Requests

 

In the argot of Microsoft Identity Lifecycle Manager, a request is a request to perform some operation on resource or on all or some of the attributes of a resource.  The resource to which a request refers is generally known as the target of the request. 

 

Sets

 

A set is a named collection of resources identified by a given filter expression, plus any resources that are added to the set regardless of whether or not those resources match the filter expression.  Resources that are added to a set regardless of whether they is identified by the set's filter expression, are referred to as explicit members of the set, and the act of adding or removing such members is referred to as explicitly adding or explicitly removing a resource. 

 

Recursive Sets

 

Recursive sets are sets with recursive filter expression.  A recursive filter expression incorporates a secondary filter expression, and also names an attribute.  The set includes every resource identified by the named attribute of any resource that is identified by the secondary filter expression, and it also includes every resource identified by the named attribute of any resource that is a member of the set.  The attribute named by the filter of a recursive set will be referred to, below, as the recursive set's recursive attribute. 

 

Set Membership Conditions

 

A set has membership conditions which are used to determine whether any given resource, in any given state, at any given point in time, belongs to the set.  Each membership condition consists of one or more statements, each of which must be true for the given resource, in its specified state, if the resource, in that state, is to satisfy the membership condition.  A resource must satisfy at least one of the membership conditions of a set in order for it to be among those resources identified by the filter expression. 

 

Each statement of a membership condition is an assertion about the value of an attribute of a resource.  Therefore, whenever an attribute of a resource is to be modified by a request, one can identify the membership condition statements that pertain to that attribute, and, thereby, identify the sets that the resource may join or leave as a result of the modification. 

 

Management Policy Rules

 

Management policy rules stipulate who can request which changes to which resources.  They also specify which workflows must be executed at which stage in the processing of a request. 

 

Request Evaluation

 

When a request is submitted, a representation of the request is created in the Microsoft Identity Lifecycle Manager data store.  Then the implications of the management policy rules for the request are determined.  That step of determining the implications of the management policy rules for a request is generally referred to as request evaluation. 

 

The management policy rules can have the following implications for a request:

1.      They can grant the right for the request to be executed. 

2.      If no rule grants the right for the request to be executed, then the request is denied. 

3.      The rules can specify that certain authentication workflows must be completed before the request may be executed. 

4.      The rules can specify that certain authorization workflows must be completed before the request may be executed. 

5.      The rules can specify that once the request has been executed, certain action workflows must be executed on the target. 

6.      The rules can specify that once the request has been executed, certain action workflows must be executed on resources other than the target.  An action that is to be performed on a resource as a result of a request is generally referred to as a collateral action if the resource is not the target of the request. 

 

The scope of a management policy rule is most commonly defined in terms of the set that the target of the request would join if the request was to be executed.  For example, one might have a management policy rule that says that a certain action workflow is to be executed on the target of a request if the target will join the set of resources located at a certain address as a result of the request.  Consequently, in order to determine which management policy rules may apply to a request, it is necessary to ascertain which sets the target will join if the request were to be executed.  Since the request evaluation process must therefore determine at least some of the implications of the request on set membership, it has been given the task of calculating all of those implications. 

 

 

The Scope of Management Policy Rules

 

Whether a management policy rule applies to a request depends on the scope of the rule.  The scope of the rule a rule is controlled by several attributes:

1.      The ActionType attribute: this attribute identifies an operation that may be requested.  Other things being equal, a management policy rule applies to a request if the operation that is requested is one of those identified by the ActionType attribute of the rule. 

2.      The ActionParameter attribute: this attribute identifies an attribute of a resource to which a modification may be requested.  Other things being equal, a management policy rule applies to a request if the attribute of a resource to which a modification is requested is one of those identified by the ActionParameter attribute of the rule.   

3.      The PrincipalSet attribute: this attribute of management policy rules identifies a set, and, other things being equal, a management policy rule applies to a request if the initiator of the request is a member of the set identified by the PrincipalSet attribute of the rule. 

4.      The PrincipalRelativeToResource attribute: this attribute of a management policy rule identifies an attribute of a resource.  Other things being equal, a management policy rule applies to a request if it is true, for the target of the request, that the initiator of the request is identified by the value of the attribute specified by the rule's PrincipalRelativeToResource attribute.  For example, if the value of the PrincipalRelativeToResource attribute is Manager for a management policy rule, X, then, other things being equal, the rule applies to any request that is initiated by a someone who is the manager of the target of the request.  If a management policy rule has a PrincipalRelativeToResource attribute, then it cannot also have a PrincipalSet attribute. 

5.      The ResourceCurrentSet attribute: this attribute of a management policy rule identifies a set.  Other things being equal, a management policy rule applies to a request if the target of the request currently belongs to the set identified by the management policy rule's ResourceCurrentSet attribute. 

6.      The ResourceCurrentRelativeToPrincipal attribute: this attribute of a management policy rule identifies an attribute of a resource.  Other things being equal, a management policy rule applies to a request if it is true, for the initiator of the request, that the target of the request is identified by the value of the attribute specified by the rule's ResourceCurrentRelativeToPrincipal attribute.  For example, if the value of the ResourceCurrentRelativeToPrincipal attribute is Assistant for a management policy rule, X, then, other things being equal, the rule applies to any request that is initiated by a someone whose assistant is the target of the request.  If a management policy rule has a ResourceCurrentRelativeToPrincipal attribute, then it cannot also have a ResourceCurrentSet attribute. 

7.      The ResourceFinalSet attribute: this attribute of a management policy rule identifies a set.  Other things being equal, a management policy rule applies to a request if, after the request has been processed, the target of the request will belong to the set identified by the management policy rule's ResourceCurrentSet attribute. 

8.      The ResourceFinalRelativeToPrincipal attribute: this attribute of a management policy rule identifies an attribute of a resource.  Other things being equal, a management policy rule applies to a request if it will be true, for the initiator of the request, after the request has been processed, that the target of the request is identified by the value of the attribute specified by the rule's ResourceFinalRelativeToPrincipal attribute.  For example, if the value of the ResourceFinalRelativeToPrincipal attribute is Assistant for a management policy rule, X, then, other things being equal, the rule applies to any request that is initiated by someone who is requesting a modification to their own data to make someone else their assistant.  Other things being equal, the rule would also apply to any request that is initiated by someone whose current assistant is the target of the request, unless the request was to delete that resource, in which case, after the request has been processed, the target would no longer exist to be the assistant of the person who initiated the request.  If a management policy rule has a ResourceFinalRelativeToPrincipal attribute, then it cannot also have a ResourceFinalSet attribute. 

 

Rights

 

If someone makes a request, and that request is permitted according to the management policy rules, then, in the Microsoft Identity Lifecycle Manager argot, that person has the right to make that request.  However, even if a person has the right to make a request, the management policy rules may require that other people authorize the request.  In other words, the right to make a request is not always sufficient for the request to be authorized. 

 

If a management policy rule applies to a request and the value of that rule's optional GrantsRight parameter is 1, then that rule grants the right for some or all of the requested modifications to be made.  Specifically, the right is granted for the requested modifications to those attributes that are referred to by the ActionParameter attribute of the rule.  If the ActionParameter attribute of the management policy rule only refers to one attribute, but the request is to modify several attributes, then, unless other management policy rules permit the requested modifications to those other attributes, the request is denied.