A set for groups with single owner
Can I create a set for all security groups that have only one value in the owner field?
July 20th, 2010 10:29pm

I can't think of a crafty XPath to return that answer. It might be easier to create an OwnerCount attribute that you populate by counting the Owners, in which case your Set criteria becomes simple but you have to figure out how to populate the new attribute.
CraigMartin Edgile, Inc. http://identitytrench.com
July 20th, 2010 11:06pm

I cannot think of a way to make that happen. In XPath 1.0 you can do things like /Groups/Owner[2] but such a path is not valid in the XPath Set filters in FIM. If you are just trying to see a list of these groups as opposed to granting permissions to them, you can run a query using the PowerShell client to show you all of the security groups and to show you the owner and the displayname. Then you can eyeball it.
David Lundell www.ilmBestPractices.com
July 20th, 2010 11:24pm
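
The PowerShell-client report suggested in the reply above, sketched as an added example that is not part of the original thread and is not any poster's code. It assumes the export object shape of the FIMAutomation snap-in (ResourceManagementObject.ResourceManagementAttributes with AttributeName, IsMultiValue, Value and Values); the function names, the sample groups, the endpoint URL and the Type='Security' filter are assumptions.

```powershell
# Added example (not from the thread). Function names and sample data are hypothetical.
function Get-GroupOwnerCount {
    param([Parameter(ValueFromPipeline = $true)] $ExportObject)
    process {
        $attrs = $ExportObject.ResourceManagementObject.ResourceManagementAttributes
        $name  = ($attrs | Where-Object { $_.AttributeName -eq 'DisplayName' }).Value
        $owner = $attrs | Where-Object { $_.AttributeName -eq 'Owner' }
        # An attribute with no values is assumed to be absent from the export: missing means 0.
        $count = 0
        if ($owner) {
            if ($owner.IsMultiValue) { $count = @($owner.Values).Count }
            elseif ($owner.Value)    { $count = 1 }
        }
        New-Object PSObject -Property @{ DisplayName = $name; OwnerCount = $count }
    }
}

# Constructed stand-in for one exported group, mimicking the assumed export object shape.
function New-SampleGroup([string]$Name, [string[]]$Owners) {
    $attrs = @(New-Object PSObject -Property @{
        AttributeName = 'DisplayName'; IsMultiValue = $false; Value = $Name; Values = @() })
    if ($Owners.Count -gt 0) {
        $attrs += New-Object PSObject -Property @{
            AttributeName = 'Owner'; IsMultiValue = $true; Value = $null; Values = $Owners }
    }
    $rmo = New-Object PSObject -Property @{ ResourceManagementAttributes = $attrs }
    New-Object PSObject -Property @{ ResourceManagementObject = $rmo }
}

# Constructed sample data: two owners, one owner, no owner.
$sample = @(
    (New-SampleGroup 'SG-Finance' @('urn:uuid:owner-a', 'urn:uuid:owner-b')),
    (New-SampleGroup 'SG-Payroll' @('urn:uuid:owner-a')),
    (New-SampleGroup 'SG-Orphaned')
)

# Report every group with fewer than two owners.
$sample | Get-GroupOwnerCount | Where-Object { $_.OwnerCount -lt 2 } |
    Format-Table DisplayName, OwnerCount -AutoSize

# Against a live FIM Service (endpoint URL and Type filter are assumptions):
# Add-PSSnapin FIMAutomation
# Export-FIMConfig -Uri 'http://localhost:5725/ResourceManagementService' `
#     -CustomConfig "/Group[Type='Security']" -OnlyBaseResources |
#     Get-GroupOwnerCount | Where-Object { $_.OwnerCount -lt 2 }
```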

Thank you for the response. A count of the owners will work the best for my scenario. However I do not have a way to count the owners in the multivalue reference attribute "owner" of a group. Any suggestions on how to do that?
July 21st, 2010 4:22pm

Both David and Craig are correct. The FIM xpath filter dialect does not support checking the count of the number of values for a given attribute. Both Craig and David provided good suggestions depending on what the purpose of your scenario is. Thanks, Nima
July 21st, 2010 7:40pm

Hi Neelima, can you please elaborate on what your scenario is? Are you trying to define permissions based on this data, or a report perhaps?
July 21st, 2010 7:44pm

The business requirement is to make sure there are 2 owners for sec. groups at any given time. So I am trying to check there are 2 values in it during group creation and also need to be able to create a report of all groups with single owners so we can notify them when the second owner is invalid (left the company etc.).
July 23rd, 2010 5:47pm

/Group[Owner=/Person[EmployeeStatus='InActive']]
This will show you which groups have an owner who is InActive, which seems to at least solve part of your problem.
David Lundell www.ilmBestPractices.com
July 23rd, 2010 8:12pm

Thank you David. Yes that does help resolve the second part of my requirement. In the first response, you had suggested populating an attribute by counting owners... can you expand on how I can count the owners?
July 26th, 2010 4:40am

You are welcome. As for counting, that was a suggestion from my good and talented friend Craig, and I have been wondering the same thing.
David Lundell www.ilmBestPractices.com
July 26th, 2010 7:10am

Nothing like a good compliment to start a Monday morning, thanks David! I finished the other post with "but you have to figure out how to populate the new attribute."
My first approach would be to put an MPR on the Group's Owner attribute that would call an Action WF. The Action WF would then use the FIM WF Activities to:
1. count the owners
2. update the 'OwnerCount' attribute with the number of owners
If the group ownership came from some other system, and you did not allow it to be modified by the FIM Service then you could entertain another approach, whereby you use the Sync Service and a scripted rule. Again, this is only a valid approach if the Group owner attribute is not modified by the FIM Service.
CraigMartin – Edgile, Inc. – http://identitytrench.com
July 26th, 2010 9:00pm

Craig, MPR and WF activity was exactly where I started 2 weeks ago. While I can get individual owners in the list using the below syntax
Word(Owner+"",1,";")
Word(Owner+"",2,";")
This works as long as there is a value, but if there is only one owner and no value for the second attribute, I am not able to identify that by comparing it to Null. I get a System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. That is where I am stuck, and why I started this thread to get input from all you experts.
July 27th, 2010 3:55pm

This topic is archived. No further replies will be accepted.
