Dynamic Multivalue User Attribute -> Security Groups

Hi All and thanks for any advice

We are migrating from Novell IDM and have struck an issue with MS FIM 2010.

We have Teachers and Students with Classes stored in multi-valued attributes.

The list changes as subjects and classes get added, changed and deleted. We would like FIM to create the classes as security groups in Active Directory and assign members.

NOTE: the key point is we are trying to avoid creating a rule for every security group. The goal would be to have FIM create the groups that are in the user's attribute and assign/remove members with changes.

Example data in FIM:

user1 - classcosed = 11MTA01, 11ENG03, 11DES02

user2 - classcosed = 11MTA02, 11ENG03, 11DES02

user3 - classcosed = 9MTA01, 9ENG03, 9DES02

user4 - classcosed = 9MTA02, 9ENG03, 9DES02

Desired Security Groups result in Active Directory:

11MTA01 = user1

11MTA02 = user2

11ENG03 = user1,user2

11DES02 = user1,user2

9MTA01 = user3

9MTA02 = user4

9ENG03 = user3, user4

9DES02 = user3, user4

Again, thank you in advance for any ideas.


August 2nd, 2015 12:15am

If you have a look at the 3rd topic that Tomasz presented at one of our FIMTeam July meetings last year, I think you will find details of the same approach that we have since implemented at UNIFY ourselves. Essentially, the way the solution works is that a custom resource is defined in the FIM Service which acts as a group template. A scheduled job then maintains FIM groups with filters calculated according to the template definitions, whereby the job either

  • creates a group for all the various distinct string attribute values on the Person resource type; or
  • creates a group for all the unique values of a nominated FIMService resource where there is a corresponding reference binding on the Person resource type.

Another approach is where you can derive a group object in the CS of the MA for your authoritative source. There are a number of different ways to achieve this, depending on the type of your authoritative MA, and you could even use the Replay MA idea to achieve this by dropping and transforming an audit file on every import run.

August 13th, 2015 9:02am
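
The reconciliation that a scheduled job of this kind performs can be sketched in Python; this is an added example, not part of the thread and not the FIMTeam or UNIFY implementation. It inverts the multi-valued attribute into per-group membership and diffs that against the groups the job already manages. The function names, the normalization rule and the `CURRENT` sample are assumptions; the user data is the example from the question.

```python
from collections import defaultdict

# Example data from the question: user -> multi-valued class-code attribute.
USERS = {
    "user1": ["11MTA01", "11ENG03", "11DES02"],
    "user2": ["11MTA02", "11ENG03", "11DES02"],
    "user3": ["9MTA01", "9ENG03", "9DES02"],
    "user4": ["9MTA02", "9ENG03", "9DES02"],
}

# Constructed sample: groups the job created on earlier runs (assumption).
# It must hold only job-managed groups, so nothing else is ever deleted.
CURRENT = {
    "11MTA01": {"user1", "user2"},  # user2 has since moved to 11MTA02
    "11ENG03": {"user1"},
    "10HIS01": {"user9"},           # class no longer on any user
}

def desired_groups(users):
    """Invert user -> class codes into group name -> set of members."""
    groups = defaultdict(set)
    for user, codes in users.items():
        for code in codes:
            # Assumed rule: trim and upper-case so " 9mta01" and "9MTA01"
            # map to one group instead of two near-duplicates.
            name = code.strip().upper()
            if name:
                groups[name].add(user)
    return dict(groups)

def plan_changes(desired, current):
    """Diff desired against current managed groups into ordered actions."""
    plan = {"create": [], "add": [], "remove": [], "delete": []}
    for name in sorted(desired.keys() | current.keys()):
        want = desired.get(name, set())
        have = current.get(name, set())
        if name not in current:
            plan["create"].append(name)
        plan["add"] += [(name, u) for u in sorted(want - have)]
        # Removals matter as much as adds: stale members keep access.
        plan["remove"] += [(name, u) for u in sorted(have - want)]
        if name not in desired:
            plan["delete"].append(name)
    return plan

if __name__ == "__main__":
    for action, items in plan_changes(desired_groups(USERS), CURRENT).items():
        print(action, items)
```

Scoping `CURRENT` to groups the job itself created (for example by a dedicated OU or a marker attribute) is what keeps the delete step from touching unrelated security groups.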

Thank you for your insight.

I have found the following solution to be quite a good one


August 23rd, 2015 9:54pm

This topic is archived. No further replies will be accepted.
