User Creation and Assigning rights to applications
I am trying to determine the best way to assign rights to applications at user creation time using FIM RC1. Is it possible to have a tick box in the User Creation page that effectively places a user in a group? In addition to this, the tick box would need to be populated based on group membership when viewed in the user editing or viewing screen.
Thanks,
Matthew
October 29th, 2009 4:32am

Hi Matthew,
Have you considered using dynamic groups for this purpose? The flow of action will be something like:
1) Create a dynamic group based on user properties, like all users whose costcenter is 'X'
2) Create a user with the costcenter attribute
3) After the user is created, it will become a member of the group by virtue of the filter used.
If you want the tick box option, I think eventually you would have to write a custom activity to add the user to the group and use that activity for user creation.
Thanks,
Sri
October 29th, 2009 6:00am

Yes, I had considered dynamic groups, but that option seems a bit convoluted to me as you're assigning rights based on attribute values on the User object and then assigning those rights using groups in the connected directories. In that scenario, we would end up needing to expand the User schema and have dedicated attribute/s for each application. I'd prefer to avoid this, but if that's the only way I guess it's acceptable. Anyone
October 29th, 2009 7:17am

Hi Matthew! Dynamic groups are the easiest way to manage authorization if your requirements allow handling it during provisioning. Historically, most applications have had their own authorization schemes, which isn't always such a good idea, and amongst the solutions there have been RBAC and other ways of grouping people that in most cases have resulted in a stiff model with a lot of problems as soon as the organization is changing. Using attributes could be a more agile way of assigning rights, but doing it during provisioning isn't necessarily where you should do it, so my recommendation is to start with your requirements and then search for the right way of solving the problem. Using attributes for authorization often requires an advanced policy framework, and unless FIM dynamic groups can fulfill your requirements I recommend you have a look at, for example, XACML and ABAC.
//Henrik
Henrik Nilsson Blog: http://www.idmcrisis.com Company: Cortego (http://www.cortego.se)
October 30th, 2009 4:15am

Thanks for your suggestions Henrik.
November 2nd, 2009 8:30am
