Provisioning a User to multiple Groups in AD DS

  • Question

  • Hi Guys,

    Need guidance regarding provisioning a user from the metaverse to multiple groups in AD DS. I have been searching a lot, but I could only find "How to provision a group to AD DS with multiple users."

    Scenario is: I have a user that is being synced from an external system. I can add that user to an OU. Now, based on some condition, I need to provision this user to multiple groups in AD DS. The groups can be distribution or security groups.

    It is exactly the same as when I create a user in AD DS and add multiple groups in the "Member Of" tab.

    Any guidance/help regarding this will be appreciated.

    Thanks 

    Friday, December 29, 2017 7:24 AM

All replies

  • Hi Fahaad,

    First off, I am not sure if you are aware of the built-in Group Management in the MIM Portal, where you can create a group and define the criteria, and then users are added and removed automatically. You can create all the groups, and then any user that matches those criteria will be added to all the groups at once. Of course you can do this for both SGs and DLs.

    Not sure why you would not use this since it requires very little work, but if this is not what you need, continue reading.

    If you want a scenario where you add the user to many groups at once, from the user object, it is certainly possible, but a little more involved.

    Here is how I have done it.

    1- Created a multivalued attribute on the user object called "Entitlements", where you can put the names of all the groups you want the user to be a member of.

    2- For each group, created the group with the criteria "All users with entitlement <this group>".


    Nosh Mernacaj, Identity Management Specialist

    • Marked as answer by Fahaad Majeed Thursday, January 4, 2018 9:56 AM
    Friday, December 29, 2017 7:47 PM
    If you don't want to use the FIM Service for some reason and just want to do this in the Sync Engine, another option is to use a multi-valued table in SQL to construct your group memberships and import that data back in with a SQL MA.

    Using the FIM Service as Nosh describes is certainly going to be easier and faster, though.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Sunday, December 31, 2017 12:35 AM
    Moderator
  • Thanks Nosh. It would really help me.

    Thursday, January 4, 2018 9:56 AM
  • Hi Brian,

    Although Nosh's solution is good, I am just asking for another reference: if I import the data back using a SQL MA, then what field can I choose for group membership? Just like we can use sAMAccountName for the logon name, etc.

    Thanks

    Thursday, January 4, 2018 10:32 AM
  • Hi Nosh,

    Sorry to bother you again. Actually, I am stuck again. While creating the criteria-based group from the FIM Portal, I am getting the following error:

    Error processing your request: The operation was rejected because of access control policies.
    Reason: The server workflow rejected the operation.
    Attributes: 
    Correlation Id: 5c082fd6-1d52-4c06-9934-398f51f2fae6
    Request Id: 969bb4fd-6248-47e9-b5f9-aa20d0e270af
    Details: Filter definition is not permitted.

    Can you please guide me for this. 

    Another Scenario:

    Moreover, I have written a SQL MA which reads the required data from the source system and creates all the required groups in FIM (with "Manual" as the member selection option, as I am facing issues with "Criteria-based"). I need to create around 80+ security and DL groups each year, so configuring the criteria for each group would be difficult. So is it possible that I can configure the criteria for each group in some way through the same SQL MA, I mean by creating an attribute and setting its values from the source?

    I would be thankful to you for your guidance.

    Regards 


    F.

    Wednesday, February 7, 2018 12:30 PM
  • 1- Seems like a permission issue. You need to follow the guide and make sure you have enabled the right MPRs.

    2- You can do that via PowerShell


    Nosh Mernacaj, Identity Management Specialist

    • Marked as answer by Fahaad Majeed Wednesday, February 7, 2018 4:01 PM
    Wednesday, February 7, 2018 2:29 PM
  • Hi Fahaad-

    For #1, you need to make sure all the attributes in your criteria based group's filter are in the filter permissions for MIM. You can access those lists under Administration>Filter Permissions in the portal.

    For #2, this is certainly doable. If it's a one-time event each year, I'd lean towards using PowerShell like Nosh says. If you do want to fully automate it, you should be able to flow the XPath filter from SQL to the MIM Service. Note that there is some XML that wraps the filter so you'll want to look at a sample group that you make in the portal to get the flows right.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by Fahaad Majeed Wednesday, February 7, 2018 4:01 PM
    Wednesday, February 7, 2018 2:32 PM
    Moderator
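The two answers above describe one design between them: Nosh's "Entitlements" multivalued attribute on the user, with one criteria-based group per entitlement value, and Brian's advice to create the 80-odd groups per year from PowerShell rather than by hand, supplying the XPath filter inside the XML wrapper the MIM Service stores in the group's Filter attribute. The script below is an added example of that, not code posted by either of them. It assumes the FIMAutomation snap-in is installed (run on the MIM Service server), that a string multivalued attribute named Entitlements exists and is bound to Person and is flowed into the MIM Service from the source system, that Entitlements has been added under Administration > Filter Permissions (otherwise the "Filter definition is not permitted" error from earlier in the thread appears), and that the caller's MPRs allow creating groups and setting Filter. The group list, the owner GUID and the domain name are constructed placeholders. Because group names come from an external source, the script refuses any name that could alter the XPath filter it is embedded in.

```powershell
# Added example (not from the thread): bulk-create criteria-based MIM groups whose
# members are all Person objects carrying the group's name in the multivalued
# "Entitlements" attribute. Assumptions: FIMAutomation snap-in present, Entitlements
# bound to Person and listed under Filter Permissions, caller permitted by MPRs.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Constructed input; in the asker's setup this list would come from the SQL source.
$groupDefinitions = @(
    @{ Name = 'Sales-2018-DL'; Type = 'Distribution'; Scope = 'Universal' },
    @{ Name = 'HR-Admins';     Type = 'Security';     Scope = 'Global'    }
)

$ownerObjectId = '00000000-0000-0000-0000-000000000000'  # assumption: ObjectID of an existing Person
$domain        = 'CONTOSO'                                # assumption: NetBIOS domain of the groups

function New-FimImportChange {
    # Build one attribute change for an ImportObject. Replace for single-valued
    # attributes, Add for multivalued ones (Owner is a multivalued reference).
    param(
        [Parameter(Mandatory)][string]$AttributeName,
        [Parameter(Mandatory)][string]$AttributeValue,
        [ValidateSet('Replace', 'Add')][string]$Operation = 'Replace'
    )
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]$Operation
    $change.AttributeName  = $AttributeName
    $change.AttributeValue = $AttributeValue
    $change.FullyResolved  = $true
    $change.Locale         = 'Invariant'
    return $change
}

function ConvertTo-FimFilter {
    # Wrap a bare XPath expression in the XML envelope the MIM Service keeps in the
    # Filter attribute of a criteria-based group (the same shape the portal writes).
    param([Parameter(Mandatory)][string]$XPath)
    $escaped = $XPath.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;')
    return '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
           'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
           'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
           'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
           $escaped + '</Filter>'
}

function New-MimCriteriaGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Security', 'Distribution')][string]$Type,
        [Parameter(Mandatory)][ValidateSet('Universal', 'Global', 'DomainLocal')][string]$Scope,
        [Parameter(Mandatory)][string]$OwnerObjectId,
        [Parameter(Mandatory)][string]$Domain
    )
    # The name is interpolated into an XPath string literal; a quote or bracket from an
    # untrusted source row could widen the membership criteria, so allow a safe set only.
    if ($Name -notmatch '^[A-Za-z0-9 ._-]+$') {
        throw "Refusing group name '$Name': characters outside [A-Za-z0-9 ._-] are not allowed in the filter"
    }
    $xpath = "/Person[Entitlements = '$Name']"

    $group = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $group.ObjectType             = 'Group'
    $group.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $group.TargetObjectIdentifier = $group.SourceObjectIdentifier
    $group.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create

    $changes = @(
        (New-FimImportChange 'DisplayName'           $Name),
        (New-FimImportChange 'AccountName'           $Name),
        (New-FimImportChange 'Domain'                $Domain),
        (New-FimImportChange 'Type'                  $Type),
        (New-FimImportChange 'Scope'                 $Scope),
        (New-FimImportChange 'Owner'                 $OwnerObjectId 'Add'),
        (New-FimImportChange 'DisplayedOwner'        $OwnerObjectId),
        (New-FimImportChange 'MembershipLocked'      'True'),   # criteria-based: no manual members
        (New-FimImportChange 'MembershipAddWorkflow' 'None'),
        (New-FimImportChange 'Filter'                (ConvertTo-FimFilter $xpath))
    )
    foreach ($change in $changes) { $group.Changes += $change }

    $group | Import-FIMConfig
    return $group.TargetObjectIdentifier
}

foreach ($def in $groupDefinitions) {
    $id = New-MimCriteriaGroup -Name $def.Name -Type $def.Type -Scope $def.Scope `
                               -OwnerObjectId $ownerObjectId -Domain $domain
    Write-Host "Created criteria-based $($def.Type) group '$($def.Name)' as $id"
}
```

After the groups exist, setting a user's Entitlements to "Sales-2018-DL" and "HR-Admins" in the source makes the MIM Service compute that user into both groups, and the normal outbound sync rule for Group then writes the member attribute to AD DS; removing the value drops the user again. Run the script from a year to the next with the new list only; re-running it for a name that already exists will create a second group with a duplicate AccountName unless you first look the name up with Export-FIMConfig.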
  • Thanks for the response. 


    F.

    Wednesday, February 7, 2018 4:00 PM