About criteria-based groups and MPR RRS feed

  • Question

  • Hi,

    We have to define groups in FIM with the criteria-based feature. Groups are "dynamically" provisioned by FIM when a special value of a user attribute is set.

    Ex: Groups for French people, with criteria based on "Country = France".

    When a user is updated with the Country value of "France", the group is automatically updated.

    Very good.

    The problem is that we have to synchronize users and groups with an AD. We have configured sets, workflow and MPR for users, and when an update is done (manually or by FIM sync), an expected rule entry is created and with MV sync it is propagated to AD.

    But we wanted to have the same thing for groups. However, the dynamic update operated by FIM (following the user attribute set) is not "seen" as a request. So no ERE is created because the related MPR doesn't see the operation.

    How can we make the automatic update of a criteria-based group trigger our MPR and so the AD update?

    BR,

    Tuesday, September 13, 2016 9:08 PM

Answers

  • EREs are linked to the objects, in this case users and groups, they are not linked to the individual attribute changes, i.e. membership changes of groups; membership is synchronized through an attribute flow. You should configure synchronization of the groups in the same way as you have of users.

    Briefly, create a sync rule with a relationship of group -> group for AD; be sure to include the outbound attribute flow of member -> member; create a set of groups to provision to AD; create a workflow to attach the AD groups sync rule; create an MPR to run that workflow against that set.

    Then when a set is created it will be provisioned to AD, when a user is added as a member of that group via criteria, that will be exported to AD in the member->member attribute flow. Membership of the group will then update in AD (assuming you are using one AD connector and so groups and users are in the same connector space for referential integrity to work).


    • Proposed as answer by Leo Erlandsson Thursday, September 15, 2016 1:41 PM
    • Marked as answer by Emmanuel BILLOT Wednesday, September 28, 2016 4:13 PM
    Thursday, September 15, 2016 9:36 AM
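
    Once the group sync rule and its member -> member flow are exporting, the result can be checked on the AD side by comparing the group's members with the users that match the criterion. The script below is an added example, not part of the original answer; the group name `FR-Users` and the assumption that Country flows to the AD attribute `co` are hypothetical and must be adjusted to the actual sync rules.

```powershell
# Added example: compare an AD group's direct members with the users that
# satisfy the FIM criterion, to spot membership drift after an export run.
# Assumptions (not from the thread): group name and Country -> 'co' mapping.
Import-Module ActiveDirectory

$GroupName   = 'FR-Users'   # hypothetical group provisioned by the AD groups sync rule
$CountryAttr = 'co'         # assumed AD attribute that receives the Country value
$CountryVal  = 'France'     # criterion value from the question

# Users that satisfy the criterion, as AD sees them after the user export
$expected = @(Get-ADUser -LDAPFilter "($CountryAttr=$CountryVal)" |
    Select-Object -ExpandProperty DistinguishedName)

# Direct members written to the group by the member -> member attribute flow
$group  = Get-ADGroup -Identity $GroupName -Properties member
$actual = @($group.member)

# -notin is case-insensitive and tolerates empty collections on either side
$missing = @($expected | Where-Object { $_ -notin $actual })
$extra   = @($actual   | Where-Object { $_ -notin $expected })

# Matching users not yet in the group: export pending or flow misconfigured
$missing | ForEach-Object {
    [pscustomobject]@{ Issue = 'MissingFromGroup'; DN = $_ }
}

# Members that do not match the criterion: manual change in AD or stale export
$extra | ForEach-Object {
    [pscustomobject]@{ Issue = 'UnexpectedMember'; DN = $_ }
}

if (-not $missing -and -not $extra) {
    Write-Output "Group '$GroupName' matches criterion $CountryAttr=$CountryVal ($($actual.Count) members)."
}
```

    Unexpected members are worth reviewing when the group grants access in AD, since they indicate membership that FIM did not calculate.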

All replies

  • Many thanks for your help, it works. I didn't understand the real mechanism at the beginning.

    Emmanuel IT

    Thursday, September 15, 2016 10:38 PM