Modify set xpath query request failed with multi-value reference attribute
I have a custom multivalue reference attribute on my User schema (call it UserFolders) which contains a subset of UniqueIdentifiers which are the keys for a custom object - call it "UserFolder". The schema of the UserFolder object contains a FolderID and a UserID (foreign keys). I need to define a group of all the users who are linked to folders by the presence of a UserFolder object. A search scope that would return the set of users for a specific folder would look like this (and I wouldn't need to use the UserFolders attribute at all):

    /Person[ObjectID = /UserFolder[FolderID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx']/UserID]

However, going by the rules stated in the Unsupported filter definitions section of the FIM documentation, I always knew that "Multiple location steps are not supported, except when referencing the membership of a set". So looking at this differently, consider the following alternative using the UserFolders attribute bound to the User:

    /Person[UserFolders = /UserFolder[FolderID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx']]

Now both the queries above return the same results in a search scope, and option #1 is known to be unsupported, but I can't find a reason anywhere why option #2 either wouldn't work (it doesn't for me) nor wouldn't be supported. Can someone please confirm that the above query (in bold) should work and is supported (or otherwise)? I don't want to have to resort to creating sets for every variation of

    /UserFolders[FolderID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')]

that I'm going to have because that will bloat the FIM db, but at this stage it's the only way I can get the group criteria working, i.e.

    /Person[UserFolders = /Set[ObjectID='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx']/ComputedMember]

Thanks in advance.

Bob Bradley, www.unifysolutions.net (FIMBob?)
November 29th, 2010 7:02pm

Bob, I guess the answer to your question is the 'Administrator Filter Permission' set (or non-Administrator) which also defines Allowed Membership references. Play with adding the UserFolder attribute to this set or create something like 'All Groups and Sets'. I have a custom object called 'Role' and a multi-value attribute 'Owner' (standard FIM schema) which points to all role owners. So the following query:

    /Person[ObjectID = /Role[RoleName = 'test']/Owner]

works perfect and returns all users who are listed as role owners.
November 30th, 2010 2:51am

Good to know ... I thought I'd used this sort of filter definition before, and I've already been down the filter permissions path ... but you give me renewed hope!

Bob Bradley, www.unifysolutions.net (FIMBob?)
November 30th, 2010 2:55am

Just tried a reverse request to find all Roles a person owns:

    /Role[Owner= /Person[DisplayName='utest']]

works perfect. Try to use 'Owner' instead of UserID for Folders. It's also a multivalued attribute.
November 30th, 2010 3:10am

I just tried this:

    /Group[Owner=/Person[DisplayName='Administrator']]

Search Scope returns 1 group record ... but I get a "Request Failed" when I try to save it as a group. We're talking vanilla attributes/objects above ... so I can only imagine it's the FIM version ... I'm using FIM Version 4.0.3561.2 ... are you?

Bob Bradley, www.unifysolutions.net (FIMBob?)
November 30th, 2010 3:45am

Understood. I'm using this query for the 'My Roles' link in the NavBar only; will check it with dynamic group membership and return, but I don't think it should work.
November 30th, 2010 4:02am

As I thought, it wouldn't work: it fails to create such a filter for a group using the advanced edit form:

    Microsoft.ResourceManagement.Service: System.InvalidOperationException: Operation is not valid due to the current state of the object.
    at Microsoft.ResourceManagement.FilterEvaluation.Language.Statement.CreateDereferencedValue(QueryFilter query, AttributeSchema dereferencedAttribute, Time time)

Looking into the code:

    private static DereferencedValue CreateDereferencedValue(QueryFilter query, AttributeSchema dereferencedAttribute, Time time)
    {
        // Only a membership attribute, or a query that is a stored-set filter, may be dereferenced
        if (!dereferencedAttribute.IsMembershipAttribute && !(query is StoredSetFilter))
        {
            throw LoggingManager.Instance.ReportError(new InvalidOperationException());
        }
        return DereferencedValue.Create(query, dereferencedAttribute, time);
    }

and

    public bool IsMembershipAttribute
    {
        get
        {
            if (!this.IsComputedMembershipAttribute)
            {
                return this.IsExplicitMembershipAttribute;
            }
            return true;
        }
    }

and

    public bool IsExplicitMembershipAttribute
    {
        get
        {
            return this.Name.Equals("ExplicitMember", StringComparison.OrdinalIgnoreCase);
        }
    }

and finally

    public bool IsComputedMembershipAttribute
    {
        get
        {
            return this.Name.Equals("ComputedMember", StringComparison.OrdinalIgnoreCase);
        }
    }

we'll see that the XPath filter will accept either a Set or the ExplicitMember/ComputedMember attributes. So you'll have to create a shadow set for each group, or (as I have done) have part of the membership and groups calculated in an external SQL table with triggers and stored procedures.
November 30th, 2010 5:08am
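As an added example, not code from this thread or from FIM itself, the following Python script applies the rule that the decompiled CreateDereferencedValue check above expresses to the filter strings used in this thread: a nested query inside a predicate is accepted only when the dereferenced attribute is ExplicitMember/ComputedMember or the inner query is a stored-set lookup. The regular-expression grammar, the assumption that a nested query with no trailing attribute step dereferences ObjectID, and the assumption that StoredSetFilter means a /Set[ObjectID='...'] lookup are mine; the script models the group/set filter-definition check, not search-scope evaluation, which the thread shows accepts these queries.

```python
import re

# Membership attribute names, taken from the IsExplicitMembershipAttribute /
# IsComputedMembershipAttribute properties quoted in the thread.
MEMBERSHIP_ATTRIBUTES = {"explicitmember", "computedmember"}

# One nested query on the right-hand side of a comparison inside a predicate:
#   = /Type[ predicate ]/DerefAttr      (the trailing /DerefAttr step is optional)
# This grammar is an assumption; it handles one level of nesting, as in the thread.
NESTED_QUERY = re.compile(
    r"=\s*/(?P<type>\w+)\[(?P<pred>[^\[\]]*)\](?:/(?P<attr>\w+))?"
)

# Assumption: the StoredSetFilter case in the decompiled check corresponds to
# an inner query that looks up a single Set by ObjectID.
STORED_SET_PREDICATE = re.compile(r"\s*ObjectID\s*=\s*'[^']*'\s*", re.IGNORECASE)


def is_stored_set_filter(query_type, predicate):
    """True when the inner query looks up one Set by ObjectID (assumed StoredSetFilter)."""
    return query_type.lower() == "set" and STORED_SET_PREDICATE.fullmatch(predicate) is not None


def dereference_is_supported(query_type, predicate, deref_attr):
    """Mirror the condition in CreateDereferencedValue quoted in the thread:
    accept when the dereferenced attribute is ExplicitMember/ComputedMember,
    or when the inner query is a stored-set filter; otherwise the service throws."""
    # Assumption: a nested query with no trailing attribute step dereferences ObjectID.
    attr = (deref_attr or "ObjectID").lower()
    if attr in MEMBERSHIP_ATTRIBUTES:
        return True
    return is_stored_set_filter(query_type, predicate)


def check_filter(xpath):
    """Return one (nested_query_text, supported) tuple per dereference found."""
    results = []
    for m in NESTED_QUERY.finditer(xpath):
        nested = m.group(0)[m.group(0).index("/"):]  # drop the leading "= "
        ok = dereference_is_supported(m.group("type"), m.group("pred"), m.group("attr"))
        results.append((nested, ok))
    return results


def filter_is_supported(xpath):
    """True when every dereference in the filter passes the membership/set rule
    (a filter with no nested query has nothing to dereference and passes)."""
    return all(ok for _, ok in check_filter(xpath))


if __name__ == "__main__":
    # Constructed sample filters, copied from the forms used in the thread.
    SAMPLES = [
        "/Person[ObjectID = /UserFolder[FolderID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx']/UserID]",
        "/Person[UserFolders = /UserFolder[FolderID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx']]",
        "/Person[UserFolders = /Set[ObjectID='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx']/ComputedMember]",
        "/Person[ObjectID = /Role[RoleName = 'test']/Owner]",
        "/Group[Owner=/Person[DisplayName='Administrator']]",
    ]
    for sample in SAMPLES:
        print("accepted" if filter_is_supported(sample) else "rejected", sample)
```

Only the shadow-set form (/Set[ObjectID='...']/ComputedMember) comes out as accepted, which matches the thread's conclusion that a group filter can dereference either a Set or the two membership attributes and nothing else.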

I just thought that there's another solution to get security groups for your UserFolders filled with users. I have this in my production - your UserFolder is almost the same as my Role. So I have a Role object in FIM linked to a Role object in the MV. Then I have another AD MA to manage roles only. I have a FIM outbound sync rule that maps the MV Role to an AD MA Group, so all roles have corresponding groups in AD. You can flow membership from the FIM UserFolder (Role) to the MV Role and then to the AD MA Group. There's also another AD MA (the second one) that imports groups from AD to the MV as groups and further to FIM as groups. Same with membership - you can flow it from FIM to AD with both MAs - as roles (userfolders) and as groups (to have the Outlook plugin do its work). I have 2 AD MAs for the same domain, same OUs - no problems at all. The only exception I have is membership taken from an external SQL table.
November 30th, 2010 2:01pm

I see - I thought about doing something similar with sets in FIM instead of "roles" but I think that might break something. As it turns out in this case the authoritative source is FIM ... so you're saying flow your role objects in FIM out as group objects then back into FIM as groups ... interesting! Opted in my case to go with a mix of explicit and dynamic membership for now, but I'll be sure to keep this approach in mind. Thanks!

Bob Bradley, www.unifysolutions.net (FIMBob?)
November 30th, 2010 5:27pm

The only actual reason for having such a funky setup is that not every role has to have an AD group and not every AD group is a role :) Moreover, when you need to have a dynamic group, something like 'All users having access to Brisbane file servers', you'll have to either write a FIM WF activity to go through all UserFolders and collect their membership into one group, or use a simple stored procedure doing the same thing against a SQL table... and finally I had to go with roles as I hit a Kerberos token size limit for some users having too many groups assigned.
December 1st, 2010 2:44am
