Auto remove a user from a security group on a user attribute change

  • Question

  • Hello,

    We need to add a person to a group representing their post.  I have two view tables, one for users and one for posts.  The user has a postid attribute and the post has an immutableid.  I'm flowing the post into the MV and using an inbound sync rule to create a security group in the FIM Service.  A workflow (FIMWAL update) fires on completion of the 'create' request.  This runs a query to find the user that has the same postid as the post group's immutableid, which is stored in the query key.  The query result is then flowed to the 'ExplicitMember' attribute of the group.  This works fine on create but not on a modify-driven activity, that is, when the user's postid changes.

    The objective is to remove the user from the post group when their postid no longer matches the immutableid of the group because the user has changed post.

    In the example above I used a manually-managed group, as we couldn't find a way to write the value expression into the Filter attribute using the workflow, thus enabling us to use a dynamic group, which would be the nirvana in this instance.

    However, is there another way of removing the user programmatically from the group when there is a change to the postid? I have the MPR configured so that it will call a workflow when this attribute is modified on the user; I'm just stuck on what to run in the workflow.  Can PowerShell be used in this example to work out which post group the user was in before the postid was changed, and then remove the user from that group?  Or is there a way of auto-creating a dynamic group by being able to specify the correct XML to feed to [//Target/Filter]?


    Wednesday, February 24, 2016 8:30 PM

All replies

  • Rob-

    Why not define a criteria based group for each Post ID? That will solve this for you automatically.


    Consulting | Blog | AD Book

    Thursday, February 25, 2016 1:22 AM
  • And besides dynamic groups, why not directly let group membership flow from the SQL MA using a multi-value table/view, since you already have all the data in the SQL MA.

    Simply combine the person and post/group tables into one view, and set up another multi-value table for user-to-group assignment. Should be simple to set up with some SQL.


    Peter Stapf - ExpertCircle GmbH - My blog

    Thursday, February 25, 2016 8:42 AM
  • Yes Rob - you can use the native Function Evaluator to write the XML to the filter property of the group (I have done this myself).  To set this up I extended the native GROUP schema to include a custom STRING (unique value) binding - in your case this would be "PostID".  You should also have a multi-value STRING property of PERSON with their post IDs imported from your SQL source (let's call this Posts).

    Then just create a dynamic group manually the way you would for an example post, and then from the advanced properties copy the XML into your favourite text editor (don't be put off if you can't get your group filter to "visualise", as these can be problematic with multi-value bindings).  In the XML you will see something like /Person[Posts='<whatever unique key you import for your post>'].  Replace the key value with [//Target/PostID], since your (request-based) MPR will fire when the provisioned group is created or modified.  Then paste this modified XML into a CUSTOM EXPRESSION in a Function Evaluator activity (action) workflow.

    Now that we have the MIMWAL to use there may be a more elegant way of doing the same thing - but at the time I needed to do this my challenge was to avoid writing any custom code ;).

    Bob Bradley (FIMBob @ ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Sunday, February 28, 2016 2:52 PM
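The criteria-based group suggested by Brad and the Function Evaluator procedure in Bob's reply both come down to one artefact: the Filter attribute of the group, an XML element wrapping an XPath expression with the Post ID embedded as a string literal. The PowerShell below is an added example (not code from this thread or from Microsoft) that generates that XML for a given Post ID and checks it before you copy the skeleton into a custom expression. It assumes the attribute names from Bob's reply (Person.Posts as a multi-valued string, Group.PostID as a custom string binding); the namespace and dialect URIs are those the FIM Service writes into Filter values, but treat them as an assumption and compare against the XML copied from an existing dynamic group's advanced properties.

```powershell
# Added example, not code from the thread or from Microsoft.
# Builds the XML stored in a FIM/MIM criteria-based group's Filter attribute for one
# Post ID. Attribute names (Posts, PostID) follow Bob Bradley's reply; the namespace
# and dialect URIs are assumed and should be checked against a group you created by hand.

function Test-PostIdForFilter {
    param([Parameter(Mandatory)][string]$PostId)
    # The value lands inside a single-quoted XPath string literal. An apostrophe or a
    # line break in the key would change the meaning of the filter rather than simply
    # fail, so refuse such values instead of trying to quote them.
    return -not ($PostId -match "['`r`n]")
}

function New-PostGroupFilter {
    param([Parameter(Mandatory)][string]$PostId)

    if (-not (Test-PostIdForFilter $PostId)) {
        throw "PostID '$PostId' cannot be embedded in a dynamic-group filter."
    }

    # Same shape as the XPath Bob describes seeing in the copied XML.
    $xpath = "/Person[Posts = '$PostId']"

    # Only the XML-special characters are escaped, so the element text parses back
    # to exactly the XPath built above.
    $xmlText = $xpath -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;'

    # Assumed Filter element wrapper (verify against an existing dynamic group).
    $filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
              'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
              'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
              'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
              $xmlText + '</Filter>'

    # Round-trip check: the string must be well-formed XML whose text is the XPath.
    $doc = [xml]$filter
    if ($doc.Filter.InnerText -ne $xpath) {
        throw "Filter XML did not round-trip: $($doc.Filter.InnerText)"
    }
    return $filter
}

# Constructed sample Post IDs as they might arrive from the SQL MA. The last one
# would silently alter the filter and is the kind of value to catch at import time.
$samplePostIds = @('POST-0042', 'R&D-17', "O'Brien-Desk")
foreach ($id in $samplePostIds) {
    if (Test-PostIdForFilter $id) {
        Write-Output (New-PostGroupFilter -PostId $id)
    } else {
        Write-Warning "Skipping Post ID that cannot be used in a filter: $id"
    }
}
```

In Bob's workflow the Function Evaluator custom expression emits this same string with [//Target/PostID] standing in for the literal value, so the script is only for checking the XML skeleton and for screening the Post IDs coming out of the SQL source: any key the Test function rejects will not produce a usable filter no matter which workflow writes it.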