Options for Assigning Group Membership in FIM from an HR SQL Feed
First read: Intro to User and Group Management. Then read Design Concepts for Reference Attributes. Then you will understand how to take additional Data from HR and bring it in and flow it out to groups. This will require a multi-valued table in your database referencing the members of the groups.

David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html
March 12th, 2011 5:53am

We have an HR SQL feed set up as an authoritative source to provision new users to FIM and AD as well as provide updates to existing user HR authoritative attributes. We would also like to send through names of managed groups in the feed that the user should be added to either during initial provisioning or during subsequent changes. I'm thinking this could be done in a custom activity that would execute in an Action workflow after the commit phase for provisioning the user to FIM. Are there other and/or better options for automating this through FIM?

Steve
March 12th, 2011 6:44am

I just now had time to read through both these documents, my apologies. The first document describes how to flow data from HR and automatically flow it out to FIM Criteria Based Groups. The scenario with the client is where they have less than 40 CBGs and over 1000 manually managed groups. I already have the FIM system configured in production for distribution lists and security groups of either type and bi-directional flow set up where I can add a person to a group in FIM and update AD or add a new member to the group in AD and sync it back to FIM. While complex, it works fine. The Criteria Based Groups are also updating automatically based on the HR authoritative attribute updates.

The question I had was if I also wanted to flow through something like the display names of additional manually managed groups through a multi-valued attribute in the HR feed, would there be an easy way to update the member references on the group objects in FIM and have that flow out as updates to the corresponding AD groups during synchronization? I'm thinking not, since the request to add the new user would first need to get past the Commit phase of the FIM processing, and then process any group updates. Therefore, if this is done through FIM, I would expect to have to process manually managed group updates from an HR feed in a custom workflow activity which is processed after any new users are committed to the system.

However, since I have bi-directional updates working for groups loaded in FIM from either AD or the FIM portal, it may be a simpler design to just update the groups directly in AD from the HR portal and sync them back to FIM, rather than using a custom activity to send group updates to FIM and sync them back out to AD.
March 21st, 2011 5:00am

This topic is archived. No further replies will be accepted.
