Scheduled notifications from the FIM Portal

Posted on by Carol

I was asked today to implement notification emails on changes to certain groups. Like many situations with the FIM Portal this turned out to be trickier than expected. A number of the groups are criteria-based so don’t actually have a member attribute as such. With no member-update request happening there’s nothing to actually trigger a notification workflow on.

Fortunately the customer was happy to have a daily scheduled email with a summary of changes, rather than immediate emails on every change. So I took inspiration from Bob Bradley’s Housekeeping Policy approach to solve the problem.

ROPU Workflows

The first thing to know about is the “Run on policy update” workflow.

When combined with a “Transition In” MPR this has the very useful effect of re-applying the policy to all members of the Transition In Set upon any change to the MPR. “Any change” includes enabling the MPR, so this is a simple way to force the policy to run against all the objects that are already in the set – effectively re-running any Action workflows, such as a notification.

So all I need to do is get an object in a set, make my ROPU workflow, then just toggle the Disabled switch off and on for the MPR when I want to fire the notification. Easy!

Workflow Configuration

The first thing my workflow does is call the PowerShell activity to gather the information I want to insert into the email. I format it as HTML and then pass it back to the workflow in a WorkflowData parameter.

The Email Template then simply includes the WorkflowData parameter:

 

Transition Set and MPR

Before I can create the MPR I need to create a set. It really doesn’t matter what is in the set in this example as I’m not using any values from the Target in the workflow, however I only want it to have one member so the notification only triggers once. For convenience I have the object receiving the notification as the member. (I expect I could extend this idea to include other objects needing notifications as well, though I’d need some logic matching set-members to their specific notification requirements.)

The MPR is then very simple to set up:

  • Type: Transition In
  • Disabled: True
  • Set: The set I created above
  • Action Workflow: The Notification workflow

Toggling the MPR

The final step is a simple little script that enables and then immediately disables the MPR, and which you can schedule as required.

This script uses the FIMPowerShell Function library from http://technet.microsoft.com/en-us/library/ff720152(v=ws.10).aspx
 

PARAM ($MPRName)

# Enables then disables an MPR.
# Used to trigger ROPU workflow.

. E:\scripts\FIMPowerShell.ps1

$Filter = "/ManagementPolicyRule[DisplayName='{0}']" -f $MPRName

$MPRObj = export-fimconfig -CustomConfig $Filter -OnlyBaseResources

$ModifyImportObject = ModifyImportObject -TargetIdentifier $MPRObj.ResourceManagementObject.ObjectIdentifier -ObjectType "ManagementPolicyRule"
SetSingleValue -ImportObject $ModifyImportObject -AttributeName "Disabled" -NewAttributeValue "False"
$ModifyImportObject | Import-FIMConfig

$ModifyImportObject = ModifyImportObject -TargetIdentifier $MPRObj.ResourceManagementObject.ObjectIdentifier -ObjectType "ManagementPolicyRule"
SetSingleValue -ImportObject $ModifyImportObject -AttributeName "Disabled" -NewAttributeValue "True"
$ModifyImportObject | Import-FIMConfig

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.

2 Replies to “Scheduled notifications from the FIM Portal”

  1. This is extremely cool. Thanks much for sharing!

    One thing that seems somewhat vague here is how you are getting that “time slice” of what has changed in the group members on criteria-based groups.

    I am fairly certain that I could get Powershell to give me the current /computedmember of criteria-based groups, but I am curious how you are getting just what has happened in the previous 24 hours.

  2. Hi Matt. It’s not very high tech – I keep a dump of the group list from the day before and then do a comparison. For criteria groups this means running an export-fimconfig using the group filter. At some point in the future I may get something in a reports database I can use instead.

    Also should add that I attempted to insert html in that workflow data and it didn’t work at all because FIM helpfully converted the symbols to html codes, so only basic text works. You can get round it with a custom notification activity or by sending the email direct from powershell (which kind of makes this whole process a bit pointless).

    Still the MPR toggling is a useful approach for other things as well. I’m using it so I can schedule cleanup jobs to run at night based on transition sets, instead of firing as soon as the object transitions in.

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA Image

*