How to create a Set based on group membership

  • Question

  • Hi,

    is it possible to create a set in FIM which is based on group memberships of users?

    I tried to manually create a XPath Filter for the set like the following:

    /Person[ObjectID = /Group[DisplayName = 'SomeGroup']/ExplicitMember]

    When submitting this change to the set I receive an access denied message.

    The event log shows the following messages:

    Microsoft.ResourceManagement: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: SystemConstraint ---> Procedure: CreateMembershipConditionStatement.  Line number: 539.  Message: Invalid membership condition statement de-referenced value..
       --- End of inner exception stack trace ---
       at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
       at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException)
       at Microsoft.ResourceManagement.Data.DataAccess.CreateMembershipConditionStatement(String xpath, Int32 referentKey, String attribute, Boolean operatorEqual, Boolean operatorGreater, Boolean operatorLess, Boolean operatorLike, Boolean operatorInversion, Nullable`1 literalValueBoolean, Nullable`1 literalValueDateTime, Nullable`1 literalValueInteger, Nullable`1 literalValueReference, String literalValueString, String functionValue, Boolean missingValue, Int32[] dereferencedValueMembershipConditionKeys, String dereferencedValueAttribute, String recursivelyDereferencedAttribute, Boolean recursionFrom, Boolean recursionTo, String[] attributes)
       at Microsoft.ResourceManagement.FilterEvaluation.Language.Statement.Create()
       at Microsoft.ResourceManagement.FilterEvaluation.Language.MembershipCondition.BasicMembershipCondition.Create()
       at Microsoft.ResourceManagement.FilterEvaluation.Language.MembershipCondition.Create(ReadOnlyCollection`1 membershipConditions)
       at Microsoft.ResourceManagement.FilterEvaluation.Language.MembershipCondition.Create(QueryFilter queryFilter, Int32[]& membershipConditions)
       at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.FilteredResourceActionProcessHelper.DoPreProcessRequest(RequestType request)
       at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.PreProcessRequestFromAttribute(RequestType request)
       at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.PreProcessRequestFromAttribute(RequestType request)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId)
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation)


    Can someone please shed some light on this?

    Regards

    Steffen

    Thursday, May 26, 2011 7:46 AM

Answers

  • This should really be posted in the FIM forum... there are a lot more eyes there these days...

    The answer to your question is - no (sorry).  From TechNet:

    Sets cannot reference the membership of Group resources. The following filter is not supported: /Person[Manager = /Group[ObjectID = '7CF6B5A3-01B2-45d3-8337-5EB521DDA08D']/ComputedMember].

    CraigMartin – Edgile, Inc. – http://identitytrench.com
    Thursday, May 26, 2011 6:26 PM

All replies

  • So the only way to achieve this would be to flow the memberOf attribute into the metaverse?

    Friday, June 3, 2011 6:53 AM
  • Can you describe the scenario you are trying to achieve?
    CraigMartin – Edgile, Inc. – http://identitytrench.com
    Friday, June 3, 2011 7:11 AM
  • You cannot flow a back-link attribute such as "memberOf" from AD to FIM, since it will not be available under "Select Attributes" in the MA configuration.

    However, you can add a custom "MemberOf" reference attribute in the FIM portal for the user object, add it to the FilterPermission resource, and then fill the "MemberOf" attribute using PowerShell. Then you can create Sets based on MemberOf.

    You can modify the following for your needs:

    #------------------------------------------------------------------------------------------------------
    # Stop on the first error instead of continuing with a half-updated set of users.
    trap
    {
        Write-Host "`nError: $($_.Exception.Message)`n" -ForegroundColor White -BackgroundColor DarkRed
        Exit
    }
    #------------------------------------------------------------------------------------------------------

    # Append one value to a multi-valued attribute on an ImportObject.
    function AddMultivalueAttribute
    {
        PARAM($object, $attributeName, $attributeValue)
        END
        {
            $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
            # ImportOperation: None = 0, Add = 1, Replace = 2, Delete = 3.
            # Adding to a multi-valued attribute needs Add; None (0) submits no change.
            $importChange.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
            $importChange.AttributeName = $attributeName
            $importChange.AttributeValue = $attributeValue
            $importChange.FullyResolved = $true
            $importChange.Locale = "Invariant"
            if ($object.Changes -eq $null) { $object.Changes = (,$importChange) }
            else { $object.Changes += $importChange }
        }
    }

    if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin "FIMAutomation" }

    $uri = "http://localhost:5725"

    # ExplicitMember holds only manually-managed members; criteria-based members live in ComputedMember.
    $groups = Export-FIMConfig -CustomConfig "/Group" -OnlyBaseResources -Uri $uri

    foreach ($group in $groups)
    {
        # ObjectIdentifier is "urn:uuid:<GUID>"; keep only the GUID for the reference value.
        $groupID = $group.ResourceManagementObject.ObjectIdentifier.Split(":")[2]

        $members = @(($group.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq "ExplicitMember" }).Values)

        foreach ($member in $members)
        {
            # A group with no explicit members yields a single $null entry; skip it.
            if ([string]::IsNullOrEmpty($member)) { continue }

            #$member = $member.Split(":")[2]
            #$person = Export-FIMConfig -CustomConfig "/Person[ObjectID='$member']" -OnlyBaseResources -Uri $uri

            # Create the Import object that will update the Person in FIM
            $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
            $importObject.ObjectType = "Person"
            $importObject.TargetObjectIdentifier = "$member"
            $importObject.SourceObjectIdentifier = "$member"
            $importObject.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

            AddMultivalueAttribute -object $importObject -attributeName "MemberOf" -attributeValue $groupID

            $importObject | Import-FIMConfig -Uri $uri
            Write-Host "Added $groupID to MemberOf of $member"
        }
    }

    # Note: this script only adds values. A user removed from a group keeps the stale MemberOf value
    # (and therefore stays in any Set built on it) until that value is removed separately.

    Sunday, June 5, 2011 9:30 AM
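The script above is one-directional: it stamps MemberOf when a user is in a group but never clears it, so a user who is removed from the group keeps the value and stays in the Set that drives provisioning. The following is an added example (not code from the thread or from Microsoft) that reconciles MemberOf against ExplicitMember in both directions, adding missing values and deleting stale ones. It assumes the same setup as the reply above: a multi-valued reference attribute named "MemberOf" bound to Person, a FIM Service at http://localhost:5725, and reference values written as bare GUIDs as in the posted script; the helper names (Get-Guid, Get-AttributeValues, New-ReferenceChange) are this example's own.

```powershell
# Added example: reconcile Person.MemberOf with Group.ExplicitMember (add + delete).
# Assumptions: custom multi-valued reference attribute "MemberOf" on Person,
# FIM Service on localhost:5725, reference values written as bare GUIDs.

if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) {
    Add-PSSnapin "FIMAutomation"
}
$uri = "http://localhost:5725"

# Exported references look like "urn:uuid:<GUID>"; normalise to the bare GUID so
# values written by this script and values read back compare equal.
function Get-Guid([string]$reference) {
    return $reference.Split(":")[-1].ToLowerInvariant()
}

# Return the value(s) of one attribute of an exported object, or an empty array.
function Get-AttributeValues($exportObject, [string]$attributeName) {
    $attr = $exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $attributeName }
    if ($attr -eq $null) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

# Build one ImportChange (Add or Delete) for a reference attribute value.
function New-ReferenceChange([string]$attributeName, [string]$value, $operation) {
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation = $operation
    $change.AttributeName = $attributeName
    $change.AttributeValue = $value
    $change.FullyResolved = $true
    $change.Locale = "Invariant"
    return $change
}

$add    = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
$delete = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete

# Desired state: person GUID -> set of group GUIDs, taken from each group's ExplicitMember.
$desired = @{}
foreach ($group in (Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Group")) {
    $groupId = Get-Guid $group.ResourceManagementObject.ObjectIdentifier
    foreach ($member in (Get-AttributeValues $group "ExplicitMember")) {
        if ([string]::IsNullOrEmpty($member)) { continue }
        $personId = Get-Guid $member
        if (-not $desired.ContainsKey($personId)) { $desired[$personId] = @{} }
        $desired[$personId][$groupId] = $true
    }
}

# Current state: compare what each Person already carries in MemberOf, emit the delta.
$imports = @()
foreach ($person in (Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Person")) {
    $personRef = $person.ResourceManagementObject.ObjectIdentifier
    $personId  = Get-Guid $personRef
    $current = @{}
    foreach ($v in (Get-AttributeValues $person "MemberOf")) {
        if (-not [string]::IsNullOrEmpty($v)) { $current[(Get-Guid $v)] = $true }
    }
    $wanted = @{}
    if ($desired.ContainsKey($personId)) { $wanted = $desired[$personId] }

    $changes = @()
    foreach ($g in $wanted.Keys) {
        if (-not $current.ContainsKey($g)) { $changes += New-ReferenceChange "MemberOf" $g $add }
    }
    foreach ($g in $current.Keys) {
        if (-not $wanted.ContainsKey($g)) { $changes += New-ReferenceChange "MemberOf" $g $delete }
    }
    if ($changes.Count -eq 0) { continue }

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType = "Person"
    $import.TargetObjectIdentifier = $personRef
    $import.SourceObjectIdentifier = $personRef
    $import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes = $changes
    $imports += $import
}

if ($imports.Count -gt 0) { $imports | Import-FIMConfig -Uri $uri }
Write-Host ("Reconciled MemberOf on {0} person(s)" -f $imports.Count)
```

Run it on a schedule, or from the workflow discussed later in the thread, so that a removal from a group actually removes the user from the dependent Set; otherwise the Set grants access that the group no longer does. Like the posted script it reads ExplicitMember only, so criteria-based memberships (ComputedMember) are not reflected.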
  • I'm thinking about a scenario where provisioning of users is controlled by group membership.

    The idea is to assign a user to a group (by manual request) and then have FIM do the provisioning into the connected system.

    Wednesday, June 8, 2011 10:56 AM
  • Provisioning based on group membership

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Wednesday, June 8, 2011 11:06 AM
  • Hi Markus,

    What about configuring a request-based MPR for Group, so that whenever a new value is added to the "manually-managed membership" attribute of the group, an action workflow runs that fills the custom memberOf attribute of the member users using a custom workflow activity? Is it feasible?

    Wednesday, June 8, 2011 4:33 PM
  • Hi Markus,

    I was aware of this approach, but I was wondering if there is a solution which does not need a second MA to flow the memberOf attribute. It would have been so easy if sets could be created based on group membership.

    Regards

    Steffen

    Friday, June 10, 2011 12:03 PM
  • In another related thread on this subject I suggest a work-around implemented by Paul Williams at a site I've since had some involvement with, where a FIM custom activity was used to maintain a set in sync with a group (stamped with the group ID) whenever membership changes to that group were made.


    Bob Bradley, www.unifysolutions.net (FIMBob?)
    Saturday, June 11, 2011 3:34 AM