Additional OOB and Custom Sync Rule Functions… Again!

April 6, 2011 at 9:45 PM Henrik Nilsson

One of the wishes for additional functionality in FIM I’ve had since ILM2 has been custom Sync Rule Functions, and besides adding a feature request to Connect that got a lot of votes (and was closed with “Won’t Fix”), I blogged about it here.


The reason I want preferably custom and more OOB functions is simply that the available functions are way too limited, and much too often you’ll have to fall back on MA Extensions or creating custom workflows/activities where the Function Evaluator can’t help.

I’ve discussed this with a member of the product team and he claims that even though there is a public Sync Service interface allowing for this and a FIM Service system resource type (Function), this has never been a plan. Instead this has just been a way of implementing the current functions that remain in the FunctionLibrary.dll that is hardcoded to both the FIM Service and the Sync Service.

The Survey

Since I’m not a person that takes no for an answer, I did a little survey that I addressed to my MVP friends and some other FIM initiated friends (and their friends within Microsoft). I gave them my ideas for new OOB functions, since I’ve got the hint that custom functions are far away from being a reality, and asked them to suggest functions they would like to see in FIM in a not too far future.

The Answers

Even though I communicated the hint I got in the survey, that custom functions are far away, and instead asked for ideas for OOB functions they wished for, almost everyone said that custom and reusable functions are the only way to satisfy our demands. Here are some of the comments:

  • Quite frankly I don't see how they could ever satisfy all the requirements we could come up with. Allowing us to add functions is the only logical solution.
  • Please allow an extension to provide our own custom functions - this was also suggested during the summit. And while we're at it, please allow the same extension to be used for relationship criteria.
  • Could not agree more :), it's what's missing.. I can't stand sync rules.... this would help with the pain...
  • However, I totally agree that custom functions are the only way to satisfy all our requirements, including those that we can't think of right now but that we will have to face some day. In this way, no matter how many more functions we get, we won't be able to use only codeless provisioning.

As you can see above, there’s also a demand for allowing functions in the Sync Rule relationship and I totally agree; as it is now it could be hard to get usable “joins” when the values to join on are similar but not perfectly equal!

OOB functions?

Besides custom functions, there’s a demand for more OOB functions that could be used by those who don’t consider themselves developers. Some of the ideas were so similar that I took the liberty of merging them. I got one answer with code examples, where I chose not to include the code for readability, and I hope it is clear enough anyway.

  • Delete()
    Issue a .Delete on the MV Attribute to clear out unwanted or orphaned data due to removal of flow rules
  • ToInt(string)
    Cast the string to an integer, useful when you have to change an integer based anchor into a string to contribute elsewhere but need to provision it out
  • GetBitOperator(int bitmask, mask)
    Returns true/false of whether or not a bit is active in the mask
  • ConvertGeneralTimeToISO8601(string generalizedtime)
    Converts a flat string date
  • ConvertFileTimeToISO8601(datetime filetime)
    Converts a FileTime attribute to a format the FIM WS can accept
  • GeneratePassword(number length)
    Generate complex password from some predefined character group.
  • GeneratePassword(number length, string chargroup1)
    Generate complex password using characters from chargroup1.
  • GeneratePassword(number length, string chargroup1, string chargroup2)
    Generate complex password using characters from chargroup1 and chargroup2.
  • GeneratePassword(number length, string chargroup1, string chargroup2, string chargroup3)
    Generate complex password using characters from chargroup1 and chargroup2 and chargroup3.
  • IsUnique
  • AddDays(Now(), 15)
  • AddMonths(Now(), 6)
  • Len (string value)
    Function that returns the length of a string, 0 if null or empty.
  • ToString (any type value)
    Function that converts any datatype to string.
    (it’s so irritating trying to map an integer value to a string during inbound sync, for example to employeeID and you get an error)
  • Split (string value, string separators)
    Function that splits a string into a multi-valued string.
  • Join (string multi-valued value, optional string separator)
    Function that joins a multi-valued string value into a single-valued value with an optional separator string.
  • Index (any type multivalued value, number index)
    Function that returns a single value of the same datatype as the multi-valued input value by index.
  • Add (any type multivalued value,  any type single-valued value to add)
    Function that adds a single-valued value to a multi-valued value of the same type (one use could be for handling object classes in LDAP directories)
  • Remove(any type multivalued value, any type single-valued value to remove)
    Function that removes a single-valued value from a multi-valued value of the same type.
  • RegexReplace(string value, string pattern, string replace)
    Function that does a string replace using a regex pattern.
  • StartsWith(string value, string startswith)
    Function useful for finding out if a string starts with a specific string when doing IIF’s.
    Could maybe be solved using the already available Mid function but this is easier.
  • EndsWith(string value, string endswith)
    Function useful for finding out if a string ends with a specific string when doing IIF’s.
    Could maybe be solved using the already available Mid function but this is easier.
  • IsValid(string value, string pattern)
    Function for validating an input value using a regex pattern when doing IIF’s
  • Format(string format, string value1, string value2, string value3… )
    Function that replaces the format item in a specified string with the string representation of a corresponding string in a specified parameter. I just love this function on the .Net string object and I think it could be really useful, even though I understand it could be hard to implement a user interface for it, since the FIM functions can’t accept an arbitrary number of parameters.
  • Now()
    Function that returns the current date and time.
  • Normalize(string value)
    Function for normalizing characters like ÅÖÄÜ etc. and removing all kinds of diacritics when for example creating email addresses. I’m told this could be done using the EscapeDNComponent function but that’s only available for outbound sync rules.
  • Word (string value, number index, string separators)
    This already available function doesn’t allow you to use an attribute as the value, only a fixed string.
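
A sketch of how the GeneratePassword idea from the list above could look in C#, added here as an illustration and not taken from FIM, the survey answers or the author's Activity Library. The class name `PasswordFunctions` and the helper `NextIndex` are hypothetical, and a `params` array stands in for the one to three chargroup parameters. It draws from a cryptographic random number generator without modulo bias and guarantees at least one character from every group.

```csharp
using System;
using System.Security.Cryptography;

// Added example: hypothetical helper, not part of FIM's FunctionLibrary.dll.
public static class PasswordFunctions
{
    private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();

    // Uniform index in [0, max) by rejection sampling, avoiding modulo bias.
    private static int NextIndex(int max)
    {
        uint limit = uint.MaxValue - (uint.MaxValue % (uint)max);
        byte[] buf = new byte[4];
        uint value;
        do
        {
            Rng.GetBytes(buf);
            value = BitConverter.ToUInt32(buf, 0);
        } while (value >= limit);
        return (int)(value % (uint)max);
    }

    // charGroups stands in for chargroup1..chargroup3 from the list above.
    public static string GeneratePassword(int length, params string[] charGroups)
    {
        if (charGroups == null || charGroups.Length == 0)
            throw new ArgumentException("At least one character group is required.");
        if (length < charGroups.Length)
            throw new ArgumentException("Length must allow one character per group.");
        foreach (string g in charGroups)
            if (string.IsNullOrEmpty(g))
                throw new ArgumentException("Character groups must not be empty.");

        string all = string.Concat(charGroups);
        char[] result = new char[length];
        for (int i = 0; i < length; i++)
        {
            // One character from each group first, the rest from the union.
            string pool = i < charGroups.Length ? charGroups[i] : all;
            result[i] = pool[NextIndex(pool.Length)];
        }
        // Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
        for (int i = length - 1; i > 0; i--)
        {
            int j = NextIndex(i + 1);
            char tmp = result[i]; result[i] = result[j]; result[j] = tmp;
        }
        return new string(result);
    }
}
```

`System.Random` would be the wrong source here because its output is predictable from the seed; the rejection loop keeps every character of a pool equally likely.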


I’m not the only one asking for this functionality, but in order to make a change we need to get votes for it on Connect. Therefore I’ve made a new request that you can find here:

Custom and additional OOB Sync Rule Functions (again)...

Go ahead and vote for it, but don’t forget to make a comment on why you wish to be able to create custom functions that can be reused and to have a larger set of OOB functions. Also don’t be afraid of inviting your friends to vote and of publishing this or the Connect feature request on any social media!

Posted in: Forefront Identity Manager | Sync Functions | Sync Rules | Workflow


Codeless Provisioning Sync Rules – The Patent

September 21, 2009 at 8:28 PM Henrik Nilsson

Want to learn codeless provisioning the FIM 2010 way? Have a look at:

Register and you’re able to download the patent as pdf with pictures.

Posted in: Forefront Identity Manager | Sync Functions | Workflow

The need for custom FIM 2010 sync rule functions

September 20, 2009 at 2:32 PM Henrik Nilsson

All of you that have been working with the ILM”2”/FIM 2010 sync rules have found the functions and custom expressions in sync rules and in the Function Activity extremely helpful for extracting and formatting attributes or evaluation. (OK, the Function Activity wasn’t very useful, but there was a workaround, see Cortego Update Value Activity; this bug will be fixed in RC1.) But most of you have also realized the functions are limited and in many cases you have to fall back on custom workflow activities or legacy flow rules for this.

Those of you out there who aren’t familiar with the functions and custom expressions could have a look at these excellent blog posts for more info:

During the session What’s New in FIM 2010 RC1 held by Mark Wahl at TEC 2009 Europe in Berlin we were told that custom functions won’t make it to RTM, but during the FIM 2010 Chalktalk session I called out for this to be added as soon as possible and I got strong support for this from Markus Vilcinskas (Thanks Markus!!!). The not perfect but positive answer I got was that this might end up in a future Feature Pack that the product team already seems to be planning, and these Feature Packs might even be pushed out using Windows Update.

So why is this something I find so important?

The functions are simple and powerful but the available functions in RC0 are limited. Maybe they’ll add more functions within RC1, but it won’t be enough for all possible cases you’ll get into. Those of you that have had a look at my Activity Library could see that Normalize Diacritic Characters Activity, Regex Replace Activity and Generate Password Activity would make more sense as function calls, but except for the Regex Activity they probably wouldn’t be suitable as built-in functions. The remaining two activities in my library, Unique Name Activity and LDAP Search Activity (the Update Value Activity will be removed from RC1 since the Function Activity included in FIM will be able to update values from RC1), would probably not be suitable as functions since they call out for external information.

If you have a look at some of the functions found in the common .Net objects and compare them to what is available in RC0, you’ll probably understand what I mean:

  • Conversion functions – For example converting accountExpires, lastLogonTimeStamp and pwdLastSet to and from Int64.
  • IndexOf or Contains - To find out if a string is contained and where, without this the included Mid function isn’t useful unless you’re absolutely certain your attribute has an exact format.
  • Len - To be able to find out the length of a string, useful to find out if for example the userAccountName attribute is longer than the allowed 20 characters in AD.
  • StartsWith, EndsWith - similar to IndexOf and Contains but could be easier to use in some cases.
  • Format - I just love this function on the .Net string object and I think it could be really useful, even though I understand it could be hard to implement a user interface for it because it takes any number of input values.
  • Now – Date function to get the current date and time.
  • AddDays, AddHours, etc – System.DateTime functions for decreasing and increasing date and time values perfect for setting ExpirationTime attribute.
  • DayOfWeek, DaysInMonth, IsLeapYear, etc. – Other date time functions that could be useful in some cases.
  • Any more advanced function you might be in need of as long it’s kept simple and static.
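
The first item in the list above, converting attributes such as accountExpires to and from Int64, could look like this as a static function pair. This is an added example and not code from FIM or from the author's Activity Library; the class name, function names and the output format string are assumptions, and the sample values in `Main` are constructed.

```csharp
using System;
using System.Globalization;

// Added example: hypothetical helpers, not part of FIM's FunctionLibrary.dll.
public static class FileTimeFunctions
{
    // accountExpires stores 0 or Int64.MaxValue when the account never expires.
    private const long Never = long.MaxValue;
    // Assumed target format for the date string; adjust to what the consumer accepts.
    private const string IsoFormat = "yyyy-MM-ddTHH:mm:ss.fff";

    // Returns null when the value carries no real date.
    public static string ConvertFileTimeToISO8601(long fileTime)
    {
        if (fileTime <= 0 || fileTime == Never) return null;
        try
        {
            return DateTime.FromFileTimeUtc(fileTime)
                .ToString(IsoFormat, CultureInfo.InvariantCulture);
        }
        catch (ArgumentOutOfRangeException)
        {
            return null; // value lies beyond DateTime.MaxValue
        }
    }

    // Reverse direction, e.g. for flowing an expiry date out to accountExpires.
    public static long ConvertISO8601ToFileTime(string iso)
    {
        if (string.IsNullOrEmpty(iso)) return Never;
        DateTime utc = DateTime.ParseExact(iso, IsoFormat, CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);
        return utc.ToFileTimeUtc();
    }

    public static void Main()
    {
        long[] samples = { 0, 129465216000000000, long.MaxValue }; // constructed values
        foreach (long ft in samples)
        {
            string iso = ConvertFileTimeToISO8601(ft);
            Console.WriteLine("{0} -> {1} -> {2}", ft, iso ?? "(no date)",
                ConvertISO8601ToFileTime(iso));
        }
    }
}
```

Handling the two "never" sentinels explicitly matters for account lifecycle: a conversion that passes them straight to `DateTime` either throws or yields a date in 1601, which downstream logic can read as an already expired account.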

If you have an idea of your own of what could maybe be implemented as function please add a comment to this blog post.

Am I alone in this wish?

I don’t think so. If you have a closer look at the feedback session at the ILM”2” connect site (you must have a connect account for access) or the ILM”2” forum at TechNet, you’ll find a lot of requests for this and cases where this could have helped out.

With custom functions FIM 2010 will be a much more complete product!

What's the problem then?

If you have a look at Administration/All Resources in the portal, you’ll see there’s already an object type called Function, and when having a closer look at any of the functions you can see there’s a referenced dll and namespace, pretty much like with workflows. So I believe custom functions are already prepared for, unless this is for presenting functions in the UI only, but then the reference to namespace and dll would be unnecessary. Personally I think the product team found out it was going to be hard to evaluate and execute function calls, not to mention the possibility for abuse if they were allowing for custom functions, since the function calls are executed on behalf of the sync engine.

Functions from within the portal

Having a deeper look at the bits and pieces of the current implementation, the available functions together with the code for evaluating and executing the functions are implemented in the FunctionLibrary.dll, the dll referenced from the portal. Inside the FunctionLibrary.dll there is a class named AttributeFlowMappingHandler that derives from the interface IMASyncRuleCallout that is a part of the Microsoft.MetadirectoryServicesEx.dll – the same library you reference when creating MV and MA extensions! This is interesting because then there’s already an extension point from within the sync engine to a custom function library. Unfortunately that’s not enough unless you wish to disassemble the FunctionLibrary.dll, make your own additions to it and then replace the original one, but that’s nothing I recommend even if you’re an experienced developer, and I’m not sure it would work anyway. What we need is a simple extension point, like for workflow activities, where we reference our function library (the functions only), maybe evaluation code for each function and documentation.


If you agree with me on this you’re welcome to join the struggle! You could for example make a comment on this blog post, make a post on your own blog, talk to any FIM 2010 team members you might know or meet, post feedback to the connect website (Feedback is still open) or why not all of the alternatives! :-)

Posted in: Forefront Identity Manager | Identity Management | Sync Functions