Provisioning Groups into FIM 2010 from Oracle database

  • Question

  • Greetings,

    I am trying to provision security groups from an Oracle database where I have a view that contains:

    Department_Code

    Department_Name

    DepParent_Code

    The view has a recursive relation between Department_Code and DepParent_Code (1 to many).

    The view will lead to a tree that has departments and sub-departments. I want to provision this data into FIM then to AD as security groups reserving the same hierarchy.

    Any help would be appreciated.


    Mohamad Chahla

    Thursday, December 26, 2013 12:55 PM

Answers

  • I have done something like this myself.  Using my approach I would do the following:

    1. Extend the Group and group resource type schema in FIM and the FIM Metaverse respectively, adding a new REFERENCE attribute binding ParentGroup/parentGroup respectively;
    2. Create an Oracle MA for importing DEPARTMENT objects with the anchor attribute Department_Code and with DepParent_Code declared as type REFERENCE;
    3. Create an inbound sync rule to import department objects as GROUP objects, with IAFs as follows:
      'DEPT-' + Department_Code => group.displayName
      Department_Name => group.description
      DepParent_Code => group.parentGroup
      ... and other IAFs according to the instructions you will find here;
    4. Either create your FIM groups as static (easy), or dynamic/query based (harder - i.e. you would do this if each Person object had a string binding of Department with values which exactly match the DEPT data you are importing) by using an appropriate MPR/workflow;
    5. Define an outbound sync rule to synchronise your FIM group objects to AD.

    If creating dynamic groups, your new workflow "Set Department Group Filter" can be created by using the Function Evaluator to construct the necessary XML filter value (create a group manually first to determine what this must look like) such that each group has a matching filter, e.g. the filter for DEPT-ABC would be /Person[Department='ABC']


    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Proposed as answer by UNIFYBobMVP Thursday, December 26, 2013 1:53 PM
    • Marked as answer by Mohamad Chahla Monday, January 6, 2014 11:32 AM
    Thursday, December 26, 2013 1:53 PM
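
Added example, not part of the original answer or of FIM itself: a pre-import check in Python that applies the step 3 attribute mappings and the dynamic-group filter pattern to rows from the department view, rejecting duplicate anchors, dangling or cyclic DepParent_Code values, and codes that would break the quoted filter literal. The function name, the sample rows and the allowed character set are assumptions.

```python
import re

# Constructed sample rows shaped like the view in the question:
# (Department_Code, Department_Name, DepParent_Code); None marks a root.
SAMPLE_ROWS = [
    ("FIN", "Finance", None),
    ("AP", "Accounts Payable", "FIN"),
    ("AR", "Accounts Receivable", "FIN"),
    ("APX", "AP Exceptions", "AP"),
]

# Assumption: codes are limited to this character set so that a code can be
# concatenated into the XPath filter without closing the quoted literal early.
SAFE_CODE = re.compile(r"^[A-Za-z0-9_-]+$")


def plan_groups(rows):
    """Validate the department tree and return group records, parents first."""
    parent_of, names = {}, {}
    for code, name, parent in rows:
        if not SAFE_CODE.match(code):
            raise ValueError(f"unsafe Department_Code: {code!r}")
        if code in parent_of:
            raise ValueError(f"duplicate anchor: {code}")
        parent_of[code], names[code] = parent, name

    def depth(code):
        # Walk up to the root; a dangling parent or a cycle is a hard error.
        seen, steps = set(), 0
        while parent_of[code] is not None:
            if code in seen:
                raise ValueError(f"cycle through {code}")
            seen.add(code)
            code = parent_of[code]
            if code not in parent_of:
                raise ValueError(f"dangling DepParent_Code: {code}")
            steps += 1
        return steps

    ordered = sorted(parent_of, key=lambda c: (depth(c), c))
    # parentGroup is shown as the parent's displayName for readability only;
    # in the approach above it is a REFERENCE attribute.
    return [{
        "displayName": "DEPT-" + c,
        "description": names[c],
        "parentGroup": "DEPT-" + parent_of[c] if parent_of[c] else None,
        "filter": f"/Person[Department='{c}']",
    } for c in ordered]
```

Running this against an export of the view before the first import surfaces rows that would otherwise show up later as unresolved references or malformed group filters.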

All replies

  • Do I need to create a custom resource type for "ParentGroup"?

    Can you give more explanation for:

    [1. Extend the Group and group resource type schema in FIM and the FIM Metaverse respectively, adding a new REFERENCE attribute binding ParentGroup/parentGroup respectively;]

    Thanks


    Mohamad Chahla

    Tuesday, December 31, 2013 10:07 AM
  • No, you don't want to create a custom resource type for ParentGroup - Group.ParentGroup is always going to be a reference to another Group object, being the "parent" group in a parent-child hierarchy.

    First create a custom attribute ParentGroup (type Reference) in the FIM Portal (see here and here for further details), then create a Group binding for it.  Then create a custom Metaverse attribute parentGroup for the group Metaverse object class.

    There is already an MPR which allows the sync engine to read/create/update/delete group objects and specified attributes - you will need to add your new attribute binding to this MPR.  Refresh the FIM MA schema after doing this to detect the schema change - then add the new attribute to the selected attributes in the FIM MA, and an export attribute flow for this attribute from MV.group.parentGroup => CS.Group.ParentGroup.


    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Wednesday, January 1, 2014 1:33 PM