Set membership based on AD Group membership?

  • General discussion

  • Hi,

    Is this still true?

    Sets cannot reference the membership of Group resources. The following filter is not supported: /Person[Manager = /Group[ObjectID = ‘7CF6B5A3-01B2-45d3-8337-5EB521DDA08D’]/ComputedMember]. http://technet.microsoft.com/en-us/library/ff356871(WS.10).aspx

    Is there another way to create/maintain Portal Sets based on AD Group membership?

    Thanks,

    Sk


    • Edited by D Wind Wednesday, August 15, 2012 9:40 AM
    Wednesday, August 15, 2012 9:16 AM

All replies

  • You could add a custom MA which populates the 'MemberOf' attribute on each person and then build the sets based on this attribute.
    Wednesday, August 15, 2012 10:46 AM
  • This is what we are doing. We wrote a simple PowerShell script that reads AD group membership and populates the Sets. You could have the group and the associated Set in an input file, and schedule the PowerShell on a frequent basis. You could use Quest cmdlets and the FIM PowerShell module from CodePlex to make your PowerShell simple and clean.
    Thursday, August 16, 2012 1:58 AM
  • Prakaaz, let me see if I understand what you are saying:

    - you created the FIM PowerShell activity you got from CodePlex; yep, I know this one

    - in there you execute a PowerShell script to obtain the group memberships per user? Here you are using Quest cmdlets?

    - how do you pass the result of this PowerShell cmdlet/script to build the actual Set?

    thanks

    Thursday, August 16, 2012 2:12 AM
  • Yes. Using the FIM PowerShell Module from CodePlex, you could update the FIM Set's ExplicitMember attribute like below:

    # ExplicitMember takes the bare GUID, so strip the urn:uuid: prefix from the member's Portal ObjectID first
    $memberGuid = $groupMember.Replace("urn:uuid:", "")
    Get-FIMResource -Filter $SetFilter | Set-FIMResource -Add @{ ExplicitMember = $memberGuid }

    Here $SetFilter is your target filter, and you will need to first fetch the AD group members using an ADSI query or Quest cmdlets. For example, if you want to fetch DisplayName or EmployeeID from your group membership, you could use an LDAP query like (memberOf=<GroupDN>) and retrieve any attributes from the result set.

    So I fetch the AD members' employeeID or sAMAccountName (in an ArrayList) and also fetch the current Set members' employeeID,

    and compare them to identify the new adds and removals. Then I fetch the Portal GUID for the members to be added/removed using Get-FIMResource.

    Finally, I perform the update (one by one, of course!) on the Set as mentioned above.

    The benefit is that I can populate any Set with one or multiple groups (we can easily handle that in the code), especially when you have RBAC groups in Active Directory; we need to use the existing role groups to grant FIM Portal permissions.

    It will take a couple of days to build and test, but it is worth doing. You can also build a custom WF to achieve this, but writing, managing and troubleshooting the PS is much easier than custom WFs.


    Thursday, August 16, 2012 5:24 PM
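The following script is an added worked example of the sync loop the reply above describes (read AD group members, diff against the Set's current ExplicitMember list, add and remove one by one); it is not code from the thread or from the CodePlex module. It assumes the Get-FIMResource and Set-FIMResource cmdlets behave as used in the reply (a -Filter parameter taking an XPath filter, and -Add/-Remove taking an attribute hashtable) and that the objects they return expose ObjectID, AccountName and ExplicitMember properties; the -Remove switch and those property names are assumptions, as are the Set name and group DN in the constructed mapping. AD is queried with ADSI (System.DirectoryServices) rather than Quest cmdlets.

```powershell
# Added example: keep a FIM Portal Set's ExplicitMember in step with one or more AD groups.
# Assumed (not taken from the page): Get-FIMResource/Set-FIMResource semantics as noted in the lead-in.

# Constructed mapping of Set DisplayName -> AD group DNs; in practice this comes from an input file.
$mapping = @(
    @{ Set = 'Portal Helpdesk Admins'; Groups = @('CN=HelpdeskAdmins,OU=Roles,DC=corp,DC=example') }
)

function Get-AdGroupAccountNames {
    param([string[]]$GroupDn)
    # Returns a case-insensitive hashtable keyed by sAMAccountName (hashtables are not unrolled on return).
    $names = @{}
    foreach ($dn in $GroupDn) {
        # Escape the DN per RFC 4515 before putting it inside an LDAP filter.
        $escaped = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$escaped))"
        $searcher.PageSize = 1000                      # paged search so large groups are not truncated
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        foreach ($r in $searcher.FindAll()) {
            $names[[string]$r.Properties['samaccountname'][0]] = $true
        }
    }
    return $names
}

function Test-SafeXPathLiteral {
    param([string]$Value)
    # The XPath filters below embed the value in single quotes; refuse anything that could break out.
    return ($Value -notmatch "['`"]")
}

function Sync-SetMembership {
    param([string]$SetDisplayName, [string[]]$GroupDn)
    if (-not (Test-SafeXPathLiteral $SetDisplayName)) { throw "Unsafe Set name: $SetDisplayName" }
    $setFilter = "/Set[DisplayName='$SetDisplayName']"
    $set = Get-FIMResource -Filter $setFilter
    if (-not $set) { throw "Set '$SetDisplayName' not found in the Portal" }

    $wanted = Get-AdGroupAccountNames -GroupDn $GroupDn

    # Resolve each current explicit member (urn:uuid:GUID) back to an AccountName so the diff is by account.
    $current = @{}
    foreach ($memberId in @($set.ExplicitMember)) {
        $guid = ([string]$memberId).Replace('urn:uuid:', '')
        $person = Get-FIMResource -Filter "/Person[ObjectID='$guid']"
        if ($person) { $current[[string]$person.AccountName] = $guid }
    }

    $toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

    foreach ($acct in $toAdd) {
        if (-not (Test-SafeXPathLiteral $acct)) { Write-Warning "Skipping unsafe account name '$acct'"; continue }
        $person = Get-FIMResource -Filter "/Person[AccountName='$acct']"
        if (-not $person) { Write-Warning "No Portal Person for $acct; skipping"; continue }
        $guid = ([string]$person.ObjectID).Replace('urn:uuid:', '')
        # One update per member, as the reply describes.
        Get-FIMResource -Filter $setFilter | Set-FIMResource -Add @{ ExplicitMember = $guid }
    }
    foreach ($acct in $toRemove) {
        Get-FIMResource -Filter $setFilter | Set-FIMResource -Remove @{ ExplicitMember = $current[$acct] }
    }
    return @{ Added = $toAdd; Removed = $toRemove }
}

foreach ($entry in $mapping) {
    $result = Sync-SetMembership -SetDisplayName $entry.Set -GroupDn $entry.Groups
    Write-Host ("{0}: +{1} -{2}" -f $entry.Set, $result.Added.Count, $result.Removed.Count)
}
```

Two caveats a practitioner will want: a plain memberOf filter only returns direct members, so nested role groups need the LDAP_MATCHING_RULE_IN_CHAIN form (memberOf:1.2.840.113556.1.4.1941:=<GroupDN>) if that is the intended semantics; and because account names and Set names are interpolated into XPath filters sent to the FIM service, the script refuses values containing quote characters rather than letting a crafted AD attribute rewrite the filter. Schedule the script under an account that has only the Portal permissions needed to read Person objects and modify the ExplicitMember attribute of the target Sets.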