ActorID for built-in FIM function evaluator - how to impersonate a user?
Hi, one more crazy question: as we know, all FIM WF activities run under the FIM Service account, which is fine unless you have an MPR set to trigger other actions on an attribute change. So, the MPR is not triggered even if requestors are set to 'All People', which seems to exclude the FIM Service account from the list of users. Switching to a custom UpdateAttributeActivity (yes, thanks to Ensynch for their prototype), which sets ActorId to zeros and acts under the user id, solves the problem, but I feel that there must be another way to use the built-in FIM function evaluator and trigger an MPR then... Any ideas on which set to use for requestors, or how to do user impersonation?
November 25th, 2010 10:52am

Hi Evgeniy! You can set whatever resource you like as requestor by setting the ActorID in the parent workflow (in the XOML), and that means any resource, even groups, RCDCs or custom resources. The ActorID is inherited from the parent workflow into the function activity (and any other activity). Setting an ActorID to only zeros will end up being the FIM Service account performing the request. If you wish to have dynamic impersonation, I guess you'll have to use a custom activity that looks up and sets the ActorID on the parent workflow at runtime; this should work (haven't tested), since the ActorID inheritance usually doesn't take place until execution of the following activities. http://msdn.microsoft.com/en-us/library/microsoft.resourcemanagement.workflow.activities.sequentialworkflow.actorid.aspx //Henrik
Edit: For activities that expose an ActorID themselves, inheritance only works if you haven't explicitly specified it on the activity.
Henrik Nilsson, ILM/FIM MVP Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
November 25th, 2010 11:53am

Henrik, I have no problems with custom activities that inherit the requestor id from the parent WF. That's all fine. What I mean... somewhere inside the Action stage of my workflow I need to recalculate a string attribute as a concatenation of 2 other attributes. I can use either the built-in FIM function evaluator for this or my own activity that will finally raise an UpdateResource request. Looking into the logs, I was really surprised that my own custom activity inherits ActorID from its parent (as I wanted), and there's another request in the logs to update only this attribute. The requestor is the right person, and all MPRs watching for this attribute's changes work fine. But if I use the FIM function evaluator (just for fun), it will _not_ inherit the original ActorID from the parent workflow, so 'FIM Service Account' will be in the logs updating this attribute and no MPRs are triggered. The only goal for this exercise is that all those FIM WF activities are so slow, so I thought that the built-in function evaluator may be a little bit faster than mine.
November 25th, 2010 2:17pm


For the purpose you are trying to use the function activity for, maybe you want to take a look at ResolveGrammarActivity - http://msdn.microsoft.com/en-us/library/microsoft.resourcemanagement.workflow.activities.resolvegrammaractivity.aspx. However, please note that (...) "This API is for FIM internal use and is currently not supported." (...). But it can be used to build expression evaluators such as the one you are trying to build.
November 25th, 2010 4:35pm


Hi! I'm sorry, but I took a deeper look into the function evaluator yesterday before I first answered your question, and it actually looked like it would inherit the workflow ActorID. Now that you say it doesn't, I had another look, and it turns out 'E05D1F1B-3D5E-4014-BAA6-94DEE7D68C89' (FIM Service Account) is hardcoded into the function activity when doing the update, and that might not be the perfect solution. For some reason the inherited ActorID is used when resolving expressions but, as I said above, not when performing an update. Therefore you'll have to fall back on a custom activity/workflow (UpdateResource activity) if you wish to impersonate your updates. You won't gain anything by using the function activity compared to an UpdateResource activity, since it's using the same underlying data access layer. //Henrik
Henrik Nilsson, ILM/FIM MVP Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
November 26th, 2010 3:00am
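The fallback Henrik describes, as an added example that is not code from this thread, from Microsoft or from the Ensynch prototype: a custom FIM 2010 composite activity that concatenates two string attributes of the workflow target and writes the result through an UpdateResourceActivity whose ActorId is copied from the parent SequentialWorkflow, so the child Update request is logged under the original requestor and set-transition/attribute-change MPRs that exclude the FIM Service account can fire. The activity, namespace and the attribute/property names (FirstAttribute, SecondAttribute, TargetAttribute, Separator) are hypothetical; only the FIM activity types and the Workflow Foundation base classes are real. It is a workflow assembly, so it has to be compiled against the FIM assemblies and registered as an activity information configuration resource; it cannot be run stand-alone.

```csharp
using System;
using System.Workflow.Activities;
using System.Workflow.ComponentModel;
using Microsoft.ResourceManagement.WebServices.WSResourceManagement;
using Microsoft.ResourceManagement.Workflow.Activities;
using Microsoft.ResourceManagement.WorkflowActivities;

namespace Example.Fim.Activities   // hypothetical namespace
{
    // Added example (hypothetical type). Reads two attributes of the workflow target,
    // concatenates them and updates a third attribute as the ORIGINAL requestor,
    // not as the FIM Service account.
    public class ConcatenateAttributesActivity : SequenceActivity
    {
        // Illustrative attribute names; in a real deployment they are set from the XOML.
        public string FirstAttribute { get; set; }   // e.g. "FirstName"
        public string SecondAttribute { get; set; }  // e.g. "LastName"
        public string TargetAttribute { get; set; }  // e.g. "DisplayName"
        public string Separator { get; set; }

        private readonly CodeActivity prepareRead = new CodeActivity();
        private readonly ReadResourceActivity readTarget = new ReadResourceActivity();
        private readonly CodeActivity prepareUpdate = new CodeActivity();
        private readonly UpdateResourceActivity updateTarget = new UpdateResourceActivity();

        public ConcatenateAttributesActivity()
        {
            Separator = " ";
            prepareRead.Name = "prepareRead";
            prepareRead.ExecuteCode += PrepareRead;
            readTarget.Name = "readTarget";
            prepareUpdate.Name = "prepareUpdate";
            prepareUpdate.ExecuteCode += PrepareUpdate;
            updateTarget.Name = "updateTarget";

            // WF executes the children of a SequenceActivity in order, so each
            // CodeActivity can configure the FIM activity that follows it.
            Activities.Add(prepareRead);
            Activities.Add(readTarget);
            Activities.Add(prepareUpdate);
            Activities.Add(updateTarget);
        }

        private SequentialWorkflow ParentWorkflow()
        {
            SequentialWorkflow parent;
            if (!SequentialWorkflow.TryGetContainingWorkflow(this, out parent))
                throw new InvalidOperationException("Must run inside a FIM SequentialWorkflow.");
            return parent;
        }

        private void PrepareRead(object sender, EventArgs e)
        {
            SequentialWorkflow parent = ParentWorkflow();
            readTarget.ActorId = parent.ActorId;     // read as the requestor as well
            readTarget.ResourceId = parent.TargetId; // the resource the request targets
            readTarget.SelectionAttributes = new[] { FirstAttribute, SecondAttribute };
        }

        private void PrepareUpdate(object sender, EventArgs e)
        {
            SequentialWorkflow parent = ParentWorkflow();
            ResourceType target = readTarget.Resource;
            string value = string.Concat(
                target[FirstAttribute] as string, Separator,
                target[SecondAttribute] as string).Trim();

            // Copy the parent's ActorId so the child Update request carries the original
            // requestor. Leaving ActorId unset inherits it too (see Henrik's note), while
            // Guid.Empty makes the request run as the FIM Service account, which is
            // exactly what stops the MPRs from firing.
            updateTarget.ActorId = parent.ActorId;
            updateTarget.ResourceId = parent.TargetId;
            updateTarget.ApplyAuthorizationPolicy = false;
            updateTarget.UpdateParameters = new[]
            {
                new UpdateRequestParameter(TargetAttribute, UpdateMode.Modify, value)
            };
        }
    }
}
```

One caveat before deploying something like this: once the child request is attributed to a user instead of the FIM Service account, FIM evaluates that request as that user, so a grant MPR must give the requestor modify rights on the target attribute or the child request is denied. ApplyAuthorizationPolicy = false only skips the authorization workflows of the child request; it does not skip the permission check. Check the Request history in the portal for the child Update request and confirm both that its Requestor is the expected user and that it reaches Completed.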


That's really strange to have this ActorID hardcoded in the function evaluator... anyway, thanks for the reply.
November 26th, 2010 3:38am

This topic is archived. No further replies will be accepted.
