Populating group owner
What is the current thinking on how best to populate Owner and Displayed Owner in the Portal for groups that have none? I just want to set a default value, like "Administrator". I'm still not sure on two things:
- the best way to get around the still-missing "Is present" operator in sets, and
- whether I can use the OOB Function Evaluator workflow to add the owner.
Thanks
http://www.wapshere.com/missmiis
October 22nd, 2010 11:56am
Carol - presumably you are talking about groups provisioned to the portal from AD or some non-portal authoritative source? I have a site where this has come up with groups provisioned from NOTES ... and I am wondering if perhaps the answer is not to pre-populate the owner/displayed owner fields with references to a dummy person, but rather to update the OOTB group management MPRs with set definitions that exclude groups where there is no displayed owner? If you're concerned about groups showing up in the portal with that RED WARNING message then I'm not sure it's a bad thing to set up a new workflow directed to administrators to get them to rectify the issue with a REAL owner?
Where this gets tricky is where you need to set the "EQUAL PRECEDENCE" checkbox to achieve owner/displayedOwner export flows ... if you want to set a default value, but thereafter want to make the FIM portal authoritative, you get caught in a catch-22.
Jury's still out on this ... see an old thread where this topic's just resurfaced :).
Bob Bradley, www.unifysolutions.net (FIMBob?)
October 25th, 2010 1:48pm
Hi there Bob - been away so just getting back to this.
I'd like to just make a workflow that sets Administrator as group owner until someone better is found - but how do you make the set of "Owner not present"? I've seen various blog posts about how to get around the lack of IsPresent but some refer to older versions of FIM, so I'm not sure what the best option is these days.
http://www.wapshere.com/missmiis
November 1st, 2010 5:29am
Hi Carol,
In the FIM Release Notes there is this example:
Sets
Removes support for the use of the != operator with multivalued attributes. XPath equality expressions on multivalued attributes must use the not() function.
For example, the following XPath is not supported: /Group[Owner != /Person]. Instead, use the following XPath:
/Group[not(Owner = /Person)]
That filter works as a query, but when I try to create a set with it, the operation fails.
Cheers,
Paolo
Paolo Tedesco - http://cern.ch/idm
November 1st, 2010 6:06am
So I can't create a set of groups with no owner then?
http://www.wapshere.com/missmiis
November 1st, 2010 8:47am
I cannot find a way to do that, but judging from the release notes this should be supported. Maybe my test installation is broken; have you tried it on your test environment?
I cannot even define a set of groups with an owner (i.e. /Group[Owner=/Person]) to use a transition-out MPR.
Otherwise, maybe you could define a workflow that gets triggered when a group is created or when a group's owner is changed, and from the WF you set the owner as administrator if the current value is null.
Also, if this would just be a one time operation, you could use a script. The 'no owner' filter works as a query, after all.
Cheers,
Paolo
Paolo Tedesco - http://cern.ch/idm
November 1st, 2010 12:38pm
@Carol did you solve this somehow? Populating with a default owner and then letting the portal be authoritative would be nice.
/Frederik Leed
November 18th, 2010 3:35pm
Not yet - it hasn't become a pressing enough problem yet, so I've let it slide.
http://www.wapshere.com/missmiis
November 19th, 2010 3:54am
Yes you can. You just can't always do it via the Filter builder.
Basically, you have to dereference the membership of another set of objects that you wish to check for the presence of, e.g. in your case you will say /Group[not(Owner = /Set[ObjectID = '<GUID of All People Set>']/ComputedMember)].
Lose the NOT clause and you have all Groups with at least one /Person as an owner.
For single value attributes this works in the Filter Builder, you just use IN or NOT IN.
November 19th, 2010 3:55pm
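As an added illustration of the one-off script Paolo mentions above (this is not code from anyone in the thread): the XPath that the Set filter builder rejects, /Group[not(Owner = /Person)], is accepted as a query by Export-FIMConfig, so a PowerShell script against the FIM Service can find every ownerless group and write a default Owner/DisplayedOwner to it. It assumes the FIMAutomation snap-in, the default service URI http://localhost:5725/ResourceManagementService, and that the default owner is the Person with AccountName 'Administrator'; the Set-dereferencing form of the filter from the previous reply could be dropped in as the query string instead.

```powershell
# Added example, not from the thread. Requires the FIMAutomation snap-in
# (FIM Service PowerShell cmdlets) on the machine running the script.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}
$uri = "http://localhost:5725/ResourceManagementService"   # assumption: default FIM Service URI

# Reference attribute values are written as bare GUIDs; Export-FIMConfig
# hands back identifiers in the "urn:uuid:<guid>" form.
function Get-BareGuid([string]$ObjectIdentifier) {
    return $ObjectIdentifier -replace '^urn:uuid:', ''
}

# Build one attribute change. Owner is multivalued (Add); DisplayedOwner is
# single-valued (Replace).
function New-ImportChange([string]$Attribute, [string]$Value, $Operation) {
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation     = $Operation
    $c.AttributeName = $Attribute
    $c.AttributeValue = $Value
    $c.FullyResolved = 1
    $c.Locale        = "Invariant"
    return $c
}

# 1. Resolve the default owner (assumption: AccountName 'Administrator').
$admin = Export-FIMConfig -Uri $uri -OnlyBaseResources `
    -CustomConfig "/Person[AccountName='Administrator']"
if (-not $admin) { throw "Default owner 'Administrator' not found in the portal" }
$adminGuid = Get-BareGuid $admin.ResourceManagementObject.ObjectIdentifier

# 2. Query groups with no Person as Owner. This works as a query even though
#    the Set filter builder refuses the same expression.
$ownerless = @(Export-FIMConfig -Uri $uri -OnlyBaseResources `
    -CustomConfig "/Group[not(Owner = /Person)]")
Write-Host ("{0} group(s) currently have no owner" -f $ownerless.Count)

# 3. Submit one Put request per group. Each request still goes through the
#    MPRs, so the account running this needs rights to modify Owner and
#    DisplayedOwner on Group, and any authorization workflow on that MPR
#    will fire as usual.
foreach ($g in $ownerless) {
    $id  = $g.ResourceManagementObject.ObjectIdentifier
    $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $obj.ObjectType             = "Group"
    $obj.TargetObjectIdentifier = $id
    $obj.SourceObjectIdentifier = $id
    $obj.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $obj.Changes = @(
        (New-ImportChange "Owner" $adminGuid `
            ([Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add)),
        (New-ImportChange "DisplayedOwner" $adminGuid `
            ([Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace))
    )
    Write-Host ("Setting default owner on group " + $g.ResourceManagementObject.ObjectIdentifier)
    $obj | Import-FIMConfig -Uri $uri
}
```

Run it once against a test portal first and compare the count it reports with the Group list in the portal; a group that has a stale Owner reference (one pointing at a deleted Person) is not a /Person and so will also be picked up, which is usually what you want but worth knowing before running it in production.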
FWIW I actually default Ownership. I provision a subset of groups from SQL. The SQL database in question has no knowledge of ownership or even users, only what groups must exist. The FIMMA can create group resources without ownership attributes as it bypasses the AuthZ that mandates ownership. I therefore provision the group in an invalid state and then do one of two things:
For groups that I have nothing to go on I default the DisplayedOwner and Owner attributes to a GUID specified in a generic custom activity that performs resource attribute updates. You can actually use the Function Evaluator to write DisplayedOwner but you need your own to write the multi-value attribute. I actually set the FIMMA account as the default owner. This has a well known GUID, however any GUID is fine.
For groups that have some metadata that signifies the owner, e.g. the datasource has an account name, I lookup the target via account name and write the resultant resource's objectID to the group in question. Again I use the same activity, but I also have an enumerate activity that I use to lookup the object.
November 19th, 2010 4:01pm
Actually, a request from a user for group membership to access the resource should not be approved by the owner of the resource without prompting the user's manager. But the manager to confirm the "owner" should be an attribute computed based on the user's request to join the group, because each user has a different manager :-)
Yes, we can write a custom workflow for confirmation, but I think it should be basic functionality, or there should be examples of integration, such as the ones KarolW provided for running PowerShell scripts.
November 23rd, 2010 1:45pm
KarolW, can you comment on this?
November 25th, 2010 9:18am
Sorry, me? On what?
http://www.wapshere.com/missmiis
November 25th, 2010 10:34am
But the manager to confirm the "owner" should be an attribute computed based on the user's request to join the group, because each user has a different manager :-)
Maybe you have made a similar design with PowerShell in FIM?
November 25th, 2010 12:48pm
So are you saying when a user asks to join a group it should be their own manager who approves, and not the owner of the group?
I don't think you'd need any coding to do this. Have a look at the default "Owner Approval Workflow". You want to create one similar, perhaps called "Manager Approval Workflow". To find the manager you just need to ask for approval from //Requestor/Manager.
Then I think all you need to do is swap the Authorization Workflow on the MPR "Group management workflow: Owner approval on add member".
http://www.wapshere.com/missmiis
November 26th, 2010 6:30am