FIM Portal Groups - Change from criteria based to manual

Hi,

I have groups in FIM portal that are criteria-based.

I need to change those groups to manual in order to add/remove users from them via my code with RMGroup resourceType.

I can't use XPath filters anymore because it will be quite complex and FIM doesn't accept it.

I tried to, in code, remove the filter, set an empty filter, set MembershipLocked to false, ... everything.

I always get the error "Policy prohibits the request from completing", so without changing the groups to manual, I still can't add/remove users to the groups with my code.

If I change the group from criteria-based to manual membership in the UI, it works. The code is calling the FIM webservices using the same credentials I use to access the portal.

Note: I also have an MPR granting all permissions in all Attributes to AllGroups to administrators.

How can I do it programmatically?

Help is really appreciated,

Many thanks,

DevDiver


  • Edited by DevDiver Tuesday, March 10, 2015 5:36 PM
March 10th, 2015 4:06pm

You are probably running afoul of the MPR called "Group management workflow: Group information validation for dynamic groups" which reacts to changes to members of the "Dynamic groups" set (filter: Membership Locked is true) by running the Group Validation Workflow. So setting Membership Locked to false takes it out of that set but that puts it into the Static Groups set which is monitored by another MPR that triggers that same workflow.

Per the UI "This activity evaluates a request and fails authorization if the request would leave the group with properties that are unsupported by FIM group management, for example, adding an explicit member to a group whose membership is dynamically calculated."

Attributes for Dynamic groups

Filter is not null

MembershipLocked is true

Deferred Evaluation may be true

Membership Add Workflow is None

ExplicitMember is null

Temporal may be true

Attributes for Static Groups

Filter is Null

MembershipLocked is false

Deferred Evaluation is null or false

Membership Add Workflow may be populated

ExplicitMember may be populated

Temporal is null

If you follow these rules it should pass the Group Validation Workflow.

April 24th, 2015 11:37am
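
The dynamic and static group rules listed in the answer above, written as a pre-flight check on the state a request would leave the group in. This is an added example, not part of the original thread and not FIM's own validation code. It is plain Python over dictionaries and makes no FIM web service calls; the attribute names are taken from the answer's lists (not necessarily the schema's system names), "Membership Add Workflow is None" is assumed to mean unset or the literal value "None", and the sample group is constructed.

```python
# Added example: attribute names are copied from the answer's lists and may
# differ from the FIM schema's system names. No FIM service calls are made.

def is_null(value):
    return value is None or value == "" or value == []

def violations(group):
    """List the rules from the answer that a group's resulting state breaks."""
    found = []
    if group.get("MembershipLocked") is True:           # dynamic group rules
        if is_null(group.get("Filter")):
            found.append("dynamic: Filter must not be null")
        # Assumption: "is None" means unset or the literal value "None".
        if group.get("MembershipAddWorkflow") not in (None, "None"):
            found.append("dynamic: MembershipAddWorkflow must be None")
        if not is_null(group.get("ExplicitMember")):
            found.append("dynamic: ExplicitMember must be null")
    else:                                               # static group rules
        if not is_null(group.get("Filter")):
            found.append("static: Filter must be null")
        if group.get("DeferredEvaluation"):
            found.append("static: DeferredEvaluation must be null or false")
        if group.get("Temporal") is not None:
            found.append("static: Temporal must be null")
    return found

def apply_changes(group, changes):
    """Return the state the group would have after the proposed changes."""
    return {**group, **changes}

def to_manual_changes(group):
    """Attribute changes that together leave a valid static group."""
    changes = {"MembershipLocked": False}
    if not is_null(group.get("Filter")):
        changes["Filter"] = None
    if group.get("DeferredEvaluation"):
        changes["DeferredEvaluation"] = None
    if group.get("Temporal") is not None:
        changes["Temporal"] = None
    return changes

# Constructed sample: a criteria-based group as the answer describes one.
DYNAMIC = {"Filter": "/Person[Department = 'Sales']", "MembershipLocked": True,
           "DeferredEvaluation": True, "MembershipAddWorkflow": "None",
           "ExplicitMember": None, "Temporal": None}

if __name__ == "__main__":
    for label, change in [("clear filter only", {"Filter": None}),
                          ("unlock only", {"MembershipLocked": False}),
                          ("combined", to_manual_changes(DYNAMIC))]:
        print(label, "->", violations(apply_changes(DYNAMIC, change)) or "ok")
```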

Further to David's suggestion, I can confirm that I've used the FIM Function Evaluator to change groups in the reverse way (static => dynamic), so in theory it should work the other way too.
May 30th, 2015 1:25pm
