MIMWAL: Update set membership based on group membership


This is another post based on my current experiences with the Microsoft Workflow Activity Library aka MIM WAL.

Of course you can do this with your own custom activity or with a PowerShell activity, but both require a lot of code to maintain. I have seen the question of how to update set members based on group members many times in the TechNet forum, and as you know, due to a limitation of FIM / MIM you cannot do that with out-of-the-box functions.

But with the MIMWAL there is now a fast and reliable solution for that, so you can, for example, grant permissions in the Portal (indirectly) based on AD groups.

The scenario for this example is like following:

  • I assume we have a set and a group with the same DisplayName (_ModifySetByGroup in this example)
  • We want to keep the group and set membership completely in sync
  • I want to use only one workflow for multiple groups

So first there is the need to create a couple of things:

  1. Create a Set and a Group called _ModifySetByGroup, both with manual membership only
  2. Create a Set (e.g. Groups that can update sets) which contains all the groups (like the one above) that you want to keep in sync with sets

Now you need to create the action workflow with the MIMWAL Update Resource Activity:

[Screenshot: UpdateSetsByGroups1, the Update Resource activity configuration with its Queries and Updates sections]

The Queries section looks up the sets that we want to modify; the XPath filter there searches for sets whose DisplayName matches the group's (the Target resource's) DisplayName. The Key value is a handle for referencing the queried set later. The Updates section then writes the current group's [//Target/ExplicitMember] attribute to the set we queried above, [//Queries/Set/ExplicitMember]. Don't forget to set the Allow Null flag, so that an emptied group also removes all members from the set.

The last thing is to create a Management Policy Rule (MPR) like the following:

  • PolicyType: Request based
  • Requestor Set: All People
  • Operation: Add and Remove multivalue attribute
  • Target Resource Set (Before and After): The set you created above (ex. Groups that can update sets)
  • Select specific attribute: Manually-managed Membership (ExplicitMember)
  • Policy Workflow: The action workflow with the MIMWAL activity created above

As you can see, the membership of the set is completely overwritten every time the group's members change, but if you look at the request history you only see the delta between the group's and the set's membership, thanks to the efficient implementation of MIMWAL.

Now all you need to do to have additional sets updated by groups is to create new, properly named sets and groups and add each group to the set called Groups that can update sets, created under point 2 above.

Modifications of that solution:

If you want sets whose members are updated by a group, but also want to be able to add/remove additional members manually, you can modify the Updates section like this:

  • Remove the current value expression and target
  • Add Expression: RemoveValues([//Delta/ExplicitMember/Removed]) and Target: [//Queries/Set/ExplicitMember], Allow Null: unchecked
  • Add Expression: InsertValues([//Delta/ExplicitMember/Added]) and Target: [//Queries/Set/ExplicitMember], Allow Null: unchecked

This will only add or remove the delta changes you make to the group membership, instead of setting the complete membership every time.
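To make the difference between the two Updates variants concrete, here is an added model written in Python. It is not MIMWAL code and does not talk to a MIM Portal; group and set members are plain strings (constructed sample data), and a "change" stands for the attribute delta the Portal would show in the request history. `full_overwrite` models the first variant (Target ExplicitMember written from [//Queries/Set/ExplicitMember] with Allow Null), `delta_update` models the RemoveValues/InsertValues variant, and the Allow Null handling follows what the post says about emptied groups.

```python
"""Model of the two Update Resource strategies from the post above.

Added illustration, not MIMWAL code. Members are plain strings and all
sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """Effective delta as it would appear in the MIM request history."""
    added: frozenset
    removed: frozenset


def full_overwrite(group_members, set_members, allow_null=True):
    """Variant 1: the set's ExplicitMember is replaced by the group's members.

    MIM only records the effective difference, so the request history shows
    a delta even though the whole attribute is rewritten. Members that were
    added to the set by hand are removed, because they are not in the group.
    With Allow Null unchecked an emptied group writes nothing, so the set
    keeps its current members (this is why the post says to check the flag).
    """
    group = frozenset(group_members)
    current = frozenset(set_members)
    if not group and not allow_null:
        return current, Change(frozenset(), frozenset())
    return group, Change(added=group - current, removed=current - group)


def delta_update(set_members, delta_added, delta_removed):
    """Variant 2: RemoveValues([//Delta/.../Removed]) then InsertValues([//Delta/.../Added]).

    Only the members that changed on the group are applied to the set;
    manual set members that the group never contained stay untouched.
    """
    current = set(set_members)
    removed = current & set(delta_removed)          # only remove what is really there
    added = set(delta_added) - current              # only add what is missing
    current -= removed
    current |= added
    return frozenset(current), Change(frozenset(added), frozenset(removed))


def scenario():
    """Constructed example: bob leaves and dave joins the group; carol is a manual set member."""
    group_after = {"alice", "dave"}                 # group membership after the change
    set_before = {"alice", "bob", "carol"}          # carol was added to the set by hand
    delta_added, delta_removed = ["dave"], ["bob"]  # what [//Delta/ExplicitMember] carries

    overwrite_result = full_overwrite(group_after, set_before)
    delta_result = delta_update(set_before, delta_added, delta_removed)
    return {"overwrite": overwrite_result, "delta": delta_result}


if __name__ == "__main__":
    for name, (members, change) in scenario().items():
        print(f"{name:9s} set={sorted(members)} added={sorted(change.added)} removed={sorted(change.removed)}")
```

Running the scenario shows the point of the modification: the overwrite variant ends with {alice, dave} and reports carol as removed, while the delta variant ends with {alice, carol, dave} and reports only bob as removed. It also shows why an initial load is not covered by either variant: both only act when a change on the group triggers the workflow.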


Author: Peter Stapf

Senior Consultant Identity and Access

16 thoughts on “MIMWAL: Update set membership based on group membership”

  1. This is a really nice solution Peter. I was racking my brain trying to figure out a way to configure the single workflow activity so that it would support a relationship between group and set where the set does not have the same name as the group. For example, I like to prepend all my non-default sets in FIM with “_”. So the group “HelpDesk” would be represented by the set “_HelpDesk”.

    Would I have to do a separate MPR and Workflow for each of these group to set relationships to make this happen?

    Thanks!

    Matt

  2. Hi,
    did not test it but you can maybe set the query part of my solution something like:
    ‘_’ + [//target/DisplayName]

    or have an additional attribute (not DisplayName) that has the same name like the group.
    With that you should be able to use only one Set/Workflow/MPR combination, like I did above.

    1. You maybe have an error in the configuration, I have this still working in my demo lab.
      Or do you mean the 1 MPR/Workflow for multiple groups, never tried this was just a suggestion.

      1. Sorry, it works, but I did not fully understand the mechanics. So I had an AD group and I created a set. I implemented the process and the set was not updated with members until I added a manual member to the group (that triggered the workflow).
        I am a newbie when it comes to FIM.

        Question off topic.
        what is the best way to assign specific permissions to members of a HelpDesk security group (replicated from ad)..
        is the above method the best.. ?

        Thank you

      2. Yes, the workflow only triggers on changes; I did not describe the initial load part. I assumed empty groups in that demo.

        Regarding your question: in general, all permissions in FIM/MIM are based on sets, not on groups, whether created in MIM or synchronized.
        So I see no way around using this solution or something similar.

      3. We managed to “improve” the workflow a bit: we added an activity to check if the set exists; if it does not, it creates a set with display name = Prefix_name_of_the_group and adds the members. Thank you for your help

  3. Nice one! One question: I would like my Sets to have a prefix so that if a group for example is named “foobar” then I’d like to name the Set that it updates “extGroupfoobar” (and have the same prefix on all the Sets updated by this logic). Any idea how I’d achieve that?

    I guess I’d have to alter the XPath Filter but I can’t seem to get it exactly right. I’ve tried things like /Set[DisplayName=concat(‘extGroup’,'[//Target/DisplayName]’)] but it doesn’t feel right (and also it doesn’t work)

      1. Haha… After some fiddling around I found the answer and it was even easier than any of our guesses:

        /Set[DisplayName=’ExtGroup[//Target/DisplayName]’]

        (The lookup is simply expanded to the groups display name and is then part of the same string as the prefix)

  4. Hi ,
    This was a great article. I am new to MIM WAL and I was trying to find a method to do so. I have a question regarding my scenario, where my client has a lot of nested groups and they want to expand them into a new group with flat members. I have synced an extension attribute for all groups which need expanding. Will you please give me some advice on how to use MIM WAL to create a new Group based on the extension attribute set. The new group can have Synced_From_Displayname. Thank you for your help

  5. After I originally left a comment I appear to have clicked on the -Notify me when new comments are added- checkbox and from now on whenever a comment is added I get 4 emails with the exact same comment. There has to be an easy method you can remove me from that service? Appreciate it!

  6. Can you point me to your old comment, I cannot find a comment by a user with your name.
    Also you are not in my follower or email follower list.
    Contact me maybe with the contact form and send me your mail address so I can try to find you.

  7. Hello Peter

    It has helped me a lot in fulfilling my client's requirement, but below is the unexpected behaviour which I was experiencing.

    When I am adding a user to a group via the MIM Portal, and while removing the delta changes, I mean the recently added user, along with that user other existing users are also being removed from the group using the above (Add Expression: RemoveValues([//Delta/ExplicitMember/Removed]) and Target: [//Queries/Set/ExplicitMember] Allow Null: unchecked).
    I would need your help on this so as not to remove the existing users.

    Thanks
