





Contents
Overview 1
Introduction to TAMA 2
How TAMA Works 3
Using TAMA and Active Directory MA to Create Users 11
Implementing a Central Account Scenario 15
Lab A: Implementing a Central Account Scenario Using TAMA 25
Best Practices 26
Review 27

Module 8: Managing Enterprise Identity Using TAMA

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.


Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, BackOffice, MS-DOS, Windows, Windows NT, <plus other appropriate product
names or titles. The publications specialist replaces this example list with the list of trademarks
provided by the copy editor. Microsoft is listed first, followed by all other Microsoft trademarks
in alphabetical order. > are either registered trademarks or trademarks of Microsoft Corporation
in the U.S.A. and/or other countries.

<The publications specialist inserts mention of specific, contractually obligated to, third-party
trademarks, provided by the copy editor>

Other product and company names mentioned herein may be the trademarks of their respective
owners.


Module 8: Managing Enterprise Identity Using TAMA i


Instructor Notes
Instructor_notes.doc

Presentation:
xx Minutes


Lab:
xx Minutes


Overview
• Introduction to TAMA
• How TAMA Works
• Using TAMA and Active Directory MA to Create Users
• Implementing a Central Account Scenario
• Best Practices


Business organizations spend a significant amount of time and effort ensuring that newly hired employees are provided with the accounts they need to access the resources required to do their jobs. Similarly, there is a business need to remove all accumulated accounts from employees who leave the organization.

The Together Administration management agent (TAMA) in Microsoft® Metadirectory Services version 2.2 (MMS), with its ability to integrate and manage identity information, assists administrators in the account provisioning process. TAMA helps organizations lower the total cost of ownership of account resources by automating many of the common administrative functions required to provision new accounts. TAMA also helps organizations reduce the risks associated with unauthorized data access by automating the deletion of defunct accounts.

At the end of this module, you will be able to:
• Describe the purpose of TAMA in managing enterprise identity.
• Describe how TAMA works.
• Describe how to create users by using TAMA and the Active Directory management agent.
• Implement a central account scenario by using TAMA.
• Identify the best practices for implementing TAMA.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about using TAMA to automate the creation and deletion of user accounts in each connected directory.

Introduction to TAMA
[Figure: build-up graphic. Connected directories (HR, Active Directory, Exchange) each sit behind a connector namespace in the metadirectory, and the connector namespaces share one metaverse. A management agent in Reflector mode imports new objects into the metaverse; TAMA then writes updates to each connector namespace; each management agent's run carries those updates to its connected directory.]

TAMA is a special kind of management agent. TAMA constructs a connector namespace entry that is then propagated to the connected directory by another management agent, regardless of that management agent's operating mode. Unlike traditional management agents, which use a connected directory as their data source, TAMA uses the metaverse namespace as its data source. You can configure TAMA to scan a portion of the metaverse namespace, identify new or deleted entries, and then send the additions or deletions to the connector namespaces of the appropriate management agents. For example, when an organization hires a new employee, the Human Resources administrator adds an entry to the Human Resources connected directory. The following tasks occur when you add an entry to a connected directory:
1. The Human Resources management agent reflects that entry in the metaverse namespace.
2. When the Human Resources administrator runs TAMA, TAMA locates the new entry in the metaverse namespace and creates corresponding connector entries in the applicable connector namespaces.
3. When each of the other management agents is run, it adds the new entry to its connected directory.

After these tasks complete, TAMA enables you to administer all of your directories together.

You can also delete an object created by TAMA. For example, if you delete an object in a Human Resources connected directory, the corresponding object in the Active Directory directory service is also deleted (provided that you have configured it to be deleted when the corresponding entry in the connected directory is deleted).

Topic Objective: To explain the purpose of TAMA in managing enterprise identity.
Lead-in:
Delivery Tip: This graphic is a build-up graphic. The first slide illustrates how new objects are imported into the metaverse namespace through a management agent operating in Reflector mode. The second slide illustrates how TAMA performs multiple updates to the connector namespace. The third slide illustrates that the connected directories are updated the next time their associated management agents are run.
Note:


How TAMA Works
• TAMA Components
• Flat and Complex Resources
• TAMA Attributes
• The TAMA Process


TAMA is used primarily to manage multiple connector namespaces according to the defined TAMA resources and account profiles. TAMA functions by examining directory entries in the metaverse namespace. Each entry in the metaverse namespace can have one or more TAMA resources associated with it through a TAMA account profile. TAMA account profiles contain attributes that determine where new connectors should be created. Knowledge of TAMA resources and account profiles, and of how TAMA uses them, is essential for understanding the TAMA process.
Topic Objective: To introduce the topics related to how TAMA works.
Lead-in:


TAMA Components
• TAMA enables you to administer all connected directories together
• Resource: an object in the metadirectory that is associated with a particular management agent
• Account profile: an object in the metadirectory that contains one or more resources



When MMS is installed, a sample instance of TAMA, called the provisioning agent, is created. TAMA enables you to administer all connected directories together. TAMA acts globally, unlike other management agents, each of which manages a specific instance of a specific connected directory. TAMA examines directory entries in the metaverse namespace (or in a specified branch of the metaverse namespace) to determine whether those entries require corresponding entries in one or more connector namespaces under particular management agents. TAMA does this by determining whether any resources or account profiles apply to an object in the metaverse namespace.
• Resource. A resource is an object in the metadirectory that is associated with a single management agent. All resources have an object class of zcTaAccountResource. An attribute of the resource contains the distinguished name of its associated management agent. Other attributes of the resource indicate where in that management agent's connector namespace a connector entry should be created. This allows you to specify where in a connected directory the objects created by TAMA should be located.
You can define two types of resources: flat and complex. A flat resource specifies that the new connectors will be added immediately below the entry you specify; the entry and the connectors are all at the same level. A complex resource creates a hierarchy in the connector namespace. The complex resource allows you to define how much of the metaverse namespace structure you want to recreate in the connector namespace.
• Account profile. An account profile is an object in the metadirectory that contains one or more resources. Each entry in the metaverse namespace can have one or more resources associated with it through an account profile. An account profile has an object class of msMMS-ProvisioningProfile and is usually created in a folder called Together Administration. The account profile entry also has a multivalued attribute, called zcTaAccountResourceDNs, that lists the distinguished names of all resources associated with that account profile.
Topic Objective: To identify the TAMA components.
Lead-in:


Flat and Complex Resources
[Slide: two Resource Information dialogs. Fields: Object Class; Type of Resource (Flat or Complex); Resource Description; Management Agent (Select the MA); Location Under MA (Optional) (Select a location). The Complex dialog adds Tree Information: Metaverse Boundary Node and Maximum Number Of Levels. Flat: specifies that the new accounts will be added immediately below the entry you specify, all at the same level. Complex: creates a hierarchy in the connector namespace.]


A TAMA resource defines the hierarchical structure used to create objects in a connected directory. You create a TAMA resource to manage entry creation in the connector namespace of a management agent.

Using Flat Resources
You should use flat resources whenever possible. By defining several account profiles containing different flat resources for the same management agent, you can create new connectors in a complex hierarchy that already exists in the connector namespace. Flat resources create only leaf entries.
Flat resources create all entries in the same place. For example, you can initially put all new additions into a New Hires organizational unit in the connector namespace. To do this, you create one resource and put it in an account profile that is attached to an entry high enough in the directory tree to cause the resource to be applied to all of the relevant entries.
You can also create multiple flat resources for the same management agent, each specifying a different location for new connectors under that management agent. For example, an organization has several organizational units in the metaverse namespace, including Accounts Payable and Accounts Receivable. When new entries are created below these organizational units, either centrally or by another management agent, you need TAMA to add them to the corresponding Payable and Receivable organizational units under the Email management agent. In this scenario, each organizational unit in the metaverse namespace has an account profile that includes a flat resource record pointing to a corresponding container entry in the connector namespace. That corresponding container is not required to have the same name or the same object class as its metaverse namespace equivalent.
Topic Objective: To identify differences between flat and complex resources.
Lead-in:


Using Complex Resources
Although you should use flat resources whenever possible, you can use complex resources when you want to automatically recreate an entry's metaverse namespace hierarchy in a connector namespace. Because complex resources can create parent containers as well as leaf entries, the necessary parent entries do not have to already exist in the connector namespace.
When you use complex resources, you should always specify a metaverse namespace boundary node and select All Parents in Maximum Number of Levels for the number of parents to be counted. The metaverse namespace boundary node defines how much of the metaverse namespace tree structure you want to recreate in the connector namespace.
When processing a complex resource, TAMA first looks at the metaverse namespace hierarchy starting just below the boundary node you specify. Then, when it adds a connector to the connector namespace of the management agent, TAMA uses the number of parents you specify, counting down from the metaverse namespace boundary node.
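The following Python model is an added example, not MMS or TAMA code. It walks the three-step process from the Introduction together with the flat and complex resource rules above: metaverse entries, account profiles attached to nodes in the tree, and the connector-namespace DN each resource yields. All DNs and management agent names are constructed, and reading Maximum Number of Levels as the number of parents kept counting down from the boundary node is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Resource:
    ma: str                        # management agent this resource belongs to
    location: str                  # container in that MA's connector namespace
    complex: bool = False          # False = flat resource, True = complex resource
    boundary: str = ""             # metaverse boundary node (complex only)
    max_levels: Optional[int] = None  # None = "All Parents" (complex only)

def ancestors(dn: str) -> List[str]:
    # All containers above an LDAP-style DN, nearest first.
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(1, len(parts))]

def target_dn(entry_dn: str, res: Resource) -> str:
    """DN where TAMA would create the connector entry for entry_dn under res."""
    rdn, _, rest = entry_dn.partition(",")
    if not res.complex:
        # Flat resource: every leaf lands directly below the chosen location.
        return f"{rdn},{res.location}"
    # Complex resource: recreate the metaverse containers between the entry and
    # the boundary node; max_levels = parents kept from the boundary down (assumption).
    if rest != res.boundary and not rest.endswith("," + res.boundary):
        raise ValueError(f"{entry_dn} is not below boundary {res.boundary}")
    between = rest[: len(rest) - len(res.boundary)].rstrip(",")
    parents = between.split(",") if between else []
    if res.max_levels is not None and res.max_levels < len(parents):
        parents = parents[len(parents) - res.max_levels:]
    return ",".join([rdn, *parents, res.location])

def provision(metaverse: List[str], profiles: Dict[str, List[Resource]]) -> Dict[str, List[dict]]:
    """Apply each account profile to entries at or below the node it is attached to."""
    out: Dict[str, List[dict]] = {}
    for entry in metaverse:
        for node in [entry, *ancestors(entry)]:
            for res in profiles.get(node, []):
                out.setdefault(res.ma, []).append(
                    {"dn": target_dn(entry, res), "msMMS-ManagedByProfile": "TRUE"})
    return out

# Constructed sample: three HR-reflected metaverse entries and two account profiles.
METAVERSE = [
    "cn=alice,ou=ap,ou=finance,o=corp",
    "cn=bob,ou=ar,ou=finance,o=corp",
    "cn=carol,ou=it,o=corp",
]
PROFILES = {
    # Flat resource attached high in the tree: everyone goes to New Hires in AD.
    "o=corp": [Resource("AD MA", "ou=New Hires,dc=corp,dc=local")],
    # Complex resource on the Finance OU: rebuild AP/AR beneath the mail container.
    "ou=finance,o=corp": [Resource("Email MA", "ou=Finance,o=mail", complex=True,
                                   boundary="ou=finance,o=corp")],
}
```

Calling `provision(METAVERSE, PROFILES)` returns, per management agent, the connector entries TAMA would create, each already carrying msMMS-ManagedByProfile set to TRUE.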


TAMA Attributes
[Slide table]
TAMA Attribute: Description
msMMS-ManagedByProfile: Set to a value of TRUE for every connector entry that is created by TAMA, and for every existing connector entry that would normally be created by TAMA
msMMS-DisconnectorFlowScript: Specifies that attribute flow is to be performed for disconnectors that have not yet expired
msMMS-DisconnectionTime: Automatically updated when a connector namespace entry changes from a connector to a disconnector
msMMS-TimeToLive: Associated with an MA that is used in conjunction with the msMMS-DisconnectionTime attribute to calculate how long past disconnection time a disconnector should persist before being deleted.


An account profile contains attributes that determine where in the management agent's connector namespace new connectors should be created. The following table describes the attributes that are required to implement TAMA functionality in MMS.

TAMA Attribute: Description
msMMS-ManagedByProfile: This attribute is created and set to a value of TRUE for every connector entry that is created by TAMA, and for every existing connector entry that would normally be created by TAMA. If a disconnector exists, this attribute is not added. This attribute causes the management agent to treat the entry as if it were created by a Creator mode management agent.
msMMS-DisconnectorFlowScript: This attribute specifies that attribute flow will be performed for disconnectors that have not yet expired. It is implemented as a new attribute flow template to handle the flow of attributes from the connector namespace to the connected directory.

Topic Objective: To explain the purpose of the attributes involved in the TAMA process, and their function within the process.
Lead-in:


(continued)
TAMA Attribute: Description
msMMS-DisconnectionTime: This attribute is automatically updated when a connector namespace entry changes from a connector to a disconnector. The change from a connector to a disconnector occurs regardless of the management agent mode. If a management agent is operating in Creator mode, disconnectors are not automatically deleted.
msMMS-TimeToLive: This attribute is associated with a management agent and is used in conjunction with the msMMS-DisconnectionTime attribute to calculate how long past the disconnection time a disconnector should persist before being deleted. This attribute contains a numeric value representing a number of seconds. It can also be set on individual connector namespace records by using normal attribute flow. When set on an individual connector namespace entry, the specific value overrides the setting on the management agent. If the value is 0, the entry should be deleted immediately. If the value is -1, deletion should be deferred indefinitely. If the attribute does not exist, it is assumed to have a value of 0.
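The expiry rules in this table (a per-entry msMMS-TimeToLive overriding the management agent's value, 0 meaning delete immediately, -1 meaning defer indefinitely, a missing attribute meaning 0, and Creator mode agents never auto-deleting) written out as a small Python evaluator. This is an added example, not MMS code; the entry and MA dictionaries, their keys other than the msMMS-* attribute names, and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

def effective_ttl(entry: dict, ma: dict) -> int:
    """Per-entry msMMS-TimeToLive overrides the MA value; a missing attribute means 0."""
    if "msMMS-TimeToLive" in entry:
        return int(entry["msMMS-TimeToLive"])
    return int(ma.get("msMMS-TimeToLive", 0))

def disconnect(entry: dict, when: datetime) -> None:
    """Connector -> disconnector transition: stamps msMMS-DisconnectionTime."""
    entry["disconnector"] = True
    entry["msMMS-DisconnectionTime"] = when

def expires_at(entry: dict, ma: dict) -> Optional[datetime]:
    """When the disconnector should be deleted; None means never."""
    if not entry.get("disconnector"):
        return None                      # still a connector: nothing to expire
    if ma.get("mode") == "Creator":
        return None                      # Creator mode MAs do not auto-delete
    ttl = effective_ttl(entry, ma)
    if ttl == -1:
        return None                      # deletion deferred indefinitely
    return entry["msMMS-DisconnectionTime"] + timedelta(seconds=ttl)

def sweep(entries: List[dict], ma: dict, now: datetime) -> List[str]:
    """DNs of disconnectors whose time to live has run out at 'now'."""
    return [e["dn"] for e in entries
            if (exp := expires_at(e, ma)) is not None and now >= exp]

# Constructed sample data: one Reflector mode MA and one Creator mode MA,
# both with a one-day default time to live.
NOW = datetime(2000, 1, 10, 12, 0, tzinfo=timezone.utc)
REFLECTOR_MA = {"mode": "Reflector", "msMMS-TimeToLive": 86400}
CREATOR_MA = {"mode": "Creator", "msMMS-TimeToLive": 86400}

def sample_entries() -> List[dict]:
    alice = {"dn": "cn=alice,ou=mail,o=corp"}                        # MA default, 2 days old
    bob = {"dn": "cn=bob,ou=mail,o=corp"}                            # 1 hour old, not expired
    carol = {"dn": "cn=carol,ou=mail,o=corp", "msMMS-TimeToLive": -1}  # deferred forever
    dave = {"dn": "cn=dave,ou=mail,o=corp", "msMMS-TimeToLive": 0}     # delete immediately
    erin = {"dn": "cn=erin,ou=mail,o=corp"}                          # still a connector
    disconnect(alice, NOW - timedelta(days=2))
    disconnect(bob, NOW - timedelta(hours=1))
    disconnect(carol, NOW - timedelta(days=2))
    disconnect(dave, NOW)
    return [alice, bob, carol, dave, erin]
```

Running `sweep(sample_entries(), REFLECTOR_MA, NOW)` selects only alice and dave; the same entries under CREATOR_MA select nothing.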


