Microsoft KB Archive/317823

= How to Use MMS to Create a Fire Scenario =

Article ID: 317823

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Metadirectory Services 2.2 Service Pack 1




This article was previously published under Q317823



SUMMARY
You can use Together Administration Management Agent (TAMA) to both provision users and manage objects when users are either hired or fired. To create a hire scenario, configure TAMA to create connectors in another management agent. It is more complicated to create a fire scenario. This article describes how to use Microsoft Metadirectory Services (MMS) to create a fire scenario.

NOTE: Before you complete the procedure that is described in this section, you must understand how TAMA operates. For additional information about TAMA, click the article number below to view the article in the Microsoft Knowledge Base:

303031 Understanding the Together Administration Management Agent (TAMA)



How to Create a Fire Scenario
Before you create a fire scenario, configure TAMA, and then provision your users to one or more other connected directories. In addition, verify that the Active Directory management agent has created enabled users in your Active Directory domain. You can adapt this concept for use with any management agent or connected directory.

How to Select a Metaverse Trigger Attribute
Before you create a fire scenario, you must select the attribute that triggers the deletion of the object. Generally, the disconnection comes from a Human Resources (HR)-type database. As an example, populate an attribute (for example, employeeStatus) in the HR database, and then set the value to Terminated.

The following text is an example of how your HR database may assign different employeeStatus values:

 employeeStatus = FullTime
 employeeStatus = PartTime
 employeeStatus = Contractor
 employeeStatus = Terminated

NOTE: The employeeStatus attribute is not currently in MMS. If an attribute is present in a connected directory, but it is not present in MMS, update the MMS schema. For more information about how to use Custom.oid and Custom.poi files to update the schema, see the "Appendix C: MMS Schema Files and Utilities" topic that is located in the MMS System Administration Manual online document.

How to Create Attribute Flow Rules for the HR Management Agent
The advanced attribute flow rules for the HR management agent automatically update the employeeStatus attribute if you change the value. Because you only need the value to be updated for person objects, test the metaverse object to verify that its structuralObjectClass is equal to person.

To set attribute flow for employeeStatus in the HR management agent:
 * 1) In Compass, click HR management agent.
 * 2) Click Attribute Flow.
 * 3) Click the Advanced Attribute flow rules tab.
 * 4) Add the following advanced attribute flow rule:

 If $mv.structuralObjectClass = Person then
   $mv.employeeStatus = $cd.employeeStatus
 endif

How to Use the $Disconnect_Specific Function
After you configure the attribute flow to update the value of the employeeStatus attribute from the HR directory to the metaverse, implement the $Disconnect_Specific function to disconnect joined entries. These entries include entries that are joined by either the join process or by provisioning. These processes are similar; the only difference between the processes is that the objects that are provisioned by TAMA are also stamped with the $cs.msMMS-ManagedByProfile attribute that is set to TRUE.

To set the $Disconnect_Specific function in attribute flow, follow these steps.

NOTE: In this example, this function is only in the Active Directory management agent. In many real world scenarios, there may be a number of connected directory management agents in which you must implement this code.
 * 1) In Compass, click Active Directory management agent.
 * 2) Click Attribute Flow.
 * 3) Click the Advanced Attribute Flow tab.
 * 4) Add the following code to the advanced attribute flow script:

 If $mv.structuralObjectClass = Person Then
   If $mv.employeeStatus = Terminated Then
     $Disconnect_Specific($MA)
   endif
 endif

NOTE: This code checks if the object is a person object, and then tests to see if the employeeStatus attribute is equal to Terminated. If these conditions are met, the code disconnects the object under the management agent where this code is run.

For additional information about the $Disconnect_Specific function, click the article number below to view the article in the Microsoft Knowledge Base:

294699 Use of the $Disconnect_Specific Function in MMS

How to Use the CD Flow Script to Send Attributes on Disconnect
The CD flow script is executed for objects that are both disconnected and have been assigned the $cs.msMMS-managedbyprofile = TRUE attribute. In addition, this script only makes assignments to the connected directory.

To configure the CD flow script:
 * 1) In Compass, click Active Directory management agent.
 * 2) Click Attribute Flow.
 * 3) Click the CD Flow tab.
 * 4) Add the following code:

 $cd.useraccountcontrol = 514

NOTE: If you set UserAccountControl to the value of 514, the object is disabled in Active Directory when an object is disconnected.

How to Use the msMMS-TimeToLive Attribute
When you set the msMMS-TimeToLive (TTL) attribute on objects, you configure the amount of time the object will exist before deletion. Many companies have a requirement for the amount of time that objects must exist in the connected directory before they are deleted. In this scenario, the TTL attribute is configured for 30 days, and it is configured globally for Entire Management Agent instead of specifically for each individual connector object. For additional information about the TTL attribute including how to set the value on individual connector objects, click the article number below to view the article in the Microsoft Knowledge Base:

299392 Understanding the MsMMS-TimeToLive Attribute

To set the msMMS-TimeToLive value:
 * 1) In Compass, click Active Directory management agent.
 * 2) On the Action menu, click Configure management agent.
 * 3) Click the Connected Directory Specifics tab.
 * 4) Click the Mode and Namespace Management tab.
 * 5) Type 2592000 (which equals 30 days) in the How long should disconnected CS entries persist box.
 * 6) Click OK to save the changes.

How to Assign a Null Value to the $mv.zcTaAccountResourceDNs Attribute
If you are using TAMA Rules to assign resources but you have not made provisions in the TAMA Rules script for terminated users, you must make the following adjustment to your rules script. This rules script example is taken from the following article:

303031 Understanding the Together Administration Management Agent (TAMA)

 $v_TAMABaseDN = f=Together Administration,$parent("$my_dsa")
 $v_parentDn = $DN_COMPONENT($mv.DN,2)

 IF $v_parentDN = MSD THEN
   $mv.zcTaAccountResourceDNs += res=AAA,$v_TAMABaseDN
   $mv.zcTaAccountResourceDNs += res=BBB,$v_TAMABaseDN
 ENDIF

When you run this script, you assign the base portion of the resource distinguished name. This action is not necessary for TAMA, but it illustrates a useful conditional decision point. You can assign multiple resources simultaneously.
 * 1) In Compass, click the TAMA that you used to provision users.
 * 2) Click Operate MA.
 * 3) Click TAMA Rules tab.
 * 4) Add the following code section to the end of the rules script:

 If $mv.employeeStatus = Terminated then
   $mv.zcTaAccountResourceDNs = $Null
 endif

 * 5) Click OK.

After you complete the procedure that is described in this article, configure the management agent to prevent the users that have been terminated from being re-created. To use exclusion rules to prevent this behavior:
 * 1) Click Active Directory management agent.
 * 2) Click Configure the management agent.
 * 3) Click Inclusions and Exclusions.
 * 4) Click Connected Directory.
 * 5) Add the following code:

 condition 1 $mv.employeeStatus = Terminated
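The following audit is an added example, not part of the original article or of MMS: it checks the three outcomes the fire scenario is meant to guarantee (account disabled by userAccountControl 514, object gone after the 2592000-second TTL, no re-creation) against constructed HR and Active Directory exports. The record layout, account names, dates, and the use of the HR termination time as a stand-in for the disconnect time are assumptions.

```python
from datetime import datetime, timedelta

ACCOUNTDISABLE = 0x0002   # userAccountControl bit; 514 = 512 (NORMAL_ACCOUNT) + 2
TTL_SECONDS = 2592000     # 30 days, the value entered for the management agent

def audit_fire_scenario(hr_rows, ad_rows, now):
    """Return sorted (account, finding) pairs for terminated users still in AD.

    hr_rows: {account: (employeeStatus, terminated_at or None)}  # assumed layout
    ad_rows: {account: (userAccountControl, whenCreated)}        # assumed layout
    """
    findings = []
    for account, (status, terminated_at) in hr_rows.items():
        if status != "Terminated" or account not in ad_rows:
            continue  # not terminated, or the object is already gone
        uac, when_created = ad_rows[account]
        if when_created > terminated_at:
            findings.append((account, "re-created after termination"))
        if not uac & ACCOUNTDISABLE:
            findings.append((account, "still enabled"))
        # Assumption: HR termination time approximates the disconnect time.
        if now - terminated_at > timedelta(seconds=TTL_SECONDS):
            findings.append((account, "present past TTL"))
    return sorted(findings)

def run_sample():
    """Audit constructed sample data (not real accounts)."""
    d = datetime
    hr = {
        "alice": ("FullTime", None),
        "bob": ("Terminated", d(2024, 1, 1)),
        "carol": ("Terminated", d(2024, 2, 20)),
        "dave": ("Terminated", d(2024, 2, 10)),
        "erin": ("Terminated", d(2024, 1, 1)),
        "frank": ("Terminated", d(2024, 2, 25)),
    }
    ad = {
        "alice": (512, d(2019, 5, 1)),
        "bob": (514, d(2020, 1, 1)),     # disabled, but older than the TTL
        "carol": (512, d(2021, 1, 1)),   # CD flow script never applied
        "dave": (512, d(2024, 2, 15)),   # created after termination
        "frank": (514, d(2019, 1, 1)),   # compliant: disabled, within TTL
    }
    return audit_fire_scenario(hr, ad, now=d(2024, 3, 1))

if __name__ == "__main__":
    for account, finding in run_sample():
        print(f"{account}: {finding}")
```

A "present past TTL" finding can be early by however long the management agent took to process the HR change, so confirm it against the actual disconnect time before acting on it.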

Additional query words: mms metadirectory zoomit

Keywords: kbinfo KB317823


© Microsoft Corporation. All rights reserved.