FIM ScriptBox Item

Summary

When you manage resources with FIM, it is possible that a resource was accentually brought into the scope of the wrong outbound synchronization rule.
The objective of this article is to explain how to fix this.

To manage your resource in external systems with FIM, you need to bring them into the scope of the related synchronization rules.
This means, you link a resource with an outbound synchronization rule by creating an Expected Rules Entry (ERE).
The following picture outlines the related architecture:

This process is defined by your synchronization policy. A synchronization policy consists of 4 components:

  • A Management Policy Rule (MPR)
  • A Set
  • A Workflow
  • An Outbound Synchronization Rule

The following picture outlines the related architecture:

The process of bringing a resource into the scope of a synchronization rule starts with the transition of the resource into a specific set.
After the resource has transitioned into this set, the FIM service invokes the set transition MPR you have defined in your synchronization policy.
The MPR invokes the configured workflow.
In your workflow definition, you must have a synchronization rule and an action defined.
To bring the resource into the scope of a synchronization rule, an Add must be defined as action:

When this process has completed, your resource is in the scope of the synchronization rule:

You can find a more detailed description of this process in “Understanding Data Synchronization with External Systems”.

If you need to remove a resource from the scope of a synchronization rule, you also need to implement a synchronization policy that consists of temporary components.
The main difference is that your temporary workflow is configured to remove the resource form the scope of the synchronization rule:

While it is possible to create the required components manually, it helps you to safe some time by automating this process in form of a script.
The script would first check whether your temporary MPR, workflow and set already exist.
If so, the script deletes them.

After the object information about the resource and the synchronization rule have been retrieved the script creates the required temporary components of the synchronization policy.
When you develop the script, the only little challenge is the definition of the Workflow activity because the related attribute has a complete XML block as attribute value.
You can get the required XML block from an existing workflow definition.
The only part, the script code needs to update, is the ID of the synchronization rule:

Creating the temporary MPR is a straight forward process. In your script code, you set the following attributes:

Attribute Value
ActionParameters *
ActionType Transition In
ActionWorkflowDefinition <ID of the temporary workflow>
Disabled False
GrantRight False
ManagementPolicyRuleType SetTransition
ResourceFinalSet <ID of the temporary set>

<><><><><>To trigger a set transition in your temporary set, the script code makes the related resource a static member. As a last step, the script deletes the temporary components again. When the script has completed successfully, you should review the provisioning status of your resource. Your resource should have a pending remove operation for the related synchronization rule.

To actually remove the relationship between the resource and the synchronization rule, a synchronization cycle is required. This means, you need to run the following run profiles on your FIM management agent:

  1. Delta Import
  2. Delta Synchronization
  3. Export

 

 

 

 

To trigger a set transition in your temporary set, the script code makes the related resource a static member.
As a last step, the script deletes the temporary components again.

When the script has completed successfully, you should review the provisioning status of your resource.
Your resource should have a pending remove operation for the related synchronization rule:

To actually remove the relationship between the resource and the synchronization rule, a synchronization cycle is required.
This means, you need to run the following run profiles on your FIM management agent:

  1. Delta Import
  2. Delta Synchronization
  3. Export

 

Script Code

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
#--------------------------------------------------------------------------------------------------------------------
 Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice" -Option Constant 
#--------------------------------------------------------------------------------------------------------------------
 Function SubmitResource
 {
    Param($Resource)
    End 
    {
       $Resource | Import-FIMConfig -uri $URI `
                                    -ErrorVariable Err `
                                    -ErrorAction SilentlyContinue 
       If($Err){Throw $Err}
    }   
 }
#--------------------------------------------------------------------------------------------------------------------
 Function ExportResources
 {
    Param($Filter)
End 
{
   $CurObjects = export-fimconfig -uri $URI `
                                      –onlyBaseResources `
                                      -customconfig ($Filter)`
                                -ErrorVariable Err `
                                      -ErrorAction SilentlyContinue 
 
   If($Err){Throw $Err}
   Return $CurObjects
}
 }
#--------------------------------------------------------------------------------------------------------------------
 Function AddMemberToSet
 {
    Param($Set, $NewMember)
End
{
   $ResourceId = @($Set)[0].ResourceManagementObject.ObjectIdentifier
   $ObjectType = @($Set)[0].ResourceManagementObject.ObjectType 

       $ImportObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
       $ImportObject.ObjectType = $ObjectType
       $ImportObject.TargetObjectIdentifier = $ResourceId
       $ImportObject.SourceObjectIdentifier = $ResourceId
       $ImportObject.State = 1 
 
       AddChangeToResource -Resource       $ImportObject `
                       -AttributeName  "ExplicitMember" `
   -AttributeValue $NewMember `
   -Operation      0

   SubmitResource -Resource $ImportObject
}
 }
#--------------------------------------------------------------------------------------------------------------------
 Function AddChangeToResource
 {
    Param($Resource, $AttributeName, $AttributeValue, $Operation)
    End
    {
       $ImportChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
       $ImportChange.Operation = $Operation
       $ImportChange.AttributeName = $AttributeName
       $ImportChange.AttributeValue = $AttributeValue
       $ImportChange.FullyResolved = 1
       $ImportChange.Locale = "Invariant"
         
       If($Resource.Changes -eq $null)
       {$Resource.Changes = (,$ImportChange)}
       Else {$Resource.Changes += $ImportChange}
    }
 }
#--------------------------------------------------------------------------------------------------------------------
 Function CreateResource
 {
    Param($ObjectType, $DisplayName)
    End
    {
       $NewResource = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
       $NewResource.ObjectType = $ObjectType
       $NewResource.SourceObjectIdentifier = [System.Guid]::NewGuid().ToString()
         
       AddChangeToResource -Resource      $newResource `
                           -AttributeName "DisplayName" `
                           -AttributeValue $DisplayName `
                           -Operation     "1"
                                       
       Return $NewResource
    } 
 }
#--------------------------------------------------------------------------------------------------------------------
 Function DeleteResource
 {
    PARAM($Resource)
    END
    {
   $ObjectId = (($Resource.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
       $ObjectType = $Resource.ResourceManagementObject.ObjectType 

       $ImportObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
       $ImportObject.ObjectType = $ObjectType
       $ImportObject.TargetObjectIdentifier = $ObjectId
       $ImportObject.SourceObjectIdentifier = $ObjectId
       $ImportObject.State = 2 
       
   SubmitResource $ImportObject
    } 
 }
#--------------------------------------------------------------------------------------------------------------------
 Function ExportSingleResource
 {
    Param($Filter)
End
{
   $CurObject = ExportResources -Filter $Filter

       If($CurObject -eq $null) {Throw "Resource not found: $Filter"}
   If(@($CurObject).Count -ne 1) {Throw "Multiple objects found: $Filter"}
   
   Return $CurObject
}
 }
#----------------------------------------------------------------------------------------------------------
 Function MustNotExist
 {
    Param($Filter)
End
{
   $CurObjects = ExportResources -Filter $Filter
   If($CurObjects -eq $null) {Return}
   
   $CurObjects | ForEach {
      DeleteResource -Resource $_
   }   
}
 }
#----------------------------------------------------------------------------------------------------------
 If($args.count -eq 0)
 {
    Write-Host "To run this script, you need to provide two parameters:"
Write-Host "1) The name of the affected resource"
Write-Host "2) The name of the afected synchronization rule"
Exit
 }
 If($args.count -ne 2) {Throw "A required parameter is missing!"}
 $ResourceName = $args[0]
 $SyncRuleName = $args[1]
 
 If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {Add-PSSnapin FIMAutomation}
 Clear-Host
 $iStep = 0
 $iMax  = 12
 
 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Removing MPR: 1MPR" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 MustNotExist -Filter "/ManagementPolicyRule[DisplayName='1MPR']"

 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Removing workflow: 1WorkFlow" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 MustNotExist -Filter "/WorkflowDefinition[DisplayName='1WorkFlow']"
 
 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Removing set: 1Set" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 MustNotExist -Filter "/Set[DisplayName='1Set']"
 
 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Retrieving resource: $ResourceName" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 $Resource = ExportSingleResource -Filter "/Person[DisplayName='$ResourceName']"

 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Retrieving resource: $SyncRuleName" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 $SyncRule = ExportSingleResource -Filter "/SynchronizationRule[DisplayName='$SyncRuleName']" 

 
 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Creating Set: 1Set" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 $Set = CreateResource -Objecttype "Set" -DisplayName "1Set"
 SubmitResource -Resource $Set
 $Set = ExportSingleResource -Filter "/Set[DisplayName='1Set']"

 
 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Creating Workflow: 1WorkFlow" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 $Workflow   = CreateResource -Objecttype "WorkflowDefinition" -DisplayName "1Workflow"
 $SetId      = ((@($Set)[0].ResourceManagementObject.ObjectIdentifier).split(":"))[2]
 $SyncRuleId = ((@($SyncRule)[0].ResourceManagementObject.ObjectIdentifier).split(":"))[2]
 
 $XOML = "<ns0:SequentialWorkflow x:Name=""SequentialWorkflow"" ActorId=""00000000-0000-0000-0000-000000000000"" " + `
         "WorkflowDefinitionId=""00000000-0000-0000-0000-000000000000"" RequestId=""00000000-0000-0000-0000-000000000000"" " + `
 "TargetId=""00000000-0000-0000-0000-000000000000"" xmlns:x=""http://schemas.microsoft.com/winfx/2006/xaml"" " + `
 "xmlns:ns0=""clr-namespace:Microsoft.ResourceManagement.Workflow.Activities;Assembly=Microsoft.ResourceManagement, " + `
 "Version=4.0.3531.2, Culture=neutral, PublicKeyToken=31bf3856ad364e35""> " + `
 "<ns0:SynchronizationRuleActivity RemoveValue=""{x:Null}"" AttributeId=""00000000-0000-0000-0000-000000000000"" " + `
 "AddValue=""{x:Null}"" x:Name=""authenticationGateActivity1"" SynchronizationRuleId=""" + `
 $($SyncRuleId) + `
 """ Action=""Remove""> " + `
 "<ns0:SynchronizationRuleActivity.Parameters> <x:Array Type=""{x:Type ns0:SynchronizationRuleParameter}"" /> " + `
 "</ns0:SynchronizationRuleActivity.Parameters> </ns0:SynchronizationRuleActivity> </ns0:SequentialWorkflow>"

 AddChangeToResource -Resource       $Workflow `
                     -AttributeName  "XOML" `
                     -AttributeValue $XOML `
             -Operation      "1"

 AddChangeToResource -Resource       $Workflow `
                     -AttributeName  "RequestPhase" `
             -AttributeValue "Action" `
                 -Operation      "1"

 
 AddChangeToResource -Resource       $Workflow `
                     -AttributeName  "RunOnPolicyUpdate" `
             -AttributeValue "False" `
                 -Operation      "1"
 
 SubmitResource -Resource $Workflow
 $Workflow = ExportSingleResource -Filter "/WorkflowDefinition[DisplayName='1Workflow']"
 $WorkflowId =((@($Workflow)[0].ResourceManagementObject.ObjectIdentifier).split(":"))[2]
 
 
 
 
 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Creating MPR: 1MPR" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 $MPR = CreateResource -Objecttype "ManagementPolicyRule" -DisplayName "1MPR"
 
 AddChangeToResource -Resource       $MPR `
                     -AttributeName  "ActionParameter" `
                     -AttributeValue "*" `
                     -Operation      "0"

 AddChangeToResource -Resource       $MPR `
                     -AttributeName  "ActionType" `
                     -AttributeValue "TransitionIn" `
                     -Operation      "0"

 AddChangeToResource -Resource       $MPR `
                     -AttributeName  "ActionWorkflowDefinition" `
                     -AttributeValue $WorkflowId `
                     -Operation      "0"

 AddChangeToResource -Resource       $MPR `
                     -AttributeName  "Disabled" `
                     -AttributeValue "False" `
                     -Operation      "1"

 AddChangeToResource -Resource       $MPR `
                     -AttributeName  "GrantRight" `
                     -AttributeValue "False" `
                     -Operation      "1"
         
 AddChangeToResource -Resource       $MPR `
                     -AttributeName  "ManagementPolicyRuleType" `
                     -AttributeValue "SetTransition" `
                     -Operation      "1"
                                       
 AddChangeToResource -Resource       $MPR `
                     -AttributeName  "ResourceFinalSet" `
         -AttributeValue $SetId `
                     -Operation      "0"
                                 
 SubmitResource -Resource $MPR


 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Updating Set membership" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 $ResourceId = ((@($Resource)[0].ResourceManagementObject.ObjectIdentifier).split(":"))[2]
 AddMemberToSet -Set $Set -NewMember $ResourceId 
 

 
 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Deleting MPR: 1MPR" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 MustNotExist -Filter "/ManagementPolicyRule[DisplayName='1MPR']"


 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Deleting Workflow: 1Workflow" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 MustNotExist -Filter "/WorkflowDefinition[DisplayName='1WorkFlow']"


 $iStep++
 $ProgressPreference ="Continue"
 Write-Progress -activity "Deleting Set: 1Set" `
                -status "Please wait" -percentcomplete ([int]($iStep/$iMax * 100)) `
                -currentoperation "Processing step $iStep of $iMax"
 $ProgressPreference ="SilentlyContinue"
 MustNotExist -Filter "/Set[DisplayName='1Set']"
#----------------------------------------------------------------------------------------------------------
 Trap 
 { 
    Write-Host "`nError: $($_.Exception.Message)`n" -foregroundcolor white -backgroundcolor darkred
    Exit 1
 }
#----------------------------------------------------------------------------------------------------------

 

note Note
To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.