Microsoft Identity Lifecycle Manager "2": Policies


Now that I have explained that the concept of organizing things into sets is the most fundamental idea in Microsoft Identity Lifecycle Manager "2," I can tell you about a notion that builds upon it: management policy rules.  Now, I have no idea why we use that wordy term when the single word "policy" would do just as well.  Perhaps it is because, in the ignominious tradition of such names as Windows Communication Foundation and Windows Presentation Foundation, we still believe that three words are better than one, despite P-Diddy and J-Lo having firmly established that barely one word will usually do better than two.  Anyhow, when we say "management policy rule," grit your teeth and think "policy."


A management policy rule is one of the various types of objects that are included by default in Microsoft Identity Lifecycle Manager "2."  Like any other type of object, it has attributes.  In particular, thanks to my colleague Jack Kabat, who figured out how to make policies work, management policy rules have these attributes, among others:



  1. Principal Set

  2. Action Type

  3. Action Parameter

  4. Resource Current Set

  5. Resource Final Set

  6. Grant Right

  7. Authentication Workflow Definition

  8. Authorization Workflow Definition

  9. Action Workflow Definition

You will note that the term "set" appears several times in this list of attributes, which is why I needed to introduce that concept before moving on to this topic.  Together, these attributes define whether a request by someone to do something to an object is permissible and, if it is, what its consequences might be.  How do those attributes accomplish that?


If you want to say what a particular set of users is allowed to do, or what the consequences of their actions might be, then you use the Principal Set attribute to identify that set of users.  Every policy rule must define a set of principals, even if that is the built-in set of all objects or the built-in set of all people.


The Action Type attribute specifies which actions requested by the principal set are covered by the policy.  Multiple actions might be identified.  The possible actions are Create, Delete, Read, Add, Remove, and Modify, those being all of the things that one is allowed to do to an object or to an attribute of an object.


The Action Parameter attribute of a policy is the list of attributes that a request covered by the policy may read or modify.  For example, if a policy has everyone that reports to Henry as its principal set, Read as its action type, and Title and Salary as the value of its action parameter attribute, then it is a policy that says whether or not everyone that reports to Henry may read the title and salary attributes of certain objects.  A request by one of Henry's reports to read some other attribute of those objects would not be covered by that policy at all.


The Resource Current Set attribute identifies the set of objects upon which the set of principals might be requesting to perform some operation.  So, if I want to say that everyone who reports to Henry has the right to delete everyone who reports to Anne, then I express that in a policy that has the set of people who report to Henry as the principal set and the set of people who report to Anne as the resource current set.


Now, when a request to perform some operation on an object is actually executed, that may result in the object joining or leaving a set.  For example, if Joe reports to Anne, and Henry requests that Joe's manager attribute be changed from Anne to Peter, then when the request is executed Joe will leave the set of people who report to Anne and join the set of people who report to Peter.  Thus, for that request, the resource final set would be the set of people who report to Peter.  The Resource Final Set attribute of a policy allows one to say what may or may not be permitted depending on what the consequences of the request would be: the resource current set is matched against the object as it is before the request, and the resource final set against the object as it would be after the request had been executed.


The Grant Right attribute of a policy indicates whether, if this policy applies to a request, the policy grants the right for the request to be executed.  This attribute allows us to have one policy that applies to the request and permits it, by virtue of having the Grant Right attribute set to true, and another policy that also applies to the request but only defines the consequences that follow from the request being executed.  The latter policy would have the Grant Right attribute set to false.  Such a policy would not prohibit a request to which it applied, but in order for that request to be permitted, at least one other applicable policy would have to grant permission for the request to be executed.  In other words, Grant Right can only ever grant; a request that matches no policy with Grant Right set to true simply does not proceed, and the consequences defined by the other policies that matched it never happen.


The Authentication, Authorization and Action Workflow Definition attributes of a policy identify Windows Workflow Foundation workflow definitions that are executed in response to a request to which the policy applies.  Authentication, Authorization, and Action are the three phases of the Microsoft Identity Lifecycle Manager "2" request processing model: the first two run before the request is committed and can still stop it, and the action workflows run only after the request has been permitted and executed.  That processing model will be the subject of an upcoming post.
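To make the evaluation concrete, here is a small model of it in Python.  This is an added example written for this post, not ILM code: the set filters, the object and policy names, the `ALL` wildcard for the Action Parameter attribute, and the rule that a Delete leaves the object in no final set are all assumptions, and the directory is a constructed sample.  The model evaluates a request against each policy, matches the Resource Current Set against the object before the request and the Resource Final Set against it afterwards, grants the request only if some applicable policy has Grant Right set to true, and collects the workflows of every applicable policy, consequence-only ones included.

```python
# Toy evaluator for the management policy rule (MPR) model described above.
# Added example for this post; it is not ILM code and all names are made up.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

Directory = Dict[str, Dict[str, object]]          # object id -> attributes
SetFilter = Callable[[Dict[str, object]], bool]    # a set is a filter over objects

ALL = frozenset({"*"})                             # assumed Action Parameter wildcard

@dataclass
class Request:
    principal: str                                 # who is asking
    action: str                                    # Create, Delete, Read, Add, Remove or Modify
    target: str                                    # object the request acts upon
    attributes: Dict[str, object] = field(default_factory=dict)  # attr -> value (value ignored for Read)

@dataclass
class Policy:
    name: str
    principal_set: str
    action_types: FrozenSet[str]
    action_parameters: FrozenSet[str]
    resource_current_set: str
    resource_final_set: Optional[str] = None       # None: no condition on the post-request state
    grant_right: bool = False
    authentication_workflows: List[str] = field(default_factory=list)
    authorization_workflows: List[str] = field(default_factory=list)
    action_workflows: List[str] = field(default_factory=list)

def members(directory: Directory, sets: Dict[str, SetFilter], set_name: str) -> FrozenSet[str]:
    """Set membership is computed from the set's filter each time, never stored."""
    return frozenset(oid for oid, attrs in directory.items() if sets[set_name](attrs))

def apply_request(directory: Directory, req: Request) -> Directory:
    """Return a copy of the directory as it would look after the request is committed."""
    after = {oid: dict(attrs) for oid, attrs in directory.items()}
    if req.action == "Delete":
        after.pop(req.target, None)                # a deleted object belongs to no final set
    elif req.action == "Create":
        after[req.target] = dict(req.attributes)
    elif req.action in ("Modify", "Add", "Remove"):
        after[req.target].update(req.attributes)   # toy: multi-valued Add/Remove collapsed to assignment
    return after                                   # Read changes nothing

def applies(policy: Policy, directory: Directory, sets: Dict[str, SetFilter], req: Request) -> bool:
    if req.action not in policy.action_types:
        return False
    if policy.action_parameters != ALL and not set(req.attributes) <= policy.action_parameters:
        return False                               # request touches an attribute the policy does not cover
    if req.principal not in members(directory, sets, policy.principal_set):
        return False
    # Resource Current Set is matched against the state before the request ...
    if req.action != "Create" and req.target not in members(directory, sets, policy.resource_current_set):
        return False
    # ... and Resource Final Set against the state after it would be committed.
    if policy.resource_final_set is not None:
        after = apply_request(directory, req)
        if req.target not in members(after, sets, policy.resource_final_set):
            return False
    return True

def evaluate(policies: List[Policy], directory: Directory, sets: Dict[str, SetFilter], req: Request) -> dict:
    matched = [p for p in policies if applies(p, directory, sets, req)]
    return {
        "granted": any(p.grant_right for p in matched),   # rights are additive; there is no deny
        "policies": [p.name for p in matched],
        "authentication": [w for p in matched for w in p.authentication_workflows],
        "authorization": [w for p in matched for w in p.authorization_workflows],
        "action": [w for p in matched for w in p.action_workflows],
    }

# Constructed sample directory: every object is a person with a manager attribute.
DIRECTORY: Directory = {
    "henry": {"manager": None,    "title": "VP",       "salary": 300},
    "anne":  {"manager": "henry", "title": "Director", "salary": 200},
    "peter": {"manager": "henry", "title": "Director", "salary": 200},
    "sam":   {"manager": "henry", "title": "Analyst",  "salary": 90},
    "joe":   {"manager": "anne",  "title": "Engineer", "salary": 120},
}
SETS: Dict[str, SetFilter] = {
    "All People":       lambda a: True,
    "Reports to Henry": lambda a: a.get("manager") == "henry",
    "Reports to Anne":  lambda a: a.get("manager") == "anne",
    "Reports to Peter": lambda a: a.get("manager") == "peter",
}
POLICIES = [
    Policy("Henry's reports may delete Anne's reports", "Reports to Henry", frozenset({"Delete"}), ALL,
           "Reports to Anne", grant_right=True, action_workflows=["Notify HR"]),
    Policy("Henry's reports may read Title and Salary of Anne's reports", "Reports to Henry",
           frozenset({"Read"}), frozenset({"title", "salary"}), "Reports to Anne", grant_right=True),
    Policy("Henry's reports may move Anne's reports under Peter", "Reports to Henry", frozenset({"Modify"}),
           frozenset({"manager"}), "Reports to Anne", "Reports to Peter", grant_right=True,
           authorization_workflows=["New manager approval"], action_workflows=["Provision Peter's team mailbox"]),
    Policy("Audit every manager change (consequence only)", "All People", frozenset({"Modify"}),
           frozenset({"manager"}), "All People", "All People", grant_right=False,
           action_workflows=["Audit manager change"]),
]

def decide(req: Request) -> dict:
    return evaluate(POLICIES, DIRECTORY, SETS, req)

if __name__ == "__main__":
    for req in (Request("sam", "Modify", "joe", {"manager": "peter"}),   # granted, approval + two action workflows
                Request("sam", "Modify", "joe", {"manager": "henry"}),   # only the audit policy matches: not granted
                Request("sam", "Read", "joe", {"title": None, "salary": None}),
                Request("joe", "Read", "sam", {"salary": None}),          # joe is not in the principal set
                Request("sam", "Delete", "joe")):
        print(req.principal, req.action, req.target, decide(req))
```

The second request is the one worth staring at: moving Joe under Henry instead of Peter still matches the audit policy, so its action workflow is collected, but because that policy has Grant Right set to false and nothing else matches, the request is not granted and the workflow would never actually run.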
