# Module 8: Managing Enterprise Identity Using TAMA

Contents

Overview
Using TAMA and Active Directory MA to Create Users
Implementing a Central Account Scenario
Lab A: Implementing a Central Account
Review
© 2000 Microsoft Corporation. All rights reserved.
# Overview

- Introduction to TAMA
- How TAMA Works
- Using TAMA and Active Directory MA to Create Users
- Implementing a Central Account Scenario
- Best Practices
Business organizations spend a significant amount of time and effort ensuring that recently hired employees are provided with the accounts they need to access resources and do their jobs. There is an equally important business need to remove all of the accounts accumulated by employees who leave the organization.

The Together Administration management agent (TAMA) in Microsoft® Metadirectory Services version 2.2 (MMS), with its ability to integrate and manage identity information, supports administrators in the account provisioning process. TAMA helps organizations lower the total cost of ownership of account resources by automating many of the common administrative functions required to provision new accounts. TAMA also helps organizations reduce the risk of unauthorized data access by automating the deletion of defunct accounts.
At the end of this module, you will be able to:

- Describe the purpose of TAMA in managing enterprise identity.
- Describe how TAMA works.
- Describe how to create users by using TAMA and the Active Directory management agent.
- Implement a central account scenario by using TAMA.
- Identify the best practices for implementing TAMA.
In this module, you will learn about using TAMA to automate the creation and deletion of user accounts in each connected directory.
## Introduction to TAMA

Figure (build-up graphic): connected directories (HR, Active Directory, Exchange) each have a connector namespace in the metadirectory; a Reflector mode MA imports new objects from a connected directory into the metaverse, and TAMA creates the corresponding new objects in the other connector namespaces.
TAMA is a special kind of management agent. TAMA constructs a connector namespace entry that is propagated to the connected directory by another management agent, regardless of that management agent's operating mode. Unlike traditional management agents, which use a connected directory as their data source, TAMA uses the metaverse namespace as its data source. You can configure TAMA to scan a portion of the metaverse namespace, identify new or deleted entries, and then send the additions or deletions to the connector namespaces of the appropriate management agents. For example, when an organization hires a new employee, the Human Resources administrator adds an entry to the Human Resources connected directory. The following tasks occur when you add an entry to a connected directory:

1. A Human Resources management agent reflects that entry in the metaverse namespace.
2. When the Human Resources administrator runs TAMA, TAMA locates the new entry in the metaverse namespace and then creates corresponding connector entries in the applicable connector namespaces.
3. When the management agent is run, it adds the new entry to the other connected directories.

After the completion of these tasks, TAMA enables you to administer all of your directories together.

You can also delete an object created by TAMA. For example, if you delete an object in a Human Resources connected directory, the corresponding object in the Active Directory™ directory service is also deleted (provided that you configure it to be deleted when the corresponding entry in the connected directory is deleted).
Delivery Tip: This graphic is a build-up graphic. The first slide illustrates how new objects are imported into the metaverse namespace through a management agent operating in Reflector mode. The second slide illustrates how TAMA performs multiple updates to the connector namespace. The third slide illustrates that the connected directories are updated the next time their associated management agents are run.
# How TAMA Works

- TAMA Components
- Flat and Complex Resources
- TAMA Attributes
- The TAMA Process
TAMA is used primarily to manage multiple connector namespaces according to the defined TAMA resources and account profiles. TAMA functions by examining directory entries in the metaverse namespace. Each entry in the metaverse namespace can have one or more TAMA resources associated with it in a TAMA account profile. TAMA account profiles contain attributes that determine where new connectors should be created. Knowledge of TAMA resources and account profiles, and of how TAMA uses them, is essential for understanding the TAMA process.
Topic Objective: To introduce the topics related to how TAMA works.
## TAMA Components
- Resource. A resource is an object in the metadirectory that is associated with a particular management agent. All resources have an object class of zcTaAccountResource. A resource is associated with a single management agent, and an attribute of the resource contains the distinguished name of that management agent. Other attributes of the resource indicate where in that management agent's connector namespace a connector entry should be created. This allows you to specify where in a connected directory the objects created by TAMA should be located.

  You can define two types of resources: flat and complex. A flat resource specifies that the new connectors will be added immediately below the entry you specify; the entry and the connectors are all at the same level. A complex resource creates a hierarchy in the connector namespace. The complex resource allows you to define how much of the metaverse namespace structure you want to recreate in the connector namespace.
- Account profile. An account profile is an object in the metadirectory that contains one or more resources. Each entry in the metaverse namespace can have one or more resources associated with it in an account profile. An account profile has an object class of msMMS-ProvisioningProfile, and is usually created in a folder called Together Administration. The account profile entry also has a multivalued attribute, called zcTaAccountResourceDNs, that lists the distinguished names of all resources associated with that account profile.
Topic Objective: To identify the TAMA components.
## Flat and Complex Resources

Slide: the Resource dialog box, shown once for a flat resource and once for a complex resource. Resource Information: Object Class, Type of Resource (Complex or Flat), Resource Description, Management Agent (Select the MA), Location Under MA (Optional; Select a location). For a complex resource only, Tree Information: Metaverse Boundary Node and Maximum Number Of Levels. A complex resource creates a hierarchy in the connector namespace; a flat resource specifies that the new accounts will be added immediately below the entry you specify, all at the same level.
A TAMA resource defines the hierarchical structure used to create objects in a connected directory. You create the TAMA resource to manage entry creation in the connector namespaces of management agents.
### Using Flat Resources

You should use flat resources whenever possible. By defining several account profiles that contain different flat resources for the same management agent, you can create new connectors in a complex hierarchy that already exists in the connector namespace. Flat resources only create leaf entries.

Flat resources create all entries in the same place. For example, you can initially put all new additions into a New Hires organizational unit in the connector namespace. To do this, you create one resource and put it in an account profile that is attached to an entry in the directory tree that is high enough to cause the resource to be applied to all of the relevant entries.

You can also create multiple flat resources for the same management agent. Each flat resource specifies a different location for new connectors under the management agent. For example, an organization has several organizational units, including Accounts Payable and Accounts Receivable, which exist in the metaverse namespace. When you create new entries below these organizational units, either centrally or by using another management agent, you need TAMA to add them to the corresponding Payable and Receivable organizational units under the Email management agent. In this scenario, each organizational unit in the metaverse namespace has an account profile that includes a flat resource record pointing to a corresponding container entry in the connector namespace. That corresponding container is not required to have the same name or the same object class as its metaverse namespace equivalent.
### Using Complex Resources

Although you should use flat resources whenever possible, you can use complex resources when you want to automatically recreate an entry's metaverse namespace hierarchy in a connector namespace. Because complex resources can create parent containers as well as leaf entries, the necessary parent entries do not have to already exist in the connector namespace.

When you use complex resources, you should always specify a metaverse namespace boundary node and select All Parents in Maximum Number of Levels for the number of parents to be counted. The metaverse namespace boundary node defines how much of the metaverse namespace tree structure you want to recreate in the connector namespace.

When processing complex resources, TAMA first looks at the metaverse namespace hierarchy starting just below the boundary node you specify. Then, TAMA accepts the number of parents you specify, counting down from the metaverse namespace boundary node, when it adds a connector to the connector namespace of the management agent.
## TAMA Attributes

Slide: summary table of the attributes msMMS-ManagedByProfile, msMMS-DisconnectorFlowScript, msMMS-DisconnectionTime and msMMS-TimeToLive, each with the one-line description given in the table below.
An account profile contains attributes that determine where in the management agent's connector namespace new connectors should be created.

The following table describes the attributes that are required to implement TAMA functionality in MMS.

| Attribute | Description |
|---|---|
| msMMS-ManagedByProfile | This attribute is created and set to a value of TRUE for every connector entry that is created by TAMA, and for every existing connector entry that would normally be created by TAMA. If a disconnector exists, this attribute is not added. This attribute causes the management agent to treat the entry as if it were created by a Creator mode management agent. |
| msMMS-DisconnectorFlowScript | This attribute specifies that attribute flow will be performed for disconnectors that have not yet expired. It is implemented as a new attribute flow template to handle the flow of attributes from the connector namespace to the connected directory. |
| msMMS-DisconnectionTime | This attribute is automatically updated when a connector namespace entry changes from a connector to a disconnector. The change from a connector to a disconnector happens regardless of the management agent mode. If a management agent is operating in Creator mode, disconnectors are not automatically deleted. |
| msMMS-TimeToLive | This attribute is associated with a management agent and is used in conjunction with the msMMS-DisconnectionTime attribute to calculate how long past the disconnection time a disconnector should persist before being deleted. It contains a numeric value representing a number of seconds. It can also be set on individual connector namespace records by using normal attribute flow; when set on an individual connector namespace entry, the specific value overrides the setting on the management agent. If the value is 0, the entry should be deleted immediately. If the value is –1, deletion is deferred indefinitely. If the attribute does not exist, it is assumed to have a value of 0. |

Topic Objective: To explain the purpose of the attributes involved in the TAMA process, and their function within the process.
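The disconnector expiry rule from the attribute table, as an added Python model (not MMS code): a disconnector persists for msMMS-TimeToLive seconds after msMMS-DisconnectionTime, a per-entry value overrides the MA's value, 0 deletes immediately, –1 defers indefinitely, a missing attribute counts as 0, and Creator mode MAs never delete automatically. The entry and MA dictionaries, the `disconnect`, `effective_ttl`, `should_delete` and `sweep` functions and the sample entries are all constructed here and are not MMS identifiers.

```python
from datetime import datetime, timedelta, timezone

DEFER_INDEFINITELY = -1  # msMMS-TimeToLive value meaning "never delete"

def disconnect(entry, now):
    """Turn a connector into a disconnector, stamping msMMS-DisconnectionTime
    as MMS does automatically, whatever the MA's operating mode."""
    entry["connector"] = False
    entry["msMMS-DisconnectionTime"] = now
    return entry

def effective_ttl(entry, ma):
    """msMMS-TimeToLive on the entry overrides the MA value; absent means 0."""
    if "msMMS-TimeToLive" in entry:
        return int(entry["msMMS-TimeToLive"])
    return int(ma.get("msMMS-TimeToLive", 0))

def should_delete(entry, ma, now):
    """Has this disconnector persisted longer than its time to live?"""
    if entry.get("connector", True):
        return False  # joined entries are never swept
    if ma.get("mode") == "Creator":
        return False  # Creator mode MAs do not auto-delete disconnectors
    ttl = effective_ttl(entry, ma)
    if ttl == DEFER_INDEFINITELY:
        return False
    if ttl == 0:
        return True   # delete immediately
    return now >= entry["msMMS-DisconnectionTime"] + timedelta(seconds=ttl)

def sweep(entries, ma, now):
    """Return the DNs of disconnectors under this MA that have expired."""
    return [e["dn"] for e in entries if should_delete(e, ma, now)]

# Constructed sample: a Reflector mode Active Directory MA with a one-hour
# default TTL and four connector namespace entries in different states.
NOW = datetime(2000, 6, 1, 12, 0, tzinfo=timezone.utc)
ADMA = {"name": "adma", "mode": "Reflector", "msMMS-TimeToLive": 3600}
ENTRIES = [
    disconnect({"dn": "cn=Alice,ou=New Hires,Ma=adma"}, NOW - timedelta(hours=2)),
    disconnect({"dn": "cn=Bob,ou=New Hires,Ma=adma", "msMMS-TimeToLive": -1},
               NOW - timedelta(days=30)),
    disconnect({"dn": "cn=Carol,ou=New Hires,Ma=adma", "msMMS-TimeToLive": 7200},
               NOW - timedelta(hours=1)),
    {"dn": "cn=Dave,ou=New Hires,Ma=adma", "connector": True},
]

if __name__ == "__main__":
    print(sweep(ENTRIES, ADMA, NOW))  # ['cn=Alice,ou=New Hires,Ma=adma']
```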
## The TAMA Process

Figure (build-up graphic): metaverse entries under Sales and Claims carry Active Directory and Exchange resources; a Reflector mode MA imports new objects from the HR connected directory into the metaverse, TAMA updates the connector namespaces of the Active Directory and Exchange management agents, and those management agents then update their connected directories.
TAMA functions by examining directory entries in the metaverse namespace to determine whether those entries should have corresponding entries in one or more connector namespaces under particular management agents. It does this by determining whether any account profiles or resources apply to an object in the metaverse namespace.

Every connector namespace entry that TAMA creates or finds is marked with the msMMS-ManagedByProfile attribute, which configures the entry to function as if it existed under a Creator mode management agent. TAMA only updates the connector namespace; the management agents perform the connected directory updates.

The following steps describe how profiles and resources are processed when you run TAMA:

1. The TAMA control script is called. The TAMA control script is not directly visible from MMS Compass because it requires no modification.
2. The TAMA control script runs the Importt program with a -together command-line option that puts it into TAMA mode.
3. The Importt program scans the portion of the metaverse namespace it is responsible for, starting at the top.
4. As the Importt program reads each entry in the metaverse namespace, it looks for account profiles.
Topic Objective: To identify how account profiles and resources are processed when you run TAMA.

Delivery Tip: This graphic is a build-up graphic. The first slide illustrates how new objects are imported into the metaverse namespace through a management agent operating in Reflector mode. The second slide illustrates how TAMA checks the entries in the metaverse namespace to identify the entries that have resources assigned to them. After performing this check, TAMA starts the next step of updating these entries in the connector namespace. The third slide illustrates how TAMA performs multiple updates to the connector namespace. The fourth slide illustrates that the connected directories are updated the next time their associated management agents are run.
5. If a resource assignment script exists, it is applied to each entry.
6. If an account profile exists, TAMA examines each of the resources in turn and checks whether a corresponding connector entry exists in the connector namespace of each management agent specified in each resource.
7. If the connector does not exist, TAMA uses the specified management agent's Construct New Connectors template to construct a new connector namespace entry and join it to the entry in the metaverse namespace.
8. TAMA moves on to the next entry in the metaverse namespace in its area and repeats steps 4 through 7.
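The scan in steps 1 through 8, together with the flat and complex resource placement described under Flat and Complex Resources, as an added Python model (not MMS code and not the Importt program): `profile_for`, `target_dn`, `construct_connector` and `run_tama` are hypothetical names, DNs are plain comma-joined RDNs, a profile on a container is assumed to apply to every entry beneath it, and the sample metaverse, account profiles and connector namespaces are constructed from the Accounts Payable / Receivable scenario in the text.

```python
# Model of the TAMA scan (steps 1 to 8) plus flat and complex resource placement.
# Added illustration, not MMS code: DNs are plain comma-joined RDNs, and a profile
# on a container is assumed to apply to every entry beneath it, not to itself.
ALL_PARENTS = None  # stands for "All Parents" in Maximum Number Of Levels

def rdns(dn):
    """Split a DN into RDNs, leaf first (no escaping: constructed DNs only)."""
    return dn.split(",")

def profile_for(mv_dn, profiles):
    """Account profile on the nearest ancestor of mv_dn, or None."""
    parts = rdns(mv_dn)
    ancestors = [",".join(parts[i:]) for i in range(1, len(parts))]
    return next((profiles[a] for a in ancestors if a in profiles), None)

def target_dn(mv_dn, res):
    """Connector DN for mv_dn in the resource's MA connector namespace."""
    leaf, parents = rdns(mv_dn)[0], rdns(mv_dn)[1:]
    if res["type"] == "flat":
        return f"{leaf},{res['location']}"  # flat: leaf directly under location
    # complex: replay the metaverse parents below the boundary node, keeping
    # at most max_levels of them counted down from the boundary node
    top_down = list(reversed(parents[: len(parents) - len(rdns(res["boundary"]))]))
    if res["max_levels"] is not ALL_PARENTS:
        top_down = top_down[: res["max_levels"]]
    return ",".join([leaf] + top_down[::-1] + [res["location"]])

def construct_connector(ns, dn, object_class, joined_to):
    """Stand-in for the MA's Construct New Connectors template; returns dn."""
    ns[dn] = {"objectClass": object_class, "msMMS-ManagedByProfile": True,
              "joinedTo": joined_to}
    return dn

def run_tama(metaverse, profiles, namespaces):
    """Scan the metaverse top down; return the connector DNs created."""
    created = []
    for entry in sorted(metaverse, key=lambda e: len(rdns(e["dn"]))):
        for res in profile_for(entry["dn"], profiles) or []:
            ns, dn = namespaces[res["ma"]], target_dn(entry["dn"], res)
            if dn in ns:  # found: mark it as if made by a Creator mode MA
                ns[dn]["msMMS-ManagedByProfile"] = True
                continue
            for i in range(len(rdns(dn)) - len(rdns(res["location"])) - 1, 0, -1):
                parent = ",".join(rdns(dn)[i:])  # complex resources create parents too
                if parent not in ns:
                    created.append(construct_connector(ns, parent, "organizationalUnit", None))
            created.append(construct_connector(ns, dn, entry["objectClass"], entry["dn"]))
    return created

# Constructed sample: the Accounts Payable / Receivable scenario; exma already holds Bob.
METAVERSE = [
    {"dn": "cn=Alice,ou=Payable,ou=Accounts,o=Focus Inc", "objectClass": "person"},
    {"dn": "cn=Bob,ou=Receivable,ou=Accounts,o=Focus Inc", "objectClass": "person"},
]
PROFILES = {
    "ou=Payable,ou=Accounts,o=Focus Inc": [
        {"ma": "exma", "type": "flat", "location": "ou=Payable,Ma=exma"},
        {"ma": "adma", "type": "complex", "location": "ou=People,Ma=adma",
         "boundary": "o=Focus Inc", "max_levels": ALL_PARENTS}],
    "ou=Receivable,ou=Accounts,o=Focus Inc": [
        {"ma": "exma", "type": "flat", "location": "ou=Receivable,Ma=exma"}]}

def fresh_namespaces():
    """Connector namespaces before the run (Bob already exists under exma)."""
    return {"adma": {}, "exma": {"cn=Bob,ou=Receivable,Ma=exma": {"objectClass": "person"}}}
```

Running `run_tama(METAVERSE, PROFILES, fresh_namespaces())` creates Alice's flat Exchange connector, then the two parent OUs and the leaf under the complex Active Directory resource, and only marks Bob's existing Exchange connector.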
# Using TAMA and Active Directory MA to Create Users

- Using the MMS Compass to Create Users
- Using Scripts to Create Users
The Active Directory management agent in a TAMA scenario presents a special case. When you use TAMA and the Active Directory management agent together, TAMA, through TAMA resources, determines which objects need to be created in the connector namespace for the Active Directory management agent, for example, person entries or organizational units. The Active Directory management agent determines what type of object needs to be created in Active Directory, for example, user objects or contact objects. By default, the Active Directory management agent is configured to create contacts in Active Directory for each corresponding person connector in its connector namespace. This section describes how you can control whether the Active Directory management agent will create user or contact objects.
Topic Objective: To introduce the topics related to using TAMA and the Active Directory MA to create users.
## Using the MMS Compass Administration Action to Create Users

Slide: the Entry Administration dialog box, Microsoft Windows tab. It carries the fields Windows NT Domain Login Name and Microsoft 2000 Active Directory User Principal Name, the list User accounts created by these Active Directory MAs (here showing Ma=adma,DsaName=mdserver,ou=Application,o=Focus Inc,c=US) and a Select Management Agents button. The dialog help reads: "Use this form to specify Windows NT and Active Directory (Windows 2000) account names for use in administering this entry. You can also use this form to select the native master forest where to create a metaverse person as a user or disabled user." The Select Management Agents dialog reads: "Select the Management Agent where you want to create Users or Disable Users in Active Directory. Please note that this operation can be scripted using attribute flow. Copy and paste, or drag and drop this entry to the Management Agent's edit box." The callout shows the Active Directory management agent (adma) being copied from the mdserver tree into the list.
The Active Directory management agent is configured to create contacts in Active Directory for corresponding person entries in the metadirectory. To have the Active Directory management agent create user objects instead, you need to set the msMMS-ManagedByMA attribute on the metaverse namespace entry.

To create user objects for a limited number of person entries, you can use the Administration action in MMS Compass. The Administration action in MMS Compass allows you to associate one or more Active Directory management agents with a person entry. This association adds the distinguished name of one or more Active Directory management agents to the multivalued attribute msMMS-ManagedByMA.

To associate one or more Active Directory management agents with a person entry, perform the following steps:

1. In the directory pane of MMS Compass, click the person entry.
2. In the control pane, click Administration.
3. In the Entry Administration dialog box, click the Microsoft Windows tab, and then click Select Management Agents.
4. Copy the Active Directory management agent to User accounts created by these Active Directory MAs. Repeat this for each Active Directory management agent for which you want to create users or disabled users.

When the user is being created in Active Directory, the Active Directory management agent analyzes the person's entry in the metaverse namespace. If the Active Directory management agent determines that it has been selected to create users, it creates users. Otherwise, it creates contacts.