Provisioning Groups based on User attributes

  • Question

  • We have an application which is connecting to ADAM and requires access to the company and department attributes on the user object which is being provisioned from AD. Unfortunately the application cannot use attributes. It can only use groups.

    My question is: can we use ILM to create groups in ADAM based on the company and department attributes (this bit is easy) and have these groups populated with the users who have the corresponding attributes? For example, user Phil has a department attribute of "Mortgage Department"; can we create a group called "Mortgage Department" in ADAM and add Phil as a member of this group when provisioning from ILM? If so, how would we go about this?

    Any assistance would be much appreciated.

    Tuesday, February 5, 2008 1:45 AM

Answers

  • Finally got this working. Needed to use the "/p" option with the group populator. I assume the "p" stands for populate the group membership.

    Thursday, February 14, 2008 1:40 AM

All replies

  • Have you checked the Microsoft Identity and Access Management Series at
    http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/default.mspx?mfr=true

    Download at: http://go.microsoft.com/fwlink/?LinkId=14842

    Check for Provisioning and Workflow > Group management.

    The group management for ADAM/AD LDS is similar to AD...

    Also check the forum for AD group management; you'll find interesting posts...

    HTH,
    Peter

    Tuesday, February 5, 2008 4:19 PM
  • Peter is correct. Take a look at the links he provided. The IdM Series 1.4 contains the source code and builds for the Group Management Web Application, which uses GroupPopulator.exe.

    This add-on to ILM allows you to create either simple groups or attribute-based groups derived from metaverse attributes that you manually enter as a query (group definition). Another on-line resource (with pictures) to take a look at is Appendix B: Group Management Web Application User Guide.

    Tuesday, February 5, 2008 10:15 PM
  • Thanks for taking the time to reply, Peter. I already have group management working in the sense that I can provision existing AD groups into ADAM/LDS and populate the group membership. Was there anything in the documentation you referred to that would assist with my specific scenario?

    Tuesday, February 5, 2008 10:50 PM
  • Thanks Chris. So just to confirm: there is no way I can accomplish the group management function from within ILM. I have to do something like:

    1. Import the user objects and attributes into the metaverse from Active Directory

    2. Use the group management web application to build some group rules

    3. Use the group populator to extract the info from ILM and create the groups in a separate SQL database

    4. Import the groups into the metaverse (and provision into ADAM)

    5. Export the groups into ADAM

    Regards

    Wednesday, February 6, 2008 12:51 AM
  • I'm sorry. I'm kind of lost on what you are trying to do. You are currently using GroupPopulator to manage groups in ADAM (or AD) now. Are you looking to extend it to do both?

    Wednesday, February 6, 2008 1:01 AM
  • Hi Chris,

    Sorry for the confusion.

    We have an attribute assigned to all user objects in AD called department. This attribute is populated from HR (although not relevant to this discussion as it is done via a separate process) and contains the user's department details, e.g. Corporate Affairs. There is an application (Vignette) which wants to make use of this attribute to authorise access to web content based on the user's department details. However, the application cannot make use of the attribute directly. It can only make decisions based on the user's group membership.

    The application is binding to ADAM, which we are synchronising from AD using ILM 2007. What we would like to do is create groups in ADAM corresponding to each of the department attributes in AD and have these groups contain all the users which have the department attribute. So if Phil has Corporate Affairs as a department attribute in AD, we wish him to be a member of a group called Corporate Affairs when we synchronise the data to ADAM.

    USER AD                          ------------->   Group ADAM                   User ADAM
    cn=Phil                                           cn=Corporate Affairs         cn=phil
    department=Corporate Affairs                      member=phil

    Since this is just provisioning from one Microsoft directory to another Microsoft directory using a Microsoft provisioning tool, I was hoping that we could solve it in a much simpler way, e.g. with a rules extension. However, it looks like I have to go and buy another SQL server (actually 2 because we always have to DR) and use a process outside ILM (e.g. GroupPopulator.exe) to create separate tables etc.

    Regards, Paul

    Wednesday, February 6, 2008 2:33 AM
  • Thanks Peter, sorry for the confusion.

    We have an attribute called department which is part of the user class in AD and is populated via our HR system (not relevant to this discussion). The department attribute defines which team the user belongs to, e.g. Corporate Affairs. An application (Vignette) wishes to use this attribute to authorise access to Web content based on the user's team. However, the application is not designed to work directly with an attribute. The application can only work with groups.

    The application is connecting to an ADAM instance. The ADAM instance is importing user objects from AD using ILM 2007. In order to use groups we need some way to create groups in ADAM based on the values of the department attribute and populate these groups with users who have the corresponding department attribute within the user object. For example, if Phil has a department attribute value of "Corporate Affairs" then we need to create an ADAM group called Corporate Affairs and add Phil and any other users as a member.

    AD User Object                   -------------------->   ADAM Group                 ADAM User
    cn=phil                                                  cn=corporate affairs       cn=phil
    department=corporate affairs                             member=phil, .....

    Given that these are both Microsoft directories, I was hoping that there was some way of doing this inside ILM rather than having to create and maintain an external database for use by the Group Populator.

    Many Thanks

    Wednesday, February 6, 2008 5:59 AM
  • You can use the same instance of SQL that ILM is using to host the Group Management components. This application is a free add-on built for what you are trying to do that essentially will simplify and automate the overall process; however it is optional.

    As a matter of fact, the application has the ability to build “attribute-based” groups. These types of groups are essentially "families" of groups based on attribute data, which is what you are looking to do. Using this option allows you to manage group membership within AD (or ADAM) based on the attribute values derived within the metaverse (in your case the “department” attribute). IMHO, it’s a much cleaner method.

    I think what you are looking to do is provision groups and determine group membership through the rule extensions. The cost of doing so may result in poor performance due to the amount of work being done processing each object. Take a look at the following articles which will provide insight on managing reference attributes. This should give you insight on what you want to do.

    Design Concepts for Reference Attributes

    Anyhow, without using the web application, you can accomplish this by just synchronizing the directories and using direct attribute flow between AD and ADAM. Membership of each group can be directly flowed through ILM into ADAM through the “member” reference attribute therefore allowing the application to do what it needs to do. The only code you’d need to add is within the metaverse rule extension to provision groups into ADAM, everything else is direct attribute flow. The downfall of this is you’d have mirroring groups in both AD and ADAM; not to mention there would still need to be a method that (either manual or automated) determines group membership based on the “department” attribute.

    Wednesday, February 6, 2008 8:19 PM
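    As an added illustration (not code from this thread, from ILM or from GroupPopulator), the following Python model shows what an attribute-based "family" of groups plus the membership method Chris refers to amounts to: one group per distinct department value, the value escaped into an RDN the way ILM's EscapeDNComponent would, and the desired membership reconciled against what ADAM currently holds so that a user whose department changed is removed from the old group rather than accumulating access. The attribute names, containers and user records are constructed for the example.

    ```python
    """Model of attribute-based group derivation; not ILM/GroupPopulator code."""
    from typing import Dict, List, Set

    # Constructed sample metaverse user entries (attribute names assumed).
    MV_USERS = [
        {"cn": "phil", "department": "Corporate Affairs", "company": "Contoso"},
        {"cn": "anne", "department": "Mortgage Department", "company": "Contoso"},
        {"cn": "raj", "department": "Sales, EMEA", "company": "Fabrikam"},
        {"cn": "temp01", "department": "", "company": "Contoso"},  # no department set
    ]
    USERS_CONTAINER = "CN=Users,DC=adam,DC=contoso,DC=com"
    GROUPS_CONTAINER = "CN=Groups,DC=adam,DC=contoso,DC=com"


    def escape_rdn_value(value: str) -> str:
        """RFC 4514 escaping of an RDN value, so 'Sales, EMEA' cannot split the DN."""
        out = value.replace("\\", "\\\\")
        for ch in ',+"<>;=':
            out = out.replace(ch, "\\" + ch)
        if out.startswith("#") or out.startswith(" "):
            out = "\\" + out
        if out.endswith(" "):
            out = out[:-1] + "\\ "
        return out


    def user_dn(user: Dict[str, str]) -> str:
        return f"CN={escape_rdn_value(user['cn'])},{USERS_CONTAINER}"


    def derive_groups(users: List[Dict[str, str]], attribute: str) -> Dict[str, Set[str]]:
        """One group DN per distinct value of `attribute`, mapped to its member DNs.
        Users with an empty value get no group: an empty-named group would be a catch-all."""
        groups: Dict[str, Set[str]] = {}
        for u in users:
            value = u.get(attribute, "").strip()
            if not value:
                continue
            group_dn = f"CN={escape_rdn_value(value)},{GROUPS_CONTAINER}"
            groups.setdefault(group_dn, set()).add(user_dn(u))
        return groups


    def reconcile(desired: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
        """Per-group adds AND removes: a changed department revokes the old membership."""
        changes: Dict[str, Dict[str, List[str]]] = {}
        for dn in desired.keys() | current.keys():
            want, have = desired.get(dn, set()), current.get(dn, set())
            if want != have:
                changes[dn] = {"add": sorted(want - have), "remove": sorted(have - want)}
        return changes
    ```

    Running derive_groups over the company attribute instead of department yields the second family of groups the original question asks for.
    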
  • Thanks again Chris. If the Group Management components can use the same SQL instance then it makes this solution much more attractive. We will pursue this as the preferred solution.

    Sorry to be a pain, but just one final question. With the latter option (without Web Application), how do I configure the attribute flow since the groups do not exist in AD? The member attribute in the metaverse is a reference attribute so cannot be mapped to anything in the AD CS. I have tried creating a multi-valued attribute in the MV which I can successfully populate with the member info. However, I cannot flow this to the group member attribute in the ADAM CS.

    Regards

    Wednesday, February 6, 2008 11:09 PM
  • You can map these using direct attribute flow; the AD and ADAM Management Agents recognize the “member” attribute as a multi-valued attribute which can be mapped to the metaverse “member” attribute.

    On import within the AD MA, as long as the member attribute has a reference relationship back to the user within the CS, the reference calculation will reflect into the MV. The same happens on export into the CS of the ADAM MA.

    Hope this helps.

    Thursday, February 7, 2008 12:29 AM
  • Sorry Chris I still don't follow. On Import all we have is a data source object type of User with the attributes cn and department. What do we map these to? I can map the user/department attribute to the MV group/cn using an indirect mapping with a rules extension. This will create the groups.

    Thursday, February 7, 2008 2:17 AM
  • You wouldn't. And that wouldn't work....

    You really should take a look at the MIIS 2003 Scenarios documentation. This will definitely help to explain some of the terms we use around the product. In addition, take a look at the IDA Series documentation Peter recommended earlier in the string. This documentation will provide step-by-step instructions on how to implement the Group Management add-in.

    Based on what I think you have, you already have a populated AD MA. It sounds like it's already managing users. You want to modify it to manage groups; therefore configure it to project groups into the metaverse. From what I just said, AD will be the authoritative source for groups provisioned into ADAM. In all, what you will be doing is provisioning both user and group objects into ADAM. Configure your attribute flow appropriately. If you are going to do this, it really should be tested in a development environment and modified to fit what you have.

    You will also need to modify what container to import groups from. Also, as I mentioned, "there would still need to be a method that (either manual or automated) determines group membership based on the 'department' attribute."

    Last, you need to add code to your metaverse rule extension to provision objects into ADAM. This piece will create the group objects in ADAM. The rest is handled through regular attribute flow. Here is an example to give you an idea.

    Code Snippet

    ' Metaverse rules extension method (Imports Microsoft.MetadirectoryServices; the class implements IMVSynchronization).
    ' Creates one ADAM connector per metaverse person or group; regular attribute flow handles everything else.
    Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision

        Dim adamMAName As String = "ADAM MA"
        Dim usersContainer As String = "CN=Users,DC=adam,DC=contoso,DC=com"
        Dim groupContainer As String = "CN=Groups,DC=adam,DC=contoso,DC=com"

        Dim ma As ConnectedMA = mventry.ConnectedMAs(adamMAName)
        If mventry("cn").IsPresent Then
            Select Case mventry.ObjectType.ToLower()
                Case "person"
                    ' The RDN is escaped below, so a cn containing commas or other DN specials cannot break the DN
                    Dim rdn As String = "CN=" & mventry("cn").Value.ToLower()
                    If ma.Connectors.Count = 0 Then
                        ' There is not already an object in ADAM: create the user connector
                        Dim csentry As CSEntry = ma.Connectors.StartNewConnector("user")
                        Try
                            csentry.DN = ma.EscapeDNComponent(rdn).Concat(usersContainer)
                            csentry.CommitNewConnector()
                        Catch ex As ObjectAlreadyExistsException
                            ' Do something creative here for the exception.
                        End Try
                    ElseIf ma.Connectors.Count = 1 Then
                        ' Existing connector: keep its DN in line with the current cn (rename)
                        Dim csentry As CSEntry = ma.Connectors.ByIndex(0)
                        csentry.DN = ma.EscapeDNComponent(rdn).Concat(usersContainer)
                    Else
                        Throw New Exception("Think of something creative to say here.")
                    End If

                Case "group"
                    Dim adamRDN As String = "CN=" & mventry("cn").Value.ToLower()
                    If ma.Connectors.Count = 0 Then
                        ' No group object in ADAM yet: create the group connector
                        Dim csentry As CSEntry = ma.Connectors.StartNewConnector("group")
                        Try
                            csentry.DN = ma.EscapeDNComponent(adamRDN).Concat(groupContainer)
                            csentry.CommitNewConnector()
                        Catch ex As ObjectAlreadyExistsException
                            ' Do something creative here for the exception.
                        End Try
                    ElseIf ma.Connectors.Count = 1 Then
                        Dim csentry As CSEntry = ma.Connectors.ByIndex(0)
                        csentry.DN = ma.EscapeDNComponent(adamRDN).Concat(groupContainer)
                    Else
                        Throw New Exception("Think of something creative to say here.")
                    End If
            End Select
        End If

    End Sub

    Thursday, February 7, 2008 2:59 AM
  • I should have mentioned that we have been using ILM/MIIS for around two years in production, so am familiar with the basics around provisioning of users and groups.

    I have installed the Group Populator in our test environment and built some attribute-based groups using the user "company" and "department" attributes. I am able to create the groups in the MV using the group management MA and also provision the groups into ADAM (I was able to get this far previously without the group populator). However, the groups do not contain any members. What is required to populate users with the company and department attributes into the newly created groups? These groups do not exist in AD but are created "on the fly" by the Group Populator. You mention above that "there would still need to be a method that (either manual or automated) determines group membership based on the 'department' attribute." Where is this method applied? There is no access to the reference attributes in the CS so I cannot write a method within the MA rules extension.

    Regards,

    Wednesday, February 13, 2008 5:56 AM