Rule Extension for Removing group membership of a user

  • Question

  • Hi,

    Requirement:

    Whenever the join between a user in the target AD and the source AD user breaks off or is unjoined, the group membership of the target user should be cleared.

    Is there any way of doing this without code extension? I don't think so.

    I think I need a rule extension which gets fired at event of disconnect/unjoin/deprovisioning.

    Can someone help me with a piece of code that will do this?

    Thanks in advance.


    • Edited by ak862014 Friday, January 9, 2015 9:20 PM
    Friday, January 9, 2015 9:16 PM

Answers

  • FIM does not operate on the memberOf attribute for a user (since this is a back-link attribute in AD). Instead, membership of groups is controlled by the member attribute of the groups. Therefore, what you're describing here seems nearly impossible to do in the Sync Engine. Instead, I would look into doing this in the FIM Portal, where you can do manipulation on the membership attribute for groups, i.e. you could have an attribute that can only exist in the source directory, and when that attribute is no longer present on a user in the FIM Portal/Service, you could have a workflow that removes the user from all groups that it is a member of.

    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    • Marked as answer by ak862014 Monday, January 12, 2015 8:05 PM
    Sunday, January 11, 2015 10:31 AM
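    An added example, not from the thread or from Soren: a PowerShell function that applies the point above (membership lives in each group's `member` attribute, a user's `memberOf` is only a back-link) to clear a user out of the groups that FIM manages in the target AD. It assumes the ActiveDirectory module and that you supply the list of FIM-managed group DNs yourself (for example from your MA's export scope); `$FimManagedGroupDNs` and the function name are assumptions, and only groups in that list are touched.

```powershell
# Added example, not the thread's code. Removes a target-AD user from the FIM-managed
# groups by editing each group's 'member' attribute (the side FIM writes), never by
# writing the user's read-only 'memberOf' back-link. $FimManagedGroupDNs is assumed
# input: the DNs of the groups your FIM sync manages, so other groups are left alone.
function Remove-FimManagedMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $UserSamAccountName,
        [Parameter(Mandatory)] [string[]] $FimManagedGroupDNs
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Read memberOf only to learn which groups currently list the user.
    $user    = Get-ADUser -Identity $UserSamAccountName -Properties memberOf
    $current = @($user.memberOf)

    # Intersect with the FIM-managed set (DN comparison is case-insensitive).
    $toRemove = $current | Where-Object { $FimManagedGroupDNs -contains $_ }

    foreach ($groupDn in $toRemove) {
        # -WhatIf / -Confirm flow through ShouldProcess, so a dry run is possible.
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($user.DistinguishedName) from member")) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
            # Emit a record per change so the run can be logged with Export-Csv.
            [pscustomobject]@{
                Timestamp = (Get-Date).ToString('o')
                User      = $user.DistinguishedName
                Group     = $groupDn
                Action    = 'RemovedFromMember'
            }
        }
    }
}

# Usage: dry run first, then pipe the real run to a log file.
# Remove-FimManagedMembership -UserSamAccountName 'jdoe' -FimManagedGroupDNs $fimGroups -WhatIf
# Remove-FimManagedMembership -UserSamAccountName 'jdoe' -FimManagedGroupDNs $fimGroups |
#     Export-Csv -Path .\fim-membership-removals.csv -Append -NoTypeInformation
```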
  • If you have groups managed by FIM, their membership will be updated automatically. When you disjoin a user from the MV object, it will be removed from the groups' member attribute (in the usual setup this is how it works).

    Can you explain your setup a little bit more?


    Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

    • Marked as answer by ak862014 Monday, January 12, 2015 8:05 PM
    Monday, January 12, 2015 1:02 PM

All replies

  • Thanks Soren.

    One clarification I want to give here is about when the unjoin happens. I want the groups to be cleared in the target AD which were added by FIM during the sync process. Also, we do not have the FIM Portal in place. We only have the FIM Service in the picture. So do I need to create a new attribute flow for this which clears the user from all groups that it is a member of when the unjoin happens? So now what would be the best trigger for this workflow to happen? Does this need a new MA exclusively for this task? Apologies, I am new to FIM!

    Also, I want to see the logs where I could check all the group names the user was added to by FIM. I believe that's in the SQL Server database. This works out in the case where I manually want to remove groups from the target AD which were added by FIM, after checking the logs.

    Sunday, January 11, 2015 11:21 AM