MIMWAL: Update set membership based on group membership


This is another post based on my current experiences with the Microsoft Workflow Activity Library aka MIM WAL.

Of course you can do ths with a own custom activity or PowerShell activity but both requires a lot of code to maintain. I saw this question on how to update set members based on group members a lot of times in the TechNet forum and as you now due to limitation of FIM / MIM you can not do that with OoB functions.

But with the MIMWAL there is now an fast and reliable solution for that, so you can for example grant permissions in Portal (indirectly) based on AD groups.

The scenario for this example is like following:

  • I assume we have a set and a group with the same DisplayName. ( _ModifySetByGroup in this example)
  • We want to completly have the group and set membership in sync
  • I want to use only one workflow for multiple groups

So first there is the need to create a couple of things:

  1. Create a Set and a Group called: _ModifySetByGroup both with manually member only
  2. Create a Set (ex: Groups that can update sets) which contains all the groups (the one above) that you want to keep in sync with sets

Now you need to create the action workflow with the MIMWAL Update Resource Activity:

UpdateSetsByGroups1

The Queries section is for looking up the sets that we want to modify, the xpath filter here searches for sets that meet the Groups (Target Resource) DisplayName. The Key value is a handle for later usage of the queried set. The Updates section then sets the current groups [//Target/ExplicitMember] attribute to the sets we queried above [//Queries/Set/ExplicitMember]. Dont forget to set the Allow Null flag to also remove all members from the set.

Last thing is to create an Management Policy Rule (MPR) like following:

  • PolicyType: Request based
  • Requestor Set: All People
  • Operation: Add and Remove multivalue attribute
  • Target Resource Set (Before and After): The set you created above (ex. Groups that can update sets)
  • Select specific attribute: Manually-managed Membership (ExplicitMember)
  • Policy Workflow: The action workflow with the MIMWAL activity created above

As you can see the membership of the set is completly overwritten every time the group changes its members, but if you take a look to the request history you only see the delta changes of the differences between the group and the sets membership due to the effective implementation of MIMWAL.

Now all you need to do to add additional sets that need to be updated by groups is to add new proper named sets and groups and add the group to the set called: Groups that can update sets created unter point 2. above.

Modifications of that solution:

If you want to have sets with members updated by group but be also be able to add/remove additional members manually you can modify the Updates section like this:

  • Remove the current value expression and target
  • Add Expression: RemoveValues([//Delta/ExplicitMember/Removed]) and Target: [//Queries/Set/ExplicitMember]  Allow Null: unchecked
  • Add Expression: InsertValues([//Delta/ExplicitMember/Added]) and Target: [//Queries/Set/ExplicitMember] Allow Null: unchecked

This will only add or remove the delta changes you make on the group memberships instead of setting the complete membership every time.

 

Advertisements

About Peter Stapf
Senior Consultant Infrastructure Services (Main focus: Identity Management) MVP Directory Services

11 Responses to MIMWAL: Update set membership based on group membership

  1. Pingback: FIM Portal : Sync up security groups with SETs | tlktechidentitythoughts

  2. ma11br00ks says:

    This is a really nice solution Peter. I was racking my brain trying to figure out a way to configure the single workflow activity so that it would support a relationship between group and set where the set does not have the same name as the group. For example, I like to prepend all my non-default sets in FIM with “_”. So the group “HelpDesk” would be represented by the set “_HelpDesk”.

    Would I have to do a separate MPR and Workflow for each of these group to set relationships to make this happen?

    Thanks!

    Matt

  3. Peter Stapf says:

    Hi,
    did not test it but you can maybe set the query part of my solution something like:
    ‘_’ + [//target/DisplayName]

    or have an additional attribute (not DisplayName) that has the same name like the group.
    with that you should be able to only use one Set/Workflow/MPR combination like I above.

  4. vas says:

    for me did not work…:-( the members of the set do not get updated

    • Peter Stapf says:

      You maybe have an error in the configuration, I have this still working in my demo lab.
      Or do you mean the 1 MPR/Workflow for multiple groups, never tried this was just a suggestion.

      • vas says:

        Sorry.. It works… but I did not fully understand the mechanics.. So I had an AD group and I created a set. I implemented the process and the set was not updated with members until I added a manual member to the group.(That triggered the workflow )..
        I am a newbie when it comes to fim..

        Question off topic.
        what is the best way to assign specific permissions to members of a HelpDesk security group (replicated from ad)..
        is the above method the best.. ?

        Thank you

      • Peter Stapf says:

        Yes the workflow only triggers on changes, I did not describe the inital load part. I assumed empty groups in that demo.

        Regarding your question, in general all permissions in FIM/MIM are based on sets not on group either created in MIM or synchronized.
        So I see no way around to use this solution of something similar.

      • vas says:

        Thank you very much

  5. Daniel Malmgren says:

    Nice one! One question: I would like my Sets to have a prefix so that if a group for example is named “foobar” then I’d like to name the Set that it updates “extGroupfoobar” (and have the same prefix on all the Sets updated by this logic). Any idea how I’d achieve that?

    I guess I’d have to alter the XPath Filter but I can’t seem to get it exactly right. I’ve tried things like /Set[DisplayName=concat(‘extGroup’,'[//Target/DisplayName]’)] but it doesn’t feel right (and also it doesn’t work)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: