
You're reading from Microsoft Forefront Identity Manager 2010 R2 Handbook

Product type: Book
Published in: Aug 2012
Publisher: Packt
ISBN-13: 9781849685368
Edition: 1st Edition
Author: Kent Nordstrom

Kent Nordström wrote his first lines of code in the late 70s so he's been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system he started a close relationship with them that has continued since. For many years Kent has been working part time as a sub-contractor to Microsoft Consulting Services and has been doing many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge around Forefront TMG, Forefront UAG and PKI. Find out more by visiting his blog on http://konab.com.

Chapter 11. Customizing Data Transformations

We have so far been able to solve our problems using built-in functionality in FIM. But in many cases the data you are managing is not structured or formatted in a way that FIM can manage.

I have so far shown you how to build a couple of synchronization rules, and we have used a few of the out-of-the-box functions available in FIM. For a complete list of all FIM functions available in synchronization rules, please take a look at http://aka.ms/FIMFunctions.

What we will find is that the built-in functionality will not cover all our needs. In this chapter we will look at:

  • Discussing the overall need and options for data transformation

  • An example of managing Microsoft Lync

  • Selective deprovisioning

  • The case with strange roles

Our options


There are many different ways in which we can modify the data to fit our needs. I will show a few of the most common ones I use in my customer projects, but every project has unique requirements and also a unique set of competencies, which will govern the options we choose.

When working with FIM, there are several places where data transformations can happen. They are as follows:

  • At the Connected Data Source using, for example, an advanced SQL view

  • During Import and Export using, for example, a custom Management Agent

  • At inbound and outbound synchronization using both declarative and non-declarative synchronization rules

  • In the FIM Service using workflows

Since the FIM Service has a workflow engine, you will find many examples of how to modify data using workflow activities. Do keep in mind, though, that the synchronization engine re-applies its flow rules every time the source data changes, so the transformed values stay consistent with their source. A workflow activity runs only when the request that triggers it occurs, and keeping data consistent that way is very hard.

PowerShell

If you look around the Internet, you will find...

Managing Lync


Microsoft Lync is one example where management cannot be done using the built-in capabilities in FIM. As we saw in Chapter 5, User Management, the AD MA has built-in functionality covering some Exchange management. Even though Lync also uses AD as its main source of information, the AD MA in FIM has no knowledge of Lync.

There are basically two problems we need to solve. They are as follows:

  • Unlike with Exchange, as discussed in Chapter 5, User Management, FIM has no built-in Lync provisioning capability. We need to add that capability. I will show you an example of how to use PowerShell to solve this problem.

  • We need to manage the proxyAddresses attribute in AD. This is a multivalued attribute, and FIM has no built-in functions for advanced management of multivalued attributes. Overwriting it wholesale would drop addresses that other systems own, such as x500: and X400: entries, so the rule has to merge values rather than replace them. I will show you how to use a non-declarative (classic) rules extension to manage the proxyAddresses attribute.

Provision Lync Users

Provisioning in a Lync perspective is to run a PowerShell...

Selective deprovisioning


The term deprovisioning is often used when talking about deleting objects in some CDS (Connected Data Source). But deprovisioning is much more than just that.

Carol Wapshere has written a great article explaining our options about deprovisioning. Go to http://aka.ms/FIMDeprovisioning and read it before you start using the option to deprovision.

A typical scenario related to what we have discussed in this book may be that we would like FIM to delete obsolete distribution groups in Active Directory based on some policy. But we do not want FIM to delete users or security groups in AD even if some FIM administrator makes a mistake in the FIM Service configuration.

We need to use code to make the decision.

On the Configure Deprovisioning page of our AD MA, instead of having Stage a delete on the object for the next export run, we use the option Determine with a rules extension.

This means we need to make use of another method, DeprovisionAction IMASynchronization.Deprovision...
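The two classic rules extension tasks in this chapter, merging proxyAddresses on export (the Managing Lync section) and deciding per object what deprovisioning means (this section), as one added C# example. This is not the book's code. The metaverse attribute names mail and sipAddress, the export flow rule name exportProxyAddresses, and the namespace are assumptions for the example; the class library must reference Microsoft.MetadirectoryServices.dll from the Synchronization Service's Bin folder.

```csharp
// Added example, not the book's own code: a classic (non-declarative) rules extension for the
// AD MA. Assumed names: MV attributes "mail" and "sipAddress", export flow rule
// "exportProxyAddresses". Reference Microsoft.MetadirectoryServices.dll from the Sync Service Bin.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.MetadirectoryServices;

namespace TheCompany.FIM.ADExtension
{
    public class ADMAExtension : IMASynchronization
    {
        // ADS_GROUP_TYPE_SECURITY_ENABLED: set on security groups, clear on distribution groups.
        private const long SecurityEnabled = 0x80000000L;

        public void Initialize() { }
        public void Terminate() { }

        // Runs when a CS object loses its metaverse connection and the MA is configured with
        // "Determine with a rules extension". Only distribution groups are staged for deletion;
        // users and security groups are disconnected, so a FIM Service mistake cannot delete them.
        public DeprovisionAction Deprovision(CSEntry csentry)
        {
            if (csentry.ObjectType == "group" && csentry["groupType"].IsPresent)
            {
                long groupType = csentry["groupType"].IntegerValue; // negative when security-enabled
                if ((groupType & SecurityEnabled) == 0)
                    return DeprovisionAction.Delete;
            }
            return DeprovisionAction.Disconnect;
        }

        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        {
            switch (FlowRuleName)
            {
                case "exportProxyAddresses":
                {
                    var existing = new List<string>();
                    if (csentry["proxyAddresses"].IsPresent)
                        foreach (Value v in csentry["proxyAddresses"].Values)
                            existing.Add(v.ToString());

                    string mail = mventry["mail"].IsPresent ? mventry["mail"].Value : null;
                    string sip = mventry["sipAddress"].IsPresent ? mventry["sipAddress"].Value : null;
                    List<string> desired = ProxyAddressPolicy.Merge(existing, mail, sip);

                    if (desired.SequenceEqual(existing, StringComparer.Ordinal))
                        return; // nothing to change; leave the CS attribute untouched

                    csentry["proxyAddresses"].Values.Clear();
                    foreach (string address in desired)
                        csentry["proxyAddresses"].Values.Add(address);
                    break;
                }
                default:
                    throw new EntryPointNotImplementedException();
            }
        }

        // Entry points this MA does not use; the engine expects this exception from them.
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry) { throw new EntryPointNotImplementedException(); }
    }

    // Pure merge logic, kept out of the engine callbacks so it can be unit tested without FIM.
    public static class ProxyAddressPolicy
    {
        public static List<string> Merge(IEnumerable<string> existing, string primarySmtp, string sipAddress)
        {
            var result = new List<string>();
            var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            foreach (string raw in existing)
            {
                string address = raw.Trim();
                if (address.Length == 0) continue;
                // sip: is owned by this rule and re-added below; non-smtp entries (x500:, X400:, ...)
                // belong to other systems and are kept verbatim.
                if (address.StartsWith("sip:", StringComparison.OrdinalIgnoreCase)) continue;
                // Demote every existing SMTP entry to secondary so old addresses keep routing;
                // the metaverse decides the primary below.
                if (address.StartsWith("smtp:", StringComparison.OrdinalIgnoreCase))
                    address = "smtp:" + address.Substring(5);
                if (seen.Add(address)) result.Add(address);
            }
            if (!string.IsNullOrEmpty(primarySmtp))
            {
                result.RemoveAll(a => string.Equals(a, "smtp:" + primarySmtp, StringComparison.OrdinalIgnoreCase));
                result.Insert(0, "SMTP:" + primarySmtp); // exactly one upper-case primary
            }
            if (!string.IsNullOrEmpty(sipAddress))
                result.Add("sip:" + sipAddress);
            return result;
        }
    }
}
```

Deprovision is only called when the AD MA's Configure Deprovisioning page is set to Determine with a rules extension and the DLL is named on the MA's Configure Extensions page. Returning Disconnect lets a user or security group rejoin on a later synchronization run; ExplicitDisconnect would prevent that, which is rarely what you want for objects you chose not to delete. Before enabling the export, run a preview against one user and one distribution group and confirm that only the group gets a staged delete.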

The case with the strange roles


This is an example where the data structure in the data source did not meet the requirements of FIM, so I used SSIS (SQL Server Integration Services) to transform the data into a structure that FIM can easily consume.

The information in this case was defined in a database with two tables, one of which contained information about the organizational units within the company.

The other table contained information about the roles users had within each organizational unit. The screenshots show only an example and are not the actual roles and units that my customer was using.

The goal was to create groups in Active Directory with the users as members. But they didn't just want the organizational units as groups. They also wanted one group for each unique role within a specific organizational unit.

So the goal was to use SSIS to structure this data into the FIM-optimized structure you have seen in the HR database at The Company in this book.

From the small...

Summary


It is very rare to have a FIM project where the data in all CDSs (Connected Data Sources) is structured in a way that can be easily consumed and managed by FIM.

You will often need to use one or more of the transformation approaches we have discussed in this chapter. I personally favor limiting the code base in FIM implementations, since the cost of maintaining that code over time is often underestimated. This is why I have grown fond of using SSIS lately. SSIS is today a really powerful tool when it comes to data transformations.

In this chapter we have seen examples of how PowerShell, non-declarative (classic) rules extensions, and SSIS can be used to transform data, making it manageable by FIM.

In the next chapter, we will take a look at the outcast member of the FIM products, FIM Certificate Management. It is time to show how FIM can be used to manage Smart Cards.
