Get Groups with specific attributes and create a set based on the group display name

  • Question

  • Hi

    I am trying to create a set from the Group display name using a workflow. The XPath Filter for the query is /Group[((Type = 'Security') and (extensionAttribute15 = 'Expand'))]. The result does have multiple groups in it. I would like to get the display name and convert them to "_MIM_Synced"+"Display name of the group". I am trying to achieve this using a MIMWAL flow. The end result is to then create a new group from the created set and expand members in that group. Once the group is created, I am planning to sync the new group back to on-premises AD.

    Tried different ways. Because it is an array in the query result, I am not sure how to proceed. Any advice will be helpful. I am new to MIMWAL and workflow.


    Wednesday, February 21, 2018 12:03 AM

All replies

  • Take a look at the Iteration wiki to loop over a collection of items.
    Wednesday, February 21, 2018 7:51 AM
  • And since you mentioned you are new, to create the Set objects inside the Iteration loop, check the wiki: Using the MIMWAL to create Policy objects.

    Wednesday, February 21, 2018 8:57 AM
  • Hi, thanks for the reply. I managed to create the set using Iteration. Now I want to add members to the set, but when I use Iteration I cannot use [\\value\..] in the query field, as this is currently only available for the notification flow. Is there any other way to update a group inside Iteration?

    For my set creation rule, I use the below.


    Key: NewDisplayName

    XPath Filter: /Group[((Type = 'Security') and (extensionAttribute15 = 'Expand'))]



    Conflicting Resource Search Filter
    /Set[DisplayName = '_MIMSynced_[//Value/DisplayName]']

    Attribute Population

    Value Expression              Target
    [//Value/DisplayName]         $Display
    "_MIMSynced_" +$Display       $DisplayName
    $DisplayName                  DisplayName

    This allows me to create the set. But how do I update members in this created set?


    Thursday, February 22, 2018 5:16 AM
  • Not sure what your use case is, but if this is one time conversion of a bunch of groups to sets, it's best done via an external bulk update script.

    You are right, iteration with an iteration is only supported for the WAL Notification activity and has not been extended to other WAL activities. If you want to do it via a workflow, you could have a suitable MPR to trigger a cascading workflow to populate the Set membership on the creation of Set (starting with specific display name convention).

    Thursday, February 22, 2018 1:23 PM
  • Just revisiting, your nested iteration question threw me off the track. For copying over members, you don't need iteration, you can just define the relevant Value Expression and Target like any other attribute that you are copying over.
    Saturday, February 24, 2018 7:04 AM
  • Hi, sorry, I did go off track. I was learning MIMWAL and got myself confused. As you said, I do not even need to create a set. What I was trying to achieve is to create a group from the current group with the ext attribute set to some value. I have managed to create a new group from the current group. The issue is that some of the groups I am recreating had nested groups. I do not know how I will expand the members of the nested groups into the new group. The client has an application which only works with groups where it can read the users as members. Also, I would like to handle the delta changes to the group members. Any help and reference to an article will be a great help. I think I have burned around 200 hours to get the basics correct for MIMWAL. Still a lot to learn.

    Once the MIM portal has the new group, with the users from the nested groups as members, I can run an outbound workflow to write the new group into AD.


    Saturday, February 24, 2018 11:36 AM
  • Not sure if you have tried to think about the complete solution design before trying to implement it. Now that you have mentioned it, it seems to me this is best implemented as a one-time bulk update for flattening the groups rather than an ongoing activity, and in that case this is better implemented outside a workflow. Otherwise, depending on the number of groups that are essentially planned to be duplicated, users may run into Kerberos authentication issues due to token bloat. Also, while you can detect and handle delta changes to a group, and an example is part of the Iteration wiki, how are you planning to cascade up the membership changes from a nested group, grand-nested group and so on to the flattened group on an ongoing basis? And then there would be circular references to watch out for, which is no small task even when you try to do this via a direct AD PowerShell script!
    Sunday, February 25, 2018 9:28 AM
  • Hi, thanks for the quick reply. I was trialling a scenario so I can design the project for the client. I was testing this in my lab. Could you please validate my idea for this?

    I think I will have to flatten the group users using the PowerShell MA and store it in SQL or a CSV, and create the new display name in the SQL data while flattening the group. Then sync the new groups to the FIM portal. I will need to check the delta using PowerShell, then flow the data to the Metaverse, and create an outbound sync rule for these newly created groups. They do have a large number of group objects, and the full company works on the basis of a few manually managed groups and a lot of nested groups. Due to the large number of groups, workflow Iteration may not be the answer for this. If the Iteration worked in the query part, maybe I could have used the workflow.

    I do have a simple PowerShell script which can run as a scheduled task. This script will flatten and create the new group and also do a delta update using the source and destination members. I used Compare-Object to check source and destination members. But due to the size and number of the groups, I may not be able to use it.

    Thanks a lot man




    Monday, February 26, 2018 1:16 AM
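
Added example, not part of the thread and not the poster's script: a sketch of the flattening and delta step discussed in the last two posts, showing how a visited set stops a circular group reference from looping and how Compare-Object yields the adds and removes. The in-memory `$Directory` table, the group and user names, and the function names `Get-FlatMember` and `Get-MemberDelta` are constructed for illustration; a real run would read direct members from AD or the PowerShell MA instead.

```powershell
# Constructed sample data: group name -> direct members.
# Any member that is also a key is a nested group; everything else is a user.
# G-App -> G-Team -> G-Sub -> G-Team is a deliberate circular reference.
$Directory = @{
    'G-App'  = @('alice', 'G-Team')
    'G-Team' = @('bob', 'G-Sub')
    'G-Sub'  = @('carol', 'alice', 'G-Team')
}

function Get-FlatMember {
    # Returns the unique users of $Group with all nested groups expanded.
    param(
        [Parameter(Mandatory)] [string]    $Group,
        [Parameter(Mandatory)] [hashtable] $Directory
    )
    $ignoreCase = [System.StringComparer]::OrdinalIgnoreCase
    $visited = [System.Collections.Generic.HashSet[string]]::new($ignoreCase)
    $users   = [System.Collections.Generic.HashSet[string]]::new($ignoreCase)
    $queue   = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Group)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        # Add() returns $false for a group that was already expanded,
        # so a circular reference is walked once and then skipped.
        if (-not $visited.Add($current)) { continue }
        foreach ($member in $Directory[$current]) {
            if ($Directory.ContainsKey($member)) { $queue.Enqueue($member) }
            else { [void]$users.Add($member) }
        }
    }
    return @($users | Sort-Object)
}

function Get-MemberDelta {
    # Source = flattened members, Target = current members of the flat group.
    param([string[]] $Source, [string[]] $Target)
    $diff = @(Compare-Object -ReferenceObject $Source -DifferenceObject $Target)
    [pscustomobject]@{
        ToAdd    = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        ToRemove = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    }
}

$flat  = Get-FlatMember -Group 'G-App' -Directory $Directory
# Constructed current membership of the flattened target group.
$delta = Get-MemberDelta -Source $flat -Target @('alice', 'dave')
"Flattened: $($flat -join ', ')"
"Add: $($delta.ToAdd -join ', ')  Remove: $($delta.ToRemove -join ', ')"
```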