Groups with Static and Dynamic Members in FIMService

We had a business case whereby a filter couldn’t really create groups which catered for the purpose. We also needed to put in some static members (Explicit Members) in it.

Now by default a /Group in FIMService can either be Explicit or a Filter type group. But a Set allows you to have an explicit as well as filter on it.

WARNING: Many custom attributes are used for our purpose but you hopefully will get the gist of it

CREATE

So came up with a design for such groups (we identify them by Autogen and have an attribute called accountType)

  • Create a Set with Autogen-{GroupName} with an accountType = AutogenSet
  • Set the filter and explicit members needed on the set
  • Create a filter group with Autogen-{GroupName} with an accountType = AutogenGroup
  • Put the ResourceID of the new group in the set to an attribute called ‘connectedGroupObjectID’ and viceversa to ‘connectedSetObjectID’ – This it have relation between the group and set
  • Set the filter on this group as

CLEANUP

  • Create a auth workflow with delete resource and target =  [//Target/connectedSetObjectID]
  • Create a set which has ‘All Autogen Groups’
  • Create a MPR which ties the above i.e. when a delete resource happens for any in set ‘All Autogen Groups’ then run the Auth workflow which will delete the set as well

SCRIPT

Wrote a script so that these groups, sets and links can be created in one go using FIM/MIM Service Powershell Module.

NOTE

  • I assume user already knows the XPATH for his filter (Will help you on how to create it easily as well in a post coming soon).
  • Many custom attributes have been used in FIMService but you get the bigger picture and not necessarily needed for your environment.
  • I am really bad at powershell so don’t be surprised if you see some ‘what the hell did he do that for?’ moment 🙂 You will definitely find mistakes but hey.. works for me.. Still please point it out 🙂

LOGIC

This script was written by me quite specific for our environment and therefore contains a lot of custom attributes and logic. This is just to give an idea what we do / can do with the idea. I have decided not to dumb it down and present it as-is. If you get confused somewhere please do contact me or leave a comment

  • Asks for DisplayName (Mandatory)
  • Asks for a requestedAccountName (Mandatory in our env to generate sAMAccountName and AccountName)
  • Asks for a owner AccountName / uid (Mandatory in our environment to set as the owner of the group)
  • Asks if the Group will have a mail address (if so then we populate some additional attributes to provision to GoogleApps)
    • If Mail Enabled then asks for some additional attributes to be set like
      • Mail Prefix (to generate the mail address)
      • Posting Permission
      • To be hidden from Global Address List or not
      • Is it going to be used as a Security Group in AD (sets as Distribution else as MailEnabledSecurity)
    • If not then sets it as a Security Group
  • Asks for the XPATH Filter – then it goes and checks if it’s correct and does return some users back else exists.
  • Creates the Set and adds the above filter to it
  • Creates the Group
    • Sets the filter pointing to the set above
  • Links the two
  • Done

The only thing it doesn’t do is setting explicit members to the set which is done manually after creation.

 

To the sync side you will simply see one Group come out with Member attribute containing both ExplicitMembers and ComputedMembers and a combination.

Hope this helps someone in their “complex business” environment.