none
FIM 2010 R2: Creating Security Groups in portal : OU RRS feed

  • Question

  • Hi,

    We want to create security groups in the FIM Portal and then sync them to AD. Now the groups could belong to different OUs in AD so is there a way to assign the OU in the portal ?

    Can I customise the "Create Security Group" pop-up to have an input field called "OU" which can then be appended to the account name of the group to come up with the DN ?

    Or perhaps someone has tried some other ideas for this scenario ?

    Thanks

    Wednesday, October 29, 2014 4:52 PM

All replies

  • Hi,

    You have different way to achieve this. It's depend on how many OU do you have:

    • 1-50, you can use a dropdown list
    • more than 50, use an attribute picker to select custom object OU (and then use a workflow to set base DN on group object)
    • Or use a text field (but you will have many errors)

    Regards,


    Sylvain

    Wednesday, October 29, 2014 5:43 PM
  • Hi Sylvain,

    Thanks for your quick reply.

    Let's say I have 1-50 - how do I go about creating that dropdown list ?

    Thanks

    Vidit

    Wednesday, October 29, 2014 5:46 PM
  • You can find full resources here: http://technet.microsoft.com/en-us/library/ee534918%28v=ws.10%29.aspx

    Item : UocDropDownList

    Regards,


    Sylvain

    Thursday, October 30, 2014 8:35 AM
  • Hi,

    just a addition.

    If you modify the group creation RCDC use an additional tab for the dropdown list as you can run into trouble modifying the default tabs as there are a lot of code behind actions.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, October 30, 2014 8:54 AM
  • Hi Sylvain and Peter,

    Thanks for such quick responses and the link - i'll go through that.

    I was wondering if a dropdown will be a good idea after all ! That would mean that I'll have to add a new value to the dropdown in the RCDC every time we create a new OU in AD.

    Sylvain - you mentioned in "more than 50" to use a custom attribute picker - have you tried that on your end ?

    I'm assuming that I'll have to sync all OUs from AD into FIM portal for them to be available in the attribute picker ?

    Thanks a lot once again guys

    Thursday, October 30, 2014 10:34 AM
  • Yes, you will have to sync all Ou (or a piece of OU, depending of what you want) from AD to FIMPortal. You will have to create a new ObjectType in FIMPortal. Once it's done, you can add a picker in rcdc for group.

    Of course, think about saving RCDC before updates them!

    Sylvain


    Sylvain

    Thursday, October 30, 2014 12:40 PM
  • Hi,

    Take care that you import the DN of the OUs as a string into the portal. DisplayName is good for that for example.

    Add a reference attribute to resource type "group" that will hold the reference to a OU resource type and a string attribute for the OU container.

    After the above steps from @Sylvain ceate MPRs which triggers a workflow on modification of that reference attribute (create of group will also modify this attribute so only this MPR is needed).

    The workflow should than set the string OU attribute ob group (//target/ouStringAttr) with the DN sting of the selected OU resource type, like that: //target/ouRefAttr/DisplayName

    You can then use this ouStringAttr in your outbound symc rule.

    Beside the ouStringAttr solution it is also possible to work with //WorkflowData/String variables that you can use in workflows when applying an outbound sync rule to objects (creating ERE) but I find above solution a bit more easier to implement.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, October 30, 2014 1:25 PM
  • Thanks both.

    I'll try this out and get back to you with the results :)

    Thursday, October 30, 2014 5:09 PM