Authorization Workflows - Privileged Groups
Hi,
We would like to identify the best means of automatically adding/removing users from privileged admin-type AD groups based on authorisation received. Removing the users is dependent on the period of time requested for access.
Adding users does not seem to be difficult to configure; it is the automated removing that we are unsure we can achieve.
Does FIM have the ability to do this?
~FimDB
May 1st, 2012 10:54pm
Hi,
FIM can manage security groups in these ways:
- Manually managed
- Criteria managed (based on an attribute value)
- Managed (based on approval)
In case of the criteria managed variant, you can remove a membership when an attribute is not present, or after a certain date.
For more information, take a look at this page:
http://technet.microsoft.com/en-us/library/ee534903(v=ws.10).aspx
Best regards,
Pieter.
Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/
May 2nd, 2012 2:50am
Hi Pieter,
Do you know which FIM attribute I can set in the Synchronisation rules to configure it as "Criteria Managed" for instance. I know the portal has this defined as 'Member Selection' but I am unable to determine what it is in the metaverse.
Similarly is there a way in a group based synchronisation rules to reference a user attribute in the custom expressions?
~FIMDB
May 3rd, 2012 9:17pm
You need a custom object class to handle the time-based relationship between the groups and their members. It is no longer a direct one-dimensional membership, but has obtained other properties, in particular an expiration date, so you need to be able to record those in a way that is particular to each group-member relationship.
See Bob's posts on the subject of "entitlements" http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/25825ef0-eab4-462f-b83f-d98020dd0a8c and http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/699262b3-c930-4d9b-97b8-0bdbcbc38db4.
http://www.wapshere.com/missmiis
May 3rd, 2012 11:36pm
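To make the "per group-member relationship with its own expiration date" idea from the answer above concrete, here is an added PowerShell sketch of the expiry sweep such an entitlement record drives. It is not FIM configuration and not code from anyone in this thread: the CSV layout, the group and account names, the Requestor column and the function names are all constructed assumptions standing in for whatever custom object class holds the group/member/expiry triples in your FIM deployment. The only real dependency is Remove-ADGroupMember from the ActiveDirectory (RSAT) module.

```powershell
# Added example, not from the thread: sweep expired privileged-group
# entitlements. Everything below except Remove-ADGroupMember is an
# assumption made for illustration.

# Constructed sample: one row per group-member relationship, each with
# its own expiry. In production these rows come from the entitlement
# store (the custom object class), not from an inline here-string.
$entitlementCsv = @"
Group,Member,Expires,Requestor
PRIV-DomainAdmins-Tier0,jdoe,2012-05-01T17:00:00,jsmith
PRIV-ServerAdmins-Tier1,asmith,2012-05-10T09:00:00,jsmith
PRIV-ServerAdmins-Tier1,bjones,2012-04-28T12:00:00,mmanager
"@

# Parse the records into objects with a real [datetime] expiry so that
# comparisons are not done on strings.
function Get-Entitlement {
    param([Parameter(Mandatory)][string]$Csv)
    $Csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Group     = $_.Group
            Member    = $_.Member
            Expires   = [datetime]::Parse($_.Expires)
            Requestor = $_.Requestor
        }
    }
}

# Select the relationships whose expiry has passed. $Now is a parameter
# so the selection can be tested against a fixed clock.
function Get-ExpiredEntitlement {
    param(
        [Parameter(Mandatory)]$Entitlement,
        [datetime]$Now = (Get-Date)
    )
    $Entitlement | Where-Object { $_.Expires -le $Now }
}

# Remove each expired membership from AD. SupportsShouldProcess gives us
# -WhatIf for a dry run; the Write-Output line is the audit trail that
# ties the removal back to the original request.
function Remove-ExpiredMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)]$Expired)
    foreach ($e in $Expired) {
        $target = "$($e.Member) in $($e.Group)"
        if ($PSCmdlet.ShouldProcess($target, "Remove expired membership")) {
            # Unattended run, so suppress the per-member confirmation prompt.
            Remove-ADGroupMember -Identity $e.Group -Members $e.Member -Confirm:$false
            Write-Output ("Removed {0} from {1} (expired {2}, requested by {3})" -f `
                $e.Member, $e.Group, $e.Expires.ToString('s'), $e.Requestor)
        }
    }
}

$all     = Get-Entitlement -Csv $entitlementCsv
# Fixed clock for the demonstration: jdoe and bjones are expired, asmith is not.
$expired = Get-ExpiredEntitlement -Entitlement $all -Now ([datetime]'2012-05-02T00:00:00')

# Dry run first: -WhatIf lists what would be removed without touching AD.
Remove-ExpiredMembership -Expired $expired -WhatIf
```

Run it with -WhatIf until the selection looks right, then drop the switch and schedule it. The point the answer makes is visible in the data: the expiry lives on the relationship row, not on the user and not on the group, which is why a plain attribute-based criteria group cannot express "jsmith's grant to Tier1 ends Friday, but asmith's does not".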