MIIS 2003 State-Based Processing
Microsoft Corporation
Published: July, 2005
Author: Brad Benefield
Editor: Justin Hall
Abstract
This subject describes how MIIS 2003 processes data objects during synchronization. It examines in detail the different data structures that are used to represent the states of objects during the synchronization process.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.
© 2005 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
MIIS 2003 State-Based Processing
What Is MIIS 2003 State-Based Processing?
How MIIS 2003 State-Based Processing Works
1
MIIS 2003 State-Based Processing
This guide describes how MIIS 2003 processes data objects during synchronization. It examines in detail the different data structures that are used to represent the states of objects during the synchronization process.
In this subject
What Is MIIS 2003 State-Based Processing?
How MIIS 2003 State-Based Processing Works
What Is MIIS 2003 State-Based Processing?
MIIS2003 processes identity information from various connected data sources based on your business requirements. The processing includes requesting the identity information from various data sources during the staging process. Your business requirements are then applied to that information by translating them to synchronization rules that are used during the synchronization process. The processing concludes with the export of required changes. These processes, each of which can run independently, are shown in the following illustration. For example, information that is requested from a connected data source can be synchronized and then resynchronized based on new business requirements before MIIS2003 exports any changes.
Identity Management Process
During each of the three processes, MIIS2003 processes a specific state, that is, the condition of the identity information that MIIS2003 has at a particular time. MIIS2003 organizes the identity information in a way that allows it to calculate the current state of the identity information at any given point in the identity management process.
During the staging process, MIIS2003 compares incoming data with the data that is already staged in the connector space. MIIS2003 stores changes to identity information about the staging object in the connector space. Staging ensures that only identity information that has not been processed yet is flagged for further processing.
During the synchronization process, MIIS2003 differentiates between updates to identity information and the information that has already been synchronized. Updates to identity information include new information that is received from a connected data source and new information that needs to be exported to the connected data source. This allows MIIS2003 to either process updates only or reprocess all identity information that is available for an object.
MIIS2003 usually synchronizes only incoming updates for subsequent synchronization runs unless you change the synchronization logic. For example, MIIS2003 can ensure that the e-mail name of a user account is comprised of the first name and the initial of the last name. MIIS2003 synchronizes only updates to user accounts unless you change the synchronization logic (in this case, what the e-mail name is comprised of). However, if the synchronization logic has changed, all of the identity information must be reprocessed because the changes can produce different synchronization results.
During the export process, MIIS2003 exports to the connected data source identity information that has been synchronized and is staged for export. It exports information that has not yet been exported and information that requires re-exporting. For improved efficiency, only the minimum amount of identity information, which includes updates to individual attributes, is exported to the connected data source.
How MIIS 2003 State-Based Processing Works
State-Based Identity Information Representation
MIIS2003 accomplishes state-based processing of identity information by storing for an object in a connected data source both a complete representation of identity information and new information, which MIIS2003 uses to calculate each state within the identity management process. The complete identity information for a state is called a hologram; the corresponding subset that represents new information is called a delta.
Using the hologram and its corresponding delta, MIIS2003 can calculate another hologram of that object that incorporates the delta information. This hologram is the representation of the object that will be stored in the connected data source after either staging, synchronization, or export completes. A data structure that consists of a pre-process hologram, a delta, and a post-process hologram is called a triple.
Storing state-based representations of identity information in the form of holograms and deltas has many advantages:
It allows MIIS2003 to divide the identity management process into independent subprocesses that focus on information that is most likely to change.
It minimizes the amount of data that is processed.
It allows MIIS2003 to request identity information at any time without having to immediately process it.
It allows changes to be applied to the synchronization logic without requesting data from the connected data source.
It allows updates to be exported to a connected data source at any time.
It allows only required changes to be exported and applied to the connected data source.
As another important advantage, state-based representation of identity information facilitates recovery of a connected data source from catastrophic failure. The connected data source can be repopulated with the current identity information that is stored in MIIS2003, which is not possible by using identity management solutions that are not state-based.
MIIS2003 maintains holograms and corresponding delta information for two process states:
Inbound. Information for the inbound state includes all identity information that has been imported from the connected data source.
Outbound. Outbound state information includes all required changes and identity information that has already been exported to the connected data source.
Inbound State Information
Inbound state information comprises all identity information that has been imported from the connected data source. To determine all subsequent deltas for the different subprocesses of the identity management process, MIIS2003 must maintain at least one complete set of identity information for an object in a connected data source. This object is known as a synchronized import hologram or hologram.
A synchronized import hologram is the representation of a connected data source object that was used as input for a successful synchronization process. A synchronized import hologram is stored with the staging object that represents the connected data source object. MIIS2003 uses the synchronized import hologram to identify new identity information that arrives for a connected data source object and that has not yet been staged. This information is called the delta pending import. The delta pending import also is stored with the staging object.
MIIS2003 uses the information stored in the synchronized import hologram and the delta pending import in a triple to produce a new representation of the object, which reflects all of the identity information that was received for this object from the connected data source. The resulting hologram is known as a pending import hologram, as shown in the following illustration.
Pending Import Hologram
The pending import hologram also shows how the representation of the object in the connected data source appears after synchronization. As such, the pending import hologram represents the future hologram of an object.
Outbound State Information
Holograms and deltas also are used to represent the state of information for a given object that is outbound to the connected data source. MIIS2003 uses outbound state information to ensure that only the information that needs to be exported to a connected data source is ultimately exported to it. MIIS2003 recognizes three types of outbound information:
Information that must be exported.
Information that is in the process of being exported.
Information that has been exported successfully, but whose export has not yet been confirmed by being reimported into MIIS2003.
Each state has corresponding delta and hologram pairs that MIIS2003 uses to calculate the object representation for each state in the connected data source.
When the outbound synchronization process produces new data that must be exported to the connected data source, MIIS2003 calculates the delta information that needs to be staged on a staging object for the next export. This delta information is known as the delta unapplied export.
During the export process, MIIS2003 exports new information to the connected data source. The values of the delta unapplied export that are processed during the export operation are copied into a data structure called the delta escrowed export. The difference between the delta unapplied export and the delta escrowed export is that the components of the delta unapplied export have never been part of an export operation.
The values of the delta escrowed export can vary depending on whether the management agent is call-based or file-based. For a file-based management agent, MIIS2003 does not receive notification of the success or failure of the export from the connected data source. In this case, the values of the delta escrowed export are copied into a data structure called the delta unconfirmed export after the export process is complete.
If a call-based management agent is used for communication with the connected data source, the communication occurs by using APIs that are implemented by the connected data source. In this case, MIIS2003 receives notification from the connected data source in the form of a return value that indicates whether the export operation was successful.
The values of the delta escrowed export for which a notification of success is received are copied into the delta unconfirmed export. If an error is received from a connected data source that uses a call-based management agent, the values of the delta escrowed export remain part of the delta escrowed export until the next successful export operation occurs.
For both file-based and call-based management agents, outbound state information is also adjusted during the staging process. The identity information in a new delta pending import is compared with the delta unconfirmed export and the delta escrowed export to determine whether exported identity information has been imported successfully from the connected data source.
Recall that the pending import hologram is the complete view of an object in a connected data source that includes all of the information that was received for this object. The delta unconfirmed export is comprised of the identity information for this object that was exported to the connected data source and for which MIIS2003 has received a notification of success. However, this information has not been reimported yet.
When MIIS2003 combines the pending import hologram and delta unconfirmed export, the result is a hologram that represents the complete object as it appears in the connected data source. This representation is called the unconfirmed export hologram. The unconfirmed export hologram is calculated in a triple, as shown in the following illustration.
Unconfirmed Export Hologram
By using the values of the unconfirmed export hologram and the delta escrowed export that is in process of being exported to the connected data source, MIIS2003 can calculate another triple for the state of an object in the connected data source. This triple represents the resulting object when these changes have been successfully applied. The corresponding hologram is called the escrowed export hologram.
The escrowed export hologram is a representation of the object in the connected data source that includes:
All identity information that was received for this object.
All identity information that has been successfully exported to the object.
All identity information that is in the process of being exported to the object.
By using the values of the escrowed export hologram and the delta unapplied export, which includes the identity information that is stored on a staging object for the next export process, MIIS2003 can calculate the future representation of an object in the connected data source after the identity information that is waiting to be exported has been successfully applied to it. The corresponding hologram is known as the unapplied export hologram, as shown in the following illustration.
Unapplied Export Hologram
Calculating the State-Based Identity Information
The four triples (the unapplied export, the escrowed export, the unconfirmed export, and the pending import) form a data structure called the synchronization tower. MIIS2003 builds the synchronization tower in memory whenever it needs to calculate the state of an object or update delta information.
Because inbound and outbound identity information are correlated to each other, when MIIS2003 needs to determine one of its holograms or deltas, it has to calculate the components of the synchronization tower from the bottom to the top, as shown in the following illustration.
Synchronization Tower
MIIS2003 minimizes the amount of information stored in a staging object by saving only the synchronized import hologram and all available delta information, as shown in the following illustration. This information is sufficient for MIIS2003 to determine the various states of how an object will appear in the connected data source depending on the progress of the identity management process.
Information Stored on a Staging Object
The unapplied export hologram, the escrowed export hologram, and the unconfirmed export hologram are previews of the object in the connected data source only if that export identity information has been persistently applied to the object and the identity information that is in process of being exported or that is planned for export is successfully applied to the object eventually.
Updating State-Based Identity Information
The following illustration shows how MIIS2003 calculates the different holograms during the identity management process.
Synchronization Throughout the Identity Management Process
The delta unapplied export is calculated during outbound synchronization. The delta escrowed export is calculated during export. The delta unconfirmed export is calculated after export to a call-based connected data source. The delta pending import is calculated during staging.
During the staging process, MIIS2003 calculates the delta pending import of the identity information that is received from the connected data source. In addition, MIIS2003 also uses the new delta pending import information to evaluate whether previously exported identity information has been successfully re-imported. As such, the delta pending import received from the connected data source also serves as confirmation that identity information that was previously exported to a connected data source has been successfully and persistently recorded in the connected data source.
When a call-based management agent is used, MIIS2003 can receive success notification for exported changes. However, such a notification does not confirm that those changes have been applied persistently to the object within the connected data source because another process in the connected data source might have applied changes to identity information that was changed by MIIS2003. Importing previously exported changes from the connected data source conclusively indicates to MIIS2003 that the changes have been applied persistently to the object.
The synchronization process consists of two subprocesses, inbound synchronization and outbound synchronization, as shown in the following illustration.
Synchronization Process