How to Use MMS to Create a Fire Scenario (317823)



The information in this article applies to:

  • Microsoft Metadirectory Services 2.2 SP1

This article was previously published under Q317823

SUMMARY

You can use Together Administration Management Agent (TAMA) to both provision users and manage objects when users are either hired or fired. To create a hire scenario, configure TAMA to create connectors in another management agent. It is more complicated to create a fire scenario. This article describes how to use Microsoft Metadirectory Services (MMS) to create a fire scenario.

NOTE: Before you complete the procedure that is described in this section, you must understand how TAMA operates. For additional information about TAMA, click the article number below to view the article in the Microsoft Knowledge Base:

303031 Understanding the Together Administration Management Agent (TAMA)

MORE INFORMATION

How to Create a Fire Scenario

Before you create a fire scenario, configure TAMA, and then provision your users to one or more other connected directories. In addition, verify that the Active Directory management agent has created enabled users in your Active Directory domain. You can adapt this concept for use with any management agent or connected directory.

How to Select a Metaverse Trigger Attribute

Before you create a fire scenario, you must select the attribute that triggers the deletion of the object. Generally, the disconnection comes from a Human Resources (HR)-type database. For example, populate an attribute such as employeeStatus in the HR database, and then set the value to Terminated.

The following text is an example of how your HR database may assign different employeeStatus values:
employeeStatus = FullTime
employeeStatus = PartTime
employeeStatus = Contractor
employeeStatus = Terminated
				
NOTE: The employeeStatus attribute is not currently in MMS. If an attribute is present in a connected directory, but it is not present in MMS, update the MMS schema. For more information about how to use Custom.oid and Custom.poi files to update the schema, see the "Appendix C: MMS Schema Files and Utilities" topic that is located in the MMS System Administration Manual online document.

How to Create Attribute Flow Rules for the HR Management Agent

The advanced attribute flow rules for the HR management agent automatically update the employeeStatus attribute if you change the value. Because you only need the value to be updated for person objects, test the metaverse object to verify that its structuralObjectClass is equal to person.

To set attribute flow for employeeStatus in the HR management agent:
  1. In Compass, click HR management agent.
  2. Click Attribute Flow.
  3. Click the Advanced Attribute flow rules tab.
  4. Add the following advanced attribute flow rule:
    If $mv.structuralObjectClass = Person
    then
    $mv.employeeStatus = $cd.employeeStatus
    endif
    					

How to Use the $Disconnect_Specific() Function

After you configure the attribute flow to update the value of the employeeStatus attribute from the HR directory to the metaverse, implement the $Disconnect_Specific() function to disconnect joined entries. These entries include entries that are joined either by the join process or by provisioning. These processes are similar; the only difference between them is that the objects that are provisioned by TAMA are also stamped with the $cs.msMMS-ManagedByProfile attribute that is set to TRUE.

To set the $Disconnect_Specific() function in attribute flow, follow these steps.

NOTE: In this example, this function is only in the Active Directory management agent. In many real world scenarios, there may be a number of connected directory management agents in which you must implement this code.
  1. In Compass, click Active Directory management agent.
  2. Click Attribute Flow.
  3. Click the Advanced Attribute Flow tab.
  4. Add the following code to the advanced attribute flow script:
    If $mv.structuralObjectClass = Person
    Then
      If $mv.employeeStatus = Terminated
      Then
      $Disconnect_Specific($MA())
      endif
    endif
    					
    NOTE: This code checks if the object is a person object, and then tests to see if the employeeStatus attribute is equal to Terminated. If these conditions are met, the code disconnects the object under the management agent where this code is run.
For additional information about the $Disconnect_Specific() function, click the article number below to view the article in the Microsoft Knowledge Base:

294699 Use of the $Disconnect_Specific() Function in MMS

How to Use the CD Flow Script to Send Attributes on Disconnect

The CD flow script is executed for objects that are both disconnected and have been assigned the $cs.msMMS-managedbyprofile = TRUE attribute. In addition, this script only makes assignments to the connected directory.

To configure the CD flow script:
  1. In Compass, click Active Directory management agent.
  2. Click Attribute Flow.
  3. Click the CD Flow tab.
  4. Add the following code:
    $cd.useraccountcontrol = 514
    					
    NOTE: If you set UserAccountControl to the value of 514, the object is disabled in Active Directory when it is disconnected.
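
The following Python sketch is an added example, not part of the original article or of MMS. It decodes userAccountControl with the documented Active Directory flag bits, shows which existing flags a literal assignment of 514 clears, and checks constructed HR and Active Directory records for terminated users whose accounts are still enabled. The function names and the sample data are assumptions made for illustration.

```python
# Added example: the bit values are Active Directory's documented
# userAccountControl flags; function names and sample records are constructed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def flags_lost_by_overwrite(current, new=514):
    """Flags set on the account now that a literal assignment of `new` clears."""
    return decode_uac(current & ~new)


def audit_terminated(hr_status, ad_uac):
    """Report users marked Terminated in HR whose AD account is still enabled."""
    findings = {}
    for user, status in hr_status.items():
        uac = ad_uac.get(user)  # None once the connector object has been deleted
        if status == "Terminated" and uac is not None and not uac & ACCOUNTDISABLE:
            findings[user] = "still enabled: " + ",".join(decode_uac(uac))
    return findings


# Constructed sample data (not from the article).
HR = {"alice": "FullTime", "bob": "Terminated",
      "carol": "Terminated", "dave": "Terminated"}
AD = {"alice": 512, "bob": 514, "carol": 66048}  # 66048 = 0x10200

if __name__ == "__main__":
    print(decode_uac(514))                 # flags that make up 514
    print(flags_lost_by_overwrite(66048))  # flags dropped by "= 514"
    print(audit_terminated(HR, AD))        # terminated but not disabled
```

Because the CD flow rule assigns the whole value rather than setting one bit, any other flag that was present on the account is cleared when the object is disabled.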

How to Use the msMMS-TimeToLive Attribute

When you set the msMMS-TimeToLive (TTL) attribute on objects, you configure the amount of time that the object exists before deletion. Many companies require that objects exist in the connected directory for a set amount of time before they are deleted. In this scenario, the TTL attribute is configured for 30 days, and it is configured globally for the entire management agent instead of specifically for each individual connector object. For additional information about the TTL attribute, including how to set the value on individual connector objects, click the article number below to view the article in the Microsoft Knowledge Base:

299392 Understanding the MsMMS-TimeToLive Attribute

To set the msMMS-TimeToLive value:
  1. In Compass, click Active Directory management agent.
  2. On the Action menu, click Configure management agent.
  3. Click the Connected Directory Specifics tab.
  4. Click the Mode and Namespace Management tab.
  5. Type 2592000 (which equals 30 days) in the How long should disconnected CS entries persist box.
  6. Click OK to save the changes.

How to Assign a Null Value to the $mv.zcTaAccountResourceDNs Attribute

If you are using TAMA Rules to assign resources but you have not made provisions in the TAMA Rules script for terminated users, you must make the following adjustment to your rules script. This rules script example is taken from the following article:

303031 Understanding the Together Administration Management Agent (TAMA)


$v_TAMABaseDN = f=Together Administration,$parent("$my_dsa()")
$v_parentDn = $DN_COMPONENT($mv.DN,2) 

IF $v_parentDN = MSD
THEN
      $mv.zcTaAccountResourceDNs += res=AAA,$v_TAMABaseDN
      $mv.zcTaAccountResourceDNs += res=BBB,$v_TAMABaseDN
ENDIF
				
When you run this script, you assign the base portion of the resource distinguished name. This action is not necessary for TAMA, but it illustrates a useful conditional decision point. You can assign multiple resources simultaneously.
  1. In Compass, click the TAMA that you used to provision users.
  2. Click Operate MA.
  3. Click the TAMA Rules tab.
  4. Add the following code section to the end of the rules script:
    If $mv.employeeStatus = Terminated
    then
    $mv.zcTaAccountResourceDNs = $Null
    endif
    					
  5. Click OK.
After you complete the procedure that is described in this article, configure the management agent to prevent the users that have been terminated from being re-created. To use exclusion rules to prevent this behavior:
  1. Click Active Directory management agent.
  2. Click Configure the management agent.
  3. Click Inclusions and Exclusions.
  4. Click Connected Directory.
  5. Add the following code:
    condition 1
    $mv.employeeStatus = Terminated
    					

Modification Type: Major
Last Reviewed: 9/30/2003
Keywords:kbinfo KB317823