FIM Portal Groups - Change from criteria based to manual

  • Question

  • Hi,

    I have groups in FIM portal that are criteria-based.

    I need to change those groups to manual in order to add/remove users from them via my code with RMGroup resourceType.

    I can't use xpath filters anymore because it will be quite complex and FIM doesn't accept it.

    I tried to, in code, remove the filter, set an empty filter, set MembershipLocked to false, ... everything

    I always get the error "Policy prohibits the request from completing", so without changing the groups to manual, I still can't add/remove users to the groups with my code.

    If I change the group from criteria-based to manual membership in the UI, it works. The code is calling the FIM webservices using the same credentials I use to access the portal.

    Note: I also have an MPR granting all permissions in all Attributes to AllGroups to administrators

    How can I do it programmatically?

    Help is really appreciated,

    Many thanks,

    DevDiver


    • Edited by DevDiver Tuesday, March 10, 2015 5:36 PM
    Tuesday, March 10, 2015 4:06 PM

All replies

  • You are probably running afoul of the MPR called "Group management workflow: Group information validation for dynamic groups", which reacts to changes to members of the "Dynamic groups" set (filter: Membership Locked is true) by running the Group Validation Workflow. So setting Membership Locked to false takes it out of that set, but that puts it into the Static Groups set, which is monitored by another MPR that triggers that same workflow.

    Per the UI "This activity evaluates a request and fails authorization if the request would leave the group with properties that are unsupported by FIM group management, for example, adding an explicit member to a group whose membership is dynamically calculated."

    Attributes for Dynamic groups

    Filter is not null

    MembershipLocked is true

    Deferred Evaluation may be true

    Membership Add Workflow is None

    ExplicitMember is null

    Temporal may be true

    Attributes for Static Groups

    Filter is Null

    MembershipLocked is false

    Deferred Evaluation is null or false

    Membership Add Workflow may be populated

    ExplicitMember may be populated

    Temporal is null

    If you follow these rules it should pass the Group Validation Workflow


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    • Proposed as answer by UNIFYBobMVP Saturday, May 30, 2015 5:19 PM
    Friday, April 24, 2015 3:36 PM
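
Added example, not part of the thread and not FIM's or the posters' code: a Python pre-flight check that encodes the dynamic and static group rules listed in the answer above and computes the attribute changes that would have to travel in a single request for a criteria-based group to end up satisfying the static rules. The dictionary keys mirror the answer's labels and the sample group is constructed; the real schema attribute names and how the portal represents null are assumptions to verify.

```python
# Rules transcribed from the answer above. Keys mirror its labels and are
# assumptions, not verified FIM schema attribute names.
def is_null(value):
    # Assumption: only a missing value or an empty member list counts as
    # null; an empty-string Filter is treated as still present.
    return value is None or value == []

RULES = {
    "dynamic": {
        "Filter": lambda v: not is_null(v),
        "MembershipLocked": lambda v: v is True,
        "MembershipAddWorkflow": lambda v: v == "None",  # the literal "None"
        "ExplicitMember": is_null,
        # Deferred Evaluation and Temporal "may be true": not constrained.
    },
    "static": {
        "Filter": is_null,
        "MembershipLocked": lambda v: v is False,
        "DeferredEvaluation": lambda v: is_null(v) or v is False,
        "Temporal": is_null,
        # Membership Add Workflow and ExplicitMember "may be populated".
    },
}

def violations(group, kind):
    """Attributes of `group` that break the rules for `kind`, sorted."""
    return sorted(n for n, ok in RULES[kind].items() if not ok(group.get(n)))

def changes_to_static(group):
    """Changes that must travel in one request so the end state is static."""
    target = {"Filter": None, "MembershipLocked": False,
              "DeferredEvaluation": False, "Temporal": None}
    broken = violations(group, "static")
    return {n: v for n, v in target.items() if n in broken}

def apply_changes(group, changes):
    """State the request would leave the group in (simulation only)."""
    return {**group, **changes}

# Constructed sample of a criteria-based group; values are illustrative.
SAMPLE = {"Filter": "/Person[Department = 'Sales']", "MembershipLocked": True,
          "DeferredEvaluation": True, "MembershipAddWorkflow": "None",
          "ExplicitMember": None, "Temporal": True}

if __name__ == "__main__":
    unlocked = apply_changes(SAMPLE, {"MembershipLocked": False})
    print("unlock only, static violations:", violations(unlocked, "static"))
    full = changes_to_static(SAMPLE)
    print("after:", violations(apply_changes(SAMPLE, full), "static"))
```

In the simulation, clearing only MembershipLocked leaves the sample group matching neither rule set, which is the kind of end state the validation activity is described as rejecting.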
  • Further to David's suggestion, I can confirm that I've used the FIM Function Evaluator to change groups in the reverse way (static => dynamic), so in theory it should work the other way too.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Saturday, May 30, 2015 5:22 PM