2 Way Account Expires Rules Extension

Updated 11/26/2017

To assist in the understanding of managing the "accountExpires" attribute in AD with the "employeeEndDate" attribute in the FIM / MIM Portal I have created supporting post to go deeper in to how to implement this below solution.

Rules Extensions –Understanding Date Time Conversion Part 1

The following is C# code that can be used to build a Rules Extension to be applied to the ADMA which converts the following:

1. accountExpires attribute on a user in AD to the Employee End Date attribute in the Portal

2. Employee End Date of a user in the Portal to the accountExpires attribute in AD.

Pre-Requsite

  • Create the following custom attribute in the metaverse if it does not already exist
     Name  Attribute Type
     employeeEndDate  Indexed String

The following code is pulled from the Rules Extension -MAExtension Post

 

Management Agent Attribute Flow

 

When setting the attribute flow be sure to verify that you are selecting the correct Flow Direction and Mapping Type of Advanced, notice the exceptionally long names to the name of the rules extension, this is not ideal but for the initial instruction of how to deploy this solution I named the function this way to assist in the understanding of the data flow from connector space to and from the Metaverse.

Attribute Flow

accountExpires  <-  employeeEndDate           cd.user:accountExpires<-mv.person:employeeEndDate

accountExpires  -> employeeEndDate            cd.user:accountExpires->mv.person:employeeEndDate

in the updated example I use a much cleaner naming standard for my functions

To Convert the accountExpires attribute to the employeeEndDate in the metaverse to be exported to the FIM Portal add the following piece of code is required within the "void IMASynchronization.MapAttributesForImport" section

case "employeeEndDate":
if (csentry["accountExpires"].IntegerValue == 0 || csentry["accountExpires"].IntegerValue == 9223372036854775807)
{
// This is a special condition, do not contribute and delete any current value
mventry["accountExpires"].Delete();
}
else
{
DateTime dtFileTime = DateTime.FromFileTime(csentry["accountExpires"].IntegerValue);
mventry["employeeEndDate"].Value =
dtFileTime.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'");
}
break;

IMPORTANT NOTE:

Notice the format of the DateTime that the accountExpires attribute is being converted into "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'" Notice the 'T' , if the dtFileTime.ToString is not in this exact format the sync engine will fail to export the value to the FIM / MIM Portal. This is not the same format used for all data sources, other SQL , ORACLE, other data sources may except a wide array of date time formats but when working with the FIM / MIM Portal it has to be this format.

 

If you are setting the employeeEndDate in the FIM Portal and you wish to update the accountExpires attribute in Active Directory than you need to add the following code within the "void IMASynchronization.MapAttributesForExport" section

case "accountExpires":

CultureInfo provider = CultureInfo.InvariantCulture;

if (mventry["accountExpires"].ToString() != "")
{
DateTime dtFileTime = DateTime.ParseExact(mventry["employeeEndDate"].Value, "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'", provider);

csentry["accountExpires"].IntegerValue = dtFileTime.ToFileTime();
}
break;

 

If you wish to be able to set the accountExpires or the employeeEndDate value from either Active Directory or the FIM Portal you will need to make this bidirectional. This can be accomplished by having both pieced of the above code in place as well as setting equal precedence in the Synchronization Service for the employeeEndDate attribute for the Peron object. equalPrecedence

Need another example of the code Rules Extensions –Understanding Date Time Conversion Part 2

## http://blogs.msdn.com/connector_space ##

DateTimeAttributes.txt