Friday, February 4, 2011

Lookup value in FIM 2010

This workflow is now part of the FIM 2010 Granfeldt Workflow Activity Library

UPDATE: Just updated this to support other target attribute types than strings. Get the latest version. Also, you can use my PowerShell script instead of GACUTIL to put assemblies in the cache.

I'm pleased to announce that my custom workflow for looking value in the FIM portal has now been tested and released for public use.

I find this workflow interesting because you often have to populate values on users based on some other attribute. This workflow has many interesting features, i.e. you could lookup a OU for the user based on the department and have the list of OU's be maintained in the FIM Portal it self - or as the example shows below, you could have a list of "pretty names" for your cost centers and populate the CostCenter attribute based on a CostCenterId flowed from i.e. the HR system.



Parameters are -

XPathFilter: The Lookup filter for getting the value, i.e. /Person[starts-with(AccountName, 'D')]; if your query returns more than one result, the value from the first result will be used
Attribute Name: The name of the attribute that you want to get the value from (for now only single-value attributes is supported (and tested); go ahead and try with multi values if you dare...
Destination: This is where you want to put the found/extracted value (workflow has been tested with target attributes of string and numbers).

You should note that the look up is done as the Built-in Synchronization Account (so make sure that that guy can read the objects in question (in the XPath filter) and the update of the target attribute is done as the requester, so again make sure that the correct permissions are present there. Future version may include options to specify context.

To add the workflow to the portal, you'll need this information about the Activity information configuration

Display name: Lookup Attribute Value
Activity Name: Inceptio.FIM.Activities.LookupAttributeValueActivity
Description: Using XPath query looks up value in FIM
Assembly Name: Inceptio.FIM.Activities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=fbba0d5fa1bd8867
Authentication, Action, Authorization: <anyone>
Type Name: Inceptio.FIM.Activities.WebUIs.LookupAttributeValueActivitySettingsPart


So how do I get the software? There are two .DLL's to put in your GAC and they can be downloaded here. Please let me know, if you have any problems with the workflow or any feature request.

20 comments:

Bob Tucker said...

Soren,

I have been trying to get this workflow to work, but I keep getting the following error...

An error occurred while enumerating the filter '/lookup[DisplayName = 'ComputerType1']'.

I have created a resourceType called lookup (confirmed case) and populated the DisplayName attribute with ComputerType1.
I have also created a resourceType called asset. I am creating an asset and calling the workflow to populate some of the fields matching on the computerType attribute.
The workflow certainly looks VERY promising, I just need to figure out what I am missing.
Thanks

Søren Granfeldt said...

Hi

Does your query work in a set? Try it out there maybe and then copy to the workflow.

Also, the lookup is done as Built-In Synchronization Account, so please also make sure that this account has permissions to read your object type and attributes or interests on these objects as well.

Bob Tucker said...

Soren,

Thanks for the reply. Is there a better way to communicate - I do not want to fill up your comment section with troubleshooting.

I have changed the xPath to /Person[AccountName='12345'] (which works in a set filter) with an attributeName of DisplayName and destination of DisplayName (about as simple as I can get). In the set, the xPath returns my object with no issues, but when using the workflow, I get "Result cannot be called on a failed match".
I have created an MPR for the built-in sync account to grant "full control" on All Objects to ensure it is not a permissions issue.

Thanks again for your help on this. This workflow looks like it could be useful in many of our engagements.

Søren Granfeldt said...

Hi, Bob

I'll trust my antispam provider and give you my mail address (soren at granfeldt.dk); drop me an mail with your details and we'll have a look into it.

Peter Stapf said...

Hello Soren,

nice work, thank you for giving it to the community.

One question, can i use you activity/workflow to set an reference attribute ?

and if yes, how to do ?

I have an ResourceType for configuration an want all my custom object to have a reference to this object so i can use the configdata in workflow.

thx
Peter

Søren Granfeldt said...

Hi, Peter

As I understand your question, you should be able to do a lookup of the reference value using my workflow and put the result into WorkflowData, i.e. //WorkflowData/ReferenceId. And then you could perhaps use that value in Function Evaluator to populate you reference value. Or you could even maybe set target o my workflow to be //Target/AttrToGetReferenceValue. Please bear in mind that it currently does support adding to multivalues target attributes

Peter Stapf said...

Ho Soren,

thx for the fast reply.

I've tried this but got an postprocessing error showing an sql error in conversing char string to unifiedidentifier.

My Config is like this:

XPath: /ConfigData[DisplayName='MyConfig']

Attribute: ObjectID

Target: [//Target/MyRefAttr]

I even try to copy MyRefAttr from an DummyObject but everythink leads to this PostProcError.

Maybe i have an error in my config of your workflow.

any ideas ?

Søren Granfeldt said...

Hi, Peter

I've actually only tested this with string values, so it probarbly won't work with reference values; however, it could be a valid extension for the next version. Maybe you could try send it through the Function Evaluator to see if this works. Otherwise, I'd have to make an updated version at some point in time to allow for the workflow to populate other attribute types, such as reference values.

Peter Stapf said...

Hi Soren,

thx so far.
it does not work even thru Function Evaluator (Integrated or the T4F).

My idea was to habe configobjects to ref with normal objects (user, group) to have different constant value in my 3 Stages (Dev, Test, Prod), because hardcoded values will be deployed by the FIM Powershell Deployment Script to the other stages.

So my thinking was to create objects wich are different in these stages an link them to my objects.

But i think i can change my solution a little bit to lookup in which stage i am and then using IIF to set different values on objects like DN-Parts.

So thanks anyway for your lookup workflow.

One last question:
How do you manage such different constant values thru FIM Stages ?

Best regards,
Peter

Haydn said...

Hi Soren,

Just wanted to say a big thanks for this workflow action. It works a treat and provides functionality that I believe should exist out of the box in any identity management product.

Once again, thanks!

Haydn

Arnaud said...

Hi,


Thanks for this useful workflow!


Does it works with multivalued string?


I've configure the activity like that :


Xpath : /MyPerson[LoginName='[//Target/LoginName]']

Attribute:
RoleFIM

Destination:
[//Target/RoleFIM]

Where RoleFIM is a multivalued string.

When the WF is executed I have "System.String[]" written in the Person's RoleFIM.

Another question, is this possible to use it to propagate attribute update with a configuration like this ?

XPath = [//Target]
Attribute = RoleFIM
Destination = /Person[LoginName='[//Target/LoginName]']/RoleFIM

Regards,

Arnaud.

Søren Granfeldt said...

Hi, Arnaud...

Thank you; the current version will only write to either a Workflow parameter or a single value string attribute and will not work with reference value. It should be able to lookup fx //Target/Manager/DisplayName, though - but not do a search as it seem you are trying to do

Søren Granfeldt said...

Hi, Peter Stapf...

With the new verison, you might be able to get it to work with reference values (not multivalues, though).

Give it a go if you want...

Daniel said...

Hi Søren

I've tried using the updated workflow.


Xpath: /Person[ObjectId= '0ae60ab7-851f-44da-880f-ed26a6d6668c'] (The id of a known user)

Att Name: AccountName
Destination: [//WorkflowData/DisplayedOwnerAccountName]

But I keep getting this error:
WorkflowInstance '6140ea9b-a0f7-4ced-bd26-e873e9db4693' could not resolve any of the defined approvers: '[//WorkflowData/DisplayedOwnerAccountName];'

Are the any tricks to getting reference values working, or is it something else?

Søren Granfeldt said...

Daniel: Are you sure that it is the lookup WF that's teasing you? I think it is another WF since there is a mentioning of an "approver".

I think you may need to extract "ObjectID" instead of AccountName if you looking to get a reference value.

Anonymous said...

Hi Søren

I'm currently creating an authorisation WF which has to extract a groups Displayed Owner, and then Ask that person for approval. (I'm skipping the extaction and entering the ObjectID manually in the lookup WF)

If I switch to extracting the ObjectID, enumeration of the filter fails: /Person[ObjectID= '0ae60ab7-851f-44da-880f-ed26a6d6668c']
(Att. Name: ObjectID)

The reason you might think that another WF might be the problem, is that my "Ask for approval" activity cannot resolve any of the defined approvers (when extracting the account name)
So either its a wrong value or the field is empty.

Daniel said...

Previous post by me :)

I can't explain why I got that last error, looking at my Log the Lookup WF reads the AccountName out just fine. So no problems there, still changing it to ObjectID did not solve my problem.

Instead i Extended my "Extract Group Owner Attribute", Custom WF to handle DisplayedOwner and convert him to a list object.

Sachin Shahi said...

Hi Soren,

When I try and create the workflow with this, I get an error in Application log like this:
WorkflowManager could not deserialize XOML definition

Relevent bits from XOML (XPath Lookup)
clr-namespace:Inceptio.FIM.Activities;Assembly=Inceptio.FIM.Activities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=fbba0d5fa1bd8867" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow" xmlns:ns3="clr-namespace:Inceptio.FIM.Activities;Assembly=Inceptio.FIM.Activities.BuildingBlocks, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b8dec76e5f77a4b6" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:ns0="

Any Ideas what could I have missed?

Sachin Shahi said...

Sorry, forgot the config part of the workflow:



What I'm trying to do is lookup Site object to find what is the homedrive path for users belonging to a particular site. Site is a custom resource type and just to make sure it wasn;t a permissions issue, I changed it to use Person type object and still the same problem.

Sachin Shahi said...

somehow it doesn't publish it, tags might be the problem, trying again.

ns2:LookupAttributeValueActivity x:Name="authenticationGateActivity9" CurrentRequest="{x:Null}" ResolvedXPathFilter="{x:Null}" XPathFilter="/site[Name='[//Target/OfficeLocation']" AttributeName="homeDirectory" Destination="[//Target/homeDirectory]"