Monday, August 16, 2010

FIM Sync References vs. PowerShell Identity Attributes

Just thinking out loud here, but Reference attributes in the Sync engine have long been one of my favourite features.  Unfortunately, with great power come some pretty long sync cycles on larger-scale systems (this is a non-issue for most deployments).

Reference attributes are powerful because they abstract not only the schema from a connected system, but also the relationships, such as group memberships and reporting structures.  The sync engine makes it pretty easy to flow these relationships across systems without a single line of code.  This used to be quite a bit of zScript.

How much complexity is enough to warrant a Sync Engine deployment?

If you’re only synchronizing two systems, I might argue that the Sync Engine is overkill for your solution.  If, however, you had lots of tricky transformations to handle, including reference attributes, then I might fall back to my usual tool of choice (the sync engine).  But what if it was easy to do reference translation in a tool other than the sync engine?  Well, there isn’t a great answer here yet, but the point of this post is to think about alternatives.

PowerShell Identity Attributes

The Exchange team has cmdlets that take ‘Identity’ parameters.  These parameters can be a pain if you’re writing an XMA that expects exports to be re-imported, but once I forgave that I started to wonder if this was not a pain in the ass, but maybe a really cool feature.  The sync engine will figure out the references for you, and export them to the connected system in a format it understands.  Identity parameters in the Exchange PowerShell cmdlets act more like late-binding whereby they take an input and try to match it to the referenced object whenever you run the cmdlet.  Pretty cool, but of course this isn’t common across PowerShell cmdlets.  AFAIK it is specific to Exchange so the usefulness is quite limited, but the potential is there (yes, I’m an optimist).
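To make the late-binding idea concrete, here is an added sketch (not code from this post, and not how Exchange implements its Identity parameters) that resolves a manager reference at run time against whichever key it happens to match. The function names `Resolve-Identity` and `Resolve-ManagerReference`, the key order, and all sample objects are assumptions constructed for illustration; the resolver refuses to bind when a value matches more than one object or none at all.

```powershell
# Constructed sample directory standing in for the target system (not real data).
$directory = @(
    [pscustomobject]@{ Guid = '11111111-1111-1111-1111-111111111111'; Alias = 'jsmith';  Smtp = 'john.smith@example.test'; DN = 'CN=John Smith,OU=Staff,DC=example,DC=test'; Name = 'John Smith' }
    [pscustomobject]@{ Guid = '22222222-2222-2222-2222-222222222222'; Alias = 'sjones';  Smtp = 'sam.jones@example.test';  DN = 'CN=Sam Jones,OU=Staff,DC=example,DC=test';  Name = 'Sam Jones' }
    [pscustomobject]@{ Guid = '33333333-3333-3333-3333-333333333333'; Alias = 'sjones2'; Smtp = 'sam.jones2@example.test'; DN = 'CN=Sam Jones,OU=Sales,DC=example,DC=test';  Name = 'Sam Jones' }
)

# Hypothetical late-binding resolver: takes whatever string the caller has and
# tries each key in turn (assumed order, most specific first).
function Resolve-Identity {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][object[]]$Directory
    )
    foreach ($key in 'Guid', 'DN', 'Smtp', 'Alias', 'Name') {
        $hits = @($Directory | Where-Object { $_.$key -eq $Identity })
        if ($hits.Count -eq 1) { return $hits[0] }
        if ($hits.Count -gt 1) {
            # Binding to "the first match" would silently pick the wrong object.
            throw "Ambiguous identity '$Identity': $($hits.Count) objects share $key"
        }
    }
    throw "Identity '$Identity' did not match any object"
}

# Constructed source records: each expresses the manager reference differently.
$source = @(
    [pscustomobject]@{ Alias = 'adoe';  Manager = 'john.smith@example.test' }
    [pscustomobject]@{ Alias = 'bwong'; Manager = 'CN=John Smith,OU=Staff,DC=example,DC=test' }
    [pscustomobject]@{ Alias = 'clee';  Manager = 'Sam Jones' }   # two objects share this Name
    [pscustomobject]@{ Alias = 'dkhan'; Manager = 'nobody' }      # no such object
)

# Translate every reference at export time; report failures instead of guessing.
function Resolve-ManagerReference {
    param($Source, $Directory)
    foreach ($row in $Source) {
        try {
            $manager = Resolve-Identity -Identity $row.Manager -Directory $Directory
            [pscustomobject]@{ Alias = $row.Alias; ManagerGuid = $manager.Guid; Status = 'Resolved' }
        } catch {
            [pscustomobject]@{ Alias = $row.Alias; ManagerGuid = $null; Status = $_.Exception.Message }
        }
    }
}

Resolve-ManagerReference -Source $source -Directory $directory | Format-Table -AutoSize
```

The first two rows resolve to the same GUID from an SMTP address and a DN; the last two are reported as ambiguous and unmatched rather than exported.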

Does this even matter today?

The answer in MOST cases will be no.  Craig is simply dreaming of alternatives and speaking in the third person again.  However, if I was tasked with synchronizing anything to Exchange and Exchange only, I might consider this approach.  As soon as you have to export to ANYTHING else, then this approach loses applicability FAST.

The sync engine is still a solid, solid engine for integrating identity repositories but that doesn’t mean it isn’t fun to entertain other approaches.  If your only tool is a hammer…
