AD Security Groups automatically assigned to a newly created user in FIM 2010

  • Question

  • Hi team,

    I am trying to get my head around a way to accomplish a custom deployment in FIM 2010. In AD I can automatically create users with a specific Security Group membership by copying the default user with the necessary membership upon creation. The process is as simple as it gets.

    Now, in order to mirror that behaviour in FIM, what should I do? Could you point me in the right direction? AD groups are Global Security ones.

    Thanks in advance!

    Thursday, April 12, 2018 7:58 AM

All replies

  • In an AD-only situation, AD is authoritative for the user and the group. When you bring FIM into the picture, there is an assumption that you are using the FIM Portal or you have some other system/process involved, which means AD may not always be authoritative for the group. It is the group, not the user, that controls the membership. In short, the design depends on which system controls the groups.

    If you have a limited number of "default users" and you are synchronizing groups out to AD via FIM Portal, an easy way to handle this is to create a custom object type for each default user. Example: if default user #1 needs to be in 3 groups, create 3 criteria-based groups that add in the custom object type default user #1 to the groups. Those criteria-based groups can be synchronized back out to AD and nested into any existing AD group(s). You don't have to create a custom object type, of course. You could simply have a custom attribute or utilize an existing attribute that specifies the "type" of account and use that attribute to build your group memberships.

    If you are not synchronizing groups from the FIM Portal out to AD, then you are looking at writing a custom workflow that reaches out to AD directly and adds membership that way.

    If you are in more of an ad-hoc situation, where you have a random account with any number of groups in it and you want to copy that account's group membership, then I would humbly say that you are looking to build a technology solution that will create (more) security problems for you. Accounts will get more and more groups over time. Instead, I would say to invest the time into building a limited number of default users that have the bare minimum number of group memberships and use owner approval-based groups to let group owners approve/deny membership.

    I know it is easy for me to write such things, but I believe that is the right approach based on some of the messes I've seen at other companies who have copied group membership in an ad-hoc fashion. I hope this helps you.


    Jeff Ingalls

    • Edited by Jeff Ingalls MVP Thursday, April 12, 2018 2:17 PM Added using custom attribute instead of a custom object type
    Thursday, April 12, 2018 1:48 PM
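The attribute-driven criteria-based group Jeff describes, as an added example rather than anything posted in this thread: one FIM 2010 Global Security group whose members are exactly the Person objects typed as a given "default user", created through the FIMAutomation snap-in. Assumed: the snap-in is installed on the FIM Service server, the default Person attribute EmployeeType carries the account type, and the value 'DefaultUser1', the group names, the domain 'CONTOSO' and the owner account 'Administrator' are placeholders to replace with your own.

```powershell
# Example code, not from the thread. Creates a criteria-based (MembershipLocked)
# security group in the FIM Portal; the FIM Sync rules then push it to AD,
# where it can be nested into the existing AD groups.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Helper: one attribute value to set on the new object (Operation 1 = Add).
function New-ImportChange($Name, $Value) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = 1
    $c.AttributeName  = $Name
    $c.AttributeValue = $Value
    $c.FullyResolved  = 1
    $c.Locale         = "Invariant"
    $c
}

# Resolve the group owner's ObjectID (ObjectIdentifier is "urn:uuid:<guid>").
# 'Administrator' is an assumed owner account; pick the real group owner.
$owner   = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[AccountName='Administrator']"
$ownerId = $owner.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''

# XPath filter: membership follows the account-type attribute, nothing else.
# 'DefaultUser1' is an assumed value of the EmployeeType attribute.
$filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
          'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
          'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
          'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
          "/Person[EmployeeType = 'DefaultUser1']</Filter>"

# New Group object; ImportObject defaults to the Create state.
$group = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$group.ObjectType             = "Group"
$group.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
$group.TargetObjectIdentifier = $group.SourceObjectIdentifier
$group.Changes = @(
    (New-ImportChange "DisplayName"           "DefaultUser1 - App Access"),   # assumed names
    (New-ImportChange "AccountName"           "DefaultUser1-AppAccess"),
    (New-ImportChange "Domain"                "CONTOSO"),                     # assumed domain
    (New-ImportChange "Type"                  "Security"),
    (New-ImportChange "Scope"                 "Global"),
    (New-ImportChange "MembershipLocked"      "True"),   # criteria-based: no manual adds
    (New-ImportChange "MembershipAddWorkflow" "None"),
    (New-ImportChange "Owner"                 $ownerId),
    (New-ImportChange "DisplayedOwner"        $ownerId),
    (New-ImportChange "Filter"                $filter)
)
$group | Import-FIMConfig
```

Repeat the block once per group the default user needs; because the filter keys on one attribute, a new account gets every group by being typed correctly, and nobody can hand-add members to a locked group.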
  • Take a look at this doc on group management

    David Lundell, Get your copy of FIM Best Practices Volume 1

    Monday, April 16, 2018 7:27 PM