Hi all,
I want to sync my AD groups to the FIM portal and I want the members to be approved by a specific administrator; also, I want to remove the members automatically after a specific period of time. How can I do that?
Hello,
For the first part I would work with the owner attribute of groups, setting that to the specific administrator. You can then work with the default owner approval MPRs (and workflows) or modify them to fit your needs.
Have a look at those default MPRs to see how that works.
For the second part you could have a look at this "older" post:
Thanks Peter,
I have the below URL for Request Management, but all the configuration is talking about distribution groups. Is there anything specific for security groups, or is it the same?
https://technet.microsoft.com/en-us/library/ee534919(v=ws.10).aspx
Hello Teka,
From the system's perspective they are both just groups with different attributes (type/scope), so it doesn't make a difference to the portal and request management.
-Peter
Thanks Peter,
Regarding the above link, are there any detailed steps on how to do this? Also, in another post they mention BHOLD for group management.
Hello,
BHOLD is a complete solution for role-based access management that goes far beyond simple group membership approval, but you can have a look at its features.
I never used it until now.
The owner approval thing is simple to implement.
Check that Portal/Service can send mail through the mail server (Exchange, for example).
Check that users have an email address populated in the portal.
Check that groups have the owner attribute set to the correct users.
Activate the MPRs I checked in the following screenshot.
This enables all users to become a member of security groups, but with owner approval; owners of groups can modify relevant attributes on their groups.
The "Group management workflow: Owner approval in add member" is for owner approval if users want to become a member of a group. This MPR works for security and distribution groups (all groups with owner approval).
-Peter
Thanks Peter,
Are there similar details for the automatic removal from the group? Also, is there a way to disable or enable users after a specific period of time?
Also, how do I check that Portal/Service can send mail through the mail server (Exchange 2010)?
Thanks
Hello,
I think for auto-removal of users from groups there is no simple way, besides the possibility that you have a date attribute on a user and use dynamic groups with appropriate criteria.
The next version of FIM (MIM vNext) will provide Just-In-Time (JIT) access management with such a feature; maybe this could be useful for you in future.
If you have set up FIMService/Portal with a mail server and there are no error messages in the event log, that's a good starting point. After that, try to build a simple notification workflow on change of an attribute. It's quite simple to build.
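The "date attribute on the user plus a dynamic group" idea from the reply above, modelled as an added example (not code from the thread or from FIM itself): a Python script that evaluates such a criteria-based group at a point in time and shows which members drop out when the expiry passes. The attribute name MembershipExpires and the sample users are constructed assumptions; in the portal the same rule would be expressed as a set/group filter on that attribute.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of portal Person objects: AccountName -> attributes.
# MembershipExpires is an ASSUMED custom dateTime attribute; None = unset.
PEOPLE: Dict[str, Dict[str, Optional[datetime]]] = {
    "alice": {"MembershipExpires": datetime(2015, 6, 30)},
    "bob":   {"MembershipExpires": datetime(2015, 3, 15)},
    "carol": {"MembershipExpires": None},
}

ATTR = "MembershipExpires"


def dynamic_members(people: Dict[str, Dict[str, Optional[datetime]]],
                    now: datetime, attribute: str = ATTR) -> List[str]:
    """Members the criteria-based group contains at time `now`: everyone whose
    expiry is set and still in the future. An unset attribute fails the
    criterion, so a user with no expiry is never a member (fail closed)."""
    return sorted(
        name for name, attrs in people.items()
        if attrs.get(attribute) is not None and attrs[attribute] > now
    )


def removals_between(people: Dict[str, Dict[str, Optional[datetime]]],
                     t0: datetime, t1: datetime) -> List[str]:
    """Users that leave the group between two evaluations (t0 earlier than t1):
    useful when checking what the next re-evaluation will actually remove."""
    return sorted(set(dynamic_members(people, t0)) - set(dynamic_members(people, t1)))


def approve_member(people: Dict[str, Dict[str, Optional[datetime]]], name: str,
                   approved_at: datetime, days: int, attribute: str = ATTR) -> datetime:
    """The step an owner-approval workflow would take on approval: stamp the
    user with an expiry `days` ahead, which makes them match the criteria."""
    expires = approved_at + timedelta(days=days)
    people[name][attribute] = expires
    return expires


if __name__ == "__main__":
    jan, apr = datetime(2015, 1, 1), datetime(2015, 4, 1)
    print("members in January:", dynamic_members(PEOPLE, jan))
    print("dropped by April:", removals_between(PEOPLE, jan, apr))
    approve_member(PEOPLE, "carol", jan, days=30)
    print("members mid-January after approval:", dynamic_members(PEOPLE, datetime(2015, 1, 15)))
```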
Thanks Peter,
Now when I log in with the user account to the FIM portal I only see the DGs; I need to be able to request to join security groups as well.
Hello,
You must give users permission to view the Homepage/Navigation Bar Resources and Search Scopes used.
The simplest way is to add the keyword "BasicUI" to the appropriate resources.
There is a default MPR called "General: Users can read non-administrative configuration resources" which does this; they are based on some sets starting with the name "All Basic...".
Take a look at these and maybe create your own ones to fit your needs.
-Peter
Hi,
As I said, the easiest way is to put the keyword "BasicUI" on the navigation elements.
Administration > Homepage/Navigationbar Resources
Administration > Search Scopes
Modify the objects for security groups and set the attribute "Keyword".
Also have a look at this video: https://technet.microsoft.com/en-us/video/customizing-the-forefront-identity-manager-2010-portal.aspx
and this Technet Article:
https://technet.microsoft.com/en-us/library/ff393653%28WS.10%29.aspx