FIM & AD Group Membership

  • Question

  • Hi,

    We know that FIM can't have a group with half of its members flowing from an AD MA and another half from a FIM MA. All members must exist in the source MA.

    Assuming we already have 5 AD Groups with members, that we would like to manage from the FIM Portal - would these be the correct steps to achieve this:

    1. Export existing AD Group + members to the FIM Portal (via AD MA & FIM MA) + all the User accounts
    2. I am assuming all the Group members will appear in the Portal and the 'member selection' will be set to 'manual'?
    3. Modify the FIM MA & AD MA Group attribute flows
    4. Modify the Group/Member MV attribute precedence to the FIM MA on top

    Anything else?

    Thank you,

    SK



    • Edited by D Wind Wednesday, December 5, 2012 7:54 AM
    Wednesday, December 5, 2012 7:53 AM

Answers

  • Hi SK,

    The approach you have outlined will work.

    Another approach that would allow you to manage membership in both FIM and AD would be to use nested groups (assuming any applications that rely on the membership can enumerate nested groups).

    Assuming your group is called Group A, you would leave this group in AD, unmanaged by FIM.

    Create a group Group B, use FIM to manage the membership of Group B and flow this membership back to AD.

    Make Group B a member of Group A to grant all of the FIM managed members the rights of Group A.

    Obviously, this adds some overhead to the organisation's group strategy, so if it was for a large number of groups and the organisation is happy to manage all groups using FIM going forward, then stick to your approach.

    However, if the organisation needs to manage the membership of this group (and potentially others) using both FIM and AD, this approach may assist you.

    • Marked as answer by D Wind Thursday, December 6, 2012 6:09 AM
    Thursday, December 6, 2012 4:23 AM
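    The nesting pattern described in this answer, as an added PowerShell example that is not part of the original thread: it creates the FIM-managed Group B alongside the AD-managed Group A, nests B in A, and then compares direct versus recursive membership of Group A so you can see exactly which users an application that does not enumerate nested groups would miss. It assumes the ActiveDirectory module is available; the group names and the OU path are placeholders you supply.

    ```powershell
    # Added example (not from the thread). Assumes the ActiveDirectory module and that
    # the caller supplies real group names and an OU distinguished name.
    Import-Module ActiveDirectory

    function New-FimManagedNestedGroup {
        param(
            [Parameter(Mandatory)][string]$ExistingGroup,  # "Group A": stays AD-managed, untouched by FIM
            [Parameter(Mandatory)][string]$ManagedGroup,   # "Group B": membership owned by the FIM Portal
            [Parameter(Mandatory)][string]$Path            # OU DN in which to create Group B (placeholder)
        )
        $parent = Get-ADGroup -Identity $ExistingGroup

        # Create Group B only if it does not already exist; use the parent's scope so the
        # nesting is permitted by AD group-scope rules within the same domain.
        $child = Get-ADGroup -Filter "SamAccountName -eq '$ManagedGroup'"
        if (-not $child) {
            $child = New-ADGroup -Name $ManagedGroup -SamAccountName $ManagedGroup `
                -GroupScope $parent.GroupScope -GroupCategory Security -Path $Path -PassThru
        }

        # Nest B in A: every FIM-managed member of B now inherits A's rights.
        Add-ADGroupMember -Identity $parent -Members $child
        return $child
    }

    function Compare-DirectAndEffectiveMembers {
        # Shows what a consumer that cannot expand nested groups would see (direct users)
        # versus the effective membership (recursive), and lists users visible only via nesting.
        param([Parameter(Mandatory)][string]$Group)

        $direct    = @(Get-ADGroupMember -Identity $Group | Where-Object objectClass -eq 'user')
        $effective = @(Get-ADGroupMember -Identity $Group -Recursive)   # flattens nested groups to leaf objects
        $onlyViaNesting = @($effective | Where-Object { $_.distinguishedName -notin $direct.distinguishedName })

        [pscustomobject]@{
            Group          = $Group
            DirectUsers    = $direct.Count
            EffectiveUsers = $effective.Count
            OnlyViaNesting = $onlyViaNesting.distinguishedName
        }
    }

    # Usage (placeholder names):
    # New-FimManagedNestedGroup -ExistingGroup 'Group A' -ManagedGroup 'Group B' -Path 'OU=Groups,DC=example,DC=local'
    # Compare-DirectAndEffectiveMembers -Group 'Group A'
    ```

    If `OnlyViaNesting` is non-empty for a group that an application reads with a non-recursive lookup, that application will not grant those FIM-managed users Group A's rights, which is the caveat the answer raises.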
  • The method you describe is about right. In your scenario, AD would be authoritative on the Group/Member attribute up to step 3, in order to populate the members attribute in the FIM Portal and, after step 4, the FIM Portal would be the authoritative source for members.

    This is a pretty common scenario when you are transitioning groups from being managed within AD to being managed within the FIM Portal.

    If you have an actual need to manage the groups within both places, the group nesting that cr4711 mentions is probably the best way to go. If nesting wasn't an option (e.g., if your applications weren't able to enumerate nested groups), then I would probably end up writing a custom workflow that combines members from two fields (e.g., "adMembers" and "fimMembers") into a single field any time one of the two was modified. The beauty of the FIM Portal is that we can actually do some tricky stuff with Reference fields in custom workflows, unlike the Sync Service where we are pretty restricted in how we can use Reference types within rules extensions.


    MCTS: Forefront Identity Manager 2010, Configuring

    • Marked as answer by D Wind Thursday, December 6, 2012 6:09 AM
    Thursday, December 6, 2012 4:49 AM
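    The "combine two reference fields into one" idea from this answer, modelled as an added PowerShell example rather than a real FIM workflow activity (this is not code from the thread or from FIM). The field names `adMembers` and `fimMembers` come from the answer; the member identifiers are constructed sample values. The function computes the combined `member` set and the add/remove delta the workflow would have to apply, and the usage at the bottom shows the failure mode to plan for: a member removed in only one source stays in the combined field as long as the other source still lists it.

    ```powershell
    # Added example (not from the thread). Member ids below are constructed placeholders.
    function Merge-MemberSources {
        param(
            [string[]]$AdMembers      = @(),   # what last flowed in from AD
            [string[]]$FimMembers     = @(),   # what was selected in the FIM Portal
            [string[]]$CurrentMembers = @()    # what the combined "member" field holds now
        )
        # Union, de-duplicated case-insensitively, since one object may appear in both sources.
        $desired = @($AdMembers + $FimMembers | Sort-Object -Unique)
        $adds    = @($desired        | Where-Object { $_ -notin $CurrentMembers })
        $removes = @($CurrentMembers | Where-Object { $_ -notin $desired })

        [pscustomobject]@{
            Desired = $desired
            Add     = $adds      # references the workflow must add to "member"
            Remove  = $removes   # references the workflow must remove from "member"
        }
    }

    # Constructed scenario: AD has removed user3, but the Portal still lists user3.
    $result = Merge-MemberSources `
        -AdMembers      @('user1', 'user2') `
        -FimMembers     @('user2', 'user3', 'user4') `
        -CurrentMembers @('user1', 'user2', 'user3')

    # Desired: user1 user2 user3 user4; Add: user4; Remove: (none).
    # user3 survives the AD removal because fimMembers still holds it: with a plain union,
    # a removal only takes effect once both sources drop the member, so decide up front
    # which source is allowed to remove and handle that case explicitly in the workflow.
    $result | Format-List
    ```

    Because the combined field is a plain union, the workflow has no way to tell a deliberate removal in one source from a member that was simply never added there; whichever of the two fields triggered the run, the same rule applies.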

All replies

  • Thank you both!
    Thursday, December 6, 2012 6:10 AM