Logging the change in Membership of a Security Group on the Portal. How can we do it?

  • Question

  • We wish to track membership changes in various Global Security Groups known to FIM. All our groups are Open i.e. anyone can join without need for approval.

    Memberships are updated in AD and synchronized to FIMMA.

    If I manually modify a Security Group by using the Portal as Administrator, I see an entry in the Requests & Approvals/Search Requests like:

    Update to Group 'sg_HR_managers' Request      

    However, all group update requests sent by the Synchronization Engine via the Export to FIMMA do not seem to be searchable in the Requests & Approvals/Search Requests 'log'. WHY NOT? I thought FIM kept a trace of all Requests.

    Membership changes DO actually flow from AD to FIMMA very well, but the customer has now asked for changes in memberships to be logged.

    Help!

    Thursday, October 3, 2013 11:52 AM

Answers

  • Hello,

    Since FIM 2010 R2, the exports to the FIM MA are batched/aggregated, so you have to look up the requests that are called Update to "msidmCompositeType".

    This is a kind of wrapper object which can hold updates to many objects in the Portal.

    Update to msidmCompositeType '' means updates to more than one object.

    Update to msidmCompositeType 'mygroup' means multiple updates to this one object only.

    You'll find the object changes in the RequestParameter attribute, formatted in XML.

    Read more on how to extract the information out of this new object type from Craig's blog post.

    You can disable the aggregate function in the FIM Service.exe config file, but this will slow down exports.

    You can then do logging with the Reporting part of FIM, or with the PowerShell Activity. I do something similar on group member changes (e.g. starting scripts). If you need more info on the PowerShell Activity, feel free to ask.

    If you have some experience in developing, you could also use/modify the FIM logging activity in workflows/MPRs that are triggered on group member changes.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com



    • Edited by Peter_Stapf Thursday, October 3, 2013 12:54 PM
    • Marked as answer by HaroldHare Thursday, October 3, 2013 1:29 PM
    Thursday, October 3, 2013 12:35 PM

All replies

  • Hello,

    Since I am currently also dealing with searching the request log for specific changes to objects, I wrote a little script and put it on my blog.

    Maybe useful to your needs.

    https://justidm.wordpress.com/2013/10/06/fim-2010-r2-searching-for-request-details-in-msidmcompositetype/

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Sunday, October 6, 2013 1:52 PM
  • Peter, can you please provide some heads up for tracking group membership changes using PowerShell?

    Thanks

    Thursday, October 10, 2013 12:23 PM
  • Have a look at the script in my blog article I posted above.

    With this script you can search your Request Log like this:

    Get-FIMRequestDetails.ps1 Group DisplayName "YourGroupName"

    You will get all the changes (Add/Removes/etc.) from the request log; you can modify this script to additionally resolve the GUIDs that will be returned by my script. I will maybe post an update in the future.

    The script contains all that you need to build your own script.

    Regards
    Peter 


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Thursday, October 10, 2013 1:02 PM
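
The accepted answer says the batched export changes sit in the RequestParameter attribute as XML. As an added example (not from this thread and not the blog script), the PowerShell function below turns such values into Add/Remove audit records for group membership. The element names, the `ExplicitMember` attribute name and the sample GUIDs are assumptions constructed for illustration; reading the values from the FIM Service is not shown.

```powershell
# Added example, requires PowerShell 3.0 or later.
# ASSUMPTION: each RequestParameter value is an XML document with Target,
# PropertyName, Value and Mode child elements, and group membership is the
# ExplicitMember attribute. Check one real request before relying on this.
function ConvertFrom-RequestParameter {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Xml,
        [string] $PropertyName = 'ExplicitMember'
    )
    process {
        try { $rp = ([xml]$Xml).DocumentElement }
        catch { Write-Warning 'Skipping unparsable RequestParameter value'; return }
        # InnerText works whether or not the element carries xsi:type attributes.
        $field = { param($name) $n = $rp.SelectSingleNode($name); if ($n) { $n.InnerText.Trim() } }
        # A composite request also holds changes to other attributes; keep membership only.
        if ((& $field 'PropertyName') -ne $PropertyName) { return }
        $mode = & $field 'Mode'
        $change = switch ($mode) { 'Insert' { 'Add' } 'Remove' { 'Remove' } default { $mode } }
        [pscustomobject]@{
            Group  = & $field 'Target'   # GUID of the group that was updated
            Member = & $field 'Value'    # GUID of the member added or removed
            Change = $change
        }
    }
}

# Constructed sample values (GUIDs are placeholders), standing in for the
# RequestParameter values of one "Update to msidmCompositeType" request.
$attrs = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="UpdateRequestParameter"'
$group = '11111111-1111-1111-1111-111111111111'
$sample = @(
    "<RequestParameter $attrs><Target>$group</Target><PropertyName>ExplicitMember</PropertyName><Value>aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa</Value><Mode>Insert</Mode></RequestParameter>"
    "<RequestParameter $attrs><Target>$group</Target><PropertyName>ExplicitMember</PropertyName><Value>bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb</Value><Mode>Remove</Mode></RequestParameter>"
    "<RequestParameter $attrs><Target>$group</Target><PropertyName>DisplayName</PropertyName><Value>sg_HR_managers</Value><Mode>Modify</Mode></RequestParameter>"
    '<RequestParameter><Target>'   # truncated value: reported as a warning, not a record
)

# Two records are emitted: one Add and one Remove for the sample group.
$sample | ConvertFrom-RequestParameter | Format-Table Group, Member, Change -AutoSize
```

Piping the records to `Export-Csv` instead of `Format-Table` gives a simple membership change log; the GUIDs still need to be resolved to display names, as noted in the last reply.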