AD security group as FIM Portal administrator

  • Question

  • Hi Gurus

    I have a question. I want to add an AD security group in FIM so that the users of the group become FIM Portal administrators. I believe that to do that I need to sync the group using a management agent and then add that group to the SharePoint administrator group. Is this correct? If it's not, then where can I find a procedure to make the members of the security group (which is in an OU) the administrators of the FIM Portal? I don't want to sync the whole OU but only one group within the OU, as there are other groups within the OU which I do not want to have admin rights to the portal.

    Is there a way I can achieve what I am trying to do? I haven't found any documentation to do it. As I am very new to this I apologize if the question sounds silly.

    Any help will be greatly appreciated. Thanks in advance.

    Regards,

    Tuesday, February 4, 2014 1:06 PM

Answers

  •  After running the FIMMA export, I get the error, failed creation via web services. I see the users in the FIM portal and when I add them to the Administrators set, those users cannot still access the FIM portal. I added a new user to the container and ran the sync again, added the new user to the administrator set and now the new user can access the portal as an administrator but the other users cannot. 

    Review all the disabled Management Policy Rules in the Portal; most likely the FIM MA account is not able to update the user objects, once created, and perhaps you missed supplying a necessary value like DisplayName, AccountName, or ObjectSid on the first round of exports.

    You can also review the request history in the Portal for more information on failed requests.


    Steve Kradel, Zetetic LLC

    • Marked as answer by Dipsg Thursday, February 6, 2014 11:09 PM
    Wednesday, February 5, 2014 8:31 PM

All replies

  • Hi,

    FIM doesn't use AD security groups to control admin rights - it has its own group-like objects called "sets". You can have a one-to-one relationship between a group in FIM and a set thus ensuring group members are also members of the administrative set but it's a little bit fiddly. There are various blog posts around explaining how to do this. You may find it simpler just to manually manage the administrator set in FIM in the short term - depending how many administrators you have.

    You don't need to do anything to the SharePoint groups apart from allowing access to the FIM site as per the install documents.

    Cheers

    Dave

    Tuesday, February 4, 2014 1:19 PM
  • Hi Dave

    Thank you so much for your prompt reply. I did see Sets --> Administrators; should I add the administrator users there? I don't have many administrators, but I would ideally like to add the users to the security group in AD so that I only have to manage it from one place. It is a production implementation of FIM and I would like to use the system on a long-term basis. If adding the administrators directly is the easier option, I would like to know the following:

    1) In the Sets in FIM, do I have to add the users from AD to it? At the moment I can't find an option to add the users to the sets. I am logged in as the administrator of the portal but still cannot add them.

    2) If I can add users to the set, does that mean I can add a group as well?

    3) Lastly, do I have to sync the users in any way from AD to FIM, or will just adding them to the sets be enough? Every time the account password etc. changes, do we have to run the sync to reflect those changes in FIM?

    Thanks again, for your assistance it is much appreciated.

    Regards

    Tuesday, February 4, 2014 2:13 PM
  • 1. You need to add the users from AD who are in FIM. They have to be sync'd from AD to the FIM portal via management agents. They can be added manually, but will be missing certain attributes you need for people to authenticate to the Portal (see 3 below)

    2. No, you can't directly make a group a member of a set. The blogs (that I can't link to at the moment as this new account hasn't been verified for some reason) show a technique for creating a set membership based on users who have membership of the group, but I think this might be a bit tricky for someone completely new to FIM

    3. Yes, you need to sync the users so that they have a user account present in the FIM DB, but you don't need to sync the password. FIM authentication uses the AD password but you must have the AD SID present (and some other attributes) for this to work. Read some of the MS scenario docs (again, I would link directly but am not allowed at the mo)

    Tuesday, February 4, 2014 2:26 PM
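The "group drives a set" technique Dave refers to, as an added example that is not part of the thread or of any linked blog: a criteria-based Set in the FIM Portal whose filter resolves to the members of a Group object that the AD MA has already synced into the portal. It uses the FIMAutomation snap-in that ships with the FIM Service. The group display name ('FIM Portal Admins'), the set name ('Delegated Portal Admins') and the assumption that the script runs on the FIM Service server as a portal administrator are all assumptions for the example.

```powershell
# Added example (not code from the thread): create a criteria-based Set whose
# members are the members of a Group synced from AD, via the FIMAutomation
# snap-in installed with the FIM Service.
# Assumptions (not stated in the thread): the AD group has been synced into the
# portal as a Group with DisplayName 'FIM Portal Admins'; this runs on the FIM
# Service server under an account that is already a portal administrator.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$groupDisplayName = 'FIM Portal Admins'        # assumed name of the synced group
$setDisplayName   = 'Delegated Portal Admins'  # assumed name of the new set

# Refuse to continue if the group is missing or the name is ambiguous: a wrong
# match here silently grants rights to the wrong people.
$groups = @(Export-FIMConfig -OnlyBaseResources -CustomConfig "/Group[DisplayName='$groupDisplayName']")
if ($groups.Count -ne 1) {
    throw "Expected exactly one Group named '$groupDisplayName', found $($groups.Count)."
}

# XPath the FIM Service evaluates to compute the set's membership.
$xpath  = "/Person[ObjectID = /Group[DisplayName='$groupDisplayName']/ComputedMember]"
$filter = "<Filter xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`" " +
          "xmlns:xsd=`"http://www.w3.org/2001/XMLSchema`" " +
          "Dialect=`"http://schemas.microsoft.com/2006/11/XPathFilterDialect`" " +
          "xmlns=`"http://schemas.microsoft.com/2006/11/ResourceManagement`">$xpath</Filter>"

function New-FimImportChange([string]$Name, [string]$Value) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = 'Replace'
    $c.AttributeName  = $Name
    $c.AttributeValue = $Value
    $c.FullyResolved  = $true
    $c.Locale         = 'Invariant'
    return $c
}

$set = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$set.ObjectType             = 'Set'
$set.SourceObjectIdentifier = [guid]::NewGuid().ToString()
$set.State                  = 'Create'
$set.Changes += New-FimImportChange 'DisplayName' $setDisplayName
$set.Changes += New-FimImportChange 'Filter'      $filter
$set | Import-FIMConfig

# Review the computed membership before an MPR grants this set anything.
Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[ObjectID = /Set[DisplayName='$setDisplayName']/ComputedMember]" |
    ForEach-Object {
        ($_.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq 'AccountName' }).Value
    }
```

Two caveats a practitioner should weigh. First, the set only updates when the group's membership is re-synced from AD, so the AD MA run profile schedule is now part of the access-control path. Second, whoever can edit that AD group now controls portal rights; protect the group with the same ACLs and auditing you would give a privileged group, and use the set as the target of delegated MPRs rather than rewriting the filter of the built-in Administrators set.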
  • Hi Dave

    Thanks again for your valuable inputs. Yes I have seen a similar description at the following:

    http://social.technet.microsoft.com/Forums/en-US/af3aa40f-b307-4468-b2ce-6eebc6dc459b/fim-dynamic-provisioning-of-attributebased-membership-groups?forum=ilm2

    http://www.networksteve.com/enterprise/topic.php/How_to_add_a_members_of_a_particular_group_into_a_set/?TopicId=47726&Posts=1

    But this is my problem, the users who are the members of the security group belong to different OUs. The security group has been created specifically for FIM admin users. How can I pick and choose specific users from different OUs and sync them? I could not find any doco to suggest that. 

    Thanks again for all your help.

    Regards


    • Edited by Dipsg Wednesday, February 5, 2014 8:25 PM
    Tuesday, February 4, 2014 8:17 PM
  • In all honesty, automating the membership of the FIM Administrator set is not a great solution for the same reasons that automating membership in the Domain Admins group is dicey; the Admins have great power over the FIM Service and could cause some unrecoverably bad things to happen.  Much better to restrict it to two or three people, and carefully delegate additional privileges via the MPRs as needed...

    Steve Kradel, Zetetic LLC

    Tuesday, February 4, 2014 9:35 PM
  • Hi Steve

    Thanks for your response. I agree with you; however, this still gives rise to my initial question. How can I sync particular users from specific OUs into FIM Sync? If I can create an AD management agent which can do that, then that will be the solution to my problems. Any articles which can explain that?

    Thanks again; as you can understand, because I am quite new to this technology there is not a lot of information I can find. Hence the forums are my best bet.

    Thanks again for your assistance. 

    Regards

    Tuesday, February 4, 2014 10:43 PM
  • Any objects in the metaverse that also have a type mapping to the FIM MA will appear in the FIM Portal.

    In the simplest configuration, you could create an AD MA, select only a few containers / OUs, perhaps in combination with a connector filter rule, create a projection rule to get only the appropriate user accounts into the metaverse, and then in the FIM MA, ensure that there's an Object Type Mapping between the FIM Portal "Person" and metaverse "person" (and also check that the FIM MA has the required attribute flows like displayName, objectSid, etc.).

    The AD MA cannot filter based on group membership; only on OU and object-level attributes, and group membership is an attribute of the group, not the user.


    Steve Kradel, Zetetic LLC

    Tuesday, February 4, 2014 10:51 PM
  • On Tue, 4 Feb 2014 22:43:42 +0000, Dipsg wrote:

    How can I sync particular users from specific OUs into FIM sync

    I'm not sure I understand why you want to do this in the first place.


    Paul Adare - FIM CM MVP
    I am Dyslexia of Borg. Prepare to have your arse laminated.

    Tuesday, February 4, 2014 10:52 PM
  • Hi Paul

    thanks for your question. The reason being that I have particular users in AD that I want to make administrators in the portal and they are scattered all around the AD. I believe to make the users admin in the FIM portal I have to import them in the portal first and then add them to the Administrators set in the portal. How can I get those particular users into FIM from different AD OUs?

    Thanks

    Dipan

    Wednesday, February 5, 2014 7:45 PM
  • On Wed, 5 Feb 2014 19:45:00 +0000, Dipsg wrote:

    thanks for your question. The reason being that I have particular users in AD that I want to make administrators in the portal and they are scattered all around the AD. I believe to make the users admin in the FIM portal I have to import them in the portal first and then add them to the Administrators set in the portal. How can I get those particular users into FIM from different AD OUs?

    Isn't the goal to get all of the users into the portal so that this subset
    you want to manage them and the portal can do so?
    If so then you're making things harder than they need to be. Get all users
    into the portal first, then you can make the subset of users
    administrators.


    Paul Adare - FIM CM MVP
    C treats you like a consenting adult. Pascal treats you like a naughty
    child. Ada treats you like a criminal. -- Bruce Powel Douglass

    Wednesday, February 5, 2014 8:14 PM
  • Thanks Steve for your response.

    I have done that; I can see the users imported to the FIM Portal under Users. However, there is a new problem now. After running the FIM MA export, I get the error "failed creation via web services". I see the users in the FIM Portal, and when I add them to the Administrators set, those users still cannot access the FIM Portal. I added a new user to the container and ran the sync again, added the new user to the Administrators set, and now the new user can access the portal as an administrator but the other users cannot. I believe the reason is that the object IDs of the accounts have not been sync'd successfully into FIM. I have two options: first, to delete the users from FIM, or second, to modify the management agents to bring across the appropriate IDs. How can I achieve either?

    I apologise for the new line of question, but I am finding that to do small things in this product requires a lot of work and there is not much info out there.

    Regards,

    Wednesday, February 5, 2014 8:25 PM
  • Also, I am looking at the following article but this does not work.

    http://social.technet.microsoft.com/wiki/contents/articles/17242.fim-troubleshooting-failed-creation-via-web-services-invalidrepresentationexception-valueviolatesuniqueness.aspx

    • Edited by Dipsg Wednesday, February 5, 2014 8:26 PM
    Wednesday, February 5, 2014 8:26 PM
  • Hi Paul

    Thanks, and I agree with you. However, I have test accounts and specific accounts that I don't want to bring across. I believe any sync tool should have the flexibility of letting you choose that. Anyway, I am past that problem because I have found an OU where all the administrators are added. As per your suggestion I have sync'd all the administrators to the FIM Portal. However, adding them to the Administrators set doesn't solve the initial problem of those users not having admin access to the portal. I have mentioned the issues in my reply to Steve. Any ideas as to how this can be resolved? Any help will be greatly appreciated.

    Regards

    Wednesday, February 5, 2014 8:34 PM
  • Thanks Steve!!!

    I looked under Search Requests in the FIM Portal and it shows me a lot of failed requests. If I click on one such failed request it gives me the error: "Attribute Failure Code: 'ValueViolatesUniqueness', Attribute Name 'ObjectSID'".

    If I go to the Applied Policy tab, it shows me "Synchronization: Synchronization account controls users it synchronizes". I did enable this MPR before running the export on the FIM MA (which gave the same errors). The MPR has the following settings:

    Synchronization: Synchronization account controls users it synchronizes 

    Grant Right - yes

    Authentication Workflows - no

    Authorization Workflows - no

    Action Workflows - no

    Is there a setting here that I can change? I have the luxury of having domain/enterprise admin account access. Can I run the FIM MA with that account? Will that help?

    I thank you so much for your help again.

    Regards

    Wednesday, February 5, 2014 11:06 PM
  • It's pretty normal to exclude AD OUs from the AD MA imo. In fact, I would argue it's best practice. AD is usually full of all sorts of junk you don't want in FIM and often there are OUs that need to remain under manual admin without FIM touching them inappropriately. Or am I misreading the requirement here?

    Thursday, February 6, 2014 10:05 AM
  • On Thu, 6 Feb 2014 10:05:10 +0000, Dave Nesbitt wrote:

    It's pretty normal to exclude AD OUs from the AD MA imo. In fact, I would argue it's best practice. AD is usually full of all sorts of junk you don't want in FIM and often there are OUs that need to remain under manual admin without FIM touching them inappropriately. Or am I misreading the requirement here?

    I think the initial requirement was to synch a few specific user accounts
    from various OUs to the portal in order to add them to the Administrators
    set to allow them to manage the portal and after that was accomplished to
    sync everyone else.
    My point was that since everyone else is going to wind up in the portal
    eventually why not reverse the workflow and sync everyone then do the
    Administrator thing.


    Paul Adare - FIM CM MVP
    Only two things are infinite, the universe and human stupidity,
    and I'm not sure about the former. -- Albert Einstein

    Thursday, February 6, 2014 10:18 AM
  • Hi Paul, Dave and Steve

    Thank you all for all your valuable inputs. I have successfully resolved the issue. This is what I did. 

    I observed from the metaverse search in the Synchronization tool that after running the full synchronization on the AD MA, following the synchronization order specified by Microsoft, the number of objects was doubling. There were about 180 objects to begin with and it doubled. I checked a number of solutions online which asked me to delete the objects from the connector space. However, considering the number of objects, that would have been a lot of work. So I decided to delete the users from the FIM Portal and manually run the sync again. I got this script from Carol Wapshere:

    http://social.technet.microsoft.com/Forums/en-US/58796732-a605-4f22-8c27-17ea4f0968fe/using-powershell-to-delete-all-users-from-the-portal?forum=ilm2

    The good thing about the script is that a few users can be added to the Administrators set in the portal and the script will not delete them. That way selective objects can be protected and not all access to the portal is lost. After that I ran the syncs in order, added the users to the Administrators set, and it all worked fine. I know it is a bit of a sledgehammer approach, but I believed that might be the best under the current circumstances.

    Thank you all again for taking your time out and answering my question. You have been great help!!

    Regards,

    Thursday, February 6, 2014 11:32 PM
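The "delete everyone except the protected admins, then re-sync" approach described in the last post, as an added example that is written for this page and is not Carol Wapshere's script from the linked thread. It uses the same FIMAutomation snap-in and ImportObject pattern the FIM Service exposes, expresses the exclusions in the XPath so protected users never reach the delete loop, and supports a -WhatIf dry run. Assumptions: it runs on the FIM Service server as a portal administrator, and the sets to protect carry their default display names, 'Administrators' and 'Synchronization Engine' (the second holds the Built-in Synchronization Account; deleting that would break the FIM MA).

```powershell
# Added example (not Carol Wapshere's script): delete every Person from the FIM
# Portal except members of sets the Service still needs, so the next sync cycle
# can recreate the users cleanly (the ObjectSID uniqueness failures above came
# from duplicated objects).
# Assumptions (not stated in the thread): runs on the FIM Service server with the
# FIMAutomation snap-in as a portal administrator; the protected sets use their
# default display names 'Administrators' and 'Synchronization Engine'.
param([switch]$WhatIf)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$keep = @('Administrators', 'Synchronization Engine')

# Sanity check: an exclusion set with no members means the set name (and so the
# exclusion) is wrong, not that the portal has no admins. Abort rather than wipe.
foreach ($name in $keep) {
    $members = @(Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[ObjectID = /Set[DisplayName='$name']/ComputedMember]")
    if ($members.Count -eq 0) { throw "Set '$name' has no members; aborting." }
}

# Exclusions live in the XPath, so protected objects are never even returned.
$exclusions = ($keep | ForEach-Object { "not(ObjectID = /Set[DisplayName='$_']/ComputedMember)" }) -join ' and '
$xpath   = "/Person[$exclusions]"
$victims = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath)
Write-Host ("{0} Person objects match {1}" -f $victims.Count, $xpath)

function Get-FimAttributeValue($exportObject, [string]$name) {
    ($exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name } | Select-Object -First 1).Value
}

foreach ($v in $victims) {
    $id      = $v.ResourceManagementObject.ObjectIdentifier   # 'urn:uuid:...'
    $account = Get-FimAttributeValue $v 'AccountName'
    if ($WhatIf) { Write-Host "Would delete $id ($account)"; continue }

    # A Delete ImportObject is a normal request, so it is subject to MPRs and
    # shows up in Search Requests like any other change.
    $del = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $del.ObjectType             = 'Person'
    $del.TargetObjectIdentifier = $id
    $del.SourceObjectIdentifier = $id
    $del.State                  = 'Delete'
    $del | Import-FIMConfig
    Write-Host "Deleted $id ($account)"
}
```

Run it once with -WhatIf and read the list before running it for real. The deletions go through the FIM Service request pipeline, so each one needs an MPR that grants the executing account delete rights on Person (the built-in administrator MPRs do) and each will appear as a request in the portal. After the portal side is clean, the FIM MA's connector space still holds the old objects; run the FIM MA full import and full synchronization before the AD MA full sync and export, in the order Microsoft documents, so the re-created Person objects get their ObjectSID on the first export rather than colliding again.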