Friday, January 11, 2013 4:55 PM
This thread seems on par with what I'm trying to ask... http://social.technet.microsoft.com/Forums/en-GB/ilm2/thread/74645d48-493c-408c-81e1-94ea598c10ab?prof=required
Basically I am looking for a way to flow the "member" attribute of a group to a different user object.
The underlying issue I'm trying to make a solution for is with Shared mailboxes in Exchange and the problem that auto-populate for shared mailboxes doesn't work when groups are used. So I am trying to figure out how to accommodate that in FIM to keep the member list of a security group to always be in sync with the msExchDelegateListLink attribute of the Shared Mailbox account.
Does Flow Scope come into play for this? Or do you know of a different approach to accomplish this?
There would be a known mapping for the Shared Mailbox of what group is used to grant full access to it, and so based on that set:
group.member = user.msExchDelegateListLink
Friday, January 11, 2013 11:13 PM
I'm not sure I completely understand your situation, but if you want to flow an attribute from one object to another, the best way to do it is through FIM Service workflows. If you have a reference to the object on your user, you can use the reference to get attributes on the value like //Target/Manager/DisplayName. Or you can create a custom workflow that does whatever you need it to do.
If you are only using the synchronization engine, it's a bit more tricky, since you can't point to other objects like that. In that case maybe it's best to add the information to the source before flowing in the identities, or adding it using a Rules Extension.
Monday, January 14, 2013 2:22 PM
Thank you for the assistance and appreciate the response.
So if I had a reference attribute assigned to the shared mailbox account called "managingGroup" for example, and that referenced the security group, I could in theory call that in a workflow as a parameter to be "//Target/ManagingGroup/members"... My question in doing it that way: would the changes be seen as deltas if the group members change for the user object? Or would I need to do the opposite and configure the reference on the group to ensure when the group changes, that the user also changes?
Looking at this thread, I'm guessing this would be the next dilemma... http://social.technet.microsoft.com/Forums/pl-PL/ilm2/thread/1b9577d6-f2e2-47a9-a921-83573b9c88e7 ... in which case, got any suggestions? I'm not all that familiar with custom activities and rules extensions, being new to this.
Thursday, January 24, 2013 8:52 AM
I'm still confused here, but let me try to give you an answer to what I think you are trying to do.
I am assuming the situation is like this:
- You have a security group I will call "SecurityGroup".
- You have a group (not account), called "managingGroup". This group references a security group (I will call this reference SecGroupReference).
- Your goal is to put members from the "SecurityGroup" into "managingGroup". You want to do this by adding "SecurityGroup" to secGroupReference, and any changes to "SecurityGroup" should result in an update in "managingGroup" members.
You need a workflow that triggers on changes in the "SecurityGroup" members. This workflow should search for distribution groups that hold the ObjectId of "SecurityGroup" in secGroupReference. When it finds it, it should compare members, and add or remove non-matching members, on the distributionGroup.
Am I getting close?
Thursday, January 31, 2013 6:23 PM
In relation to my above answer I would like to tell you that Søren Granfeldt just released his library of awesome generic custom workflows. They're easy to install, and they will allow you to do almost anything. There are still limitations.
But included are two activities that could be interesting for you:
1. One that copies data from 1 to N resources of any kind. "Copy Values" or perhaps "Lookup value" or "Code Run"
2. One that creates a new resource. "Create Object"
These should be sufficient to reach your goal.
Check it out here: http://fimactivitylibrary.codeplex.com/
Thursday, January 31, 2013 9:53 PM
I would suggest using a custom PowerShell activity, which is also available in that library, I assume. There are also a lot of examples out there on how to update a resource in FIM through PowerShell.
Regards Furqan Asghar
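
The compare-and-update step of the workflow described in the January 24 reply, sketched in PowerShell as the last reply suggests. This is an added example, not code from the thread or from the FIM activity library; the function name Get-DelegateLinkDelta and every DN are hypothetical, and it assumes direct group members only (nested groups are not expanded).

```powershell
# Added example; every DN below is constructed sample data.
function Get-DelegateLinkDelta {
    param(
        [string[]]$GroupMembers     = @(),  # desired state: group.member
        [string[]]$CurrentDelegates = @()   # current state: msExchDelegateListLink
    )
    # Compare DNs case-insensitively; the sets also collapse duplicates.
    $cmp     = [System.StringComparer]::OrdinalIgnoreCase
    $desired = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $actual  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $GroupMembers)     { if ($dn) { [void]$desired.Add($dn.Trim()) } }
    foreach ($dn in $CurrentDelegates) { if ($dn) { [void]$actual.Add($dn.Trim()) } }

    [pscustomobject]@{
        # In the group but not yet listed on the mailbox.
        Add    = @($desired | Where-Object { -not $actual.Contains($_) })
        # Still listed on the mailbox but no longer in the group.
        Remove = @($actual | Where-Object { -not $desired.Contains($_) })
    }
}

# Known mapping: shared mailbox -> group that grants Full Access (constructed).
$mapping = @{
    'CN=Finance Shared,OU=Shared,DC=example,DC=com' = 'CN=Finance-FullAccess,OU=Groups,DC=example,DC=com'
}
# Constructed directory state standing in for what the workflow would read.
$members = @{
    'CN=Finance-FullAccess,OU=Groups,DC=example,DC=com' = @(
        'CN=Alice,OU=Users,DC=example,DC=com',
        'CN=Bob,OU=Users,DC=example,DC=com')
}
$delegates = @{
    'CN=Finance Shared,OU=Shared,DC=example,DC=com' = @(
        'cn=alice,ou=users,dc=example,dc=com',   # same DN, different case
        'CN=Carol,OU=Users,DC=example,DC=com')   # no longer in the group
}

foreach ($mailbox in $mapping.Keys) {
    $delta = Get-DelegateLinkDelta -GroupMembers $members[$mapping[$mailbox]] `
                                   -CurrentDelegates $delegates[$mailbox]
    "{0}: add [{1}] remove [{2}]" -f $mailbox, ($delta.Add -join '; '), ($delta.Remove -join '; ')
}
```

Applying the Remove list matters as much as the Add list: without it, users taken out of the group stay listed in msExchDelegateListLink.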