2 Way Account Expires Rules Extension
Updated 11/26/2017
To help explain how to manage the "accountExpires" attribute in AD together with the "employeeEndDate" attribute in the FIM / MIM Portal, I have created a supporting post that goes deeper into how to implement the solution below:
Rules Extensions – Understanding Date Time Conversion Part 1
The following is C# code that can be used to build a Rules Extension to be applied to the ADMA which converts the following:
1. accountExpires attribute on a user in AD to the Employee End Date attribute in the Portal
2. Employee End Date of a user in the Portal to the accountExpires attribute in AD.
Prerequisite
- Create the following custom attribute in the metaverse if it does not already exist
  Name: employeeEndDate
  Attribute Type: Indexed String
The following code is pulled from the Rules Extension - MAExtension post
Management Agent Attribute Flow
When setting the attribute flow, be sure to verify that you are selecting the correct Flow Direction and a Mapping Type of Advanced. Notice the exceptionally long names given to the rules extension functions. This is not ideal, but for the initial instruction on how to deploy this solution I named the functions this way to assist in understanding the data flow between the connector space and the metaverse.
accountExpires <- employeeEndDate cd.user:accountExpires<-mv.person:employeeEndDate
accountExpires -> employeeEndDate cd.user:accountExpires->mv.person:employeeEndDate
In the updated example I use a much cleaner naming standard for my functions.
To convert the accountExpires attribute to the employeeEndDate attribute in the metaverse, so that it can be exported to the FIM Portal, add the following piece of code within the "void IMASynchronization.MapAttributesForImport" section
    case "employeeEndDate":
        // 0 and 9223372036854775807 (Int64.MaxValue) both mean "never expires" in AD
        if (csentry["accountExpires"].IntegerValue == 0 || csentry["accountExpires"].IntegerValue == 9223372036854775807)
        {
            // This is a special condition, do not contribute and delete any current value
            mventry["employeeEndDate"].Delete();
        }
        else
        {
            // Convert the AD FILETIME integer to the date string format the Portal requires
            DateTime dtFileTime = DateTime.FromFileTime(csentry["accountExpires"].IntegerValue);
            mventry["employeeEndDate"].Value =
                dtFileTime.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'");
        }
        break;
IMPORTANT NOTE:
Notice the format of the DateTime that the accountExpires attribute is being converted into: "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'". Notice the 'T'. If the dtFileTime.ToString output is not in this exact format, the sync engine will fail to export the value to the FIM / MIM Portal. This is not the same format used for all data sources. SQL, Oracle and other data sources may accept a wide array of date time formats, but when working with the FIM / MIM Portal it has to be this format.
If you are setting the employeeEndDate in the FIM Portal and you wish to update the accountExpires attribute in Active Directory, then you need to add the following code within the "void IMASynchronization.MapAttributesForExport" section
    case "accountExpires":
        // CultureInfo requires "using System.Globalization;" at the top of the file
        CultureInfo provider = CultureInfo.InvariantCulture;
        // Only flow a value when the metaverse has an employeeEndDate to convert
        if (mventry["employeeEndDate"].IsPresent)
        {
            DateTime dtFileTime = DateTime.ParseExact(mventry["employeeEndDate"].Value, "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'", provider);
            csentry["accountExpires"].IntegerValue = dtFileTime.ToFileTime();
        }
        break;
If you wish to be able to set the accountExpires or the employeeEndDate value from either Active Directory or the FIM Portal, you will need to make this bidirectional. This can be accomplished by having both pieces of the above code in place, as well as setting equal precedence in the Synchronization Service for the employeeEndDate attribute on the person object.
Need another example of the code? See Rules Extensions – Understanding Date Time Conversion Part 2
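The two conversions above as a stand-alone console program, added here as an example and not taken from the original post; the helper names ToPortalDate and ToAccountExpires and the sample value are constructed for illustration. It uses the same DateTime calls and format string as the snippets, and shows that a round trip through the Portal format drops the sub-second part of the AD value.

```csharp
using System;
using System.Globalization;

static class AccountExpiresDemo
{
    // Format string from the post; the Portal export requires exactly this shape.
    const string PortalFormat = "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'";

    // AD uses 0 and Int64.MaxValue to mean "never expires".
    static bool NeverExpires(long accountExpires) =>
        accountExpires == 0 || accountExpires == long.MaxValue;

    // Import direction: FILETIME integer -> Portal date string, or null for "never".
    static string ToPortalDate(long accountExpires)
    {
        if (NeverExpires(accountExpires))
            return null; // the caller deletes the metaverse value instead
        return DateTime.FromFileTime(accountExpires)
                       .ToString(PortalFormat, CultureInfo.InvariantCulture);
    }

    // Export direction: Portal date string -> FILETIME integer.
    static long ToAccountExpires(string employeeEndDate)
    {
        DateTime parsed = DateTime.ParseExact(
            employeeEndDate, PortalFormat, CultureInfo.InvariantCulture);
        return parsed.ToFileTime();
    }

    static void Main()
    {
        // Constructed sample: a local time plus 1234567 ticks of sub-second data.
        long original = new DateTime(2018, 1, 15, 12, 30, 0, DateTimeKind.Local)
                            .ToFileTime() + 1234567;

        string portal = ToPortalDate(original);
        long roundTrip = ToAccountExpires(portal);

        Console.WriteLine("Portal value : " + portal);
        Console.WriteLine("Original     : " + original);
        Console.WriteLine("Round trip   : " + roundTrip);
        Console.WriteLine("Ticks lost   : " + (original - roundTrip));

        // Sentinels must be filtered first: FromFileTime throws on Int64.MaxValue.
        Console.WriteLine("0        -> " + (ToPortalDate(0) ?? "(no value)"));
        Console.WriteLine("MaxValue -> " + (ToPortalDate(long.MaxValue) ?? "(no value)"));
    }
}
```

With a bidirectional flow, that lost precision means the integer exported back to AD can differ from the one originally imported.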
## https://blogs.msdn.com/connector_space ##
Comments
- Anonymous
October 25, 2017
@Anthony: The variable names in both your examples are disordered (accountExpires vs. employeeEndDate), meaning the example in fact is wrong and not working! Even if the errors are not very difficult to find, you should correct this as soon as possible! Thank you.
- Anonymous
October 25, 2017
Actually this was taken from a working environment, just because you can’t get it to work doesn’t mean it’s broken. Are you defining the variables correctly, what is your precedence for the attributes? If you're looking for additional examples of how to construct the code, the additional posts also utilize the Account Expires Code
https://blogs.msdn.microsoft.com/connector_space/2017/06/23/rules-extensions-ma-extension/
https://blogs.msdn.microsoft.com/connector_space/2017/06/23/rules-extensions-helper-functions/
https://blogs.msdn.microsoft.com/connector_space/2016/02/12/rules-extensions-mapattributesforimport/
- Anonymous
November 20, 2017
Curious if comments are working again...
- Anonymous
November 20, 2017
Yes they are! :-) Me again: did you receive the mail from Tim Macaulay? It contains further details about my statement (which I retain still valid, btw)
- Anonymous
November 20, 2017
This example is just that an example, if you don’t like it I’m sure you can find another free blog out there where people post and update on their own time outside of normal working hours often well into the night.