New to MIM, looking for assistance on triggering workflows in order

  • Question

  • Hi folks, I'm new to MIM and gradually learning as I go.  I have a solution which pulls data from an HR app (via csv file) and creates AD users based on that.  I'm no developer and also want to keep the solution as simple as possible for the end users of the system.  To that end I've tried as much as possible to only use workflows and rules from within MIM portal where possible, with everything else padded out with MIMWAL (e.g. Powershell commands etc).  I have a situation where I have MIMWAL generating a unique username (feeding in to an outbound sync rule to AD, so after the user object has been pulled in to MIM), I also have a workflow set up to run a Powershell command (Add-ADGroupMember) to configure the default AD Group memberships - however, this Powershell command is not executing correctly, as it sees the username (for the "-Members" instance) as being NULL.  The script works perfectly well executing via Powershell logged in as the user account that is being used so the script is fine - but I'm wondering if the issue I'm hitting is because both the unique username generation workflow and the Add default groups workflow are firing at the same time - which is possibly resulting in the AD Group workflow firing before a samAccountName has been passed to AD.  How can I stagger the workflows?  I'm thinking it would be via MPRs and Sets (both the workflow for the group membership and the unique name generation fire on transition in to the All People set), but I can't for the life of me work out how I can pass a user to a set based on completion of a sync rule, or to check whether the user exists in AD and use that as the basis.  I daresay I'm sounding like a complete newbie and missing something completely obvious to those more familiar with the app and I can definitely detect some eyerolls :)  but can anyone give me a starter for 10 as to how to get the AD group workflow to only trigger after the account name has been generated?

    I should also add that there are multiple different default AD group workflows which are dependent on different job titles if that makes any difference.

    Essentially, I want - workflow to generate unique name -> Outbound rule to AD -> workflow to add default AD groups

    I'm sure I'm missing something simple.

    Friday, October 18, 2019 2:57 PM

Answers

  • For info, just in case anyone else runs in to a similar issue, I got round this by using the delay activity option from MIMWAL before the workflow activity that runs the Powershell.  Bit clunky, but it does the trick.
    • Marked as answer by MeragoJert Tuesday, October 29, 2019 5:08 PM
    Tuesday, October 29, 2019 5:08 PM

All replies

  • Hi,

    I wouldn't use the workflows to add the members. Instead, use e.g. Criteria based groups in MIM. You'll get better performance and eliminate a lot of errors.

    Br,

    Leo


    Did my post help? Please use "Mark as answer" or "Propose as answer". Thank you!

    Monday, October 21, 2019 8:35 AM
  • Hi Leo,

    Thanks for that.  I was under the impression that when using MIM to manage groups, it was best to let MIM handle everything related to groups altogether.  We actually want the groups to continue to be managed via Active Directory as a rule, but to only use MIM for initial default groups and removing them from all groups once they leave the company (this workflow works).  Is there a simple way to manage the order of the workflows that I'm missing?  I don't want to pull in all of the managed groups to MIM as it will only be dealing with a tiny subset (6 or 7) of the couple of hundred groups in AD.  I'd rather avoid pulling the groups in to MIM at all if I can.

    Monday, October 21, 2019 2:54 PM
  • I agree with Leo about the criteria based group. If you still want to add members to groups using a workflow, you can use a custom Set with a condition that is accountName startswith %

    Ahmed is an independent consultant in Ottawa, Canada specialized in .NET, Biztalk, WCF, WPF, TFS and other Microsoft technologies.

    Blog: http://lajak.wordpress.com

    Twitter: ahmedalasaad

    Tuesday, October 29, 2019 10:05 PM
  • Thanks for the input Ahmed.  As above though, we don't want MIM managing the groups if we can help it, only for the initial additions - we want the group memberships to be handled ultimately manually via ADUC, so criteria based membership was what we were trying to avoid.
    Wednesday, October 30, 2019 8:57 AM
  • Hi,

    Delay is one option, but if the Sync is disabled you could run into problems.

    We usually flow the AD DN back to the Portal, and trigger on that to do similar stuff (Set Transition in when ADDN attribute is set in portal, to ensure user is created).

    Br,

    Leo


    Wednesday, October 30, 2019 10:52 AM
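
An added example, not code from any poster in this thread: a PowerShell guard for the race described above, which refuses a null or malformed account name and polls AD until the account exists before calling Add-ADGroupMember, instead of relying on a fixed delay. The function name, the group names, the timings and the account-name pattern are assumptions; how the workflow passes the account name to the script is not shown.

```powershell
# Added example. Function name, groups, timings and the name pattern are hypothetical.
Import-Module ActiveDirectory

function Add-DefaultGroupsWhenProvisioned {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowNull()][AllowEmptyString()][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$Groups,
        [int]$TimeoutSeconds = 600,
        [int]$PollSeconds = 30
    )

    # Fail with a clear message instead of handing $null to -Members.
    if ([string]::IsNullOrWhiteSpace($SamAccountName)) {
        throw 'SamAccountName is empty: the unique-name workflow has not produced a value yet.'
    }

    # Allowlist check (assumed naming convention) so the value is safe to embed
    # in the -Filter string below. sAMAccountName for users is at most 20 characters.
    if ($SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        throw "SamAccountName '$SamAccountName' does not match the expected pattern."
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $user = $null

    # -Filter returns nothing (rather than throwing) while the account is absent,
    # so the loop simply waits for the outbound sync to create it.
    while (-not $user -and (Get-Date) -lt $deadline) {
        $user = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'"
        if (-not $user) { Start-Sleep -Seconds $PollSeconds }
    }

    if (-not $user) {
        # Surfaces the "sync disabled or stalled" case as an explicit failure.
        throw "Account '$SamAccountName' not found in AD after $TimeoutSeconds seconds."
    }

    foreach ($group in $Groups) {
        Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
    }
}

# Constructed sample call:
# Add-DefaultGroupsWhenProvisioned -SamAccountName 'jdoe1' -Groups 'Staff-Default','VPN-Users'
```

Unlike a fixed delay, the timeout turns a disabled or stalled sync into a visible error rather than a silent call with a missing member.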