Model Generator overview
Applies To: Forefront Identity Manager
The Microsoft BHOLD Model Generator module and the BHOLD Model Loader utility are tools that enable you to import user and organizational information from an authoritative identity store (such as Active Directory), to link that data to create a normalized role model, and then to import the role model into the BHOLD Core database. You use Model Generator in a test environment to design your role model and then use Model Loader to import the role model into your production BHOLD Core database. By using this method, you can evaluate various designs without committing them to your production database. Using Hyper-V or a similar virtual-machine technology for your test environment is an especially effective way to accomplish this task because you can easily take snapshots at each stage of the development process and, if necessary, roll back to an earlier stage by applying the applicable snapshot. For more information about creating and managing role models by using BHOLD, see Microsoft BHOLD Suite Concepts Guide.
You can use Model Generator to create two types of role models:
A basic role model that consists of organizational structure, user identities, and default roles that Model Generator automatically creates. To create a basic role model, you supply three input files: An organizational-unit (orgunit) file, a user file, and an account-permission file (also known as a target file).
A complete role model that includes roles and permissions that you specify. To create a complete role model, you supply the same input files as for the basic model, plus a role file and a permission-application file.
For a complete description of the input files, see BHOLD Model Generator file formats in Microsoft BHOLD Suite Technical Reference.
Regardless of the number of input files that are used, Model Generator has five stages:
Import Files—In this stage, the information that you supply in the input files is imported into the BHOLD Core database and linked to form the nucleus of the role model. This includes orgunits, users, roles, accounts, applications, permissions, and roles that are specified in the input files. Model Generator can add these to an existing role model in the BHOLD Core database, or it can clear (reset) the database before adding the objects specified in the input files. In this stage, Model Generator also creates personal roles for users plus membership and supervisor roles for orgunits and other roles that are defined in the input files.
Membership Roles—In this stage, Model Generator creates additional membership roles for the newly created orgunits and links them to the appropriate permissions. Unlike the membership roles that are created in the first stage, however, the membership roles created in this stage are marked as proposed roles, allowing you to enable them on a case-by-case basis.
Attribute Roles—In this stage, you can select user attributes and their values for creating roles for specific users. For example, if the User object in BHOLD Core has a custom attribute named Reports_To, you can use that attribute to create a role for all the users who report to a given manager. You can run this stage multiple times to specify different values for the attribute that you choose.
Proposed Roles—In this stage, you have the opportunity to replace the personal roles created in the Import Files stage with proposed roles linked to each orgunit. This allows you to use the BHOLD Core portal to activate the role for each user separately.
Ownership Roles—In this stage, Model Generator links supervisor (ownership) roles to users who will act as the owners of the role-model elements (orgunits or roles) that the ownership role applies to. In the File Import stage, Model Generator creates supervisor roles for each orgunit and role, as well as supervisor roles that are specified in the Roles file. Should any supervisor roles without supervisors (owners) result, the Ownership Roles stage lets you specify the users that will be assigned to those supervisor roles.
It is not necessary to complete each stage of the wizard. In addition, subsequent stages are not dependent on previous stages, other than the initial File Import stage, of course. Consequently, you can skip over a stage and then return to it later.
At the completion of each stage, Model Generator backs up the results, allowing you to roll back the model to an earlier stage without having to rerun the wizard from the beginning.
When you have completed your role model, you can export the role model to an XML file, copy the file to your production BHOLD Core server, and then use Model Loader to import the role model into your BHOLD Core database.
The following are the steps you need to follow in order to use Model Generator and Model Loader to design and populate your BHOLD role model and then transfer the role model to your production BHOLD deployment:
Install BHOLD Core and BHOLD Model Generator in a test environment. For this purpose, you can install SQL Server and BHOLD modules on a standalone domain controller. Using a virtual machine is recommended to allow you to take and revert to snapshots. For information about installing BHOLD Core and BHOLD Model Generator, see Microsoft BHOLD Suite SP1 Installation Guide.
Prepare the input files. At a minimum, you must prepare input files that list the orgunits, the users, and the user accounts in your organization. For information about the structure and contents of the input files, see Preparing Model Generator input files elsewhere in this guide.
Review the Model Generator stages and decide how you will use them to complete the design of your role model. For more information, see Before you begin in this guide.
Run Model Generator to import the information in your input files into the BHOLD Core database, to create additional roles, and to generate an export file. See Using the BHOLD Model Generator wizard in this guide for details.
Copy the export file to your production BHOLD Core server and import the data in the file into the BHOLD Core database. See Importing the role model into the production BHOLD database in this guide for more information.