Manual and FIM based Management of AD Group Membership

    General discussion

  • In our AD environment every group has a "child" group (the child group is a member of the parent).  The reason for this setup is so that we can manage group membership manually and through FIM.  Membership in the parent group is managed manually.  Membership in the child group is managed by FIM.  The issue is that when a new group is added to the master data source (a SQL DB) FIM is responsible for provisioning the parent and child group to AD.  So FIM is aware that both groups exist and it knows that the child group is a member of the parent group.  FIM is unaware of any members that have been manually added to the parent group.  This is where the issue is.  When the membership of the child group changes in the master data source this change gets synchronised to AD and it causes the membership of both the child and parent group to be updated.  In the case of the parent group all members besides the child group are removed.  What I would like to happen is for FIM to not change the parent group membership after the group is created in AD.

    Is this possible?

    March 3, 2012 0:35

All replies

  • Hi,

    Have you tried something like this?

    1. Set an attribute on the groups to distinguish parent from child.

    2. Create a sync rule for the parent groups with membership attribute flow set to "Initial flow only".

    3. Create a sync rule for the child groups with the membership attribute flow as normal.

    I haven't tried it, but it might work.


    March 3, 2012 13:47
  • Hi Sami,

    Thanks for the suggestions.  The problem is that you cannot set the Initial Flow Only flag on reference attributes and the Membership attribute is a reference attribute.

    March 5, 2012 16:55
  • Ah--I hadn't realized that. Sorry about that.

    Perhaps something like this might be possible? (I'm not sure how to do step two without custom coding a workflow though.)

    1. Create your sync rule with the membership attribute flow.

    2. Create a workflow that's triggered when a group is created. Have the workflow check if the group has a member that is a group object. (I think this might have to be a custom workflow... Although there may be an XPath query that can do this.) If so, set an attribute on the group to indicate it is a parent group.

    3. When a group joins that set, remove the sync rule with the membership attribute flow. If you're still managing other aspects of parent groups, create an SR without the membership attribute flow and add that to the group at this time.

    • Edited by SamiVV March 6, 2012 18:41
    March 5, 2012 17:17
  • I think Sami's on the right track, though I haven't done anything like this either.

    Regarding Step 2, if you can set an attribute (perhaps an initial flow only) on the parent group on export (via outbound sync rule) that is then flowed in with an inbound sync rule and then brought to the portal, you should be able to define a set based on it that would contain all the parent groups that are in AD.  Then the set transition MPR can handle the removal and addition of SRs as suggested.  There may be a way to do that with DREs but I still have trouble understanding the intended use of those.

    If all the potential manually-added members of the parent group are also in the portal, I would think there could also be a way to keep management of the parent group members in the portal where approvals can be handled, changes more easily audited, etc.  It might complicate the group creation process, though.

    March 6, 2012 16:54
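Whichever of the sync-rule or set-transition approaches above is tried, it helps to have an independent check that tells you whether an export is still stripping the manually added members from the parent groups. The script below is an added example written for this thread, not code from any of the posters or from FIM itself. It identifies parent groups the way step 2 of Sami's second reply describes (a group that has a group among its direct members), records their direct membership with Export-Clixml, and on the next run reports members that disappeared, optionally putting them back. The OU, the snapshot path and the constructed distinguished names at the bottom are assumptions for illustration; the comparison function itself does not need a domain.

```powershell
# Added example for this thread (not FIM code, not from the original posters).
# Assumptions: RSAT ActiveDirectory module is available; a "parent" group is any group with
# at least one group among its direct members (the thread's structure); OU and file paths
# below are illustrative.

# Pure comparison, usable offline: which members present in the snapshot are gone now?
# The child group(s) are excluded because FIM is expected to keep those as members.
function Get-StrippedMembers {
    param(
        [string[]]$SnapshotMembers,   # distinguishedNames recorded before the export
        [string[]]$CurrentMembers,    # distinguishedNames read from AD now
        [string[]]$ChildGroupDNs      # group members FIM manages and should keep
    )
    $SnapshotMembers | Where-Object { $_ -notin $CurrentMembers -and $_ -notin $ChildGroupDNs }
}

# Find parent groups structurally: direct members include at least one group object.
function Get-ParentGroups {
    param([string]$SearchBase)
    Import-Module ActiveDirectory
    foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member) {
        $childGroups = @(Get-ADGroupMember -Identity $g | Where-Object { $_.objectClass -eq 'group' })
        if ($childGroups.Count -gt 0) {
            [pscustomobject]@{
                Group    = $g.DistinguishedName
                Children = @($childGroups.DistinguishedName)
                Members  = @($g.member)      # direct members as DNs, manual ones included
            }
        }
    }
}

# Record the current membership of every parent group so a later audit has a baseline.
function Save-ParentGroupSnapshot {
    param([string]$SearchBase, [string]$Path)
    Get-ParentGroups -SearchBase $SearchBase | Export-Clixml -Path $Path
}

# Compare live membership with the snapshot; report (and optionally restore) stripped members.
function Invoke-ParentGroupAudit {
    param([string]$SearchBase, [string]$Path, [switch]$Restore)
    $snapshot = Import-Clixml -Path $Path
    foreach ($live in Get-ParentGroups -SearchBase $SearchBase) {
        $old = $snapshot | Where-Object { $_.Group -eq $live.Group }
        if (-not $old) { continue }       # parent group created since the snapshot
        $stripped = @(Get-StrippedMembers -SnapshotMembers $old.Members `
                                          -CurrentMembers $live.Members `
                                          -ChildGroupDNs $live.Children)
        if ($stripped.Count -gt 0) {
            Write-Warning ("{0}: {1} member(s) removed since snapshot" -f $live.Group, $stripped.Count)
            $stripped | ForEach-Object { Write-Output "  $_" }
            if ($Restore) { Add-ADGroupMember -Identity $live.Group -Members $stripped }
        }
    }
}

# Offline check of the comparison logic with constructed DNs (no domain required).
$childDN      = 'CN=Sales-Child,OU=Groups,DC=example,DC=com'
$demoSnapshot = 'CN=alice,OU=Users,DC=example,DC=com',
                'CN=bob,OU=Users,DC=example,DC=com',
                $childDN
$demoCurrent  = @($childDN)                 # what a full membership flow leaves behind
Get-StrippedMembers -SnapshotMembers $demoSnapshot -CurrentMembers $demoCurrent -ChildGroupDNs $childDN

# Against a real domain (paths and OU are assumptions):
#   Save-ParentGroupSnapshot -SearchBase 'OU=Groups,DC=example,DC=com' -Path C:\fim\parents.xml
#   ... let FIM export ...
#   Invoke-ParentGroupAudit  -SearchBase 'OU=Groups,DC=example,DC=com' -Path C:\fim\parents.xml
```

With the constructed data the function returns the two user DNs, which is exactly the set the original post describes losing. Run the snapshot before a FIM export and the audit after it: an empty report means the parent-group membership flow has been successfully detached. The -Restore switch is only a stop-gap for recovering members while the sync rules are being reworked; as long as FIM still flows the member attribute to the parent group, the next export that touches the group will remove them again.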