Remove user from FIM group by time expiration
How can I remove a user from a group after 1 day?
The expiration workflow removes the user entirely from FIM...
November 3rd, 2010 10:39am
Hi-
You'd likely need to use a custom workflow activity to do this. You can define a set that has time based criteria and then use a Transition MPR to fire the workflow activity which pulls the user out of the group.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
November 3rd, 2010 11:33am
Where is "time based criteria" located?
I created a new Set
but do not see elements like "time based criteria" in Criteria-based Members...
November 3rd, 2010 11:45am
You'd need to set a timestamp attribute of some sort on the user and then you can create filters in the set where you say <timestamp attribute> prior to X days ago or similar.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
November 3rd, 2010 11:46am
Do I understand correctly?
Do I need to create a custom attribute in the metaverse with a timestamp data type?
November 8th, 2010 1:50am
Hi There,
We've been playing with some of this because we want to have email notifications going out "daily" without having to have 30 different temporal sets defined to send the notifications out. What we did was simply use the Tools4FIM function evaluator as the last workflow activity in the MPR to set the date to a range outside of what the temporal set was looking for (as it allows us to readily add "days" to the existing date time stamp). In our case, we set it to the value of tomorrow so that the user would transition into the group again the next day and another email would be sent if they hadn't set their password.
Thanks
B
November 9th, 2010 8:08am
When facing the same dilemma as Brian, my solution was to create a userGroup record to record the begin/end date of the relationship between a user and a group ... managing this "link" object collection (adds/deletes) entirely by a couple of custom activities. Then I defined no more than a couple of temporal sets by comparing today's date with the begin/end date on the link record. Works well, but took a bit to set up ...
Bob Bradley, www.unifysolutions.net (FIMBob?)
November 9th, 2010 9:02am
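A model of the link-record approach described in the post above, as an added example that is not part of the original thread and is not FIM code: plain Python stands in for the custom activities and the two temporal sets. The names `Link`, `active_links`, `expired_links` and `evaluate`, and the sample data, are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Link:
    """One user-to-group relationship with its own lifetime (constructed model)."""
    user: str
    group: str
    begin: datetime
    end: datetime

def active_links(links, now):
    """Temporal set 1: links whose begin date has passed and end date has not."""
    return {l for l in links if l.begin <= now < l.end}

def expired_links(links, now):
    """Temporal set 2: links whose end date is at or before 'now'."""
    return {l for l in links if l.end <= now}

def evaluate(links, memberships, now):
    """One evaluation pass. Updates memberships (group -> users) in place
    and returns the (group, user) removals it performed."""
    active = active_links(links, now)
    removed = []
    for l in sorted(expired_links(links, now), key=lambda l: (l.group, l.user)):
        # A newer link (an extension) to the same group keeps the user in.
        renewed = any(a.user == l.user and a.group == l.group for a in active)
        if not renewed and l.user in memberships.get(l.group, set()):
            memberships[l.group].discard(l.user)
            removed.append((l.group, l.user))
    for l in active:
        memberships.setdefault(l.group, set()).add(l.user)
    return removed

# Constructed sample data: two groups, one pair of sets serves both.
T0 = datetime(2010, 11, 9, 9, 0)
DAY = timedelta(days=1)
LINKS = [
    Link("alice", "vpn-users", T0, T0 + DAY),
    Link("alice", "db-admins", T0, T0 + 7 * DAY),
    Link("bob", "vpn-users", T0, T0 + DAY),
    Link("bob", "vpn-users", T0 + DAY / 2, T0 + 3 * DAY),  # extension
]

def demo():
    memberships = {}
    first = evaluate(LINKS, memberships, T0 + timedelta(hours=1))
    second = evaluate(LINKS, memberships, T0 + DAY + timedelta(hours=1))
    return first, second, memberships
```

Because the expiry date lives on the link rather than on the user, the same two set definitions cover every group, and a user's removal from one group leaves their other memberships untouched.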
Sounds like I've done something similar with my customer, Bob. The customer and I have written WF activities that manage ResourceControlObject resource types. We use these RCOs to manage the lifetime of a reference. The solution is called reference expiry. Basically, when a reference value is written within the scope of an MPR we create an RCO that defines the resource, reference, etc. and we clean these things up on deletion of either the referenced user or the target resource.
Works a treat until it comes to requesting an extension. The OOB activities bypass AuthZ so we're currently implementing extension approval via a scheduled PS script that flips a boolean and triggers AuthZ for either the reference value, in the case of a user being a member of a role or group, or the owner of the resource that contains the reference.
We're unhappy with this but are struggling to invoke the approval from within the WF itself. Even going out to the WCF endpoint via a custom WCF client doesn't help unless we store credentials somewhere and I'm really not happy about thinking about that.
@ the OP: All in all, this is quite achievable with some custom activities but not exactly a simple or straightforward solution.
November 10th, 2010 4:19am
From your answers, I do not understand how to remove a user from the group after the specified number of days.
November 10th, 2010 6:59am
Put simply, you cannot do this without quite a bit of WF development effort. The product doesn't support it OOB so your options are do it in WF or shunt it all out to SQL and do it via triggers and SPs and bring the membership back into FIM.
Hope this helps? Sorry, I know it's not the answer you're looking for.
November 10th, 2010 3:43pm
Maybe I've been looking at this problem from a more complex point of view than was required. If you define a group and you want all the users who meet a date criteria to only be there for a day, establish a range within the Temporal Set... for example ->
select all users who meet all the following conditions
- Employee End Date is after today
- Employee End Date is prior to 1 day from today
This would give you the set of people who are expiring from "Now/Today" until tomorrow. (Well, 24 hours from now).
Thanks
B
November 10th, 2010 4:20pm
In this case, for each group where a user is added, I need to create a separate attribute with the date of inclusion in or exclusion from the group,
and then create separate data sets for the processing of each attribute.
A "magic" button in the properties of each group with the text "exclude from the group - never \ according to the rule" would solve all my problems )
November 11th, 2010 1:48am