none
How to assign Owner when importing group from AD to portal.? RRS feed

  • Question

  • I have some distribution groups in AD and while importing them on Portal i want to make them Owner approval type aand Assign a owner. the Owner value should be refernce Type so can i pass value like this -  CN=FIMAdmin,OU=XYZ,DC=ABC,DC=com and mapp it with Owner attribute in Group Inbound Rule ?
    Thursday, March 7, 2013 7:28 AM

Answers

  • From How Do I Synchronize Groups from AD DS to FIM

    While you can synchronize group objects from AD DS to FIM without populating values for these attributes (DisplayedOwner, Owner), they are technically required by FIM so that the group is manageable within FIM, specifically:

    • An Owner-approval group needs an owner so that they can manage membership in the group.
    • FIM requires that the Displayed Owner is a member of the Owner group.

    One option that you have is to populate both attributes based on the managedBy attribute in AD DS. However, this method may require additional updates to your AD DS because managedBy is often not populated in AD DS.

    Another method is the configuration of workflows in FIM to initialize the attributes when a new group object has been imported from AD DS into FIM. Using workflows to initialize attribute values can have an impact on your environment when a large amount of objects has been imported from AD DS. You should keep this in mind when you perform bulk imports of new objects from AD DS.

    The third method to initialize these values is a scripted approach based on the FIM Windows PowerShell™ cmdlets. By using the scripted method, you can retrieve a list of the affected objects, set the values that you want, and import them back into your FIM Service data store. The tradeoff of the scripted method is the required manual interaction that can be time consuming.

    Thursday, March 7, 2013 7:39 AM

All replies

  • From How Do I Synchronize Groups from AD DS to FIM

    While you can synchronize group objects from AD DS to FIM without populating values for these attributes (DisplayedOwner, Owner), they are technically required by FIM so that the group is manageable within FIM, specifically:

    • An Owner-approval group needs an owner so that they can manage membership in the group.
    • FIM requires that the Displayed Owner is a member of the Owner group.

    One option that you have is to populate both attributes based on the managedBy attribute in AD DS. However, this method may require additional updates to your AD DS because managedBy is often not populated in AD DS.

    Another method is the configuration of workflows in FIM to initialize the attributes when a new group object has been imported from AD DS into FIM. Using workflows to initialize attribute values can have an impact on your environment when a large amount of objects has been imported from AD DS. You should keep this in mind when you perform bulk imports of new objects from AD DS.

    The third method to initialize these values is a scripted approach based on the FIM Windows PowerShell™ cmdlets. By using the scripted method, you can retrieve a list of the affected objects, set the values that you want, and import them back into your FIM Service data store. The tradeoff of the scripted method is the required manual interaction that can be time consuming.

    Thursday, March 7, 2013 7:39 AM
  • Hi Gaston ,

    Thank you for ur reply, Can you please explain how can i construct a Workflow to set owner when Groups are getting imported from AD to FIM portal. ? 

    Thursday, March 7, 2013 7:54 AM
  • If you're using OOB functionality, you can create a Workflow with function evaluator like

    Destination: [\\Target\DisplayedOwner]

    Value: Creator

    Instead of this you can write your own activy that updates manager or use already existing activities like Søren Granfeldt's:http://blog.goverco.com/2013/01/first-official-release-of-workflow.html

    In addition you need a MPR that fires this WF after the group is created


    Thursday, March 7, 2013 8:45 AM