlling access to resources ranging from physical building access to network login managing those certificates has become critical.  CLM provides enterprises the ability to issue, revoke, audit, suspend, and perform other actions on certificates.  Admittedly this is a portion of the ILM "2" product with which I am least familiar.

Policy Service

The Policy Service (ILM-PS) component is brand new functionality first shipping with Microsoft Identity Lifecycle Manager "2".  This is the portion of the Microsoft Identity Lifecycle Management product that I know the best (due to the fact that my code ownership for this product lies within the heart of this service).  This is also the component I will be focusing on long term with this blog.  For that reason, let me keep this description brief and very conceptual.  The Policy Service component is responsible for managing the lifecycle of "resources" within Microsoft Identity Lifecycle Manager "2".  Further, it exposes the management of these "resources" through a set of WS-STAR compliant web services.  You may ask:  what is a resource?  Well I am glad you asked that.  A resource is just a set of related data describable in a flat XML schema.  Think of it as an object.  In fact, you could think of a "resource" as the Microsoft Identity Lifecycle Manager "2" platform's version of System.Object.

The WS-STAR compliant web services are built on top of the Windows Communication Foundation.  This allows enterprises to leverage Windows Communication Foundation knowledge in building custom client solutions on top of the Policy Service.  Further, the Policy Service allows for enterprises to highly customize business processes involved with managing the lifecycle of resources.  The Policy Service makes use of the Windows Workflow Foundation as its underlying orchestration engine.  This, again, allows enterprises to leverage existing knowledge when customizing the Policy Service for solving custom business solutions.  I know this is a very thin description of the Policy Service, which is a very complex and rich component within the Microsoft Identity Lifecycle Manager "2" product.  However, it is because of that complexity and richness that I would rather provide a thin description here and dedicate an entire posting to just this component next week.

Client Applications

The client applications component includes the client experiences for the new Policy Service in Microsoft Identity Lifecycle Manager "2".  This includes three different client applications:  Outlook add-on, self-service password reset client, and resource management web portal.  The Outlook add-on allows information workers within an enterprise to manage group membership directly from within Outlook.  Users can join or leave groups themselves as well as add or remove other members from one or more groups without ever leaving Outlook.  Additionally, the Outlook add-on integrates the ILM-PS approval mechanism so that users may approve or reject requests for which their approval is required from email without need for logging onto the resource management web portal.  These approval request mails come into an inbox in the same way that Outlook meeting requests arrive.  Just as you accept or reject a meeting request through special buttons on that email, you can approve or reject an approval request with special buttons on the email.

The password reset client is actually a set of clients; a GINA plugin client for XP clients and a cred man plugin for Vista clients.  These plugins add a new button to the login screen of Windows clients that allows users to request a password reset themselves.  These clients then walk the user through the authentication gates configured by an enterprise's management policy rules (more on these in a later post) to confirm their identity.  Once their identity is confirmed the clients then prompt the user for a new password and interact with the ILM-PS appropriately to reset the users password according to an enterprise's password policy.

That is a (very) brief lap around the Microsoft Identity Lifecycle Manager "2" product.  I hope that this has provided the basis for an understanding of the various components of the Microsoft Identity Lifecycle Management and how they interact with each other to provide the rich set of functionality offered by the product.  Next, I will continue to dive deeper into the product, specifically the Policy Service, eventually working towards walking through building some custom solutions on top of the Microsoft Identity Lifecycle Manager "2" platform.

Next week:  "Microsoft Identity Lifecycle Manager "2" Policy Service: A Look Behind the Curtain"