Advanced import attribute flow for reference attribute "member" for "group" object

  • Question

  • Hi Folks,

We have a scenario where, when a group is created in AD with members in it, the members should flow for the first time to the metaverse and then to the FIM Portal. After this, if members are added/removed in AD for the group, these changes should not flow into the metaverse, and the members in the FIM Portal must override the changes done directly in AD. We thought we could achieve this with a rules extension but learnt that advanced flow rules for reference attributes are not allowed.

    Any suggestions on how this can be achieved?

    Any help would be appreciated.

    Thanks,


    Veena

    Tuesday, February 2, 2016 5:30 AM

All replies

  • Hi,

I'm not 100% sure, as I never had that scenario, but you can try to use attribute precedence, setting the Portal to 1 and AD to 2 for the member attribute in MV Designer.

    But I remember that I had some trouble with that on other attributes, which led to the Portal winning with a null member and removing the members from AD.

    Also, that would apply to all groups. If you only want that for some of the groups, I would suggest importing members to a separate MV attribute "initialMembers". Flow that attribute to the FIM Portal and trigger a workflow after group creation in the Portal which copies that attribute to the explicit member with the FunctionEvaluator.

    That's what I would try, and it worked on some other attributes where I set the requestor to the group owner attribute, so it should be fine for member also.

    But the best solution is to try to create those groups directly in the Portal.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com


    Tuesday, February 2, 2016 11:27 AM
  • Hi Peter,

    Thanks for your response.

I actually had tried the precedence option, but it did not seem to work. Although members flow to the metaverse from AD, they are not being detected for flow to the FIM Portal, as the status says "Skipped: Not Precedent" during Generate Preview of the AD connector space.

    I shall try the second alternative and let you know my observations.

    Thanks,


    Veena

    Tuesday, February 2, 2016 11:57 AM
  • Hello Veena

whenever I come across this, I choose from two options:

    a) I import only Group objects into the Portal and use my own PowerShell script to read the membership for each imported group from AD and set the membership of the groups in the FIM/MIM Portal

    b) I use the Replay MA (https://unifysolutions.jira.com/wiki/pages/viewpage.action?pageId=16875654) to manage precedences.

    In your case, and because it is only the initial flow, I would prefer a). No later changes to the configuration are required, and the script is not complex.

    Henry

    Thursday, February 4, 2016 1:13 PM
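Henry's option a) above, as an added worked example that is not part of the thread: the FIM MA imports only the Group object, and a separate script seeds the Portal group's ExplicitMember from AD exactly once. It assumes the Lithnet Resource Management PowerShell module (LithnetRMA) and the RSAT ActiveDirectory module are installed, the Portal service is at http://FIMSERVER:5725, Portal Person and Group objects carry the AD sAMAccountName in AccountName, the group OU in the sample call is a constructed value, and a custom Boolean Group attribute "initialMembersSeeded" has been added to the Portal schema (with an MPR granting the script's account read/modify on it and on ExplicitMember). All of those names are assumptions for illustration.

```powershell
# Added example (not from the thread): one-time seed of Portal group membership from AD.
# Assumed modules: LithnetRMA (Lithnet Resource Management PowerShell) and ActiveDirectory.
Import-Module ActiveDirectory
Import-Module LithnetRMA

# Assumed Portal service address.
Set-ResourceManagementClient -BaseAddress 'http://FIMSERVER:5725'

# Resolve one direct AD member to a Portal ObjectID, or $null if it cannot be mapped.
# Users map to Person, groups map to Group; anything else (computers, contacts) is skipped.
function Resolve-PortalMember {
    param([Parameter(Mandatory)]$AdMember)   # ADPrincipal from Get-ADGroupMember

    switch ($AdMember.objectClass) {
        'user'  { $type = 'Person' }
        'group' { $type = 'Group' }
        default {
            Write-Warning "Skipping $($AdMember.distinguishedName): objectClass '$($AdMember.objectClass)' is not managed in the Portal"
            return $null
        }
    }
    # Assumes AccountName in the Portal holds the AD sAMAccountName.
    $resource = Get-Resource -ObjectType $type -AttributeName AccountName -AttributeValue $AdMember.SamAccountName -ErrorAction SilentlyContinue
    if ($null -eq $resource) {
        Write-Warning "No Portal $type with AccountName '$($AdMember.SamAccountName)'; it has probably not been synchronized yet"
        return $null
    }
    return $resource.ObjectID
}

# Seed ExplicitMember once. "First time" is recorded in the assumed custom Boolean
# attribute initialMembersSeeded, so later AD membership changes are never copied:
# from then on the Portal is the only source and the FIM MA export flow writes it to AD.
function Initialize-PortalGroupMembers {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $group = Get-Resource -ObjectType Group -AttributeName AccountName -AttributeValue $SamAccountName -ErrorAction SilentlyContinue
    if ($null -eq $group) {
        Write-Warning "Group '$SamAccountName' has not reached the Portal yet; run this after the FIM MA export"
        return
    }
    if ($group.initialMembersSeeded -eq $true) {
        Write-Verbose "Group '$SamAccountName' already seeded; AD changes are intentionally ignored"
        return
    }

    # Direct members only (no -Recursive): nested groups become Portal Group references,
    # not a flattened user list, which matches how the FIM MA would export them back to AD.
    $members = @(Get-ADGroupMember -Identity $SamAccountName |
                 ForEach-Object { Resolve-PortalMember -AdMember $_ } |
                 Where-Object { $null -ne $_ })

    $group.ExplicitMember       = $members
    $group.initialMembersSeeded = $true
    # One Portal request, created by the script's account rather than the Built-in
    # Synchronization Account, so the usual MPRs and workflows on ExplicitMember apply.
    Save-Resource $group
    Write-Output "Seeded $($members.Count) member(s) into Portal group '$SamAccountName'"
}

# Sample call: seed every group in a (constructed) OU. Re-running is safe because
# already-seeded groups are skipped.
Get-ADGroup -Filter * -SearchBase 'OU=Managed Groups,DC=corp,DC=example' |
    ForEach-Object { Initialize-PortalGroupMembers -SamAccountName $_.SamAccountName }
```

Run this after the run profile sequence that creates the group in the Portal (AD MA import and sync, FIM MA export), otherwise the group lookup fails and nothing is seeded. Members that have not yet been provisioned into the Portal are skipped with a warning rather than guessed, so check the warnings on the first run; because the flag is set regardless, a group whose members were not all resolvable will not be retried automatically.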
How do you differentiate between first time and not first time? There are 3 ways to manage members.

    1. AD only

    2. FIM only

    3. Both

    Which one is your case?


    Nosh Mernacaj, Identity Management Specialist

    Thursday, February 4, 2016 3:05 PM
Without Bob's solution you cannot have multiple sources of truth for a given group membership. You can import member from AD to the Portal or the other way around; one of them is the source, the other one the target.

    Using Bob's MA you have a handy tool to decide whether AD is the source or the Portal. But in any case the decision must be made per Group object. I used this in a project and we are now able to make the decision by setting a custom attribute on the Group in the Portal. Then the flow is AD -> Sync -> Portal -> Bob's MA -> Sync -> AD. As you can see, you don't have an import AND an export flow for group membership in the FIM MA.

    In no way can you have group membership managed in AD and the Portal for the same group while having both an import and an export flow.

    BUT, as I am writing this and with the knowledge that MIM WAL is available, there is another way of solving your problem.

    You could create an additional multivalued reference attribute on the Group object. Then you flow the AD group membership into this attribute. Then you use a Portal workflow to determine the deltas and transfer them into the member attribute of the Group. The last step is to flow the regular member attribute out to AD.

    AD -> SyncCustomMember -> PortalCustomMember -> PortalWorkflow -> PortalMember -> SyncMember -> AD Member

    Keep in mind, this solution requires a full sync of the AD MA to sync changes back to the Portal.

    Hope this helps, Henry


    Thursday, February 4, 2016 4:54 PM
In no way can you have group membership managed in AD and the Portal for the same group while having both an import and an export flow.

    BUT, as I am writing this and with the knowledge that MIM WAL is available, there is another way of solving your problem.

    You could create an additional multivalued reference attribute on the Group object. Then you flow the AD group membership into this attribute. Then you use a Portal workflow to determine the deltas and transfer them into the member attribute of the Group. The last step is to flow the regular member attribute out to AD.

    AD -> SyncCustomMember -> PortalCustomMember -> PortalWorkflow -> PortalMember -> SyncMember -> AD Member


    That's not completely correct; you can manage the same group in the Portal and AD if you use equal precedence on the member attribute. I've implemented that for a customer. But that's then for the whole time, and it will not solve the initial member issue of the question above.

    My suggestion was the same: creating an initialMember attribute (reference, multivalued) in the MV and the Portal and syncing member from AD to that attribute.

    Then use a workflow in the Portal to copy over the member on group create requests.

    I think you can use the OOB FunctionEvaluator for that, as I've done this with single-valued reference attributes before, or you can try MIM WAL.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, February 4, 2016 5:09 PM
  • Hi Peter

Equal precedence on group member means you can add but cannot remove group members. Is that correct? If so, I think it is not a valid solution.

    Thursday, February 4, 2016 5:14 PM
No, you can also remove group members.

    I have set this up for a couple of groups at a customer. But you need to take care of the correct run profile schedules to not lose any changes.


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, February 4, 2016 5:17 PM
  • Hi Peter,

I tried your suggestion and created an attribute named "initialMembers" in the MV and the FIM Portal and added an activity in our existing workflow to copy the initial members to "Member" during group creation.

    Now the problem is that, for some reason, only for this attribute a separate request is being created in the FIM Portal. For example, if we are exporting 10 group attributes from the MV to the Portal including "initialMembers", then for 9 of them 1 request is being created, and for "initialMembers" it's a separate request with the creator as "Built-in Synchronization Account". I am not able to figure out the reason for 2 separate requests.

    The issue is that by the time the "initialMembers" value has been populated in the Portal, the workflow would have completed its activity, and copying to Members does not happen. This is very intermittent. If the "initialMembers" value reaches the Portal soon, then the copying works, but if it reaches after the WF has completed its execution it does not make sense.

    Can you help me understand here?

    Thanks,


    Veena

    Monday, February 22, 2016 8:34 AM
  • Hi,

I don't remember such a behavior, but I think it must be by design. You can try to copy over the initialMember on modify of the initialMember attribute rather than on group create.

    Since I assume that will only happen once, it's nearly the same solution.

    Maybe also check if you can use a condition to check whether the value changes from "nothing" to a value; then it would be a bit more accurate.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Monday, February 22, 2016 9:14 AM
  • Hi Peter,

If I try to copy the initialMember on modify of the initialMember attribute, then it will be a problem, because if members are added in AD after a group is created, they will flow to initialMembers in the MV and then to initialMembers in the Portal. Since this will again be a kind of modify, the MPR will get triggered.

    We want members to flow only during a group creation in AD. After it has been created, if members are added they should not flow to "Member" in the FIM Portal.

    Thanks,


    Veena

    Monday, February 22, 2016 9:49 AM
Ahh yes, you're right, I forgot your initial scenario.



    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Monday, February 22, 2016 11:01 AM
  • Hi Veena

you should have a look at Bob Bradley's MA. That really solves your problem with precedences. There is no need for an additional attribute. You can change precedences based on an attribute on every group. It is not hard to implement and is also very quick during runtime.

    Henry

    Tuesday, February 23, 2016 7:02 AM
  • Thanks Henry,

The link https://unifysolutions.jira.com/wiki/pages/viewpage.action?pageId=16875654 is leading me to a "Page Not Found" site. :(

    Has the URL changed?


    Veena


    Tuesday, February 23, 2016 10:27 AM