How to manage MIM group members not part of the OU that MIM is connected to

  • Question

  • I'm having an issue with MIM AD group members getting dropped from MIM sync when a particular user is not in the same AD containers that MIM is connected to. It seems to me MIM is not aware of these users in other OUs!!

    Is there any workaround to manage AD group members that are not MIM users?

    Thanks in advance.


    CJ



    • Edited by TechCJ Friday, April 22, 2016 10:25 PM
    Friday, April 22, 2016 4:47 AM

Answers

  • This is a known limitation. Basically, if MIM should manage the memberships in a group, all users need to be managed by MIM. Also, it's not possible to manually add members to that group - MIM will remove them.

    Carol has a great post on this (old, but valid):

    http://www.wapshere.com/missmiis/group-members-and-other-multivalued-attributes

    As with all things in life, there are workarounds :) Actually, we had this problem yesterday. You can solve it using a Rules Extension. Just remember that MIM does not support handling Advanced flows for Reference attributes, so you need to use a multivalue string attribute and some custom code.


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    • Marked as answer by TechCJ Tuesday, April 26, 2016 3:53 AM
    Friday, April 22, 2016 6:20 AM

All replies

  • Hi,

    That's normal behavior, as for MIM to keep group members consistent across all systems (like the Portal, AD or others) the corresponding user objects must exist in MIM and the connected systems. Otherwise the referential integrity will not work.

    So you need to have those group members also in MIM.

    As a workaround in AD, if you cannot bring those users to MIM, you can split up the group: create an additional group for the group you want to manage, let only MIM handle this group, and make this group a member of the original group.

    With that you can manage the original group manually and the new group is managed by MIM, but it is also a member of the manually managed group.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, April 22, 2016 6:24 AM
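The nested-group split described above, as an added PowerShell example (not code from the thread or from MIM): it first reports which members of a group live outside the OUs the ADMA is scoped to (the ones that get dropped on sync), then creates the MIM-only group and nests it in the original. The OU and group names are constructed placeholders.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory module and
# RSAT; group and OU names below are constructed placeholders.
Import-Module ActiveDirectory

# OUs the ADMA partition is scoped to (the OP describes three such OUs).
$MimOUs = @(
    'OU=Staff,DC=example,DC=local',
    'OU=Contractors,DC=example,DC=local',
    'OU=Service,DC=example,DC=local'
)
$OriginalGroup = 'CN=App-Users,OU=Groups,DC=example,DC=local'   # manually managed
$MimGroupName  = 'App-Users-MIM'                                 # to be managed only by MIM

# True when the object's DN sits under one of the MIM-connected OUs (or a child OU).
function Test-InMimScope {
    param([string]$DistinguishedName)
    foreach ($ou in $MimOUs) {
        if ($DistinguishedName -like "*,$ou") { return $true }
    }
    return $false
}

# 1. Audit: members MIM cannot see. Keep these as direct members of the original
#    group, which stays out of MIM (e.g. via the ADMA filter the OP mentions).
$members = Get-ADGroupMember -Identity $OriginalGroup
$outside = $members | Where-Object { -not (Test-InMimScope $_.DistinguishedName) }
Write-Host "Members outside MIM scope (would be dropped by MIM sync):"
$outside | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 2. Create the MIM-managed group in the same OU and nest it in the original group.
#    MIM populates its membership through the ADMA export; nothing is added here.
$groupOU  = ($OriginalGroup -split ',', 2)[1]
$mimGroup = New-ADGroup -Name $MimGroupName -GroupScope Global -GroupCategory Security `
    -Path $groupOU -PassThru
Add-ADGroupMember -Identity $OriginalGroup -Members $mimGroup

# 3. Verify: the effective membership of the original group now includes the nested
#    group's members. Applications that resolve only direct members will not see them,
#    which is the caveat raised later in the thread.
Get-ADGroupMember -Identity $OriginalGroup -Recursive |
    Select-Object Name, DistinguishedName | Format-Table -AutoSize
```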
  • Peter's suggestion with nested groups is a good solution, and I guess considered best practice.

    Just keep in mind that your other applications accessing the AD using LDAP will need to have support for the nested groups. This is what stopped us, unfortunately. So we're going with the Rules Extension solution.


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!


    Friday, April 22, 2016 11:34 AM
  • Hi Leo/Peter, thanks for your reply. I created a filter in the ADMA to keep this group from coming to MIM, so it's not managed by MIM anymore. I think with the nested grouping option I also have to manage a filter for the group in the ADMA to keep the referential integrity.

    With Leo's suggestion of the "Rules Extension" approach, do you have any how-to document that you can share?

    Just to give you background on my MIM setup.

    We import users/groups from an HR system. To get group members we use a multivalued table.

    We flow these users/groups and memberships to provision in AD, and the ADMA is connected to 3 different OUs.

    The issue is that not all the users/groups and group members are in the source HR system. Also, not all AD users are part of the 3 OUs MIM manages.

    BRGDS


    CJ

    Friday, April 22, 2016 11:43 PM
  • For Rules Extension, please see documentation here:

    General:

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms695365(v=vs.100).aspx

    Examples:

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms696041(v=vs.100).aspx

    Note that you cannot use MV Reference attributes in an Advanced flow, so you'll need a workaround here.


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    • Proposed as answer by Leo Erlandsson Monday, April 25, 2016 7:42 AM
    • Marked as answer by TechCJ Tuesday, April 26, 2016 3:52 AM
    • Unmarked as answer by TechCJ Tuesday, April 26, 2016 3:53 AM
    Monday, April 25, 2016 6:13 AM