Sets dynamically updated from memberships of specific groups
Hi, I've seen several posts here explaining that referencing Groups from Sets is not allowed. I am currently running a large-enterprise FIM solution where I populate the MV and FIM portal from one authoritative AD. From FIM I need to provision user objects to several ADs based on specific group memberships in the authoritative AD. I've created all the bells and whistles to populate FIM from the authoritative AD and enabled provisioning to the other ADs using T-MPRs that provision based on the transitioning of specific groups. As Sets I've defined dynamically updated Sets based on the following XPath syntax:

/Person[ObjectID = /Group[ObjectID = '481b75f8-2745-4f85-b945-feca75618822']/ComputedMember]

where ObjectID is the ID of a specific group. This works like a charm. Then I created Sets that reference the Sets I defined above, so I have higher-level Sets that contain the user membership of several referenced Sets (thereby groups). In that way I can define high-level Sets aimed at controlling provisioning with several ADs. The higher-level Sets reference the lower-level ones using the Criteria Based Membership UI in the Set definition, with the following criteria:

Select users that match any of the following conditions:
Resource ID in <Name of lower level Set 1>
Resource ID in <Name of lower level Set 2>
Etc.

I defined T-MPRs that control the transition-in and transition-out and created workflows and synchronization rules accordingly. Everything works as expected. Now - my questions:
- I've seen in several places that referencing group objects from Sets using XPath statements is not supported, and even not possible after applying Update 1 for FIM 2010, is that correct?
- Will my Sets referencing Groups stop working if I apply Update 1 on my current FIM 2010 RTM based solution?
- Are there any known issues with referencing Groups from Sets, will it work even though not supported?
- Are there any alternative solutions for populating Sets with the membership of Groups (pre-existing, prepopulated)? Please explain in detail. Any info highly appreciated.

Cheers
Søren
November 26th, 2010 5:35pm

Soren - I'm surprised you (and some others it seems, going by various posts here) have actually managed to get this working at all because the FIM documentation clearly states here that this is not supported - http://technet.microsoft.com/en-us/library/ff356871(WS.10).aspx, specifically: Sets cannot reference the membership of Group resources. The following filter is not supported: /Person[Manager = /Group[ObjectID = ‘7CF6B5A3-01B2-45d3-8337-5EB521DDA08D’]/ComputedMember]. I have tried to do this previously and ran into this limitation ... the FIM implementation I was working on was using a custom activity to synchronise static set membership whenever static group membership changes occurred, and I thought there must be a more effective way of doing this ... obviously the FIM consultant who set up this custom activity knew of the limitation :). I have not attempted the above xpath since installing Update 1, but I am tempted to try again ... however, if the construct is unsupported I figure there is most likely a good reason for this (i.e. I would expect it would have to have been deliberately inhibited for this NOT to work). I did come across an MPR last week which I hadn't noticed before - the name of which escapes me at the moment, but I'll post it when I get back into work tomorrow - and this MPR seems to tighten up restrictions on set definitions made by administrators. I have temporarily disabled this MPR because a set definition that I had set up previously wasn't saving ... I guess I need to know why that is too. I am wondering if this same MPR is responsible for preventing the above set definition from working too? Just revisited this recent post: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/bbf28844-e6ed-4816-b5a2-6c85bd749c91 ... which credits the restriction to the applying of KB978864. Bob Bradley, www.unifysolutions.net (FIMBob?)
November 28th, 2010 7:36am

Thanks for your reply Bob. As I have worked a good deal with MIIS earlier, this is clearly a great disappointment for me, that working with groups hasn't improved much in terms of out-of-the-box functionality. Working with filtered provisioning based on group memberships has always been somewhat of a challenge, and this is such a basic use case of an Identity Management product. Using XPath principles for querying dynamically is such a great idea in FIM, but it seems that it is not implemented transparently. I could come up with several solution principles for circumventing this, i.e.:
- Custom workflow as you describe in your post (steep learning curve ahead!)
- "Classic" extension stuff that runs through groups and writes into a custom user attribute if a membership is detected (bad performance and issues with detecting deprovisioning).
- Some PowerShell thingy to shadow a group with explicit members to a Set with explicit members (might also perform poorly), and then use the shadowed Sets for T-MPR provisioning.
Any input regarding actual solutions would be of great value to me - anyone?

Cheers
Søren
November 28th, 2010 11:05am
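
The third option above (shadowing a Group's computed membership into a Set's explicit membership with PowerShell) is concrete enough to sketch. The script below is an added example for this thread, not code posted by Søren, Bob or Microsoft. It uses the FIMAutomation snap-in cmdlets Export-FIMConfig and Import-FIMConfig and the ImportObject/ImportChange types they consume; the service URI, the two ObjectIDs passed in, and the function names are assumptions for illustration. It reads the Group's ComputedMember, diffs it against the Set's ExplicitMember, and submits one Put request containing only the adds and deletes, so a scheduled run against an unchanged group costs a read and no write.

```powershell
# Added example (not from the thread): shadow a Group's ComputedMember into a
# Set's ExplicitMember so a T-MPR can key off the Set instead of the Group.
# Assumptions: the FIMAutomation snap-in is installed, the caller has an MPR
# granting Read on Group and Modify of ExplicitMember on Set, and the IDs
# passed in are placeholders for your own resource identifiers.
param(
    [Parameter(Mandatory = $true)][string]$GroupObjectID,  # hypothetical source Group GUID
    [Parameter(Mandatory = $true)][string]$SetObjectID,    # hypothetical target Set GUID
    [string]$Uri = "http://localhost:5725/ResourceManagementService"  # assumed service address
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Export a single resource by XPath filter and return its attributes as a hashtable.
function Get-FimResource([string]$Filter) {
    $exported = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $Filter)
    if ($exported.Count -eq 0) { throw "No resource matched filter: $Filter" }
    $attrs = @{}
    foreach ($a in $exported[0].ResourceManagementObject.ResourceManagementAttributes) {
        if ($a.IsMultiValue) { $attrs[$a.AttributeName] = @($a.Values) }
        else                 { $attrs[$a.AttributeName] = $a.Value }
    }
    return $attrs
}

# Reference attributes export as "urn:uuid:<guid>"; normalise to bare GUIDs and drop nulls
# so an empty group (no ComputedMember at all) yields an empty list rather than an error.
function Get-MemberGuids($Values) {
    return @($Values | Where-Object { $_ } | ForEach-Object { $_ -replace '^urn:uuid:', '' })
}

function New-MemberChange([string]$Member, $Operation) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = $Operation
    $c.AttributeName  = "ExplicitMember"
    $c.AttributeValue = $Member
    $c.FullyResolved  = $true
    $c.Locale         = "Invariant"
    return $c
}

$group = Get-FimResource "/Group[ObjectID='$GroupObjectID']"
$set   = Get-FimResource "/Set[ObjectID='$SetObjectID']"

$wanted  = Get-MemberGuids $group['ComputedMember']
$current = Get-MemberGuids $set['ExplicitMember']

# Delta: members the group has that the set lacks, and members the set has that left the group.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) {
    Write-Host "Set $SetObjectID already matches group $GroupObjectID."
    return
}

# One Put request carrying every add and delete, so the transition-in/out MPRs fire once.
$import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$import.ObjectType             = "Set"
$import.SourceObjectIdentifier = $SetObjectID
$import.TargetObjectIdentifier = $SetObjectID
$import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

$changes = @()
foreach ($m in $toAdd) {
    $changes += New-MemberChange $m ([Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add)
}
foreach ($m in $toRemove) {
    $changes += New-MemberChange $m ([Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete)
}
$import.Changes = $changes

$import | Import-FIMConfig -Uri $Uri
Write-Host ("Added {0}, removed {1} explicit member(s)." -f $toAdd.Count, $toRemove.Count)
```

Two practitioner caveats. First, this is polling, so a membership change only reaches the Set on the next scheduled run; size the schedule to the latency your provisioning T-MPRs can tolerate. Second, the account running the script is effectively able to put anyone into a provisioning-controlling Set, so grant it Modify on ExplicitMember for the shadow Sets only (a dedicated MPR scoped to a Set of shadow Sets), not Administrator membership, and keep the request log for those Sets in your review.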

I empathise, as I too come from a long MIIS/ILM background, and right now I'm struggling with an XPath statement that I believe ought to be supported but isn't (one of those which works fine in a search scope but isn't allowed in either a set or a group). The name of the MPR which I temporarily disabled last week is "General workflow: Filter attribute validation for administrator" (there's another for non-administrators, but that's not a concern for me right now). At the time I was thinking this must be something new, but of course it's always been there ... we have been maintaining filter permission objects for our custom schema extensions from the beginning, and this is just the mechanism that FIM uses to apply these permissions (uses an activity called "Administrator Filter Permission" called from a workflow "Filter Validation Workflow for Administrators"). So this was a red herring ... back to my own challenge of working out a solution within the confines of supported XPath ...

Bob Bradley, www.unifysolutions.net (FIMBob?)
November 28th, 2010 9:01pm

Not that it really helps to ease your pain; however, here is something that works at least for ILM. I'm wondering if there is a practical solution to move the memberOf calculation magic in form of a workflow into FIM... Cheers, Markus

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 28th, 2010 9:13pm

Soren - did you end up solving your problem? I am working on a generic ECMA idea which synthesizes and syncs a memberOf attribute of Person based on the group.member collection in the metaverse. Trying to work out if there's a demand for this ...

Bob Bradley, www.unifysolutions.net (FIMBob?)
June 17th, 2011 12:24pm
