Hi all. Jef asked if I could do some doco review - very happy to help. I've only got through the Activities section so far but wanted to post these comments - hopefully this is an ok place to do it.
Build and Deployment
Note: If you get any access denied errors from FIM Service during the creation of AIC's, you may have forgotten to correct the typo "IsAuthoriztionActivity" to "IsAuthorizationActivity" in the built-in MPR called "Administration: Administrators control configuration related resources".
I didn’t know myself that such a typo existed and I just created my own AIC policy. Is there a link to a technote about this? Rather than “You may have forgotten”, link to the technote instead. (I’m surprised a patch would not have fixed this.)
Create Resource Activity
Iteration
Optional. This is a lookup or function expression returning a collection of values to iterate over. use of iteration disables publication of created resource Id ("Target for Created Resource ID") and conflicting resource Id ("Target for Conflicting Resource ID").
In the “Delete Resource” activity there is a link to the Iteration page from this sub-section.
While the activity supports iteration, it is best to refrain from creating more than one resources in a single activity.
Should be “resource” not “resources”.
Why is it best? I only ever used this activity to create single resources myself, but the functionality must be there for some reason. Would be good to add a bit more explanation about why it is recommended – the main things I can think of right now are that it’s much easier to track what’s going on, and there is no chance of accidentally spawning creation of thousands of objects. Or alternatively add a comment about whatever specific use case this feature was added for and state you wouldn’t use it otherwise.
BTW this group creation example is a really good one – I’ve recently been finding out just how difficult(/impossible) something like this is for certain competitor products.
Generate Unique Value Activity
Noticed one instance of “FIMServive” on the page.
It’s good you talk about bulk updates – I got into a terrible mess trying to generate a lot of AccountNames using this activity. I think it was made even worse by SQL doing an extra uniqueness lookup for that specific attribute.
Run PowerShell Script Activity
Powershell Script User: Worth mentioning that the FIMService service account is what is used to run the script by default.
Impersonation: there were problems with that and Craig’s PowerShell activity. The end result was a reg change was needed on each FIM Service server – if you didn’t make the reg change you could only impersonate members of the local Administrators group. The fact that a logon type has to be specified makes me think this might be the same. If so it would be worth expanding on the pre-reqs for the users that can be impersonated. It’s pretty common to want to say “any”, especially when it’s the original requestor we want to impersonate.
It would be really good to have a script template as a starting point, which shows how to send parameters to the script, and how to get information back from it.
I don’t agree with the comment about not using it in production environments – in fact sometimes you have to (like when performing Exchange activities). Sounding a note of caution about spawning lots of sessions is worthwhile however.
On the comment about things failing – I use a lot of Invoke-Expression so I can set up the command I’m going to run, log the exact command, then run it, and capture the results. Try…Catch followed by testing we got a result is very helpful too. Anything to stop the script bombing out but returning a valid status. (Another thing to include – how to return a Failed status to the workflow – I normally just Throw the error message I want the request to store – that’s with Craig’s activity.)
I don’t see anything about the changes that need to be made to be able to run the FIMAutomation cmdlets. It’s possible that the config file changes are made as part of the setup, but we also need a person object for the FIMService service account that can login to the Portal and has the appropriate rights.
Finally – something on error reporting from the scripts would be good. E.g. write to a log file, write to the Event Log, return RequestStatusDetail to the request.
Activity Advanced Features Iteration
Supported Activities does not mention Delete Resource.
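Added example of the kind of script template asked for in the Run PowerShell Script Activity comments above: parameters in, a result back to the workflow, the exact command logged before it runs, try/catch with a check that a result came back, and a thrown error to return a Failed status. This is not code from the original post or from the activity library’s documentation. It assumes the activity binds named parameters through the script’s param() block and returns pipeline output to the workflow; the log path, event source and event ID are placeholders, and it uses splatting with a logged rendering of the command instead of Invoke-Expression so the script does not have to build a command string from request data.

```powershell
# Added example: a starting-point script template, not code from the original post
# or the activity library's documentation. Assumptions: the activity binds named
# parameters through the script's param() block and returns whatever the script
# writes to the pipeline; the log path and event source below are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$AccountName,
    [string]$LogPath = 'C:\FIMScripts\Logs\LookupMail.log'   # placeholder path
)

function Write-ScriptLog {
    param([string]$Message, [string]$Level = 'INFO')
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $Level, $Message
    Add-Content -Path $LogPath -Value $line
    if ($Level -eq 'ERROR') {
        # Source must have been registered once with New-EventLog; placeholder name and ID.
        Write-EventLog -LogName Application -Source 'FIMWorkflowScript' -EntryType Error `
            -EventId 1001 -Message $Message -ErrorAction SilentlyContinue
    }
}

# Reject anything that is not a plausible account name before it reaches a cmdlet,
# so a stray value arriving from the request cannot change what the command does.
if ($AccountName -notmatch '^[A-Za-z0-9._-]{1,64}$') {
    Write-ScriptLog "Rejected AccountName '$AccountName': unexpected characters" 'ERROR'
    throw 'Invalid AccountName supplied to script'
}

# Build the command as a parameter table (splatting) rather than a string, and log a
# rendering of it so the log shows exactly what ran, without Invoke-Expression.
$params = @{ Identity = $AccountName; Properties = 'mail' }
$rendered = 'Get-ADUser ' + (($params.GetEnumerator() |
    ForEach-Object { "-$($_.Key) '$($_.Value)'" }) -join ' ')
Write-ScriptLog "Running: $rendered"

try {
    $user = Get-ADUser @params -ErrorAction Stop
    if (-not $user) { throw "No result returned for $AccountName" }
    Write-ScriptLog "Success: mail=$($user.mail)"
    # Pipeline output is what goes back to the workflow (assumption about the activity).
    [pscustomobject]@{ Status = 'Success'; Mail = $user.mail }
}
catch {
    # A terminating error is what makes the activity record a Failed status; the
    # message is what the request keeps, so make it specific.
    Write-ScriptLog "Failed: $($_.Exception.Message)" 'ERROR'
    throw $_.Exception.Message
}
```

The script runs under whatever account the activity uses (the FIMService service account unless impersonation is configured, per the comments above), so the log directory and the event source need to be writable by that account; the `-ErrorAction Stop` on the cmdlet is what turns a non-terminating lookup failure into something the catch block actually sees.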