Dynamic Multivalue User Attribute -> Security Groups

  • Question

Hi all, and thanks for any advice.

We are migrating from Novell IDM and have struck an issue with MS FIM 2010.

We have teachers and students with classes stored in multi-valued attributes.

The list changes as subjects and classes get added, changed and deleted. We would like FIM to create the classes as security groups in Active Directory and assign members.

NOTE: the key point is that we are trying to avoid creating a rule for every security group; the goal would be to have FIM create the groups that are in the user's attribute and assign/remove members as it changes.

Example data in FIM:

    user1 - classcosed = 11MTA01, 11ENG03, 11DES02

    user2 - classcosed = 11MTA02, 11ENG03, 11DES02

    user3 - classcosed = 9MTA01, 9ENG03, 9DES02

    user4 - classcosed = 9MTA02, 9ENG03, 9DES02

Desired security group result in Active Directory:

    11MTA01 = user1

    11MTA02 = user2

    11ENG03 = user1,user2

    11DES02 = user1,user2

    9MTA01 = user3

    9MTA02 = user4

    9ENG03 = user3, user4

    9DES02 = user3, user4

Again, thank you in advance for any ideas.


    Sunday, August 2, 2015 4:12 AM

All replies

If you have a look at the 3rd topic that Tomasz presented at our FIMTeam July meeting last year, I think you will find details of the same approach that we have since implemented at UNIFY ourselves. Essentially the way the solution works is that a custom resource is defined in the FIM Service which acts as a group template. A scheduled job then maintains FIM groups with filters calculated according to the template definitions ... whereby the job either

    • creates a group for all the various distinct string attribute values on the Person resource type; or
    • creates a group for all the unique values of a nominated FIMService resource where there is a corresponding reference binding on the Person resource type.

    Another approach is where you can derive a group object in the CS of the MA for your authoritative source.  There are a number of different ways to achieve this, depending on the type of your authoritative MA - and you could even use the Replay MA idea to achieve this by dropping and transforming an audit file on every import run.

    Bob Bradley (FIMBob @ ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Thursday, August 13, 2015 1:01 PM
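The desired result in the question (the inverse of each user's multi-valued attribute) and the add/remove maintenance that both approaches above perform come down to one reconciliation step. The following is an added example, not code from this thread, from FIM, or from UNIFY: it inverts the attribute into class -> members, diffs that against a snapshot of the class groups AD currently holds, and emits the create/delete/add/remove operations a sync run (or a script using the AD cmdlets) would then apply. The person data is the question's sample plus one constructed entry (user5); the AD snapshot, the class-code pattern `CLASS_CODE`, and the assumption that the snapshot contains only groups this job manages are all constructed for the example.

```python
"""Reconcile AD security groups against a multi-valued class attribute.

Added example. The PERSONS table is the sample from the question plus a
constructed user5; AD_GROUPS is a constructed snapshot of the class groups
AD currently holds; CLASS_CODE is an assumed naming convention.
"""
import re
from collections import defaultdict

# Assumed convention from the sample data: year, three-letter subject,
# two-digit class (e.g. 11MTA01, 9ENG03). Any other value is rejected so a
# bad or tampered attribute value cannot point the job at an arbitrary
# group such as an administrative one.
CLASS_CODE = re.compile(r"^\d{1,2}[A-Z]{3}\d{2}$")

# FIM person -> classcosed (multi-valued). user5 is constructed and carries
# a value that must not become a group.
PERSONS = {
    "user1": ["11MTA01", "11ENG03", "11DES02"],
    "user2": ["11MTA02", "11ENG03", "11DES02"],
    "user3": ["9MTA01", "9ENG03", "9DES02"],
    "user4": ["9MTA02", "9ENG03", "9DES02"],
    "user5": ["9MTA02", "Domain Admins"],
}

# Constructed snapshot of the class groups AD holds today. Assumption: this
# contains only groups this job manages (e.g. one dedicated OU), so a
# "remove" or "delete" can never touch an unmanaged group.
AD_GROUPS = {
    "11ENG03": {"user1", "user2", "user9"},  # user9 has left the class
    "11DES02": {"user1"},                    # user2 not yet added
    "9OLD01": {"user3"},                     # class no longer in the source
}


def desired_groups(persons):
    """Invert person -> classes into class -> members, dropping bad codes."""
    groups = defaultdict(set)
    rejected = []
    for user, classes in persons.items():
        for raw in classes:
            code = raw.strip().upper()
            if CLASS_CODE.match(code):
                groups[code].add(user)
            else:
                rejected.append((user, raw))
    return dict(groups), rejected


def plan(persons, ad_groups):
    """Diff desired state against the AD snapshot.

    Returns the operations to apply, in deterministic order:
      create  - groups present in the source but absent from AD
      delete  - managed groups no longer referenced by any person
      add     - (group, user) memberships to add
      remove  - (group, user) memberships to revoke
      rejected - (user, value) attribute values that failed validation
    """
    desired, rejected = desired_groups(persons)
    ops = {"create": [], "delete": [], "add": [], "remove": [],
           "rejected": rejected}
    for code in sorted(set(desired) | set(ad_groups)):
        want = desired.get(code, set())
        have = ad_groups.get(code, set())
        if want and code not in ad_groups:
            ops["create"].append(code)
        elif not want:
            ops["delete"].append(code)
        ops["add"].extend((code, u) for u in sorted(want - have))
        ops["remove"].extend((code, u) for u in sorted(have - want))
    return ops


if __name__ == "__main__":
    for kind, items in plan(PERSONS, AD_GROUPS).items():
        for item in items:
            print(kind, item)
```

Run against the sample, this creates the six groups AD lacks, adds user2 to 11DES02, revokes user9 from 11ENG03, deletes the orphaned 9OLD01, and reports user5's "Domain Admins" value as rejected instead of acting on it. Whether an orphaned group is deleted or merely emptied is a policy choice; deleting it also discards any ACLs that reference the group's SID.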
Thank you for your insight.

I have found the following solution to be quite a good one.

    Monday, August 24, 2015 1:53 AM