How to move user out of one group based on some value (like expiration date)?
Hi all, May I know how to move user out of one group based on some value (like expiration date)? For example: UserA is a contractor of the companyA. He is in a group called "Vender Internet Access" which allows him to access Internet via ISA. UserA has an expiration date such as "30 days". After 30 days he joined the group, he should be moved out of this group. Any sample for the time-based set and workflow? Thanks!
November 22nd, 2010 2:36am

The key to being able to do this is being able to store a date value against each individual group membership such that a set can be calculated to give the members that have expired and need to have their membership revoked. The default group and user objects alone (with the group's member attribute containing a set of references to user objects) does not support this requirement. What you need to have is a way of recording a relationship between a group and a user, and assigning additional properties to this relationship ... in this case the simplest piece of info to store is the expiry date (the default created date will give you the date the membership was added).

Here's what I did to achieve exactly this (only the names have been changed to protect the innocent!):

1. Created a new schema object UserGroup, with additional attributes UserID (reference of user in membership), GroupID (reference to group) and ExpiryDate (calculated as x days after the user was added to the group ... in your case I presume this is recorded in a custom user attribute ... although this could be stored elsewhere if necessary)
2. Created a custom workflow action activity to create/delete instances of the UserGroup object class, and sets the ExpiryDate based on a simple date calculation performed as part of that activity when invoked in a "create mode"
3. Created a custom workflow activity to remove users from group membership
4. Created an action workflow incorporating an instance of the above activity (create mode)
5. Created an action workflow incorporating an instance of the above activity (delete mode)
6. Created an action workflow incorporating an instance of activity to remove a user from a group
7. Created an MPR (request based) to invoke the create mode action workflow whenever references were added to any group's ExplicitMember attribute
8. Created a set as follows: Select UserResource that match all of the following conditions: ExpiryDate after 1 day ago
9. Created an MPR (set transition IN) to invoke the group member removal workflow for the corresponding group/member defined in an expiring UserGroup instance (transitions into the above set definition), followed by an instance of the delete mode action workflow for that same UserGroup instance

There's a bit to it I know, and in my case I was able to reuse some generic FIM CRUD (create/read/update/delete) activities I've developed which meant that there wasn't any additional C# work required once I had these activities nailed. I think this sort of thing, once mastered, adds enormous value to any FIM implementation - and I can see no reason why it couldn't be made totally generic and part of a future FIM release :).
Bob Bradley, www.unifysolutions.net (FIMBob?)
December 11th, 2010 10:16am

How about using temporal Sets? The expiration date (now - 30 days) is known. In this case, you could simply work with an attribute value - e.g.: X=1 and use this in a criteria based group. New users must have X=1 and become members of the group that way. You can use the transition out of temporal Set trigger to set X = 0, which will take the object out of the group. That way, there is no need for any custom workflow (coding) and you don't need to store a date. Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 12th, 2010 8:27am

Yep ... know you can do that, and you will note that my solution is also using a temporal set Markus :). The difference here is that I read into the question that the retention period varies from user to user - i.e. is not constant for the group. Hence the expiration date isn't associated with either the user or the group ... so you need somewhere else to store it. If the group always has the same retention period then your option works fine.
Bob Bradley, www.unifysolutions.net (FIMBob?)
December 12th, 2010 5:37pm
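A worked version of the two set designs discussed in this thread, as an added example (not code from either poster): a helper that creates a temporal Set in the FIM Service through the FIMAutomation snap-in, called once for Markus's fixed 30-day window and once for Bob's expired UserGroup relationships. The helper name, the display names, the Temporal attribute handling, the attribute X being integer-valued and CreatedTime standing in for the membership date are assumptions.

```powershell
# Added example (not code from the thread): creates a temporal Set in the FIM Service
# via the FIMAutomation snap-in. X, UserGroup and ExpiryDate come from the posts above;
# the helper, the display names and the use of CreatedTime as the join date are assumptions.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function New-FimTemporalSet {
    param(
        [Parameter(Mandatory=$true)] [string] $DisplayName,
        [Parameter(Mandatory=$true)] [string] $XPath,
        [string] $Uri = 'http://localhost:5725'
    )
    # Filter is stored as an XML wrapper around the XPath, so '<' and '>' must be escaped.
    $filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
              'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
              'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
              'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
              [System.Security.SecurityElement]::Escape($XPath) + '</Filter>'

    $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $obj.ObjectType = 'Set'
    $obj.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $obj.TargetObjectIdentifier = $obj.SourceObjectIdentifier
    $obj.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create

    # Temporal = True makes the FIM Service re-evaluate membership as time passes (assumed attribute form).
    $attrs = @{ DisplayName = $DisplayName; Filter = $filter; Temporal = 'True' }
    foreach ($name in $attrs.Keys) {
        $chg = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $chg.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
        $chg.AttributeName = $name
        $chg.AttributeValue = $attrs[$name]
        $chg.FullyResolved = $true
        $chg.Locale = 'Invariant'
        $obj.Changes += $chg
    }
    $obj | Import-FIMConfig -Uri $Uri
}

# Markus's design: users still inside a fixed 30-day window. A transition-OUT MPR on this
# set runs the workflow that sets X back to 0, which drops them from the criteria-based group.
New-FimTemporalSet -DisplayName 'Vendor Internet Access - within 30-day window' -XPath (
    "/Person[X = 1 and CreatedTime >= " +
    "op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P30D'))]")

# Bob's design: UserGroup relationship objects whose own ExpiryDate has passed, so retention
# can differ per user. A transition-IN MPR runs the member-removal workflow, then the delete-mode one.
New-FimTemporalSet -DisplayName 'Vendor Internet Access - expired memberships' `
    -XPath '/UserGroup[ExpiryDate <= fn:current-dateTime()]'
```

Run it as a FIM administrator against the FIM Service; the second call only succeeds once the UserGroup object type and its ExpiryDate attribute exist in the schema.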

