RBAC - Automatic Group Membership based on user attributes

  • Question

  • Hi,

    I am new to this but want to ask if automatic group membership based on their AD attributes, mainly Department, JobTitle, etc., is possible?

    1. We provision users from SAP via FIM to AD. Users remain Disabled until Service Desk activates their AD accounts and then puts them into AD groups based on their role and requested access to different resources as part of the user onboarding process.

    2. These users then appear in the FIM portal, where we have SSPR set up. Disabled users are removed from the portal.

    3. We now want to start syncing Groups from AD to FIM portal.

    4. The required user attributes will also need to be enabled to come across from AD to FIM Portal.

    Theoretically, I believe this is what needs to be done, but I am not sure if it is correct or how to do it.

    5. We do the necessary configuration in MPRs/Sets/Workflows to define automation, where FIM picks the necessary user attributes and then puts them into the selected groups based on the combination of their unique attribute combination also defined earlier as part of the configuration.

    6. There will be multiple mappings for roles to groups, and when changes happen in AD, then group membership should change automatically.

    I am not sure if this is feasible in the FIM portal or if there is any other more elegant way to do this.

    But I definitely want to avoid the code route at the start of the user provisioning process, as this will become part of user onboarding process, with automated.

    Thanks,

    MS

    Thursday, November 12, 2015 3:23 PM

All replies

  • I am new to this but want to ask if automatic group membership based on their AD attributes, mainly Department, JobTitle, etc., is possible?

    Absolutely and very easy. You create the group in Portal as Dynamic. For Department="A" and JobTitle="Guru" etc.


    Nosh Mernacaj, Identity Management Specialist

    • Proposed as answer by Nosh Mernacaj Thursday, November 12, 2015 4:21 PM
    Thursday, November 12, 2015 4:06 PM