Specifying the OU to provision FIM users and groups to AD.
-
Thursday, January 24, 2013 5:39 PM
I'd like to be able to provision users and groups to AD and specify the OU for each within the create form. I suppose I could map user 'department' to an OU (as Furqan suggests in this post: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/e4af6822-f8ac-4b85-8000-ed2985e2dbf2), but what about SGs that don't have a department field?
Or perhaps I create a custom OU field for the new user and group form?
Just looking for best practices out there for dealing with the lack of OU support in FIM (which by the way seems very odd given that MS owns both products).
Thanks!
Follow-up question: When synchronizing from AD to FIM, it seems as if the 'ou' attribute is not populated - at least it is not populated when looking at the user's metaverse object after an import and sync on AD. The flow status states 'NOT APPLIED' and, while the ou is listed as a Data Source Attribute, the Initial and Final values are null. Why wouldn't the OU value be populated with the user's OU?
All Replies
-
Thursday, January 24, 2013 8:41 PM
Well - you have at least a few options:
1. Create sets of users in various departments, appropriate synchronization rules, and manage assignment of objects to the appropriate synchronization rules. Depending on the number of possible values this might be challenging to maintain (however, this can also be automated - creation of a set, workflow, SR etc. for each new value of a given department).
2. Abandon SRs for this task and move to the good old MV rules extension with some configuration, and manage object DNs within code - might be a valid solution, depending on your coding skills and SR-religion ;).
3. Something in between - actually I did it this way a few times.
Create an object which will define such a mapping, with a few attributes - the attribute you will search on (Key), the value you will search for (Value), and the desired OU path for that key and value. Then a simple MPR and workflow which will be fired on a user on update of this attribute (Key), will look for the correct mapping object for the given value set on the user (Value), and will assign it a proper mapping object (I used a reference because it was convenient for me also for other purposes).
And in this way you have a valid path on each user and your SR is simple.
4. Use Craig's PowerShell Activity or Soren's C# activity to put together a piece of code which will calculate the correct OU value for a user and update it on the user in some attribute - like OuPath.
This is the beauty - plenty of options to do this and achieve what is desired. Some work required ...
Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl
- Marked As Answer by Osho27 Friday, January 25, 2013 1:33 PM
-
Friday, January 25, 2013 1:34 PM
Thanks Tomaz - I'll look further into our requirements and figure out which strategy makes most sense.
-
Sunday, January 27, 2013 8:52 AM
There is an IsPresent function that can be used in the Sync Rules and you can know if the department is present or not.
You can use a custom expression to set the DN, similar to the following.
"CN="+EscapeDNComponent(displayName)+ IIF(IsPresent(Department), ",OU=" +EscapeDNComponent(Department) ,"") + IIF(IsPresent(Location),",OU=" +EscapeDNComponent(Location),"") +",DC=contoso,DC=com"
It will provision users and groups in the parent OU only if the sub-OU attribute, like department, is not present.
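The same DN-building logic as the custom expression above, written as the kind of PowerShell a workflow activity (Tomek's option 4) could use to fill an OuPath attribute; this is an added example, not code from the thread, from FIM or from Craig's activity. The DC=contoso,DC=com suffix is taken from the expression; the OU=Managed catch-all container, the nesting order and the sample values are assumptions.

```powershell
function ConvertTo-EscapedRdnValue {
    # Escape an RDN value per RFC 4514, the job EscapeDNComponent does in a sync rule.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $escaped = $Value -replace '\\', '\\'              # backslash first, doubled
    $escaped = $escaped -replace '([,+"<>;])', '\$1'   # other special characters
    if ($escaped -match '^[# ]') {                     # leading '#' or space
        $escaped = '\' + $escaped
    }
    if ($Value.Length -gt 1 -and $Value.EndsWith(' ')) { # trailing space (single space handled above)
        $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ '
    }
    return $escaped
}

function Get-ProvisioningDn {
    # Build the target DN: CN, then one OU level per present attribute, then the
    # catch-all container and domain. An absent attribute adds no OU level, which is
    # the same fallback the IIF(IsPresent(...)) expression gives.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$Department,
        [string]$Location,
        [string]$ParentOu = 'OU=Managed',                # assumed catch-all container
        [string]$DomainSuffix = 'DC=contoso,DC=com'      # suffix from the thread's expression
    )
    $rdns = @("CN=$(ConvertTo-EscapedRdnValue $DisplayName)")
    foreach ($ou in @($Department, $Location)) {
        if (-not [string]::IsNullOrWhiteSpace($ou)) {
            $rdns += "OU=$(ConvertTo-EscapedRdnValue $ou)"
        }
    }
    if (-not [string]::IsNullOrWhiteSpace($ParentOu)) {
        $rdns += $ParentOu
    }
    $rdns += $DomainSuffix
    return ($rdns -join ',')
}

# Constructed sample values: the comma in the display name exercises the escaping,
# and the group without a department falls back to the parent container.
Get-ProvisioningDn -DisplayName 'Smith, John' -Department 'Sales' -Location 'EMEA'
Get-ProvisioningDn -DisplayName 'Finance Admins'
```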

